Merge 216da0b7 (automated)

4 files changed, 477 insertions, 0 deletions

diff --git a/pkg/sentry/fs/fdpipe/fdpipe_state_autogen.go b/pkg/sentry/fs/fdpipe/fdpipe_state_autogen.go
new file mode 100755
index 000000000..46192664c
--- /dev/null
+++ b/pkg/sentry/fs/fdpipe/fdpipe_state_autogen.go
@@ -0,0 +1,27 @@
+// automatically generated by stateify.
+
+package fdpipe
+
+import (
+	"gvisor.googlesource.com/gvisor/pkg/state"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
+)
+
+func (x *pipeOperations) save(m state.Map) {
+	x.beforeSave()
+	var flags fs.FileFlags = x.saveFlags()
+	m.SaveValue("flags", flags)
+	m.Save("opener", &x.opener)
+	m.Save("readAheadBuffer", &x.readAheadBuffer)
+}
+
+func (x *pipeOperations) load(m state.Map) {
+	m.LoadWait("opener", &x.opener)
+	m.Load("readAheadBuffer", &x.readAheadBuffer)
+	m.LoadValue("flags", new(fs.FileFlags), func(y interface{}) { x.loadFlags(y.(fs.FileFlags)) })
+	m.AfterLoad(x.afterLoad)
+}
+
+func init() {
+	state.Register("fdpipe.pipeOperations", (*pipeOperations)(nil), state.Fns{Save: (*pipeOperations).save, Load: (*pipeOperations).load})
+}
diff --git a/pkg/sentry/fs/fdpipe/pipe.go b/pkg/sentry/fs/fdpipe/pipe.go
new file mode 100644
index 000000000..4ef7ea08a
--- /dev/null
+++ b/pkg/sentry/fs/fdpipe/pipe.go
@@ -0,0 +1,168 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package fdpipe implements common namedpipe opening and accessing logic.
+package fdpipe
+
+import (
+	"os"
+	"sync"
+	"syscall"
+
+	"gvisor.googlesource.com/gvisor/pkg/fd"
+	"gvisor.googlesource.com/gvisor/pkg/fdnotifier"
+	"gvisor.googlesource.com/gvisor/pkg/log"
+	"gvisor.googlesource.com/gvisor/pkg/secio"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/context"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/fs/fsutil"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/safemem"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/usermem"
+	"gvisor.googlesource.com/gvisor/pkg/syserror"
+	"gvisor.googlesource.com/gvisor/pkg/waiter"
+)
+
+// pipeOperations are the fs.FileOperations of a host pipe.
+//
+// +stateify savable
+type pipeOperations struct {
+	fsutil.FilePipeSeek             `state:"nosave"`
+	fsutil.FileNotDirReaddir        `state:"nosave"`
+	fsutil.FileNoFsync              `state:"nosave"`
+	fsutil.FileNoopFlush            `state:"nosave"`
+	fsutil.FileNoMMap               `state:"nosave"`
+	fsutil.FileNoIoctl              `state:"nosave"`
+	fsutil.FileNoSplice             `state:"nosave"`
+	fsutil.FileUseInodeUnstableAttr `state:"nosave"`
+	waiter.Queue                    `state:"nosave"`
+
+	// flags are the flags used to open the pipe.
+	flags fs.FileFlags `state:".(fs.FileFlags)"`
+
+	// opener is how the pipe was opened.
+	opener NonBlockingOpener `state:"wait"`
+
+	// file represents the host pipe.
+	file *fd.FD `state:"nosave"`
+
+	// mu protects readAheadBuffer access below.
+	mu sync.Mutex `state:"nosave"`
+
+	// readAheadBuffer contains read bytes that have not yet been read
+	// by the application but need to be buffered for save-restore for correct
+	// opening semantics.  The readAheadBuffer will only be non-empty when the
+	// is first opened and will be drained by subsequent reads on the pipe.
+	readAheadBuffer []byte
+}
+
+// newPipeOperations returns an implementation of fs.FileOperations for a pipe.
+func newPipeOperations(ctx context.Context, opener NonBlockingOpener, flags fs.FileFlags, file *fd.FD, readAheadBuffer []byte) (*pipeOperations, error) {
+	pipeOps := &pipeOperations{
+		flags:           flags,
+		opener:          opener,
+		file:            file,
+		readAheadBuffer: readAheadBuffer,
+	}
+	if err := pipeOps.init(); err != nil {
+		return nil, err
+	}
+	return pipeOps, nil
+}
+
+// init initializes p.file.
