summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/platform/ptrace
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-03-03 18:43:27 +0000
committergVisor bot <gvisor-bot@google.com>2021-03-03 18:43:27 +0000
commitaae5455fe381c4cbc956f61c971284ee05c52dfc (patch)
tree2b1cb0233968680dcd0374f20ee826cf311bda95 /pkg/sentry/platform/ptrace
parente2599d556573b05eb3714c1e791fa29431dc3d3f (diff)
parenta9441aea2780da8c93da1c73da860219f98438de (diff)
Merge release-20210301.0-5-ga9441aea2 (automated)
Diffstat (limited to 'pkg/sentry/platform/ptrace')
-rw-r--r--pkg/sentry/platform/ptrace/filters.go9
-rw-r--r--pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go18
-rw-r--r--pkg/sentry/platform/ptrace/ptrace_unsafe.go66
-rw-r--r--pkg/sentry/platform/ptrace/stub_unsafe.go18
-rw-r--r--pkg/sentry/platform/ptrace/subprocess.go77
-rw-r--r--pkg/sentry/platform/ptrace/subprocess_amd64.go19
-rw-r--r--pkg/sentry/platform/ptrace/subprocess_arm64.go11
-rw-r--r--pkg/sentry/platform/ptrace/subprocess_linux.go66
-rw-r--r--pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go6
9 files changed, 143 insertions, 147 deletions
diff --git a/pkg/sentry/platform/ptrace/filters.go b/pkg/sentry/platform/ptrace/filters.go
index 20fc62acb..ba4503b0d 100644
--- a/pkg/sentry/platform/ptrace/filters.go
+++ b/pkg/sentry/platform/ptrace/filters.go
@@ -15,16 +15,15 @@
package ptrace
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/seccomp"
)
// SyscallFilters returns syscalls made exclusively by the ptrace platform.
func (*PTrace) SyscallFilters() seccomp.SyscallRules {
return seccomp.SyscallRules{
- syscall.SYS_PTRACE: {},
- syscall.SYS_TGKILL: {},
- syscall.SYS_WAIT4: {},
+ unix.SYS_PTRACE: {},
+ unix.SYS_TGKILL: {},
+ unix.SYS_WAIT4: {},
}
}
diff --git a/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go b/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go
index 32b8a6be9..4f7fe993a 100644
--- a/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go
+++ b/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go
@@ -17,21 +17,21 @@
package ptrace
import (
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
)
// getTLS gets the thread local storage register.
func (t *thread) getTLS(tls *uint64) error {
- iovec := syscall.Iovec{
+ iovec := unix.Iovec{
Base: (*byte)(unsafe.Pointer(tls)),
Len: uint64(unsafe.Sizeof(*tls)),
}
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_GETREGSET,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_GETREGSET,
uintptr(t.tid),
linux.NT_ARM_TLS,
uintptr(unsafe.Pointer(&iovec)),
@@ -44,13 +44,13 @@ func (t *thread) getTLS(tls *uint64) error {
// setTLS sets the thread local storage register.
func (t *thread) setTLS(tls *uint64) error {
- iovec := syscall.Iovec{
+ iovec := unix.Iovec{
Base: (*byte)(unsafe.Pointer(tls)),
Len: uint64(unsafe.Sizeof(*tls)),
}
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_SETREGSET,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_SETREGSET,
uintptr(t.tid),
linux.NT_ARM_TLS,
uintptr(unsafe.Pointer(&iovec)),
diff --git a/pkg/sentry/platform/ptrace/ptrace_unsafe.go b/pkg/sentry/platform/ptrace/ptrace_unsafe.go
index 8b72d24e8..2c21f946e 100644
--- a/pkg/sentry/platform/ptrace/ptrace_unsafe.go
+++ b/pkg/sentry/platform/ptrace/ptrace_unsafe.go
@@ -15,9 +15,9 @@
package ptrace
import (
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/sentry/arch"
"gvisor.dev/gvisor/pkg/usermem"
@@ -25,13 +25,13 @@ import (
// getRegs gets the general purpose register set.
func (t *thread) getRegs(regs *arch.Registers) error {
- iovec := syscall.Iovec{
+ iovec := unix.Iovec{
Base: (*byte)(unsafe.Pointer(regs)),
Len: uint64(unsafe.Sizeof(*regs)),
}
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_GETREGSET,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_GETREGSET,
uintptr(t.tid),
linux.NT_PRSTATUS,
uintptr(unsafe.Pointer(&iovec)),
@@ -44,13 +44,13 @@ func (t *thread) getRegs(regs *arch.Registers) error {
// setRegs sets the general purpose register set.
