summaryrefslogtreecommitdiffhomepage
path: root/pkg
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-01-12 20:47:44 +0000
committergVisor bot <gvisor-bot@google.com>2021-01-12 20:47:44 +0000
commitfbc3a3d984eb113f7487e38ba55e5f813fc72aec (patch)
treed22a96c80f5f9a35c71687740e35c0021475d428 /pkg
parent1ea6658d24215e9fbcdb693b00884e1bdbdcc95d (diff)
parent4e03e87547853523d4ff941935a6ef1712518c61 (diff)
Merge release-20201216.0-87-g4e03e8754 (automated)
Diffstat (limited to 'pkg')
-rw-r--r--pkg/abi/linux/fadvise.go1
-rw-r--r--pkg/abi/linux/ipc.go14
-rw-r--r--pkg/abi/linux/netfilter_ipv6.go1
-rw-r--r--pkg/abi/linux/sched.go1
-rw-r--r--pkg/abi/linux/seccomp.go2
-rw-r--r--pkg/abi/linux/sem.go5
-rw-r--r--pkg/cpuid/cpuid_arm64.go4
-rw-r--r--pkg/p9/client.go2
-rw-r--r--pkg/seccomp/seccomp.go4
-rw-r--r--pkg/sentry/fs/fsutil/dirty_set_impl.go6
-rw-r--r--pkg/sentry/fs/fsutil/file_range_set_impl.go6
-rw-r--r--pkg/sentry/fs/fsutil/frame_ref_set_impl.go6
-rw-r--r--pkg/sentry/fs/fsutil/inode.go1
-rw-r--r--pkg/sentry/fs/inode.go1
-rw-r--r--pkg/sentry/fs/lock/lock_set.go6
-rw-r--r--pkg/sentry/kernel/auth/id.go14
-rw-r--r--pkg/sentry/kernel/auth/id_map_set.go6
-rw-r--r--pkg/sentry/kernel/kernel.go4
-rw-r--r--pkg/sentry/memmap/mapping_set_impl.go6
-rw-r--r--pkg/sentry/mm/file_refcount_set.go6
-rw-r--r--pkg/sentry/mm/pma_set.go6
-rw-r--r--pkg/sentry/mm/vma_set.go6
-rw-r--r--pkg/sentry/pgalloc/evictable_range_set.go6
-rw-r--r--pkg/sentry/pgalloc/reclaim_set.go6
-rw-r--r--pkg/sentry/pgalloc/usage_set.go6
-rw-r--r--pkg/sentry/platform/ring0/kernel_amd64.go1
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go2
-rw-r--r--pkg/sentry/socket/netfilter/owner_matcher.go1
-rw-r--r--pkg/sentry/socket/unix/unix.go2
-rw-r--r--pkg/sentry/syscalls/linux/sys_sync.go1
-rw-r--r--pkg/sentry/vfs/inotify.go2
-rw-r--r--pkg/shim/v1/shim/api.go13
-rw-r--r--pkg/shim/v2/api.go1
-rw-r--r--pkg/state/addr_set.go6
-rw-r--r--pkg/tcpip/stack/conntrack.go14
-rw-r--r--pkg/tcpip/stack/iptables.go66
-rw-r--r--pkg/tcpip/stack/iptables_types.go10
37 files changed, 143 insertions, 102 deletions
diff --git a/pkg/abi/linux/fadvise.go b/pkg/abi/linux/fadvise.go
index b06ff9964..97e2e4532 100644
--- a/pkg/abi/linux/fadvise.go
+++ b/pkg/abi/linux/fadvise.go
@@ -14,6 +14,7 @@
package linux
+// Fadvise constants.
const (
POSIX_FADV_NORMAL = 0
POSIX_FADV_RANDOM = 1
diff --git a/pkg/abi/linux/ipc.go b/pkg/abi/linux/ipc.go
index c6e65df62..f84144355 100644
--- a/pkg/abi/linux/ipc.go
+++ b/pkg/abi/linux/ipc.go
@@ -14,8 +14,9 @@
package linux
-// Control commands used with semctl, shmctl, and msgctl. Source:
-// include/uapi/linux/ipc.h.
+// Control commands used with semctl, shmctl, and msgctl.
