
cgroupv2: ebpf: ignore inaccessible existing programs #3055

Merged
merged 2 commits into from
Jul 14, 2021

Conversation

cyphar (Member) commented Jul 1, 2021

This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS.

The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.

Fixes: d0f2c25 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai [email protected]


Changelog Entry

 * cgroupv2: bpf: Ignore inaccessible existing programs in case of
   permission error when handling replacement of existing bpf cgroup
   programs. This fixes a regression in 1.0.0, where some SELinux
   policies would block runc from being able to run entirely. #3055

1.0 backport: #3087

@cyphar cyphar added the backport/1.0-todo A PR in main branch which needs to be backported to release-1.0 label Jul 1, 2021
cyphar (Member, Author) commented Jul 1, 2021

This was a regression in 1.0.0.

@cyphar cyphar changed the title cgroupv2: ebpf: ignore -EACCES when fetching program information cgroupv2: ebpf: ignore inaccessible existing programs Jul 1, 2021
@cyphar cyphar marked this pull request as draft July 1, 2021 03:53
@cyphar cyphar marked this pull request as ready for review July 2, 2021 09:57
kolyshkin (Contributor) commented

Nice!

Should we mark this one as a draft, waiting for 0.6.2 (or whatever the next version is) of cilium/ebpf to be released?

@cyphar cyphar marked this pull request as draft July 6, 2021 08:30
cyphar (Member, Author) commented Jul 6, 2021

Sure, I marked it as a draft (though not sure when they'll do a release).

This was referenced Jul 8, 2021
kolyshkin (Contributor) commented

> Sure, I marked it as a draft (though not sure when they'll do a release).

Filed cilium/ebpf#340, hope they will cut a release soon.

cyphar added 2 commits July 14, 2021 11:17
We need to update the eBPF library so that we can get the raw syscall
errors from bpf(2) syscalls using errors.Is.

Signed-off-by: Aleksa Sarai <[email protected]>
This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS[1].

The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428

Fixes: d0f2c25 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <[email protected]>
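The behaviour the description and the commit messages describe, as an added Go example that is not runc's own code and does not use cilium/ebpf: a loader for attached program IDs is injected (a hypothetical stand-in for the bpf(2) BPF_PROG_GET_FD_BY_ID step), and the selection logic skips programs that vanished or that a foreign SELinux label makes inaccessible, relying on the fact that a %w-wrapped syscall.Errno matches os.ErrPermission (EACCES and EPERM) and os.ErrNotExist (ENOENT) under errors.Is. The program IDs, names and outcomes are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// loadFunc stands in for fetching a handle to an attached BPF program by ID
// (bpf(2) BPF_PROG_GET_FD_BY_ID). Hypothetical, injected so this runs without a kernel.
type loadFunc func(id uint32) (string, error)

// selectReplaceable decides which programs attached to a cgroup this process may
// replace: ones that vanished (ENOENT) or that an SELinux label makes inaccessible
// (EACCES/EPERM) are skipped and reported; any other error aborts, because
// silently dropping a device filter is the unsafe direction.
func selectReplaceable(ids []uint32, load loadFunc) (keep []string, skipped []uint32, err error) {
	for _, id := range ids {
		name, lerr := load(id)
		switch {
		case lerr == nil:
			keep = append(keep, name)
		case errors.Is(lerr, os.ErrNotExist), errors.Is(lerr, os.ErrPermission):
			// syscall.Errno implements Is(): through %w wrapping, ENOENT matches
			// os.ErrNotExist and both EACCES and EPERM match os.ErrPermission.
			skipped = append(skipped, id)
		default:
			return nil, nil, fmt.Errorf("cannot inspect program %d: %w", id, lerr)
		}
	}
	return keep, skipped, nil
}

// constructedLoad is a made-up kernel: program 1 is ours, 2 was attached by systemd
// under a label we may not read, 3 was detached meanwhile; anything else fails oddly.
func constructedLoad(id uint32) (string, error) {
	wrap := func(e syscall.Errno) error {
		return fmt.Errorf("bpf(BPF_PROG_GET_FD_BY_ID, id=%d): %w", id, e)
	}
	switch id {
	case 1:
		return "runc-devices", nil
	case 2:
		return "", wrap(syscall.EACCES)
	case 3:
		return "", wrap(syscall.ENOENT)
	}
	return "", wrap(syscall.EINVAL)
}
```

Calling selectReplaceable([]uint32{1, 2, 3}, constructedLoad) keeps only "runc-devices" and reports 2 and 3 as skipped; an ID that fails with EINVAL makes the whole call return an error instead of quietly continuing.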
@cyphar cyphar marked this pull request as ready for review July 14, 2021 01:17
kolyshkin (Contributor) left a comment


LGTM

thaJeztah (Member) commented

Got a report that the fix may not be sufficient, and errors still pop up (I asked them to open a ticket in this repository); moby/moby#42677 (comment)

@kolyshkin kolyshkin added backport/1.0-done A PR in main branch which has been backported to release-1.0 and removed backport/1.0-todo A PR in main branch which needs to be backported to release-1.0 labels Nov 30, 2021
Labels: area/cgroupv2, area/ebpf, backport/1.0-done, kind/bug, regression