func (t *thread) setRegs(regs *arch.Registers) error {
- iovec := syscall.Iovec{
+ iovec := unix.Iovec{
Base: (*byte)(unsafe.Pointer(regs)),
Len: uint64(unsafe.Sizeof(*regs)),
}
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_SETREGSET,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_SETREGSET,
uintptr(t.tid),
linux.NT_PRSTATUS,
uintptr(unsafe.Pointer(&iovec)),
@@ -61,15 +61,15 @@ func (t *thread) setRegs(regs *arch.Registers) error {
return nil
}
-// getFPRegs gets the floating-point data via the GETREGSET ptrace syscall.
+// getFPRegs gets the floating-point data via the GETREGSET ptrace unix.
func (t *thread) getFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsave bool) error {
- iovec := syscall.Iovec{
+ iovec := unix.Iovec{
Base: (*byte)(fpState),
Len: fpLen,
}
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_GETREGSET,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_GETREGSET,
uintptr(t.tid),
fpRegSet(useXsave),
uintptr(unsafe.Pointer(&iovec)),
@@ -80,15 +80,15 @@ func (t *thread) getFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsa
return nil
}
-// setFPRegs sets the floating-point data via the SETREGSET ptrace syscall.
+// setFPRegs sets the floating-point data via the SETREGSET ptrace unix.
func (t *thread) setFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsave bool) error {
- iovec := syscall.Iovec{
+ iovec := unix.Iovec{
Base: (*byte)(fpState),
Len: fpLen,
}
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_SETREGSET,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_SETREGSET,
uintptr(t.tid),
fpRegSet(useXsave),
uintptr(unsafe.Pointer(&iovec)),
@@ -101,9 +101,9 @@ func (t *thread) setFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsa
// getSignalInfo retrieves information about the signal that caused the stop.
func (t *thread) getSignalInfo(si *arch.SignalInfo) error {
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_GETSIGINFO,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_GETSIGINFO,
uintptr(t.tid),
0,
uintptr(unsafe.Pointer(si)),
@@ -123,18 +123,18 @@ func (t *thread) getSignalInfo(si *arch.SignalInfo) error {
func (t *thread) clone() (*thread, error) {
r, ok := usermem.Addr(stackPointer(&t.initRegs)).RoundUp()
if !ok {
- return nil, syscall.EINVAL
+ return nil, unix.EINVAL
}
rval, err := t.syscallIgnoreInterrupt(
&t.initRegs,
- syscall.SYS_CLONE,
+ unix.SYS_CLONE,
arch.SyscallArgument{Value: uintptr(
- syscall.CLONE_FILES |
- syscall.CLONE_FS |
- syscall.CLONE_SIGHAND |
- syscall.CLONE_THREAD |
- syscall.CLONE_PTRACE |
- syscall.CLONE_VM)},
+ unix.CLONE_FILES |
+ unix.CLONE_FS |
+ unix.CLONE_SIGHAND |
+ unix.CLONE_THREAD |
+ unix.CLONE_PTRACE |
+ unix.CLONE_VM)},
// The stack pointer is just made up, but we have it be
// something sensible so the kernel doesn't think we're
// up to no good. Which we are.
@@ -158,9 +158,9 @@ func (t *thread) clone() (*thread, error) {
// getEventMessage retrieves a message about the ptrace event that just happened.
func (t *thread) getEventMessage() (uintptr, error) {
var msg uintptr
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_GETEVENTMSG,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_GETEVENTMSG,
uintptr(t.tid),
0,
uintptr(unsafe.Pointer(&msg)),
diff --git a/pkg/sentry/platform/ptrace/stub_unsafe.go b/pkg/sentry/platform/ptrace/stub_unsafe.go
index 341dde143..780227248 100644
--- a/pkg/sentry/platform/ptrace/stub_unsafe.go
+++ b/pkg/sentry/platform/ptrace/stub_unsafe.go
@@ -16,9 +16,9 @@ package ptrace
import (
"reflect"
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/safecopy"
"gvisor.dev/gvisor/pkg/usermem"
)
@@ -56,17 +56,17 @@ func stubInit() {
// something that may have been there already. We just walk
// down the address space until we find a place where the stub
// can be placed.
