Allow loading weak kfuncs without CAP_SYS_ADMIN#1950
Open
dylandreimerink wants to merge 3 commits intomainfrom
Open
Allow loading weak kfuncs without CAP_SYS_ADMIN#1950dylandreimerink wants to merge 3 commits intomainfrom
CAP_SYS_ADMIN#1950dylandreimerink wants to merge 3 commits intomainfrom
Conversation
This commits introduces the WithCapabilities helper function which allows us to write tests that assert behavior works correctly when certain capabilities are present or absent. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
This commit changes the TestWeakKfunc test so it runs without CAP_SYS_ADMIN to assert that we should be able to load BPF programs with weak kfuncs even when we don't have that capability. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
Currently when users attempt to load a program with a weak kfunc on a kernel that does not have that kfunc while lacking CAP_SYS_ADMIN, loading fails with the following error. > fixing up kfuncs: finding kfunc in kernel: find target in modules: > iterate modules: get next BTF ID: operation not permitted` This happens because when we are unable to find the kfunc in the kernel BTF, we attempt to look for it in kernel modules. Iterating over kernel modules requires CAP_SYS_ADMIN, and we throw the error we get back. This commit changes `findTargetInKernel` to wrap the EPERM error we get back when lacking CAP_SYS_ADMIN with btf.ErrNotFound. This allows the kfunc resolution logic to treat it the same way as if the kfunc was not found. For non weak kfuncs, this will still cause loading to fail, but for weak kfuncs, loading will now succeed. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently when users attempt to load a program with a weak kfunc on a kernel that does not have that kfunc while lacking
CAP_SYS_ADMIN, loading fails with the following error.This happens because when we are unable to find the kfunc in the kernel BTF, we attempt to look for it in kernel modules. Iterating over kernel modules requires
CAP_SYS_ADMIN, and we throw the error we get back.This PR changes
findTargetInKernelto wrap theEPERMerror we get back when lackingCAP_SYS_ADMINwithbtf.ErrNotFound. This allows the kfunc resolution logic to treat it the same way as if the kfunc was not found. For non weak kfuncs, this will still cause loading to fail, but for weak kfuncs, loading will now succeed.CurrentlyThe PR also includes a new test helper which allows us to drop capabilities to a specific set while running a callback so we can write tests that assert certain behavior works with reduced capabilities.
Fixes: #1929