+//
+// Source: include/uapi/linux/ipc.h.
const (
IPC_RMID = 0
IPC_SET = 1
@@ -23,14 +24,19 @@ const (
IPC_INFO = 3
)
-// resource get request flags. Source: include/uapi/linux/ipc.h
+// Resource get request flags.
+//
+// Source: include/uapi/linux/ipc.h
const (
IPC_CREAT = 00001000
IPC_EXCL = 00002000
IPC_NOWAIT = 00004000
)
-const IPC_PRIVATE = 0
+// IPC flags.
+const (
+ IPC_PRIVATE = 0
+)
// In Linux, amd64 does not enable CONFIG_ARCH_WANT_IPC_PARSE_VERSION, so SysV
// IPC unconditionally uses the "new" 64-bit structures that are needed for
diff --git a/pkg/abi/linux/netfilter_ipv6.go b/pkg/abi/linux/netfilter_ipv6.go
index 6d31eb5e3..bcb57642e 100644
--- a/pkg/abi/linux/netfilter_ipv6.go
+++ b/pkg/abi/linux/netfilter_ipv6.go
@@ -288,6 +288,7 @@ type IP6TIP struct {
_ [3]byte
}
+// SizeOfIP6TIP is the size of an IP6 header.
const SizeOfIP6TIP = 136
// Flags in IP6TIP.Flags. Corresponding constants are in
diff --git a/pkg/abi/linux/sched.go b/pkg/abi/linux/sched.go
index 70e820823..2a67921e6 100644
--- a/pkg/abi/linux/sched.go
+++ b/pkg/abi/linux/sched.go
@@ -29,6 +29,7 @@ const (
SCHED_RESET_ON_FORK = 0x40000000
)
+// Scheduling priority group selectors.
const (
PRIO_PGRP = 0x1
PRIO_PROCESS = 0x0
diff --git a/pkg/abi/linux/seccomp.go b/pkg/abi/linux/seccomp.go
index 5be3f10f9..e64501fac 100644
--- a/pkg/abi/linux/seccomp.go
+++ b/pkg/abi/linux/seccomp.go
@@ -30,8 +30,10 @@ const (
SECCOMP_GET_ACTION_AVAIL = 2
)
+// BPFAction is an action for a BPF filter.
type BPFAction uint32
+// BPFAction definitions.
const (
SECCOMP_RET_KILL_PROCESS BPFAction = 0x80000000
SECCOMP_RET_KILL_THREAD BPFAction = 0x00000000
diff --git a/pkg/abi/linux/sem.go b/pkg/abi/linux/sem.go
index 2424884c1..bc7b4f0ee 100644
--- a/pkg/abi/linux/sem.go
+++ b/pkg/abi/linux/sem.go
@@ -49,7 +49,10 @@ const (
SEMUSZ = 20
)
-const SEM_UNDO = 0x1000
+// Semaphore flags.
+const (
+ SEM_UNDO = 0x1000
+)
// Sembuf is equivalent to struct sembuf.
//
diff --git a/pkg/cpuid/cpuid_arm64.go b/pkg/cpuid/cpuid_arm64.go
index ac7bb6774..98c6ec62f 100644
--- a/pkg/cpuid/cpuid_arm64.go
+++ b/pkg/cpuid/cpuid_arm64.go
@@ -267,7 +267,7 @@ func (fs *FeatureSet) UseXsave() bool {
// FlagsString prints out supported CPU "flags" field in /proc/cpuinfo.