- addr, _, errno := syscall.RawSyscall6(
- syscall.SYS_MMAP,
+ addr, _, errno := unix.RawSyscall6(
+ unix.SYS_MMAP,
stubStart,
mapLen,
- syscall.PROT_WRITE|syscall.PROT_READ,
- syscall.MAP_PRIVATE|syscall.MAP_ANONYMOUS,
+ unix.PROT_WRITE|unix.PROT_READ,
+ unix.MAP_PRIVATE|unix.MAP_ANONYMOUS,
0 /* fd */, 0 /* offset */)
if addr != stubStart || errno != 0 {
if addr != 0 {
// Unmap the region we've mapped accidentally.
- syscall.RawSyscall(syscall.SYS_MUNMAP, addr, mapLen, 0)
+ unix.RawSyscall(unix.SYS_MUNMAP, addr, mapLen, 0)
}
// Attempt to begin at a lower address.
@@ -79,11 +79,11 @@ func stubInit() {
copy(targetSlice, stubSlice)
// Make the stub executable.
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_MPROTECT,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_MPROTECT,
stubStart,
mapLen,
- syscall.PROT_EXEC|syscall.PROT_READ); errno != 0 {
+ unix.PROT_EXEC|unix.PROT_READ); errno != 0 {
panic("mprotect failed: " + errno.Error())
}
diff --git a/pkg/sentry/platform/ptrace/subprocess.go b/pkg/sentry/platform/ptrace/subprocess.go
index 17fb0a0d8..acccbfe2e 100644
--- a/pkg/sentry/platform/ptrace/subprocess.go
+++ b/pkg/sentry/platform/ptrace/subprocess.go
@@ -18,7 +18,6 @@ import (
"fmt"
"os"
"runtime"
- "syscall"
"golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/log"
@@ -35,9 +34,9 @@ import (
//
// These constants are only used in subprocess.go.
const (
- ERESTARTSYS = syscall.Errno(512)
- ERESTARTNOINTR = syscall.Errno(513)
- ERESTARTNOHAND = syscall.Errno(514)
+ ERESTARTSYS = unix.Errno(512)
+ ERESTARTNOINTR = unix.Errno(513)
+ ERESTARTNOHAND = unix.Errno(514)
)
// globalPool exists to solve two distinct problems:
@@ -96,7 +95,7 @@ func (tp *threadPool) lookupOrCreate(currentTID int32, newThread func() *thread)
// threads never exiting.
for origTID, t := range tp.threads {
// Signal zero is an easy existence check.
- if err := syscall.Tgkill(syscall.Getpid(), int(origTID), 0); err != nil {
+ if err := unix.Tgkill(unix.Getpid(), int(origTID), 0); err != nil {
// This thread has been abandoned; reuse it.
delete(tp.threads, origTID)
tp.threads[currentTID] = t
@@ -186,7 +185,7 @@ func newSubprocess(create func() (*thread, error)) (*subprocess, error) {
// (Hopefully nobody tgkilled it with a signal <
// SIGSTOP before the SIGSTOP was delivered, in which
// case that signal would be delivered before SIGSTOP.)
- if sig := t.wait(stopped); sig != syscall.SIGSTOP {
+ if sig := t.wait(stopped); sig != unix.SIGSTOP {
panic(fmt.Sprintf("error waiting for new clone: expected SIGSTOP, got %v", sig))
}
@@ -269,7 +268,7 @@ func (s *subprocess) newThread() *thread {
// attach attaches to the thread.
func (t *thread) attach() {
- if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_ATTACH, uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
+ if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_ATTACH, uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
panic(fmt.Sprintf("unable to attach: %v", errno))
}
@@ -277,7 +276,7 @@ func (t *thread) attach() {
// stopped from the SIGSTOP queued by CLONE_PTRACE (see inner loop of
// newSubprocess), so we always expect to see signal-delivery-stop with
// SIGSTOP.
