diff options
author | gVisor bot <gvisor-bot@google.com> | 2021-03-03 18:43:27 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-03 18:43:27 +0000 |
commit | aae5455fe381c4cbc956f61c971284ee05c52dfc (patch) | |
tree | 2b1cb0233968680dcd0374f20ee826cf311bda95 /pkg/sentry | |
parent | e2599d556573b05eb3714c1e791fa29431dc3d3f (diff) | |
parent | a9441aea2780da8c93da1c73da860219f98438de (diff) |
Merge release-20210301.0-5-ga9441aea2 (automated)
Diffstat (limited to 'pkg/sentry')
109 files changed, 891 insertions, 917 deletions
diff --git a/pkg/sentry/arch/arch_amd64.go b/pkg/sentry/arch/arch_amd64.go index c7d3a206d..15d8ddb40 100644 --- a/pkg/sentry/arch/arch_amd64.go +++ b/pkg/sentry/arch/arch_amd64.go @@ -20,8 +20,8 @@ import ( "bytes" "fmt" "math/rand" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/cpuid" "gvisor.dev/gvisor/pkg/marshal" "gvisor.dev/gvisor/pkg/marshal/primitive" @@ -210,7 +210,7 @@ func mmapRand(max uint64) usermem.Addr { func (c *context64) NewMmapLayout(min, max usermem.Addr, r *limits.LimitSet) (MmapLayout, error) { min, ok := min.RoundUp() if !ok { - return MmapLayout{}, syscall.EINVAL + return MmapLayout{}, unix.EINVAL } if max > maxAddr64 { max = maxAddr64 @@ -218,7 +218,7 @@ func (c *context64) NewMmapLayout(min, max usermem.Addr, r *limits.LimitSet) (Mm max = max.RoundDown() if min > max { - return MmapLayout{}, syscall.EINVAL + return MmapLayout{}, unix.EINVAL } stackSize := r.Get(limits.Stack) @@ -297,7 +297,7 @@ const userStructSize = 928 // PtracePeekUser implements Context.PtracePeekUser. func (c *context64) PtracePeekUser(addr uintptr) (marshal.Marshallable, error) { if addr&7 != 0 || addr >= userStructSize { - return nil, syscall.EIO + return nil, unix.EIO } // PTRACE_PEEKUSER and PTRACE_POKEUSER are only effective on regs and // u_debugreg, returning 0 or silently no-oping for other fields @@ -315,7 +315,7 @@ func (c *context64) PtracePeekUser(addr uintptr) (marshal.Marshallable, error) { // PtracePokeUser implements Context.PtracePokeUser. func (c *context64) PtracePokeUser(addr, data uintptr) error { if addr&7 != 0 || addr >= userStructSize { - return syscall.EIO + return unix.EIO } if addr < uintptr(ptraceRegistersSize) { regs := c.ptraceGetRegs() diff --git a/pkg/sentry/arch/arch_arm64.go b/pkg/sentry/arch/arch_arm64.go index 680d23a9f..0c61a3ff7 100644 --- a/pkg/sentry/arch/arch_arm64.go +++ b/pkg/sentry/arch/arch_arm64.go @@ -19,8 +19,8 @@ package arch import ( "fmt" "math/rand" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/cpuid" "gvisor.dev/gvisor/pkg/marshal" "gvisor.dev/gvisor/pkg/marshal/primitive" @@ -194,7 +194,7 @@ func mmapRand(max uint64) usermem.Addr { func (c *context64) NewMmapLayout(min, max usermem.Addr, r *limits.LimitSet) (MmapLayout, error) { min, ok := min.RoundUp() if !ok { - return MmapLayout{}, syscall.EINVAL + return MmapLayout{}, unix.EINVAL } if max > maxAddr64 { max = maxAddr64 @@ -202,7 +202,7 @@ func (c *context64) NewMmapLayout(min, max usermem.Addr, r *limits.LimitSet) (Mm max = max.RoundDown() if min > max { - return MmapLayout{}, syscall.EINVAL + return MmapLayout{}, unix.EINVAL } stackSize := r.Get(limits.Stack) diff --git a/pkg/sentry/arch/arch_x86.go b/pkg/sentry/arch/arch_x86.go index b9405b320..641ada92f 100644 --- a/pkg/sentry/arch/arch_x86.go +++ b/pkg/sentry/arch/arch_x86.go @@ -19,8 +19,8 @@ package arch import ( "fmt" "io" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/cpuid" "gvisor.dev/gvisor/pkg/log" @@ -334,28 +334,28 @@ func (s *State) PtraceSetRegs(src io.Reader) (int, error) { regs.Ss = uint64(uint16(regs.Ss)) // In Linux this validation is via arch/x86/kernel/ptrace.c:putreg(). if !isUserSegmentSelector(regs.Cs) { - return 0, syscall.EIO + return 0, unix.EIO } if regs.Ds != 0 && !isUserSegmentSelector(regs.Ds) { - return 0, syscall.EIO + return 0, unix.EIO } if regs.Es != 0 && !isUserSegmentSelector(regs.Es) { - return 0, syscall.EIO + return 0, unix.EIO } if regs.Fs != 0 && !isUserSegmentSelector(regs.Fs) { - return 0, syscall.EIO + return 0, unix.EIO } if regs.Gs != 0 && !isUserSegmentSelector(regs.Gs) { - return 0, syscall.EIO + return 0, unix.EIO } if !isUserSegmentSelector(regs.Ss) { - return 0, syscall.EIO + return 0, unix.EIO } if !isValidSegmentBase(regs.Fs_base) { - return 0, syscall.EIO + return 0, unix.EIO } if !isValidSegmentBase(regs.Gs_base) { - return 0, syscall.EIO + return 0, unix.EIO } // CS and SS are validated, but changes to them are otherwise silently // ignored on amd64. @@ -512,7 +512,7 @@ func (s *State) ptraceSetXstateRegs(src io.Reader, maxlen int) (int, error) { // permits setting a register set smaller than minXstateBytes, but it has // the same silent truncation behavior in kernel/ptrace.c:ptrace_regset().) if maxlen < minXstateBytes { - return 0, syscall.EFAULT + return 0, unix.EFAULT } ess, _ := s.FeatureSet.ExtendedStateSize() if maxlen > int(ess) { diff --git a/pkg/sentry/arch/signal_amd64.go b/pkg/sentry/arch/signal_amd64.go index 72e07a988..e6557cab6 100644 --- a/pkg/sentry/arch/signal_amd64.go +++ b/pkg/sentry/arch/signal_amd64.go @@ -18,8 +18,8 @@ package arch import ( "math" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/marshal/primitive" @@ -187,7 +187,7 @@ func (c *context64) SignalSetup(st *Stack, act *SignalAct, info *SignalInfo, alt // for the signal stack. This is not allowed, and should immediately // force signal delivery (reverting to the default handler). if act.IsOnStack() && alt.IsEnabled() && !alt.Contains(frameBottom) { - return syscall.EFAULT + return unix.EFAULT } // Adjust the code. @@ -210,7 +210,7 @@ func (c *context64) SignalSetup(st *Stack, act *SignalAct, info *SignalInfo, alt } } else { // amd64 requires a restorer. - return syscall.EFAULT + return unix.EFAULT } // Set up registers. diff --git a/pkg/sentry/arch/signal_arm64.go b/pkg/sentry/arch/signal_arm64.go index 71596130d..4491008c2 100644 --- a/pkg/sentry/arch/signal_arm64.go +++ b/pkg/sentry/arch/signal_arm64.go @@ -17,8 +17,7 @@ package arch import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/usermem" @@ -115,7 +114,7 @@ func (c *context64) SignalSetup(st *Stack, act *SignalAct, info *SignalInfo, alt // for the signal stack. This is not allowed, and should immediately // force signal delivery (reverting to the default handler). if act.IsOnStack() && alt.IsEnabled() && !alt.Contains(frameBottom) { - return syscall.EFAULT + return unix.EFAULT } // Adjust the code. diff --git a/pkg/sentry/fs/attr.go b/pkg/sentry/fs/attr.go index f60bd423d..b90f7c1be 100644 --- a/pkg/sentry/fs/attr.go +++ b/pkg/sentry/fs/attr.go @@ -17,8 +17,8 @@ package fs import ( "fmt" "os" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/p9" @@ -355,17 +355,17 @@ func (p PermMask) String() string { return fmt.Sprintf("PermMask{Read: %v, Write: %v, Execute: %v}", p.Read, p.Write, p.Execute) } -// Mode returns the system mode (syscall.S_IXOTH, etc.) for these permissions +// Mode returns the system mode (unix.S_IXOTH, etc.) for these permissions // in the "other" bits. func (p PermMask) Mode() (mode os.FileMode) { if p.Read { - mode |= syscall.S_IROTH + mode |= unix.S_IROTH } if p.Write { - mode |= syscall.S_IWOTH + mode |= unix.S_IWOTH } if p.Execute { - mode |= syscall.S_IXOTH + mode |= unix.S_IXOTH } return } diff --git a/pkg/sentry/fs/dirent.go b/pkg/sentry/fs/dirent.go index 00c526b03..9d5d40954 100644 --- a/pkg/sentry/fs/dirent.go +++ b/pkg/sentry/fs/dirent.go @@ -18,8 +18,8 @@ import ( "fmt" "path" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/refs" @@ -418,7 +418,7 @@ func (d *Dirent) descendantOf(p *Dirent) bool { // * name must must not contain "/"s. func (d *Dirent) walk(ctx context.Context, root *Dirent, name string, walkMayUnlock bool) (*Dirent, error) { if !IsDir(d.Inode.StableAttr) { - return nil, syscall.ENOTDIR + return nil, unix.ENOTDIR } if name == "" || name == "." { @@ -452,7 +452,7 @@ func (d *Dirent) walk(ctx context.Context, root *Dirent, name string, walkMayUnl // hard reference on them, and they contain virtually no state). But this is // good house-keeping. child.DecRef(ctx) - return nil, syscall.ENOENT + return nil, unix.ENOENT } // Do we need to revalidate this child? @@ -518,7 +518,7 @@ func (d *Dirent) walk(ctx context.Context, root *Dirent, name string, walkMayUnl if cd.IsNegative() { // If so, don't leak a reference and short circuit. child.DecRef(ctx) - return nil, syscall.ENOENT + return nil, unix.ENOENT } // We make the judgement call that if c raced with cd they are close enough to have @@ -545,7 +545,7 @@ func (d *Dirent) walk(ctx context.Context, root *Dirent, name string, walkMayUnl if c.IsNegative() { // Don't drop a reference on the negative Dirent, it was just installed and this is the // only reference we'll ever get. d owns the reference. - return nil, syscall.ENOENT + return nil, unix.ENOENT } // Return the positive Dirent. @@ -611,7 +611,7 @@ func (d *Dirent) Create(ctx context.Context, root *Dirent, name string, flags Fi // Does something already exist? if d.exists(ctx, root, name) { - return nil, syscall.EEXIST + return nil, unix.EEXIST } // Try the create. We need to trust the file system to return EEXIST (or something @@ -674,7 +674,7 @@ func (d *Dirent) genericCreate(ctx context.Context, root *Dirent, name string, c // Does something already exist? if d.exists(ctx, root, name) { - return syscall.EEXIST + return unix.EEXIST } // Remove any negative Dirent. We've already asserted above with d.exists @@ -718,12 +718,12 @@ func (d *Dirent) CreateLink(ctx context.Context, root *Dirent, oldname, newname func (d *Dirent) CreateHardLink(ctx context.Context, root *Dirent, target *Dirent, name string) error { // Make sure that target does not span filesystems. if d.Inode.MountSource != target.Inode.MountSource { - return syscall.EXDEV + return unix.EXDEV } // Directories are never linkable. See fs/namei.c:vfs_link. if IsDir(target.Inode.StableAttr) { - return syscall.EPERM + return unix.EPERM } return d.genericCreate(ctx, root, name, func() error { @@ -759,8 +759,8 @@ func (d *Dirent) Bind(ctx context.Context, root *Dirent, name string, data trans d.finishCreate(ctx, childDir, name) return nil }) - if err == syscall.EEXIST { - return nil, syscall.EADDRINUSE + if err == unix.EEXIST { + return nil, unix.EADDRINUSE } if err != nil { return nil, err @@ -1033,14 +1033,14 @@ func (d *Dirent) Remove(ctx context.Context, root *Dirent, name string, dirPath // Remove cannot remove directories. if IsDir(child.Inode.StableAttr) { - return syscall.EISDIR + return unix.EISDIR } else if dirPath { - return syscall.ENOTDIR + return unix.ENOTDIR } // Remove cannot remove a mount point. if child.isMountPoint() { - return syscall.EBUSY + return unix.EBUSY } // Try to remove name on the file system. @@ -1087,11 +1087,11 @@ func (d *Dirent) RemoveDirectory(ctx context.Context, root *Dirent, name string) // Check for dots. if name == "." { // Rejected as the last component by rmdir(2). - return syscall.EINVAL + return unix.EINVAL } if name == ".." { // If d was found, then its parent is not empty. - return syscall.ENOTEMPTY + return unix.ENOTEMPTY } // Try to walk to the node. @@ -1104,12 +1104,12 @@ func (d *Dirent) RemoveDirectory(ctx context.Context, root *Dirent, name string) // RemoveDirectory can only remove directories. if !IsDir(child.Inode.StableAttr) { - return syscall.ENOTDIR + return unix.ENOTDIR } // Remove cannot remove a mount point. if child.isMountPoint() { - return syscall.EBUSY + return unix.EBUSY } // Try to remove name on the file system. @@ -1294,7 +1294,7 @@ func lockForRename(oldParent *Dirent, oldName string, newParent *Dirent, newName // more specifically of oldParent/oldName. That is, we're // trying to rename something into a subdirectory of // itself. - err = syscall.EINVAL + err = unix.EINVAL } return func() { newParent.mu.Unlock() @@ -1420,12 +1420,12 @@ func Rename(ctx context.Context, root *Dirent, oldParent *Dirent, oldName string // Check that the renamed dirent is not a mount point. if renamed.isMountPointLocked() { - return syscall.EBUSY + return unix.EBUSY } // Source should not be an ancestor of the target. if newParent.descendantOf(renamed) { - return syscall.EINVAL + return unix.EINVAL } // Per rename(2): "... EACCES: ... or oldpath is a directory and does not @@ -1465,13 +1465,13 @@ func Rename(ctx context.Context, root *Dirent, oldParent *Dirent, oldName string // ancestor of target, but ENOTEMPTY if the target is // an ancestor of source (unless RENAME_EXCHANGE flag // is present). See fs/namei.c:renameat2. - return syscall.ENOTEMPTY + return unix.ENOTEMPTY } // Check that replaced is not a mount point. if replaced.isMountPointLocked() { replaced.DecRef(ctx) - return syscall.EBUSY + return unix.EBUSY } // Require that a directory is replaced by a directory. @@ -1479,11 +1479,11 @@ func Rename(ctx context.Context, root *Dirent, oldParent *Dirent, oldName string newIsDir := IsDir(replaced.Inode.StableAttr) if !newIsDir && oldIsDir { replaced.DecRef(ctx) - return syscall.ENOTDIR + return unix.ENOTDIR } if !oldIsDir && newIsDir { replaced.DecRef(ctx) - return syscall.EISDIR + return unix.EISDIR } // Allow the file system to drop extra references on replaced. diff --git a/pkg/sentry/fs/fdpipe/pipe.go b/pkg/sentry/fs/fdpipe/pipe.go index b99199798..757b7d511 100644 --- a/pkg/sentry/fs/fdpipe/pipe.go +++ b/pkg/sentry/fs/fdpipe/pipe.go @@ -17,8 +17,8 @@ package fdpipe import ( "os" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -82,16 +82,16 @@ func newPipeOperations(ctx context.Context, opener NonBlockingOpener, flags fs.F // init initializes p.file. func (p *pipeOperations) init() error { - var s syscall.Stat_t - if err := syscall.Fstat(p.file.FD(), &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(p.file.FD(), &s); err != nil { log.Warningf("pipe: cannot stat fd %d: %v", p.file.FD(), err) - return syscall.EINVAL + return unix.EINVAL } - if (s.Mode & syscall.S_IFMT) != syscall.S_IFIFO { + if (s.Mode & unix.S_IFMT) != unix.S_IFIFO { log.Warningf("pipe: cannot load fd %d as pipe, file type: %o", p.file.FD(), s.Mode) - return syscall.EINVAL + return unix.EINVAL } - if err := syscall.SetNonblock(p.file.FD(), true); err != nil { + if err := unix.SetNonblock(p.file.FD(), true); err != nil { return err } return fdnotifier.AddFD(int32(p.file.FD()), &p.Queue) diff --git a/pkg/sentry/fs/fdpipe/pipe_opener.go b/pkg/sentry/fs/fdpipe/pipe_opener.go index 0c3595998..adda19168 100644 --- a/pkg/sentry/fs/fdpipe/pipe_opener.go +++ b/pkg/sentry/fs/fdpipe/pipe_opener.go @@ -17,9 +17,9 @@ package fdpipe import ( "io" "os" - "syscall" "time" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -96,7 +96,7 @@ func (p *pipeOpenState) TryOpen(ctx context.Context, opener NonBlockingOpener, f switch { // Reject invalid configurations so they don't accidentally succeed below. case !flags.Read && !flags.Write: - return nil, syscall.EINVAL + return nil, unix.EINVAL // Handle opening RDWR or with O_NONBLOCK: will never block, so try only once. case (flags.Read && flags.Write) || flags.NonBlocking: @@ -155,7 +155,7 @@ func (p *pipeOpenState) TryOpenReadOnly(ctx context.Context, opener NonBlockingO // Any error that is not EWOULDBLOCK also means we're not // ready yet, and probably never will be ready. In this // case we need to close the host pipe we opened. - if unwrapError(rerr) != syscall.EWOULDBLOCK { + if unwrapError(rerr) != unix.EWOULDBLOCK { p.hostFile.Close() return nil, rerr } @@ -183,7 +183,7 @@ func (p *pipeOpenState) TryOpenReadOnly(ctx context.Context, opener NonBlockingO // to an syserror.ErrWouldBlock, to tell callers to retry. func (*pipeOpenState) TryOpenWriteOnly(ctx context.Context, opener NonBlockingOpener) (*pipeOperations, error) { hostFile, err := opener.NonBlockingOpen(ctx, fs.PermMask{Write: true}) - if unwrapError(err) == syscall.ENXIO { + if unwrapError(err) == unix.ENXIO { return nil, syserror.ErrWouldBlock } if err != nil { diff --git a/pkg/sentry/fs/fsutil/host_file_mapper.go b/pkg/sentry/fs/fsutil/host_file_mapper.go index 4468f5dd2..54f7b7cdc 100644 --- a/pkg/sentry/fs/fsutil/host_file_mapper.go +++ b/pkg/sentry/fs/fsutil/host_file_mapper.go @@ -16,8 +16,8 @@ package fsutil import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/safemem" "gvisor.dev/gvisor/pkg/sentry/memmap" @@ -44,7 +44,7 @@ type HostFileMapper struct { mapsMu sync.Mutex `state:"nosave"` // mappings maps chunk start offsets to mappings of those chunks, - // obtained by calling syscall.Mmap. mappings is protected by + // obtained by calling unix.Mmap. mappings is protected by // mapsMu. mappings map[uint64]mapping `state:"nosave"` } @@ -157,19 +157,19 @@ func (f *HostFileMapper) MapInternal(fr memmap.FileRange, fd int, write bool) (s // Preconditions: f.mapsMu must be locked. func (f *HostFileMapper) forEachMappingBlockLocked(fr memmap.FileRange, fd int, write bool, fn func(safemem.Block)) error { - prot := syscall.PROT_READ + prot := unix.PROT_READ if write { - prot |= syscall.PROT_WRITE + prot |= unix.PROT_WRITE } for chunkStart := fr.Start &^ chunkMask; chunkStart < fr.End; chunkStart += chunkSize { m, ok := f.mappings[chunkStart] if !ok { - addr, _, errno := syscall.Syscall6( - syscall.SYS_MMAP, + addr, _, errno := unix.Syscall6( + unix.SYS_MMAP, 0, chunkSize, uintptr(prot), - syscall.MAP_SHARED, + unix.MAP_SHARED, uintptr(fd), uintptr(chunkStart)) if errno != 0 { @@ -178,12 +178,12 @@ func (f *HostFileMapper) forEachMappingBlockLocked(fr memmap.FileRange, fd int, m = mapping{addr, write} f.mappings[chunkStart] = m } else if write && !m.writable { - addr, _, errno := syscall.Syscall6( - syscall.SYS_MMAP, + addr, _, errno := unix.Syscall6( + unix.SYS_MMAP, m.addr, chunkSize, uintptr(prot), - syscall.MAP_SHARED|syscall.MAP_FIXED, + unix.MAP_SHARED|unix.MAP_FIXED, uintptr(fd), uintptr(chunkStart)) if errno != 0 { @@ -219,7 +219,7 @@ func (f *HostFileMapper) UnmapAll() { // * f.mapsMu must be locked. // * f.mappings[chunkStart] == m. func (f *HostFileMapper) unmapAndRemoveLocked(chunkStart uint64, m mapping) { - if _, _, errno := syscall.Syscall(syscall.SYS_MUNMAP, m.addr, chunkSize, 0); errno != 0 { + if _, _, errno := unix.Syscall(unix.SYS_MUNMAP, m.addr, chunkSize, 0); errno != 0 { // This leaks address space and is unexpected, but is otherwise // harmless, so complain but don't panic. log.Warningf("HostFileMapper: failed to unmap mapping %#x for chunk %#x: %v", m.addr, chunkStart, errno) @@ -234,16 +234,16 @@ func (f *HostFileMapper) RegenerateMappings(fd int) error { defer f.mapsMu.Unlock() for chunkStart, m := range f.mappings { - prot := syscall.PROT_READ + prot := unix.PROT_READ if m.writable { - prot |= syscall.PROT_WRITE + prot |= unix.PROT_WRITE } - _, _, errno := syscall.Syscall6( - syscall.SYS_MMAP, + _, _, errno := unix.Syscall6( + unix.SYS_MMAP, m.addr, chunkSize, uintptr(prot), - syscall.MAP_SHARED|syscall.MAP_FIXED, + unix.MAP_SHARED|unix.MAP_FIXED, uintptr(fd), uintptr(chunkStart)) if errno != 0 { diff --git a/pkg/sentry/fs/gofer/attr.go b/pkg/sentry/fs/gofer/attr.go index e5579095b..cffc756cc 100644 --- a/pkg/sentry/fs/gofer/attr.go +++ b/pkg/sentry/fs/gofer/attr.go @@ -15,8 +15,7 @@ package gofer import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/p9" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -36,7 +35,7 @@ func getattr(ctx context.Context, file contextFile) (p9.QID, p9.AttrMask, p9.Att // Require mode, size, and raw device id. if !valid.Mode || !valid.Size || !valid.RDev { - return qid, valid, attr, syscall.EIO + return qid, valid, attr, unix.EIO } return qid, valid, attr, nil diff --git a/pkg/sentry/fs/gofer/file.go b/pkg/sentry/fs/gofer/file.go index bb63448cb..06d450ba6 100644 --- a/pkg/sentry/fs/gofer/file.go +++ b/pkg/sentry/fs/gofer/file.go @@ -16,9 +16,9 @@ package gofer import ( "fmt" - "syscall" "time" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/p9" @@ -307,7 +307,7 @@ func (f *fileOperations) Fsync(ctx context.Context, file *fs.File, start, end in // Sync remote caches. if f.handles.Host != nil { // Sync the host fd directly. - return syscall.Fsync(f.handles.Host.FD()) + return unix.Fsync(f.handles.Host.FD()) } // Otherwise sync on the p9.File handle. return f.handles.File.fsync(ctx) diff --git a/pkg/sentry/fs/gofer/inode.go b/pkg/sentry/fs/gofer/inode.go index e840b6f5e..b97635ec4 100644 --- a/pkg/sentry/fs/gofer/inode.go +++ b/pkg/sentry/fs/gofer/inode.go @@ -16,8 +16,8 @@ package gofer import ( "errors" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" @@ -273,7 +273,7 @@ func (i *inodeFileState) recreateReadHandles(ctx context.Context, writer *handle // operations on the old will see the new data. Then, make the new handle take // ownereship of the old FD and mark the old readHandle to not close the FD // when done. - if err := syscall.Dup3(h.Host.FD(), i.readHandles.Host.FD(), syscall.O_CLOEXEC); err != nil { + if err := unix.Dup3(h.Host.FD(), i.readHandles.Host.FD(), unix.O_CLOEXEC); err != nil { return err } @@ -489,7 +489,7 @@ func (i *inodeOperations) GetFile(ctx context.Context, d *fs.Dirent, flags fs.Fi func (i *inodeOperations) getFileSocket(ctx context.Context, d *fs.Dirent, flags fs.FileFlags) (*fs.File, error) { f, err := i.fileState.file.connect(ctx, p9.AnonymousSocket) if err != nil { - return nil, syscall.EIO + return nil, unix.EIO } fsf, err := host.NewSocketWithDirent(ctx, d, f, flags) if err != nil { @@ -654,7 +654,7 @@ func (i *inodeOperations) WriteOut(ctx context.Context, inode *fs.Inode) error { // Readlink implements fs.InodeOperations.Readlink. func (i *inodeOperations) Readlink(ctx context.Context, inode *fs.Inode) (string, error) { if !fs.IsSymlink(inode.StableAttr) { - return "", syscall.ENOLINK + return "", unix.ENOLINK } return i.fileState.file.readlink(ctx) } @@ -704,10 +704,10 @@ func (i *inodeOperations) configureMMap(file *fs.File, opts *memmap.MMapOpts) er } func init() { - syserror.AddErrorUnwrapper(func(err error) (syscall.Errno, bool) { + syserror.AddErrorUnwrapper(func(err error) (unix.Errno, bool) { if _, ok := err.