[syserror] Update syserror to linuxerr for EACCES, EBADF, and EPERM.

Update all instances of the above errors to the faster linuxerr implementation. With the temporary linuxerr.Equals(), no logical changes are made. PiperOrigin-RevId: 382306655
author: Zach Koopmans <zkoopmans@google.com> 2021-06-30 08:15:44 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-06-30 08:18:59 -0700
commit: 6ef268409620c57197b9d573e23be8cb05dbf381 (patch)
tree: 6dddb49b605335939b7ef7b23c50a3eadee5e912 /pkg/sentry/vfs/permissions.go
parent: 66a79461a23e5e98c53a809eda442393cd6925b3 (diff)
1 files changed, 14 insertions, 13 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go
index b7704874f..22abdd5b8 100644
--- a/pkg/sentry/vfs/permissions.go
+++ b/pkg/sentry/vfs/permissions.go
@@ -20,6 +20,7 @@ import (
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
+	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sentry/limits"
 	"gvisor.dev/gvisor/pkg/syserror"
@@ -77,7 +78,7 @@ func GenericCheckPermissions(creds *auth.Credentials, ats AccessTypes, mode linu
 	// the caller's user namespace; compare
 	// kernel/capability.c:privileged_wrt_inode_uidgid().
 	if !kuid.In(creds.UserNamespace).Ok() || !kgid.In(creds.UserNamespace).Ok() {
-		return syserror.EACCES
+		return linuxerr.EACCES
 	}
 	// CAP_DAC_READ_SEARCH allows the caller to read and search arbitrary
 	// directories, and read arbitrary non-directory files.
@@ -94,7 +95,7 @@ func GenericCheckPermissions(creds *auth.Credentials, ats AccessTypes, mode linu
 			return nil
 		}
 	}
-	return syserror.EACCES
+	return linuxerr.EACCES
 }
 
 // MayLink determines whether creating a hard link to a file with the given
@@ -110,12 +111,12 @@ func MayLink(creds *auth.Credentials, mode linux.FileMode, kuid auth.KUID, kgid
 
 	// Only regular files can be hard linked.
 	if mode.FileType() != linux.S_IFREG {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 
 	// Setuid files should not get pinned to the filesystem.
 	if mode&linux.S_ISUID != 0 {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 
 	// Executable setgid files should not get pinned to the filesystem, but we
@@ -123,7 +124,7 @@ func MayLink(creds *auth.Credentials, mode linux.FileMode, kuid auth.KUID, kgid
 
 	// Hardlinking to unreadable or unwritable sources is dangerous.
 	if err := GenericCheckPermissions(creds, MayRead|MayWrite, mode, kuid, kgid); err != nil {
-		return syserror.EPERM
+		return linuxerr.EPERM
 	}
 	return nil
 }
@@ -199,7 +200,7 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOpt
 	}
 	if stat.Mask&linux.STATX_MODE != 0 {
 		if !CanActAsOwner(creds, kuid) {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		// TODO(b/30815691): "If the calling process is not privileged (Linux:
 		// does not have the CAP_FSETID capability), and the group of the file
@@ -210,13 +211,13 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOpt
 	if stat.Mask&linux.STATX_UID != 0 {
 		if !((creds.EffectiveKUID == kuid && auth.KUID(stat.UID) == kuid) ||
 			HasCapabilityOnFile(creds, linux.CAP_CHOWN, kuid, kgid)) {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 	}
 	if stat.Mask&linux.STATX_GID != 0 {
 		if !((creds.EffectiveKUID == kuid && creds.InGroup(auth.KGID(stat.GID))) ||
 			HasCapabilityOnFile(creds, linux.CAP_CHOWN, kuid, kgid)) {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 	}
 	if opts.NeedWritePerm && !creds.HasCapability(linux.CAP_DAC_OVERRIDE) {
@@ -229,7 +230,7 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOpt
 			if (stat.Mask&linux.STATX_ATIME != 0 && stat.Atime.Nsec != linux.UTIME_NOW) ||
 				(stat.Mask&linux.STATX_MTIME != 0 && stat.Mtime.Nsec != linux.UTIME_NOW) ||
 				(stat.Mask&linux.STATX_CTIME != 0 && stat.Ctime.Nsec != linux.UTIME_NOW) {
-				return syserror.EPERM
+				return linuxerr.EPERM
 			}
 			if err := GenericCheckPermissions(creds, MayWrite, mode, kuid, kgid); err != nil {
 				return err
@@ -252,7 +253,7 @@ func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, paren
 		HasCapabilityOnFile(creds, linux.CAP_FOWNER, childKUID, childKGID) {
 		return nil
 	}
-	return syserror.EPERM
+	return linuxerr.EPERM
 }
 
 // CanActAsOwner returns true if creds can act as the owner of a file with the
@@ -306,7 +307,7 @@ func CheckXattrPermissions(creds *auth.Credentials, ats AccessTypes, mode linux.
 			return nil
 		}
 		if ats.MayWrite() {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 		return syserror.ENODATA
 	case strings.HasPrefix(name, linux.XATTR_USER_PREFIX):
@@ -316,12 +317,12 @@ func CheckXattrPermissions(creds *auth.Credentials, ats AccessTypes, mode linux.
 		filetype := mode.FileType()
 		if filetype != linux.ModeRegular && filetype != linux.ModeDirectory {
 			if ats.MayWrite() {
-				return syserror.EPERM
+				return linuxerr.EPERM
 			}
 			return syserror.ENODATA
 		}
 		if filetype == linux.ModeDirectory && mode&linux.ModeSticky != 0 && ats.MayWrite() && !CanActAsOwner(creds, kuid) {
-			return syserror.EPERM
+			return linuxerr.EPERM
 		}
 	}
 	return nil
author	Zach Koopmans <zkoopmans@google.com>	2021-06-30 08:15:44 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-06-30 08:18:59 -0700
commit	6ef268409620c57197b9d573e23be8cb05dbf381 (patch)
tree	6dddb49b605335939b7ef7b23c50a3eadee5e912 /pkg/sentry/vfs/permissions.go
parent	66a79461a23e5e98c53a809eda442393cd6925b3 (diff)