- if sig := t.wait(stopped); sig != syscall.SIGSTOP {
+ if sig := t.wait(stopped); sig != unix.SIGSTOP {
panic(fmt.Sprintf("wait failed: expected SIGSTOP, got %v", sig))
}
@@ -301,7 +300,7 @@ func (t *thread) grabInitRegs() {
//
// Because the SIGSTOP is not suppressed, the thread will enter group-stop.
func (t *thread) detach() {
- if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_DETACH, uintptr(t.tid), 0, uintptr(syscall.SIGSTOP), 0, 0); errno != 0 {
+ if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_DETACH, uintptr(t.tid), 0, uintptr(unix.SIGSTOP), 0, 0); errno != 0 {
panic(fmt.Sprintf("can't detach new clone: %v", errno))
}
}
@@ -331,14 +330,14 @@ func (t *thread) dumpAndPanic(message string) {
func (t *thread) unexpectedStubExit() {
msg, err := t.getEventMessage()
- status := syscall.WaitStatus(msg)
- if status.Signaled() && status.Signal() == syscall.SIGKILL {
+ status := unix.WaitStatus(msg)
+ if status.Signaled() && status.Signal() == unix.SIGKILL {
// SIGKILL can be only sent by a user or OOM-killer. In both
// these cases, we don't need to panic. There is no reasons to
// think that something wrong in gVisor.
log.Warningf("The ptrace stub process %v has been killed by SIGKILL.", t.tgid)
pid := os.Getpid()
- syscall.Tgkill(pid, pid, syscall.Signal(syscall.SIGKILL))
+ unix.Tgkill(pid, pid, unix.Signal(unix.SIGKILL))
}
t.dumpAndPanic(fmt.Sprintf("wait failed: the process %d:%d exited: %x (err %v)", t.tgid, t.tid, msg, err))
}
@@ -346,12 +345,12 @@ func (t *thread) unexpectedStubExit() {
// wait waits for a stop event.
//
// Precondition: outcome is a valid waitOutcome.
-func (t *thread) wait(outcome waitOutcome) syscall.Signal {
- var status syscall.WaitStatus
+func (t *thread) wait(outcome waitOutcome) unix.Signal {
+ var status unix.WaitStatus
for {
- r, err := syscall.Wait4(int(t.tid), &status, syscall.WALL|syscall.WUNTRACED, nil)
- if err == syscall.EINTR || err == syscall.EAGAIN {
+ r, err := unix.Wait4(int(t.tid), &status, unix.WALL|unix.WUNTRACED, nil)
+ if err == unix.EINTR || err == unix.EAGAIN {
// Wait was interrupted; wait again.
continue
} else if err != nil {
@@ -369,12 +368,12 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal {
if stopSig == 0 {
continue // Spurious stop.
}
- if stopSig == syscall.SIGTRAP {
- if status.TrapCause() == syscall.PTRACE_EVENT_EXIT {
+ if stopSig == unix.SIGTRAP {
+ if status.TrapCause() == unix.PTRACE_EVENT_EXIT {
t.unexpectedStubExit()
}
// Re-encode the trap cause the way it's expected.
- return stopSig | syscall.Signal(status.TrapCause()<<8)
+ return stopSig | unix.Signal(status.TrapCause()<<8)
}
// Not a trap signal.
return stopSig
@@ -382,7 +381,7 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal {
if !status.Exited() && !status.Signaled() {
t.dumpAndPanic(fmt.Sprintf("ptrace status unexpected: got %v, wanted exited", status))
}
- return syscall.Signal(status.ExitStatus())
+ return unix.Signal(status.ExitStatus())
default:
// Should not happen.
t.dumpAndPanic(fmt.Sprintf("unknown outcome: %v", outcome))
@@ -397,7 +396,7 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal {
// manually created threads.
func (t *thread) destroy() {
t.detach()
- syscall.Tgkill(int(t.tgid), int(t.tid), syscall.Signal(syscall.SIGKILL))
+ unix.Tgkill(int(t.tgid), int(t.tid), unix.Signal(unix.SIGKILL))
t.wait(killed)
}
@@ -407,12 +406,12 @@ func (t *thread) init() {
// set PTRACE_O_EXITKILL to ensure that the unexpected exit of the
// sentry will immediately kill the associated stubs.
const PTRACE_O_EXITKILL = 0x100000
- _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
- syscall.PTRACE_SETOPTIONS,
+ _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
+ unix.PTRACE_SETOPTIONS,
uintptr(t.tid),
0,
- syscall.PTRACE_O_TRACESYSGOOD|syscall.PTRACE_O_TRACEEXIT|PTRACE_O_EXITKILL,
+ unix.PTRACE_O_TRACESYSGOOD|unix.PTRACE_O_TRACEEXIT|PTRACE_O_EXITKILL,
0, 0)
if errno != 0 {
panic(fmt.Sprintf("ptrace set options failed: %v", errno))
@@ -434,17 +433,17 @@ func (t *thread) syscall(regs *arch.Registers) (uintptr, error) {
// Execute the syscall instruction. The task has to stop on the
// trap instruction which is right after the syscall
// instruction.
