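--- a/lib/tbot/botfs/fs_linux.go
+++ b/lib/tbot/botfs/fs_linux.go
@@ -90,20 +90,15 @@ func openSymlinksMode(path string, mode OpenMode, symlinksMode SymlinksMode) (*o
 case SymlinksSecure:
 file, err = openSecure(path, mode)
 if err == unix.ENOSYS {
-return nil, trace.Errorf("openSecure(%q) failed due to missing "+
-"syscall; `symlinks: insecure` may be required for this "+
-"system", path)
+return nil, trace.Errorf("openSecure failed due to missing syscall; configure `symlinks: insecure` for %q", path)
 } else if err != nil {
 return nil, trace.Wrap(err)
 }
 case SymlinksTrySecure:
 file, err = openSecure(path, mode)
 if err == unix.ENOSYS {
 missingSyscallWarning.Do(func() {
-log.Warnf("Failed to write to %q securely due to missing "+
-"syscall; falling back to regular file write. Set "+
-"`symlinks: insecure` on this destination to disable this "+
-"warning.", path)
+log.Warnf("Failed to open file securely due to missing syscall; falling back to regular file handling. Configure `symlinks: insecure` for %q to disable this warning.", path)
 })
 
 file, err = openStandard(path, mode)
@@ -169,9 +164,7 @@ func Create(path string, isDir bool, symlinksMode SymlinksMode) error {
 case SymlinksSecure:
 if err := createSecure(path, isDir); err != nil {
 if err == unix.ENOSYS {
-return trace.Errorf("createSecure(%q) failed due to missing "+
-"syscall; `symlinks: insecure` may be required for this "+
-"system", path)
+return trace.Errorf("createSecure failed due to missing syscall; configure `symlinks: insecure` for %q", path)
 }
 
 return trace.Wrap(err)
@@ -191,9 +184,7 @@ func Create(path string, isDir bool, symlinksMode SymlinksMode) error {
 // It's a bit gross to stuff this sync.Once into a global, but
 // hopefully that's forgivable since it just manages a log message.
 missingSyscallWarning.Do(func() {
-log.Warnf("Failed to create %q securely due to missing syscall; "+
-"falling back to regular file creation. Set `symlinks: "+
-"insecure` on this destination to disable this warning.", path)
+log.Warnf("Failed to create file securely due to missing syscall; falling back to regular file handling. Configure `symlinks: insecure` for %q to disable this warning.", path)
 })
 
 return trace.Wrap(createStandard(path, isDir))
@@ -440,6 +431,9 @@ func HasACLSupport() (bool, error) {
 // HasSecureWriteSupport determines if `CreateSecure()` should be supported
 // on this OS / kernel version. Note that it just checks the kernel version,
 // so this should be treated as a fallible hint.
+//
+// We've encountered this being incorrect in environments where access to the
+// kernel is hampered e.g. seccomp/apparmor/container runtimes.
 func HasSecureWriteSupport() (bool, error) {
 minKernel := semver.New(Openat2MinKernel)
 version, err := utils.KernelVersion()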
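Review bot: The reworded `missingSyscallWarning.Do` warnings in the `SymlinksTrySecure` branches of `openSymlinksMode` and `Create` now end with "for %q", but both share one global `sync.Once`, so only the first path that hits `unix.ENOSYS` is ever named. Every later destination still drops to `openStandard`/`createStandard` without the symlink-safe path and leaves no log trace, so an operator reading the single warning would likely conclude that only one destination lost the protection. Consider a per-path line outside the `Do`, for example `log.Debugf("secure symlink handling unavailable; using standard handling for %q", path)`, or word the once-only message without a specific path. Both functions start and end outside the visible hunks, so the rest of their bodies is not covered by this note.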