bpf: Return better error codes from hooked syscalls

When a syscall is rejected in BPF, by default the error code returned is -EPERM. Set more appropriate codes explicitly in the remaining places. The new error codes are chosen according to the documented possible return values of connect() and bind() syscalls in their corresponding man pages. When there is no health service to connect, ECONNREFUSED is returned. When map_update_elem returns an error (should only happen if max_entries is exceeded), ENOBUFS is returned, which is the closest error from the man page that indicates some internal error of the implementation: `Insufficient resources were available to complete the call`. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
cilium · Jan 11, 2023 · 47eae08 · 47eae08
1 parent 274614f
commit 47eae08
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c
@@ -456,8 +456,13 @@ int cil_sock4_connect(struct bpf_sock_addr *ctx)
 {
 	int err;
 
-	if (sock_is_health_check(ctx))
-		return __sock4_health_fwd(ctx);
+	if (sock_is_health_check(ctx)) {
+		int ret = __sock4_health_fwd(ctx);
+
+		if (ret == SYS_REJECT)
+			try_set_retval(-ECONNREFUSED);
+		return ret;
+	}
 
 	err = __sock4_xlate_fwd(ctx, ctx, false);
 	if (err == -EHOSTUNREACH || err == -ENOMEM) {
@@ -555,8 +560,10 @@ int cil_sock4_pre_bind(struct bpf_sock_addr *ctx)
 	    !ctx_in_hostns(ctx, NULL))
 		return ret;
 	if (sock_is_health_check(ctx) &&
-	    __sock4_pre_bind(ctx, ctx))
+	    __sock4_pre_bind(ctx, ctx)) {
+		try_set_retval(-ENOBUFS);
 		ret = SYS_REJECT;
+	}
 	return ret;
 }
 #endif /* ENABLE_HEALTH_CHECK */
@@ -950,8 +957,10 @@ int cil_sock6_pre_bind(struct bpf_sock_addr *ctx)
 	    !ctx_in_hostns(ctx, NULL))
 		return ret;
 	if (sock_is_health_check(ctx) &&
-	    __sock6_pre_bind(ctx))
+	    __sock6_pre_bind(ctx)) {
+		try_set_retval(-ENOBUFS);
 		ret = SYS_REJECT;
+	}
 	return ret;
 }
 #endif /* ENABLE_HEALTH_CHECK */
@@ -1101,8 +1110,13 @@ int cil_sock6_connect(struct bpf_sock_addr *ctx)
 {
 	int err;
 
-	if (sock_is_health_check(ctx))
-		return __sock6_health_fwd(ctx);
+	if (sock_is_health_check(ctx)) {
+		int ret = __sock6_health_fwd(ctx);
+
+		if (ret == SYS_REJECT)
+			try_set_retval(-ECONNREFUSED);
+		return ret;
+	}
 
 	err = __sock6_xlate_fwd(ctx, false);
 	if (err == -EHOSTUNREACH || err == -ENOMEM) {

diff --git a/bpf/include/bpf/errno.h b/bpf/include/bpf/errno.h
@@ -33,9 +33,15 @@
 #ifndef ECONNRESET
 # define ECONNRESET	104
 #endif
+#ifndef ENOBUFS
+# define ENOBUFS	105
+#endif
 #ifndef ENOTCONN
 # define ENOTCONN	107
 #endif
+#ifndef ECONNREFUSED
+# define ECONNREFUSED	111
+#endif
 #ifndef EHOSTUNREACH
 # define EHOSTUNREACH	113
 #endif