- if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_CONT, uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
+ if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_CONT, uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
panic(fmt.Sprintf("ptrace syscall-enter failed: %v", errno))
}
sig := t.wait(stopped)
- if sig == syscall.SIGTRAP {
+ if sig == unix.SIGTRAP {
// Reached syscall-enter-stop.
break
} else {
// Some other signal caused a thread stop; ignore.
- if sig != syscall.SIGSTOP && sig != syscall.SIGCHLD {
+ if sig != unix.SIGSTOP && sig != unix.SIGCHLD {
log.Warningf("The thread %d:%d has been interrupted by %d", t.tgid, t.tid, sig)
}
continue
@@ -483,7 +482,7 @@ func (t *thread) syscallIgnoreInterrupt(
// NotifyInterrupt implements interrupt.Receiver.NotifyInterrupt.
func (t *thread) NotifyInterrupt() {
- syscall.Tgkill(int(t.tgid), int(t.tid), syscall.Signal(platform.SignalInterrupt))
+ unix.Tgkill(int(t.tgid), int(t.tid), unix.Signal(platform.SignalInterrupt))
}
// switchToApp is called from the main SwitchToApp entrypoint.
@@ -532,15 +531,15 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool {
for {
// Start running until the next system call.
if isSingleStepping(regs) {
- if _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
+ if _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
unix.PTRACE_SYSEMU_SINGLESTEP,
uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
panic(fmt.Sprintf("ptrace sysemu failed: %v", errno))
}
} else {
- if _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
+ if _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
unix.PTRACE_SYSEMU,
uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
panic(fmt.Sprintf("ptrace sysemu failed: %v", errno))
@@ -550,7 +549,7 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool {
// Wait for the syscall-enter stop.
sig := t.wait(stopped)
- if sig == syscall.SIGSTOP {
+ if sig == unix.SIGSTOP {
// SIGSTOP was delivered to another thread in the same thread
// group, which initiated another group stop. Just ignore it.
continue
@@ -571,7 +570,7 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool {
}
// Is it a system call?
- if sig == (syscallEvent | syscall.SIGTRAP) {
+ if sig == (syscallEvent | unix.SIGTRAP) {
s.arm64SyscallWorkaround(t, regs)
// Ensure registers are sane.
@@ -619,14 +618,14 @@ func (s *subprocess) syscall(sysno uintptr, args ...arch.SyscallArgument) (uintp
func (s *subprocess) MapFile(addr usermem.Addr, f memmap.File, fr memmap.FileRange, at usermem.AccessType, precommit bool) error {
var flags int
if precommit {
- flags |= syscall.MAP_POPULATE
+ flags |= unix.MAP_POPULATE
}
_, err := s.syscall(
- syscall.SYS_MMAP,
+ unix.SYS_MMAP,
arch.SyscallArgument{Value: uintptr(addr)},
arch.SyscallArgument{Value: uintptr(fr.Length())},
arch.SyscallArgument{Value: uintptr(at.Prot())},
- arch.SyscallArgument{Value: uintptr(flags | syscall.MAP_SHARED | syscall.MAP_FIXED)},
+ arch.SyscallArgument{Value: uintptr(flags | unix.MAP_SHARED | unix.MAP_FIXED)},
arch.SyscallArgument{Value: uintptr(f.FD())},
arch.SyscallArgument{Value: uintptr(fr.Start)})
return err
@@ -653,7 +652,7 @@ func (s *subprocess) Unmap(addr usermem.Addr, length uint64) {
}
s.mu.Unlock()
_, err := s.syscall(
- syscall.SYS_MUNMAP,
+ unix.SYS_MUNMAP,
arch.SyscallArgument{Value: uintptr(addr)},
arch.SyscallArgument{Value: uintptr(length)})
if err != nil {
diff --git a/pkg/sentry/platform/ptrace/subprocess_amd64.go b/pkg/sentry/platform/ptrace/subprocess_amd64.go
index 04815282b..9252c0bd7 100644
--- a/pkg/sentry/platform/ptrace/subprocess_amd64.go
+++ b/pkg/sentry/platform/ptrace/subprocess_amd64.go
@@ -19,7 +19,6 @@ package ptrace
import (
"fmt"
"strings"
- "syscall"
"golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
@@ -96,7 +95,7 @@ func updateSyscallRegs(regs *arch.Registers) {
func syscallReturnValue(regs *arch.Registers) (uintptr, error) {
rval := int64(regs.Rax)
if rval < 0 {
- return 0, syscall.Errno(-rval)
+ return 0, unix.Errno(-rval)
}
return uintptr(rval), nil
}
@@ -179,7 +178,7 @@ func patchSignalInfo(regs *arch.Registers, signalInfo *arch.SignalInfo) {
//
//go:nosplit
func enableCpuidFault() {
- syscall.RawSyscall6(syscall.SYS_ARCH_PRCTL, linux.ARCH_SET_CPUID, 0, 0, 0, 0, 0)
+ unix.RawSyscall6(unix.SYS_ARCH_PRCTL, linux.ARCH_SET_CPUID, 0, 0, 0, 0, 0)
}
// appendArchSeccompRules append architecture specific seccomp rules when creating BPF program.
