gvisor: socket() returns EPROTONOSUPPORT if protocol is not supported

PiperOrigin-RevId: 250426407

6 files changed, 70 insertions, 8 deletions

diff --git a/pkg/sentry/socket/epsocket/provider.go b/pkg/sentry/socket/epsocket/provider.go
index fb1815c2d..ec930d8d5 100644
--- a/pkg/sentry/socket/epsocket/provider.go
+++ b/pkg/sentry/socket/epsocket/provider.go
@@ -76,7 +76,7 @@ func getTransportProtocol(ctx context.Context, stype transport.SockType, protoco
 			return header.TCPProtocolNumber, nil
 		}
 	}
-	return 0, syserr.ErrInvalidArgument
+	return 0, syserr.ErrProtocolNotSupported
 }
 
 // Socket creates a new socket object for the AF_INET or AF_INET6 family.
diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go
index 931056d51..1414be0c6 100644
--- a/pkg/sentry/socket/unix/unix.go
+++ b/pkg/sentry/socket/unix/unix.go
@@ -598,8 +598,8 @@ type provider struct{}
 // Socket returns a new unix domain socket.
 func (*provider) Socket(t *kernel.Task, stype transport.SockType, protocol int) (*fs.File, *syserr.Error) {
 	// Check arguments.
-	if protocol != 0 {
-		return nil, syserr.ErrInvalidArgument
+	if protocol != 0 && protocol != linux.AF_UNIX /* PF_UNIX */ {
+		return nil, syserr.ErrProtocolNotSupported
 	}
 
 	// Create the endpoint and socket.
@@ -624,8 +624,8 @@ func (*provider) Socket(t *kernel.Task, stype transport.SockType, protocol int)
 // Pair creates a new pair of AF_UNIX connected sockets.
 func (*provider) Pair(t *kernel.Task, stype transport.SockType, protocol int) (*fs.File, *fs.File, *syserr.Error) {
 	// Check arguments.
-	if protocol != 0 {
-		return nil, nil, syserr.ErrInvalidArgument
+	if protocol != 0 && protocol != linux.AF_UNIX /* PF_UNIX */ {
+		return nil, nil, syserr.ErrProtocolNotSupported
 	}
 
 	var isPacket bool
diff --git a/test/syscalls/BUILD b/test/syscalls/BUILD
index 0d6b6ccc7..c53742d14 100644
--- a/test/syscalls/BUILD
+++ b/test/syscalls/BUILD
@@ -35,6 +35,8 @@ syscall_test(
 
 syscall_test(test = "//test/syscalls/linux:brk_test")
 
+syscall_test(test = "//test/syscalls/linux:socket_test")
+
 syscall_test(test = "//test/syscalls/linux:chdir_test")
 
 syscall_test(test = "//test/syscalls/linux:chmod_test")
diff --git a/test/syscalls/linux/BUILD b/test/syscalls/linux/BUILD
index ec57ec129..8465e5ad0 100644
--- a/test/syscalls/linux/BUILD
+++ b/test/syscalls/linux/BUILD
@@ -313,6 +313,19 @@ cc_binary(
 )
 
 cc_binary(
+    name = "socket_test",
+    testonly = 1,
+    srcs = ["socket.cc"],
+    linkstatic = 1,
+    deps = [
+        ":socket_test_util",
+        "//test/util:test_main",
+        "//test/util:test_util",
+        "@com_google_googletest//:gtest",
+    ],
+)
+
+cc_binary(
     name = "brk_test",
     testonly = 1,
     srcs = ["brk.cc"],
diff --git a/test/syscalls/linux/socket.cc b/test/syscalls/linux/socket.cc
new file mode 100644
index 000000000..0404190a0
--- /dev/null
+++ b/test/syscalls/linux/socket.cc
@@ -0,0 +1,48 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <sys/socket.h>
+#include <unistd.h>
+
+#include "gtest/gtest.h"
+#include "test/syscalls/linux/socket_test_util.h"
+#include "test/util/test_util.h"
+
+namespace gvisor {
+namespace testing {
+
+TEST(SocketTest, UnixSocketPairProtocol) {
+  int socks[2];
+  ASSERT_THAT(socketpair(AF_UNIX, SOCK_STREAM, PF_UNIX, socks),
+              SyscallSucceeds());
+  close(socks[0]);
+  close(socks[1]);
+}
+
+TEST(SocketTest, Protocol) {
+  struct {
+    int domain, type, protocol;
+  } tests[] = {
+      {AF_UNIX, SOCK_STREAM, PF_UNIX},     {AF_UNIX, SOCK_SEQPACKET, PF_UNIX},
+      {AF_UNIX, SOCK_DGRAM, PF_UNIX},      {AF_INET, SOCK_DGRAM, IPPROTO_UDP},
+      {AF_INET, SOCK_STREAM, IPPROTO_TCP},
+  };
+  for (int i = 0; i < ABSL_ARRAYSIZE(tests); i++) {
+    ASSERT_NO_ERRNO_AND_VALUE(
+        Socket(tests[i].domain, tests[i].type, tests[i].protocol));
+  }
+}
+
+}  // namespace testing
+}  // namespace gvisor
diff --git a/test/syscalls/linux/socket_unix.cc b/test/syscalls/linux/socket_unix.cc
index 09a1c1c6e..95cf8d2a3 100644
--- a/test/syscalls/linux/socket_unix.cc
+++ b/test/syscalls/linux/socket_unix.cc
@@ -1567,15 +1567,14 @@ TEST_P(UnixSocketPairTest, TIOCOUTQSucceeds) {
 }
 
 TEST_P(UnixSocketPairTest, NetdeviceIoctlsSucceed) {
-  FileDescriptor sock =
-      ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_UNIX, SOCK_DGRAM, 0));
+  auto sockets = ASSERT_NO_ERRNO_AND_VALUE(NewSocketPair());
 
   // Prepare the request.
   struct ifreq ifr;
   snprintf(ifr.ifr_name, IFNAMSIZ, "lo");
 
   // Check that the ioctl either succeeds or fails with ENODEV.
-  int err = ioctl(sock.get(), SIOCGIFINDEX, &ifr);
+  int err = ioctl(sockets->first_fd(), SIOCGIFINDEX, &ifr);
   if (err < 0) {
     ASSERT_EQ(errno, ENODEV);
   }