Issue in permissions checking in nvcgo/internal/cgroup/ebpf.go ?
oOraph opened this issue · 2 comments
I'm probably missing something here. Can someone explain me this code part ?
https://github.com/NVIDIA/libnvidia-container/blob/main/src/nvcgo/internal/cgroup/ebpf.go#L139C4-L139C4
R3 & bpfAccess == 0
is not enough is it ?
example:
device access permissions: r _ _ (bpfAccess == unix.BPF_DEVCG_ACC_READ
)
device access request: r w _ (R3 = unix.BPF_DEVCG_ACC_READ | unix.BPF_DEVCG_ACC_WRITE
)
then R3 & bpfAccess != 0
which makes the device a potential candidate to be accepted for write permissions despite the device access being only read ?
Am I missing something ?
Shouldn't we rather have something like this ?
if (R3 & unix.BPF_DEVCG_ACC_READ != 0) && (bpfAccess & unix.BPF_DEVCG_ACC_READ == 0) goto next
if (R3 & unix.BPF_DEVCG_ACC_WRITE != 0) && (bpfAccess & unix.BPF_DEVCG_ACC_WRITE == 0) goto next
if (R3 & unix.BPF_DEVCG_ACC_MKNOD != 0) && (bpfAccess & unix.BPF_DEVCG_ACC_MKNOD == 0) goto next
Note that I got confirmation that there is indeed an issue:
the check should rather be R3 & bpfAccess != R3
as it is now the case on main branch here:
https://github.com/containers/crun/blob/main/src/libcrun/ebpf.c#L220
And even so it's still arbitrary anyway because then we check for a match with the device permissions at the time of the bpf program forgery, not the time of the bpf program execution