diff options
45 files changed, 178 insertions, 129 deletions
diff --git a/pkg/abi/linux/fadvise.go b/pkg/abi/linux/fadvise.go index b06ff9964..97e2e4532 100644 --- a/pkg/abi/linux/fadvise.go +++ b/pkg/abi/linux/fadvise.go @@ -14,6 +14,7 @@ package linux +// Fadvise constants. const ( POSIX_FADV_NORMAL = 0 POSIX_FADV_RANDOM = 1 diff --git a/pkg/abi/linux/ipc.go b/pkg/abi/linux/ipc.go index c6e65df62..f84144355 100644 --- a/pkg/abi/linux/ipc.go +++ b/pkg/abi/linux/ipc.go @@ -14,8 +14,9 @@ package linux -// Control commands used with semctl, shmctl, and msgctl. Source: -// include/uapi/linux/ipc.h. +// Control commands used with semctl, shmctl, and msgctl. +// +// Source: include/uapi/linux/ipc.h. const ( IPC_RMID = 0 IPC_SET = 1 @@ -23,14 +24,19 @@ const ( IPC_INFO = 3 ) -// resource get request flags. Source: include/uapi/linux/ipc.h +// Resource get request flags. +// +// Source: include/uapi/linux/ipc.h const ( IPC_CREAT = 00001000 IPC_EXCL = 00002000 IPC_NOWAIT = 00004000 ) -const IPC_PRIVATE = 0 +// IPC flags. +const ( + IPC_PRIVATE = 0 +) // In Linux, amd64 does not enable CONFIG_ARCH_WANT_IPC_PARSE_VERSION, so SysV // IPC unconditionally uses the "new" 64-bit structures that are needed for diff --git a/pkg/abi/linux/netfilter_ipv6.go b/pkg/abi/linux/netfilter_ipv6.go index 6d31eb5e3..bcb57642e 100644 --- a/pkg/abi/linux/netfilter_ipv6.go +++ b/pkg/abi/linux/netfilter_ipv6.go @@ -288,6 +288,7 @@ type IP6TIP struct { _ [3]byte } +// SizeOfIP6TIP is the size of an IP6 header. const SizeOfIP6TIP = 136 // Flags in IP6TIP.Flags. Corresponding constants are in diff --git a/pkg/abi/linux/sched.go b/pkg/abi/linux/sched.go index 70e820823..2a67921e6 100644 --- a/pkg/abi/linux/sched.go +++ b/pkg/abi/linux/sched.go @@ -29,6 +29,7 @@ const ( SCHED_RESET_ON_FORK = 0x40000000 ) +// Scheduling priority group selectors. const ( PRIO_PGRP = 0x1 PRIO_PROCESS = 0x0 diff --git a/pkg/abi/linux/seccomp.go b/pkg/abi/linux/seccomp.go index 5be3f10f9..e64501fac 100644 --- a/pkg/abi/linux/seccomp.go +++ b/pkg/abi/linux/seccomp.go @@ -30,8 +30,10 @@ const ( SECCOMP_GET_ACTION_AVAIL = 2 ) +// BPFAction is an action for a BPF filter. type BPFAction uint32 +// BPFAction definitions. const ( SECCOMP_RET_KILL_PROCESS BPFAction = 0x80000000 SECCOMP_RET_KILL_THREAD BPFAction = 0x00000000 diff --git a/pkg/abi/linux/sem.go b/pkg/abi/linux/sem.go index 2424884c1..bc7b4f0ee 100644 --- a/pkg/abi/linux/sem.go +++ b/pkg/abi/linux/sem.go @@ -49,7 +49,10 @@ const ( SEMUSZ = 20 ) -const SEM_UNDO = 0x1000 +// Semaphore flags. +const ( + SEM_UNDO = 0x1000 +) // Sembuf is equivalent to struct sembuf. // diff --git a/pkg/cpuid/cpuid_arm64.go b/pkg/cpuid/cpuid_arm64.go index ac7bb6774..98c6ec62f 100644 --- a/pkg/cpuid/cpuid_arm64.go +++ b/pkg/cpuid/cpuid_arm64.go @@ -267,7 +267,7 @@ func (fs *FeatureSet) UseXsave() bool { // FlagsString prints out supported CPU "flags" field in /proc/cpuinfo. func (fs *FeatureSet) FlagsString() string { var s []string - for f, _ := range arm64FeatureStrings { + for f := range arm64FeatureStrings { if fs.Set[f] { if fstr := f.flagString(); fstr != "" { s = append(s, fstr) @@ -296,7 +296,7 @@ func (fs FeatureSet) WriteCPUInfoTo(cpu uint, b *bytes.Buffer) { func HostFeatureSet() *FeatureSet { s := make(map[Feature]bool) - for f, _ := range arm64FeatureStrings { + for f := range arm64FeatureStrings { if hwCap&(1<<f) != 0 { s[f] = true } diff --git a/pkg/p9/client.go b/pkg/p9/client.go index eadea390a..3f4324ac1 100644 --- a/pkg/p9/client.go +++ b/pkg/p9/client.go @@ -241,7 +241,7 @@ func (c *Client) watch(socket *unet.Socket) { defer c.closedWg.Done() events := []unix.PollFd{ - unix.PollFd{ + { Fd: int32(socket.FD()), Events: unix.POLLHUP | unix.POLLRDHUP, }, diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go index ec17ebc4d..daea51c4d 100644 --- a/pkg/seccomp/seccomp.go +++ b/pkg/seccomp/seccomp.go @@ -61,7 +61,7 @@ func Install(rules SyscallRules) error { log.Infof("Installing seccomp filters for %d syscalls (action=%v)", len(rules), defaultAction) instrs, err := BuildProgram([]RuleSet{ - RuleSet{ + { Rules: rules, Action: linux.SECCOMP_RET_ALLOW, }, @@ -160,7 +160,7 @@ func buildIndex(rules []RuleSet, program *bpf.ProgramBuilder) error { } } syscalls := make([]uintptr, 0, len(requiredSyscalls)) - for sysno, _ := range requiredSyscalls { + for sysno := range requiredSyscalls { syscalls = append(syscalls, sysno) } sort.Slice(syscalls, func(i, j int) bool { return syscalls[i] < syscalls[j] }) diff --git a/pkg/sentry/fs/fsutil/dirty_set_impl.go b/pkg/sentry/fs/fsutil/dirty_set_impl.go index 9f1463389..2c6a10fc4 100644 --- a/pkg/sentry/fs/fsutil/dirty_set_impl.go +++ b/pkg/sentry/fs/fsutil/dirty_set_impl.go @@ -1560,8 +1560,8 @@ type DirtySegmentDataSlices struct { Values []DirtyInfo } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *DirtySet) ExportSortedSlices() *DirtySegmentDataSlices { var sds DirtySegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *DirtySet) ExportSortedSlices() *DirtySegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/fs/fsutil/file_range_set_impl.go b/pkg/sentry/fs/fsutil/file_range_set_impl.go index 374ed79b7..7568fb790 100644 --- a/pkg/sentry/fs/fsutil/file_range_set_impl.go +++ b/pkg/sentry/fs/fsutil/file_range_set_impl.go @@ -1560,8 +1560,8 @@ type FileRangeSegmentDataSlices struct { Values []uint64 } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *FileRangeSet) ExportSortedSlices() *FileRangeSegmentDataSlices { var sds FileRangeSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *FileRangeSet) ExportSortedSlices() *FileRangeSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/fs/fsutil/frame_ref_set_impl.go b/pkg/sentry/fs/fsutil/frame_ref_set_impl.go index 619246875..6657addf4 100644 --- a/pkg/sentry/fs/fsutil/frame_ref_set_impl.go +++ b/pkg/sentry/fs/fsutil/frame_ref_set_impl.go @@ -1560,8 +1560,8 @@ type FrameRefSegmentDataSlices struct { Values []uint64 } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *FrameRefSet) ExportSortedSlices() *FrameRefSegmentDataSlices { var sds FrameRefSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *FrameRefSet) ExportSortedSlices() *FrameRefSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/fs/fsutil/inode.go b/pkg/sentry/fs/fsutil/inode.go index 1922ff08c..85e7e35db 100644 --- a/pkg/sentry/fs/fsutil/inode.go +++ b/pkg/sentry/fs/fsutil/inode.go @@ -510,6 +510,7 @@ func (InodeDenyWriteChecker) Check(ctx context.Context, inode *fs.Inode, p fs.Pe //InodeNotAllocatable can be used by Inodes that do not support Allocate(). type InodeNotAllocatable struct{} +// Allocate implements fs.InodeOperations.Allocate. func (InodeNotAllocatable) Allocate(_ context.Context, _ *fs.Inode, _, _ int64) error { return syserror.EOPNOTSUPP } diff --git a/pkg/sentry/fs/inode.go b/pkg/sentry/fs/inode.go index 9b3d8166a..41a3c2047 100644 --- a/pkg/sentry/fs/inode.go +++ b/pkg/sentry/fs/inode.go @@ -367,6 +367,7 @@ func (i *Inode) Truncate(ctx context.Context, d *Dirent, size int64) error { return i.InodeOperations.Truncate(ctx, i, size) } +// Allocate calls i.InodeOperations.Allocate with i as the Inode. func (i *Inode) Allocate(ctx context.Context, d *Dirent, offset int64, length int64) error { if i.overlay != nil { return overlayAllocate(ctx, i.overlay, d, offset, length) diff --git a/pkg/sentry/fs/lock/lock_set.go b/pkg/sentry/fs/lock/lock_set.go index 37c216b95..4bc830883 100644 --- a/pkg/sentry/fs/lock/lock_set.go +++ b/pkg/sentry/fs/lock/lock_set.go @@ -1556,8 +1556,8 @@ type LockSegmentDataSlices struct { Values []Lock } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *LockSet) ExportSortedSlices() *LockSegmentDataSlices { var sds LockSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1571,7 +1571,7 @@ func (s *LockSet) ExportSortedSlices() *LockSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/kernel/auth/id.go b/pkg/sentry/kernel/auth/id.go index 4c32ee703..994486ea8 100644 --- a/pkg/sentry/kernel/auth/id.go +++ b/pkg/sentry/kernel/auth/id.go @@ -62,18 +62,28 @@ const ( // field is displayed as 4294967295 (-1 as an unsigned integer);" - // user_namespaces(7) OverflowUID = UID(65534) + + // OverflowGID is the group equivalent to OverflowUID. OverflowGID = GID(65534) // NobodyKUID is the user ID usually reserved for the least privileged user // "nobody". NobodyKUID = KUID(65534) + + // NobodyKGID is the group equivalent to NobodyKUID. NobodyKGID = KGID(65534) // RootKUID is the user ID usually used for the most privileged user "root". RootKUID = KUID(0) + + // RootKGID is the group equivalent to RootKUID. RootKGID = KGID(0) - RootUID = UID(0) - RootGID = GID(0) + + // RootUID is the root user. + RootUID = UID(0) + + // RootGID is the root group. + RootGID = GID(0) ) // Ok returns true if uid is not -1. diff --git a/pkg/sentry/kernel/auth/id_map_set.go b/pkg/sentry/kernel/auth/id_map_set.go index d8a05ce46..479753981 100644 --- a/pkg/sentry/kernel/auth/id_map_set.go +++ b/pkg/sentry/kernel/auth/id_map_set.go @@ -1556,8 +1556,8 @@ type idMapSegmentDataSlices struct { Values []uint32 } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *idMapSet) ExportSortedSlices() *idMapSegmentDataSlices { var sds idMapSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1571,7 +1571,7 @@ func (s *idMapSet) ExportSortedSlices() *idMapSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go index b8627a54f..303ae8056 100644 --- a/pkg/sentry/kernel/kernel.go +++ b/pkg/sentry/kernel/kernel.go @@ -1433,8 +1433,8 @@ func (k *Kernel) GlobalInit() *ThreadGroup { return k.globalInit } -// TestOnly_SetGlobalInit sets the thread group with ID 1 in the root PID namespace. -func (k *Kernel) TestOnly_SetGlobalInit(tg *ThreadGroup) { +// TestOnlySetGlobalInit sets the thread group with ID 1 in the root PID namespace. +func (k *Kernel) TestOnlySetGlobalInit(tg *ThreadGroup) { k.globalInit = tg } diff --git a/pkg/sentry/memmap/mapping_set_impl.go b/pkg/sentry/memmap/mapping_set_impl.go index eda4579e8..c32df9259 100644 --- a/pkg/sentry/memmap/mapping_set_impl.go +++ b/pkg/sentry/memmap/mapping_set_impl.go @@ -1556,8 +1556,8 @@ type MappingSegmentDataSlices struct { Values []MappingsOfRange } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *MappingSet) ExportSortedSlices() *MappingSegmentDataSlices { var sds MappingSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1571,7 +1571,7 @@ func (s *MappingSet) ExportSortedSlices() *MappingSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/mm/file_refcount_set.go