(p9.ErrSocket); ok { // Treat as an I/O error. - return syscall.EIO, true + return unix.EIO, true } return 0, false }) diff --git a/pkg/sentry/fs/gofer/util.go b/pkg/sentry/fs/gofer/util.go index 47a6c69bf..3cc6a7f7b 100644 --- a/pkg/sentry/fs/gofer/util.go +++ b/pkg/sentry/fs/gofer/util.go @@ -15,8 +15,7 @@ package gofer import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/p9" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -67,6 +66,6 @@ func openFlagsFromPerms(p fs.PermMask) (p9.OpenFlags, error) { case p.Read: return p9.ReadOnly, nil default: - return 0, syscall.EINVAL + return 0, unix.EINVAL } } diff --git a/pkg/sentry/fs/host/control.go b/pkg/sentry/fs/host/control.go index 0d8d36afa..e53998be1 100644 --- a/pkg/sentry/fs/host/control.go +++ b/pkg/sentry/fs/host/control.go @@ -15,8 +15,7 @@ package host import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/fs" "gvisor.dev/gvisor/pkg/sentry/socket/control" @@ -59,7 +58,7 @@ func (c *scmRights) Clone() transport.RightsControlMessage { // Release implements transport.RightsControlMessage.Release. func (c *scmRights) Release(ctx context.Context) { for _, fd := range c.fds { - syscall.Close(fd) + unix.Close(fd) } c.fds = nil } @@ -71,7 +70,7 @@ func fdsToFiles(ctx context.Context, fds []int) []*fs.File { for _, fd := range fds { // Get flags. We do it here because they may be modified // by subsequent functions. - fileFlags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFL, 0) + fileFlags, _, errno := unix.Syscall(unix.SYS_FCNTL, uintptr(fd), unix.F_GETFL, 0) if errno != 0 { ctx.Warningf("Error retrieving host FD flags: %v", error(errno)) break @@ -86,7 +85,7 @@ func fdsToFiles(ctx context.Context, fds []int) []*fs.File { // Set known flags. file.SetFlags(fs.SettableFileFlags{ - NonBlocking: fileFlags&syscall.O_NONBLOCK != 0, + NonBlocking: fileFlags&unix.O_NONBLOCK != 0, }) files = append(files, file) diff --git a/pkg/sentry/fs/host/descriptor.go b/pkg/sentry/fs/host/descriptor.go index cfdce6a74..5667b94a1 100644 --- a/pkg/sentry/fs/host/descriptor.go +++ b/pkg/sentry/fs/host/descriptor.go @@ -16,8 +16,8 @@ package host import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/fdnotifier" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/waiter" @@ -48,14 +48,14 @@ func newDescriptor(fd int, saveable bool, wouldBlock bool, queue *waiter.Queue) origFD := -1 if saveable { var err error - ownedFD, err = syscall.Dup(fd) + ownedFD, err = unix.Dup(fd) if err != nil { return nil, err } origFD = fd } if wouldBlock { - if err := syscall.SetNonblock(ownedFD, true); err != nil { + if err := unix.SetNonblock(ownedFD, true); err != nil { return nil, err } if err := fdnotifier.AddFD(int32(ownedFD), queue); err != nil { @@ -72,12 +72,12 @@ func newDescriptor(fd int, saveable bool, wouldBlock bool, queue *waiter.Queue) // initAfterLoad initializes the value of the descriptor after Load. func (d *descriptor) initAfterLoad(id uint64, queue *waiter.Queue) error { var err error - d.value, err = syscall.Dup(d.origFD) + d.value, err = unix.Dup(d.origFD) if err != nil { return fmt.Errorf("failed to dup restored fd %d: %v", d.origFD, err) } if d.wouldBlock { - if err := syscall.SetNonblock(d.value, true); err != nil { + if err := unix.SetNonblock(d.value, true); err != nil { return err } if err := fdnotifier.AddFD(int32(d.value), queue); err != nil { @@ -92,7 +92,7 @@ func (d *descriptor) Release() { if d.wouldBlock { fdnotifier.RemoveFD(int32(d.value)) } - if err := syscall.Close(d.value); err != nil { + if err := unix.Close(d.value); err != nil { log.Warningf("error closing fd %d: %v", d.value, err) } d.value = -1 diff --git a/pkg/sentry/fs/host/file.go b/pkg/sentry/fs/host/file.go index fd4e057d8..07bd078b7 100644 --- a/pkg/sentry/fs/host/file.go +++ b/pkg/sentry/fs/host/file.go @@ -16,8 +16,8 @@ package host import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -78,16 +78,16 @@ func ImportFile(ctx context.Context, fd int, isTTY bool) (*fs.File, error) { // newFileFromDonatedFD returns an fs.File from a donated FD. If the FD is // saveable, then saveable is true. func newFileFromDonatedFD(ctx context.Context, donated int, saveable, isTTY bool) (*fs.File, error) { - var s syscall.Stat_t - if err := syscall.Fstat(donated, &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(donated, &s); err != nil { return nil, err } flags, err := fileFlagsFromDonatedFD(donated) if err != nil { return nil, err } - switch s.Mode & syscall.S_IFMT { - case syscall.S_IFSOCK: + switch s.Mode & unix.S_IFMT { + case unix.S_IFSOCK: if isTTY { return nil, fmt.Errorf("cannot import host socket as TTY") } @@ -121,19 +121,19 @@ func newFileFromDonatedFD(ctx context.Context, donated int, saveable, isTTY bool } func fileFlagsFromDonatedFD(donated int) (fs.FileFlags, error) { - flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(donated), syscall.F_GETFL, 0) + flags, _, errno := unix.Syscall(unix.SYS_FCNTL, uintptr(donated), unix.F_GETFL, 0) if errno != 0 { log.Warningf("Failed to get file flags for donated FD %d (errno=%d)", donated, errno) - return fs.FileFlags{}, syscall.EIO + return fs.FileFlags{}, unix.EIO } - accmode := flags & syscall.O_ACCMODE + accmode := flags & unix.O_ACCMODE return fs.FileFlags{ - Direct: flags&syscall.O_DIRECT != 0, - NonBlocking: flags&syscall.O_NONBLOCK != 0, - Sync: flags&syscall.O_SYNC != 0, - Append: flags&syscall.O_APPEND != 0, - Read: accmode == syscall.O_RDONLY || accmode == syscall.O_RDWR, - Write: accmode == syscall.O_WRONLY || accmode == syscall.O_RDWR, + Direct: flags&unix.O_DIRECT != 0, + NonBlocking: flags&unix.O_NONBLOCK != 0, + Sync: flags&unix.O_SYNC != 0, + Append: flags&unix.O_APPEND != 0, + Read: accmode == unix.O_RDONLY || accmode == unix.O_RDWR, + Write: accmode == unix.O_WRONLY || accmode == unix.O_RDWR, }, nil } @@ -182,7 +182,7 @@ func (f *fileOperations) Readdir(ctx context.Context, file *fs.File, serializer func (f *fileOperations) IterateDir(ctx context.Context, d *fs.Dirent, dirCtx *fs.DirCtx, offset int) (int, error) { // We only support non-directory file descriptors that have been // imported, so just claim that this isn't a directory, even if it is. - return offset, syscall.ENOTDIR + return offset, unix.ENOTDIR } // Write implements fs.FileOperations.Write. @@ -252,7 +252,7 @@ func (f *fileOperations) Fsync(ctx context.Context, file *fs.File, start int64, } fallthrough case fs.SyncBackingStorage: - return syscall.Fsync(f.iops.fileState.FD()) + return unix.Fsync(f.iops.fileState.FD()) } panic("invalid sync type") } diff --git a/pkg/sentry/fs/host/inode.go b/pkg/sentry/fs/host/inode.go index df4b265fa..e299b532c 100644 --- a/pkg/sentry/fs/host/inode.go +++ b/pkg/sentry/fs/host/inode.go @@ -15,8 +15,7 @@ package host import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" "gvisor.dev/gvisor/pkg/safemem" @@ -117,12 +116,12 @@ func (i *inodeFileState) SetMaskedAttributes(ctx context.Context, mask fs.AttrMa return syserror.EPERM } if mask.Perms { - if err := syscall.Fchmod(i.FD(), uint32(attr.Perms.LinuxMode())); err != nil { + if err := unix.Fchmod(i.FD(), uint32(attr.Perms.LinuxMode())); err != nil { return err } } if mask.Size { - if err := syscall.Ftruncate(i.FD(), attr.Size); err != nil { + if err := unix.Ftruncate(i.FD(), attr.Size); err != nil { return err } } @@ -142,7 +141,7 @@ func (i *inodeFileState) SetMaskedAttributes(ctx context.Context, mask fs.AttrMa // Sync implements fsutil.CachedFileObject.Sync. func (i *inodeFileState) Sync(ctx context.Context) error { - return syscall.Fsync(i.FD()) + return unix.Fsync(i.FD()) } // FD implements fsutil.CachedFileObject.FD. @@ -151,8 +150,8 @@ func (i *inodeFileState) FD() int { } func (i *inodeFileState) unstableAttr(ctx context.Context) (fs.UnstableAttr, error) { - var s syscall.Stat_t - if err := syscall.Fstat(i.FD(), &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.FD(), &s); err != nil { return fs.UnstableAttr{}, err } return unstableAttr(&s), nil @@ -160,7 +159,7 @@ func (i *inodeFileState) unstableAttr(ctx context.Context) (fs.UnstableAttr, err // Allocate implements fsutil.CachedFileObject.Allocate. func (i *inodeFileState) Allocate(_ context.Context, offset, length int64) error { - return syscall.Fallocate(i.FD(), 0, offset, length) + return unix.Fallocate(i.FD(), 0, offset, length) } // inodeOperations implements fs.InodeOperations. @@ -169,8 +168,8 @@ var _ fs.InodeOperations = (*inodeOperations)(nil) // newInode returns a new fs.Inode backed by the host FD. func newInode(ctx context.Context, msrc *fs.MountSource, fd int, saveable bool) (*fs.Inode, error) { // Retrieve metadata. - var s syscall.Stat_t - err := syscall.Fstat(fd, &s) + var s unix.Stat_t + err := unix.Fstat(fd, &s) if err != nil { return nil, err } @@ -324,7 +323,7 @@ func (i *inodeOperations) SetPermissions(ctx context.Context, inode *fs.Inode, f // Then just change the timestamps on the FD, the host // will synchronize the metadata update with any host // inode and page cache. - return syscall.Fchmod(i.fileState.FD(), uint32(f.LinuxMode())) == nil + return unix.Fchmod(i.fileState.FD(), uint32(f.LinuxMode())) == nil } // Otherwise update our cached metadata. return i.cachingInodeOps.SetPermissions(ctx, inode, f) @@ -350,7 +349,7 @@ func (i *inodeOperations) Truncate(ctx context.Context, inode *fs.Inode, size in // Then just change the file size on the FD, the host // will synchronize the metadata update with any host // inode and page cache. - return syscall.Ftruncate(i.fileState.FD(), size) + return unix.Ftruncate(i.fileState.FD(), size) } // Otherwise we need to go through cachingInodeOps, even if the host page // cache is in use, to invalidate private copies of truncated pages. diff --git a/pkg/sentry/fs/host/inode_state.go b/pkg/sentry/fs/host/inode_state.go index 1adbd4562..03531b7e7 100644 --- a/pkg/sentry/fs/host/inode_state.go +++ b/pkg/sentry/fs/host/inode_state.go @@ -16,8 +16,8 @@ package host import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/sentry/device" "gvisor.dev/gvisor/pkg/sentry/fs" ) @@ -30,8 +30,8 @@ func (i *inodeFileState) afterLoad() { } // Remap the inode number. - var s syscall.Stat_t - if err := syscall.Fstat(i.FD(), &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.FD(), &s); err != nil { panic(fs.ErrCorruption{fmt.Errorf("failed to get metadata for fd %d: %v", i.FD(), err)}) } key := device.MultiDeviceKey{ diff --git a/pkg/sentry/fs/host/ioctl_unsafe.go b/pkg/sentry/fs/host/ioctl_unsafe.go index 150ac8e19..303ea4d9b 100644 --- a/pkg/sentry/fs/host/ioctl_unsafe.go +++ b/pkg/sentry/fs/host/ioctl_unsafe.go @@ -15,9 +15,9 @@ package host import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -25,7 +25,7 @@ import ( func ioctlGetTermios(fd int) (*linux.Termios, error) { var t linux.Termios - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TCGETS, uintptr(unsafe.Pointer(&t))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), linux.TCGETS, uintptr(unsafe.Pointer(&t))) if errno != 0 { return nil, errno } @@ -33,7 +33,7 @@ func ioctlGetTermios(fd int) (*linux.Termios, error) { } func ioctlSetTermios(fd int, req uint64, t *linux.Termios) error { - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(unsafe.Pointer(t))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(unsafe.Pointer(t))) if errno != 0 { return errno } @@ -42,7 +42,7 @@ func ioctlSetTermios(fd int, req uint64, t *linux.Termios) error { func ioctlGetWinsize(fd int) (*linux.Winsize, error) { var w linux.Winsize - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TIOCGWINSZ, uintptr(unsafe.Pointer(&w))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), linux.TIOCGWINSZ, uintptr(unsafe.Pointer(&w))) if errno != 0 { return nil, errno } @@ -50,7 +50,7 @@ func ioctlGetWinsize(fd int) (*linux.Winsize, error) { } func ioctlSetWinsize(fd int, w *linux.Winsize) error { - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TIOCSWINSZ, uintptr(unsafe.Pointer(w))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), linux.TIOCSWINSZ, uintptr(unsafe.Pointer(w))) if errno != 0 { return errno } diff --git a/pkg/sentry/fs/host/socket.go b/pkg/sentry/fs/host/socket.go index 2b58fc52c..f2d96d1ec 100644 --- a/pkg/sentry/fs/host/socket.go +++ b/pkg/sentry/fs/host/socket.go @@ -17,8 +17,8 @@ package host import ( "fmt" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" @@ -75,26 +75,26 @@ type ConnectedEndpoint struct { // init performs initialization required for creating new ConnectedEndpoints and // for restoring them. func (c *ConnectedEndpoint) init() *syserr.Error { - family, err := syscall.GetsockoptInt(c.file.FD(), syscall.SOL_SOCKET, syscall.SO_DOMAIN) + family, err := unix.GetsockoptInt(c.file.FD(), unix.SOL_SOCKET, unix.SO_DOMAIN) if err != nil { return syserr.FromError(err) } - if family != syscall.AF_UNIX { + if family != unix.AF_UNIX { // We only allow Unix sockets. return syserr.ErrInvalidEndpointState } - stype, err := syscall.GetsockoptInt(c.file.FD(), syscall.SOL_SOCKET, syscall.SO_TYPE) + stype, err := unix.GetsockoptInt(c.file.FD(), unix.SOL_SOCKET, unix.SO_TYPE) if err != nil { return syserr.FromError(err) } - if err := syscall.SetNonblock(c.file.FD(), true); err != nil { + if err := unix.SetNonblock(c.file.FD(), true); err != nil { return syserr.FromError(err) } - sndbuf, err := syscall.GetsockoptInt(c.file.FD(), syscall.SOL_SOCKET, syscall.SO_SNDBUF) + sndbuf, err := unix.GetsockoptInt(c.file.FD(), unix.SOL_SOCKET, unix.SO_SNDBUF) if err != nil { return syserr.FromError(err) } @@ -168,7 +168,7 @@ func newSocket(ctx context.Context, orgfd int, saveable bool) (*fs.File, error) srfd := -1 if saveable { var err error - ownedfd, err = syscall.Dup(orgfd) + ownedfd, err = unix.Dup(orgfd) if err != nil { return nil, err } @@ -233,7 +233,7 @@ func (c *ConnectedEndpoint) CloseSend() { c.mu.Lock() defer c.mu.Unlock() - if err := syscall.Shutdown(c.file.FD(), syscall.SHUT_WR); err != nil { + if err := unix.Shutdown(c.file.FD(), unix.SHUT_WR); err != nil { // A well-formed UDS shutdown can't fail. See // net/unix/af_unix.c:unix_shutdown. panic(fmt.Sprintf("failed write shutdown on host socket %+v: %v", c, err)) @@ -333,7 +333,7 @@ func (c *ConnectedEndpoint) CloseRecv() { c.mu.Lock() defer c.mu.Unlock() - if err := syscall.Shutdown(c.file.FD(), syscall.SHUT_RD); err != nil { + if err := unix.Shutdown(c.file.FD(), unix.SHUT_RD); err != nil { // A well-formed UDS shutdown can't fail. See // net/unix/af_unix.c:unix_shutdown. panic(fmt.Sprintf("failed read shutdown on host socket %+v: %v", c, err)) diff --git a/pkg/sentry/fs/host/socket_iovec.go b/pkg/sentry/fs/host/socket_iovec.go index 905afb50d..7380d75e7 100644 --- a/pkg/sentry/fs/host/socket_iovec.go +++ b/pkg/sentry/fs/host/socket_iovec.go @@ -15,8 +15,7 @@ package host import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/iovec" "gvisor.dev/gvisor/pkg/syserror" ) @@ -54,7 +53,7 @@ func copyFromMulti(dst []byte, src [][]byte) { // // If intermediate != nil, iovecs references intermediate rather than bufs and // the caller must copy to/from bufs as necessary. -func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovecs []syscall.Iovec, intermediate []byte, err error) { +func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovecs []unix.Iovec, intermediate []byte, err error) { var iovsRequired int for _, b := range bufs { length += int64(len(b)) @@ -78,14 +77,14 @@ func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovec // Use a single intermediate buffer instead. b := make([]byte, stopLen) - return stopLen, []syscall.Iovec{{ + return stopLen, []unix.Iovec{{ Base: &b[0], Len: uint64(stopLen), }}, b, err } var total int64 - iovecs = make([]syscall.Iovec, 0, iovsRequired) + iovecs = make([]unix.Iovec, 0, iovsRequired) for i := range bufs { l := len(bufs[i]) if l == 0 { @@ -97,7 +96,7 @@ func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovec stop = stopLen - total } - iovecs = append(iovecs, syscall.Iovec{ + iovecs = append(iovecs, unix.Iovec{ Base: &bufs[i][0], Len: uint64(stop), }) diff --git a/pkg/sentry/fs/host/socket_state.go b/pkg/sentry/fs/host/socket_state.go index 498018f0a..1d3e5298a 100644 --- a/pkg/sentry/fs/host/socket_state.go +++ b/pkg/sentry/fs/host/socket_state.go @@ -16,8 +16,8 @@ package host import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/fd" ) @@ -30,7 +30,7 @@ func (c *ConnectedEndpoint) beforeSave() { // afterLoad is invoked by stateify. func (c *ConnectedEndpoint) afterLoad() { - f, err := syscall.Dup(c.srfd) + f, err := unix.Dup(c.srfd) if err != nil { panic(fmt.Sprintf("failed to dup restored FD %d: %v", c.srfd, err)) } diff --git a/pkg/sentry/fs/host/socket_unsafe.go b/pkg/sentry/fs/host/socket_unsafe.go index c8231e0aa..95f5d39bd 100644 --- a/pkg/sentry/fs/host/socket_unsafe.go +++ b/pkg/sentry/fs/host/socket_unsafe.go @@ -15,8 +15,9 @@ package host import ( - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) // LINT.IfChange @@ -26,9 +27,9 @@ import ( // If the total length of bufs is > maxlen, fdReadVec will do a partial read // and err will indicate why the message was truncated. func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) (readLen int64, msgLen int64, controlLen uint64, controlTrunc bool, err error) { - flags := uintptr(syscall.MSG_DONTWAIT | syscall.MSG_TRUNC) + flags := uintptr(unix.MSG_DONTWAIT | unix.MSG_TRUNC) if peek { - flags |= syscall.MSG_PEEK + flags |= unix.MSG_PEEK } // Always truncate the receive buffer. All socket types will truncate @@ -39,7 +40,7 @@ func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) ( return 0, 0, 0, false, err } - var msg syscall.Msghdr + var msg unix.Msghdr if len(control) != 0 { msg.Control = &control[0] msg.Controllen = uint64(len(control)) @@ -50,7 +51,7 @@ func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) ( msg.Iovlen = uint64(len(iovecs)) } - rawN, _, e := syscall.RawSyscall(syscall.SYS_RECVMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), flags) + rawN, _, e := unix.RawSyscall(unix.SYS_RECVMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), flags) if e != 0 { // N.B. prioritize the syscall error over the buildIovec error. return 0, 0, 0, false, e @@ -62,7 +63,7 @@ func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) ( copyToMulti(bufs, intermediate) } - controlTrunc = msg.Flags&syscall.MSG_CTRUNC == syscall.MSG_CTRUNC + controlTrunc = msg.Flags&unix.MSG_CTRUNC == unix.MSG_CTRUNC if n > length { return length, n, msg.Controllen, controlTrunc, nil @@ -87,13 +88,13 @@ func fdWriteVec(fd int, bufs [][]byte, maxlen int64, truncate bool) (int64, int6 copyFromMulti(intermediate, bufs) } - var msg syscall.Msghdr + var msg unix.Msghdr if len(iovecs) > 0 { msg.Iov = &iovecs[0] msg.Iovlen = uint64(len(iovecs)) } - n, _, e := syscall.RawSyscall(syscall.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), syscall.MSG_DONTWAIT|syscall.MSG_NOSIGNAL) + n, _, e := unix.RawSyscall(unix.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), unix.MSG_DONTWAIT|unix.MSG_NOSIGNAL) if e != 0 { // N.B. prioritize the syscall error over the buildIovec error. return 0, length, e diff --git a/pkg/sentry/fs/host/util.go b/pkg/sentry/fs/host/util.go index 1b0356930..ab74724a3 100644 --- a/pkg/sentry/fs/host/util.go +++ b/pkg/sentry/fs/host/util.go @@ -16,8 +16,8 @@ package host import ( "os" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/sentry/device" @@ -27,21 +27,21 @@ import ( "gvisor.dev/gvisor/pkg/syserror" ) -func nodeType(s *syscall.Stat_t) fs.InodeType { - switch x := (s.Mode & syscall.S_IFMT); x { - case syscall.S_IFLNK: +func nodeType(s *unix.Stat_t) fs.InodeType { + switch x := (s.Mode & unix.S_IFMT); x { + case unix.S_IFLNK: return fs.Symlink - case syscall.S_IFIFO: + case unix.S_IFIFO: return fs.Pipe - case syscall.S_IFCHR: + case unix.S_IFCHR: return fs.CharacterDevice - case syscall.S_IFBLK: + case unix.S_IFBLK: return fs.BlockDevice - case syscall.S_IFSOCK: + case unix.S_IFSOCK: return fs.Socket - case syscall.S_IFDIR: + case unix.S_IFDIR: return fs.Directory - case syscall.S_IFREG: + case unix.S_IFREG: return fs.RegularFile default: // This shouldn't happen, but just in case... @@ -50,12 +50,12 @@ func nodeType(s *syscall.Stat_t) fs.InodeType { } } -func wouldBlock(s *syscall.Stat_t) bool { +func wouldBlock(s *unix.Stat_t) bool { typ := nodeType(s) return typ == fs.Pipe || typ == fs.Socket || typ == fs.CharacterDevice } -func stableAttr(s *syscall.Stat_t) fs.StableAttr { +func stableAttr(s *unix.Stat_t) fs.StableAttr { return fs.StableAttr{ Type: nodeType(s), DeviceID: hostFileDevice.DeviceID(), @@ -67,14 +67,14 @@ func stableAttr(s *syscall.Stat_t) fs.StableAttr { } } -func owner(s *syscall.Stat_t) fs.FileOwner { +func owner(s *unix.Stat_t) fs.FileOwner { return fs.FileOwner{ UID: auth.KUID(s.Uid), GID: auth.KGID(s.Gid), } } -func unstableAttr(s *syscall.Stat_t) fs.UnstableAttr { +func unstableAttr(s *unix.Stat_t) fs.UnstableAttr { return fs.UnstableAttr{ Size: s.Size, Usage: s.Blocks * 512, diff --git a/pkg/sentry/fs/host/util_amd64_unsafe.go b/pkg/sentry/fs/host/util_amd64_unsafe.go index 66da6e9f5..21782f1da 100644 --- a/pkg/sentry/fs/host/util_amd64_unsafe.go +++ b/pkg/sentry/fs/host/util_amd64_unsafe.go @@ -17,18 +17,19 @@ package host import ( - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) -func fstatat(fd int, name string, flags int) (syscall.Stat_t, error) { - var stat syscall.Stat_t - namePtr, err := syscall.BytePtrFromString(name) +func fstatat(fd int, name string, flags int) (unix.Stat_t, error) { + var stat unix.Stat_t + namePtr, err := unix.BytePtrFromString(name) if err != nil { return stat, err } - _, _, errno := syscall.Syscall6( - syscall.SYS_NEWFSTATAT, + _, _, errno := unix.Syscall6( + unix.SYS_NEWFSTATAT, uintptr(fd), uintptr(unsafe.Pointer(namePtr)), uintptr(unsafe.Pointer(&stat)), diff --git a/pkg/sentry/fs/host/util_arm64_unsafe.go b/pkg/sentry/fs/host/util_arm64_unsafe.go index e8cb94aeb..ed8f5242a 100644 --- a/pkg/sentry/fs/host/util_arm64_unsafe.go +++ b/pkg/sentry/fs/host/util_arm64_unsafe.go @@ -17,18 +17,19 @@ package host import ( - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) -func fstatat(fd int, name string, flags int) (syscall.Stat_t, error) { - var stat syscall.Stat_t - namePtr, err := syscall.BytePtrFromString(name) +func fstatat(fd int, name string, flags int) (unix.Stat_t, error) { + var stat unix.Stat_t + namePtr, err := unix.BytePtrFromString(name) if err != nil { return stat, err } - _, _, errno := syscall.Syscall6( - syscall.SYS_FSTATAT, + _, _, errno := unix.Syscall6( + unix.SYS_FSTATAT, uintptr(fd), uintptr(unsafe.Pointer(namePtr)), uintptr(unsafe.Pointer(&stat)), diff --git a/pkg/sentry/fs/host/util_unsafe.go b/pkg/sentry/fs/host/util_unsafe.go index 23bd35d64..3c5e3ed6d 100644 --- a/pkg/sentry/fs/host/util_unsafe.go +++ b/pkg/sentry/fs/host/util_unsafe.go @@ -15,9 +15,9 @@ package host import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/sentry/fs" ktime "gvisor.dev/gvisor/pkg/sentry/kernel/time" @@ -30,8 +30,8 @@ func readLink(fd int) (string, error) { // Buffer sizing copied from os.Readlink. for l := 128; ; l *= 2 { b := make([]byte, l) - n, _, errno := syscall.Syscall6( - syscall.SYS_READLINKAT, + n, _, errno := unix.Syscall6( + unix.SYS_READLINKAT, uintptr(fd), uintptr(unsafe.Pointer(&NulByte)), // "" uintptr(unsafe.Pointer(&b[0])), @@ -46,25 +46,25 @@ func readLink(fd int) (string, error) { } } -func timespecFromTimestamp(t ktime.Time, omit, setSysTime bool) syscall.Timespec { +func timespecFromTimestamp(t ktime.Time, omit, setSysTime bool) unix.Timespec { if omit { - return syscall.Timespec{0, linux.UTIME_OMIT} + return unix.Timespec{0, linux.UTIME_OMIT} } if setSysTime { - return syscall.Timespec{0, linux.UTIME_NOW} + return unix.Timespec{0, linux.UTIME_NOW} } - return syscall.NsecToTimespec(t.Nanoseconds()) + return unix.NsecToTimespec(t.Nanoseconds()) } func setTimestamps(fd int, ts fs.TimeSpec) error { if ts.ATimeOmit && ts.MTimeOmit { return nil } - var sts [2]syscall.Timespec + var sts [2]unix.Timespec sts[0] = timespecFromTimestamp(ts.ATime, ts.ATimeOmit, ts.ATimeSetSystemTime) sts[1] = timespecFromTimestamp(ts.MTime, ts.MTimeOmit, ts.MTimeSetSystemTime) - _, _, errno := syscall.Syscall6( - syscall.SYS_UTIMENSAT, + _, _, errno := unix.Syscall6( + unix.SYS_UTIMENSAT, uintptr(fd), 0, /* path */ uintptr(unsafe.Pointer(&sts)), diff --git a/pkg/sentry/fs/lock/lock.go b/pkg/sentry/fs/lock/lock.go index 57686ce07..7d7a207cc 100644 --- a/pkg/sentry/fs/lock/lock.go +++ b/pkg/sentry/fs/lock/lock.go @@ -52,8 +52,8 @@ package lock import ( "fmt" "math" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sync" @@ -456,7 +456,7 @@ func ComputeRange(start, length, offset int64) (LockRange, error) { // fcntl(2): "l_start can be a negative number provided the offset // does not lie before the start of the file" if offset < 0 { - return LockRange{}, syscall.EINVAL + return LockRange{}, unix.EINVAL } // fcntl(2): Specifying 0 for l_len has the special meaning: lock all @@ -478,10 +478,10 @@ func ComputeRange(start, length, offset int64) (LockRange, error) { // Add to offset using a negative length (subtract). offset += length if offset < 0 { - return LockRange{}, syscall.EINVAL + return LockRange{}, unix.EINVAL } if signedEnd < offset { - return LockRange{}, syscall.EOVERFLOW + return LockRange{}, unix.EOVERFLOW } // At this point signedEnd cannot be negative, // since we asserted that offset is not negative diff --git a/pkg/sentry/fs/mounts.go b/pkg/sentry/fs/mounts.go index d741c4339..243098a09 100644 --- a/pkg/sentry/fs/mounts.go +++ b/pkg/sentry/fs/mounts.go @@ -17,8 +17,8 @@ package fs import ( "fmt" "math" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/refs" "gvisor.dev/gvisor/pkg/sentry/kernel/auth" @@ -571,13 +571,13 @@ func (mns *MountNamespace) resolve(ctx context.Context, root, node *Dirent, rema // Make sure we didn't exhaust the traversal budget. if *remainingTraversals == 0 { target.DecRef(ctx) - return nil, syscall.ELOOP + return nil, unix.ELOOP } node.DecRef(ctx) // Drop the original reference. return target, nil - case syscall.ENOLINK: + case unix.ENOLINK: // Not a symlink. return node, nil @@ -586,7 +586,7 @@ func (mns *MountNamespace) resolve(ctx context.Context, root, node *Dirent, rema // First, check if we should traverse. if *remainingTraversals == 0 { - return nil, syscall.ELOOP + return nil, unix.ELOOP } // Read the target path. diff --git a/pkg/sentry/fs/ramfs/dir.go b/pkg/sentry/fs/ramfs/dir.go index f4fcddecb..19990f9db 100644 --- a/pkg/sentry/fs/ramfs/dir.go +++ b/pkg/sentry/fs/ramfs/dir.go @@ -17,8 +17,8 @@ package ramfs import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -378,8 +378,8 @@ func (d *Dir) Bind(ctx context.Context, dir *fs.Inode, name string, ep transport inode, err := d.createInodeOperationsCommon(ctx, name, func() (*fs.Inode, error) { return d.NewBoundEndpoint(ctx, dir, ep, perms) }) - if err == syscall.EEXIST { - return nil, syscall.EADDRINUSE + if err == unix.EEXIST { + return nil, unix.EADDRINUSE } if err != nil { return nil, err diff --git a/pkg/sentry/fs/save.go b/pkg/sentry/fs/save.go index fe5c76b44..1de9735dc 100644 --- a/pkg/sentry/fs/save.go +++ b/pkg/sentry/fs/save.go @@ -16,8 +16,8 @@ package fs import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" ) @@ -65,7 +65,7 @@ func SaveFileFsyncError(err error) error { case nil: // We succeeded, everything is great. return nil - case syscall.EBADF, syscall.EINVAL, syscall.EROFS, syscall.ENOSYS, syscall.EPERM: + case unix.EBADF, unix.EINVAL, unix.EROFS, unix.ENOSYS, unix.EPERM: // These errors mean that the underlying node might not be syncable, // which we expect to be reported as such even from the gofer. log.Infof("failed to sync during save: %v", err) diff --git a/pkg/sentry/fsimpl/eventfd/eventfd.go b/pkg/sentry/fsimpl/eventfd/eventfd.go index 5b29f2358..7f810f720 100644 --- a/pkg/sentry/fsimpl/eventfd/eventfd.go +++ b/pkg/sentry/fsimpl/eventfd/eventfd.go @@ -18,8 +18,8 @@ package eventfd import ( "math" "sync" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -92,13 +92,13 @@ func (efd *EventFileDescription) HostFD() (int, error) { flags |= linux.EFD_SEMAPHORE } - fd, _, errno := syscall.Syscall(syscall.SYS_EVENTFD2, uintptr(efd.val), uintptr(flags), 0) + fd, _, errno := unix.Syscall(unix.SYS_EVENTFD2, uintptr(efd.val), uintptr(flags), 0) if errno != 0 { return -1, errno } if err := fdnotifier.AddFD(int32(fd), &efd.queue); err != nil { - if closeErr := syscall.Close(int(fd)); closeErr != nil { + if closeErr := unix.Close(int(fd)); closeErr != nil { log.Warningf("close(%d) eventfd failed: %v", fd, closeErr) } return -1, err @@ -114,7 +114,7 @@ func (efd *EventFileDescription) Release(context.Context) { defer efd.mu.Unlock() if efd.hostfd >= 0 { fdnotifier.RemoveFD(int32(efd.hostfd)) - if closeErr := syscall.Close(int(efd.hostfd)); closeErr != nil { + if closeErr := unix.Close(int(efd.hostfd)); closeErr != nil { log.Warningf("close(%d) eventfd failed: %v", efd.hostfd, closeErr) } efd.hostfd = -1 @@ -124,7 +124,7 @@ func (efd *EventFileDescription) Release(context.Context) { // Read implements vfs.FileDescriptionImpl.Read. func (efd *EventFileDescription) Read(ctx context.Context, dst usermem.IOSequence, _ vfs.ReadOptions) (int64, error) { if dst.NumBytes() < 8 { - return 0, syscall.EINVAL + return 0, unix.EINVAL } if err := efd.read(ctx, dst); err != nil { return 0, err @@ -135,7 +135,7 @@ func (efd *EventFileDescription) Read(ctx context.Context, dst usermem.IOSequenc // Write implements vfs.FileDescriptionImpl.Write. func (efd *EventFileDescription) Write(ctx context.Context, src