summaryrefslogtreecommitdiffhomepage
path: root/runsc/boot
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2018-10-20 11:12:26 -0700
committerShentubot <shentubot@google.com>2018-10-20 11:14:23 -0700
commitb2068cf5a5d43f3898cf389ab2d6151cf61908ac (patch)
tree71ec95233e3c3cfa32757ecb4b01aa73ee9adb1b /runsc/boot
parent8fce67af24945f82378b4c2731cca1788936d074 (diff)
Add more unimplemented syscall events
Added events for *ctl syscalls that may have multiple different commands. For runsc, each syscall event is only logged once. For *ctl syscalls, use the cmd as identifier, not only the syscall number. PiperOrigin-RevId: 218015941 Change-Id: Ie3c19131ae36124861e9b492a7dbe1765d9e5e59
Diffstat (limited to 'runsc/boot')
-rw-r--r--runsc/boot/BUILD9
-rw-r--r--runsc/boot/compat.go72
-rw-r--r--runsc/boot/compat_amd64.go54
-rw-r--r--runsc/boot/compat_test.go66
4 files changed, 193 insertions, 8 deletions
diff --git a/runsc/boot/BUILD b/runsc/boot/BUILD
index f8f848ebf..04cc0e854 100644
--- a/runsc/boot/BUILD
+++ b/runsc/boot/BUILD
@@ -6,6 +6,7 @@ go_library(
name = "boot",
srcs = [
"compat.go",
+ "compat_amd64.go",
"config.go",
"controller.go",
"debug.go",
@@ -59,9 +60,9 @@ go_library(
"//pkg/sentry/socket/unix",
"//pkg/sentry/state",
"//pkg/sentry/strace",
- "//pkg/sentry/syscalls:unimplemented_syscall_go_proto",
"//pkg/sentry/syscalls/linux",
"//pkg/sentry/time",
+ "//pkg/sentry/unimpl:unimplemented_syscall_go_proto",
"//pkg/sentry/usage",
"//pkg/sentry/watchdog",
"//pkg/syserror",
@@ -87,12 +88,16 @@ go_library(
go_test(
name = "boot_test",
size = "small",
- srcs = ["loader_test.go"],
+ srcs = [
+ "compat_test.go",
+ "loader_test.go",
+ ],
embed = [":boot"],
deps = [
"//pkg/control/server",
"//pkg/log",
"//pkg/p9",
+ "//pkg/sentry/arch:registers_go_proto",
"//pkg/sentry/context/contexttest",
"//pkg/sentry/fs",
"//pkg/unet",
diff --git a/runsc/boot/compat.go b/runsc/boot/compat.go
index 6766953b3..d18c2f802 100644
--- a/runsc/boot/compat.go
+++ b/runsc/boot/compat.go
@@ -17,6 +17,8 @@ package boot
import (
"fmt"
"os"
+ "sync"
+ "syscall"
"github.com/golang/protobuf/proto"
"gvisor.googlesource.com/gvisor/pkg/abi"
@@ -25,7 +27,7 @@ import (
"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
rpb "gvisor.googlesource.com/gvisor/pkg/sentry/arch/registers_go_proto"
"gvisor.googlesource.com/gvisor/pkg/sentry/strace"
- spb "gvisor.googlesource.com/gvisor/pkg/sentry/syscalls/unimplemented_syscall_go_proto"
+ spb "gvisor.googlesource.com/gvisor/pkg/sentry/unimpl/unimplemented_syscall_go_proto"
)
func initCompatLogs(fd int) error {
@@ -40,15 +42,27 @@ func initCompatLogs(fd int) error {
type compatEmitter struct {
sink *log.BasicLogger
nameMap strace.SyscallMap
+
+ // mu protects the fields below.
+ mu sync.Mutex
+
+ // trackers map syscall number to the respective tracker instance.
+ // Protected by 'mu'.
+ trackers map[uint64]syscallTracker
}
func newCompatEmitter(logFD int) (*compatEmitter, error) {
- // Always logs to default logger.
nameMap, ok := strace.Lookup(abi.Linux, arch.AMD64)
if !ok {
return nil, fmt.Errorf("amd64 Linux syscall table not found")
}
- c := &compatEmitter{sink: log.Log(), nameMap: nameMap}
+
+ c := &compatEmitter{
+ // Always logs to default logger.
+ sink: log.Log(),
+ nameMap: nameMap,
+ trackers: make(map[uint64]syscallTracker),
+ }
if logFD > 0 {
f := os.NewFile(uintptr(logFD), "user log file")
@@ -61,10 +75,33 @@ func newCompatEmitter(logFD int) (*compatEmitter, error) {
// Emit implements eventchannel.Emitter.
func (c *compatEmitter) Emit(msg proto.Message) (hangup bool, err error) {
// Only interested in UnimplementedSyscall, skip the rest.