b/pkg/sentry/mm/file_refcount_set.go index 1d956b4b4..602a137d4 100644 --- a/pkg/sentry/mm/file_refcount_set.go +++ b/pkg/sentry/mm/file_refcount_set.go @@ -1560,8 +1560,8 @@ type fileRefcountSegmentDataSlices struct { Values []int32 } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *fileRefcountSet) ExportSortedSlices() *fileRefcountSegmentDataSlices { var sds fileRefcountSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *fileRefcountSet) ExportSortedSlices() *fileRefcountSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/mm/pma_set.go b/pkg/sentry/mm/pma_set.go index 09fe6b05f..dbcf2b053 100644 --- a/pkg/sentry/mm/pma_set.go +++ b/pkg/sentry/mm/pma_set.go @@ -1560,8 +1560,8 @@ type pmaSegmentDataSlices struct { Values []pma } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *pmaSet) ExportSortedSlices() *pmaSegmentDataSlices { var sds pmaSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *pmaSet) ExportSortedSlices() *pmaSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/mm/vma_set.go b/pkg/sentry/mm/vma_set.go index 3b32d3cb5..333324640 100644 --- a/pkg/sentry/mm/vma_set.go +++ b/pkg/sentry/mm/vma_set.go @@ -1560,8 +1560,8 @@ type vmaSegmentDataSlices struct { Values []vma } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *vmaSet) ExportSortedSlices() *vmaSegmentDataSlices { var sds vmaSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *vmaSet) ExportSortedSlices() *vmaSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/pgalloc/evictable_range_set.go b/pkg/sentry/pgalloc/evictable_range_set.go index 7619b106e..c0c712b21 100644 --- a/pkg/sentry/pgalloc/evictable_range_set.go +++ b/pkg/sentry/pgalloc/evictable_range_set.go @@ -1556,8 +1556,8 @@ type evictableRangeSegmentDataSlices struct { Values []evictableRangeSetValue } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *evictableRangeSet) ExportSortedSlices() *evictableRangeSegmentDataSlices { var sds evictableRangeSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1571,7 +1571,7 @@ func (s *evictableRangeSet) ExportSortedSlices() *evictableRangeSegmentDataSlice return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/pgalloc/reclaim_set.go b/pkg/sentry/pgalloc/reclaim_set.go index 5c62c03fe..737f38776 100644 --- a/pkg/sentry/pgalloc/reclaim_set.go +++ b/pkg/sentry/pgalloc/reclaim_set.go @@ -1560,8 +1560,8 @@ type reclaimSegmentDataSlices struct { Values []reclaimSetValue } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *reclaimSet) ExportSortedSlices() *reclaimSegmentDataSlices { var sds reclaimSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *reclaimSet) ExportSortedSlices() *reclaimSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/pgalloc/usage_set.go b/pkg/sentry/pgalloc/usage_set.go index edabff0d8..8d96e817a 100644 --- a/pkg/sentry/pgalloc/usage_set.go +++ b/pkg/sentry/pgalloc/usage_set.go @@ -1560,8 +1560,8 @@ type usageSegmentDataSlices struct { Values []usageInfo } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *usageSet) ExportSortedSlices() *usageSegmentDataSlices { var sds usageSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1575,7 +1575,7 @@ func (s *usageSet) ExportSortedSlices() *usageSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/platform/ring0/kernel_amd64.go b/pkg/sentry/platform/ring0/kernel_amd64.go index b55dc29b3..36a60700e 100644 --- a/pkg/sentry/platform/ring0/kernel_amd64.go +++ b/pkg/sentry/platform/ring0/kernel_amd64.go @@ -65,6 +65,7 @@ func (k *Kernel) init(maxCPUs