Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

syscalls: do not conceal BPF_PROG_* syscall errors #334

Closed
wants to merge 1 commit into from
Closed

syscalls: do not conceal BPF_PROG_* syscall errors #334

wants to merge 1 commit into from

Conversation

cyphar
Copy link
Contributor

@cyphar cyphar commented Jul 1, 2021
edited
Loading

The error wrapping code for BPF_PROG_* syscall-related errors would mask
the true source of all underlying syscall errors, which meant that you
couldn't detect several fairly important cases (such as -EACESS and
-EPERM). It seems that this behaviour wasn't intentional (prior to
commit de57e91, the behaviour was to bubble up the syscall error)
and the similar wrapping of BPF_MAP_* errors did bubble up the syscall
error too.

This is needed for runc to be able to detect permission errors due to
SELinux labels blocking certain operations (mainly NewProgramFromID),
and unifies the behaviour for BPF_PROG_* and BPF_MAP_* syscalls.

It turns out that wrapMapError doesn't actually wrap the either error,
but @lmb said they will come up with a better long term solution, so
leave this alone for now.

Ref: opencontainers/runc#3055
Fixes: de57e91 ("Add *GetNextID")
Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar force-pushed the syscall-bpf_prog-error-wrapping branch from 7cf7600 to 26565c8 Compare July 1, 2021 04:05
lmb
lmb reviewed Jul 1, 2021
View reviewed changes
syscalls.go Show resolved Hide resolved
syscalls.go Outdated Show resolved Hide resolved
@cyphar cyphar force-pushed the syscall-bpf_prog-error-wrapping branch 2 times, most recently from 512de7d to c0a6c42 Compare July 2, 2021 04:28
@cyphar
syscalls: do not conceal BPF_PROG_* syscall errors
23adcaa 
The error wrapping code for BPF_PROG_* syscall-related errors would mask
the true source of all underlying syscall errors, which meant that you
couldn't detect several fairly important cases (such as -EACESS and
-EPERM). It seems that this behaviour wasn't intentional (prior to
commit de57e91, the behaviour was to bubble up the syscall error)
and the similar wrapping of BPF_MAP_* errors did bubble up the syscall
error too.

This is needed for runc to be able to detect permission errors due to
SELinux labels blocking certain operations (mainly NewProgramFromID),
and unifies the behaviour for BPF_PROG_* and BPF_MAP_* syscalls.

It turns out that wrapMapError doesn't actually wrap the either error,
but lmb said they will come up with a better long term solution, so
leave this alone for now.

Fixes: de57e91 ("Add *GetNextID")
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar force-pushed the syscall-bpf_prog-error-wrapping branch from c0a6c42 to 23adcaa Compare July 2, 2021 04:30
@cyphar
Copy link
Contributor Author

cyphar commented Jul 2, 2021

#336 fixes this in a much nicer way.

@cyphar cyphar closed this Jul 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lmb lmb lmb left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cyphar @lmb