func (fs *FeatureSet) FlagsString() string {
var s []string
- for f, _ := range arm64FeatureStrings {
+ for f := range arm64FeatureStrings {
if fs.Set[f] {
if fstr := f.flagString(); fstr != "" {
s = append(s, fstr)
@@ -296,7 +296,7 @@ func (fs FeatureSet) WriteCPUInfoTo(cpu uint, b *bytes.Buffer) {
func HostFeatureSet() *FeatureSet {
s := make(map[Feature]bool)
- for f, _ := range arm64FeatureStrings {
+ for f := range arm64FeatureStrings {
if hwCap&(1<<f) != 0 {
s[f] = true
}
diff --git a/pkg/p9/client.go b/pkg/p9/client.go
index eadea390a..3f4324ac1 100644
--- a/pkg/p9/client.go
+++ b/pkg/p9/client.go
@@ -241,7 +241,7 @@ func (c *Client) watch(socket *unet.Socket) {
defer c.closedWg.Done()
events := []unix.PollFd{
- unix.PollFd{
+ {
Fd: int32(socket.FD()),
Events: unix.POLLHUP | unix.POLLRDHUP,
},
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index ec17ebc4d..daea51c4d 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -61,7 +61,7 @@ func Install(rules SyscallRules) error {
log.Infof("Installing seccomp filters for %d syscalls (action=%v)", len(rules), defaultAction)
instrs, err := BuildProgram([]RuleSet{
- RuleSet{
+ {
Rules: rules,
Action: linux.SECCOMP_RET_ALLOW,
},
@@ -160,7 +160,7 @@ func buildIndex(rules []RuleSet, program *bpf.ProgramBuilder) error {
}
}
syscalls := make([]uintptr, 0, len(requiredSyscalls))
- for sysno, _ := range requiredSyscalls {
+ for sysno := range requiredSyscalls {
syscalls = append(syscalls, sysno)
}
sort.Slice(syscalls, func(i, j int) bool { return syscalls[i] < syscalls[j] })
diff --git a/pkg/sentry/fs/fsutil/dirty_set_impl.go b/pkg/sentry/fs/fsutil/dirty_set_impl.go
index 9f1463389..2c6a10fc4 100644
--- a/pkg/sentry/fs/fsutil/dirty_set_impl.go
+++ b/pkg/sentry/fs/fsutil/dirty_set_impl.go
@@ -1560,8 +1560,8 @@ type DirtySegmentDataSlices struct {
Values []DirtyInfo
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *DirtySet) ExportSortedSlices() *DirtySegmentDataSlices {
var sds DirtySegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *DirtySet) ExportSortedSlices() *DirtySegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/fs/fsutil/file_range_set_impl.go b/pkg/sentry/fs/fsutil/file_range_set_impl.go
index 374ed79b7..7568fb790 100644
--- a/pkg/sentry/fs/fsutil/file_range_set_impl.go
+++ b/pkg/sentry/fs/fsutil/file_range_set_impl.go
@@ -1560,8 +1560,8 @@ type FileRangeSegmentDataSlices struct {
Values []uint64
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *FileRangeSet) ExportSortedSlices() *FileRangeSegmentDataSlices {
var sds FileRangeSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *FileRangeSet) ExportSortedSlices() *FileRangeSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/fs/fsutil/frame_ref_set_impl.go b/pkg/sentry/fs/fsutil/frame_ref_set_impl.go
index 619246875..6657addf4 100644
--- a/pkg/sentry/fs/fsutil/frame_ref_set_impl.go
+++ b/pkg/sentry/fs/fsutil/frame_ref_set_impl.go
@@ -1560,8 +1560,8 @@ type FrameRefSegmentDataSlices struct {
Values []uint64
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *FrameRefSet) ExportSortedSlices() *FrameRefSegmentDataSlices {
var sds FrameRefSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *FrameRefSet) ExportSortedSlices() *FrameRefSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/fs/fsutil/inode.go b/pkg/sentry/fs/fsutil/inode.go
index 1922ff08c..85e7e35db 100644
--- a/pkg/sentry/fs/fsutil/inode.go
+++ b/pkg/sentry/fs/fsutil/inode.go
@@ -510,6 +510,7 @@ func (InodeDenyWriteChecker) Check(ctx context.Context, inode *fs.Inode, p fs.Pe
//InodeNotAllocatable can be used by Inodes that do not support Allocate().
type InodeNotAllocatable struct{}
+// Allocate implements fs.InodeOperations.Allocate.
func (InodeNotAllocatable) Allocate(_ context.Context, _ *fs.Inode, _, _ int64) error {
return syserror.EOPNOTSUPP
}
diff --git a/pkg/sentry/fs/inode.go b/pkg/sentry/fs/inode.go
index 9b3d8166a..41a3c2047 100644
--- a/pkg/sentry/fs/inode.go
+++ b/pkg/sentry/fs/inode.go
@@ -367,6 +367,7 @@ func (i *Inode) Truncate(ctx context.Context, d *Dirent, size int64) error {
return i.InodeOperations.Truncate(ctx, i, size)
}
+// Allocate calls i.InodeOperations.Allocate with i as the Inode.