usermem.IOSequence, _ vfs.WriteOptions) (int64, error) { if src.NumBytes() < 8 { - return 0, syscall.EINVAL + return 0, unix.EINVAL } if err := efd.write(ctx, src); err != nil { return 0, err @@ -146,8 +146,8 @@ func (efd *EventFileDescription) Write(ctx context.Context, src usermem.IOSequen // Preconditions: Must be called with efd.mu locked. func (efd *EventFileDescription) hostReadLocked(ctx context.Context, dst usermem.IOSequence) error { var buf [8]byte - if _, err := syscall.Read(efd.hostfd, buf[:]); err != nil { - if err == syscall.EWOULDBLOCK { + if _, err := unix.Read(efd.hostfd, buf[:]); err != nil { + if err == unix.EWOULDBLOCK { return syserror.ErrWouldBlock } return err @@ -197,8 +197,8 @@ func (efd *EventFileDescription) read(ctx context.Context, dst usermem.IOSequenc func (efd *EventFileDescription) hostWriteLocked(val uint64) error { var buf [8]byte usermem.ByteOrder.PutUint64(buf[:], val) - _, err := syscall.Write(efd.hostfd, buf[:]) - if err == syscall.EWOULDBLOCK { + _, err := unix.Write(efd.hostfd, buf[:]) + if err == unix.EWOULDBLOCK { return syserror.ErrWouldBlock } return err @@ -217,7 +217,7 @@ func (efd *EventFileDescription) write(ctx context.Context, src usermem.IOSequen // Signal is an internal function to signal the event fd. func (efd *EventFileDescription) Signal(val uint64) error { if val == math.MaxUint64 { - return syscall.EINVAL + return unix.EINVAL } efd.mu.Lock() diff --git a/pkg/sentry/fsimpl/fuse/connection_control.go b/pkg/sentry/fsimpl/fuse/connection_control.go index 4ab894965..948502db6 100644 --- a/pkg/sentry/fsimpl/fuse/connection_control.go +++ b/pkg/sentry/fsimpl/fuse/connection_control.go @@ -16,8 +16,8 @@ package fuse import ( "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/kernel/auth" @@ -230,7 +230,7 @@ func (conn *connection) Abort(ctx context.Context) { // sendError() will remove them from `fd.completion` map. // Will enter the path of a normally received error. for _, toTerminate := range terminate { - conn.fd.sendError(ctx, -int32(syscall.ECONNABORTED), toTerminate) + conn.fd.sendError(ctx, -int32(unix.ECONNABORTED), toTerminate) } // 3. The requests not yet written to FUSE device. diff --git a/pkg/sentry/fsimpl/fuse/dev.go b/pkg/sentry/fsimpl/fuse/dev.go index 1bbe6fdb7..1eeb95216 100644 --- a/pkg/sentry/fsimpl/fuse/dev.go +++ b/pkg/sentry/fsimpl/fuse/dev.go @@ -15,8 +15,7 @@ package fuse import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/kernel" @@ -176,9 +175,9 @@ func (fd *DeviceFD) readLocked(ctx context.Context, dst usermem.IOSequence, opts // The request is too large. Cannot process it. All requests must be smaller than the // negotiated size as specified by Connection.MaxWrite set as part of the FUSE_INIT // handshake. - errno := -int32(syscall.EIO) + errno := -int32(unix.EIO) if req.hdr.Opcode == linux.FUSE_SETXATTR { - errno = -int32(syscall.E2BIG) + errno = -int32(unix.E2BIG) } // Return the error to the calling task. diff --git a/pkg/sentry/fsimpl/fuse/request_response.go b/pkg/sentry/fsimpl/fuse/request_response.go index 41d679358..10fb9d7d2 100644 --- a/pkg/sentry/fsimpl/fuse/request_response.go +++ b/pkg/sentry/fsimpl/fuse/request_response.go @@ -16,8 +16,8 @@ package fuse import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/marshal" "gvisor.dev/gvisor/pkg/sentry/kernel" @@ -199,7 +199,7 @@ func (r *Response) Error() error { return nil } - sysErrNo := syscall.Errno(-errno) + sysErrNo := unix.Errno(-errno) return error(sysErrNo) } diff --git a/pkg/sentry/fsimpl/gofer/gofer.go b/pkg/sentry/fsimpl/gofer/gofer.go index 094d993a8..1508cbdf1 100644 --- a/pkg/sentry/fsimpl/gofer/gofer.go +++ b/pkg/sentry/fsimpl/gofer/gofer.go @@ -40,8 +40,8 @@ import ( "strconv" "strings" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/log" @@ -550,10 +550,10 @@ func (fs *filesystem) Release(ctx context.Context) { d.dataMu.Unlock() // Close host FDs if they exist. if d.readFD >= 0 { - syscall.Close(int(d.readFD)) + unix.Close(int(d.readFD)) } if d.writeFD >= 0 && d.readFD != d.writeFD { - syscall.Close(int(d.writeFD)) + unix.Close(int(d.writeFD)) } d.readFD = -1 d.writeFD = -1 @@ -1505,10 +1505,10 @@ func (d *dentry) destroyLocked(ctx context.Context) { d.readFile = p9file{} d.writeFile = p9file{} if d.readFD >= 0 { - syscall.Close(int(d.readFD)) + unix.Close(int(d.readFD)) } if d.writeFD >= 0 && d.readFD != d.writeFD { - syscall.Close(int(d.writeFD)) + unix.Close(int(d.writeFD)) } d.readFD = -1 d.writeFD = -1 @@ -1686,7 +1686,7 @@ func (d *dentry) ensureSharedHandle(ctx context.Context, read, write, trunc bool // may use the old or new file description, but this // doesn't matter since they refer to the same file, and // any racing mappings must be read-only. - if err := syscall.Dup3(int(h.fd), int(d.readFD), syscall.O_CLOEXEC); err != nil { + if err := unix.Dup3(int(h.fd), int(d.readFD), unix.O_CLOEXEC); err != nil { oldFD := d.readFD d.handleMu.Unlock() ctx.Warningf("gofer.dentry.ensureSharedHandle: failed to dup fd %d to fd %d: %v", h.fd, oldFD, err) @@ -1772,7 +1772,7 @@ func (d *dentry) ensureSharedHandle(ctx context.Context, read, write, trunc bool d.mapsMu.Unlock() } for _, fd := range fdsToClose { - syscall.Close(int(fd)) + unix.Close(int(fd)) } return nil @@ -1808,7 +1808,7 @@ func (d *dentry) syncRemoteFileLocked(ctx context.Context) error { // handles otherwise. if d.writeFD >= 0 { ctx.UninterruptibleSleepStart(false) - err := syscall.Fsync(int(d.writeFD)) + err := unix.Fsync(int(d.writeFD)) ctx.UninterruptibleSleepFinish(false) return err } @@ -1817,7 +1817,7 @@ func (d *dentry) syncRemoteFileLocked(ctx context.Context) error { } if d.readFD >= 0 { ctx.UninterruptibleSleepStart(false) - err := syscall.Fsync(int(d.readFD)) + err := unix.Fsync(int(d.readFD)) ctx.UninterruptibleSleepFinish(false) return err } diff --git a/pkg/sentry/fsimpl/gofer/handle.go b/pkg/sentry/fsimpl/gofer/handle.go index a9ebe1206..0bc201d1c 100644 --- a/pkg/sentry/fsimpl/gofer/handle.go +++ b/pkg/sentry/fsimpl/gofer/handle.go @@ -15,8 +15,7 @@ package gofer import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/p9" "gvisor.dev/gvisor/pkg/safemem" @@ -73,7 +72,7 @@ func (h *handle) close(ctx context.Context) { h.file.close(ctx) h.file = p9file{} if h.fd >= 0 { - syscall.Close(int(h.fd)) + unix.Close(int(h.fd)) h.fd = -1 } } diff --git a/pkg/sentry/fsimpl/gofer/socket.go b/pkg/sentry/fsimpl/gofer/socket.go index a21199eac..fe15f8583 100644 --- a/pkg/sentry/fsimpl/gofer/socket.go +++ b/pkg/sentry/fsimpl/gofer/socket.go @@ -15,8 +15,7 @@ package gofer import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/log" @@ -118,7 +117,7 @@ func (e *endpoint) newConnectedEndpoint(ctx context.Context, flags p9.ConnectFla return nil, syserr.ErrConnectionRefused } // Dup the fd so that the new endpoint can manage its lifetime. - hostFD, err := syscall.Dup(hostFile.FD()) + hostFD, err := unix.Dup(hostFile.FD()) if err != nil { log.Warningf("Could not dup host socket fd %d: %v", hostFile.FD(), err) return nil, syserr.FromError(err) diff --git a/pkg/sentry/fsimpl/gofer/special_file.go b/pkg/sentry/fsimpl/gofer/special_file.go index ae972fcb5..ac3b5b621 100644 --- a/pkg/sentry/fsimpl/gofer/special_file.go +++ b/pkg/sentry/fsimpl/gofer/special_file.go @@ -16,8 +16,8 @@ package gofer import ( "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -376,7 +376,7 @@ func (fd *specialFileFD) sync(ctx context.Context, forFilesystemSync bool) error // RPC. if fd.handle.fd >= 0 { ctx.UninterruptibleSleepStart(false) - err := syscall.Fsync(int(fd.handle.fd)) + err := unix.Fsync(int(fd.handle.fd)) ctx.UninterruptibleSleepFinish(false) return err } diff --git a/pkg/sentry/fsimpl/host/control.go b/pkg/sentry/fsimpl/host/control.go index 13ef48cb5..1680d456e 100644 --- a/pkg/sentry/fsimpl/host/control.go +++ b/pkg/sentry/fsimpl/host/control.go @@ -15,8 +15,7 @@ package host import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/kernel" @@ -60,7 +59,7 @@ func (c *scmRights) Clone() transport.RightsControlMessage { // Release implements transport.RightsControlMessage.Release. func (c *scmRights) Release(ctx context.Context) { for _, fd := range c.fds { - syscall.Close(fd) + unix.Close(fd) } c.fds = nil } @@ -72,7 +71,7 @@ func fdsToFiles(ctx context.Context, fds []int) []*vfs.FileDescription { for _, fd := range fds { // Get flags. We do it here because they may be modified // by subsequent functions. - fileFlags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFL, 0) + fileFlags, _, errno := unix.Syscall(unix.SYS_FCNTL, uintptr(fd), unix.F_GETFL, 0) if errno != 0 { ctx.Warningf("Error retrieving host FD flags: %v", error(errno)) break diff --git a/pkg/sentry/fsimpl/host/host.go b/pkg/sentry/fsimpl/host/host.go index 05f11fbd5..ad5de80dc 100644 --- a/pkg/sentry/fsimpl/host/host.go +++ b/pkg/sentry/fsimpl/host/host.go @@ -20,7 +20,6 @@ import ( "fmt" "math" "sync/atomic" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -112,7 +111,7 @@ func newInode(ctx context.Context, fs *filesystem, hostFD int, savable bool, fil seekable := err != syserror.ESPIPE // We expect regular files to be seekable, as this is required for them to // be memory-mappable. - if !seekable && fileType == syscall.S_IFREG { + if !seekable && fileType == unix.S_IFREG { ctx.Infof("host.newInode: host FD %d is a non-seekable regular file", hostFD) return nil, syserror.ESPIPE } @@ -121,7 +120,7 @@ func newInode(ctx context.Context, fs *filesystem, hostFD int, savable bool, fil hostFD: hostFD, ino: fs.NextIno(), ftype: uint16(fileType), - mayBlock: fileType != syscall.S_IFREG && fileType != syscall.S_IFDIR, + mayBlock: fileType != unix.S_IFREG && fileType != unix.S_IFDIR, seekable: seekable, isTTY: isTTY, savable: savable, @@ -132,7 +131,7 @@ func newInode(ctx context.Context, fs *filesystem, hostFD int, savable bool, fil // If the hostFD can return EWOULDBLOCK when set to non-blocking, do so and // handle blocking behavior in the sentry. if i.mayBlock { - if err := syscall.SetNonblock(i.hostFD, true); err != nil { + if err := unix.SetNonblock(i.hostFD, true); err != nil { return nil, err } if err := fdnotifier.AddFD(int32(i.hostFD), &i.queue); err != nil { @@ -175,7 +174,7 @@ func NewFD(ctx context.Context, mnt *vfs.Mount, hostFD int, opts *NewFDOptions) flags := opts.Flags if !opts.HaveFlags { // Get flags for the imported FD. - flagsInt, err := unix.FcntlInt(uintptr(hostFD), syscall.F_GETFL, 0) + flagsInt, err := unix.FcntlInt(uintptr(hostFD), unix.F_GETFL, 0) if err != nil { return nil, err } @@ -263,8 +262,8 @@ func (fs *filesystem) PrependPath(ctx context.Context, vfsroot, vd vfs.VirtualDe // CheckPermissions implements kernfs.Inode.CheckPermissions. func (i *inode) CheckPermissions(ctx context.Context, creds *auth.Credentials, ats vfs.AccessTypes) error { - var s syscall.Stat_t - if err := syscall.Fstat(i.hostFD, &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.hostFD, &s); err != nil { return err } return vfs.GenericCheckPermissions(creds, ats, linux.FileMode(s.Mode), auth.KUID(s.Uid), auth.KGID(s.Gid)) @@ -272,8 +271,8 @@ func (i *inode) CheckPermissions(ctx context.Context, creds *auth.Credentials, a // Mode implements kernfs.Inode.Mode. func (i *inode) Mode() linux.FileMode { - var s syscall.Stat_t - if err := syscall.Fstat(i.hostFD, &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.hostFD, &s); err != nil { // Retrieving the mode from the host fd using fstat(2) should not fail. // If the syscall does not succeed, something is fundamentally wrong. panic(fmt.Sprintf("failed to retrieve mode from host fd %d: %v", i.hostFD, err)) @@ -405,8 +404,8 @@ func (i *inode) SetStat(ctx context.Context, fs *vfs.Filesystem, creds *auth.Cre if m&^(linux.STATX_MODE|linux.STATX_SIZE|linux.STATX_ATIME|linux.STATX_MTIME) != 0 { return syserror.EPERM } - var hostStat syscall.Stat_t - if err := syscall.Fstat(i.hostFD, &hostStat); err != nil { + var hostStat unix.Stat_t + if err := unix.Fstat(i.hostFD, &hostStat); err != nil { return err } if err := vfs.CheckSetStat(ctx, creds, &opts, linux.FileMode(hostStat.Mode), auth.KUID(hostStat.Uid), auth.KGID(hostStat.Gid)); err != nil { @@ -414,7 +413,7 @@ func (i *inode) SetStat(ctx context.Context, fs *vfs.Filesystem, creds *auth.Cre } if m&linux.STATX_MODE != 0 { - if err := syscall.Fchmod(i.hostFD, uint32(s.Mode)); err != nil { + if err := unix.Fchmod(i.hostFD, uint32(s.Mode)); err != nil { return err } } @@ -422,7 +421,7 @@ func (i *inode) SetStat(ctx context.Context, fs *vfs.Filesystem, creds *auth.Cre if hostStat.Mode&linux.S_IFMT != linux.S_IFREG { return syserror.EINVAL } - if err := syscall.Ftruncate(i.hostFD, int64(s.Size)); err != nil { + if err := unix.Ftruncate(i.hostFD, int64(s.Size)); err != nil { return err } oldSize := uint64(hostStat.Size) @@ -435,7 +434,7 @@ func (i *inode) SetStat(ctx context.Context, fs *vfs.Filesystem, creds *auth.Cre } } if m&(linux.STATX_ATIME|linux.STATX_MTIME) != 0 { - ts := [2]syscall.Timespec{ + ts := [2]unix.Timespec{ toTimespec(s.Atime, m&linux.STATX_ATIME == 0), toTimespec(s.Mtime, m&linux.STATX_MTIME == 0), } @@ -468,8 +467,8 @@ func (i *inode) Open(ctx context.Context, rp *vfs.ResolvingPath, d *kernfs.Dentr } func (i *inode) open(ctx context.Context, d *kernfs.Dentry, mnt *vfs.Mount, flags uint32) (*vfs.FileDescription, error) { - var s syscall.Stat_t - if err := syscall.Fstat(i.hostFD, &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.hostFD, &s); err != nil { return nil, err } fileType := s.Mode & linux.FileTypeMask @@ -477,10 +476,10 @@ func (i *inode) open(ctx context.Context, d *kernfs.Dentry, mnt *vfs.Mount, flag // Constrain flags to a subset we can handle. // // TODO(gvisor.dev/issue/2601): Support O_NONBLOCK by adding RWF_NOWAIT to pread/pwrite calls. - flags &= syscall.O_ACCMODE | syscall.O_NONBLOCK | syscall.O_DSYNC | syscall.O_SYNC | syscall.O_APPEND + flags &= unix.O_ACCMODE | unix.O_NONBLOCK | unix.O_DSYNC | unix.O_SYNC | unix.O_APPEND switch fileType { - case syscall.S_IFSOCK: + case unix.S_IFSOCK: if i.isTTY { log.Warningf("cannot use host socket fd %d as TTY", i.hostFD) return nil, syserror.ENOTTY @@ -493,7 +492,7 @@ func (i *inode) open(ctx context.Context, d *kernfs.Dentry, mnt *vfs.Mount, flag // Currently, we only allow Unix sockets to be imported. return unixsocket.NewFileDescription(ep, ep.Type(), flags, mnt, d.VFSDentry(), &i.locks) - case syscall.S_IFREG, syscall.S_IFIFO, syscall.S_IFCHR: + case unix.S_IFREG, unix.S_IFIFO, unix.S_IFCHR: if i.isTTY { fd := &TTYFileDescription{ fileDescription: fileDescription{inode: i}, @@ -675,8 +674,8 @@ func (f *fileDescription) Write(ctx context.Context, src usermem.IOSequence, opt // and writing to the host fd. This is an unavoidable race condition because // we cannot enforce synchronization on the host. if f.vfsfd.StatusFlags()&linux.O_APPEND != 0 { - var s syscall.Stat_t - if err := syscall.Fstat(i.hostFD, &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.hostFD, &s); err != nil { f.offsetMu.Unlock() return 0, err } @@ -737,8 +736,8 @@ func (f *fileDescription) Seek(_ context.Context, offset int64, whence int32) (i f.offset += offset case linux.SEEK_END: - var s syscall.Stat_t - if err := syscall.Fstat(i.hostFD, &s); err != nil { + var s unix.Stat_t + if err := unix.Fstat(i.hostFD, &s); err != nil { return f.offset, err } size := s.Size @@ -781,7 +780,7 @@ func (f *fileDescription) Sync(ctx context.Context) error { func (f *fileDescription) ConfigureMMap(_ context.Context, opts *memmap.MMapOpts) error { // NOTE(b/38213152): Technically, some obscure char devices can be memory // mapped, but we only allow regular files. - if f.inode.ftype != syscall.S_IFREG { + if f.inode.ftype != unix.S_IFREG { return syserror.ENODEV } i := f.inode diff --git a/pkg/sentry/fsimpl/host/ioctl_unsafe.go b/pkg/sentry/fsimpl/host/ioctl_unsafe.go index 0983bf7d8..f666a5875 100644 --- a/pkg/sentry/fsimpl/host/ioctl_unsafe.go +++ b/pkg/sentry/fsimpl/host/ioctl_unsafe.go @@ -15,15 +15,15 @@ package host import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) func ioctlGetTermios(fd int) (*linux.Termios, error) { var t linux.Termios - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TCGETS, uintptr(unsafe.Pointer(&t))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), linux.TCGETS, uintptr(unsafe.Pointer(&t))) if errno != 0 { return nil, errno } @@ -31,7 +31,7 @@ func ioctlGetTermios(fd int) (*linux.Termios, error) { } func ioctlSetTermios(fd int, req uint64, t *linux.Termios) error { - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(unsafe.Pointer(t))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(unsafe.Pointer(t))) if errno != 0 { return errno } @@ -40,7 +40,7 @@ func ioctlSetTermios(fd int, req uint64, t *linux.Termios) error { func ioctlGetWinsize(fd int) (*linux.Winsize, error) { var w linux.Winsize - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TIOCGWINSZ, uintptr(unsafe.Pointer(&w))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), linux.TIOCGWINSZ, uintptr(unsafe.Pointer(&w))) if errno != 0 { return nil, errno } @@ -48,7 +48,7 @@ func ioctlGetWinsize(fd int) (*linux.Winsize, error) { } func ioctlSetWinsize(fd int, w *linux.Winsize) error { - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TIOCSWINSZ, uintptr(unsafe.Pointer(w))) + _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), linux.TIOCSWINSZ, uintptr(unsafe.Pointer(w))) if errno != 0 { return errno } diff --git a/pkg/sentry/fsimpl/host/save_restore.go b/pkg/sentry/fsimpl/host/save_restore.go index 8800652a9..5688bddc8 100644 --- a/pkg/sentry/fsimpl/host/save_restore.go +++ b/pkg/sentry/fsimpl/host/save_restore.go @@ -18,8 +18,8 @@ import ( "fmt" "io" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/fdnotifier" "gvisor.dev/gvisor/pkg/safemem" "gvisor.dev/gvisor/pkg/sentry/hostfd" @@ -31,7 +31,7 @@ func (i *inode) beforeSave() { if !i.savable { panic("host.inode is not savable") } - if i.ftype == syscall.S_IFIFO { + if i.ftype == unix.S_IFIFO { // If this pipe FD is readable, drain it so that bytes in the pipe can // be read after restore. (This is a legacy VFS1 feature.) We don't // know if the pipe FD is readable, so just try reading and tolerate @@ -45,7 +45,7 @@ func (i *inode) beforeSave() { i.buf = append(i.buf, buf[:n]...) } if err != nil { - if err == io.EOF || err == syscall.EAGAIN || err == syscall.EBADF { + if err == io.EOF || err == unix.EAGAIN || err == unix.EBADF { break } panic(fmt.Errorf("host.inode.beforeSave: buffering from pipe failed: %v", err)) @@ -60,7 +60,7 @@ func (i *inode) beforeSave() { // afterLoad is invoked by stateify. func (i *inode) afterLoad() { if i.mayBlock { - if err := syscall.SetNonblock(i.hostFD, true); err != nil { + if err := unix.SetNonblock(i.hostFD, true); err != nil { panic(fmt.Sprintf("host.inode.afterLoad: failed to set host FD %d non-blocking: %v", i.hostFD, err)) } if err := fdnotifier.AddFD(int32(i.hostFD), &i.queue); err != nil { diff --git a/pkg/sentry/fsimpl/host/socket.go b/pkg/sentry/fsimpl/host/socket.go index 6763f5b0c..056f910aa 100644 --- a/pkg/sentry/fsimpl/host/socket.go +++ b/pkg/sentry/fsimpl/host/socket.go @@ -17,8 +17,8 @@ package host import ( "fmt" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -87,26 +87,26 @@ type ConnectedEndpoint struct { func (c *ConnectedEndpoint) init() *syserr.Error { c.InitRefs() - family, err := syscall.GetsockoptInt(c.fd, syscall.SOL_SOCKET, syscall.SO_DOMAIN) + family, err := unix.GetsockoptInt(c.fd, unix.SOL_SOCKET, unix.SO_DOMAIN) if err != nil { return syserr.FromError(err) } - if family != syscall.AF_UNIX { + if family != unix.AF_UNIX { // We only allow Unix sockets. return syserr.ErrInvalidEndpointState } - stype, err := syscall.GetsockoptInt(c.fd, syscall.SOL_SOCKET, syscall.SO_TYPE) + stype, err := unix.GetsockoptInt(c.fd, unix.SOL_SOCKET, unix.SO_TYPE) if err != nil { return syserr.FromError(err) } - if err := syscall.SetNonblock(c.fd, true); err != nil { + if err := unix.SetNonblock(c.fd, true); err != nil { return syserr.FromError(err) } - sndbuf, err := syscall.GetsockoptInt(c.fd, syscall.SOL_SOCKET, syscall.SO_SNDBUF) + sndbuf, err := unix.GetsockoptInt(c.fd, unix.SOL_SOCKET, unix.SO_SNDBUF) if err != nil { return syserr.FromError(err) } @@ -177,7 +177,7 @@ func (c *ConnectedEndpoint) CloseSend() { c.mu.Lock() defer c.mu.Unlock() - if err := syscall.Shutdown(c.fd, syscall.SHUT_WR); err != nil { + if err := unix.Shutdown(c.fd, unix.SHUT_WR); err != nil { // A well-formed UDS shutdown can't fail. See // net/unix/af_unix.c:unix_shutdown. panic(fmt.Sprintf("failed write shutdown on host socket %+v: %v", c, err)) @@ -270,7 +270,7 @@ func (c *ConnectedEndpoint) CloseRecv() { c.mu.Lock() defer c.mu.Unlock() - if err := syscall.Shutdown(c.fd, syscall.SHUT_RD); err != nil { + if err := unix.Shutdown(c.fd, unix.SHUT_RD); err != nil { // A well-formed UDS shutdown can't fail. See // net/unix/af_unix.c:unix_shutdown. panic(fmt.Sprintf("failed read shutdown on host socket %+v: %v", c, err)) @@ -358,7 +358,7 @@ func (e *SCMConnectedEndpoint) Release(ctx context.Context) { e.DecRef(func() { e.mu.Lock() fdnotifier.RemoveFD(int32(e.fd)) - if err := syscall.Close(e.fd); err != nil { + if err := unix.Close(e.fd); err != nil { log.Warningf("Failed to close host fd %d: %v", err) } e.destroyLocked() diff --git a/pkg/sentry/fsimpl/host/socket_iovec.go b/pkg/sentry/fsimpl/host/socket_iovec.go index fc0d5fd38..b123a63ee 100644 --- a/pkg/sentry/fsimpl/host/socket_iovec.go +++ b/pkg/sentry/fsimpl/host/socket_iovec.go @@ -15,8 +15,7 @@ package host import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/iovec" "gvisor.dev/gvisor/pkg/syserror" ) @@ -52,7 +51,7 @@ func copyFromMulti(dst []byte, src [][]byte) { // // If intermediate != nil, iovecs references intermediate rather than bufs and // the caller must copy to/from bufs as necessary. -func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovecs []syscall.Iovec, intermediate []byte, err error) { +func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovecs []unix.Iovec, intermediate []byte, err error) { var iovsRequired int for _, b := range bufs { length += int64(len(b)) @@ -76,14 +75,14 @@ func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovec // Use a single intermediate buffer instead. b := make([]byte, stopLen) - return stopLen, []syscall.Iovec{{ + return stopLen, []unix.Iovec{{ Base: &b[0], Len: uint64(stopLen), }}, b, err } var total int64 - iovecs = make([]syscall.Iovec, 0, iovsRequired) + iovecs = make([]unix.Iovec, 0, iovsRequired) for i := range bufs { l := len(bufs[i]) if l == 0 { @@ -95,7 +94,7 @@ func buildIovec(bufs [][]byte, maxlen int64, truncate bool) (length int64, iovec stop = stopLen - total } - iovecs = append(iovecs, syscall.Iovec{ + iovecs = append(iovecs, unix.Iovec{ Base: &bufs[i][0], Len: uint64(stop), }) diff --git a/pkg/sentry/fsimpl/host/socket_unsafe.go b/pkg/sentry/fsimpl/host/socket_unsafe.go index c0bf45f08..34f24e95c 100644 --- a/pkg/sentry/fsimpl/host/socket_unsafe.go +++ b/pkg/sentry/fsimpl/host/socket_unsafe.go @@ -15,8 +15,9 @@ package host import ( - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) // fdReadVec receives from fd to bufs. @@ -24,9 +25,9 @@ import ( // If the total length of bufs is > maxlen, fdReadVec will do a partial read // and err will indicate why the message was truncated. func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) (readLen int64, msgLen int64, controlLen uint64, controlTrunc bool, err error) { - flags := uintptr(syscall.MSG_DONTWAIT | syscall.MSG_TRUNC) + flags := uintptr(unix.MSG_DONTWAIT | unix.MSG_TRUNC) if peek { - flags |= syscall.MSG_PEEK + flags |= unix.MSG_PEEK } // Always truncate the receive buffer. All socket types will truncate @@ -37,7 +38,7 @@ func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) ( return 0, 0, 0, false, err } - var msg syscall.Msghdr + var msg unix.Msghdr if len(control) != 0 { msg.Control = &control[0] msg.Controllen = uint64(len(control)) @@ -48,7 +49,7 @@ func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) ( msg.Iovlen = uint64(len(iovecs)) } - rawN, _, e := syscall.RawSyscall(syscall.SYS_RECVMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), flags) + rawN, _, e := unix.RawSyscall(unix.SYS_RECVMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), flags) if e != 0 { // N.B. prioritize the syscall error over the buildIovec error. return 0, 0, 0, false, e @@ -60,7 +61,7 @@ func fdReadVec(fd int, bufs [][]byte, control []byte, peek bool, maxlen int64) ( copyToMulti(bufs, intermediate) } - controlTrunc = msg.Flags&syscall.MSG_CTRUNC == syscall.MSG_CTRUNC + controlTrunc = msg.Flags&unix.MSG_CTRUNC == unix.MSG_CTRUNC if n > length { return length, n, msg.Controllen, controlTrunc, nil @@ -85,13 +86,13 @@ func fdWriteVec(fd int, bufs [][]byte, maxlen int64, truncate bool) (int64, int6 copyFromMulti(intermediate, bufs) } - var msg syscall.Msghdr + var msg unix.Msghdr if len(iovecs) > 0 { msg.Iov = &iovecs[0] msg.Iovlen = uint64(len(iovecs)) } - n, _, e := syscall.RawSyscall(syscall.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), syscall.MSG_DONTWAIT|syscall.MSG_NOSIGNAL) + n, _, e := unix.RawSyscall(unix.