Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue in permissions checking in nvcgo/internal/cgroup/ebpf.go ? #227

Open
oOraph opened this issue Oct 26, 2023 · 2 comments
Open

Issue in permissions checking in nvcgo/internal/cgroup/ebpf.go ? #227

oOraph opened this issue Oct 26, 2023 · 2 comments

Comments

@oOraph
Copy link
Contributor

oOraph commented Oct 26, 2023
edited
Loading

I'm probably missing something here. Can someone explain me this code part ?
https://github.com/NVIDIA/libnvidia-container/blob/main/src/nvcgo/internal/cgroup/ebpf.go#L139C4-L139C4

R3 & bpfAccess == 0 is not enough is it ?

example:
device access permissions: r _ _ (bpfAccess == unix.BPF_DEVCG_ACC_READ)
device access request: r w _ (R3 = unix.BPF_DEVCG_ACC_READ | unix.BPF_DEVCG_ACC_WRITE)

then R3 & bpfAccess != 0 which makes the device a potential candidate to be accepted for write permissions despite the device access being only read ?

Am I missing something ?

Shouldn't we rather have something like this ?

if (R3 & unix.BPF_DEVCG_ACC_READ != 0) && (bpfAccess & unix.BPF_DEVCG_ACC_READ == 0) goto next
if (R3 & unix.BPF_DEVCG_ACC_WRITE != 0) && (bpfAccess & unix.BPF_DEVCG_ACC_WRITE == 0) goto next
if (R3 & unix.BPF_DEVCG_ACC_MKNOD != 0) && (bpfAccess & unix.BPF_DEVCG_ACC_MKNOD == 0) goto next
@oOraph oOraph changed the title Issue in permissions checking in nvcgo/internal/cgroup/ebpf.go Issue in permissions checking in nvcgo/internal/cgroup/ebpf.go ? Oct 26, 2023
@oOraph oOraph mentioned this issue Nov 7, 2023
Closed
@oOraph
Copy link
Contributor Author

oOraph commented Nov 7, 2023
edited
Loading

Note that I got confirmation that there is indeed an issue:

containers/crun#1343

the check should rather be R3 & bpfAccess != R3 as it is now the case on main branch here:

https://github.com/containers/crun/blob/main/src/libcrun/ebpf.c#L220

And even so it's still arbitrary anyway because then we check for a match with the device permissions at the time of the bpf program forgery, not the time of the bpf program execution

oOraph added a commit to oOraph/libnvidia-container that referenced this issue Nov 7, 2023
@oOraph
ebpf cgroupdev program: fix device permission check issue
28375fe 
Related to:
NVIDIA#227

Signed-off-by: Raphael <[email protected]>
@oOraph oOraph mentioned this issue Nov 7, 2023
Closed
@oOraph
Copy link
Contributor Author

oOraph commented Nov 7, 2023

#229

Allan-Nava pushed a commit to HiWay-Media/libnvidia-container that referenced this issue Dec 5, 2023
@oOraph
Fix device permission check when using cgroupv2
580c009 
Related to:
NVIDIA#227

Signed-off-by: Raphael Glon <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@oOraph