func (i *Inode) Allocate(ctx context.Context, d *Dirent, offset int64, length int64) error {
if i.overlay != nil {
return overlayAllocate(ctx, i.overlay, d, offset, length)
diff --git a/pkg/sentry/fs/lock/lock_set.go b/pkg/sentry/fs/lock/lock_set.go
index 37c216b95..4bc830883 100644
--- a/pkg/sentry/fs/lock/lock_set.go
+++ b/pkg/sentry/fs/lock/lock_set.go
@@ -1556,8 +1556,8 @@ type LockSegmentDataSlices struct {
Values []Lock
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *LockSet) ExportSortedSlices() *LockSegmentDataSlices {
var sds LockSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1571,7 +1571,7 @@ func (s *LockSet) ExportSortedSlices() *LockSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/kernel/auth/id.go b/pkg/sentry/kernel/auth/id.go
index 4c32ee703..994486ea8 100644
--- a/pkg/sentry/kernel/auth/id.go
+++ b/pkg/sentry/kernel/auth/id.go
@@ -62,18 +62,28 @@ const (
// field is displayed as 4294967295 (-1 as an unsigned integer);" -
// user_namespaces(7)
OverflowUID = UID(65534)
+
+ // OverflowGID is the group equivalent to OverflowUID.
OverflowGID = GID(65534)
// NobodyKUID is the user ID usually reserved for the least privileged user
// "nobody".
NobodyKUID = KUID(65534)
+
+ // NobodyKGID is the group equivalent to NobodyKUID.
NobodyKGID = KGID(65534)
// RootKUID is the user ID usually used for the most privileged user "root".
RootKUID = KUID(0)
+
+ // RootKGID is the group equivalent to RootKUID.
RootKGID = KGID(0)
- RootUID = UID(0)
- RootGID = GID(0)
+
+ // RootUID is the root user.
+ RootUID = UID(0)
+
+ // RootGID is the root group.
+ RootGID = GID(0)
)
// Ok returns true if uid is not -1.
diff --git a/pkg/sentry/kernel/auth/id_map_set.go b/pkg/sentry/kernel/auth/id_map_set.go
index d8a05ce46..479753981 100644
--- a/pkg/sentry/kernel/auth/id_map_set.go
+++ b/pkg/sentry/kernel/auth/id_map_set.go
@@ -1556,8 +1556,8 @@ type idMapSegmentDataSlices struct {
Values []uint32
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *idMapSet) ExportSortedSlices() *idMapSegmentDataSlices {
var sds idMapSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1571,7 +1571,7 @@ func (s *idMapSet) ExportSortedSlices() *idMapSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go
index b8627a54f..303ae8056 100644
--- a/pkg/sentry/kernel/kernel.go
+++ b/pkg/sentry/kernel/kernel.go
@@ -1433,8 +1433,8 @@ func (k *Kernel) GlobalInit() *ThreadGroup {
return k.globalInit
}
-// TestOnly_SetGlobalInit sets the thread group with ID 1 in the root PID namespace.
-func (k *Kernel) TestOnly_SetGlobalInit(tg *ThreadGroup) {
+// TestOnlySetGlobalInit sets the thread group with ID 1 in the root PID namespace.