+func (p *pipeOperations) init() error {
+	var s syscall.Stat_t
+	if err := syscall.Fstat(p.file.FD(), &s); err != nil {
+		log.Warningf("pipe: cannot stat fd %d: %v", p.file.FD(), err)
+		return syscall.EINVAL
+	}
+	if s.Mode&syscall.S_IFIFO != syscall.S_IFIFO {
+		log.Warningf("pipe: cannot load fd %d as pipe, file type: %o", p.file.FD(), s.Mode)
+		return syscall.EINVAL
+	}
+	if err := syscall.SetNonblock(p.file.FD(), true); err != nil {
+		return err
+	}
+	return fdnotifier.AddFD(int32(p.file.FD()), &p.Queue)
+}
+
+// EventRegister implements waiter.Waitable.EventRegister.
+func (p *pipeOperations) EventRegister(e *waiter.Entry, mask waiter.EventMask) {
+	p.Queue.EventRegister(e, mask)
+	fdnotifier.UpdateFD(int32(p.file.FD()))
+}
+
+// EventUnregister implements waiter.Waitable.EventUnregister.
+func (p *pipeOperations) EventUnregister(e *waiter.Entry) {
+	p.Queue.EventUnregister(e)
+	fdnotifier.UpdateFD(int32(p.file.FD()))
+}
+
+// Readiness returns a mask of ready events for stream.
+func (p *pipeOperations) Readiness(mask waiter.EventMask) (eventMask waiter.EventMask) {
+	return fdnotifier.NonBlockingPoll(int32(p.file.FD()), mask)
+}
+
+// Release implements fs.FileOperations.Release.
+func (p *pipeOperations) Release() {
+	fdnotifier.RemoveFD(int32(p.file.FD()))
+	p.file.Close()
+	p.file = nil
+}
+
+// Read implements fs.FileOperations.Read.
+func (p *pipeOperations) Read(ctx context.Context, file *fs.File, dst usermem.IOSequence, offset int64) (int64, error) {
+	// Drain the read ahead buffer, if it contains anything first.
+	var bufN int
+	var bufErr error
+	p.mu.Lock()
+	if len(p.readAheadBuffer) > 0 {
+		bufN, bufErr = dst.CopyOut(ctx, p.readAheadBuffer)
+		p.readAheadBuffer = p.readAheadBuffer[bufN:]
+		dst = dst.DropFirst(bufN)
+	}
+	p.mu.Unlock()
+	if dst.NumBytes() == 0 || bufErr != nil {
+		return int64(bufN), bufErr
+	}
+
+	// Pipes expect full reads.
+	n, err := dst.CopyOutFrom(ctx, safemem.FromIOReader{secio.FullReader{p.file}})
+	total := int64(bufN) + n
+	if err != nil && isBlockError(err) {
+		return total, syserror.ErrWouldBlock
+	}
+	return total, err
+}
+
+// Write implements fs.FileOperations.Write.
+func (p *pipeOperations) Write(ctx context.Context, file *fs.File, src usermem.IOSequence, offset int64) (int64, error) {
+	n, err := src.CopyInTo(ctx, safemem.FromIOWriter{p.file})
+	if err != nil && isBlockError(err) {
+		return n, syserror.ErrWouldBlock
+	}
+	return n, err
+}
+
+// isBlockError unwraps os errors and checks if they are caused by EAGAIN or
+// EWOULDBLOCK. This is so they can be transformed into syserror.ErrWouldBlock.
+func isBlockError(err error) bool {
+	if err == syserror.EAGAIN || err == syserror.EWOULDBLOCK {
+		return true
+	}
+	if pe, ok := err.(*os.PathError); ok {
+		return isBlockError(pe.Err)
+	}
+	return false
+}
diff --git a/pkg/sentry/fs/fdpipe/pipe_opener.go b/pkg/sentry/fs/fdpipe/pipe_opener.go
new file mode 100644
index 000000000..0cabe2e18
--- /dev/null
+++ b/pkg/sentry/fs/fdpipe/pipe_opener.go
@@ -0,0 +1,193 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fdpipe
+
+import (
+	"io"
+	"os"
+	"syscall"
+	"time"
+
+	"gvisor.googlesource.com/gvisor/pkg/fd"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/context"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
+	"gvisor.googlesource.com/gvisor/pkg/syserror"
+)
+
+// NonBlockingOpener is a generic host file opener used to retry opening host
+// pipes if necessary.
+type NonBlockingOpener interface {
+	// NonBlockingOpen tries to open a host pipe in a non-blocking way,
+	// and otherwise returns an error. Implementations should be idempotent.
+	NonBlockingOpen(context.Context, fs.PermMask) (*fd.FD, error)
+}
+
+// Open blocks until a host pipe can be opened or the action was cancelled.
+// On success, returns fs.FileOperations wrapping the opened host pipe.