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(&msg)), unix.MSG_DONTWAIT|unix.MSG_NOSIGNAL) if e != 0 { // N.B. prioritize the syscall error over the buildIovec error. return 0, length, e diff --git a/pkg/sentry/fsimpl/host/util.go b/pkg/sentry/fsimpl/host/util.go index b2f43a119..63b465859 100644 --- a/pkg/sentry/fsimpl/host/util.go +++ b/pkg/sentry/fsimpl/host/util.go @@ -15,21 +15,19 @@ package host import ( - "syscall" - "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/syserror" ) -func toTimespec(ts linux.StatxTimestamp, omit bool) syscall.Timespec { +func toTimespec(ts linux.StatxTimestamp, omit bool) unix.Timespec { if omit { - return syscall.Timespec{ + return unix.Timespec{ Sec: 0, Nsec: unix.UTIME_OMIT, } } - return syscall.Timespec{ + return unix.Timespec{ Sec: ts.Sec, Nsec: int64(ts.Nsec), } diff --git a/pkg/sentry/fsimpl/host/util_unsafe.go b/pkg/sentry/fsimpl/host/util_unsafe.go index 5136ac844..b36eed2e2 100644 --- a/pkg/sentry/fsimpl/host/util_unsafe.go +++ b/pkg/sentry/fsimpl/host/util_unsafe.go @@ -15,13 +15,14 @@ package host import ( - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) -func setTimestamps(fd int, ts *[2]syscall.Timespec) error { - _, _, errno := syscall.Syscall6( - syscall.SYS_UTIMENSAT, +func setTimestamps(fd int, ts *[2]unix.Timespec) error { + _, _, errno := unix.Syscall6( + unix.SYS_UTIMENSAT, uintptr(fd), 0, /* path */ uintptr(unsafe.Pointer(ts)), diff --git a/pkg/sentry/hostfd/hostfd_unsafe.go b/pkg/sentry/hostfd/hostfd_unsafe.go index 694371b1c..03c6d2a16 100644 --- a/pkg/sentry/hostfd/hostfd_unsafe.go +++ b/pkg/sentry/hostfd/hostfd_unsafe.go @@ -16,7 +16,6 @@ package hostfd import ( "io" - "syscall" "unsafe" "golang.org/x/sys/unix" @@ -33,15 +32,15 @@ func Preadv2(fd int32, dsts safemem.BlockSeq, offset int64, flags uint32) (uint6 // return EFAULT if appropriate, instead of raising SIGBUS. var ( n uintptr - e syscall.Errno + e unix.Errno ) if flags == 0 && dsts.NumBlocks() == 1 { // Use read() or pread() to avoid iovec allocation and copying. dst := dsts.Head() if offset == -1 { - n, _, e = syscall.Syscall(unix.SYS_READ, uintptr(fd), dst.Addr(), uintptr(dst.Len())) + n, _, e = unix.Syscall(unix.SYS_READ, uintptr(fd), dst.Addr(), uintptr(dst.Len())) } else { - n, _, e = syscall.Syscall6(unix.SYS_PREAD64, uintptr(fd), dst.Addr(), uintptr(dst.Len()), uintptr(offset), 0 /* pos_h */, 0 /* unused */) + n, _, e = unix.Syscall6(unix.SYS_PREAD64, uintptr(fd), dst.Addr(), uintptr(dst.Len()), uintptr(offset), 0 /* pos_h */, 0 /* unused */) } } else { iovs := safemem.IovecsFromBlockSeq(dsts) @@ -49,7 +48,7 @@ func Preadv2(fd int32, dsts safemem.BlockSeq, offset int64, flags uint32) (uint6 log.Debugf("hostfd.Preadv2: truncating from %d iovecs to %d", len(iovs), maxIov) iovs = iovs[:maxIov] } - n, _, e = syscall.Syscall6(unix.SYS_PREADV2, uintptr(fd), uintptr((unsafe.Pointer)(&iovs[0])), uintptr(len(iovs)), uintptr(offset), 0 /* pos_h */, uintptr(flags)) + n, _, e = unix.Syscall6(unix.SYS_PREADV2, uintptr(fd), uintptr((unsafe.Pointer)(&iovs[0])), uintptr(len(iovs)), uintptr(offset), 0 /* pos_h */, uintptr(flags)) } if e != 0 { return 0, e @@ -69,15 +68,15 @@ func Pwritev2(fd int32, srcs safemem.BlockSeq, offset int64, flags uint32) (uint // return EFAULT if appropriate, instead of raising SIGBUS. var ( n uintptr - e syscall.Errno + e unix.Errno ) if flags == 0 && srcs.NumBlocks() == 1 { // Use write() or pwrite() to avoid iovec allocation and copying. src := srcs.Head() if offset == -1 { - n, _, e = syscall.Syscall(unix.SYS_WRITE, uintptr(fd), src.Addr(), uintptr(src.Len())) + n, _, e = unix.Syscall(unix.SYS_WRITE, uintptr(fd), src.Addr(), uintptr(src.Len())) } else { - n, _, e = syscall.Syscall6(unix.SYS_PWRITE64, uintptr(fd), src.Addr(), uintptr(src.Len()), uintptr(offset), 0 /* pos_h */, 0 /* unused */) + n, _, e = unix.Syscall6(unix.SYS_PWRITE64, uintptr(fd), src.Addr(), uintptr(src.Len()), uintptr(offset), 0 /* pos_h */, 0 /* unused */) } } else { iovs := safemem.IovecsFromBlockSeq(srcs) @@ -85,7 +84,7 @@ func Pwritev2(fd int32, srcs safemem.BlockSeq, offset int64, flags uint32) (uint log.Debugf("hostfd.Preadv2: truncating from %d iovecs to %d", len(iovs), maxIov) iovs = iovs[:maxIov] } - n, _, e = syscall.Syscall6(unix.SYS_PWRITEV2, uintptr(fd), uintptr((unsafe.Pointer)(&iovs[0])), uintptr(len(iovs)), uintptr(offset), 0 /* pos_h */, uintptr(flags)) + n, _, e = unix.Syscall6(unix.SYS_PWRITEV2, uintptr(fd), uintptr((unsafe.Pointer)(&iovs[0])), uintptr(len(iovs)), uintptr(offset), 0 /* pos_h */, uintptr(flags)) } if e != 0 { return 0, e diff --git a/pkg/sentry/hostmm/hostmm.go b/pkg/sentry/hostmm/hostmm.go index 506c7864a..c47b96b54 100644 --- a/pkg/sentry/hostmm/hostmm.go +++ b/pkg/sentry/hostmm/hostmm.go @@ -20,8 +20,8 @@ import ( "fmt" "os" "path" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/fd" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/usermem" @@ -60,7 +60,7 @@ func NotifyCurrentMemcgPressureCallback(f func(), level string) (func(), error) } // Don't use fmt.Fprintf since the whole string needs to be written in a - // single syscall. + // single unix. eventControlStr := fmt.Sprintf("%d %d %s", eventFD.FD(), pressureFile.Fd(), level) if n, err := eventControlFile.Write([]byte(eventControlStr)); n != len(eventControlStr) || err != nil { eventFD.Close() @@ -80,7 +80,7 @@ func NotifyCurrentMemcgPressureCallback(f func(), level string) (func(), error) for { n, err := rw.Read(buf[:]) if err != nil { - if err == syscall.EINTR { + if err == unix.EINTR { continue } panic(fmt.Sprintf("failed to read from memory pressure level eventfd: %v", err)) @@ -107,7 +107,7 @@ func NotifyCurrentMemcgPressureCallback(f func(), level string) (func(), error) for { n, err := rw.Write(buf[:]) if err != nil { - if err == syscall.EINTR { + if err == unix.EINTR { continue } panic(fmt.Sprintf("failed to write to memory pressure level eventfd: %v", err)) @@ -122,7 +122,7 @@ func NotifyCurrentMemcgPressureCallback(f func(), level string) (func(), error) } func newEventFD() (*fd.FD, error) { - f, _, e := syscall.Syscall(syscall.SYS_EVENTFD2, 0, 0, 0) + f, _, e := unix.Syscall(unix.SYS_EVENTFD2, 0, 0, 0) if e != 0 { return nil, fmt.Errorf("failed to create eventfd: %v", e) } diff --git a/pkg/sentry/hostmm/membarrier.go b/pkg/sentry/hostmm/membarrier.go index 4468d75f1..e4e61a398 100644 --- a/pkg/sentry/hostmm/membarrier.go +++ b/pkg/sentry/hostmm/membarrier.go @@ -15,8 +15,6 @@ package hostmm import ( - "syscall" - "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/log" @@ -28,9 +26,9 @@ var ( ) func init() { - supported, _, e := syscall.RawSyscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_QUERY, 0 /* flags */, 0 /* unused */) + supported, _, e := unix.RawSyscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_QUERY, 0 /* flags */, 0 /* unused */) if e != 0 { - if e != syscall.ENOSYS { + if e != unix.ENOSYS { log.Warningf("membarrier(MEMBARRIER_CMD_QUERY) failed: %s", e.Error()) } return @@ -46,7 +44,7 @@ func init() { haveMembarrierGlobal = true } if req := uintptr(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED | linux.MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED); supported&req == req { - if _, _, e := syscall.RawSyscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED, 0 /* flags */, 0 /* unused */); e != 0 { + if _, _, e := unix.RawSyscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED, 0 /* flags */, 0 /* unused */); e != 0 { log.Warningf("membarrier(MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED) failed: %s", e.Error()) } else { haveMembarrierPrivateExpedited = true @@ -66,7 +64,7 @@ func HaveGlobalMemoryBarrier() bool { // // Preconditions: HaveGlobalMemoryBarrier() == true. func GlobalMemoryBarrier() error { - if _, _, e := syscall.Syscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_GLOBAL, 0 /* flags */, 0 /* unused */); e != 0 { + if _, _, e := unix.Syscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_GLOBAL, 0 /* flags */, 0 /* unused */); e != 0 { return e } return nil @@ -83,7 +81,7 @@ func HaveProcessMemoryBarrier() bool { // // Preconditions: HaveProcessMemoryBarrier() == true. func ProcessMemoryBarrier() error { - if _, _, e := syscall.RawSyscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED, 0 /* flags */, 0 /* unused */); e != 0 { + if _, _, e := unix.RawSyscall(unix.SYS_MEMBARRIER, linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED, 0 /* flags */, 0 /* unused */); e != 0 { return e } return nil diff --git a/pkg/sentry/kernel/abstract_socket_namespace.go b/pkg/sentry/kernel/abstract_socket_namespace.go index 0ddbe5ff6..d100e58d7 100644 --- a/pkg/sentry/kernel/abstract_socket_namespace.go +++ b/pkg/sentry/kernel/abstract_socket_namespace.go @@ -16,8 +16,8 @@ package kernel import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/refsvfs2" "gvisor.dev/gvisor/pkg/sentry/socket/unix/transport" @@ -97,7 +97,7 @@ func (a *AbstractSocketNamespace) Bind(ctx context.Context, name string, ep tran if ep, ok := a.endpoints[name]; ok { if ep.socket.TryIncRef() { ep.socket.DecRef(ctx) - return syscall.EADDRINUSE + return unix.EADDRINUSE } } diff --git a/pkg/sentry/kernel/epoll/epoll.go b/pkg/sentry/kernel/epoll/epoll.go index 407b6e917..ba73a7812 100644 --- a/pkg/sentry/kernel/epoll/epoll.go +++ b/pkg/sentry/kernel/epoll/epoll.go @@ -24,8 +24,8 @@ package epoll import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/refs" @@ -173,12 +173,12 @@ func (e *EventPoll) Release(ctx context.Context) { // Read implements fs.FileOperations.Read. func (*EventPoll) Read(context.Context, *fs.File, usermem.IOSequence, int64) (int64, error) { - return 0, syscall.ENOSYS + return 0, unix.ENOSYS } // Write implements fs.FileOperations.Write. func (*EventPoll) Write(context.Context, *fs.File, usermem.IOSequence, int64) (int64, error) { - return 0, syscall.ENOSYS + return 0, unix.ENOSYS } // eventsAvailable determines if 'e' has events available for delivery. @@ -358,18 +358,18 @@ func (e *EventPoll) AddEntry(id FileIdentifier, flags EntryFlags, mask waiter.Ev // Fail if the file already has an entry. if _, ok := e.files[id]; ok { - return syscall.EEXIST + return unix.EEXIST } // Check if a cycle would be created. We use 4 as the limit because // that's the value used by linux and we want to emulate it. if ep != nil { if e == ep { - return syscall.EINVAL + return unix.EINVAL } if ep.observes(e, 4) { - return syscall.ELOOP + return unix.ELOOP } } @@ -404,7 +404,7 @@ func (e *EventPoll) UpdateEntry(id FileIdentifier, flags EntryFlags, mask waiter // Fail if the file doesn't have an entry. entry, ok := e.files[id] if !ok { - return syscall.ENOENT + return unix.ENOENT } // Unregister the old mask and remove entry from the list it's in, so @@ -435,7 +435,7 @@ func (e *EventPoll) RemoveEntry(ctx context.Context, id FileIdentifier) error { // Fail if the file doesn't have an entry. entry, ok := e.files[id] if !ok { - return syscall.ENOENT + return unix.ENOENT } // Unregister from file first so that no concurrent attempts will be diff --git a/pkg/sentry/kernel/eventfd/eventfd.go b/pkg/sentry/kernel/eventfd/eventfd.go index bbf568dfc..64f1cc631 100644 --- a/pkg/sentry/kernel/eventfd/eventfd.go +++ b/pkg/sentry/kernel/eventfd/eventfd.go @@ -18,8 +18,8 @@ package eventfd import ( "math" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -91,13 +91,13 @@ func (e *EventOperations) HostFD() (int, error) { flags |= linux.EFD_SEMAPHORE } - fd, _, err := syscall.Syscall(syscall.SYS_EVENTFD2, uintptr(e.val), uintptr(flags), 0) + fd, _, err := unix.Syscall(unix.SYS_EVENTFD2, uintptr(e.val), uintptr(flags), 0) if err != 0 { return -1, err } if err := fdnotifier.AddFD(int32(fd), &e.wq); err != nil { - syscall.Close(int(fd)) + unix.Close(int(fd)) return -1, err } @@ -111,7 +111,7 @@ func (e *EventOperations) Release(context.Context) { defer e.mu.Unlock() if e.hostfd >= 0 { fdnotifier.RemoveFD(int32(e.hostfd)) - syscall.Close(e.hostfd) + unix.Close(e.hostfd) e.hostfd = -1 } } @@ -119,7 +119,7 @@ func (e *EventOperations) Release(context.Context) { // Read implements fs.FileOperations.Read. func (e *EventOperations) Read(ctx context.Context, _ *fs.File, dst usermem.IOSequence, _ int64) (int64, error) { if dst.NumBytes() < 8 { - return 0, syscall.EINVAL + return 0, unix.EINVAL } if err := e.read(ctx, dst); err != nil { return 0, err @@ -130,7 +130,7 @@ func (e *EventOperations) Read(ctx context.Context, _ *fs.File, dst usermem.IOSe // Write implements fs.FileOperations.Write. func (e *EventOperations) Write(ctx context.Context, _ *fs.File, src usermem.IOSequence, _ int64) (int64, error) { if src.NumBytes() < 8 { - return 0, syscall.EINVAL + return 0, unix.EINVAL } if err := e.write(ctx, src); err != nil { return 0, err @@ -142,8 +142,8 @@ func (e *EventOperations) Write(ctx context.Context, _ *fs.File, src usermem.IOS func (e *EventOperations) hostRead(ctx context.Context, dst usermem.IOSequence) error { var buf [8]byte - if _, err := syscall.Read(e.hostfd, buf[:]); err != nil { - if err == syscall.EWOULDBLOCK { + if _, err := unix.Read(e.hostfd, buf[:]); err != nil { + if err == unix.EWOULDBLOCK { return syserror.ErrWouldBlock } return err @@ -195,8 +195,8 @@ func (e *EventOperations) read(ctx context.Context, dst usermem.IOSequence) erro func (e *EventOperations) hostWrite(val uint64) error { var buf [8]byte usermem.ByteOrder.PutUint64(buf[:], val) - _, err := syscall.Write(e.hostfd, buf[:]) - if err == syscall.EWOULDBLOCK { + _, err := unix.Write(e.hostfd, buf[:]) + if err == unix.EWOULDBLOCK { return syserror.ErrWouldBlock } return err @@ -215,7 +215,7 @@ func (e *EventOperations) write(ctx context.Context, src usermem.IOSequence) err // Signal is an internal function to signal the event fd. func (e *EventOperations) Signal(val uint64) error { if val == math.MaxUint64 { - return syscall.EINVAL + return unix.EINVAL } e.mu.Lock() diff --git a/pkg/sentry/kernel/fd_table.go b/pkg/sentry/kernel/fd_table.go index a6afabb1c..10885688c 100644 --- a/pkg/sentry/kernel/fd_table.go +++ b/pkg/sentry/kernel/fd_table.go @@ -19,8 +19,8 @@ import ( "math" "strings" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -253,7 +253,7 @@ func (f *FDTable) String() string { func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags FDFlags) (fds []int32, err error) { if fd < 0 { // Don't accept negative FDs. - return nil, syscall.EINVAL + return nil, unix.EINVAL } // Default limit. @@ -266,7 +266,7 @@ func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags end = int32(lim.Cur) } if fd >= end { - return nil, syscall.EMFILE + return nil, unix.EMFILE } } @@ -300,7 +300,7 @@ func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags for _, file := range files[:len(fds)] { file.DecRef(ctx) } - return nil, syscall.EMFILE + return nil, unix.EMFILE } if fd == f.next { @@ -318,7 +318,7 @@ func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDescription, flags FDFlags) (fds []int32, err error) { if fd < 0 { // Don't accept negative FDs. - return nil, syscall.EINVAL + return nil, unix.EINVAL } // Default limit. @@ -331,7 +331,7 @@ func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDes end = int32(lim.Cur) } if fd >= end { - return nil, syscall.EMFILE + return nil, unix.EMFILE } } @@ -365,7 +365,7 @@ func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDes for _, file := range files[:len(fds)] { file.DecRef(ctx) } - return nil, syscall.EMFILE + return nil, unix.EMFILE } if fd == f.next { @@ -382,7 +382,7 @@ func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDes func (f *FDTable) NewFDVFS2(ctx context.Context, minfd int32, file *vfs.FileDescription, flags FDFlags) (int32, error) { if minfd < 0 { // Don't accept negative FDs. - return -1, syscall.EINVAL + return -1, unix.EINVAL } // Default limit. @@ -395,7 +395,7 @@ func (f *FDTable) NewFDVFS2(ctx context.Context, minfd int32, file *vfs.FileDesc end = int32(lim.Cur) } if minfd >= end { - return -1, syscall.EMFILE + return -1, unix.EMFILE } } @@ -418,7 +418,7 @@ func (f *FDTable) NewFDVFS2(ctx context.Context, minfd int32, file *vfs.FileDesc } fd++ } - return -1, syscall.EMFILE + return -1, unix.EMFILE } // NewFDAt sets the file reference for the given FD. If there is an active @@ -452,13 +452,13 @@ func (f *FDTable) NewFDAtVFS2(ctx context.Context, fd int32, file *vfs.FileDescr func (f *FDTable) newFDAt(ctx context.Context, fd int32, file *fs.File, fileVFS2 *vfs.FileDescription, flags FDFlags) (*fs.File, *vfs.FileDescription, error) { if fd < 0 { // Don't accept negative FDs. - return nil, nil, syscall.EBADF + return nil, nil, unix.EBADF } // Check the limit for the provided file. if limitSet := limits.FromContext(ctx); limitSet != nil { if lim := limitSet.Get(limits.NumberOfFiles); lim.Cur != limits.Infinity && uint64(fd) >= lim.Cur { - return nil, nil, syscall.EMFILE + return nil, nil, unix.EMFILE } } @@ -476,7 +476,7 @@ func (f *FDTable) newFDAt(ctx context.Context, fd int32, file *fs.File, fileVFS2 func (f *FDTable) SetFlags(ctx context.Context, fd int32, flags FDFlags) error { if fd < 0 { // Don't accept negative FDs. - return syscall.EBADF + return unix.EBADF } f.mu.Lock() @@ -485,7 +485,7 @@ func (f *FDTable) SetFlags(ctx context.Context, fd int32, flags FDFlags) error { file, _, _ := f.get(fd) if file == nil { // No file found. - return syscall.EBADF + return unix.EBADF } // Update the flags. @@ -499,7 +499,7 @@ func (f *FDTable) SetFlags(ctx context.Context, fd int32, flags FDFlags) error { func (f *FDTable) SetFlagsVFS2(ctx context.Context, fd int32, flags FDFlags) error { if fd < 0 { // Don't accept negative FDs. - return syscall.EBADF + return unix.EBADF } f.mu.Lock() @@ -508,7 +508,7 @@ func (f *FDTable) SetFlagsVFS2(ctx context.Context, fd int32, flags FDFlags) err file, _, _ := f.getVFS2(fd) if file == nil { // No file found. - return syscall.EBADF + return unix.EBADF } // Update the flags. diff --git a/pkg/sentry/kernel/pipe/pipe.go b/pkg/sentry/kernel/pipe/pipe.go index 2c8668fc4..68a55a186 100644 --- a/pkg/sentry/kernel/pipe/pipe.go +++ b/pkg/sentry/kernel/pipe/pipe.go @@ -19,8 +19,8 @@ import ( "fmt" "io" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/safemem" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -244,7 +244,7 @@ func (p *Pipe) consumeLocked(n int64) { func (p *Pipe) writeLocked(count int64, f func(safemem.BlockSeq) (uint64, error)) (int64, error) { // Can't write to a pipe with no readers. if !p.HasReaders() { - return 0, syscall.EPIPE + return 0, unix.EPIPE } avail := p.max - p.size diff --git a/pkg/sentry/kernel/pipe/pipe_util.go b/pkg/sentry/kernel/pipe/pipe_util.go index 77246edbe..76ea389ca 100644 --- a/pkg/sentry/kernel/pipe/pipe_util.go +++ b/pkg/sentry/kernel/pipe/pipe_util.go @@ -17,8 +17,8 @@ package pipe import ( "io" "math" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/amutex" "gvisor.dev/gvisor/pkg/context" @@ -139,7 +139,7 @@ func (p *Pipe) Ioctl(ctx context.Context, io usermem.IO, args arch.SyscallArgume _, err := primitive.CopyInt32Out(&iocc, args[2].Pointer(), int32(v)) return 0, err default: - return 0, syscall.ENOTTY + return 0, unix.ENOTTY } } diff --git a/pkg/sentry/kernel/seccomp.go b/pkg/sentry/kernel/seccomp.go index 60917e7d3..8163a6132 100644 --- a/pkg/sentry/kernel/seccomp.go +++ b/pkg/sentry/kernel/seccomp.go @@ -15,8 +15,7 @@ package kernel import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/bpf" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -83,7 +82,7 @@ func (t *Task) checkSeccompSyscall(sysno int32, args arch.SyscallArguments, ip u // the system call is not executed." if !t.ptraceSeccomp(result.Data()) { // This useless-looking temporary is needed because Go. - tmp := uintptr(syscall.ENOSYS) + tmp := uintptr(unix.ENOSYS) t.Arch().SetReturn(-tmp) return linux.SECCOMP_RET_ERRNO } diff --git a/pkg/sentry/kernel/task_syscall.go b/pkg/sentry/kernel/task_syscall.go index 0141459e7..2e84bd88a 100644 --- a/pkg/sentry/kernel/task_syscall.go +++ b/pkg/sentry/kernel/task_syscall.go @@ -18,8 +18,8 @@ import ( "fmt" "os" "runtime/trace" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/bits" "gvisor.dev/gvisor/pkg/marshal" @@ -113,7 +113,7 @@ func (t *Task) executeSyscall(sysno uintptr, args arch.SyscallArguments) (rval u if bits.IsOn32(fe, ExternalAfterEnable) && (s.ExternalFilterAfter == nil || s.ExternalFilterAfter(t, sysno, args)) { t.invokeExternal() - // Don't reinvoke the syscall. + // Don't reinvoke the unix. } if bits.IsAnyOn32(fe, StraceEnableBits) { @@ -147,7 +147,7 @@ func (t *Task) doSyscall() taskRunState { // Tracers expect to see this between when the task traps into the kernel // to perform a syscall and when the syscall is actually invoked. // This useless-looking temporary is needed because Go. - tmp := uintptr(syscall.ENOSYS) + tmp := uintptr(unix.ENOSYS) t.Arch().SetReturn(-tmp) // Check seccomp filters. The nil check is for performance (as seccomp use @@ -379,7 +379,7 @@ func ExtractErrno(err error, sysno int) int { switch err := err.(type) { case nil: return 0 - case syscall.Errno: + case unix.Errno: return int(err) case syserror.SyscallRestartErrno: return int(err) @@ -387,7 +387,7 @@ func ExtractErrno(err error, sysno int) int { // Bus errors may generate SIGBUS, but for syscalls they still // return EFAULT. See case in task_run.go where the fault is // handled (and the SIGBUS is delivered). - return int(syscall.EFAULT) + return int(unix.EFAULT) case *os.PathError: return ExtractErrno(err.Err, sysno) case *os.LinkError: diff --git a/pkg/sentry/limits/limits.go b/pkg/sentry/limits/limits.go index 31b9e9ff6..7c6c4df01 100644 --- a/pkg/sentry/limits/limits.go +++ b/pkg/sentry/limits/limits.go @@ -16,8 +16,7 @@ package limits import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/sync" ) @@ -125,10 +124,10 @@ func (l *LimitSet) Set(t LimitType, v Limit, privileged bool) (Limit, error) { if _, ok := l.data[t]; ok { // Unprivileged users can only lower their hard limits. if l.data[t].Max < v.Max && !privileged { - return Limit{}, syscall.EPERM + return Limit{}, unix.EPERM } if v.Cur > v.Max { - return Limit{}, syscall.EINVAL + return Limit{}, unix.EINVAL } } old := l.data[t] diff --git a/pkg/sentry/pgalloc/pgalloc.go b/pkg/sentry/pgalloc/pgalloc.go index d99be7f46..58cc11a13 100644 --- a/pkg/sentry/pgalloc/pgalloc.go +++ b/pkg/sentry/pgalloc/pgalloc.go @@ -26,9 +26,9 @@ import ( "math" "os" "sync/atomic" - "syscall" "time" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/log" @@ -341,12 +341,12 @@ func NewMemoryFile(file *os.File, opts MemoryFileOpts) (*MemoryFile, error) { // Work around IMA by immediately creating a temporary PROT_EXEC mapping, // while the backing file is still small. IMA will ignore any future // mappings. - m, _, errno := syscall.Syscall6( - syscall.SYS_MMAP, + m, _, errno := unix.Syscall6( + unix.SYS_MMAP, 0, usermem.PageSize, - syscall.PROT_EXEC, - syscall.MAP_SHARED, + unix.PROT_EXEC, + unix.MAP_SHARED, file.Fd(), 0) if errno != 0 { @@ -354,8 +354,8 @@ func NewMemoryFile(file *os.File, opts MemoryFileOpts) (*MemoryFile, error) { // don't return it. log.Warningf("Failed to pre-map MemoryFile PROT_EXEC: %v", errno) } else { - if _, _, errno := syscall.Syscall( - syscall.SYS_MUNMAP, + if _, _, errno := unix.Syscall( + unix.SYS_MUNMAP, m, usermem.PageSize, 0); errno != 0 { @@ -584,7 +584,7 @@ func (f *MemoryFile) decommitFile(fr memmap.FileRange) error { // "After a successful call, subsequent reads from this range will // return zeroes. The FALLOC_FL_PUNCH_HOLE flag must be ORed with // FALLOC_FL_KEEP_SIZE in mode ..." - fallocate(2) - return syscall.Fallocate( + return unix.Fallocate( int(f.file.Fd()), _FALLOC_FL_PUNCH_HOLE|_FALLOC_FL_KEEP_SIZE, int64(fr.Start), @@ -730,12 +730,12 @@ func (f *MemoryFile) getChunkMapping(chunk int) ([]uintptr, uintptr, error) { if m := mappings[chunk]; m != 0 { return mappings, m, nil } - m, _, errno := syscall.Syscall6( - syscall.SYS_MMAP, + m, _, errno := unix.Syscall6( + unix.SYS_MMAP, 0, chunkSize, - syscall.PROT_READ|syscall.PROT_WRITE, - syscall.MAP_SHARED, + unix.PROT_READ|unix.PROT_WRITE, + unix.MAP_SHARED, f.file.Fd(), uintptr(chunk<<chunkShift)) if errno != 0 { @@ -1012,8 +1012,8 @@ func (f *MemoryFile) TotalUsage() (uint64, error) { // Stat the underlying file to discover the underlying usage. stat(2) // always reports the allocated block count in units of 512 bytes. This // includes pages in the page cache and swapped pages. - var stat syscall.Stat_t - if err := syscall.Fstat(int(f.file.Fd()), &stat); err != nil { + var stat unix.Stat_t + if err := unix.Fstat(int(f.file.Fd()), &stat); err != nil { return 0, err } return uint64(stat.Blocks * 512), nil @@ -1093,7 +1093,7 @@ func (f *MemoryFile) runReclaim() { mappings := f.mappings.Load().