From 57f9d1f01a6b249c6673e6da253c3504ce8ce4c4 Mon Sep 17 00:00:00 2001
From: Askar Safin <safinaskar@gmail.com>
Date: Wed, 24 Jan 2024 15:22:00 +0300
Subject: [PATCH] This commit is part of clone3 clean up. As part of clean up
 we will remove tests/ui/command/command-create-pidfd.rs . But it contains
 very useful comment, so let's move the comment to
 library/std/src/sys/pal/unix/rand.rs , which contains another instance of the
 same Docker problem

---
 library/std/src/sys/pal/unix/rand.rs     | 13 ++++++++++++-
 tests/ui/command/command-create-pidfd.rs | 10 ----------
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/library/std/src/sys/pal/unix/rand.rs b/library/std/src/sys/pal/unix/rand.rs
index cf0fe0f47c5..1dba1ccf64e 100644
--- a/library/std/src/sys/pal/unix/rand.rs
+++ b/library/std/src/sys/pal/unix/rand.rs
@@ -106,7 +106,18 @@ mod imp {
                     // supported on the current kernel.
                     //
                     // Also fall back in case it is disabled by something like
-                    // seccomp or inside of virtual machines.
+                    // seccomp or inside of docker.
+                    //
+                    // If the `getrandom` syscall is not implemented in the current kernel version it should return an
+                    // `ENOSYS` error. Docker also blocks the whole syscall inside unprivileged containers, and
+                    // returns `EPERM` (instead of `ENOSYS`) when a program tries to invoke the syscall. Because of
+                    // that we need to check for *both* `ENOSYS` and `EPERM`.
+                    //
+                    // Note that Docker's behavior is breaking other projects (notably glibc), so they're planning
+                    // to update their filtering to return `ENOSYS` in a future release:
+                    //
+                    //     https://github.com/moby/moby/issues/42680
+                    //
                     GETRANDOM_UNAVAILABLE.store(true, Ordering::Relaxed);
                     return false;
                 } else if err == libc::EAGAIN {
diff --git a/tests/ui/command/command-create-pidfd.rs b/tests/ui/command/command-create-pidfd.rs
index 4df443c66d6..9f9e5dd0e01 100644
--- a/tests/ui/command/command-create-pidfd.rs
+++ b/tests/ui/command/command-create-pidfd.rs
@@ -16,16 +16,6 @@ fn has_clone3() -> bool {
         .then(|| Error::last_os_error())
         .expect("probe syscall should not succeed");
 
-    // If the `clone3` syscall is not implemented in the current kernel version it should return an
-    // `ENOSYS` error. Docker also blocks the whole syscall inside unprivileged containers, and
-    // returns `EPERM` (instead of `ENOSYS`) when a program tries to invoke the syscall. Because of
-    // that we need to check for *both* `ENOSYS` and `EPERM`.
-    //
-    // Note that Docker's behavior is breaking other projects (notably glibc), so they're planning
-    // to update their filtering to return `ENOSYS` in a future release:
-    //
-    //     https://github.com/moby/moby/issues/42680
-    //
     err.raw_os_error() != Some(libc::ENOSYS) && err.raw_os_error() != Some(libc::EPERM)
 }