Add ErrNotPermitted error for permission denied in feature probes #1949
Open
javiercardona-work wants to merge 2 commits into cilium:main from
Add ErrNotPermitted error to distinguish permission denied (EPERM)
from feature not supported (EINVAL) in feature probes.
Previously, EPERM and EINVAL were both mapped to ErrNotSupported.
This was imprecise: EPERM means the kernel recognized the request
but denied permission, indicating the feature exists. EINVAL means
the kernel doesn't recognize the request.
Now feature probes return:
- nil: feature is supported and accessible
- ErrNotSupported: kernel doesn't have the feature
- ErrNotPermitted: feature exists but permission denied
This gives callers richer information for diagnostics and error
messages while maintaining backward compatibility (callers can
still check err != nil for "can't use this feature").
ErrNotPermitted wraps the original EPERM error so callers can
unwrap if needed.
BREAKING CHANGE: Code that checks for ErrNotSupported to handle
"feature unavailable" cases will no longer catch permission errors.
To maintain previous behavior, update code as follows:
Before:
    if errors.Is(err, ebpf.ErrNotSupported) {
        // handle unavailable feature
    }
After:
    if errors.Is(err, ebpf.ErrNotSupported) || errors.Is(err, ebpf.ErrNotPermitted) {
        // handle unavailable feature
    }
Or simply check for any error:
    if err != nil {
        // handle unavailable feature
    }
Signed-off-by: Javier Cardona <jcardona@meta.com>
Add TestErrNotPermitted to verify:
- ErrNotPermitted is distinct from ErrNotSupported
- Wrapped errors can be matched with errors.Is()
Update DocDetectXDP example to show how to handle ErrNotPermitted in addition to ErrNotSupported.
Signed-off-by: Javier Cardona <jcardona@meta.com>
Add ErrNotPermitted to distinguish permission denied (EPERM) from feature not supported (EINVAL) in feature probes.
Problem
Previously, feature probes treated EPERM and EINVAL identically, returning ErrNotSupported for both. This was imprecise:
Solution
Feature probes now return:
- nil: feature is supported and accessible
- ErrNotSupported: kernel doesn't have the feature
- ErrNotPermitted: feature exists but permission denied
ErrNotPermitted wraps the original EPERM error so callers can unwrap if needed.
Usage
Breaking Change
Code checking only for ErrNotSupported will no longer catch permission errors. To maintain previous behavior:
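The three probe outcomes this pull request describes, as an added Go example that is not code from the PR or from the cilium/ebpf library. ErrNotSupported and ErrNotPermitted below are local stand-ins for the sentinels, and probeError, classify and diagnose are hypothetical names; the errno inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// Local stand-ins for the sentinels discussed above (assumption: not the library's definitions).
var (
	ErrNotSupported = errors.New("not supported")
	ErrNotPermitted = errors.New("not permitted")
)

// probeError pairs a sentinel with the errno that caused it, so errors.Is
// matches the sentinel (via Is) and the original errno (via Unwrap).
type probeError struct{ sentinel, errno error }

func (e *probeError) Error() string        { return e.sentinel.Error() + ": " + e.errno.Error() }
func (e *probeError) Is(target error) bool { return target == e.sentinel }
func (e *probeError) Unwrap() error        { return e.errno }

// classify maps a raw probe result to the outcomes listed above.
func classify(err error) error {
	switch {
	case errors.Is(err, syscall.EPERM):
		return &probeError{ErrNotPermitted, syscall.EPERM}
	case errors.Is(err, syscall.EINVAL):
		return &probeError{ErrNotSupported, syscall.EINVAL}
	}
	return err // nil and unexpected errors pass through unchanged
}

// diagnose is a hypothetical caller that reports the two failures differently.
func diagnose(feature string, err error) string {
	switch {
	case err == nil:
		return feature + ": available"
	case errors.Is(err, ErrNotPermitted):
		return feature + ": present in kernel, but this process lacks permission"
	case errors.Is(err, ErrNotSupported):
		return feature + ": not available in this kernel"
	}
	return feature + ": probe failed: " + err.Error()
}

func main() {
	for _, raw := range []error{nil, syscall.EPERM, syscall.EINVAL, syscall.ENOMEM} {
		fmt.Println(diagnose("XDP", classify(raw))) // constructed errno inputs
	}
}
```

A caller that checks only `errors.Is(err, ErrNotSupported)` no longer matches the EPERM case, which is the breaking change described above.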