([]uintptr) for i, m := range mappings { if m != 0 { - _, _, errno := syscall.Syscall(syscall.SYS_MUNMAP, m, chunkSize, 0) + _, _, errno := unix.Syscall(unix.SYS_MUNMAP, m, chunkSize, 0) if errno != 0 { log.Warningf("Failed to unmap mapping %#x for MemoryFile chunk %d: %v", m, i, errno) } diff --git a/pkg/sentry/pgalloc/pgalloc_unsafe.go b/pkg/sentry/pgalloc/pgalloc_unsafe.go index a4b5d581c..71f8f66c1 100644 --- a/pkg/sentry/pgalloc/pgalloc_unsafe.go +++ b/pkg/sentry/pgalloc/pgalloc_unsafe.go @@ -16,8 +16,9 @@ package pgalloc import ( "reflect" - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) func unsafeSlice(addr uintptr, length int) (slice []byte) { @@ -29,8 +30,8 @@ func unsafeSlice(addr uintptr, length int) (slice []byte) { } func mincore(s []byte, buf []byte) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_MINCORE, + if _, _, errno := unix.RawSyscall( + unix.SYS_MINCORE, uintptr(unsafe.Pointer(&s[0])), uintptr(len(s)), uintptr(unsafe.Pointer(&buf[0]))); errno != 0 { diff --git a/pkg/sentry/pgalloc/save_restore.go b/pkg/sentry/pgalloc/save_restore.go index 78317fa35..e05c8d074 100644 --- a/pkg/sentry/pgalloc/save_restore.go +++ b/pkg/sentry/pgalloc/save_restore.go @@ -21,8 +21,8 @@ import ( "io" "runtime" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/sentry/usage" "gvisor.dev/gvisor/pkg/state" @@ -66,7 +66,7 @@ func (f *MemoryFile) SaveTo(ctx context.Context, w wire.Writer) error { // associated backing store. This is equivalent to punching a hole // in the corresponding byte range of the backing store (see // fallocate(2))." - madvise(2) - if err := syscall.Madvise(pg, syscall.MADV_REMOVE); err != nil { + if err := unix.Madvise(pg, unix.MADV_REMOVE); err != nil { // This doesn't impact the correctness of saved memory, it // just means that we're incrementally more likely to OOM. // Complain, but don't abort saving. diff --git a/pkg/sentry/platform/kvm/bluepill.go b/pkg/sentry/platform/kvm/bluepill.go index 2c970162e..fd1131638 100644 --- a/pkg/sentry/platform/kvm/bluepill.go +++ b/pkg/sentry/platform/kvm/bluepill.go @@ -17,8 +17,8 @@ package kvm import ( "fmt" "reflect" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/safecopy" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -41,7 +41,7 @@ var ( // // We use SIGCHLD because it is not masked by the runtime, and // it will be ignored properly by other parts of the kernel. - bounceSignal = syscall.SIGCHLD + bounceSignal = unix.SIGCHLD // bounceSignalMask has only bounceSignal set. bounceSignalMask = uint64(1 << (uint64(bounceSignal) - 1)) @@ -62,7 +62,7 @@ var ( // //go:nosplit func redpill() { - syscall.RawSyscall(^uintptr(0), 0, 0, 0) + unix.RawSyscall(^uintptr(0), 0, 0, 0) } // dieHandler is called by dieTrampoline. diff --git a/pkg/sentry/platform/kvm/bluepill_amd64.go b/pkg/sentry/platform/kvm/bluepill_amd64.go index 83a4766fb..f4b9a5321 100644 --- a/pkg/sentry/platform/kvm/bluepill_amd64.go +++ b/pkg/sentry/platform/kvm/bluepill_amd64.go @@ -17,15 +17,14 @@ package kvm import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) var ( // The action for bluepillSignal is changed by sigaction(). - bluepillSignal = syscall.SIGSEGV + bluepillSignal = unix.SIGSEGV ) // bluepillArchEnter is called during bluepillEnter. diff --git a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go index 0063e947b..198bafdea 100644 --- a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go +++ b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go @@ -17,9 +17,9 @@ package kvm import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) @@ -68,8 +68,8 @@ func getHypercallID(addr uintptr) int { func bluepillStopGuest(c *vCPU) { // Interrupt: we must have requested an interrupt // window; set the interrupt line. - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_INTERRUPT, uintptr(unsafe.Pointer(&bounce))); errno != 0 { @@ -83,8 +83,8 @@ func bluepillStopGuest(c *vCPU) { // //go:nosplit func bluepillSigBus(c *vCPU) { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_NMI, 0); errno != 0 { throw("NMI injection failed") diff --git a/pkg/sentry/platform/kvm/bluepill_arm64.go b/pkg/sentry/platform/kvm/bluepill_arm64.go index 6846abee9..e26b7da8d 100644 --- a/pkg/sentry/platform/kvm/bluepill_arm64.go +++ b/pkg/sentry/platform/kvm/bluepill_arm64.go @@ -17,15 +17,14 @@ package kvm import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) var ( // The action for bluepillSignal is changed by sigaction(). - bluepillSignal = syscall.SIGILL + bluepillSignal = unix.SIGILL // vcpuSErrBounce is the event of system error for bouncing KVM. vcpuSErrBounce = kvmVcpuEvents{ diff --git a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go index dbbf2a897..07fc4f216 100644 --- a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go +++ b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go @@ -17,9 +17,9 @@ package kvm import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) @@ -80,8 +80,8 @@ func getHypercallID(addr uintptr) int { // //go:nosplit func bluepillStopGuest(c *vCPU) { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_VCPU_EVENTS, uintptr(unsafe.Pointer(&vcpuSErrBounce))); errno != 0 { @@ -94,12 +94,12 @@ func bluepillStopGuest(c *vCPU) { //go:nosplit func bluepillSigBus(c *vCPU) { // Host must support ARM64_HAS_RAS_EXTN. - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_VCPU_EVENTS, uintptr(unsafe.Pointer(&vcpuSErrNMI))); errno != 0 { - if errno == syscall.EINVAL { + if errno == unix.EINVAL { throw("No ARM64_HAS_RAS_EXTN feature in host.") } throw("nmi sErr injection failed") @@ -110,8 +110,8 @@ func bluepillSigBus(c *vCPU) { // //go:nosplit func bluepillExtDabt(c *vCPU) { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_VCPU_EVENTS, uintptr(unsafe.Pointer(&vcpuExtDabt))); errno != 0 { diff --git a/pkg/sentry/platform/kvm/bluepill_fault.go b/pkg/sentry/platform/kvm/bluepill_fault.go index a182e4f22..37c53fa02 100644 --- a/pkg/sentry/platform/kvm/bluepill_fault.go +++ b/pkg/sentry/platform/kvm/bluepill_fault.go @@ -16,8 +16,8 @@ package kvm import ( "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/usermem" ) @@ -40,7 +40,7 @@ const ( // //go:nosplit func yield() { - syscall.RawSyscall(syscall.SYS_SCHED_YIELD, 0, 0, 0) + unix.RawSyscall(unix.SYS_SCHED_YIELD, 0, 0, 0) } // calculateBluepillFault calculates the fault address range. @@ -112,16 +112,16 @@ func handleBluepillFault(m *machine, physical uintptr, phyRegions []physicalRegi atomic.StoreUint32(&m.nextSlot, slot) switch errno { - case syscall.EEXIST: + case unix.EEXIST: // The region already exists. It's possible that we raced with // another vCPU here. We just revert nextSlot and return true, // because this must have been satisfied by some other vCPU. return virtualStart + (physical - physicalStart), true - case syscall.EINVAL: + case unix.EINVAL: throw("set memory region failed; out of slots") - case syscall.ENOMEM: + case unix.ENOMEM: throw("set memory region failed: out of memory") - case syscall.EFAULT: + case unix.EFAULT: throw("set memory region failed: invalid physical range") default: throw("set memory region failed: unknown reason") diff --git a/pkg/sentry/platform/kvm/bluepill_unsafe.go b/pkg/sentry/platform/kvm/bluepill_unsafe.go index 55da6dd95..6f87236ad 100644 --- a/pkg/sentry/platform/kvm/bluepill_unsafe.go +++ b/pkg/sentry/platform/kvm/bluepill_unsafe.go @@ -21,9 +21,9 @@ package kvm import ( "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/sentry/arch" ) @@ -102,23 +102,23 @@ func bluepillHandler(context unsafe.Pointer) { } for { - _, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(c.fd), _KVM_RUN, 0) // escapes: no. + _, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(c.fd), _KVM_RUN, 0) // escapes: no. switch errno { case 0: // Expected case. - case syscall.EINTR: + case unix.EINTR: // First, we process whatever pending signal // interrupted KVM. Since we're in a signal handler // currently, all signals are masked and the signal // must have been delivered directly to this thread. - timeout := syscall.Timespec{} - sig, _, errno := syscall.RawSyscall6( // escapes: no. - syscall.SYS_RT_SIGTIMEDWAIT, + timeout := unix.Timespec{} + sig, _, errno := unix.RawSyscall6( // escapes: no. + unix.SYS_RT_SIGTIMEDWAIT, uintptr(unsafe.Pointer(&bounceSignalMask)), 0, // siginfo. uintptr(unsafe.Pointer(&timeout)), // timeout. 8, // sigset size. 0, 0) - if errno == syscall.EAGAIN { + if errno == unix.EAGAIN { continue } if errno != 0 { @@ -140,7 +140,7 @@ func bluepillHandler(context unsafe.Pointer) { c.runData.requestInterruptWindow = 1 continue // Rerun vCPU. } - case syscall.EFAULT: + case unix.EFAULT: // If a fault is not serviceable due to the host // backing pages having page permissions, instead of an // MMIO exit we receive EFAULT from the run ioctl. We @@ -148,7 +148,7 @@ func bluepillHandler(context unsafe.Pointer) { // mode and have interrupts disabled. bluepillSigBus(c) continue // Rerun vCPU. - case syscall.ENOSYS: + case unix.ENOSYS: bluepillHandleEnosys(c) continue default: diff --git a/pkg/sentry/platform/kvm/filters_amd64.go b/pkg/sentry/platform/kvm/filters_amd64.go index d3d216aa5..a78be3403 100644 --- a/pkg/sentry/platform/kvm/filters_amd64.go +++ b/pkg/sentry/platform/kvm/filters_amd64.go @@ -15,8 +15,6 @@ package kvm import ( - "syscall" - "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -26,17 +24,17 @@ import ( // SyscallFilters returns syscalls made exclusively by the KVM platform. func (*KVM) SyscallFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_ARCH_PRCTL: {}, - syscall.SYS_IOCTL: {}, + unix.SYS_ARCH_PRCTL: {}, + unix.SYS_IOCTL: {}, unix.SYS_MEMBARRIER: []seccomp.Rule{ { seccomp.EqualTo(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED), seccomp.EqualTo(0), }, }, - syscall.SYS_MMAP: {}, - syscall.SYS_RT_SIGSUSPEND: {}, - syscall.SYS_RT_SIGTIMEDWAIT: {}, - 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. + unix.SYS_MMAP: {}, + unix.SYS_RT_SIGSUSPEND: {}, + unix.SYS_RT_SIGTIMEDWAIT: {}, + 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. } } diff --git a/pkg/sentry/platform/kvm/filters_arm64.go b/pkg/sentry/platform/kvm/filters_arm64.go index 21abc2a3d..4e5b91048 100644 --- a/pkg/sentry/platform/kvm/filters_arm64.go +++ b/pkg/sentry/platform/kvm/filters_arm64.go @@ -15,8 +15,6 @@ package kvm import ( - "syscall" - "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -26,16 +24,16 @@ import ( // SyscallFilters returns syscalls made exclusively by the KVM platform. func (*KVM) SyscallFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_IOCTL: {}, + unix.SYS_IOCTL: {}, unix.SYS_MEMBARRIER: []seccomp.Rule{ { seccomp.EqualTo(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED), seccomp.EqualTo(0), }, }, - syscall.SYS_MMAP: {}, - syscall.SYS_RT_SIGSUSPEND: {}, - syscall.SYS_RT_SIGTIMEDWAIT: {}, - 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. + unix.SYS_MMAP: {}, + unix.SYS_RT_SIGSUSPEND: {}, + unix.SYS_RT_SIGTIMEDWAIT: {}, + 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. } } diff --git a/pkg/sentry/platform/kvm/kvm.go b/pkg/sentry/platform/kvm/kvm.go index 7bdf57436..92c05a9ad 100644 --- a/pkg/sentry/platform/kvm/kvm.go +++ b/pkg/sentry/platform/kvm/kvm.go @@ -18,8 +18,8 @@ package kvm import ( "fmt" "os" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/ring0/pagetables" "gvisor.dev/gvisor/pkg/sentry/platform" @@ -77,7 +77,7 @@ var ( // OpenDevice opens the KVM device at /dev/kvm and returns the File. func OpenDevice() (*os.File, error) { - f, err := os.OpenFile("/dev/kvm", syscall.O_RDWR, 0) + f, err := os.OpenFile("/dev/kvm", unix.O_RDWR, 0) if err != nil { return nil, fmt.Errorf("error opening /dev/kvm: %v", err) } @@ -99,11 +99,11 @@ func New(deviceFile *os.File) (*KVM, error) { // Create a new VM fd. var ( vm uintptr - errno syscall.Errno + errno unix.Errno ) for { - vm, _, errno = syscall.Syscall(syscall.SYS_IOCTL, fd, _KVM_CREATE_VM, 0) - if errno == syscall.EINTR { + vm, _, errno = unix.Syscall(unix.SYS_IOCTL, fd, _KVM_CREATE_VM, 0) + if errno == unix.EINTR { continue } if errno != 0 { diff --git a/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go b/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go index 46c4b9113..0c43d72f4 100644 --- a/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go +++ b/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go @@ -18,8 +18,9 @@ package kvm import ( "fmt" - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) var ( @@ -30,7 +31,7 @@ var ( func updateSystemValues(fd int) error { // Extract the mmap size. - sz, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) + sz, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) if errno != 0 { return fmt.Errorf("getting VCPU mmap size: %v", errno) } @@ -39,19 +40,19 @@ func updateSystemValues(fd int) error { runDataSize = int(sz) // Must do the dance to figure out the number of entries. - _, _, errno = syscall.RawSyscall( - syscall.SYS_IOCTL, + _, _, errno = unix.RawSyscall( + unix.SYS_IOCTL, uintptr(fd), _KVM_GET_SUPPORTED_CPUID, uintptr(unsafe.Pointer(&cpuidSupported))) - if errno != 0 && errno != syscall.ENOMEM { + if errno != 0 && errno != unix.ENOMEM { // Some other error occurred. return fmt.Errorf("getting supported CPUID: %v", errno) } // The number should now be correct. - _, _, errno = syscall.RawSyscall( - syscall.SYS_IOCTL, + _, _, errno = unix.RawSyscall( + unix.SYS_IOCTL, uintptr(fd), _KVM_GET_SUPPORTED_CPUID, uintptr(unsafe.Pointer(&cpuidSupported))) diff --git a/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go b/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go index 48ccf8474..f07a9f34d 100644 --- a/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go +++ b/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go @@ -18,7 +18,8 @@ package kvm import ( "fmt" - "syscall" + + "golang.org/x/sys/unix" ) var ( @@ -28,7 +29,7 @@ var ( func updateSystemValues(fd int) error { // Extract the mmap size. - sz, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) + sz, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) if errno != 0 { return fmt.Errorf("getting VCPU mmap size: %v", errno) } diff --git a/pkg/sentry/platform/kvm/machine.go b/pkg/sentry/platform/kvm/machine.go index 1ece1b8d8..0e4cf01e1 100644 --- a/pkg/sentry/platform/kvm/machine.go +++ b/pkg/sentry/platform/kvm/machine.go @@ -18,8 +18,8 @@ import ( "fmt" "runtime" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/atomicbitops" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/procid" @@ -153,7 +153,7 @@ type dieState struct { func (m *machine) newVCPU() *vCPU { // Create the vCPU. id := int(atomic.AddUint32(&m.nextID, 1) - 1) - fd, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CREATE_VCPU, uintptr(id)) + fd, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CREATE_VCPU, uintptr(id)) if errno != 0 { panic(fmt.Sprintf("error creating new vCPU: %v", errno)) } @@ -193,7 +193,7 @@ func newMachine(vm int) (*machine, error) { m.available.L = &m.mu // Pull the maximum vCPUs. - maxVCPUs, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_VCPUS) + maxVCPUs, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_VCPUS) if errno != 0 { m.maxVCPUs = _KVM_NR_VCPUS } else { @@ -205,7 +205,7 @@ func newMachine(vm int) (*machine, error) { m.kernel.Init(m.maxVCPUs) // Pull the maximum slots. - maxSlots, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_MEMSLOTS) + maxSlots, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_MEMSLOTS) if errno != 0 { m.maxSlots = _KVM_NR_MEMSLOTS } else { @@ -357,13 +357,13 @@ func (m *machine) Destroy() { panic(fmt.Sprintf("error unmapping rundata: %v", err)) } } - if err := syscall.Close(int(c.fd)); err != nil { + if err := unix.Close(int(c.fd)); err != nil { panic(fmt.Sprintf("error closing vCPU fd: %v", err)) } } // vCPUs are gone: teardown machine state. - if err := syscall.Close(m.fd); err != nil { + if err := unix.Close(m.fd); err != nil { panic(fmt.Sprintf("error closing VM fd: %v", err)) } } @@ -546,7 +546,7 @@ func (c *vCPU) NotifyInterrupt() { } // pid is used below in bounce. -var pid = syscall.Getpid() +var pid = unix.Getpid() // bounce forces a return to the kernel or to host mode. // @@ -588,9 +588,9 @@ func (c *vCPU) bounce(forceGuestExit bool) { // under memory pressure. Since we already // marked ourselves as a waiter, we need to // ensure that a signal is actually delivered. - if err := syscall.Tgkill(pid, int(atomic.LoadUint64(&c.tid)), bounceSignal); err == nil { + if err := unix.Tgkill(pid, int(atomic.LoadUint64(&c.tid)), bounceSignal); err == nil { break - } else if err.(syscall.Errno) == syscall.EAGAIN { + } else if err.(unix.Errno) == unix.EAGAIN { continue } else { // Nothing else should be returned by tgkill. diff --git a/pkg/sentry/platform/kvm/machine_amd64.go b/pkg/sentry/platform/kvm/machine_amd64.go index 59c752d73..6e583baa3 100644 --- a/pkg/sentry/platform/kvm/machine_amd64.go +++ b/pkg/sentry/platform/kvm/machine_amd64.go @@ -21,8 +21,8 @@ import ( "math/big" "reflect" "runtime/debug" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/cpuid" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/ring0/pagetables" @@ -36,8 +36,8 @@ import ( func (m *machine) initArchState() error { // Set the legacy TSS address. This address is covered by the reserved // range (up to 4GB). In fact, this is a main reason it exists. - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(m.fd), _KVM_SET_TSS_ADDR, uintptr(reservedMemory-(3*usermem.PageSize))); errno != 0 { @@ -297,13 +297,13 @@ func (c *vCPU) fault(signal int32, info *arch.SignalInfo) (usermem.AccessType, e func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) (usermem.AccessType, error) { // Check for canonical addresses. if regs := switchOpts.Registers; !ring0.IsCanonical(regs.Rip) { - return nonCanonical(regs.Rip, int32(syscall.SIGSEGV), info) + return nonCanonical(regs.Rip, int32(unix.SIGSEGV), info) } else if !ring0.IsCanonical(regs.Rsp) { - return nonCanonical(regs.Rsp, int32(syscall.SIGBUS), info) + return nonCanonical(regs.Rsp, int32(unix.SIGBUS), info) } else if !ring0.IsCanonical(regs.Fs_base) { - return nonCanonical(regs.Fs_base, int32(syscall.SIGBUS), info) + return nonCanonical(regs.Fs_base, int32(unix.SIGBUS), info) } else if !ring0.IsCanonical(regs.Gs_base) { - return nonCanonical(regs.Gs_base, int32(syscall.SIGBUS), info) + return nonCanonical(regs.Gs_base, int32(unix.SIGBUS), info) } // Assign PCIDs. @@ -332,11 +332,11 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) return usermem.NoAccess, nil case ring0.PageFault: - return c.fault(int32(syscall.SIGSEGV), info) + return c.fault(int32(unix.SIGSEGV), info) case ring0.Debug, ring0.Breakpoint: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGTRAP), + Signo: int32(unix.SIGTRAP), Code: 1, // TRAP_BRKPT (breakpoint). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -348,7 +348,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) ring0.InvalidTSS, ring0.StackSegmentFault: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGSEGV), + Signo: int32(unix.SIGSEGV), Code: arch.SignalInfoKernel, } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -362,7 +362,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.InvalidOpcode: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGILL), + Signo: int32(unix.SIGILL), Code: 1, // ILL_ILLOPC (illegal opcode). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -370,7 +370,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.DivideByZero: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGFPE), + Signo: int32(unix.SIGFPE), Code: 1, // FPE_INTDIV (divide by zero). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -378,7 +378,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.Overflow: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGFPE), + Signo: int32(unix.SIGFPE), Code: 2, // FPE_INTOVF (integer overflow). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -387,7 +387,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.X87FloatingPointException, ring0.SIMDFloatingPointException: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGFPE), + Signo: int32(unix.SIGFPE), Code: 7, // FPE_FLTINV (invalid operation). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -398,7 +398,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.AlignmentCheck: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGBUS), + Signo: int32(unix.SIGBUS), Code: 2, // BUS_ADRERR (physical address does not exist). } return usermem.NoAccess, platform.ErrContextSignal @@ -409,7 +409,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) // really not. This could happen, e.g. if some file is // truncated (and would generate a SIGBUS) and we map it // directly into the instance. - return c.fault(int32(syscall.SIGBUS), info) + return c.fault(int32(unix.SIGBUS), info) case ring0.DeviceNotAvailable, ring0.DoubleFault, diff --git a/pkg/sentry/platform/kvm/machine_amd64_unsafe.go b/pkg/sentry/platform/kvm/machine_amd64_unsafe.go index b430f92c6..83bcc7406 100644 --- a/pkg/sentry/platform/kvm/machine_amd64_unsafe.go +++ b/pkg/sentry/platform/kvm/machine_amd64_unsafe.go @@ -19,9 +19,9 @@ package kvm import ( "fmt" "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -31,15 +31,15 @@ import ( // //go:nosplit func (c *vCPU) loadSegments(tid uint64) { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_ARCH_PRCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_ARCH_PRCTL, linux.ARCH_GET_FS, uintptr(unsafe.Pointer(&c.CPU.Registers().Fs_base)), 0); errno != 0 { throw("getting FS segment") } - if _, _, errno := syscall.RawSyscall( - syscall.SYS_ARCH_PRCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_ARCH_PRCTL, linux.ARCH_GET_GS, uintptr(unsafe.Pointer(&c.CPU.Registers().Gs_base)), 0); errno != 0 { @@ -50,8 +50,8 @@ func (c *vCPU) loadSegments(tid uint64) { // setCPUID sets the CPUID to be used by the guest. func (c *vCPU) setCPUID() error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_CPUID2, uintptr(unsafe.Pointer(&cpuidSupported))); errno != 0 { @@ -64,8 +64,8 @@ func (c *vCPU) setCPUID() error { // // If mustSucceed is true, then this function panics on error. func (c *vCPU) getTSCFreq() (uintptr, error) { - rawFreq, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + rawFreq, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_TSC_KHZ, 0 /* ignored */) @@ -77,8 +77,8 @@ func (c *vCPU) getTSCFreq() (uintptr, error) { // setTSCFreq sets the TSC frequency. func (c *vCPU) setTSCFreq(freq uintptr) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_TSC_KHZ, freq /* khz */); errno != 0 { @@ -95,8 +95,8 @@ func (c *vCPU) setTSC(value uint64) error { } registers.entries[0].index = _MSR_IA32_TSC registers.entries[0].data = value - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_MSRS, uintptr(unsafe.Pointer(®isters))); errno != 0 { @@ -108,9 +108,9 @@ func (c *vCPU) setTSC(value uint64) error { // setUserRegisters sets user registers in the vCPU. // //go:nosplit -func (c *vCPU) setUserRegisters(uregs *userRegs) syscall.Errno { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, +func (c *vCPU) setUserRegisters(uregs *userRegs) unix.Errno { + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_REGS, uintptr(unsafe.Pointer(uregs))); errno != 0 { @@ -124,9 +124,9 @@ func (c *vCPU) setUserRegisters(uregs *userRegs) syscall.Errno { // This is safe to call from a nosplit context. // //go:nosplit -func (c *vCPU) getUserRegisters(uregs *userRegs) syscall.Errno { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, +func (c *vCPU) getUserRegisters(uregs *userRegs) unix.Errno { + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_REGS, uintptr(unsafe.Pointer(uregs))); errno != 0 { @@ -137,8 +137,8 @@ func (c *vCPU) getUserRegisters(uregs *userRegs) syscall.Errno { // setSystemRegisters sets system registers. func (c *vCPU) setSystemRegisters(sregs *systemRegs) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_SREGS, uintptr(unsafe.Pointer(sregs))); errno != 0 { @@ -150,9 +150,9 @@ func (c *vCPU) setSystemRegisters(sregs *systemRegs) error { // getSystemRegisters sets system registers. // //go:nosplit -func (c *vCPU) getSystemRegisters(sregs *systemRegs) syscall.Errno { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, +func (c *vCPU) getSystemRegisters(sregs *systemRegs) unix.Errno { + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_SREGS, uintptr(unsafe.Pointer(sregs))); errno != 0 { diff --git a/pkg/sentry/platform/kvm/machine_arm64_unsafe.go b/pkg/sentry/platform/kvm/machine_arm64_unsafe.go index 78cbd9701..059aa43d0 100644 --- a/pkg/sentry/platform/kvm/machine_arm64_unsafe.go +++ b/pkg/sentry/platform/kvm/machine_arm64_unsafe.go @@ -20,9 +20,9 @@ import ( "fmt" "reflect" "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/ring0/pagetables" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -39,8 +39,8 @@ var vcpuInit kvmVcpuInit // initArchState initializes architecture-specific state. func (m *machine) initArchState() error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(m.fd), _KVM_ARM_PREFERRED_TARGET, uintptr(unsafe.Pointer(&vcpuInit))); errno != 0 { @@ -62,8 +62,8 @@ func (c *vCPU) initArchState() error { regGet.addr = uint64(reflect.ValueOf(&dataGet).Pointer()) vcpuInit.features[0] |= (1 << _KVM_ARM_VCPU_PSCI_0_2) - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_ARM_VCPU_INIT, uintptr(unsafe.Pointer(&vcpuInit))); errno != 0 { @@ -186,8 +186,8 @@ func (c *vCPU) loadSegments(tid uint64) { } func (c *vCPU) setOneRegister(reg *kvmOneReg) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_ONE_REG, uintptr(unsafe.Pointer(reg))); errno != 0 { @@ -197,8 +197,8 @@ func (c *vCPU) setOneRegister(reg *kvmOneReg) error { } func (c *vCPU) getOneRegister(reg *kvmOneReg) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_ONE_REG, uintptr(unsafe.Pointer(reg))); errno != 0 { @@ -211,9 +211,9 @@ func (c *vCPU) getOneRegister(reg *kvmOneReg) error { func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) (usermem.AccessType, error) { // Check for canonical addresses. if regs := switchOpts.Registers; !ring0.IsCanonical(regs.Pc) { - return nonCanonical(regs.Pc, int32(syscall.SIGSEGV), info) + return nonCanonical(regs.Pc, int32(unix.SIGSEGV), info) } else if !ring0.IsCanonical(regs.Sp) { - return nonCanonical(regs.Sp, int32(syscall.SIGSEGV), info) + return nonCanonical(regs.Sp, int32(unix.SIGSEGV), info) } // Assign PCIDs. @@ -247,23 +247,23 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) // Fast path: system call executed. return usermem.NoAccess, nil case ring0.PageFault: - return c.fault(int32(syscall.SIGSEGV), info) + return c.fault(int32(unix.SIGSEGV), info) case ring0.El0ErrNMI: - return c.fault(int32(syscall.SIGBUS), info) + return c.fault(int32(unix.SIGBUS), info) case ring0.Vector(bounce): // ring0.VirtualizationException. return usermem.NoAccess, platform.ErrContextInterrupt case ring0.El0SyncUndef: - return c.fault(int32(syscall.SIGILL), info) + return c.fault(int32(unix.SIGILL), info) case ring0.El0SyncDbg: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGTRAP), + Signo: int32(unix.SIGTRAP), Code: 1, // TRAP_BRKPT (breakpoint). } info.SetAddr(switchOpts.Registers.Pc) // Include address. return usermem.AccessType{}, platform.ErrContextSignal case ring0.El0SyncSpPc: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGBUS), + Signo: int32(unix.SIGBUS), Code: 2, // BUS_ADRERR (physical address does not exist). } return usermem.NoAccess, platform.ErrContextSignal diff --git a/pkg/sentry/platform/kvm/machine_unsafe.go