authorgVisor bot <gvisor-bot@google.com>2021-09-02 02:48:40 +0000
committergVisor bot <gvisor-bot@google.com>2021-09-02 02:48:40 +0000
commitc7facf4b01f7c5a3d4f998ffda3f5ef400229078 (patch)
treeb74e0d63f5c7f2f24f121994cbaf5555f48d701d /runsc
parentb7e54559b3725cfb23f753143aac0c2c0b116e12 (diff)
parentdfb3273f887a80c25a6d133fd5a082153ba58570 (diff)
Merge release-20210823.0-44-gdfb3273f8 (automated)
Diffstat (limited to 'runsc')
-rw-r--r--runsc/boot/boot_state_autogen.go3
-rw-r--r--runsc/boot/loader.go23
-rw-r--r--runsc/config/config.go3
-rw-r--r--runsc/config/flags.go1
4 files changed, 20 insertions, 10 deletions
diff --git a/runsc/boot/boot_state_autogen.go b/runsc/boot/boot_state_autogen.go
index 0f6746d1f..95494a4c1 100644
--- a/runsc/boot/boot_state_autogen.go
+++ b/runsc/boot/boot_state_autogen.go
@@ -14,6 +14,7 @@ func (f *sandboxNetstackCreator) StateFields() []string {
return []string{
"clock",
"uniqueID",
+ "allowPacketEndpointWrite",
}
}
@@ -24,6 +25,7 @@ func (f *sandboxNetstackCreator) StateSave(stateSinkObject state.Sink) {
f.beforeSave()
stateSinkObject.Save(0, &f.clock)
stateSinkObject.Save(1, &f.uniqueID)
+ stateSinkObject.Save(2, &f.allowPacketEndpointWrite)
}
func (f *sandboxNetstackCreator) afterLoad() {}
@@ -32,6 +34,7 @@ func (f *sandboxNetstackCreator) afterLoad() {}
func (f *sandboxNetstackCreator) StateLoad(stateSourceObject state.Source) {
stateSourceObject.Load(0, &f.clock)
stateSourceObject.Load(1, &f.uniqueID)
+ stateSourceObject.Load(2, &f.allowPacketEndpointWrite)
}
func init() {
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 3f667cd74..1dd0048ac 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -1089,13 +1089,14 @@ func newRootNetworkNamespace(conf *config.Config, clock tcpip.Clock, uniqueID st
return inet.NewRootNamespace(hostinet.NewStack(), nil), nil
case config.NetworkNone, config.NetworkSandbox:
- s, err := newEmptySandboxNetworkStack(clock, uniqueID)
+ s, err := newEmptySandboxNetworkStack(clock, uniqueID, conf.AllowPacketEndpointWrite)
if err != nil {
return nil, err
}
creator := &sandboxNetstackCreator{
- clock: clock,
- uniqueID: uniqueID,
+ clock: clock,
+ uniqueID: uniqueID,
+ allowPacketEndpointWrite: conf.AllowPacketEndpointWrite,
}
return inet.NewRootNamespace(s, creator), nil
@@ -1105,7 +1106,7 @@ func newRootNetworkNamespace(conf *config.Config, clock tcpip.Clock, uniqueID st
}
-func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID) (inet.Stack, error) {
+func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID, allowPacketEndpointWrite bool) (inet.Stack, error) {
netProtos := []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol, arp.NewProtocol}
transProtos := []stack.TransportProtocolFactory{
tcp.NewProtocol,
@@ -1121,9 +1122,10 @@ func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID) (in
HandleLocal: true,
// Enable raw sockets for users with sufficient
// privileges.
- RawFactory: raw.EndpointFactory{},
- UniqueID: uniqueID,
- DefaultIPTables: netfilter.DefaultLinuxTables,
+ RawFactory: raw.EndpointFactory{},
+ AllowPacketEndpointWrite: allowPacketEndpointWrite,
+ UniqueID: uniqueID,
+ DefaultIPTables: netfilter.DefaultLinuxTables,
})}
// Enable SACK Recovery.
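Review bot: The existing comment "Enable raw sockets for users with sufficient privileges" now sits above two options with different gating: `RawFactory` is privilege-checked, while `AllowPacketEndpointWrite` is copied straight from the TESTONLY config value with no capability check visible in this hunk. A line spelling that out would stop a reader from assuming the same privilege model applies to both: `// AllowPacketEndpointWrite is a TESTONLY override; production sandboxes must leave it false so nothing can be written through packet sockets.` How netstack enforces the option is outside this diff, so the claim about writes is inferred from the option name. newEmptySandboxNetworkStack starts and ends outside the hunk.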
@@ -1160,13 +1162,14 @@ func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID) (in
//
// +stateify savable
type sandboxNetstackCreator struct {
- clock tcpip.Clock
- uniqueID stack.UniqueID
+ clock tcpip.Clock
+ uniqueID stack.UniqueID
+ allowPacketEndpointWrite bool
}
// CreateStack implements kernel.NetworkStackCreator.CreateStack.
func (f *sandboxNetstackCreator) CreateStack() (inet.Stack, error) {
- s, err := newEmptySandboxNetworkStack(f.clock, f.uniqueID)
+ s, err := newEmptySandboxNetworkStack(f.clock, f.uniqueID, f.allowPacketEndpointWrite)
if err != nil {
return nil, err
}
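Review bot: The new `allowPacketEndpointWrite` field on `sandboxNetstackCreator` has no comment although the struct is `+stateify savable`, so the value is saved with the sandbox and reapplied by `CreateStack` for every stack it later creates. A field comment would make that lifetime visible: `// allowPacketEndpointWrite mirrors Config.AllowPacketEndpointWrite; it is checkpointed with the creator, so stacks created after restore keep the same (TESTONLY) policy.` Whether a restore can override the saved value isn't visible here. CreateStack's body continues beyond the hunk.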
diff --git a/runsc/config/config.go b/runsc/config/config.go
index 2f52863ff..2ce8cc006 100644
--- a/runsc/config/config.go
+++ b/runsc/config/config.go
@@ -86,6 +86,9 @@ type Config struct {
// capabilities.
EnableRaw bool `flag:"net-raw"`
+ // AllowPacketEndpointWrite enables write operations on packet endpoints.
+ AllowPacketEndpointWrite bool `flag:"TESTONLY-allow-packet-endpoint-write"`
+
// HardwareGSO indicates that hardware segmentation offload is enabled.
HardwareGSO bool `flag:"gso"`
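Review bot: The doc comment on `AllowPacketEndpointWrite` says only that it "enables write operations on packet endpoints", leaving out that the field is test-only and what enabling it gives up, even though the flag tag `TESTONLY-allow-packet-endpoint-write` and the neighbouring `EnableRaw` comment both carry that context. Suggest: `// AllowPacketEndpointWrite enables write operations on packet endpoints. TEST ONLY: it lets the sandbox send through packet sockets and must never be set in production.` The Config struct starts and ends outside the hunk.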
diff --git a/runsc/config/flags.go b/runsc/config/flags.go
index 85507902a..cc5aba474 100644
--- a/runsc/config/flags.go
+++ b/runsc/config/flags.go
@@ -92,6 +92,7 @@ func RegisterFlags() {
// Test flags, not to be used outside tests, ever.
flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
flag.String("TESTONLY-test-name-env", "", "TEST ONLY; do not ever use! Used for automated tests to improve logging.")
+ flag.Bool("TESTONLY-allow-packet-endpoint-write", false, "TEST ONLY; do not ever use! Used for tests to allow writes on packet sockets.")
})
}
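Review bot: The help text for `TESTONLY-allow-packet-endpoint-write` states what the flag is for but not what it weakens, unlike the `TESTONLY-unsafe-nonroot` text above it, which names the consequence for host isolation. Consider `flag.Bool("TESTONLY-allow-packet-endpoint-write", false, "TEST ONLY; do not ever use! Lets the sandbox write to packet sockets (send raw frames on its interface); used only by tests.")`. The enclosing RegisterFlags closure begins outside the hunk.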