authorgVisor bot <gvisor-bot@google.com>2021-03-07 06:11:49 +0000
committergVisor bot <gvisor-bot@google.com>2021-03-07 06:11:49 +0000
commit05c2d6c038777818932d3991c0de9cfa2a7bea51 (patch)
tree2a394d8666124ff8188b0c945854e2b7e3281217 /runsc/boot
parent2fa12b2aa91ba00211df440f5e6a64e45a2ecb91 (diff)
parente668288fafe378ab4dc7fbb23ac933a15a2fff94 (diff)
Merge release-20210301.0-22-ge668288fa (automated)
Diffstat (limited to 'runsc/boot')
-rw-r--r--runsc/boot/compat.go12
-rw-r--r--runsc/boot/compat_amd64.go4
-rw-r--r--runsc/boot/controller.go4
-rw-r--r--runsc/boot/filter/config.go379
-rw-r--r--runsc/boot/filter/config_amd64.go33
-rw-r--r--runsc/boot/filter/config_arm64.go17
-rw-r--r--runsc/boot/filter/config_profile.go7
-rw-r--r--runsc/boot/filter/extra_filters_msan.go11
-rw-r--r--runsc/boot/filter/extra_filters_race.go25
-rw-r--r--runsc/boot/fs.go12
-rw-r--r--runsc/boot/limits.go8
-rw-r--r--runsc/boot/network.go4
12 files changed, 255 insertions, 261 deletions
diff --git a/runsc/boot/compat.go b/runsc/boot/compat.go
index a3a76b609..28e82e117 100644
--- a/runsc/boot/compat.go
+++ b/runsc/boot/compat.go
@@ -17,8 +17,8 @@ package boot
import (
"fmt"
"os"
- "syscall"
+ "golang.org/x/sys/unix"
"google.golang.org/protobuf/proto"
"gvisor.dev/gvisor/pkg/eventchannel"
"gvisor.dev/gvisor/pkg/log"
@@ -93,19 +93,19 @@ func (c *compatEmitter) emitUnimplementedSyscall(us *spb.UnimplementedSyscall) {
tr := c.trackers[sysnr]
if tr == nil {
switch sysnr {
- case syscall.SYS_PRCTL:
+ case unix.SYS_PRCTL:
// args: cmd, ...
tr = newArgsTracker(0)
- case syscall.SYS_IOCTL, syscall.SYS_EPOLL_CTL, syscall.SYS_SHMCTL, syscall.SYS_FUTEX, syscall.SYS_FALLOCATE:
+ case unix.SYS_IOCTL, unix.SYS_EPOLL_CTL, unix.SYS_SHMCTL, unix.SYS_FUTEX, unix.SYS_FALLOCATE:
// args: fd/addr, cmd, ...
tr = newArgsTracker(1)
- case syscall.SYS_GETSOCKOPT, syscall.SYS_SETSOCKOPT:
+ case unix.SYS_GETSOCKOPT, unix.SYS_SETSOCKOPT:
// args: fd, level, name, ...
tr = newArgsTracker(1, 2)
- case syscall.SYS_SEMCTL:
+ case unix.SYS_SEMCTL:
// args: semid, semnum, cmd, ...
tr = newArgsTracker(2)
@@ -131,7 +131,7 @@ func (c *compatEmitter) emitUnimplementedSyscall(us *spb.UnimplementedSyscall) {
}
func (c *compatEmitter) emitUncaughtSignal(msg *ucspb.UncaughtSignal) {
- sig := syscall.Signal(msg.SignalNumber)
+ sig := unix.Signal(msg.SignalNumber)
c.sink.Infof(
"Uncaught signal: %q (%d), PID: %d, TID: %d, fault addr: %#x",
sig, msg.SignalNumber, msg.Pid, msg.Tid, msg.FaultAddr)
diff --git a/runsc/boot/compat_amd64.go b/runsc/boot/compat_amd64.go
index 8eb76b2ba..7e13ff87c 100644
--- a/runsc/boot/compat_amd64.go
+++ b/runsc/boot/compat_amd64.go
@@ -16,8 +16,8 @@ package boot
import (
"fmt"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi"
"gvisor.dev/gvisor/pkg/sentry/arch"
rpb "gvisor.dev/gvisor/pkg/sentry/arch/registers_go_proto"
@@ -92,7 +92,7 @@ func syscallNum(regs *rpb.Registers) uint64 {
func newArchArgsTracker(sysnr uint64) syscallTracker {
switch sysnr {
- case syscall.SYS_ARCH_PRCTL:
+ case unix.SYS_ARCH_PRCTL:
// args: cmd, ...
return newArgsTracker(0)
}
diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go
index 5e849cb37..1cd5fba5c 100644
--- a/runsc/boot/controller.go
+++ b/runsc/boot/controller.go
@@ -18,9 +18,9 @@ import (
"errors"
"fmt"
"os"
- "syscall"
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/control/server"
"gvisor.dev/gvisor/pkg/fd"
"gvisor.dev/gvisor/pkg/log"
@@ -366,7 +366,7 @@ func (cm *containerManager) Restore(o *RestoreOpts, _ *struct{}) error {
case 2:
// The device file is donated to the platform.
// Can't take ownership away from os.File. dup them to get a new FD.
- fd, err := syscall.Dup(int(o.Files[1].Fd()))
+ fd, err := unix.Dup(int(o.Files[1].Fd()))
if err != nil {
return fmt.Errorf("failed to dup file: %v", err)
}
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 2a8c916d5..49b503f99 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -16,7 +16,6 @@ package filter
import (
"os"
- "syscall"
"golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
@@ -26,19 +25,19 @@ import (
// allowedSyscalls is the set of syscalls executed by the Sentry to the host OS.
var allowedSyscalls = seccomp.SyscallRules{
- syscall.SYS_CLOCK_GETTIME: {},
- syscall.SYS_CLOSE: {},
- syscall.SYS_DUP: {},
- syscall.SYS_DUP3: []seccomp.Rule{
+ unix.SYS_CLOCK_GETTIME: {},
+ unix.SYS_CLOSE: {},
+ unix.SYS_DUP: {},
+ unix.SYS_DUP3: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.O_CLOEXEC),
+ seccomp.EqualTo(unix.O_CLOEXEC),
},
},
- syscall.SYS_EPOLL_CREATE1: {},
- syscall.SYS_EPOLL_CTL: {},
- syscall.SYS_EPOLL_PWAIT: []seccomp.Rule{
+ unix.SYS_EPOLL_CREATE1: {},
+ unix.SYS_EPOLL_CTL: {},
+ unix.SYS_EPOLL_PWAIT: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
@@ -47,34 +46,34 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.EqualTo(0),
},
},
- syscall.SYS_EVENTFD2: []seccomp.Rule{
+ unix.SYS_EVENTFD2: []seccomp.Rule{
{
seccomp.EqualTo(0),
seccomp.EqualTo(0),
},
},
- syscall.SYS_EXIT: {},
- syscall.SYS_EXIT_GROUP: {},
- syscall.SYS_FALLOCATE: {},
- syscall.SYS_FCHMOD: {},
- syscall.SYS_FCNTL: []seccomp.Rule{
+ unix.SYS_EXIT: {},
+ unix.SYS_EXIT_GROUP: {},
+ unix.SYS_FALLOCATE: {},
+ unix.SYS_FCHMOD: {},
+ unix.SYS_FCNTL: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.F_GETFL),
+ seccomp.EqualTo(unix.F_GETFL),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.F_SETFL),
+ seccomp.EqualTo(unix.F_SETFL),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.F_GETFD),
+ seccomp.EqualTo(unix.F_GETFD),
},
},
- syscall.SYS_FSTAT: {},
- syscall.SYS_FSYNC: {},
- syscall.SYS_FTRUNCATE: {},
- syscall.SYS_FUTEX: []seccomp.Rule{
+ unix.SYS_FSTAT: {},
+ unix.SYS_FSYNC: {},
+ unix.SYS_FTRUNCATE: {},
+ unix.SYS_FUTEX: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG),
@@ -109,35 +108,35 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.EqualTo(0),
},
},
- syscall.SYS_GETPID: {},
+ unix.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},
- syscall.SYS_GETSOCKOPT: []seccomp.Rule{
+ unix.SYS_GETSOCKOPT: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_DOMAIN),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_DOMAIN),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_TYPE),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_TYPE),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_ERROR),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_ERROR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_SNDBUF),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_SNDBUF),
},
},
- syscall.SYS_GETTID: {},
- syscall.SYS_GETTIMEOFDAY: {},
+ unix.SYS_GETTID: {},
+ unix.SYS_GETTIMEOFDAY: {},
// SYS_IOCTL is needed for terminal support, but we only allow
// setting/getting termios and winsize.
- syscall.SYS_IOCTL: []seccomp.Rule{
+ unix.SYS_IOCTL: []seccomp.Rule{
{
seccomp.MatchAny{}, /* fd */
seccomp.EqualTo(linux.TCGETS),
@@ -169,94 +168,94 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{}, /* winsize struct */
},
},
- syscall.SYS_LSEEK: {},
- syscall.SYS_MADVISE: {},
+ unix.SYS_LSEEK: {},
+ unix.SYS_MADVISE: {},
unix.SYS_MEMBARRIER: []seccomp.Rule{
{
seccomp.EqualTo(linux.MEMBARRIER_CMD_GLOBAL),
seccomp.EqualTo(0),
},
},
- syscall.SYS_MINCORE: {},
+ unix.SYS_MINCORE: {},
// Used by the Go runtime as a temporarily workaround for a Linux
// 5.2-5.4 bug.
//
// See src/runtime/os_linux_x86.go.
//
// TODO(b/148688965): Remove once this is gone from Go.
- syscall.SYS_MLOCK: []seccomp.Rule{
+ unix.SYS_MLOCK: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.EqualTo(4096),
},
},
- syscall.SYS_MMAP: []seccomp.Rule{
+ unix.SYS_MMAP: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MAP_SHARED),
+ seccomp.EqualTo(unix.MAP_SHARED),
},
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MAP_PRIVATE),
+ seccomp.EqualTo(unix.MAP_PRIVATE),
},
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS),
+ seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS),
},
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_STACK),
+ seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_STACK),
},
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_NORESERVE),
+ seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_NORESERVE),
},
{
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.PROT_WRITE | syscall.PROT_READ),
- seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_FIXED),
+ seccomp.EqualTo(unix.PROT_WRITE | unix.PROT_READ),
+ seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_FIXED),
},
},
- syscall.SYS_MPROTECT: {},
- syscall.SYS_MUNMAP: {},
- syscall.SYS_NANOSLEEP: {},
- syscall.SYS_PPOLL: {},
- syscall.SYS_PREAD64: {},
- syscall.SYS_PREADV: {},
- unix.SYS_PREADV2: {},
- syscall.SYS_PWRITE64: {},
- syscall.SYS_PWRITEV: {},
- unix.SYS_PWRITEV2: {},
- syscall.SYS_READ: {},
- syscall.SYS_RECVMSG: []seccomp.Rule{
+ unix.SYS_MPROTECT: {},
+ unix.SYS_MUNMAP: {},
+ unix.SYS_NANOSLEEP: {},
+ unix.SYS_PPOLL: {},
+ unix.SYS_PREAD64: {},
+ unix.SYS_PREADV: {},
+ unix.SYS_PREADV2: {},
+ unix.SYS_PWRITE64: {},
+ unix.SYS_PWRITEV: {},
+ unix.SYS_PWRITEV2: {},
+ unix.SYS_READ: {},
+ unix.SYS_RECVMSG: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MSG_DONTWAIT | syscall.MSG_TRUNC),
+ seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC),
},
{
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MSG_DONTWAIT | syscall.MSG_TRUNC | syscall.MSG_PEEK),
+ seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC | unix.MSG_PEEK),
},
},
- syscall.SYS_RECVMMSG: []seccomp.Rule{
+ unix.SYS_RECVMMSG: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.EqualTo(fdbased.MaxMsgsPerRecv),
- seccomp.EqualTo(syscall.MSG_DONTWAIT),
+ seccomp.EqualTo(unix.MSG_DONTWAIT),
seccomp.EqualTo(0),
},
},
@@ -265,34 +264,34 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MSG_DONTWAIT),
+ seccomp.EqualTo(unix.MSG_DONTWAIT),
seccomp.EqualTo(0),
},
},
- syscall.SYS_RESTART_SYSCALL: {},
- syscall.SYS_RT_SIGACTION: {},
- syscall.SYS_RT_SIGPROCMASK: {},
- syscall.SYS_RT_SIGRETURN: {},
- syscall.SYS_SCHED_YIELD: {},
- syscall.SYS_SENDMSG: []seccomp.Rule{
+ unix.SYS_RESTART_SYSCALL: {},
+ unix.SYS_RT_SIGACTION: {},
+ unix.SYS_RT_SIGPROCMASK: {},
+ unix.SYS_RT_SIGRETURN: {},
+ unix.SYS_SCHED_YIELD: {},
+ unix.SYS_SENDMSG: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.MSG_DONTWAIT | syscall.MSG_NOSIGNAL),
+ seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_NOSIGNAL),
},
},
- syscall.SYS_SETITIMER: {},
- syscall.SYS_SHUTDOWN: []seccomp.Rule{
+ unix.SYS_SETITIMER: {},
+ unix.SYS_SHUTDOWN: []seccomp.Rule{
// Used by fs/host to shutdown host sockets.
- {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SHUT_RD)},
- {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SHUT_WR)},
+ {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RD)},
+ {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_WR)},
// Used by unet to shutdown connections.
- {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SHUT_RDWR)},
+ {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RDWR)},
},
- syscall.SYS_SIGALTSTACK: {},
- unix.SYS_STATX: {},
- syscall.SYS_SYNC_FILE_RANGE: {},
- syscall.SYS_TEE: []seccomp.Rule{
+ unix.SYS_SIGALTSTACK: {},
+ unix.SYS_STATX: {},
+ unix.SYS_SYNC_FILE_RANGE: {},
+ unix.SYS_TEE: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
@@ -300,12 +299,12 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.EqualTo(unix.SPLICE_F_NONBLOCK), /* flags */
},
},
- syscall.SYS_TGKILL: []seccomp.Rule{
+ unix.SYS_TGKILL: []seccomp.Rule{
{
seccomp.EqualTo(uint64(os.Getpid())),
},
},
- syscall.SYS_UTIMENSAT: []seccomp.Rule{
+ unix.SYS_UTIMENSAT: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.EqualTo(0), /* null pathname */
@@ -313,9 +312,9 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.EqualTo(0), /* flags */
},
},
- syscall.SYS_WRITE: {},
+ unix.SYS_WRITE: {},
// For rawfile.NonBlockingWriteIovec.
- syscall.SYS_WRITEV: []seccomp.Rule{
+ unix.SYS_WRITEV: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
@@ -327,313 +326,313 @@ var allowedSyscalls = seccomp.SyscallRules{
// hostInetFilters contains syscalls that are needed by sentry/socket/hostinet.
func hostInetFilters() seccomp.SyscallRules {
return seccomp.SyscallRules{
- syscall.SYS_ACCEPT4: []seccomp.Rule{
+ unix.SYS_ACCEPT4: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC),
+ seccomp.EqualTo(unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC),
},
},
- syscall.SYS_BIND: {},
- syscall.SYS_CONNECT: {},
- syscall.SYS_GETPEERNAME: {},
- syscall.SYS_GETSOCKNAME: {},
- syscall.SYS_GETSOCKOPT: []seccomp.Rule{
+ unix.SYS_BIND: {},
+ unix.SYS_CONNECT: {},
+ unix.SYS_GETPEERNAME: {},
+ unix.SYS_GETSOCKNAME: {},
+ unix.SYS_GETSOCKOPT: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_TOS),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_TOS),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_RECVTOS),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_RECVTOS),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_PKTINFO),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_PKTINFO),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_RECVORIGDSTADDR),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_RECVORIGDSTADDR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_RECVERR),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_RECVERR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_TCLASS),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_TCLASS),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_RECVTCLASS),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_RECVTCLASS),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_RECVERR),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_RECVERR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_V6ONLY),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_V6ONLY),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
+ seccomp.EqualTo(unix.SOL_IPV6),
seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_ERROR),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_ERROR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_KEEPALIVE),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_KEEPALIVE),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_SNDBUF),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_SNDBUF),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_RCVBUF),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_RCVBUF),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_REUSEADDR),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_REUSEADDR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_TYPE),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_TYPE),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_LINGER),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_LINGER),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_TIMESTAMP),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_TIMESTAMP),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_TCP),
- seccomp.EqualTo(syscall.TCP_NODELAY),
+ seccomp.EqualTo(unix.SOL_TCP),
+ seccomp.EqualTo(unix.TCP_NODELAY),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_TCP),
- seccomp.EqualTo(syscall.TCP_INFO),
+ seccomp.EqualTo(unix.SOL_TCP),
+ seccomp.EqualTo(unix.TCP_INFO),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_TCP),
+ seccomp.EqualTo(unix.SOL_TCP),
seccomp.EqualTo(linux.TCP_INQ),
},
},
- syscall.SYS_IOCTL: []seccomp.Rule{
+ unix.SYS_IOCTL: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.TIOCOUTQ),
+ seccomp.EqualTo(unix.TIOCOUTQ),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.TIOCINQ),
+ seccomp.EqualTo(unix.TIOCINQ),
},
},
- syscall.SYS_LISTEN: {},
- syscall.SYS_READV: {},
- syscall.SYS_RECVFROM: {},
- syscall.SYS_RECVMSG: {},
- syscall.SYS_SENDMSG: {},
- syscall.SYS_SENDTO: {},
- syscall.SYS_SETSOCKOPT: []seccomp.Rule{
+ unix.SYS_LISTEN: {},
+ unix.SYS_READV: {},
+ unix.SYS_RECVFROM: {},
+ unix.SYS_RECVMSG: {},
+ unix.SYS_SENDMSG: {},
+ unix.SYS_SENDTO: {},
+ unix.SYS_SETSOCKOPT: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_SNDBUF),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_SNDBUF),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_RCVBUF),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_RCVBUF),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_REUSEADDR),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_REUSEADDR),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_TIMESTAMP),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_TIMESTAMP),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_TCP),
- seccomp.EqualTo(syscall.TCP_NODELAY),
+ seccomp.EqualTo(unix.SOL_TCP),
+ seccomp.EqualTo(unix.TCP_NODELAY),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_TCP),
+ seccomp.EqualTo(unix.SOL_TCP),
seccomp.EqualTo(linux.TCP_INQ),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_TOS),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_TOS),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_RECVTOS),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_RECVTOS),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_PKTINFO),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_PKTINFO),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_RECVORIGDSTADDR),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_RECVORIGDSTADDR),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IP),
- seccomp.EqualTo(syscall.IP_RECVERR),
+ seccomp.EqualTo(unix.SOL_IP),
+ seccomp.EqualTo(unix.IP_RECVERR),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_TCLASS),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_TCLASS),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_RECVTCLASS),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_RECVTCLASS),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
+ seccomp.EqualTo(unix.SOL_IPV6),
seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_RECVERR),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_RECVERR),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_IPV6),
- seccomp.EqualTo(syscall.IPV6_V6ONLY),
+ seccomp.EqualTo(unix.SOL_IPV6),
+ seccomp.EqualTo(unix.IPV6_V6ONLY),
seccomp.MatchAny{},
seccomp.EqualTo(4),
},
},
- syscall.SYS_SHUTDOWN: []seccomp.Rule{
+ unix.SYS_SHUTDOWN: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SHUT_RD),
+ seccomp.EqualTo(unix.SHUT_RD),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SHUT_WR),
+ seccomp.EqualTo(unix.SHUT_WR),
},
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SHUT_RDWR),
+ seccomp.EqualTo(unix.SHUT_RDWR),
},
},
- syscall.SYS_SOCKET: []seccomp.Rule{
+ unix.SYS_SOCKET: []seccomp.Rule{
{
- seccomp.EqualTo(syscall.AF_INET),
- seccomp.EqualTo(syscall.SOCK_STREAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC),
+ seccomp.EqualTo(unix.AF_INET),
+ seccomp.EqualTo(unix.SOCK_STREAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC),
seccomp.EqualTo(0),
},
{
- seccomp.EqualTo(syscall.AF_INET),
- seccomp.EqualTo(syscall.SOCK_DGRAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC),
+ seccomp.EqualTo(unix.AF_INET),
+ seccomp.EqualTo(unix.SOCK_DGRAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC),
seccomp.EqualTo(0),
},
{
- seccomp.EqualTo(syscall.AF_INET6),
- seccomp.EqualTo(syscall.SOCK_STREAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC),
+ seccomp.EqualTo(unix.AF_INET6),
+ seccomp.EqualTo(unix.SOCK_STREAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC),
seccomp.EqualTo(0),
},
{
- seccomp.EqualTo(syscall.AF_INET6),
- seccomp.EqualTo(syscall.SOCK_DGRAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC),
+ seccomp.EqualTo(unix.AF_INET6),
+ seccomp.EqualTo(unix.SOCK_DGRAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC),
seccomp.EqualTo(0),
},
},
- syscall.SYS_WRITEV: {},
+ unix.SYS_WRITEV: {},
}
}
func controlServerFilters(fd int) seccomp.SyscallRules {
return seccomp.SyscallRules{
- syscall.SYS_ACCEPT: []seccomp.Rule{
+ unix.SYS_ACCEPT: []seccomp.Rule{
{
seccomp.EqualTo(fd),
},
},
- syscall.SYS_LISTEN: []seccomp.Rule{
+ unix.SYS_LISTEN: []seccomp.Rule{
{
seccomp.EqualTo(fd),
seccomp.EqualTo(16 /* unet.backlog */),
},
},
- syscall.SYS_GETSOCKOPT: []seccomp.Rule{
+ unix.SYS_GETSOCKOPT: []seccomp.Rule{
{
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.SOL_SOCKET),
- seccomp.EqualTo(syscall.SO_PEERCRED),
+ seccomp.EqualTo(unix.SOL_SOCKET),
+ seccomp.EqualTo(unix.SO_PEERCRED),
},
},
}
diff --git a/runsc/boot/filter/config_amd64.go b/runsc/boot/filter/config_amd64.go
index cea5613b8..42cb8ed3a 100644
--- a/runsc/boot/filter/config_amd64.go
+++ b/runsc/boot/filter/config_amd64.go
@@ -17,30 +17,29 @@
package filter
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/seccomp"
)
func init() {
- allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{
+ allowedSyscalls[unix.SYS_ARCH_PRCTL] = []seccomp.Rule{
// TODO(b/168828518): No longer used in Go 1.16+.
{seccomp.EqualTo(linux.ARCH_SET_FS)},
}
- allowedSyscalls[syscall.SYS_CLONE] = []seccomp.Rule{
+ allowedSyscalls[unix.SYS_CLONE] = []seccomp.Rule{
// parent_tidptr and child_tidptr are always 0 because neither
// CLONE_PARENT_SETTID nor CLONE_CHILD_SETTID are used.
{
seccomp.EqualTo(
- syscall.CLONE_VM |
- syscall.CLONE_FS |
- syscall.CLONE_FILES |
- syscall.CLONE_SETTLS |
- syscall.CLONE_SIGHAND |
- syscall.CLONE_SYSVSEM |
- syscall.CLONE_THREAD),
+ unix.CLONE_VM |
+ unix.CLONE_FS |
+ unix.CLONE_FILES |
+ unix.CLONE_SETTLS |
+ unix.CLONE_SIGHAND |
+ unix.CLONE_SYSVSEM |
+ unix.CLONE_THREAD),
seccomp.MatchAny{}, // newsp
seccomp.EqualTo(0), // parent_tidptr
seccomp.EqualTo(0), // child_tidptr
@@ -49,12 +48,12 @@ func init() {
{
// TODO(b/168828518): No longer used in Go 1.16+ (on amd64).
seccomp.EqualTo(
- syscall.CLONE_VM |
- syscall.CLONE_FS |
- syscall.CLONE_FILES |
- syscall.CLONE_SIGHAND |
- syscall.CLONE_SYSVSEM |
- syscall.CLONE_THREAD),
+ unix.CLONE_VM |
+ unix.CLONE_FS |
+ unix.CLONE_FILES |
+ unix.CLONE_SIGHAND |
+ unix.CLONE_SYSVSEM |
+ unix.CLONE_THREAD),
seccomp.MatchAny{}, // newsp
seccomp.EqualTo(0), // parent_tidptr
seccomp.EqualTo(0), // child_tidptr
diff --git a/runsc/boot/filter/config_arm64.go b/runsc/boot/filter/config_arm64.go
index 37313f97f..f162f87ff 100644
--- a/runsc/boot/filter/config_arm64.go
+++ b/runsc/boot/filter/config_arm64.go
@@ -17,21 +17,20 @@
package filter
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/seccomp"
)
func init() {
- allowedSyscalls[syscall.SYS_CLONE] = []seccomp.Rule{
+ allowedSyscalls[unix.SYS_CLONE] = []seccomp.Rule{
{
seccomp.EqualTo(
- syscall.CLONE_VM |
- syscall.CLONE_FS |
- syscall.CLONE_FILES |
- syscall.CLONE_SIGHAND |
- syscall.CLONE_SYSVSEM |
- syscall.CLONE_THREAD),
+ unix.CLONE_VM |
+ unix.CLONE_FS |
+ unix.CLONE_FILES |
+ unix.CLONE_SIGHAND |
+ unix.CLONE_SYSVSEM |
+ unix.CLONE_THREAD),
seccomp.MatchAny{}, // newsp
// These arguments are left uninitialized by the Go
// runtime, so they may be anything (and are unused by
diff --git a/runsc/boot/filter/config_profile.go b/runsc/boot/filter/config_profile.go
index 7b8669595..89b66a6da 100644
--- a/runsc/boot/filter/config_profile.go
+++ b/runsc/boot/filter/config_profile.go
@@ -15,19 +15,18 @@
package filter
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/seccomp"
)
// profileFilters returns extra syscalls made by runtime/pprof package.
func profileFilters() seccomp.SyscallRules {
return seccomp.SyscallRules{
- syscall.SYS_OPENAT: []seccomp.Rule{
+ unix.SYS_OPENAT: []seccomp.Rule{
{
seccomp.MatchAny{},
seccomp.MatchAny{},
- seccomp.EqualTo(syscall.O_RDONLY | syscall.O_LARGEFILE | syscall.O_CLOEXEC),
+ seccomp.EqualTo(unix.O_RDONLY | unix.O_LARGEFILE | unix.O_CLOEXEC),
},
},
}
diff --git a/runsc/boot/filter/extra_filters_msan.go b/runsc/boot/filter/extra_filters_msan.go
index 209e646a7..41baa78cd 100644
--- a/runsc/boot/filter/extra_filters_msan.go
+++ b/runsc/boot/filter/extra_filters_msan.go
@@ -17,8 +17,7 @@
package filter
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/seccomp"
)
@@ -26,9 +25,9 @@ import (
func instrumentationFilters() seccomp.SyscallRules {
Report("MSAN is enabled: syscall filters less restrictive!")
return seccomp.SyscallRules{
- syscall.SYS_CLONE: {},
- syscall.SYS_MMAP: {},
- syscall.SYS_SCHED_GETAFFINITY: {},
- syscall.SYS_SET_ROBUST_LIST: {},
+ unix.SYS_CLONE: {},
+ unix.SYS_MMAP: {},
+ unix.SYS_SCHED_GETAFFINITY: {},
+ unix.SYS_SET_ROBUST_LIST: {},
}
}
diff --git a/runsc/boot/filter/extra_filters_race.go b/runsc/boot/filter/extra_filters_race.go
index 5b99eb8cd..79b2104f0 100644
--- a/runsc/boot/filter/extra_filters_race.go
+++ b/runsc/boot/filter/extra_filters_race.go
@@ -17,8 +17,7 @@
package filter
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/seccomp"
)
@@ -26,17 +25,17 @@ import (
func instrumentationFilters() seccomp.SyscallRules {
Report("TSAN is enabled: syscall filters less restrictive!")
return seccomp.SyscallRules{
- syscall.SYS_BRK: {},
- syscall.SYS_CLOCK_NANOSLEEP: {},
- syscall.SYS_CLONE: {},
- syscall.SYS_FUTEX: {},
- syscall.SYS_MMAP: {},
- syscall.SYS_MUNLOCK: {},
- syscall.SYS_NANOSLEEP: {},
- syscall.SYS_OPEN: {},
- syscall.SYS_OPENAT: {},
- syscall.SYS_SET_ROBUST_LIST: {},
+ unix.SYS_BRK: {},
+ unix.SYS_CLOCK_NANOSLEEP: {},
+ unix.SYS_CLONE: {},
+ unix.SYS_FUTEX: {},
+ unix.SYS_MMAP: {},
+ unix.SYS_MUNLOCK: {},
+ unix.SYS_NANOSLEEP: {},
+ unix.SYS_OPEN: {},
+ unix.SYS_OPENAT: {},
+ unix.SYS_SET_ROBUST_LIST: {},
// Used within glibc's malloc.
- syscall.SYS_TIME: {},
+ unix.SYS_TIME: {},
}
}
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go
index 2b0d2cd51..77f632bb9 100644
--- a/runsc/boot/fs.go
+++ b/runsc/boot/fs.go
@@ -20,9 +20,9 @@ import (
"sort"
"strconv"
"strings"
- "syscall"
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/fd"
@@ -312,11 +312,11 @@ func setupContainerFS(ctx context.Context, conf *config.Config, mntr *containerM
}
func adjustDirentCache(k *kernel.Kernel) error {
- var hl syscall.Rlimit
- if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &hl); err != nil {
+ var hl unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &hl); err != nil {
return fmt.Errorf("getting RLIMIT_NOFILE: %v", err)
}
- if int64(hl.Cur) != syscall.RLIM_INFINITY {
+ if hl.Cur != unix.RLIM_INFINITY {
newSize := hl.Cur / 2
if newSize < gofer.DefaultDirentCacheSize {
log.Infof("Setting gofer dirent cache size to %d", newSize)
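Review bot: The comparison at `if hl.Cur != unix.RLIM_INFINITY {` silently changes representation: the old code needed `int64(hl.Cur)` because `syscall.RLIM_INFINITY` is the signed value -1, whereas `unix.RLIM_INFINITY` is the unsigned all-ones constant that compares directly against the `uint64` `Cur` field, so the result is the same but the reason the cast disappeared is not recorded. A one-line comment above the `if` would stop a future maintainer from reintroducing the cast or "fixing" the comparison, e.g. `// unix.RLIM_INFINITY is the unsigned all-ones value (syscall's was -1), so it compares directly with the uint64 Cur.` The compiler would reject a negative untyped constant against a uint64, so the new form is at least checked at build time. adjustDirentCache continues past the end of this hunk, so whether the halved value is clamped elsewhere cannot be seen here.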
@@ -844,10 +844,10 @@ func (c *containerMounter) mountSubmount(ctx context.Context, conf *config.Confi
// than simply printed to the logs for the 'runsc boot' command.
//
// We check the error message string rather than type because the
- // actual error types (syscall.EIO, syscall.EPIPE) are lost by file system
+ // actual error types (unix.EIO, unix.EPIPE) are lost by file system
// implementation (e.g. p9).
// TODO(gvisor.dev/issue/1765): Remove message when bug is resolved.
- if strings.Contains(err.Error(), syscall.EIO.Error()) || strings.Contains(err.Error(), syscall.EPIPE.Error()) {
+ if strings.Contains(err.Error(), unix.EIO.Error()) || strings.Contains(err.Error(), unix.EPIPE.Error()) {
return fmt.Errorf("%v: %s", err, specutils.FaqErrorMsg("memlock", "you may be encountering a Linux kernel bug"))
}
return err
diff --git a/runsc/boot/limits.go b/runsc/boot/limits.go
index ce62236e5..3d2b3506d 100644
--- a/runsc/boot/limits.go
+++ b/runsc/boot/limits.go
@@ -16,9 +16,9 @@ package boot
import (
"fmt"
- "syscall"
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/sentry/limits"
"gvisor.dev/gvisor/pkg/sync"
@@ -104,9 +104,9 @@ func (d *defs) initDefaults() error {
// Read host limits that directly affect the sandbox and adjust the defaults
// based on them.
- for _, res := range []int{syscall.RLIMIT_FSIZE, syscall.RLIMIT_NOFILE} {
- var hl syscall.Rlimit
- if err := syscall.Getrlimit(res, &hl); err != nil {
+ for _, res := range []int{unix.RLIMIT_FSIZE, unix.RLIMIT_NOFILE} {
+ var hl unix.Rlimit
+ if err := unix.Getrlimit(res, &hl); err != nil {
return err
}
diff --git a/runsc/boot/network.go b/runsc/boot/network.go
index 3d3a813df..7e627e4c6 100644
--- a/runsc/boot/network.go
+++ b/runsc/boot/network.go
@@ -19,8 +19,8 @@ import (
"net"
"runtime"
"strings"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/tcpip"
"gvisor.dev/gvisor/pkg/tcpip/link/fdbased"
@@ -195,7 +195,7 @@ func (n *Network) CreateLinksAndRoutes(args *CreateLinksAndRoutesArgs, _ *struct
for j := 0; j < link.NumChannels; j++ {
// Copy the underlying FD.
oldFD := args.FilePayload.Files[fdOffset].Fd()
- newFD, err := syscall.Dup(int(oldFD))
+ newFD, err := unix.Dup(int(oldFD))
if err != nil {
return fmt.Errorf("failed to dup FD %v: %v", oldFD, err)
}