b/pkg/sentry/platform/kvm/machine_unsafe.go index c322551d2..49e1c7136 100644 --- a/pkg/sentry/platform/kvm/machine_unsafe.go +++ b/pkg/sentry/platform/kvm/machine_unsafe.go @@ -23,9 +23,9 @@ import ( "fmt" "math" "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -41,7 +41,7 @@ func exitsyscall() // directly (instead of wrapping in an error) to avoid allocations. // //go:nosplit -func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, flags uint32) syscall.Errno { +func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, flags uint32) unix.Errno { userRegion := userMemoryRegion{ slot: uint32(slot), flags: uint32(flags), @@ -51,8 +51,8 @@ func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, f } // Set the region. - _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(m.fd), _KVM_SET_USER_MEMORY_REGION, uintptr(unsafe.Pointer(&userRegion))) @@ -61,12 +61,12 @@ func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, f // mapRunData maps the vCPU run data. func mapRunData(fd int) (*runData, error) { - r, _, errno := syscall.RawSyscall6( - syscall.SYS_MMAP, + r, _, errno := unix.RawSyscall6( + unix.SYS_MMAP, 0, uintptr(runDataSize), - syscall.PROT_READ|syscall.PROT_WRITE, - syscall.MAP_SHARED, + unix.PROT_READ|unix.PROT_WRITE, + unix.MAP_SHARED, uintptr(fd), 0) if errno != 0 { @@ -77,8 +77,8 @@ func mapRunData(fd int) (*runData, error) { // unmapRunData unmaps the vCPU run data. func unmapRunData(r *runData) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_MUNMAP, + if _, _, errno := unix.RawSyscall( + unix.SYS_MUNMAP, uintptr(unsafe.Pointer(r)), uintptr(runDataSize), 0); errno != 0 { @@ -115,8 +115,8 @@ func (a *atomicAddressSpace) get() *addressSpace { // //go:nosplit func (c *vCPU) notify() { - _, _, errno := syscall.RawSyscall6( // escapes: no. - syscall.SYS_FUTEX, + _, _, errno := unix.RawSyscall6( // escapes: no. + unix.SYS_FUTEX, uintptr(unsafe.Pointer(&c.state)), linux.FUTEX_WAKE|linux.FUTEX_PRIVATE_FLAG, math.MaxInt32, // Number of waiters. @@ -133,13 +133,13 @@ func (c *vCPU) notify() { // // This panics on error. func (c *vCPU) waitUntilNot(state uint32) { - _, _, errno := syscall.Syscall6( - syscall.SYS_FUTEX, + _, _, errno := unix.Syscall6( + unix.SYS_FUTEX, uintptr(unsafe.Pointer(&c.state)), linux.FUTEX_WAIT|linux.FUTEX_PRIVATE_FLAG, uintptr(state), 0, 0, 0) - if errno != 0 && errno != syscall.EINTR && errno != syscall.EAGAIN { + if errno != 0 && errno != unix.EINTR && errno != unix.EAGAIN { panic("futex wait error") } } @@ -159,8 +159,8 @@ func (c *vCPU) setSignalMask() error { data.length = 8 // Fixed sigset size. data.mask1 = ^uint32(bounceSignalMask & 0xffffffff) data.mask2 = ^uint32(bounceSignalMask >> 32) - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_SIGNAL_MASK, uintptr(unsafe.Pointer(&data))); errno != 0 { diff --git a/pkg/sentry/platform/kvm/physical_map.go b/pkg/sentry/platform/kvm/physical_map.go index 8bdec93ae..7376d8b8d 100644 --- a/pkg/sentry/platform/kvm/physical_map.go +++ b/pkg/sentry/platform/kvm/physical_map.go @@ -17,8 +17,8 @@ package kvm import ( "fmt" "sort" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/usermem" @@ -90,12 +90,12 @@ func fillAddressSpace() (excludedRegions []region) { required := uintptr(requiredAddr) current := required // Attempted mmap size. for filled := uintptr(0); filled < required && current > 0; { - addr, _, errno := syscall.RawSyscall6( - syscall.SYS_MMAP, + addr, _, errno := unix.RawSyscall6( + unix.SYS_MMAP, 0, // Suggested address. current, - syscall.PROT_NONE, - syscall.MAP_ANONYMOUS|syscall.MAP_PRIVATE|syscall.MAP_NORESERVE, + unix.PROT_NONE, + unix.MAP_ANONYMOUS|unix.MAP_PRIVATE|unix.MAP_NORESERVE, 0, 0) if errno != 0 { // Attempt half the size; overflow not possible. diff --git a/pkg/sentry/platform/ptrace/filters.go b/pkg/sentry/platform/ptrace/filters.go index 20fc62acb..ba4503b0d 100644 --- a/pkg/sentry/platform/ptrace/filters.go +++ b/pkg/sentry/platform/ptrace/filters.go @@ -15,16 +15,15 @@ package ptrace import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/seccomp" ) // SyscallFilters returns syscalls made exclusively by the ptrace platform. func (*PTrace) SyscallFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_PTRACE: {}, - syscall.SYS_TGKILL: {}, - syscall.SYS_WAIT4: {}, + unix.SYS_PTRACE: {}, + unix.SYS_TGKILL: {}, + unix.SYS_WAIT4: {}, } } diff --git a/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go b/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go index 32b8a6be9..4f7fe993a 100644 --- a/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go +++ b/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go @@ -17,21 +17,21 @@ package ptrace import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) // getTLS gets the thread local storage register. func (t *thread) getTLS(tls *uint64) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(tls)), Len: uint64(unsafe.Sizeof(*tls)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETREGSET, uintptr(t.tid), linux.NT_ARM_TLS, uintptr(unsafe.Pointer(&iovec)), @@ -44,13 +44,13 @@ func (t *thread) getTLS(tls *uint64) error { // setTLS sets the thread local storage register. func (t *thread) setTLS(tls *uint64) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(tls)), Len: uint64(unsafe.Sizeof(*tls)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETREGSET, uintptr(t.tid), linux.NT_ARM_TLS, uintptr(unsafe.Pointer(&iovec)), diff --git a/pkg/sentry/platform/ptrace/ptrace_unsafe.go b/pkg/sentry/platform/ptrace/ptrace_unsafe.go index 8b72d24e8..2c21f946e 100644 --- a/pkg/sentry/platform/ptrace/ptrace_unsafe.go +++ b/pkg/sentry/platform/ptrace/ptrace_unsafe.go @@ -15,9 +15,9 @@ package ptrace import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/sentry/arch" "gvisor.dev/gvisor/pkg/usermem" @@ -25,13 +25,13 @@ import ( // getRegs gets the general purpose register set. func (t *thread) getRegs(regs *arch.Registers) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(regs)), Len: uint64(unsafe.Sizeof(*regs)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETREGSET, uintptr(t.tid), linux.NT_PRSTATUS, uintptr(unsafe.Pointer(&iovec)), @@ -44,13 +44,13 @@ func (t *thread) getRegs(regs *arch.Registers) error { // setRegs sets the general purpose register set. func (t *thread) setRegs(regs *arch.Registers) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(regs)), Len: uint64(unsafe.Sizeof(*regs)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETREGSET, uintptr(t.tid), linux.NT_PRSTATUS, uintptr(unsafe.Pointer(&iovec)), @@ -61,15 +61,15 @@ func (t *thread) setRegs(regs *arch.Registers) error { return nil } -// getFPRegs gets the floating-point data via the GETREGSET ptrace syscall. +// getFPRegs gets the floating-point data via the GETREGSET ptrace unix. func (t *thread) getFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsave bool) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(fpState), Len: fpLen, } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETREGSET, uintptr(t.tid), fpRegSet(useXsave), uintptr(unsafe.Pointer(&iovec)), @@ -80,15 +80,15 @@ func (t *thread) getFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsa return nil } -// setFPRegs sets the floating-point data via the SETREGSET ptrace syscall. +// setFPRegs sets the floating-point data via the SETREGSET ptrace unix. func (t *thread) setFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsave bool) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(fpState), Len: fpLen, } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETREGSET, uintptr(t.tid), fpRegSet(useXsave), uintptr(unsafe.Pointer(&iovec)), @@ -101,9 +101,9 @@ func (t *thread) setFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsa // getSignalInfo retrieves information about the signal that caused the stop. func (t *thread) getSignalInfo(si *arch.SignalInfo) error { - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETSIGINFO, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETSIGINFO, uintptr(t.tid), 0, uintptr(unsafe.Pointer(si)), @@ -123,18 +123,18 @@ func (t *thread) getSignalInfo(si *arch.SignalInfo) error { func (t *thread) clone() (*thread, error) { r, ok := usermem.Addr(stackPointer(&t.initRegs)).RoundUp() if !ok { - return nil, syscall.EINVAL + return nil, unix.EINVAL } rval, err := t.syscallIgnoreInterrupt( &t.initRegs, - syscall.SYS_CLONE, + unix.SYS_CLONE, arch.SyscallArgument{Value: uintptr( - syscall.CLONE_FILES | - syscall.CLONE_FS | - syscall.CLONE_SIGHAND | - syscall.CLONE_THREAD | - syscall.CLONE_PTRACE | - syscall.CLONE_VM)}, + unix.CLONE_FILES | + unix.CLONE_FS | + unix.CLONE_SIGHAND | + unix.CLONE_THREAD | + unix.CLONE_PTRACE | + unix.CLONE_VM)}, // The stack pointer is just made up, but we have it be // something sensible so the kernel doesn't think we're // up to no good. Which we are. @@ -158,9 +158,9 @@ func (t *thread) clone() (*thread, error) { // getEventMessage retrieves a message about the ptrace event that just happened. func (t *thread) getEventMessage() (uintptr, error) { var msg uintptr - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETEVENTMSG, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETEVENTMSG, uintptr(t.tid), 0, uintptr(unsafe.Pointer(&msg)), diff --git a/pkg/sentry/platform/ptrace/stub_unsafe.go b/pkg/sentry/platform/ptrace/stub_unsafe.go index 341dde143..780227248 100644 --- a/pkg/sentry/platform/ptrace/stub_unsafe.go +++ b/pkg/sentry/platform/ptrace/stub_unsafe.go @@ -16,9 +16,9 @@ package ptrace import ( "reflect" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/safecopy" "gvisor.dev/gvisor/pkg/usermem" ) @@ -56,17 +56,17 @@ func stubInit() { // something that may have been there already. We just walk // down the address space until we find a place where the stub // can be placed. - addr, _, errno := syscall.RawSyscall6( - syscall.SYS_MMAP, + addr, _, errno := unix.RawSyscall6( + unix.SYS_MMAP, stubStart, mapLen, - syscall.PROT_WRITE|syscall.PROT_READ, - syscall.MAP_PRIVATE|syscall.MAP_ANONYMOUS, + unix.PROT_WRITE|unix.PROT_READ, + unix.MAP_PRIVATE|unix.MAP_ANONYMOUS, 0 /* fd */, 0 /* offset */) if addr != stubStart || errno != 0 { if addr != 0 { // Unmap the region we've mapped accidentally. - syscall.RawSyscall(syscall.SYS_MUNMAP, addr, mapLen, 0) + unix.RawSyscall(unix.SYS_MUNMAP, addr, mapLen, 0) } // Attempt to begin at a lower address. @@ -79,11 +79,11 @@ func stubInit() { copy(targetSlice, stubSlice) // Make the stub executable. - if _, _, errno := syscall.RawSyscall( - syscall.SYS_MPROTECT, + if _, _, errno := unix.RawSyscall( + unix.SYS_MPROTECT, stubStart, mapLen, - syscall.PROT_EXEC|syscall.PROT_READ); errno != 0 { + unix.PROT_EXEC|unix.PROT_READ); errno != 0 { panic("mprotect failed: " + errno.Error()) } diff --git a/pkg/sentry/platform/ptrace/subprocess.go b/pkg/sentry/platform/ptrace/subprocess.go index 17fb0a0d8..acccbfe2e 100644 --- a/pkg/sentry/platform/ptrace/subprocess.go +++ b/pkg/sentry/platform/ptrace/subprocess.go @@ -18,7 +18,6 @@ import ( "fmt" "os" "runtime" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" @@ -35,9 +34,9 @@ import ( // // These constants are only used in subprocess.go. const ( - ERESTARTSYS = syscall.Errno(512) - ERESTARTNOINTR = syscall.Errno(513) - ERESTARTNOHAND = syscall.Errno(514) + ERESTARTSYS = unix.Errno(512) + ERESTARTNOINTR = unix.Errno(513) + ERESTARTNOHAND = unix.Errno(514) ) // globalPool exists to solve two distinct problems: @@ -96,7 +95,7 @@ func (tp *threadPool) lookupOrCreate(currentTID int32, newThread func() *thread) // threads never exiting. for origTID, t := range tp.threads { // Signal zero is an easy existence check. - if err := syscall.Tgkill(syscall.Getpid(), int(origTID), 0); err != nil { + if err := unix.Tgkill(unix.Getpid(), int(origTID), 0); err != nil { // This thread has been abandoned; reuse it. delete(tp.threads, origTID) tp.threads[currentTID] = t @@ -186,7 +185,7 @@ func newSubprocess(create func() (*thread, error)) (*subprocess, error) { // (Hopefully nobody tgkilled it with a signal < // SIGSTOP before the SIGSTOP was delivered, in which // case that signal would be delivered before SIGSTOP.) - if sig := t.wait(stopped); sig != syscall.SIGSTOP { + if sig := t.wait(stopped); sig != unix.SIGSTOP { panic(fmt.Sprintf("error waiting for new clone: expected SIGSTOP, got %v", sig)) } @@ -269,7 +268,7 @@ func (s *subprocess) newThread() *thread { // attach attaches to the thread. func (t *thread) attach() { - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_ATTACH, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_ATTACH, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("unable to attach: %v", errno)) } @@ -277,7 +276,7 @@ func (t *thread) attach() { // stopped from the SIGSTOP queued by CLONE_PTRACE (see inner loop of // newSubprocess), so we always expect to see signal-delivery-stop with // SIGSTOP. - if sig := t.wait(stopped); sig != syscall.SIGSTOP { + if sig := t.wait(stopped); sig != unix.SIGSTOP { panic(fmt.Sprintf("wait failed: expected SIGSTOP, got %v", sig)) } @@ -301,7 +300,7 @@ func (t *thread) grabInitRegs() { // // Because the SIGSTOP is not suppressed, the thread will enter group-stop. func (t *thread) detach() { - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_DETACH, uintptr(t.tid), 0, uintptr(syscall.SIGSTOP), 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_DETACH, uintptr(t.tid), 0, uintptr(unix.SIGSTOP), 0, 0); errno != 0 { panic(fmt.Sprintf("can't detach new clone: %v", errno)) } } @@ -331,14 +330,14 @@ func (t *thread) dumpAndPanic(message string) { func (t *thread) unexpectedStubExit() { msg, err := t.getEventMessage() - status := syscall.WaitStatus(msg) - if status.Signaled() && status.Signal() == syscall.SIGKILL { + status := unix.WaitStatus(msg) + if status.Signaled() && status.Signal() == unix.SIGKILL { // SIGKILL can be only sent by a user or OOM-killer. In both // these cases, we don't need to panic. There is no reasons to // think that something wrong in gVisor. log.Warningf("The ptrace stub process %v has been killed by SIGKILL.", t.tgid) pid := os.Getpid() - syscall.Tgkill(pid, pid, syscall.Signal(syscall.SIGKILL)) + unix.Tgkill(pid, pid, unix.Signal(unix.SIGKILL)) } t.dumpAndPanic(fmt.Sprintf("wait failed: the process %d:%d exited: %x (err %v)", t.tgid, t.tid, msg, err)) } @@ -346,12 +345,12 @@ func (t *thread) unexpectedStubExit() { // wait waits for a stop event. // // Precondition: outcome is a valid waitOutcome. -func (t *thread) wait(outcome waitOutcome) syscall.Signal { - var status syscall.WaitStatus +func (t *thread) wait(outcome waitOutcome) unix.Signal { + var status unix.WaitStatus for { - r, err := syscall.Wait4(int(t.tid), &status, syscall.WALL|syscall.WUNTRACED, nil) - if err == syscall.EINTR || err == syscall.EAGAIN { + r, err := unix.Wait4(int(t.tid), &status, unix.WALL|unix.WUNTRACED, nil) + if err == unix.EINTR || err == unix.EAGAIN { // Wait was interrupted; wait again. continue } else if err != nil { @@ -369,12 +368,12 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal { if stopSig == 0 { continue // Spurious stop. } - if stopSig == syscall.SIGTRAP { - if status.TrapCause() == syscall.PTRACE_EVENT_EXIT { + if stopSig == unix.SIGTRAP { + if status.TrapCause() == unix.PTRACE_EVENT_EXIT { t.unexpectedStubExit() } // Re-encode the trap cause the way it's expected. - return stopSig | syscall.Signal(status.TrapCause()<<8) + return stopSig | unix.Signal(status.TrapCause()<<8) } // Not a trap signal. return stopSig @@ -382,7 +381,7 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal { if !status.Exited() && !status.Signaled() { t.dumpAndPanic(fmt.Sprintf("ptrace status unexpected: got %v, wanted exited", status)) } - return syscall.Signal(status.ExitStatus()) + return unix.Signal(status.ExitStatus()) default: // Should not happen. t.dumpAndPanic(fmt.Sprintf("unknown outcome: %v", outcome)) @@ -397,7 +396,7 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal { // manually created threads. func (t *thread) destroy() { t.detach() - syscall.Tgkill(int(t.tgid), int(t.tid), syscall.Signal(syscall.SIGKILL)) + unix.Tgkill(int(t.tgid), int(t.tid), unix.Signal(unix.SIGKILL)) t.wait(killed) } @@ -407,12 +406,12 @@ func (t *thread) init() { // set PTRACE_O_EXITKILL to ensure that the unexpected exit of the // sentry will immediately kill the associated stubs. const PTRACE_O_EXITKILL = 0x100000 - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETOPTIONS, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETOPTIONS, uintptr(t.tid), 0, - syscall.PTRACE_O_TRACESYSGOOD|syscall.PTRACE_O_TRACEEXIT|PTRACE_O_EXITKILL, + unix.PTRACE_O_TRACESYSGOOD|unix.PTRACE_O_TRACEEXIT|PTRACE_O_EXITKILL, 0, 0) if errno != 0 { panic(fmt.Sprintf("ptrace set options failed: %v", errno)) @@ -434,17 +433,17 @@ func (t *thread) syscall(regs *arch.Registers) (uintptr, error) { // Execute the syscall instruction. The task has to stop on the // trap instruction which is right after the syscall // instruction. - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_CONT, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_CONT, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace syscall-enter failed: %v", errno)) } sig := t.wait(stopped) - if sig == syscall.SIGTRAP { + if sig == unix.SIGTRAP { // Reached syscall-enter-stop. break } else { // Some other signal caused a thread stop; ignore. - if sig != syscall.SIGSTOP && sig != syscall.SIGCHLD { + if sig != unix.SIGSTOP && sig != unix.SIGCHLD { log.Warningf("The thread %d:%d has been interrupted by %d", t.tgid, t.tid, sig) } continue @@ -483,7 +482,7 @@ func (t *thread) syscallIgnoreInterrupt( // NotifyInterrupt implements interrupt.Receiver.NotifyInterrupt. func (t *thread) NotifyInterrupt() { - syscall.Tgkill(int(t.tgid), int(t.tid), syscall.Signal(platform.SignalInterrupt)) + unix.Tgkill(int(t.tgid), int(t.tid), unix.Signal(platform.SignalInterrupt)) } // switchToApp is called from the main SwitchToApp entrypoint. @@ -532,15 +531,15 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool { for { // Start running until the next system call. if isSingleStepping(regs) { - if _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, + if _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, unix.PTRACE_SYSEMU_SINGLESTEP, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace sysemu failed: %v", errno)) } } else { - if _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, + if _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace sysemu failed: %v", errno)) @@ -550,7 +549,7 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool { // Wait for the syscall-enter stop. sig := t.wait(stopped) - if sig == syscall.SIGSTOP { + if sig == unix.SIGSTOP { // SIGSTOP was delivered to another thread in the same thread // group, which initiated another group stop. Just ignore it. continue @@ -571,7 +570,7 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool { } // Is it a system call? - if sig == (syscallEvent | syscall.SIGTRAP) { + if sig == (syscallEvent | unix.SIGTRAP) { s.arm64SyscallWorkaround(t, regs) // Ensure registers are sane. @@ -619,14 +618,14 @@ func (s *subprocess) syscall(sysno uintptr, args ...arch.SyscallArgument) (uintp func (s *subprocess) MapFile(addr usermem.Addr, f memmap.File, fr memmap.FileRange, at usermem.AccessType, precommit bool) error { var flags int if precommit { - flags |= syscall.MAP_POPULATE + flags |= unix.MAP_POPULATE } _, err := s.syscall( - syscall.SYS_MMAP, + unix.SYS_MMAP, arch.SyscallArgument{Value: uintptr(addr)}, arch.SyscallArgument{Value: uintptr(fr.Length())}, arch.SyscallArgument{Value: uintptr(at.Prot())}, - arch.SyscallArgument{Value: uintptr(flags | syscall.MAP_SHARED | syscall.MAP_FIXED)}, + arch.SyscallArgument{Value: uintptr(flags | unix.MAP_SHARED | unix.MAP_FIXED)}, arch.SyscallArgument{Value: uintptr(f.FD())}, arch.SyscallArgument{Value: uintptr(fr.Start)}) return err @@ -653,7 +652,7 @@ func (s *subprocess) Unmap(addr usermem.Addr, length uint64) { } s.mu.Unlock() _, err := s.syscall( - syscall.SYS_MUNMAP, + unix.SYS_MUNMAP, arch.SyscallArgument{Value: uintptr(addr)}, arch.SyscallArgument{Value: uintptr(length)}) if err != nil { diff --git a/pkg/sentry/platform/ptrace/subprocess_amd64.go b/pkg/sentry/platform/ptrace/subprocess_amd64.go index 04815282b..9252c0bd7 100644 --- a/pkg/sentry/platform/ptrace/subprocess_amd64.go +++ b/pkg/sentry/platform/ptrace/subprocess_amd64.go @@ -19,7 +19,6 @@ package ptrace import ( "fmt" "strings" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -96,7 +95,7 @@ func updateSyscallRegs(regs *arch.Registers) { func syscallReturnValue(regs *arch.Registers) (uintptr, error) { rval := int64(regs.Rax) if rval < 0 { - return 0, syscall.Errno(-rval) + return 0, unix.Errno(-rval) } return uintptr(rval), nil } @@ -179,7 +178,7 @@ func patchSignalInfo(regs *arch.Registers, signalInfo *arch.SignalInfo) { // //go:nosplit func enableCpuidFault() { - syscall.RawSyscall6(syscall.SYS_ARCH_PRCTL, linux.ARCH_SET_CPUID, 0, 0, 0, 0, 0) + unix.RawSyscall6(unix.SYS_ARCH_PRCTL, linux.ARCH_SET_CPUID, 0, 0, 0, 0, 0) } // appendArchSeccompRules append architecture specific seccomp rules when creating BPF program. @@ -189,9 +188,9 @@ func appendArchSeccompRules(rules []seccomp.RuleSet, defaultAction linux.BPFActi // Rules for trapping vsyscall access. seccomp.RuleSet{ Rules: seccomp.SyscallRules{ - syscall.SYS_GETTIMEOFDAY: {}, - syscall.SYS_TIME: {}, - unix.SYS_GETCPU: {}, // SYS_GETCPU was not defined in package syscall on amd64. + unix.SYS_GETTIMEOFDAY: {}, + unix.SYS_TIME: {}, + unix.SYS_GETCPU: {}, // SYS_GETCPU was not defined in package syscall on amd64. }, Action: linux.SECCOMP_RET_TRAP, Vsyscall: true, @@ -200,7 +199,7 @@ func appendArchSeccompRules(rules []seccomp.RuleSet, defaultAction linux.BPFActi rules = append(rules, seccomp.RuleSet{ Rules: seccomp.SyscallRules{ - syscall.SYS_ARCH_PRCTL: []seccomp.Rule{ + unix.SYS_ARCH_PRCTL: []seccomp.Rule{ {seccomp.EqualTo(linux.ARCH_SET_CPUID), seccomp.EqualTo(0)}, }, }, @@ -227,19 +226,19 @@ func probeSeccomp() bool { // Set registers to the yield system call. This call is not allowed // by the filters specified in the attachThread function. - regs := createSyscallRegs(&t.initRegs, syscall.SYS_SCHED_YIELD) + regs := createSyscallRegs(&t.initRegs, unix.SYS_SCHED_YIELD) if err := t.setRegs(®s); err != nil { panic(fmt.Sprintf("ptrace set regs failed: %v", err)) } for { // Attempt an emulation. - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace syscall-enter failed: %v", errno)) } sig := t.wait(stopped) - if sig == (syscallEvent | syscall.SIGTRAP) { + if sig == (syscallEvent | unix.SIGTRAP) { // Did the seccomp errno hook already run? This would // indicate that seccomp is first in line and we're // less than 4.8. diff --git a/pkg/sentry/platform/ptrace/subprocess_arm64.go b/pkg/sentry/platform/ptrace/subprocess_arm64.go index 416132967..c0cbc0686 100644 --- a/pkg/sentry/platform/ptrace/subprocess_arm64.go +++ b/pkg/sentry/platform/ptrace/subprocess_arm64.go @@ -19,7 +19,6 @@ package ptrace import ( "fmt" "strings" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -99,7 +98,7 @@ func updateSyscallRegs(regs *arch.Registers) { func syscallReturnValue(regs *arch.Registers) (uintptr, error) { rval := int64(regs.Regs[0]) if rval < 0 { - return 0, syscall.Errno(-rval) + return 0, unix.Errno(-rval) } return uintptr(rval), nil } @@ -185,8 +184,8 @@ func (s *subprocess) arm64SyscallWorkaround(t *thread, regs *arch.Registers) { // signal, resume a stub thread and catch it on a signal handling. t.NotifyInterrupt() for { - if _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, + if _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace sysemu failed: %v", errno)) @@ -194,12 +193,12 @@ func (s *subprocess) arm64SyscallWorkaround(t *thread, regs *arch.Registers) { // Wait for the syscall-enter stop. sig := t.wait(stopped) - if sig == syscall.SIGSTOP { + if sig == unix.SIGSTOP { // SIGSTOP was delivered to another thread in the same thread // group, which initiated another group stop. Just ignore it. continue } - if sig == (syscallEvent | syscall.SIGTRAP) { + if sig == (syscallEvent | unix.SIGTRAP) { t.dumpAndPanic(fmt.Sprintf("unexpected syscall event")) } break diff --git a/pkg/sentry/platform/ptrace/subprocess_linux.go b/pkg/sentry/platform/ptrace/subprocess_linux.go index 8548853da..4f0260432 100644 --- a/pkg/sentry/platform/ptrace/subprocess_linux.go +++ b/pkg/sentry/platform/ptrace/subprocess_linux.go @@ -18,8 +18,8 @@ package ptrace import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/procid" @@ -27,7 +27,7 @@ import ( "gvisor.dev/gvisor/pkg/sentry/arch" ) -const syscallEvent syscall.Signal = 0x80 +const syscallEvent unix.Signal = 0x80 // createStub creates a fresh stub processes. // @@ -63,7 +63,7 @@ func createStub() (*thread, error) { // // In addition, we set the PTRACE_O_TRACEEXIT option to log more // information about a stub process when it receives a fatal signal. - return attachedThread(uintptr(syscall.SIGKILL)|syscall.CLONE_FILES, defaultAction) + return attachedThread(uintptr(unix.SIGKILL)|unix.CLONE_FILES, defaultAction) } // attachedThread returns a new attached thread. @@ -78,38 +78,38 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro if defaultAction != linux.SECCOMP_RET_ALLOW { rules = append(rules, seccomp.RuleSet{ Rules: seccomp.SyscallRules{ - syscall.SYS_CLONE: []seccomp.Rule{ + unix.SYS_CLONE: []seccomp.Rule{ // Allow creation of new subprocesses (used by the master). - {seccomp.EqualTo(syscall.CLONE_FILES | syscall.SIGKILL)}, + {seccomp.EqualTo(unix.CLONE_FILES | unix.SIGKILL)}, // Allow creation of new threads within a single address space (used by addresss spaces). {seccomp.EqualTo( - syscall.CLONE_FILES | - syscall.CLONE_FS | - syscall.CLONE_SIGHAND | - syscall.CLONE_THREAD | - syscall.CLONE_PTRACE | - syscall.CLONE_VM)}, + unix.CLONE_FILES | + unix.CLONE_FS | + unix.CLONE_SIGHAND | + unix.CLONE_THREAD | + unix.CLONE_PTRACE | + unix.CLONE_VM)}, }, // For the initial process creation. - syscall.SYS_WAIT4: {}, - syscall.SYS_EXIT: {}, + unix.SYS_WAIT4: {}, + unix.SYS_EXIT: {}, // For the stub prctl dance (all). - syscall.SYS_PRCTL: []seccomp.Rule{ - {seccomp.EqualTo(syscall.PR_SET_PDEATHSIG), seccomp.EqualTo(syscall.SIGKILL)}, + unix.SYS_PRCTL: []seccomp.Rule{ + {seccomp.EqualTo(unix.PR_SET_PDEATHSIG), seccomp.EqualTo(unix.SIGKILL)}, }, - syscall.SYS_GETPPID: {}, + unix.SYS_GETPPID: {}, // For the stub to stop itself (all). - syscall.SYS_GETPID: {}, - syscall.SYS_KILL: []seccomp.Rule{ - {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SIGSTOP)}, + unix.SYS_GETPID: {}, + unix.SYS_KILL: []seccomp.Rule{ + {seccomp.MatchAny{}, seccomp.EqualTo(unix.SIGSTOP)}, }, // Injected to support the address space operations. - syscall.SYS_MMAP: {}, - syscall.SYS_MUNMAP: {}, + unix.SYS_MMAP: {}, + unix.SYS_MUNMAP: {}, }, Action: linux.SECCOMP_RET_ALLOW, }) @@ -125,17 +125,17 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro var ( pid uintptr ppid uintptr - errno syscall.Errno + errno unix.Errno ) // Remember the current ppid for the pdeathsig race. - ppid, _, _ = syscall.RawSyscall(syscall.SYS_GETPID, 0, 0, 0) + ppid, _, _ = unix.RawSyscall(unix.SYS_GETPID, 0, 0, 0) // Among other things, beforeFork masks all signals. beforeFork() // Do the clone. - pid, _, errno = syscall.RawSyscall6(syscall.SYS_CLONE, flags, 0, 0, 0, 0, 0) + pid, _, errno = unix.RawSyscall6(unix.SYS_CLONE, flags, 0, 0, 0, 0, 0) if errno != 0 { afterFork() return nil, errno @@ -152,7 +152,7 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro tid: int32(pid), cpu: ^uint32(0), } - if sig := t.wait(stopped); sig != syscall.SIGSTOP { + if sig := t.wait(stopped); sig != unix.SIGSTOP { return nil, fmt.Errorf("wait failed: expected SIGSTOP, got %v", sig) } t.attach() @@ -165,8 +165,8 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro // prevents the stub from getting PTY job control signals intended only // for the sentry process. We must call this before restoring signal // mask. - if _, _, errno := syscall.RawSyscall(syscall.SYS_SETSID, 0, 0, 0); errno != 0 { - syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) + if _, _, errno := unix.RawSyscall(unix.SYS_SETSID, 0, 0, 0); errno != 0 { + unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0) } // afterForkInChild resets all signals to their default dispositions @@ -176,13 +176,13 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro // Explicitly unmask all signals to ensure that the tracer can see // them. if errno := unmaskAllSignals(); errno != 0 { - syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) + unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0) } // Set an aggressive BPF filter for the stub and all it's children. See // the description of the BPF program built above. if errno := seccomp.SetFilter(instrs); errno != 0 { - syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) + unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0) } // Enable cpuid-faulting. @@ -218,8 +218,8 @@ func (s *subprocess) createStub() (*thread, error) { // See above re: SIGKILL. pid, err := t.syscallIgnoreInterrupt( ®s, - syscall.SYS_CLONE, - arch.SyscallArgument{Value: uintptr(syscall.SIGKILL | syscall.CLONE_FILES)}, + unix.SYS_CLONE, + arch.SyscallArgument{Value: uintptr(unix.SIGKILL | unix.CLONE_FILES)}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}, @@ -237,10 +237,10 @@ func (s *subprocess) createStub() (*thread, error) { // If the child actually exited, the attach below will fail. _, err = t.syscallIgnoreInterrupt( &t.initRegs, - syscall.SYS_WAIT4, + unix.SYS_WAIT4, arch.SyscallArgument{Value: uintptr(pid)}, arch.SyscallArgument{Value: 0}, - arch.SyscallArgument{Value: syscall.WALL | syscall.WUNTRACED}, + arch.SyscallArgument{Value: unix.WALL | unix.WUNTRACED}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}) diff --git a/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go b/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go index 533e45497..9c342c59b 100644 --- a/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go +++ b/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go @@ -18,17 +18,17 @@ package ptrace import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) // unmaskAllSignals unmasks all signals on the current thread. // //go:nosplit -func unmaskAllSignals() syscall.Errno { +func unmaskAllSignals() unix.Errno { var set linux.SignalSet - _, _, errno := syscall.RawSyscall6(syscall.SYS_RT_SIGPROCMASK, linux.SIG_SETMASK, uintptr(unsafe.Pointer(&set)), 0, linux.SignalSetSize, 0, 0) + _, _, errno := unix.RawSyscall6(unix.SYS_RT_SIGPROCMASK, linux.SIG_SETMASK, uintptr(unsafe.Pointer(&set)), 0, linux.SignalSetSize, 0, 0) return errno } diff --git a/pkg/sentry/sighandling/sighandling.go b/pkg/sentry/sighandling/sighandling.go index 83195d5a1..bdaf8af29 100644 --- a/pkg/sentry/sighandling/sighandling.go +++ b/pkg/sentry/sighandling/sighandling.go @@ -19,8 +19,8 @@ import ( "os" "os/signal" "reflect" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -90,7 +90,7 @@ func StartSignalForwarding(handler func(linux.Signal)) func() { if sig == int(linux.SIGURG) { continue } - signal.Notify(sigchan, syscall.Signal(sig)) + signal.Notify(sigchan, unix.Signal(sig)) } // Start up our listener. go handleSignals(sigchans, handler, stop, done) // S/R-SAFE: synchronized by Kernel.extMu. diff --git a/pkg/sentry/sighandling/sighandling_unsafe.go b/pkg/sentry/sighandling/sighandling_unsafe.go index 1ebe22d34..d6a2fbe34 100644 --- a/pkg/sentry/sighandling/sighandling_unsafe.go +++ b/pkg/sentry/sighandling/sighandling_unsafe.go @@ -15,9 +15,9 @@ package sighandling import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -36,11 +36,11 @@ func IgnoreChildStop() error { var sa sigaction // Get the existing signal handler information, and set the flag. - if _, _, e := syscall.RawSyscall6(syscall.SYS_RT_SIGACTION, uintptr(syscall.SIGCHLD), 0, uintptr(unsafe.Pointer(&sa)), linux.SignalSetSize, 0, 0); e != 0 { + if _, _, e := unix.RawSyscall6(unix.SYS_RT_SIGACTION, uintptr(unix.SIGCHLD), 0, uintptr(unsafe.Pointer(&sa)), linux.SignalSetSize, 0, 0); e != 0 { return e } sa.flags |= linux.SA_NOCLDSTOP - if _, _, e := syscall.RawSyscall6(syscall.SYS_RT_SIGACTION, uintptr(syscall.SIGCHLD), uintptr(unsafe.Pointer(&sa)), 0, linux.SignalSetSize, 0, 0); e != 0 { + if _, _, e := unix.RawSyscall6(unix.SYS_RT_SIGACTION, uintptr(unix.SIGCHLD), uintptr(unsafe.Pointer(&sa)), 0, linux.SignalSetSize, 0, 0); e != 0 { return e } diff --git a/pkg/sentry/socket/hostinet/socket.go b/pkg/sentry/socket/hostinet/socket.go index 17f59ba1f..c711d0684 100644 --- a/pkg/sentry/socket/hostinet/socket.go +++ b/pkg/sentry/socket/hostinet/socket.go @@ -16,7 +16,6 @@ package hostinet import ( "fmt" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -45,10 +44,10 @@ const ( // sizeofSockaddr is the size in bytes of the largest sockaddr type // supported by this package. - sizeofSockaddr = syscall.SizeofSockaddrInet6 // sizeof(sockaddr_in6) > sizeof(sockaddr_in) + sizeofSockaddr = unix.SizeofSockaddrInet6 // sizeof(sockaddr_in6) > sizeof(sockaddr_in) // maxControlLen is the maximum size of a control message buffer used in a - // recvmsg or sendmsg syscall. + // recvmsg or sendmsg unix. maxControlLen = 1024 ) @@ -107,7 +106,7 @@ func newSocketFile(ctx context.Context, family int, stype linux.SockType, protoc // Release implements fs.FileOperations.Release. func (s *socketOpsCommon) Release(context.Context) { fdnotifier.RemoveFD(int32(s.fd)) - syscall.Close(s.fd) + unix.Close(s.fd) } // Readiness implements waiter.Waitable.Readiness. @@ -143,8 +142,8 @@ func (s *socketOperations) Read(ctx context.Context, _ *fs.File, dst usermem.IOS return 0, nil } if dsts.NumBlocks() == 1 { - // Skip allocating []syscall.Iovec. - n, err := syscall.Read(s.fd, dsts.Head().ToSlice()) + // Skip allocating []unix.Iovec. + n, err := unix.Read(s.fd, dsts.Head().ToSlice()) if err != nil { return 0, translateIOSyscallError(err) } @@ -166,8 +165,8 @@ func (s *socketOperations) Write(ctx context.Context, _ *fs.File, src usermem.IO return 0, nil } if srcs.NumBlocks() == 1 { - // Skip allocating []syscall.Iovec. - n, err := syscall.Write(s.fd, srcs.Head().ToSlice()) + // Skip allocating []unix.Iovec. + n, err := unix.Write(s.fd, srcs.Head().ToSlice()) if err != nil { return 0, translateIOSyscallError(err) } @@ -184,12 +183,12 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool sockaddr = sockaddr[:sizeofSockaddr] } - _, _, errno := syscall.Syscall(syscall.SYS_CONNECT, uintptr(s.fd), uintptr(firstBytePtr(sockaddr)), uintptr(len(sockaddr))) + _, _, errno := unix.Syscall(unix.SYS_CONNECT, uintptr(s.fd), uintptr(firstBytePtr(sockaddr)), uintptr(len(sockaddr))) if errno == 0 { return nil } - if errno != syscall.EINPROGRESS || !blocking { + if errno != unix.EINPROGRESS || !blocking { return syserr.FromError(translateIOSyscallError(errno)) } @@ -208,12 +207,12 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool return syserr.FromError(err) } } - val, err := syscall.GetsockoptInt(s.fd, syscall.SOL_SOCKET, syscall.SO_ERROR) + val, err := unix.GetsockoptInt(s.fd, unix.SOL_SOCKET, unix.SO_ERROR) if err != nil { return syserr.FromError(err) } if val != 0 { - return syserr.FromError(syscall.Errno(uintptr(val))) + return syserr.FromError(unix.Errno(uintptr(val))) } return nil } @@ -234,7 +233,7 @@ func (s *socketOpsCommon) Accept(t *kernel.Task, peerRequested bool, flags int, // Conservatively ignore all flags specified by the application and add // SOCK_NONBLOCK since socketOpsCommon requires it. - fd, syscallErr := accept4(s.fd, peerAddrPtr, peerAddrlenPtr, syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC) + fd, syscallErr := accept4(s.fd, peerAddrPtr, peerAddrlenPtr, unix.SOCK_NONBLOCK|unix.SOCK_CLOEXEC) if blocking { var ch chan struct{} for syscallErr == syserror.ErrWouldBlock { @@ -248,7 +247,7 @@ func (s *socketOpsCommon) Accept(t *kernel.Task, peerRequested bool, flags int, s.EventRegister(&e, waiter.EventIn) defer s.EventUnregister(&e) } - fd, syscallErr = accept4(s.fd, peerAddrPtr, peerAddrlenPtr, syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC) + fd, syscallErr = accept4(s.fd, peerAddrPtr, peerAddrlenPtr, unix.SOCK_NONBLOCK|unix.SOCK_CLOEXEC) } } @@ -264,27 +263,27 @@ func (s *socketOpsCommon) Accept(t *kernel.Task, peerRequested bool, flags int, kerr error ) if kernel.VFS2Enabled { - f, err := newVFS2Socket(t, s.family, s.stype, s.protocol, fd, uint32(flags&syscall.SOCK_NONBLOCK)) + f, err := newVFS2Socket(t, s.family, s.stype, s.protocol, fd, uint32(flags&unix.SOCK_NONBLOCK)) if err != nil { - syscall.Close(fd) + unix.Close(fd) return 0, nil, 0, err } defer f.DecRef(t) kfd, kerr = t.NewFDFromVFS2(0, f, kernel.FDFlags{ - CloseOnExec: flags&syscall.SOCK_CLOEXEC != 0, + CloseOnExec: flags&unix.SOCK_CLOEXEC != 0, }) t.Kernel().RecordSocketVFS2(f) } else { - f, err := newSocketFile(t, s.family, s.stype, s.protocol, fd, flags&syscall.SOCK_NONBLOCK != 0) + f, err := newSocketFile(t, s.family, s.stype, s.protocol, fd, flags&unix.SOCK_NONBLOCK != 0) if err != nil { - syscall.Close(fd) + unix.Close(fd) return 0, nil, 0, err } defer f.DecRef(t) kfd, kerr = t.NewFDFrom(0, f, kernel.FDFlags{ - CloseOnExec: flags&syscall.SOCK_CLOEXEC != 0, + CloseOnExec: flags&unix.SOCK_CLOEXEC != 0, }) t.Kernel().RecordSocket(f) } @@ -298,7 +297,7 @@ func (s *socketOpsCommon) Bind(t *kernel.Task, sockaddr []byte) *syserr.Error { sockaddr = sockaddr[:sizeofSockaddr] } - _, _, errno := syscall.Syscall(syscall.SYS_BIND, uintptr(s.fd), uintptr(firstBytePtr(sockaddr)), uintptr(len(sockaddr))) + _, _, errno := unix.Syscall(unix.SYS_BIND, uintptr(s.fd), uintptr(firstBytePtr(sockaddr)), uintptr(len(sockaddr))) if errno != 0 { return syserr.FromError(errno) } @@ -307,14 +306,14 @@ func (s *socketOpsCommon) Bind(t *kernel.Task, sockaddr []byte) *syserr.Error { // Listen implements socket.Socket.Listen. func (s *socketOpsCommon) Listen(t *kernel.Task, backlog int) *syserr.Error { - return syserr.FromError(syscall.Listen(s.fd, backlog)) + return syserr.FromError(unix.Listen(s.fd, backlog)) } // Shutdown implements socket.Socket.Shutdown. func (s *socketOpsCommon) Shutdown(t *kernel.Task, how int) *syserr.Error { switch how { - case syscall.SHUT_RD, syscall.SHUT_WR, syscall.SHUT_RDWR: - return syserr.FromError(syscall.Shutdown(s.fd, how)) + case unix.SHUT_RD, unix.SHUT_WR, unix.SHUT_RDWR: + return syserr.FromError(unix.Shutdown(s.fd, how)) default: return syserr.ErrInvalidArgument } @@ -344,7 +343,7 @@ func (s *socketOpsCommon) GetSockOpt(t *kernel.Task, level int, name int, outPtr case linux.SO_ERROR, linux.SO_KEEPALIVE, linux.SO_SNDBUF, linux.SO_RCVBUF, linux.SO_REUSEADDR, linux.SO_TIMESTAMP: optlen = sizeofInt32 case linux.SO_LINGER: - optlen = syscall.SizeofLinger + optlen = unix.SizeofLinger } case linux.SOL_TCP: switch name { @@ -407,18 +406,18 @@ func (s *socketOpsCommon) SetSockOpt(t *kernel.Task, level int, name int, opt [] } opt = opt[:optlen] - _, _, errno := syscall.Syscall6(syscall.SYS_SETSOCKOPT, uintptr(s.fd), uintptr(level), uintptr(name), uintptr(firstBytePtr(opt)), uintptr(len(opt)), 0) + _, _, errno := unix.Syscall6(unix.SYS_SETSOCKOPT, uintptr(s.fd), uintptr(level), uintptr(name), uintptr(firstBytePtr(opt)), uintptr(len(opt)), 0) if errno != 0 { return syserr.FromError(errno) } return nil } -func (s *socketOpsCommon) recvMsgFromHost(iovs []syscall.Iovec, flags int, senderRequested bool, controlLen uint64) (uint64, int, []byte, []byte, error) { +func (s *socketOpsCommon) recvMsgFromHost(iovs []unix.Iovec, flags int, senderRequested bool, controlLen uint64) (uint64, int, []byte, []byte, error) { // We always do a non-blocking recv*(). - sysflags := flags | syscall.MSG_DONTWAIT + sysflags := flags | unix.MSG_DONTWAIT - msg := syscall.Msghdr{} + msg := unix.Msghdr{} if len(iovs) > 0 { msg.Iov = &iovs[0] msg.Iovlen = uint64(len(iovs)) @@ -448,7 +447,7 @@ func (s *socketOpsCommon) recvMsgFromHost(iovs []syscall.Iovec, flags int, sende // RecvMsg implements socket.Socket.RecvMsg. func (s *socketOpsCommon) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags int, haveDeadline bool, deadline ktime.Time, senderRequested bool, controlLen uint64) (int, int, linux.SockAddr, uint32, socket.ControlMessages, *syserr.Error) { // Only allow known and safe flags. - if flags&^(syscall.MSG_DONTWAIT|syscall.MSG_PEEK|syscall.MSG_TRUNC|syscall.MSG_ERRQUEUE) != 0 { + if flags&^(unix.MSG_DONTWAIT|unix.MSG_PEEK|unix.MSG_TRUNC|unix.MSG_ERRQUEUE) != 0 { return 0, 0, nil, 0, socket.ControlMessages{}, syserr.ErrInvalidArgument } @@ -483,7 +482,7 @@ func (s *socketOpsCommon) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags var ch chan struct{} n, err := copyToDst() // recv*(MSG_ERRQUEUE) never blocks, even without MSG_DONTWAIT. - if flags&(syscall.MSG_DONTWAIT|syscall.MSG_ERRQUEUE) == 0 { + if flags&(unix.MSG_DONTWAIT|unix.MSG_ERRQUEUE) == 0 { for err == syserror.ErrWouldBlock { // We only expect blocking to come from the actual syscall, in which // case it can't have returned any data. @@ -547,7 +546,7 @@ func parseUnixControlMessages(unixControlMessages []unix.SocketControlMessage) s binary.Unmarshal(unixCmsg.Data[:addr.SizeBytes()], usermem.ByteOrder, &addr) controlMessages.IP.OriginalDstAddress = &addr - case syscall.IP_RECVERR: + case unix.IP_RECVERR: var errCmsg linux.SockErrCMsgIPv4 errCmsg.UnmarshalBytes(unixCmsg.Data) controlMessages.IP.SockErr = &errCmsg @@ -564,7 +563,7 @@ func parseUnixControlMessages(unixControlMessages []unix.SocketControlMessage) s binary.Unmarshal(unixCmsg.Data[:addr.SizeBytes()], usermem.ByteOrder, &addr) controlMessages.IP.OriginalDstAddress = &addr - case syscall.IPV6_RECVERR: + case unix.IPV6_RECVERR: var errCmsg linux.SockErrCMsgIPv6 errCmsg.UnmarshalBytes(unixCmsg.Data) controlMessages.IP.SockErr = &errCmsg @@ -584,7 +583,7 @@ func parseUnixControlMessages(unixControlMessages []unix.SocketControlMessage) s // SendMsg implements socket.Socket.SendMsg. func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []byte, flags int, haveDeadline bool, deadline ktime.Time, controlMessages socket.ControlMessages) (int, *syserr.Error) { // Only allow known and safe flags. - if flags&^(syscall.MSG_DONTWAIT|syscall.MSG_EOR|syscall.MSG_FASTOPEN|syscall.MSG_MORE|syscall.MSG_NOSIGNAL) != 0 { + if flags&^(unix.MSG_DONTWAIT|unix.MSG_EOR|unix.MSG_FASTOPEN|unix.MSG_MORE|unix.MSG_NOSIGNAL) != 0 { return 0, syserr.ErrInvalidArgument } @@ -606,12 +605,12 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b } // We always do a non-blocking send*(). - sysflags := flags | syscall.MSG_DONTWAIT + sysflags := flags | unix.MSG_DONTWAIT if srcs.NumBlocks() == 1 && len(controlBuf) == 0 { - // Skip allocating []syscall.Iovec. + // Skip allocating []unix.Iovec. src := srcs.Head() - n, _, errno := syscall.Syscall6(syscall.SYS_SENDTO, uintptr(s.fd), src.Addr(), uintptr(src.Len()), uintptr(sysflags), uintptr(firstBytePtr(to)), uintptr(len(to))) + n, _, errno := unix.Syscall6(unix.SYS_SENDTO, uintptr(s.fd), src.Addr(), uintptr(src.Len()), uintptr(sysflags), uintptr(firstBytePtr(to)), uintptr(len(to))) if errno != 0 { return 0, translateIOSyscallError(errno) } @@ -619,7 +618,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b } iovs := safemem.IovecsFromBlockSeq(srcs) - msg := syscall.Msghdr{ + msg := unix.Msghdr{ Iov: &iovs[0], Iovlen: uint64(len(iovs)), } @@ -636,7 +635,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b var ch chan struct{} n, err := src.CopyInTo(t, sendmsgFromBlocks) - if flags&syscall.MSG_DONTWAIT == 0 { + if flags&unix.MSG_DONTWAIT == 0 { for err == syserror.ErrWouldBlock { // We only expect blocking to come from the actual syscall, in which // case it can't have returned any data. @@ -664,7 +663,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b } func translateIOSyscallError(err error) error { - if err == syscall.EAGAIN || err == syscall.EWOULDBLOCK { + if err == unix.EAGAIN || err == unix.EWOULDBLOCK { return syserror.ErrWouldBlock } return err @@ -673,9 +672,9 @@ func translateIOSyscallError(err error) error { // State implements socket.Socket.State. func (s *socketOpsCommon) State() uint32 { info := linux.TCPInfo{} - buf, err := getsockopt(s.fd, syscall.SOL_TCP, syscall.TCP_INFO, linux.SizeOfTCPInfo) + buf, err := getsockopt(s.fd, unix.SOL_TCP, unix.TCP_INFO, linux.SizeOfTCPInfo) if err != nil { - if err != syscall.ENOPROTOOPT { + if err != unix.ENOPROTOOPT { log.Warningf("Failed to get TCP socket info from %+v: %v", s, err) } // For non-TCP sockets, silently ignore the failure. @@ -715,16 +714,16 @@ func (p *socketProvider) Socket(t *kernel.Task, stypeflags linux.SockType, proto // Only accept TCP and UDP. stype := stypeflags & linux.SOCK_TYPE_MASK switch stype { - case syscall.SOCK_STREAM: + case unix.SOCK_STREAM: switch protocol { - case 0, syscall.IPPROTO_TCP: + case 0, unix.IPPROTO_TCP: // ok default: return nil, nil } - case syscall.SOCK_DGRAM: + case unix.SOCK_DGRAM: switch protocol { - case 0, syscall.IPPROTO_UDP: + case 0, unix.IPPROTO_UDP: // ok default: return nil, nil @@ -736,11 +735,11 @@ func (p *socketProvider) Socket(t *kernel.Task, stypeflags linux.SockType, proto // Conservatively ignore all flags specified by the application and add // SOCK_NONBLOCK since socketOperations requires it. Pass a protocol of 0 // to simplify the syscall filters, since 0 and IPPROTO_* are equivalent. - fd, err := syscall.Socket(p.family, int(stype)|syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC, 0) + fd, err := unix.Socket(p.family, int(stype)|unix.SOCK_NONBLOCK|unix.SOCK_CLOEXEC, 0) if err != nil { return nil, syserr.FromError(err) } - return newSocketFile(t, p.family, stype, protocol, fd, stypeflags&syscall.SOCK_NONBLOCK != 0) + return newSocketFile(t, p.family, stype, protocol, fd, stypeflags&unix.SOCK_NONBLOCK != 0) } // Pair implements socket.Provider.Pair. @@ -752,7 +751,7 @@ func (p *socketProvider) Pair(t *kernel.Task, stype linux.SockType, protocol int // LINT.ThenChange(./socket_vfs2.go) func init() { - for _, family := range []int{syscall.AF_INET, syscall.AF_INET6} { + for _, family := range []int{unix.AF_INET, unix.AF_INET6} { socket.RegisterProvider(family, &socketProvider{family}) socket.RegisterProviderVFS2(family, &socketProviderVFS2{family}) } diff --git a/pkg/sentry/socket/hostinet/socket_unsafe.go b/pkg/sentry/socket/hostinet/socket_unsafe.go index 3f420c2ec..2890e640d 100644 --- a/pkg/sentry/socket/hostinet/socket_unsafe.go +++ b/pkg/sentry/socket/hostinet/socket_unsafe.go @@ -15,9 +15,9 @@ package hostinet import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -36,8 +36,8 @@ func firstBytePtr(bs []byte) unsafe.Pointer { } // Preconditions: len(dsts) != 0. -func readv(fd int, dsts []syscall.Iovec) (uint64, error) { - n, _, errno := syscall.Syscall(syscall.SYS_READV, uintptr(fd), uintptr(unsafe.Pointer(&dsts[0])), uintptr(len(dsts))) +func readv(fd int, dsts []unix.Iovec) (uint64, error) { + n, _, errno := unix.Syscall(unix.SYS_READV, uintptr(fd), uintptr(unsafe.Pointer(&dsts[0])), uintptr(len(dsts))) if errno != 0 { return 0, translateIOSyscallError(errno) } @@ -45,8 +45,8 @@ func readv(fd int, dsts []syscall.Iovec) (uint64, error) { } // Preconditions: len(srcs) != 0. -func writev(fd int, srcs []syscall.Iovec) (uint64, error) { - n, _, errno := syscall.Syscall(syscall.SYS_WRITEV, uintptr(fd), uintptr(unsafe.Pointer(&srcs[0])), uintptr(len(srcs))) +func writev(fd int, srcs []unix.Iovec) (uint64, error) { + n, _, errno := unix.Syscall(unix.SYS_WRITEV, uintptr(fd), uintptr(unsafe.Pointer(&srcs[0])), uintptr(len(srcs))) if errno != 0 { return 0, translateIOSyscallError(errno) } @@ -55,9 +55,9 @@ func writev(fd int, srcs []syscall.Iovec) (uint64, error) { func ioctl(ctx context.Context, fd int, io usermem.IO, args arch.SyscallArguments) (uintptr, error) { switch cmd := uintptr(args[1].Int()); cmd { - case syscall.TIOCINQ, syscall.TIOCOUTQ: + case unix.TIOCINQ, unix.TIOCOUTQ: var val int32 - if _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), cmd, uintptr(unsafe.Pointer(&val))); errno != 0 { + if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), cmd, uintptr(unsafe.Pointer(&val))); errno != 0 { return 0, translateIOSyscallError(errno) } var buf [4]byte @@ -73,7 +73,7 @@ func ioctl(ctx context.Context, fd int, io usermem.IO, args arch.SyscallArgument } func accept4(fd int, addr *byte, addrlen *uint32, flags int) (int, error) { - afd, _, errno := syscall.Syscall6(syscall.SYS_ACCEPT4, uintptr(fd), uintptr(unsafe.Pointer(addr)), uintptr(unsafe.Pointer(addrlen)), uintptr(flags), 0, 0) + afd, _, errno := unix.Syscall6(unix.SYS_ACCEPT4, uintptr(fd), uintptr(unsafe.Pointer(addr)), uintptr(unsafe.Pointer(addrlen)), uintptr(flags), 0, 0) if errno != 0 { return 0, translateIOSyscallError(errno) } @@ -83,7 +83,7 @@ func accept4(fd int, addr *byte, addrlen *uint32, flags int) (int, error) { func getsockopt(fd int, level, name int, optlen int) ([]byte, error) { opt := make([]byte, optlen) optlen32 := int32(len(opt)) - _, _, errno := syscall.Syscall6(syscall.SYS_GETSOCKOPT, uintptr(fd), uintptr(level), uintptr(name), uintptr(firstBytePtr(opt)), uintptr(unsafe.Pointer(&optlen32)), 0) + _, _, errno := unix.Syscall6(unix.SYS_GETSOCKOPT, uintptr(fd), uintptr(level), uintptr(name), uintptr(firstBytePtr(opt)), uintptr(unsafe.Pointer(&optlen32)), 0) if errno != 0 { return nil, errno } @@ -94,7 +94,7 @@ func getsockopt(fd int, level, name int, optlen int) ([]byte, error) { func (s *socketOpsCommon) GetSockName(t *kernel.Task) (linux.SockAddr, uint32, *syserr.Error) { addr := make([]byte, sizeofSockaddr) addrlen := uint32(len(addr)) - _, _, errno := syscall.Syscall(syscall.SYS_GETSOCKNAME, uintptr(s.fd), uintptr(unsafe.Pointer(&addr[0])), uintptr(unsafe.Pointer(&addrlen))) + _, _, errno := unix.Syscall(unix.SYS_GETSOCKNAME, uintptr(s.fd), uintptr(unsafe.Pointer(&addr[0])), uintptr(unsafe.Pointer(&addrlen))) if errno != 0 { return nil, 0, syserr.FromError(errno) } @@ -105,7 +105,7 @@ func (s *socketOpsCommon) GetSockName(t *kernel.Task) (linux.SockAddr, uint32, * func (s *socketOpsCommon) GetPeerName(t *kernel.Task) (linux.SockAddr, uint32, *syserr.Error) { addr := make([]byte, sizeofSockaddr) addrlen := uint32(len(addr)) - _, _, errno := syscall.Syscall(syscall.SYS_GETPEERNAME, uintptr(s.fd), uintptr(unsafe.Pointer(&addr[0])), uintptr(unsafe.Pointer(&addrlen))) + _, _, errno := unix.Syscall(unix.SYS_GETPEERNAME, uintptr(s.fd), uintptr(unsafe.Pointer(&addr[0])), uintptr(unsafe.Pointer(&addrlen))) if errno != 0 { return nil, 0, syserr.FromError(errno) } @@ -114,7 +114,7 @@ func (s *socketOpsCommon) GetPeerName(t *kernel.Task) (linux.SockAddr, uint32, * func recvfrom(fd int, dst []byte, flags int, from *[]byte) (uint64, error) { fromLen := uint32(len(*from)) - n, _, errno := syscall.Syscall6(syscall.SYS_RECVFROM, uintptr(fd), uintptr(firstBytePtr(dst)), uintptr(len(dst)), uintptr(flags), uintptr(firstBytePtr(*from)), uintptr(unsafe.Pointer(&fromLen))) + n, _, errno := unix.Syscall6(unix.SYS_RECVFROM, uintptr(fd), uintptr(firstBytePtr(dst)), uintptr(len(dst)), uintptr(flags), uintptr(firstBytePtr(*from)), uintptr(unsafe.Pointer(&fromLen))) if errno != 0 { return 0, translateIOSyscallError(errno) } @@ -122,16 +122,16 @@ func recvfrom(fd int, dst []byte, flags int, from *[]byte) (uint64, error) { return uint64(n), nil } -func recvmsg(fd int, msg *syscall.Msghdr, flags int) (uint64, error) { - n, _, errno := syscall.Syscall(syscall.SYS_RECVMSG, uintptr(fd), uintptr(unsafe.Pointer(msg)), uintptr(flags)) +func recvmsg(fd int, msg *unix.Msghdr, flags int) (uint64, error) { + n, _, errno := unix.Syscall(unix.SYS_RECVMSG, uintptr(fd), uintptr(unsafe.Pointer(msg)), uintptr(flags)) if errno != 0 { return 0, translateIOSyscallError(errno) } return uint64(n), nil } -func sendmsg(fd int, msg *syscall.Msghdr, flags int) (uint64, error) { - n, _, errno := syscall.Syscall(syscall.