+func (k *Kernel) TestOnlySetGlobalInit(tg *ThreadGroup) {
k.globalInit = tg
}
diff --git a/pkg/sentry/memmap/mapping_set_impl.go b/pkg/sentry/memmap/mapping_set_impl.go
index eda4579e8..c32df9259 100644
--- a/pkg/sentry/memmap/mapping_set_impl.go
+++ b/pkg/sentry/memmap/mapping_set_impl.go
@@ -1556,8 +1556,8 @@ type MappingSegmentDataSlices struct {
Values []MappingsOfRange
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *MappingSet) ExportSortedSlices() *MappingSegmentDataSlices {
var sds MappingSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1571,7 +1571,7 @@ func (s *MappingSet) ExportSortedSlices() *MappingSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/mm/file_refcount_set.go b/pkg/sentry/mm/file_refcount_set.go
index 1d956b4b4..602a137d4 100644
--- a/pkg/sentry/mm/file_refcount_set.go
+++ b/pkg/sentry/mm/file_refcount_set.go
@@ -1560,8 +1560,8 @@ type fileRefcountSegmentDataSlices struct {
Values []int32
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *fileRefcountSet) ExportSortedSlices() *fileRefcountSegmentDataSlices {
var sds fileRefcountSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *fileRefcountSet) ExportSortedSlices() *fileRefcountSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/mm/pma_set.go b/pkg/sentry/mm/pma_set.go
index 09fe6b05f..dbcf2b053 100644
--- a/pkg/sentry/mm/pma_set.go
+++ b/pkg/sentry/mm/pma_set.go
@@ -1560,8 +1560,8 @@ type pmaSegmentDataSlices struct {
Values []pma
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *pmaSet) ExportSortedSlices() *pmaSegmentDataSlices {
var sds pmaSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *pmaSet) ExportSortedSlices() *pmaSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/mm/vma_set.go b/pkg/sentry/mm/vma_set.go
index 3b32d3cb5..333324640 100644
--- a/pkg/sentry/mm/vma_set.go
+++ b/pkg/sentry/mm/vma_set.go
@@ -1560,8 +1560,8 @@ type vmaSegmentDataSlices struct {
Values []vma
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *vmaSet) ExportSortedSlices() *vmaSegmentDataSlices {
var sds vmaSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *vmaSet) ExportSortedSlices() *vmaSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/pgalloc/evictable_range_set.go b/pkg/sentry/pgalloc/evictable_range_set.go
index 7619b106e..c0c712b21 100644
--- a/pkg/sentry/pgalloc/evictable_range_set.go
+++ b/pkg/sentry/pgalloc/evictable_range_set.go
@@ -1556,8 +1556,8 @@ type evictableRangeSegmentDataSlices struct {
Values []evictableRangeSetValue
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *evictableRangeSet) ExportSortedSlices() *evictableRangeSegmentDataSlices {
var sds evictableRangeSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1571,7 +1571,7 @@ func (s *evictableRangeSet) ExportSortedSlices() *evictableRangeSegmentDataSlice
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/pgalloc/reclaim_set.go b/pkg/sentry/pgalloc/reclaim_set.go
index 5c62c03fe..737f38776 100644
--- a/pkg/sentry/pgalloc/reclaim_set.go
+++ b/pkg/sentry/pgalloc/reclaim_set.go
@@ -1560,8 +1560,8 @@ type reclaimSegmentDataSlices struct {
Values []reclaimSetValue
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *reclaimSet) ExportSortedSlices() *reclaimSegmentDataSlices {
var sds reclaimSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *reclaimSet) ExportSortedSlices() *reclaimSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/pgalloc/usage_set.go b/pkg/sentry/pgalloc/usage_set.go
index edabff0d8..8d96e817a 100644
--- a/pkg/sentry/pgalloc/usage_set.go
+++ b/pkg/sentry/pgalloc/usage_set.go
@@ -1560,8 +1560,8 @@ type usageSegmentDataSlices struct {
Values []usageInfo
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *usageSet) ExportSortedSlices() *usageSegmentDataSlices {
var sds usageSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1575,7 +1575,7 @@ func (s *usageSet) ExportSortedSlices() *usageSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/sentry/platform/ring0/kernel_amd64.go b/pkg/sentry/platform/ring0/kernel_amd64.go
index b55dc29b3..36a60700e 100644
--- a/pkg/sentry/platform/ring0/kernel_amd64.go
+++ b/pkg/sentry/platform/ring0/kernel_amd64.go
@@ -65,6 +65,7 @@ func (k *Kernel) init(maxCPUs int) {
}
}
+// EntryRegions returns the set of kernel entry regions (must be mapped).
func (k *Kernel) EntryRegions() map[uintptr]uintptr {
regions := make(map[uintptr]uintptr)
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index b283d7229..26bd1abd4 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -205,7 +205,7 @@ func SetEntries(stk *stack.Stack, optVal []byte, ipv6 bool) *syserr.Error {
// Go through the list of supported hooks for this table and, for each
// one, set the rule it corresponds to.