@@ -189,9 +188,9 @@ func appendArchSeccompRules(rules []seccomp.RuleSet, defaultAction linux.BPFActi
// Rules for trapping vsyscall access.
seccomp.RuleSet{
Rules: seccomp.SyscallRules{
- syscall.SYS_GETTIMEOFDAY: {},
- syscall.SYS_TIME: {},
- unix.SYS_GETCPU: {}, // SYS_GETCPU was not defined in package syscall on amd64.
+ unix.SYS_GETTIMEOFDAY: {},
+ unix.SYS_TIME: {},
+ unix.SYS_GETCPU: {}, // SYS_GETCPU was not defined in package syscall on amd64.
},
Action: linux.SECCOMP_RET_TRAP,
Vsyscall: true,
@@ -200,7 +199,7 @@ func appendArchSeccompRules(rules []seccomp.RuleSet, defaultAction linux.BPFActi
rules = append(rules,
seccomp.RuleSet{
Rules: seccomp.SyscallRules{
- syscall.SYS_ARCH_PRCTL: []seccomp.Rule{
+ unix.SYS_ARCH_PRCTL: []seccomp.Rule{
{seccomp.EqualTo(linux.ARCH_SET_CPUID), seccomp.EqualTo(0)},
},
},
@@ -227,19 +226,19 @@ func probeSeccomp() bool {
// Set registers to the yield system call. This call is not allowed
// by the filters specified in the attachThread function.
- regs := createSyscallRegs(&t.initRegs, syscall.SYS_SCHED_YIELD)
+ regs := createSyscallRegs(&t.initRegs, unix.SYS_SCHED_YIELD)
if err := t.setRegs(&regs); err != nil {
panic(fmt.Sprintf("ptrace set regs failed: %v", err))
}
for {
// Attempt an emulation.
- if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
+ if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
panic(fmt.Sprintf("ptrace syscall-enter failed: %v", errno))
}
sig := t.wait(stopped)
- if sig == (syscallEvent | syscall.SIGTRAP) {
+ if sig == (syscallEvent | unix.SIGTRAP) {
// Did the seccomp errno hook already run? This would
// indicate that seccomp is first in line and we're
// less than 4.8.
diff --git a/pkg/sentry/platform/ptrace/subprocess_arm64.go b/pkg/sentry/platform/ptrace/subprocess_arm64.go
index 416132967..c0cbc0686 100644
--- a/pkg/sentry/platform/ptrace/subprocess_arm64.go
+++ b/pkg/sentry/platform/ptrace/subprocess_arm64.go
@@ -19,7 +19,6 @@ package ptrace
import (
"fmt"
"strings"
- "syscall"
"golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
@@ -99,7 +98,7 @@ func updateSyscallRegs(regs *arch.Registers) {
func syscallReturnValue(regs *arch.Registers) (uintptr, error) {
rval := int64(regs.Regs[0])
if rval < 0 {
- return 0, syscall.Errno(-rval)
+ return 0, unix.Errno(-rval)
}
return uintptr(rval), nil
}
@@ -185,8 +184,8 @@ func (s *subprocess) arm64SyscallWorkaround(t *thread, regs *arch.Registers) {
// signal, resume a stub thread and catch it on a signal handling.
t.NotifyInterrupt()
for {
- if _, _, errno := syscall.RawSyscall6(
- syscall.SYS_PTRACE,
+ if _, _, errno := unix.RawSyscall6(
+ unix.SYS_PTRACE,
unix.PTRACE_SYSEMU,
uintptr(t.tid), 0, 0, 0, 0); errno != 0 {
panic(fmt.Sprintf("ptrace sysemu failed: %v", errno))
@@ -194,12 +193,12 @@ func (s *subprocess) arm64SyscallWorkaround(t *thread, regs *arch.Registers) {
// Wait for the syscall-enter stop.