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(msg)), uintptr(flags)) +func sendmsg(fd int, msg *unix.Msghdr, flags int) (uint64, error) { + n, _, errno := unix.Syscall(unix.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(msg)), uintptr(flags)) if errno != 0 { return 0, translateIOSyscallError(errno) } diff --git a/pkg/sentry/socket/hostinet/socket_vfs2.go b/pkg/sentry/socket/hostinet/socket_vfs2.go index dc03ccb47..5d55cc64d 100644 --- a/pkg/sentry/socket/hostinet/socket_vfs2.go +++ b/pkg/sentry/socket/hostinet/socket_vfs2.go @@ -15,8 +15,7 @@ package hostinet import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fdnotifier" @@ -160,16 +159,16 @@ func (p *socketProviderVFS2) Socket(t *kernel.Task, stypeflags linux.SockType, p // Only accept TCP and UDP. stype := stypeflags & linux.SOCK_TYPE_MASK switch stype { - case syscall.SOCK_STREAM: + case unix.SOCK_STREAM: switch protocol { - case 0, syscall.IPPROTO_TCP: + case 0, unix.IPPROTO_TCP: // ok default: return nil, nil } - case syscall.SOCK_DGRAM: + case unix.SOCK_DGRAM: switch protocol { - case 0, syscall.IPPROTO_UDP: + case 0, unix.IPPROTO_UDP: // ok default: return nil, nil @@ -181,11 +180,11 @@ func (p *socketProviderVFS2) Socket(t *kernel.Task, stypeflags linux.SockType, p // Conservatively ignore all flags specified by the application and add // SOCK_NONBLOCK since socketOperations requires it. Pass a protocol of 0 // to simplify the syscall filters, since 0 and IPPROTO_* are equivalent. - fd, err := syscall.Socket(p.family, int(stype)|syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC, 0) + fd, err := unix.Socket(p.family, int(stype)|unix.SOCK_NONBLOCK|unix.SOCK_CLOEXEC, 0) if err != nil { return nil, syserr.FromError(err) } - return newVFS2Socket(t, p.family, stype, protocol, fd, uint32(stypeflags&syscall.SOCK_NONBLOCK)) + return newVFS2Socket(t, p.family, stype, protocol, fd, uint32(stypeflags&unix.SOCK_NONBLOCK)) } // Pair implements socket.Provider.Pair. diff --git a/pkg/sentry/socket/hostinet/stack.go b/pkg/sentry/socket/hostinet/stack.go index 7e7857ac3..e6323244c 100644 --- a/pkg/sentry/socket/hostinet/stack.go +++ b/pkg/sentry/socket/hostinet/stack.go @@ -24,6 +24,7 @@ import ( "strings" "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/binary" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/log" @@ -138,14 +139,14 @@ func (s *Stack) Configure() error { // netlink messages. func ExtractHostInterfaces(links []syscall.NetlinkMessage, addrs []syscall.NetlinkMessage, interfaces map[int32]inet.Interface, interfaceAddrs map[int32][]inet.InterfaceAddr) error { for _, link := range links { - if link.Header.Type != syscall.RTM_NEWLINK { + if link.Header.Type != unix.RTM_NEWLINK { continue } - if len(link.Data) < syscall.SizeofIfInfomsg { - return fmt.Errorf("RTM_GETLINK returned RTM_NEWLINK message with invalid data length (%d bytes, expected at least %d bytes)", len(link.Data), syscall.SizeofIfInfomsg) + if len(link.Data) < unix.SizeofIfInfomsg { + return fmt.Errorf("RTM_GETLINK returned RTM_NEWLINK message with invalid data length (%d bytes, expected at least %d bytes)", len(link.Data), unix.SizeofIfInfomsg) } - var ifinfo syscall.IfInfomsg - binary.Unmarshal(link.Data[:syscall.SizeofIfInfomsg], usermem.ByteOrder, &ifinfo) + var ifinfo unix.IfInfomsg + binary.Unmarshal(link.Data[:unix.SizeofIfInfomsg], usermem.ByteOrder, &ifinfo) inetIF := inet.Interface{ DeviceType: ifinfo.Type, Flags: ifinfo.Flags, @@ -159,9 +160,9 @@ func ExtractHostInterfaces(links []syscall.NetlinkMessage, addrs []syscall.Netli } for _, attr := range attrs { switch attr.Attr.Type { - case syscall.IFLA_ADDRESS: + case unix.IFLA_ADDRESS: inetIF.Addr = attr.Value - case syscall.IFLA_IFNAME: + case unix.IFLA_IFNAME: inetIF.Name = string(attr.Value[:len(attr.Value)-1]) } } @@ -169,14 +170,14 @@ func ExtractHostInterfaces(links []syscall.NetlinkMessage, addrs []syscall.Netli } for _, addr := range addrs { - if addr.Header.Type != syscall.RTM_NEWADDR { + if addr.Header.Type != unix.RTM_NEWADDR { continue } - if len(addr.Data) < syscall.SizeofIfAddrmsg { - return fmt.Errorf("RTM_GETADDR returned RTM_NEWADDR message with invalid data length (%d bytes, expected at least %d bytes)", len(addr.Data), syscall.SizeofIfAddrmsg) + if len(addr.Data) < unix.SizeofIfAddrmsg { + return fmt.Errorf("RTM_GETADDR returned RTM_NEWADDR message with invalid data length (%d bytes, expected at least %d bytes)", len(addr.Data), unix.SizeofIfAddrmsg) } - var ifaddr syscall.IfAddrmsg - binary.Unmarshal(addr.Data[:syscall.SizeofIfAddrmsg], usermem.ByteOrder, &ifaddr) + var ifaddr unix.IfAddrmsg + binary.Unmarshal(addr.Data[:unix.SizeofIfAddrmsg], usermem.ByteOrder, &ifaddr) inetAddr := inet.InterfaceAddr{ Family: ifaddr.Family, PrefixLen: ifaddr.Prefixlen, @@ -188,7 +189,7 @@ func ExtractHostInterfaces(links []syscall.NetlinkMessage, addrs []syscall.Netli } for _, attr := range attrs { switch attr.Attr.Type { - case syscall.IFA_ADDRESS: + case unix.IFA_ADDRESS: inetAddr.Addr = attr.Value } } @@ -203,12 +204,12 @@ func ExtractHostInterfaces(links []syscall.NetlinkMessage, addrs []syscall.Netli func ExtractHostRoutes(routeMsgs []syscall.NetlinkMessage) ([]inet.Route, error) { var routes []inet.Route for _, routeMsg := range routeMsgs { - if routeMsg.Header.Type != syscall.RTM_NEWROUTE { + if routeMsg.Header.Type != unix.RTM_NEWROUTE { continue } - var ifRoute syscall.RtMsg - binary.Unmarshal(routeMsg.Data[:syscall.SizeofRtMsg], usermem.ByteOrder, &ifRoute) + var ifRoute unix.RtMsg + binary.Unmarshal(routeMsg.Data[:unix.SizeofRtMsg], usermem.ByteOrder, &ifRoute) inetRoute := inet.Route{ Family: ifRoute.Family, DstLen: ifRoute.Dst_len, @@ -231,13 +232,13 @@ func ExtractHostRoutes(routeMsgs []syscall.NetlinkMessage) ([]inet.Route, error) for _, attr := range attrs { switch attr.Attr.Type { - case syscall.RTA_DST: + case unix.RTA_DST: inetRoute.DstAddr = attr.Value - case syscall.RTA_SRC: + case unix.RTA_SRC: inetRoute.SrcAddr = attr.Value - case syscall.RTA_GATEWAY: + case unix.RTA_GATEWAY: inetRoute.GatewayAddr = attr.Value - case syscall.RTA_OIF: + case unix.RTA_OIF: expected := int(binary.Size(inetRoute.OutputInterface)) if len(attr.Value) != expected { return nil, fmt.Errorf("RTM_GETROUTE returned RTM_NEWROUTE message with invalid attribute data length (%d bytes, expected %d bytes)", len(attr.Value), expected) @@ -253,12 +254,12 @@ func ExtractHostRoutes(routeMsgs []syscall.NetlinkMessage) ([]inet.Route, error) } func addHostInterfaces(s *Stack) error { - links, err := doNetlinkRouteRequest(syscall.RTM_GETLINK) + links, err := doNetlinkRouteRequest(unix.RTM_GETLINK) if err != nil { return fmt.Errorf("RTM_GETLINK failed: %v", err) } - addrs, err := doNetlinkRouteRequest(syscall.RTM_GETADDR) + addrs, err := doNetlinkRouteRequest(unix.RTM_GETADDR) if err != nil { return fmt.Errorf("RTM_GETADDR failed: %v", err) } @@ -267,7 +268,7 @@ func addHostInterfaces(s *Stack) error { } func addHostRoutes(s *Stack) error { - routes, err := doNetlinkRouteRequest(syscall.RTM_GETROUTE) + routes, err := doNetlinkRouteRequest(unix.RTM_GETROUTE) if err != nil { return fmt.Errorf("RTM_GETROUTE failed: %v", err) } diff --git a/pkg/sentry/socket/netlink/route/protocol.go b/pkg/sentry/socket/netlink/route/protocol.go index f4d034c13..5a2255db3 100644 --- a/pkg/sentry/socket/netlink/route/protocol.go +++ b/pkg/sentry/socket/netlink/route/protocol.go @@ -17,8 +17,8 @@ package route import ( "bytes" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/inet" @@ -436,7 +436,7 @@ func (p *Protocol) newAddr(ctx context.Context, msg *netlink.Message, ms *netlin Flags: ifa.Flags, Addr: value, }) - if err == syscall.EEXIST { + if err == unix.EEXIST { flags := msg.Header().Flags if flags&linux.NLM_F_EXCL != 0 { return syserr.ErrExists diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go index f77a867f1..f2dc7c90b 100644 --- a/pkg/sentry/socket/netstack/netstack.go +++ b/pkg/sentry/socket/netstack/netstack.go @@ -31,7 +31,6 @@ import ( "io/ioutil" "math" "reflect" - "syscall" "time" "golang.org/x/sys/unix" @@ -835,7 +834,7 @@ func getSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, fam return &optP, nil case linux.SO_PEERCRED: - if family != linux.AF_UNIX || outLen < syscall.SizeofUcred { + if family != linux.AF_UNIX || outLen < unix.SizeofUcred { return nil, syserr.ErrInvalidArgument } @@ -3199,15 +3198,15 @@ func nicStateFlagsToLinux(f stack.NICStateFlags) uint32 { } func isTCPSocket(skType linux.SockType, skProto int) bool { - return skType == linux.SOCK_STREAM && (skProto == 0 || skProto == syscall.IPPROTO_TCP) + return skType == linux.SOCK_STREAM && (skProto == 0 || skProto == unix.IPPROTO_TCP) } func isUDPSocket(skType linux.SockType, skProto int) bool { - return skType == linux.SOCK_DGRAM && (skProto == 0 || skProto == syscall.IPPROTO_UDP) + return skType == linux.SOCK_DGRAM && (skProto == 0 || skProto == unix.IPPROTO_UDP) } func isICMPSocket(skType linux.SockType, skProto int) bool { - return skType == linux.SOCK_DGRAM && (skProto == syscall.IPPROTO_ICMP || skProto == syscall.IPPROTO_ICMPV6) + return skType == linux.SOCK_DGRAM && (skProto == unix.IPPROTO_ICMP || skProto == unix.IPPROTO_ICMPV6) } // State implements socket.Socket.State. State translates the internal state diff --git a/pkg/sentry/socket/netstack/provider.go b/pkg/sentry/socket/netstack/provider.go index 2515dda80..8605ad507 100644 --- a/pkg/sentry/socket/netstack/provider.go +++ b/pkg/sentry/socket/netstack/provider.go @@ -15,8 +15,7 @@ package netstack import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/sentry/fs" @@ -48,18 +47,18 @@ type provider struct { func getTransportProtocol(ctx context.Context, stype linux.SockType, protocol int) (tcpip.TransportProtocolNumber, bool, *syserr.Error) { switch stype { case linux.SOCK_STREAM: - if protocol != 0 && protocol != syscall.IPPROTO_TCP { + if protocol != 0 && protocol != unix.IPPROTO_TCP { return 0, true, syserr.ErrInvalidArgument } return tcp.ProtocolNumber, true, nil case linux.SOCK_DGRAM: switch protocol { - case 0, syscall.IPPROTO_UDP: + case 0, unix.IPPROTO_UDP: return udp.ProtocolNumber, true, nil - case syscall.IPPROTO_ICMP: + case unix.IPPROTO_ICMP: return header.ICMPv4ProtocolNumber, true, nil - case syscall.IPPROTO_ICMPV6: + case unix.IPPROTO_ICMPV6: return header.ICMPv6ProtocolNumber, true, nil } @@ -71,18 +70,18 @@ func getTransportProtocol(ctx context.Context, stype linux.SockType, protocol in } switch protocol { - case syscall.IPPROTO_ICMP: + case unix.IPPROTO_ICMP: return header.ICMPv4ProtocolNumber, true, nil - case syscall.IPPROTO_ICMPV6: + case unix.IPPROTO_ICMPV6: return header.ICMPv6ProtocolNumber, true, nil - case syscall.IPPROTO_UDP: + case unix.IPPROTO_UDP: return header.UDPProtocolNumber, true, nil - case syscall.IPPROTO_TCP: + case unix.IPPROTO_TCP: return header.TCPProtocolNumber, true, nil // IPPROTO_RAW signifies that the raw socket isn't assigned to // a transport protocol. Users will be able to write packets' // IP headers and won't receive anything. - case syscall.IPPROTO_RAW: + case unix.IPPROTO_RAW: return tcpip.TransportProtocolNumber(0), false, nil } } diff --git a/pkg/sentry/socket/socket.go b/pkg/sentry/socket/socket.go index cc535d794..909341dcf 100644 --- a/pkg/sentry/socket/socket.go +++ b/pkg/sentry/socket/socket.go @@ -21,8 +21,8 @@ import ( "bytes" "fmt" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/binary" "gvisor.dev/gvisor/pkg/context" @@ -198,42 +198,42 @@ type SocketVFS2 interface { // // It is implemented by both Socket and SocketVFS2. type SocketOps interface { - // Connect implements the connect(2) linux syscall. + // Connect implements the connect(2) linux unix. Connect(t *kernel.Task, sockaddr []byte, blocking bool) *syserr.Error - // Accept implements the accept4(2) linux syscall. + // Accept implements the accept4(2) linux unix. // Returns fd, real peer address length and error. Real peer address // length is only set if len(peer) > 0. Accept(t *kernel.Task, peerRequested bool, flags int, blocking bool) (int32, linux.SockAddr, uint32, *syserr.Error) - // Bind implements the bind(2) linux syscall. + // Bind implements the bind(2) linux unix. Bind(t *kernel.Task, sockaddr []byte) *syserr.Error - // Listen implements the listen(2) linux syscall. + // Listen implements the listen(2) linux unix. Listen(t *kernel.Task, backlog int) *syserr.Error - // Shutdown implements the shutdown(2) linux syscall. + // Shutdown implements the shutdown(2) linux unix. Shutdown(t *kernel.Task, how int) *syserr.Error - // GetSockOpt implements the getsockopt(2) linux syscall. + // GetSockOpt implements the getsockopt(2) linux unix. GetSockOpt(t *kernel.Task, level int, name int, outPtr usermem.Addr, outLen int) (marshal.Marshallable, *syserr.Error) - // SetSockOpt implements the setsockopt(2) linux syscall. + // SetSockOpt implements the setsockopt(2) linux unix. SetSockOpt(t *kernel.Task, level int, name int, opt []byte) *syserr.Error - // GetSockName implements the getsockname(2) linux syscall. + // GetSockName implements the getsockname(2) linux unix. // // addrLen is the address length to be returned to the application, not // necessarily the actual length of the address. GetSockName(t *kernel.Task) (addr linux.SockAddr, addrLen uint32, err *syserr.Error) - // GetPeerName implements the getpeername(2) linux syscall. + // GetPeerName implements the getpeername(2) linux unix. // // addrLen is the address length to be returned to the application, not // necessarily the actual length of the address. GetPeerName(t *kernel.Task) (addr linux.SockAddr, addrLen uint32, err *syserr.Error) - // RecvMsg implements the recvmsg(2) linux syscall. + // RecvMsg implements the recvmsg(2) linux unix. // // senderAddrLen is the address length to be returned to the application, // not necessarily the actual length of the address. @@ -246,7 +246,7 @@ type SocketOps interface { // If err != nil, the recv was not successful. RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags int, haveDeadline bool, deadline ktime.Time, senderRequested bool, controlDataLen uint64) (n int, msgFlags int, senderAddr linux.SockAddr, senderAddrLen uint32, controlMessages ControlMessages, err *syserr.Error) - // SendMsg implements the sendmsg(2) linux syscall. SendMsg does not take + // SendMsg implements the sendmsg(2) linux unix. SendMsg does not take // ownership of the ControlMessage on error. // // If n > 0, err will either be nil or an error from t.Block. @@ -569,21 +569,21 @@ func emitUnimplementedEvent(t *kernel.Task, name int) { // given family. func UnmarshalSockAddr(family int, data []byte) linux.SockAddr { switch family { - case syscall.AF_INET: + case unix.AF_INET: var addr linux.SockAddrInet - binary.Unmarshal(data[:syscall.SizeofSockaddrInet4], usermem.ByteOrder, &addr) + binary.Unmarshal(data[:unix.SizeofSockaddrInet4], usermem.ByteOrder, &addr) return &addr - case syscall.AF_INET6: + case unix.AF_INET6: var addr linux.SockAddrInet6 - binary.Unmarshal(data[:syscall.SizeofSockaddrInet6], usermem.ByteOrder, &addr) + binary.Unmarshal(data[:unix.SizeofSockaddrInet6], usermem.ByteOrder, &addr) return &addr - case syscall.AF_UNIX: + case unix.AF_UNIX: var addr linux.SockAddrUnix - binary.Unmarshal(data[:syscall.SizeofSockaddrUnix], usermem.ByteOrder, &addr) + binary.Unmarshal(data[:unix.SizeofSockaddrUnix], usermem.ByteOrder, &addr) return &addr - case syscall.AF_NETLINK: + case unix.AF_NETLINK: var addr linux.SockAddrNetlink - binary.Unmarshal(data[:syscall.SizeofSockaddrNetlink], usermem.ByteOrder, &addr) + binary.Unmarshal(data[:unix.SizeofSockaddrNetlink], usermem.ByteOrder, &addr) return &addr default: panic(fmt.Sprintf("Unsupported socket family %v", family)) diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go index 32e5d2304..63165e1d4 100644 --- a/pkg/sentry/socket/unix/unix.go +++ b/pkg/sentry/socket/unix/unix.go @@ -19,8 +19,8 @@ package unix import ( "fmt" "strings" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fspath" @@ -600,14 +600,14 @@ func (s *socketOpsCommon) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags // Calculate the number of FDs for which we have space and if we are // requesting credentials. var wantCreds bool - rightsLen := int(controlDataLen) - syscall.SizeofCmsghdr + rightsLen := int(controlDataLen) - unix.SizeofCmsghdr if s.Passcred() { // Credentials take priority if they are enabled and there is space. wantCreds = rightsLen > 0 if !wantCreds { msgFlags |= linux.MSG_CTRUNC } - credLen := syscall.CmsgSpace(syscall.SizeofUcred) + credLen := unix.CmsgSpace(unix.SizeofUcred) rightsLen -= credLen } // FDs are 32 bit (4 byte) ints. diff --git a/pkg/sentry/state/state_unsafe.go b/pkg/sentry/state/state_unsafe.go index d271c6fc9..a3da028c4 100644 --- a/pkg/sentry/state/state_unsafe.go +++ b/pkg/sentry/state/state_unsafe.go @@ -16,17 +16,17 @@ package state import ( "fmt" - "syscall" "time" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) // CPUTime returns the CPU time usage by Sentry and app. func CPUTime() (time.Duration, error) { - var ts syscall.Timespec - _, _, errno := syscall.RawSyscall(syscall.SYS_CLOCK_GETTIME, uintptr(linux.CLOCK_PROCESS_CPUTIME_ID), uintptr(unsafe.Pointer(&ts)), 0) + var ts unix.Timespec + _, _, errno := unix.RawSyscall(unix.SYS_CLOCK_GETTIME, uintptr(linux.CLOCK_PROCESS_CPUTIME_ID), uintptr(unsafe.Pointer(&ts)), 0) if errno != 0 { return 0, fmt.Errorf("failed calling clock_gettime(CLOCK_PROCESS_CPUTIME_ID): errno=%d", errno) } diff --git a/pkg/sentry/strace/clone.go b/pkg/sentry/strace/clone.go index e99158712..ab1060426 100644 --- a/pkg/sentry/strace/clone.go +++ b/pkg/sentry/strace/clone.go @@ -15,99 +15,98 @@ package strace import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi" ) // CloneFlagSet is the set of clone(2) flags. var CloneFlagSet = abi.FlagSet{ { - Flag: syscall.CLONE_VM, + Flag: unix.CLONE_VM, Name: "CLONE_VM", }, { - Flag: syscall.CLONE_FS, + Flag: unix.CLONE_FS, Name: "CLONE_FS", }, { - Flag: syscall.CLONE_FILES, + Flag: unix.CLONE_FILES, Name: "CLONE_FILES", }, { - Flag: syscall.CLONE_SIGHAND, + Flag: unix.CLONE_SIGHAND, Name: "CLONE_SIGHAND", }, { - Flag: syscall.CLONE_PTRACE, + Flag: unix.CLONE_PTRACE, Name: "CLONE_PTRACE", }, { - Flag: syscall.CLONE_VFORK, + Flag: unix.CLONE_VFORK, Name: "CLONE_VFORK", }, { - Flag: syscall.CLONE_PARENT, + Flag: unix.CLONE_PARENT, Name: "CLONE_PARENT", }, { - Flag: syscall.CLONE_THREAD, + Flag: unix.CLONE_THREAD, Name: "CLONE_THREAD", }, { - Flag: syscall.CLONE_NEWNS, + Flag: unix.CLONE_NEWNS, Name: "CLONE_NEWNS", }, { - Flag: syscall.CLONE_SYSVSEM, + Flag: unix.CLONE_SYSVSEM, Name: "CLONE_SYSVSEM", }, { - Flag: syscall.CLONE_SETTLS, + Flag: unix.CLONE_SETTLS, Name: "CLONE_SETTLS", }, { - Flag: syscall.CLONE_PARENT_SETTID, + Flag: unix.CLONE_PARENT_SETTID, Name: "CLONE_PARENT_SETTID", }, { - Flag: syscall.CLONE_CHILD_CLEARTID, + Flag: unix.CLONE_CHILD_CLEARTID, Name: "CLONE_CHILD_CLEARTID", }, { - Flag: syscall.CLONE_DETACHED, + Flag: unix.CLONE_DETACHED, Name: "CLONE_DETACHED", }, { - Flag: syscall.CLONE_UNTRACED, + Flag: unix.CLONE_UNTRACED, Name: "CLONE_UNTRACED", }, { - Flag: syscall.CLONE_CHILD_SETTID, + Flag: unix.CLONE_CHILD_SETTID, Name: "CLONE_CHILD_SETTID", }, { - Flag: syscall.CLONE_NEWUTS, + Flag: unix.CLONE_NEWUTS, Name: "CLONE_NEWUTS", }, { - Flag: syscall.CLONE_NEWIPC, + Flag: unix.CLONE_NEWIPC, Name: "CLONE_NEWIPC", }, { - Flag: syscall.CLONE_NEWUSER, + Flag: unix.CLONE_NEWUSER, Name: "CLONE_NEWUSER", }, { - Flag: syscall.CLONE_NEWPID, + Flag: unix.CLONE_NEWPID, Name: "CLONE_NEWPID", }, { - Flag: syscall.CLONE_NEWNET, + Flag: unix.CLONE_NEWNET, Name: "CLONE_NEWNET", }, { - Flag: syscall.CLONE_IO, + Flag: unix.CLONE_IO, Name: "CLONE_IO", }, } diff --git a/pkg/sentry/strace/open.go b/pkg/sentry/strace/open.go index e40bcb53b..5769360da 100644 --- a/pkg/sentry/strace/open.go +++ b/pkg/sentry/strace/open.go @@ -15,62 +15,61 @@ package strace import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi" ) // OpenMode represents the mode to open(2) a file. var OpenMode = abi.ValueSet{ - syscall.O_RDWR: "O_RDWR", - syscall.O_WRONLY: "O_WRONLY", - syscall.O_RDONLY: "O_RDONLY", + unix.O_RDWR: "O_RDWR", + unix.O_WRONLY: "O_WRONLY", + unix.O_RDONLY: "O_RDONLY", } // OpenFlagSet is the set of open(2) flags. var OpenFlagSet = abi.FlagSet{ { - Flag: syscall.O_APPEND, + Flag: unix.O_APPEND, Name: "O_APPEND", }, { - Flag: syscall.O_ASYNC, + Flag: unix.O_ASYNC, Name: "O_ASYNC", }, { - Flag: syscall.O_CLOEXEC, + Flag: unix.O_CLOEXEC, Name: "O_CLOEXEC", }, { - Flag: syscall.O_CREAT, + Flag: unix.O_CREAT, Name: "O_CREAT", }, { - Flag: syscall.O_DIRECT, + Flag: unix.O_DIRECT, Name: "O_DIRECT", }, { - Flag: syscall.O_DIRECTORY, + Flag: unix.O_DIRECTORY, Name: "O_DIRECTORY", }, { - Flag: syscall.O_EXCL, + Flag: unix.O_EXCL, Name: "O_EXCL", }, { - Flag: syscall.O_NOATIME, + Flag: unix.O_NOATIME, Name: "O_NOATIME", }, { - Flag: syscall.O_NOCTTY, + Flag: unix.O_NOCTTY, Name: "O_NOCTTY", }, { - Flag: syscall.O_NOFOLLOW, + Flag: unix.O_NOFOLLOW, Name: "O_NOFOLLOW", }, { - Flag: syscall.O_NONBLOCK, + Flag: unix.O_NONBLOCK, Name: "O_NONBLOCK", }, { @@ -78,18 +77,18 @@ var OpenFlagSet = abi.FlagSet{ Name: "O_PATH", }, { - Flag: syscall.O_SYNC, + Flag: unix.O_SYNC, Name: "O_SYNC", }, { - Flag: syscall.O_TRUNC, + Flag: unix.O_TRUNC, Name: "O_TRUNC", }, } func open(val uint64) string { - s := OpenMode.Parse(val & syscall.O_ACCMODE) - if flags := OpenFlagSet.Parse(val &^ syscall.O_ACCMODE); flags != "" { + s := OpenMode.Parse(val & unix.O_ACCMODE) + if flags := OpenFlagSet.Parse(val &^ unix.O_ACCMODE); flags != "" { s += "|" + flags } return s diff --git a/pkg/sentry/syscalls/linux/sys_file.go b/pkg/sentry/syscalls/linux/sys_file.go index a6253626e..fd9649340 100644 --- a/pkg/sentry/syscalls/linux/sys_file.go +++ b/pkg/sentry/syscalls/linux/sys_file.go @@ -15,8 +15,7 @@ package linux import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/marshal/primitive" @@ -368,7 +367,7 @@ func createAt(t *kernel.Task, dirFD int32, addr usermem.Addr, flags uint, mode l // Are we able to resolve further? if remainingTraversals == 0 { - return syscall.ELOOP + return unix.ELOOP } // Resolve the symlink to a path via Readlink. @@ -2217,7 +2216,7 @@ func MemfdCreate(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.S allowSeals := flags&linux.MFD_ALLOW_SEALING != 0 cloExec := flags&linux.MFD_CLOEXEC != 0 - name, err := t.CopyInString(addr, syscall.PathMax-len(memfdPrefix)) + name, err := t.CopyInString(addr, unix.PathMax-len(memfdPrefix)) if err != nil { return 0, nil, err } diff --git a/pkg/sentry/syscalls/linux/sys_thread.go b/pkg/sentry/syscalls/linux/sys_thread.go index 8e7ac0ffe..44738c40c 100644 --- a/pkg/sentry/syscalls/linux/sys_thread.go +++ b/pkg/sentry/syscalls/linux/sys_thread.go @@ -16,8 +16,8 @@ package linux import ( "path" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/marshal/primitive" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -417,7 +417,7 @@ func Waitid(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscal si.SetUID(int32(wr.UID)) // TODO(b/73541790): convert kernel.ExitStatus to functions and make // WaitResult.Status a linux.WaitStatus. - s := syscall.WaitStatus(wr.Status) + s := unix.WaitStatus(wr.Status) switch { case s.Exited(): si.Code = arch.CLD_EXITED diff --git a/pkg/sentry/time/sampler_unsafe.go b/pkg/sentry/time/sampler_unsafe.go index e76180217..2ab57c5f8 100644 --- a/pkg/sentry/time/sampler_unsafe.go +++ b/pkg/sentry/time/sampler_unsafe.go @@ -15,8 +15,9 @@ package time import ( - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) // syscallTSCReferenceClocks is the standard referenceClocks, collecting @@ -32,8 +33,8 @@ func (syscallTSCReferenceClocks) Sample(c ClockID) (sample, error) { s.before = Rdtsc() // Don't call clockGettime to avoid a call which may call morestack. - var ts syscall.Timespec - _, _, e := syscall.RawSyscall(syscall.SYS_CLOCK_GETTIME, uintptr(c), uintptr(unsafe.Pointer(&ts)), 0) + var ts unix.Timespec + _, _, e := unix.RawSyscall(unix.SYS_CLOCK_GETTIME, uintptr(c), uintptr(unsafe.Pointer(&ts)), 0) if e != 0 { return sample{}, e } @@ -46,8 +47,8 @@ func (syscallTSCReferenceClocks) Sample(c ClockID) (sample, error) { // clockGettime calls SYS_CLOCK_GETTIME, returning time in nanoseconds. func clockGettime(c ClockID) (ReferenceNS, error) { - var ts syscall.Timespec - _, _, e := syscall.RawSyscall(syscall.SYS_CLOCK_GETTIME, uintptr(c), uintptr(unsafe.Pointer(&ts)), 0) + var ts unix.Timespec + _, _, e := unix.RawSyscall(unix.SYS_CLOCK_GETTIME, uintptr(c), uintptr(unsafe.Pointer(&ts)), 0) if e != 0 { return 0, e } diff --git a/pkg/sentry/usage/memory.go b/pkg/sentry/usage/memory.go index 5ed6726ab..581862ee2 100644 --- a/pkg/sentry/usage/memory.go +++ b/pkg/sentry/usage/memory.go @@ -18,8 +18,8 @@ import ( "fmt" "os" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/bits" "gvisor.dev/gvisor/pkg/memutil" "gvisor.dev/gvisor/pkg/sync" @@ -132,7 +132,7 @@ func Init() error { // always be the case for a newly mapped page from /dev/shm. If we obtain // the shared memory through some other means in the future, we may have to // explicitly zero the page. - mmap, err := syscall.Mmap(int(file.Fd()), 0, int(RTMemoryStatsSize), syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_SHARED) + mmap, err := unix.Mmap(int(file.Fd()), 0, int(RTMemoryStatsSize), unix.PROT_READ|unix.PROT_WRITE, unix.MAP_SHARED) if err != nil { return fmt.Errorf("error mapping usage file: %v", err) } |