- for hook, _ := range replace.HookEntry {
+ for hook := range replace.HookEntry {
if table.ValidHooks()&(1<<hook) != 0 {
hk := hookFromLinux(hook)
table.BuiltinChains[hk] = stack.HookUnset
diff --git a/pkg/sentry/socket/netfilter/owner_matcher.go b/pkg/sentry/socket/netfilter/owner_matcher.go
index 1b4e0ad79..69d13745e 100644
--- a/pkg/sentry/socket/netfilter/owner_matcher.go
+++ b/pkg/sentry/socket/netfilter/owner_matcher.go
@@ -96,6 +96,7 @@ func (ownerMarshaler) unmarshal(buf []byte, filter stack.IPHeaderFilter) (stack.
return &owner, nil
}
+// OwnerMatcher matches against a UID and/or GID.
type OwnerMatcher struct {
uid uint32
gid uint32
diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go
index c59297c80..6c4ec55b2 100644
--- a/pkg/sentry/socket/unix/unix.go
+++ b/pkg/sentry/socket/unix/unix.go
@@ -471,7 +471,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b
if len(to) > 0 {
switch s.stype {
case linux.SOCK_SEQPACKET:
- to = nil
+ // to is ignored.
case linux.SOCK_STREAM:
if s.State() == linux.SS_CONNECTED {
return 0, syserr.ErrAlreadyConnected
diff --git a/pkg/sentry/syscalls/linux/sys_sync.go b/pkg/sentry/syscalls/linux/sys_sync.go
index 048a21c6e..5ebd4461f 100644
--- a/pkg/sentry/syscalls/linux/sys_sync.go
+++ b/pkg/sentry/syscalls/linux/sys_sync.go
@@ -125,6 +125,7 @@ func SyncFileRange(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel
//
// It should be safe to skipped this flag while nobody uses
// SYNC_FILE_RANGE_WAIT_BEFORE.
+ _ = nbytes
// SYNC_FILE_RANGE_WAIT_AFTER waits upon write-out of all pages in the
// range after performing any write.
diff --git a/pkg/sentry/vfs/inotify.go b/pkg/sentry/vfs/inotify.go
index 107171b61..a48ac1cd6 100644
--- a/pkg/sentry/vfs/inotify.go
+++ b/pkg/sentry/vfs/inotify.go
@@ -738,7 +738,7 @@ func InotifyEventFromStatMask(mask uint32) uint32 {
} else if mask&linux.STATX_ATIME != 0 {
ev |= linux.IN_ACCESS
} else if mask&linux.STATX_MTIME != 0 {
- mask |= linux.IN_MODIFY
+ ev |= linux.IN_MODIFY
}
return ev
}
diff --git a/pkg/shim/v1/shim/api.go b/pkg/shim/v1/shim/api.go
index 5dd8ff172..8200eb012 100644
--- a/pkg/shim/v1/shim/api.go
+++ b/pkg/shim/v1/shim/api.go
@@ -19,10 +19,23 @@ import (
"github.com/containerd/containerd/api/events"
)
+// TaskCreate is an alias for events.TaskCreate.
type TaskCreate = events.TaskCreate
+
+// TaskStart is an alias for events.TaskStart.
type TaskStart = events.TaskStart
+
+// TaskOOM is an alias for events.TaskOOM.
type TaskOOM = events.TaskOOM
+
+// TaskExit is an alias for events.TaskExit.
type TaskExit = events.TaskExit
+
+// TaskDelete is an alias for events.TaskDelete.
type TaskDelete = events.TaskDelete
+
+// TaskExecAdded is an alias for events.TaskExecAdded.
type TaskExecAdded = events.TaskExecAdded
+
+// TaskExecStarted is an alias for events.TaskExecStarted.
type TaskExecStarted = events.TaskExecStarted
diff --git a/pkg/shim/v2/api.go b/pkg/shim/v2/api.go
index dbe5c59f6..5a60a04db 100644
--- a/pkg/shim/v2/api.go
+++ b/pkg/shim/v2/api.go
@@ -19,4 +19,5 @@ import (
"github.com/containerd/containerd/api/events"
)
+// TaskOOM is an alias for events.TaskOOM.
type TaskOOM = events.TaskOOM
diff --git a/pkg/state/addr_set.go b/pkg/state/addr_set.go
index 591af5292..8abc3dd34 100644
--- a/pkg/state/addr_set.go
+++ b/pkg/state/addr_set.go
@@ -1556,8 +1556,8 @@ type addrSegmentDataSlices struct {
Values []*objectEncodeState
}
-// ExportSortedSlice returns a copy of all segments in the given set, in ascending
-// key order.