sig := t.wait(stopped)
- if sig == syscall.SIGSTOP {
+ if sig == unix.SIGSTOP {
// SIGSTOP was delivered to another thread in the same thread
// group, which initiated another group stop. Just ignore it.
continue
}
- if sig == (syscallEvent | syscall.SIGTRAP) {
+ if sig == (syscallEvent | unix.SIGTRAP) {
t.dumpAndPanic(fmt.Sprintf("unexpected syscall event"))
}
break
diff --git a/pkg/sentry/platform/ptrace/subprocess_linux.go b/pkg/sentry/platform/ptrace/subprocess_linux.go
index 8548853da..4f0260432 100644
--- a/pkg/sentry/platform/ptrace/subprocess_linux.go
+++ b/pkg/sentry/platform/ptrace/subprocess_linux.go
@@ -18,8 +18,8 @@ package ptrace
import (
"fmt"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/procid"
@@ -27,7 +27,7 @@ import (
"gvisor.dev/gvisor/pkg/sentry/arch"
)
-const syscallEvent syscall.Signal = 0x80
+const syscallEvent unix.Signal = 0x80
// createStub creates a fresh stub processes.
//
@@ -63,7 +63,7 @@ func createStub() (*thread, error) {
//
// In addition, we set the PTRACE_O_TRACEEXIT option to log more
// information about a stub process when it receives a fatal signal.
- return attachedThread(uintptr(syscall.SIGKILL)|syscall.CLONE_FILES, defaultAction)
+ return attachedThread(uintptr(unix.SIGKILL)|unix.CLONE_FILES, defaultAction)
}
// attachedThread returns a new attached thread.
@@ -78,38 +78,38 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro
if defaultAction != linux.SECCOMP_RET_ALLOW {
rules = append(rules, seccomp.RuleSet{
Rules: seccomp.SyscallRules{
- syscall.SYS_CLONE: []seccomp.Rule{
+ unix.SYS_CLONE: []seccomp.Rule{
// Allow creation of new subprocesses (used by the master).
- {seccomp.EqualTo(syscall.CLONE_FILES | syscall.SIGKILL)},
+ {seccomp.EqualTo(unix.CLONE_FILES | unix.SIGKILL)},
// Allow creation of new threads within a single address space (used by addresss spaces).
{seccomp.EqualTo(
- syscall.CLONE_FILES |
- syscall.CLONE_FS |
- syscall.CLONE_SIGHAND |
- syscall.CLONE_THREAD |
- syscall.CLONE_PTRACE |
- syscall.CLONE_VM)},
+ unix.CLONE_FILES |
+ unix.CLONE_FS |
+ unix.CLONE_SIGHAND |
+ unix.CLONE_THREAD |
+ unix.CLONE_PTRACE |
+ unix.CLONE_VM)},
},
// For the initial process creation.
- syscall.SYS_WAIT4: {},
- syscall.SYS_EXIT: {},
+ unix.SYS_WAIT4: {},
+ unix.SYS_EXIT: {},
// For the stub prctl dance (all).
- syscall.SYS_PRCTL: []seccomp.Rule{
- {seccomp.EqualTo(syscall.PR_SET_PDEATHSIG), seccomp.EqualTo(syscall.SIGKILL)},
+ unix.SYS_PRCTL: []seccomp.Rule{
+ {seccomp.EqualTo(unix.PR_SET_PDEATHSIG), seccomp.EqualTo(unix.SIGKILL)},
},
- syscall.SYS_GETPPID: {},
+ unix.SYS_GETPPID: {},
// For the stub to stop itself (all).
- syscall.SYS_GETPID: {},
- syscall.SYS_KILL: []seccomp.Rule{
- {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SIGSTOP)},
+ unix.SYS_GETPID: {},
+ unix.SYS_KILL: []seccomp.Rule{
+ {seccomp.MatchAny{}, seccomp.EqualTo(unix.SIGSTOP)},
},
// Injected to support the address space operations.
