Skip to content

Commit 6d8bc46

Browse files
vstinnervstinner
committed
Catch EPERM error in py_getrandom()
Issue python#27955: Fallback on reading /dev/urandom device when the getrandom() syscall fails with EPERM, for example when blocked by SECCOMP.
1 parent af59732 commit 6d8bc46

File tree

2 files changed

+11
-7
lines changed

2 files changed

+11
-7
lines changed

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,9 @@ Release date: TBA
1010
Core and Builtins
1111
-----------------
1212

13+
- Issue #27955: Fallback on reading /dev/urandom device when the getrandom()
14+
syscall fails with EPERM, for example when blocked by SECCOMP.
15+
1316
- Issue #28131: Fix a regression in zipimport's compile_source(). zipimport
1417
should use the same optimization level as the interpreter.
1518

Python/random.c

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -121,8 +121,8 @@ py_getentropy(unsigned char *buffer, Py_ssize_t size, int fatal)
121121

122122
/* Call getrandom()
123123
- Return 1 on success
124-
- Return 0 if getrandom() syscall is not available (failed with ENOSYS)
125-
or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom
124+
- Return 0 if getrandom() syscall is not available (failed with ENOSYS or
125+
EPERM) or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom
126126
not initialized yet) and raise=0.
127127
- Raise an exception (if raise is non-zero) and return -1 on error:
128128
getrandom() failed with EINTR and the Python signal handler raised an
@@ -131,7 +131,7 @@ static int
131131
py_getrandom(void *buffer, Py_ssize_t size, int raise)
132132
{
133133
/* Is getrandom() supported by the running kernel? Set to 0 if getrandom()
134-
failed with ENOSYS. Need Linux kernel 3.17 or newer, or Solaris
134+
failed with ENOSYS or EPERM. Need Linux kernel 3.17 or newer, or Solaris
135135
11.3 or newer */
136136
static int getrandom_works = 1;
137137

@@ -182,8 +182,9 @@ py_getrandom(void *buffer, Py_ssize_t size, int raise)
182182

183183
if (n < 0) {
184184
/* ENOSYS: getrandom() syscall not supported by the kernel (but
185-
* maybe supported by the host which built Python). */
186-
if (errno == ENOSYS) {
185+
* maybe supported by the host which built Python). EPERM:
186+
* getrandom() syscall blocked by SECCOMP or something else. */
187+
if (errno == ENOSYS || errno == EPERM) {
187188
getrandom_works = 0;
188189
return 0;
189190
}
@@ -250,7 +251,7 @@ dev_urandom_noraise(unsigned char *buffer, Py_ssize_t size)
250251
if (py_getrandom(buffer, size, 0) == 1) {
251252
return;
252253
}
253-
/* getrandom() failed with ENOSYS,
254+
/* getrandom() failed with ENOSYS or EPERM,
254255
fall back on reading /dev/urandom */
255256
#endif
256257

@@ -301,7 +302,7 @@ dev_urandom_python(char *buffer, Py_ssize_t size)
301302
if (res == 1) {
302303
return 0;
303304
}
304-
/* getrandom() failed with ENOSYS,
305+
/* getrandom() failed with ENOSYS or EPERM,
305306
fall back on reading /dev/urandom */
306307
#endif
307308

0 commit comments

Comments
 (0)