+// ExportSortedSlices returns a copy of all segments in the given set, in
+// ascending key order.
func (s *addrSet) ExportSortedSlices() *addrSegmentDataSlices {
var sds addrSegmentDataSlices
for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() {
@@ -1571,7 +1571,7 @@ func (s *addrSet) ExportSortedSlices() *addrSegmentDataSlices {
return &sds
}
-// ImportSortedSlice initializes the given set from the given slice.
+// ImportSortedSlices initializes the given set from the given slice.
//
// Preconditions:
// * s must be empty.
diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go
index 9a17efcba..5e649cca6 100644
--- a/pkg/tcpip/stack/conntrack.go
+++ b/pkg/tcpip/stack/conntrack.go
@@ -142,19 +142,19 @@ func (cn *conn) timedOut(now time.Time) bool {
// update the connection tracking state.
//
-// Precondition: ct.mu must be held.
-func (ct *conn) updateLocked(tcpHeader header.TCP, hook Hook) {
+// Precondition: cn.mu must be held.
+func (cn *conn) updateLocked(tcpHeader header.TCP, hook Hook) {
// Update the state of tcb. tcb assumes it's always initialized on the
// client. However, we only need to know whether the connection is
// established or not, so the client/server distinction isn't important.
// TODO(gvisor.dev/issue/170): Add support in tcpconntrack to handle
// other tcp states.
- if ct.tcb.IsEmpty() {
- ct.tcb.Init(tcpHeader)
- } else if hook == ct.tcbHook {
- ct.tcb.UpdateStateOutbound(tcpHeader)
+ if cn.tcb.IsEmpty() {
+ cn.tcb.Init(tcpHeader)
+ } else if hook == cn.tcbHook {
+ cn.tcb.UpdateStateOutbound(tcpHeader)
} else {
- ct.tcb.UpdateStateInbound(tcpHeader)
+ cn.tcb.UpdateStateInbound(tcpHeader)
}
}
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index 2d8c883cd..09c7811fa 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -45,13 +45,13 @@ const reaperDelay = 5 * time.Second
func DefaultTables() *IPTables {
return &IPTables{
v4Tables: [NumTables]Table{
- NATID: Table{
+ NATID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -68,11 +68,11 @@ func DefaultTables() *IPTables {
Postrouting: 3,
},
},
- MangleID: Table{
+ MangleID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -86,12 +86,12 @@ func DefaultTables() *IPTables {
Postrouting: HookUnset,
},
},
- FilterID: Table{
+ FilterID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: HookUnset,
@@ -110,13 +110,13 @@ func DefaultTables() *IPTables {
},
},
v6Tables: [NumTables]Table{
- NATID: Table{
+ NATID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -133,11 +133,11 @@ func DefaultTables() *IPTables {
Postrouting: 3,
},
},
- MangleID: Table{
+ MangleID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -151,12 +151,12 @@ func DefaultTables() *IPTables {
Postrouting: HookUnset,
},
},
- FilterID: Table{
+ FilterID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: HookUnset,
@@ -175,9 +175,9 @@ func DefaultTables() *IPTables {
},
},
priorities: [NumHooks][]TableID{
- Prerouting: []TableID{MangleID, NATID},
- Input: []TableID{NATID, FilterID},
- Output: []TableID{MangleID, NATID, FilterID},
+ Prerouting: {MangleID, NATID},
+ Input: {NATID, FilterID},
+ Output: {MangleID, NATID, FilterID},
},
connections: ConnTrack{
seed: generateRandUint32(),
diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go
index 4b86c1be9..56a3e7861 100644
--- a/pkg/tcpip/stack/iptables_types.go
+++ b/pkg/tcpip/stack/iptables_types.go
@@ -56,7 +56,7 @@ const (
// Postrouting happens just before a packet goes out on the wire.
Postrouting
- // The total number of hooks.
+ // NumHooks is the total number of hooks.
NumHooks
)
@@ -273,14 +273,12 @@ func (fl IPHeaderFilter) match(pkt *PacketBuffer, hook Hook, nicName string) boo
return true
}
- // If the interface name ends with '+', any interface which begins
- // with the name should be matched.
+ // If the interface name ends with '+', any interface which
+ // begins with the name should be matched.
ifName := fl.OutputInterface
- matches := true
+ matches := nicName == ifName
if strings.HasSuffix(ifName, "+") {
matches = strings.HasPrefix(nicName, ifName[:n-1])
- } else {
- matches = nicName == ifName
}
return fl.OutputInterfaceInvert != matches
}