AgentSonar/permissions.go at main · knostic/AgentSonar · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package sai

import (
	"errors"
	"fmt"
	"runtime"
)

type PermissionReason int

const (
	ReasonUnknown PermissionReason = iota
	ReasonBPFAccess   // macOS: /dev/bpf* not readable
	ReasonBPFGroup    // macOS: user not in access_bpf group
	ReasonCapability  // Linux: missing cap_net_raw/cap_net_admin
)

func (r PermissionReason) String() string {
	switch r {
	case ReasonBPFAccess:
		return "BPF device not accessible"
	case ReasonBPFGroup:
		return "user not in access_bpf group"
	case ReasonCapability:
		return "missing network capture capabilities"
	default:
		return "unknown permission issue"
	}
}

type PermissionError struct {
	Reason   PermissionReason
	Platform string
	Err      error
}

func (e *PermissionError) Error() string {
	if e.Err != nil {
		return fmt.Sprintf("%s: %v", e.Reason, e.Err)
	}
	return e.Reason.String()
}

func (e *PermissionError) Unwrap() error {
	return e.Err
}

func (e *PermissionError) Hint() string {
	switch e.Reason {
	case ReasonBPFAccess, ReasonBPFGroup:
		return "run 'agentsonar install' to configure BPF permissions"
	case ReasonCapability:
		return "run 'agentsonar install' to configure capture capabilities"
	default:
		return "run 'agentsonar install' to configure permissions"
	}
}

func isPermissionError(err error) bool {
	if err == nil {
		return false
	}
	msg := err.Error()
	switch runtime.GOOS {
	case "darwin":
		return contains(msg, "permission denied") ||
			contains(msg, "you don't have permission") ||
			contains(msg, "Operation not permitted")
	case "linux":
		return contains(msg, "permission denied") ||
			contains(msg, "Operation not permitted") ||
			contains(msg, "EPERM")
	}
	return contains(msg, "permission denied")
}

func contains(s, substr string) bool {
	return len(s) >= len(substr) && searchSubstring(s, substr)
}

func searchSubstring(s, substr string) bool {
	for i := 0; i <= len(s)-len(substr); i++ {
		if matchAt(s, substr, i) {
			return true
		}
	}
	return false
}

func matchAt(s, substr string, start int) bool {
	for j := 0; j < len(substr); j++ {
		sc := s[start+j]
		pc := substr[j]
		if sc >= 'A' && sc <= 'Z' {
			sc += 32
		}
		if pc >= 'A' && pc <= 'Z' {
			pc += 32
		}
		if sc != pc {
			return false
		}
	}
	return true
}

func IsPermissionError(err error) bool {
	var permErr *PermissionError
	return errors.As(err, &permErr)
}