+func Open(ctx context.Context, opener NonBlockingOpener, flags fs.FileFlags) (fs.FileOperations, error) {
+	p := &pipeOpenState{}
+	canceled := false
+	for {
+		if file, err := p.TryOpen(ctx, opener, flags); err != syserror.ErrWouldBlock {
+			return file, err
+		}
+
+		// Honor the cancellation request if open still blocks.
+		if canceled {
+			// If we were canceled but we have a handle to a host
+			// file, we need to close it.
+			if p.hostFile != nil {
+				p.hostFile.Close()
+			}
+			return nil, syserror.ErrInterrupted
+		}
+
+		cancel := ctx.SleepStart()
+		select {
+		case <-cancel:
+			// The cancellation request received here really says
+			// "cancel from now on (or ASAP)". Any environmental
+			// changes happened before receiving it, that might have
+			// caused open to not block anymore, should still be
+			// respected. So we cannot just return here. We have to
+			// give open another try below first.
+			canceled = true
+			ctx.SleepFinish(false)
+		case <-time.After(100 * time.Millisecond):
+			// If we would block, then delay retrying for a bit, since there
+			// is no way to know when the pipe would be ready to be
+			// re-opened. This is identical to sending an event notification
+			// to stop blocking in Task.Block, given that this routine will
+			// stop retrying if a cancelation is received.
+			ctx.SleepFinish(true)
+		}
+	}
+}
+
+// pipeOpenState holds state needed to open a blocking named pipe read only, for instance the
+// file that has been opened but doesn't yet have a corresponding writer.
+type pipeOpenState struct {
+	// hostFile is the read only named pipe which lacks a corresponding writer.
+	hostFile *fd.FD
+}
+
+// unwrapError is needed to match against ENXIO primarily.
+func unwrapError(err error) error {
+	if pe, ok := err.(*os.PathError); ok {
+		return pe.Err
+	}
+	return err
+}
+
+// TryOpen uses a NonBlockingOpener to try to open a host pipe, respecting the fs.FileFlags.
+func (p *pipeOpenState) TryOpen(ctx context.Context, opener NonBlockingOpener, flags fs.FileFlags) (*pipeOperations, error) {
+	switch {
+	// Reject invalid configurations so they don't accidentally succeed below.
+	case !flags.Read && !flags.Write:
+		return nil, syscall.EINVAL
+
+	// Handle opening RDWR or with O_NONBLOCK: will never block, so try only once.
+	case (flags.Read && flags.Write) || flags.NonBlocking:
+		f, err := opener.NonBlockingOpen(ctx, fs.PermMask{Read: flags.Read, Write: flags.Write})
+		if err != nil {
+			return nil, err
+		}
+		return newPipeOperations(ctx, opener, flags, f, nil)
+
+	// Handle opening O_WRONLY blocking: convert ENXIO to syserror.ErrWouldBlock.
+	// See TryOpenWriteOnly for more details.
+	case flags.Write:
+		return p.TryOpenWriteOnly(ctx, opener)
+
+	default:
+		// Handle opening O_RDONLY blocking: convert EOF from read to syserror.ErrWouldBlock.
+		// See TryOpenReadOnly for more details.
+		return p.TryOpenReadOnly(ctx, opener)
+	}
+}
+
+// TryOpenReadOnly tries to open a host pipe read only but only returns a fs.File when
+// there is a coordinating writer.  Call TryOpenReadOnly repeatedly on the same pipeOpenState
+// until syserror.ErrWouldBlock is no longer returned.
+//
+// How it works:
+//
+// Opening a pipe read only will return no error, but each non zero Read will return EOF
+// until a writer becomes available, then EWOULDBLOCK.  This is the only state change
+// available to us.  We keep a read ahead buffer in case we read bytes instead of getting
+// EWOULDBLOCK, to be read from on the first read request to this fs.File.
+func (p *pipeOpenState) TryOpenReadOnly(ctx context.Context, opener NonBlockingOpener) (*pipeOperations, error) {
+	// Waiting for a blocking read only open involves reading from the host pipe until
+	// bytes or other writers are available, so instead of retrying opening the pipe,
+	// it's necessary to retry reading from the pipe. To do this we need to keep around
+	// the read only pipe we opened, until success or an irrecoverable read error (at
+	// which point it must be closed).
+	if p.hostFile == nil {
+		var err error
+		p.hostFile, err = opener.NonBlockingOpen(ctx, fs.PermMask{Read: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Try to read from the pipe to see if writers are around.
+	tryReadBuffer := make([]byte, 1)
+	n, rerr := p.hostFile.Read(tryReadBuffer)
+
+	// No bytes were read.
+	if n == 0 {
+		// EOF means that we're not ready yet.
+		if rerr == nil || rerr == io.EOF {
+			return nil, syserror.ErrWouldBlock
+		}
+		// Any error that is not EWOULDBLOCK also means we're not
+		// ready yet, and probably never will be ready.  In this
+		// case we need to close the host pipe we opened.
