From 81707abd33d2ddebcd8ceeb08dfc01bf86d8badd Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Sun, 7 Feb 2021 19:03:18 +0100
Subject: [PATCH] ebpf: fix device access check

Checking the access mode as bellow

    if (R3 & bpfAccess == 0 /* use R1 as a temp var */) goto next

does not handle correctly device file probing with:

    access(dev_name, F_OK)

F_OK does not trigger read or write access. Instead the access type in
R3 in that case will be zero and the check will not pass even if "rw" is
allowed for the device file. Comparing the 'masked' access type with the
requested one solves the issue:

    if (R3 & bpfAccess != R3 /* use R1 as a temp var */) goto next

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 libcontainer/cgroups/ebpf/devicefilter/devicefilter.go      | 4 ++--
 libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
index a173fd4a16f..fcd3746e023 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
@@ -127,10 +127,10 @@ func (p *program) appendDevice(dev *devices.Rule) error {
 	}
 	if hasAccess {
 		p.insts = append(p.insts,
-			// if (R3 & bpfAccess == 0 /* use R1 as a temp var */) goto next
+			// if (R3 & bpfAccess != R3 /* use R1 as a temp var */) goto next
 			asm.Mov.Reg32(asm.R1, asm.R3),
 			asm.And.Imm32(asm.R1, bpfAccess),
-			asm.JEq.Imm(asm.R1, 0, nextBlockSym),
+			asm.JNE.Reg(asm.R1, asm.R3, nextBlockSym),
 		)
 	}
 	if hasMajor {
diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
index f714bcac272..cfcaa20306a 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
@@ -121,7 +121,7 @@ block-9:
         50: JNEImm dst: r2 off: -1 imm: 1 <block-10>
         51: Mov32Reg dst: r1 src: r3
         52: And32Imm dst: r1 imm: 1
-        53: JEqImm dst: r1 off: -1 imm: 0 <block-10>
+        53: JNEReg dst: r1 off: -1 src: r3 <block-10>
         54: Mov32Imm dst: r0 imm: 1
         55: Exit
 block-10:
@@ -129,7 +129,7 @@ block-10:
         56: JNEImm dst: r2 off: -1 imm: 2 <block-11>
         57: Mov32Reg dst: r1 src: r3
         58: And32Imm dst: r1 imm: 1
-        59: JEqImm dst: r1 off: -1 imm: 0 <block-11>
+        59: JNEReg dst: r1 off: -1 src: r3 <block-11>
         60: Mov32Imm dst: r0 imm: 1
         61: Exit
 block-11: