Skip to content

syscalls: do not conceal BPF_PROG_* syscall errors #334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cyphar wants to merge 1 commit into from
Closed

syscalls: do not conceal BPF_PROG_* syscall errors #334

cyphar wants to merge 1 commit into from

Conversation

@cyphar
Copy link
Contributor

@cyphar cyphar commented Jul 1, 2021
edited
Loading

The error wrapping code for BPF_PROG_* syscall-related errors would mask
the true source of all underlying syscall errors, which meant that you
couldn't detect several fairly important cases (such as -EACESS and
-EPERM). It seems that this behaviour wasn't intentional (prior to
commit de57e91, the behaviour was to bubble up the syscall error)
and the similar wrapping of BPF_MAP_* errors did bubble up the syscall
error too.

This is needed for runc to be able to detect permission errors due to
SELinux labels blocking certain operations (mainly NewProgramFromID),
and unifies the behaviour for BPF_PROG_* and BPF_MAP_* syscalls.

It turns out that wrapMapError doesn't actually wrap the either error,
but @lmb said they will come up with a better long term solution, so
leave this alone for now.

Ref: opencontainers/runc#3055
Fixes: de57e91 ("Add *GetNextID")
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar cyphar force-pushed the syscall-bpf_prog-error-wrapping branch from 7cf7600 to 26565c8 Compare July 1, 2021 04:05
lmb
lmb reviewed Jul 1, 2021
View reviewed changes
@cyphar cyphar force-pushed the syscall-bpf_prog-error-wrapping branch 2 times, most recently from 512de7d to c0a6c42 Compare July 2, 2021 04:28
@cyphar
syscalls: do not conceal BPF_PROG_* syscall errors
23adcaa 
The error wrapping code for BPF_PROG_* syscall-related errors would mask
the true source of all underlying syscall errors, which meant that you
couldn't detect several fairly important cases (such as -EACESS and
-EPERM). It seems that this behaviour wasn't intentional (prior to
commit de57e91, the behaviour was to bubble up the syscall error)
and the similar wrapping of BPF_MAP_* errors did bubble up the syscall
error too.

This is needed for runc to be able to detect permission errors due to
SELinux labels blocking certain operations (mainly NewProgramFromID),
and unifies the behaviour for BPF_PROG_* and BPF_MAP_* syscalls.

It turns out that wrapMapError doesn't actually wrap the either error,
but lmb said they will come up with a better long term solution, so
leave this alone for now.

Fixes: de57e91 ("Add *GetNextID")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the syscall-bpf_prog-error-wrapping branch from c0a6c42 to 23adcaa Compare July 2, 2021 04:30
@cyphar
Copy link
Contributor Author

cyphar commented Jul 2, 2021

#336 fixes this in a much nicer way.

@cyphar cyphar closed this Jul 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lmb lmb lmb left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cyphar @lmb