fix(container): stop masking procfs access errors

Map only ErrNotExist to ErrContainerFSUnreachable in
the GetHostAbsPath fallback path, so dead-process
races are quietly handled while real access errors
(e.g. ErrPermission from missing CAP_SYS_PTRACE or
Yama ptrace_scope restrictions) propagate to callers
and surface at error level.

Also wrap errors with %w in getProcessFSRoot to
preserve the error chain for callers using errors.Is.

Author: ethical-buddy

pkg/datastores/container/path_resolver.go

@@ -82,7 +82,11 @@ func (cPathRes *ContainerPathResolver) GetHostAbsPath(mountNSAbsolutePath string
 
 	procFSRoot, err := cPathRes.getProcessFSRoot(uint(pid))
 	if err != nil {
-		return "", errfmt.Errorf("could not access process %d FS: %v", pid, err)
+		if errors.Is(err, fs.ErrNotExist) {
+			return "", ErrContainerFSUnreachable
+		}
+
+		return "", errfmt.Errorf("could not access process %d FS: %w", pid, err)
 	}
 
 	// register this process in the mount namespace
@@ -105,7 +109,7 @@ func (cPathRes *ContainerPathResolver) getProcessFSRoot(pid uint) (string, error
 	entries, err := fs.ReadDir(cPathRes.fs, strings.TrimPrefix(procRootPath, "/"))
 	if err != nil {
 		// This process is either not alive or we don't have permissions to access.
-		return "", errfmt.Errorf("failed accessing process FS root %s: %v", procRootPath, err)
+		return "", errfmt.WrapError(fmt.Errorf("failed accessing process FS root %s: %w", procRootPath, err))
 	}
 	if len(entries) == 0 {
 		return "", errfmt.Errorf("process FS root (%s) is empty", procRootPath)
@@ -307,6 +311,6 @@ func (cPathRes *ContainerPathResolver) isFileAccessible(path string) bool {
 }
 
 var (
-	ErrContainerFSUnreachable = errors.New("container file system is unreachable in mount namespace because there are not living children")
+	ErrContainerFSUnreachable = errors.New("container file system is unreachable in mount namespace")
 	ErrNonAbsolutePath        = errors.New("file path is not absolute in its container mount point")
 )

pkg/datastores/container/path_resolver_test.go

@@ -1,7 +1,9 @@
 package container
 
 import (
+	"errors"
 	"fmt"
+	"io/fs"
 	"testing"
 	"testing/fstest"
 
@@ -337,3 +339,44 @@ func TestPathResolver_isFileAccessible(t *testing.T) {
 	// Test with a directory (should be accessible but not readable as a file)
 	assert.True(t, pres.isFileAccessible("/proc"))
 }
+
+// errorFS is a fake fs.FS that returns a fixed error for all ReadDir calls.
+type errorFS struct {
+	err error
+}
+
+func (e errorFS) Open(name string) (fs.File, error) {
+	return nil, &fs.PathError{Op: "open", Path: name, Err: e.err}
+}
+
+func (e errorFS) ReadDir(name string) ([]fs.DirEntry, error) {
+	return nil, &fs.PathError{Op: "readdir", Path: name, Err: e.err}
+}
+
+func TestPathResolver_getProcessFSRoot_PermissionDenied(t *testing.T) {
+	t.Parallel()
+
+	bucket := bucketcache.BucketCache{}
+	bucket.Init(20)
+	pres := InitContainerPathResolver(&bucket)
+	pres.fs = errorFS{err: fs.ErrPermission}
+
+	_, err := pres.getProcessFSRoot(1234)
+	require.Error(t, err)
+	assert.ErrorIs(t, err, fs.ErrPermission)
+	assert.False(t, errors.Is(err, fs.ErrNotExist))
+}
+
+func TestPathResolver_getProcessFSRoot_NotExist(t *testing.T) {
+	t.Parallel()
+
+	bucket := bucketcache.BucketCache{}
+	bucket.Init(20)
+	pres := InitContainerPathResolver(&bucket)
+	pres.fs = errorFS{err: fs.ErrNotExist}
+
+	_, err := pres.getProcessFSRoot(1234)
+	require.Error(t, err)
+	assert.ErrorIs(t, err, fs.ErrNotExist)
+	assert.True(t, errors.Is(err, fs.ErrNotExist))
+}