- if us, ok := msg.(*spb.UnimplementedSyscall); ok {
- regs := us.Registers.GetArch().(*rpb.Registers_Amd64).Amd64
- sysnr := regs.OrigRax
+ us, ok := msg.(*spb.UnimplementedSyscall)
+ if !ok {
+ return false, nil
+ }
+ regs := us.Registers.GetArch().(*rpb.Registers_Amd64).Amd64
+
+ c.mu.Lock()
+ defer c.mu.Unlock()
+
+ sysnr := regs.OrigRax
+ tr := c.trackers[sysnr]
+ if tr == nil {
+ switch sysnr {
+ case syscall.SYS_PRCTL, syscall.SYS_ARCH_PRCTL:
+ tr = newCmdTracker(0)
+
+ case syscall.SYS_IOCTL, syscall.SYS_EPOLL_CTL, syscall.SYS_SHMCTL:
+ tr = newCmdTracker(1)
+
+ default:
+ tr = &onceTracker{}
+ }
+ c.trackers[sysnr] = tr
+ }
+ if tr.shouldReport(regs) {
c.sink.Infof("Unsupported syscall: %s, regs: %+v", c.nameMap.Name(uintptr(sysnr)), regs)
+ tr.onReported(regs)
}
return false, nil
}
@@ -74,3 +111,26 @@ func (c *compatEmitter) Close() error {
c.sink = nil
return nil
}
+
+// syscallTracker interface allows filters to apply differently depending on
+// the syscall and arguments.
+type syscallTracker interface {
+ // shouldReport returns true is the syscall should be reported.
+ shouldReport(regs *rpb.AMD64Registers) bool
+
+ // onReported marks the syscall as reported.
+ onReported(regs *rpb.AMD64Registers)
+}
+
+// onceTracker reports only a single time, used for most syscalls.
+type onceTracker struct {
+ reported bool
+}
+
+func (o *onceTracker) shouldReport(_ *rpb.AMD64Registers) bool {
+ return !o.reported
+}
+
+func (o *onceTracker) onReported(_ *rpb.AMD64Registers) {
+ o.reported = true
+}
diff --git a/runsc/boot/compat_amd64.go b/runsc/boot/compat_amd64.go
new file mode 100644
index 000000000..2bb769a49
--- /dev/null
+++ b/runsc/boot/compat_amd64.go
@@ -0,0 +1,54 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package boot
+
+import (
+ "fmt"
+
+ rpb "gvisor.googlesource.com/gvisor/pkg/sentry/arch/registers_go_proto"
+)
+
+// cmdTracker reports only a single time for each different command argument in
+// the syscall. It's used for generic syscalls like ioctl to report once per
+// 'cmd'
+type cmdTracker struct {
+ // argIdx is the syscall argument index where the command is located.
+ argIdx int
+ cmds map[uint32]struct{}
+}
+
+func newCmdTracker(argIdx int) *cmdTracker {
+ return &cmdTracker{argIdx: argIdx, cmds: make(map[uint32]struct{})}
+}
+
+// cmd returns the command based on the syscall argument index.
+func (c *cmdTracker) cmd(regs *rpb.AMD64Registers) uint32 {
+ switch c.argIdx {
+ case 0:
+ return uint32(regs.Rdi)
+ case 1:
+ return uint32(regs.Rsi)
+ }
+ panic(fmt.Sprintf("unsupported syscall argument index %d", c.argIdx))
+}
+
+func (c *cmdTracker) shouldReport(regs *rpb.AMD64Registers) bool {
+ _, ok := c.cmds[c.cmd(regs)]
+ return !ok
+}
+
+func (c *cmdTracker) onReported(regs *rpb.AMD64Registers) {
+ c.cmds[c.cmd(regs)] = struct{}{}
+}
diff --git a/runsc/boot/compat_test.go b/runsc/boot/compat_test.go
new file mode 100644
index 000000000..30b94798a
--- /dev/null
+++ b/runsc/boot/compat_test.go
@@ -0,0 +1,66 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package boot
+
+import (
+ "testing"
+
+ rpb "gvisor.googlesource.com/gvisor/pkg/sentry/arch/registers_go_proto"
+)
+
+func TestOnceTracker(t *testing.T) {
+ o := onceTracker{}
+ if !o.shouldReport(nil) {
+ t.Error("first call to checkAndMark, got: false, want: true")
+ }
+ o.onReported(nil)
+ for i := 0; i < 2; i++ {
+ if o.shouldReport(nil) {
+ t.Error("after first call to checkAndMark, got: true, want: false")
+ }
+ }
+}
+
+func TestCmdTracker(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ idx int
+ rdi1 uint64
+ rdi2 uint64
+ rsi1 uint64
+ rsi2 uint64
+ want bool
+ }{
+ {name: "same rdi", idx: 0, rdi1: 123, rdi2: 123, want: false},
+ {name: "same rsi", idx: 1, rsi1: 123, rsi2: 123, want: false},
+ {name: "diff rdi", idx: 0, rdi1: 123, rdi2: 321, want: true},
+ {name: "diff rsi", idx: 1, rsi1: 123, rsi2: 321, want: true},
+ {name: "cmd is uint32", idx: 0, rsi1: 0xdead00000123, rsi2: 0xbeef00000123, want: false},
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ c := newCmdTracker(tc.idx)
+ regs := &rpb.AMD64Registers{Rdi: tc.rdi1, Rsi: tc.rsi1}
+ if !c.shouldReport(regs) {
+ t.Error("first call to checkAndMark, got: false, want: true")
+ }
+ c.onReported(regs)
+
+ regs.Rdi, regs.Rsi = tc.rdi2, tc.rsi2
+ if got := c.shouldReport(regs); tc.want != got {
+ t.Errorf("after first call to checkAndMark, got: %t, want: %t", got, tc.want)
+ }
+ })
+ }
+}