[syserror] Update syserror to linuxerr for EACCES, EBADF, and EPERM.

Update all instances of the above errors to the faster linuxerr implementation. With the temporary linuxerr.Equals(), no logical changes are made. PiperOrigin-RevId: 382306655
author: Zach Koopmans <zkoopmans@google.com> 2021-06-30 08:15:44 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-06-30 08:18:59 -0700
commit: 6ef268409620c57197b9d573e23be8cb05dbf381 (patch)
tree: 6dddb49b605335939b7ef7b23c50a3eadee5e912 /pkg/sentry/kernel/auth
parent: 66a79461a23e5e98c53a809eda442393cd6925b3 (diff)
3 files changed, 17 insertions, 18 deletions
diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go
index 32c344399..fc245c54b 100644
--- a/pkg/sentry/kernel/auth/credentials.go
+++ b/pkg/sentry/kernel/auth/credentials.go
@@ -17,7 +17,6 @@ package auth
 import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
-	"gvisor.dev/gvisor/pkg/syserror"
 )
 
 // Credentials contains information required to authorize privileged operations
@@ -215,7 +214,7 @@ func (c *Credentials) UseUID(uid UID) (KUID, error) {
 	if kuid == c.RealKUID || kuid == c.EffectiveKUID || kuid == c.SavedKUID {
 		return kuid, nil
 	}
-	return NoID, syserror.EPERM
+	return NoID, linuxerr.EPERM
 }
 
 // UseGID checks that c can use gid in its user namespace, then translates it
@@ -231,7 +230,7 @@ func (c *Credentials) UseGID(gid GID) (KGID, error) {
 	if kgid == c.RealKGID || kgid == c.EffectiveKGID || kgid == c.SavedKGID {
 		return kgid, nil
 	}
-	return NoID, syserror.EPERM
+	return NoID, linuxerr.EPERM
 }
 
 // SetUID translates the provided uid to the root user namespace and updates c's
diff --git a/pkg/sentry/kernel/auth/id_map.go b/pkg/sentry/kernel/auth/id_map.go
index 955b6d40b..f06a374a0 100644
--- a/pkg/sentry/kernel/auth/id_map.go
+++ b/pkg/sentry/kernel/auth/id_map.go
@@ -18,7 +18,6 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
-	"gvisor.dev/gvisor/pkg/syserror"
 )
 
 // MapFromKUID translates kuid, a UID in the root namespace, to a UID in ns.
@@ -107,7 +106,7 @@ func (ns *UserNamespace) SetUIDMap(ctx context.Context, entries []IDMapEntry) er
 	// than once to a uid_map file in a user namespace fails with the error
 	// EPERM. Similar rules apply for gid_map files." - user_namespaces(7)
 	if !ns.uidMapFromParent.IsEmpty() {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	// "At least one line must be written to the file."
 	if len(entries) == 0 {
@@ -122,12 +121,12 @@ func (ns *UserNamespace) SetUIDMap(ctx context.Context, entries []IDMapEntry) er
 	// in the user namespace of the process pid.
 	// """
 	if !c.HasCapabilityIn(linux.CAP_SETUID, ns) {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	// "2. The writing process must either be in the user namespace of the process
 	// pid or be in the parent user namespace of the process pid."
 	if c.UserNamespace != ns && c.UserNamespace != ns.parent {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	// """
 	// 3. (see trySetUIDMap)
@@ -146,14 +145,14 @@ func (ns *UserNamespace) SetUIDMap(ctx context.Context, entries []IDMapEntry) er
 		//   parent user namespace to a user ID (group ID) in the user namespace.
 		// """
 		if len(entries) != 1 || ns.parent.MapToKUID(UID(entries[0].FirstParentID)) != c.EffectiveKUID || entries[0].Length != 1 {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		// """
 		//   + The writing process must have the same effective user ID as the
 		//   process that created the user namespace.
 		// """
 		if c.EffectiveKUID != ns.owner {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 	}
 	// trySetUIDMap leaves data in maps if it fails.
@@ -183,7 +182,7 @@ func (ns *UserNamespace) trySetUIDMap(entries []IDMapEntry) error {
 		// mappings when it's created, so SetUIDMap would have returned EPERM
 		// without reaching this point if ns is root.
 		if !ns.parent.allIDsMapped(&ns.parent.uidMapToParent, e.FirstParentID, lastParentID) {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		// If either of these Adds fail, we have an overlapping range.
 		if !ns.uidMapFromParent.Add(idMapRange{e.FirstParentID, lastParentID}, e.FirstID) {
@@ -203,24 +202,24 @@ func (ns *UserNamespace) SetGIDMap(ctx context.Context, entries []IDMapEntry) er
 	ns.mu.Lock()
 	defer ns.mu.Unlock()
 	if !ns.gidMapFromParent.IsEmpty() {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	if len(entries) == 0 {
 		return linuxerr.EINVAL
 	}
 	if !c.HasCapabilityIn(linux.CAP_SETGID, ns) {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	if c.UserNamespace != ns && c.UserNamespace != ns.parent {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	if !c.HasCapabilityIn(linux.CAP_SETGID, ns.parent) {
 		if len(entries) != 1 || ns.parent.MapToKGID(GID(entries[0].FirstParentID)) != c.EffectiveKGID || entries[0].Length != 1 {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		// It's correct for this to still be UID.
 		if c.EffectiveKUID != ns.owner {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		// "In the case of gid_map, use of the setgroups(2) system call must
 		// first be denied by writing "deny" to the /proc/[pid]/setgroups file
@@ -247,7 +246,7 @@ func (ns *UserNamespace) trySetGIDMap(entries []IDMapEntry) error {
 			return linuxerr.EINVAL
 		}
 		if !ns.parent.allIDsMapped(&ns.parent.gidMapToParent, e.FirstParentID, lastParentID) {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		if !ns.gidMapFromParent.Add(idMapRange{e.FirstParentID, lastParentID}, e.FirstID) {
 			return linuxerr.EINVAL
diff --git a/pkg/sentry/kernel/auth/user_namespace.go b/pkg/sentry/kernel/auth/user_namespace.go
index 9dd52c860..bec0c28cd 100644
--- a/pkg/sentry/kernel/auth/user_namespace.go
+++ b/pkg/sentry/kernel/auth/user_namespace.go
@@ -17,6 +17,7 @@ package auth
 import (
 	"math"
 
+	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 	"gvisor.dev/gvisor/pkg/sync"
 	"gvisor.dev/gvisor/pkg/syserror"
 )
@@ -114,10 +115,10 @@ func (c *Credentials) NewChildUserNamespace() (*UserNamespace, error) {
 	// process are mapped to user IDs and group IDs in the user namespace of
 	// the calling process at the time of the call." - unshare(2)
 	if !c.EffectiveKUID.In(c.UserNamespace).Ok() {
-		return nil, syserror.EPERM
+		return nil, linuxerr.EPERM
 	}
 	if !c.EffectiveKGID.In(c.UserNamespace).Ok() {
-		return nil, syserror.EPERM
+		return nil, linuxerr.EPERM
 	}
 	return &UserNamespace{
 		parent: c.UserNamespace,
author	Zach Koopmans <zkoopmans@google.com>	2021-06-30 08:15:44 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-06-30 08:18:59 -0700
commit	6ef268409620c57197b9d573e23be8cb05dbf381 (patch)
tree	6dddb49b605335939b7ef7b23c50a3eadee5e912 /pkg/sentry/kernel/auth
parent	66a79461a23e5e98c53a809eda442393cd6925b3 (diff)