- syscall.SYS_MMAP: {},
- syscall.SYS_MUNMAP: {},
+ unix.SYS_MMAP: {},
+ unix.SYS_MUNMAP: {},
},
Action: linux.SECCOMP_RET_ALLOW,
})
@@ -125,17 +125,17 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro
var (
pid uintptr
ppid uintptr
- errno syscall.Errno
+ errno unix.Errno
)
// Remember the current ppid for the pdeathsig race.
- ppid, _, _ = syscall.RawSyscall(syscall.SYS_GETPID, 0, 0, 0)
+ ppid, _, _ = unix.RawSyscall(unix.SYS_GETPID, 0, 0, 0)
// Among other things, beforeFork masks all signals.
beforeFork()
// Do the clone.
- pid, _, errno = syscall.RawSyscall6(syscall.SYS_CLONE, flags, 0, 0, 0, 0, 0)
+ pid, _, errno = unix.RawSyscall6(unix.SYS_CLONE, flags, 0, 0, 0, 0, 0)
if errno != 0 {
afterFork()
return nil, errno
@@ -152,7 +152,7 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro
tid: int32(pid),
cpu: ^uint32(0),
}
- if sig := t.wait(stopped); sig != syscall.SIGSTOP {
+ if sig := t.wait(stopped); sig != unix.SIGSTOP {
return nil, fmt.Errorf("wait failed: expected SIGSTOP, got %v", sig)
}
t.attach()
@@ -165,8 +165,8 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro
// prevents the stub from getting PTY job control signals intended only
// for the sentry process. We must call this before restoring signal
// mask.
- if _, _, errno := syscall.RawSyscall(syscall.SYS_SETSID, 0, 0, 0); errno != 0 {
- syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0)
+ if _, _, errno := unix.RawSyscall(unix.SYS_SETSID, 0, 0, 0); errno != 0 {
+ unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0)
}
// afterForkInChild resets all signals to their default dispositions
@@ -176,13 +176,13 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro
// Explicitly unmask all signals to ensure that the tracer can see
// them.
if errno := unmaskAllSignals(); errno != 0 {
- syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0)
+ unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0)
}
// Set an aggressive BPF filter for the stub and all it's children. See
// the description of the BPF program built above.
if errno := seccomp.SetFilter(instrs); errno != 0 {
- syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0)
+ unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0)
}
// Enable cpuid-faulting.
@@ -218,8 +218,8 @@ func (s *subprocess) createStub() (*thread, error) {
// See above re: SIGKILL.
pid, err := t.syscallIgnoreInterrupt(
&regs,
- syscall.SYS_CLONE,
- arch.SyscallArgument{Value: uintptr(syscall.SIGKILL | syscall.CLONE_FILES)},
+ unix.SYS_CLONE,
+ arch.SyscallArgument{Value: uintptr(unix.SIGKILL | unix.CLONE_FILES)},
arch.SyscallArgument{Value: 0},
arch.SyscallArgument{Value: 0},
arch.SyscallArgument{Value: 0},
@@ -237,10 +237,10 @@ func (s *subprocess) createStub() (*thread, error) {
// If the child actually exited, the attach below will fail.
_, err = t.syscallIgnoreInterrupt(
&t.initRegs,
- syscall.SYS_WAIT4,
+ unix.SYS_WAIT4,
arch.SyscallArgument{Value: uintptr(pid)},
arch.SyscallArgument{Value: 0},
- arch.SyscallArgument{Value: syscall.WALL | syscall.WUNTRACED},
+ arch.SyscallArgument{Value: unix.WALL | unix.WUNTRACED},
arch.SyscallArgument{Value: 0},
arch.SyscallArgument{Value: 0},
arch.SyscallArgument{Value: 0})
diff --git a/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go b/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go
index 533e45497..9c342c59b 100644
--- a/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go
+++ b/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go
@@ -18,17 +18,17 @@
package ptrace
import (
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
)
// unmaskAllSignals unmasks all signals on the current thread.
//
//go:nosplit
-func unmaskAllSignals() syscall.Errno {
+func unmaskAllSignals() unix.Errno {
var set linux.SignalSet
- _, _, errno := syscall.RawSyscall6(syscall.SYS_RT_SIGPROCMASK, linux.SIG_SETMASK, uintptr(unsafe.Pointer(&set)), 0, linux.SignalSetSize, 0, 0)
+ _, _, errno := unix.RawSyscall6(unix.SYS_RT_SIGPROCMASK, linux.SIG_SETMASK, uintptr(unsafe.Pointer(&set)), 0, linux.SignalSetSize, 0, 0)
return errno
}