+		if unwrapError(rerr) != syscall.EWOULDBLOCK {
+			p.hostFile.Close()
+			return nil, rerr
+		}
+	}
+
+	// If any bytes were read, no matter the corresponding error, we need
+	// to keep them around so they can be read by the application.
+	var readAheadBuffer []byte
+	if n > 0 {
+		readAheadBuffer = tryReadBuffer
+	}
+
+	// Successfully opened read only blocking pipe with either bytes available
+	// to read and/or a writer available.
+	return newPipeOperations(ctx, opener, fs.FileFlags{Read: true}, p.hostFile, readAheadBuffer)
+}
+
+// TryOpenWriteOnly tries to open a host pipe write only but only returns a fs.File when
+// there is a coordinating reader.  Call TryOpenWriteOnly repeatedly on the same pipeOpenState
+// until syserror.ErrWouldBlock is no longer returned.
+//
+// How it works:
+//
+// Opening a pipe write only will return ENXIO until readers are available.  Converts the ENXIO
+// to an syserror.ErrWouldBlock, to tell callers to retry.
+func (*pipeOpenState) TryOpenWriteOnly(ctx context.Context, opener NonBlockingOpener) (*pipeOperations, error) {
+	hostFile, err := opener.NonBlockingOpen(ctx, fs.PermMask{Write: true})
+	if unwrapError(err) == syscall.ENXIO {
+		return nil, syserror.ErrWouldBlock
+	}
+	if err != nil {
+		return nil, err
+	}
+	return newPipeOperations(ctx, opener, fs.FileFlags{Write: true}, hostFile, nil)
+}
diff --git a/pkg/sentry/fs/fdpipe/pipe_state.go b/pkg/sentry/fs/fdpipe/pipe_state.go
new file mode 100644
index 000000000..8b347aa11
--- /dev/null
+++ b/pkg/sentry/fs/fdpipe/pipe_state.go
@@ -0,0 +1,89 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fdpipe
+
+import (
+	"fmt"
+	"io/ioutil"
+	"sync"
+
+	"gvisor.googlesource.com/gvisor/pkg/sentry/context"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
+)
+
+// beforeSave is invoked by stateify.
+func (p *pipeOperations) beforeSave() {
+	if p.flags.Read {
+		data, err := ioutil.ReadAll(p.file)
+		if err != nil && !isBlockError(err) {
+			panic(fmt.Sprintf("failed to read from pipe: %v", err))
+		}
+		p.readAheadBuffer = append(p.readAheadBuffer, data...)
+	} else if p.flags.Write {
+		file, err := p.opener.NonBlockingOpen(context.Background(), fs.PermMask{Write: true})
+		if err != nil {
+			panic(fs.ErrSaveRejection{fmt.Errorf("write-only pipe end cannot be re-opened as %v: %v", p, err)})
+		}
+		file.Close()
+	}
+}
+
+// saveFlags is invoked by stateify.
+func (p *pipeOperations) saveFlags() fs.FileFlags {
+	return p.flags
+}
+
+// readPipeOperationsLoading is used to ensure that write-only pipe fds are
+// opened after read/write and read-only pipe fds, to avoid ENXIO when
+// multiple pipe fds refer to different ends of the same pipe.
+var readPipeOperationsLoading sync.WaitGroup
+
+// loadFlags is invoked by stateify.
+func (p *pipeOperations) loadFlags(flags fs.FileFlags) {
+	// This is a hack to ensure that readPipeOperationsLoading includes all
+	// readable pipe fds before any asynchronous calls to
+	// readPipeOperationsLoading.Wait().
+	if flags.Read {
+		readPipeOperationsLoading.Add(1)
+	}
+	p.flags = flags
+}
+
+// afterLoad is invoked by stateify.
+func (p *pipeOperations) afterLoad() {
+	load := func() error {
+		if !p.flags.Read {
+			readPipeOperationsLoading.Wait()
+		} else {
+			defer readPipeOperationsLoading.Done()
+		}
+		var err error
+		p.file, err = p.opener.NonBlockingOpen(context.Background(), fs.PermMask{
+			Read:  p.flags.Read,
+			Write: p.flags.Write,
+		})
+		if err != nil {
+			return fmt.Errorf("unable to open pipe %v: %v", p, err)
+		}
+		if err := p.init(); err != nil {
+			return fmt.Errorf("unable to initialize pipe %v: %v", p, err)
+		}
+		return nil
+	}
+
+	// Do background opening of pipe ends. Note for write-only pipe ends we
+	// have to do it asynchronously to avoid blocking the restore.
+	fs.Async(fs.CatchError(load))
+}