
cgroup2: devices: handle eBPF skipping more correctly #2793

Merged
merged 1 commit into from
Feb 9, 2021

Conversation

cyphar
Member

@cyphar cyphar commented Feb 5, 2021

In the past we incorrectly handled eBPF errors in two ways:

  1. We would only ignore errors if there was an allow rule in the list
    (this doesn't make sense because for security purposes we only care
    if a deny rule is being ignored). Arguably this is a security flaw
    but you would only get an error from bpf(2) in rare cases, and thus
    is not a big enough deal to go through security review.

  2. If we were in a rootless container we would still return an error
    even though bpf(2) is blocked for rootless containers.

Fixes #2792
Signed-off-by: Aleksa Sarai <[email protected]>
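The decision the description lays out (a bpf(2) failure is only harmless when no deny rule would be silently dropped, and is always expected in a rootless user namespace where bpf(2) is blocked) as an added, stand-alone Go example. This is not runc's code: the `deviceRule` type, `canSkipEBPFError` and `classifyBPFFailure` are assumptions made here for illustration. It also generalizes one step beyond the PR text: an allow rule that grants only some of "rwm" is treated as a restriction too, since once a cgroup v2 device program is attached only the access it explicitly allows passes.

```go
package main

import (
	"errors"
	"fmt"
)

// deviceRule is a simplified stand-in (assumption, not runc's own type) for
// one entry of a container's device cgroup rule list.
type deviceRule struct {
	Path        string
	Allow       bool   // true = allow rule, false = deny rule
	Permissions string // subset of "rwm" (read, write, mknod)
}

// isRWM reports whether a permission string grants all three access modes.
func isRWM(perms string) bool {
	var r, w, m bool
	for _, c := range perms {
		switch c {
		case 'r':
			r = true
		case 'w':
			w = true
		case 'm':
			m = true
		}
	}
	return r && w && m
}

// canSkipEBPFError decides whether a failed bpf(2) call while attaching the
// device filter may be tolerated.
//
//   - rootless: bpf(2) is unavailable inside an unprivileged user namespace,
//     so the failure is expected and the container may proceed.
//   - otherwise: the failure may only be ignored when the rule list restricts
//     nothing, i.e. there is no deny rule and every allow rule grants "rwm".
//     A partial allow rule implicitly denies the missing modes, so it counts
//     as a restriction as well (generalization beyond the PR text).
func canSkipEBPFError(rules []deviceRule, rootless bool) bool {
	if rootless {
		return true
	}
	for _, rule := range rules {
		if !rule.Allow || !isRWM(rule.Permissions) {
			// Skipping the filter here would silently drop a restriction.
			return false
		}
	}
	return true
}

// classifyBPFFailure is the shape a caller would use: nil means "continue
// without the filter", a non-nil error means "fail container setup".
func classifyBPFFailure(bpfErr error, rules []deviceRule, rootless bool) error {
	if bpfErr == nil {
		return nil
	}
	if canSkipEBPFError(rules, rootless) {
		return nil
	}
	return fmt.Errorf("device filter could not be attached and rules would be lost: %w", bpfErr)
}

func main() {
	// Constructed sample rule sets, not taken from any real container config.
	allowOnly := []deviceRule{{Path: "/dev/null", Allow: true, Permissions: "rwm"}}
	withDeny := append(allowOnly, deviceRule{Path: "/dev/sda", Allow: false, Permissions: "rwm"})
	// Constructed stand-in for the error bpf(2) returns in a user namespace.
	bpfErr := errors.New("bpf: operation not permitted")

	fmt.Println("allow-only, rootful :", classifyBPFFailure(bpfErr, allowOnly, false))
	fmt.Println("with deny, rootful  :", classifyBPFFailure(bpfErr, withDeny, false))
	fmt.Println("with deny, rootless :", classifyBPFFailure(bpfErr, withDeny, true))
}
```

Running it prints `<nil>` for the first and third case and an error for the second: a deny rule in a rootful container is the one situation where ignoring the bpf(2) failure would weaken the intended policy.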

@cyphar cyphar requested a review from AkihiroSuda February 5, 2021 06:43
@cyphar
Member Author

cyphar commented Feb 5, 2021

@PeterCxy can you check if this fixes the issue for you?

@PeterCxy

PeterCxy commented Feb 5, 2021

@cyphar (Please ignore my last deleted reply, it was a mistake)

I can confirm this fixed #2792 and now Docker works fine with runc inside unprivileged containers with cgroups v2

giuseppe
giuseppe previously approved these changes Feb 5, 2021
Member

@giuseppe giuseppe left a comment


LGTM

AkihiroSuda
AkihiroSuda previously approved these changes Feb 5, 2021
@mrunalp mrunalp merged commit 2dbfa87 into opencontainers:master Feb 9, 2021
@cyphar cyphar deleted the cgroup2-ebpf-userns branch February 10, 2021 03:33
6 participants