int) { } } +// EntryRegions returns the set of kernel entry regions (must be mapped). func (k *Kernel) EntryRegions() map[uintptr]uintptr { regions := make(map[uintptr]uintptr) diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go index b283d7229..26bd1abd4 100644 --- a/pkg/sentry/socket/netfilter/netfilter.go +++ b/pkg/sentry/socket/netfilter/netfilter.go @@ -205,7 +205,7 @@ func SetEntries(stk *stack.Stack, optVal []byte, ipv6 bool) *syserr.Error { // Go through the list of supported hooks for this table and, for each // one, set the rule it corresponds to. - for hook, _ := range replace.HookEntry { + for hook := range replace.HookEntry { if table.ValidHooks()&(1<<hook) != 0 { hk := hookFromLinux(hook) table.BuiltinChains[hk] = stack.HookUnset diff --git a/pkg/sentry/socket/netfilter/owner_matcher.go b/pkg/sentry/socket/netfilter/owner_matcher.go index 1b4e0ad79..69d13745e 100644 --- a/pkg/sentry/socket/netfilter/owner_matcher.go +++ b/pkg/sentry/socket/netfilter/owner_matcher.go @@ -96,6 +96,7 @@ func (ownerMarshaler) unmarshal(buf []byte, filter stack.IPHeaderFilter) (stack. return &owner, nil } +// OwnerMatcher matches against a UID and/or GID. type OwnerMatcher struct { uid uint32 gid uint32 diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go index c59297c80..6c4ec55b2 100644 --- a/pkg/sentry/socket/unix/unix.go +++ b/pkg/sentry/socket/unix/unix.go @@ -471,7 +471,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b if len(to) > 0 { switch s.stype { case linux.SOCK_SEQPACKET: - to = nil + // to is ignored. case linux.SOCK_STREAM: if s.State() == linux.SS_CONNECTED { return 0, syserr.ErrAlreadyConnected diff --git a/pkg/sentry/syscalls/linux/sys_sync.go b/pkg/sentry/syscalls/linux/sys_sync.go index 048a21c6e..5ebd4461f 100644 --- a/pkg/sentry/syscalls/linux/sys_sync.go +++ b/pkg/sentry/syscalls/linux/sys_sync.go @@ -125,6 +125,7 @@ func SyncFileRange(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel // // It should be safe to skipped this flag while nobody uses // SYNC_FILE_RANGE_WAIT_BEFORE. + _ = nbytes // SYNC_FILE_RANGE_WAIT_AFTER waits upon write-out of all pages in the // range after performing any write. diff --git a/pkg/sentry/vfs/inotify.go b/pkg/sentry/vfs/inotify.go index 107171b61..a48ac1cd6 100644 --- a/pkg/sentry/vfs/inotify.go +++ b/pkg/sentry/vfs/inotify.go @@ -738,7 +738,7 @@ func InotifyEventFromStatMask(mask uint32) uint32 { } else if mask&linux.STATX_ATIME != 0 { ev |= linux.IN_ACCESS } else if mask&linux.STATX_MTIME != 0 { - mask |= linux.IN_MODIFY + ev |= linux.IN_MODIFY } return ev } diff --git a/pkg/shim/v1/shim/api.go b/pkg/shim/v1/shim/api.go index 5dd8ff172..8200eb012 100644 --- a/pkg/shim/v1/shim/api.go +++ b/pkg/shim/v1/shim/api.go @@ -19,10 +19,23 @@ import ( "github.com/containerd/containerd/api/events" ) +// TaskCreate is an alias for events.TaskCreate. type TaskCreate = events.TaskCreate + +// TaskStart is an alias for events.TaskStart. type TaskStart = events.TaskStart + +// TaskOOM is an alias for events.TaskOOM. type TaskOOM = events.TaskOOM + +// TaskExit is an alias for events.TaskExit. type TaskExit = events.TaskExit + +// TaskDelete is an alias for events.TaskDelete. type TaskDelete = events.TaskDelete + +// TaskExecAdded is an alias for events.TaskExecAdded. type TaskExecAdded = events.TaskExecAdded + +// TaskExecStarted is an alias for events.TaskExecStarted. type TaskExecStarted = events.TaskExecStarted diff --git a/pkg/shim/v2/api.go b/pkg/shim/v2/api.go index dbe5c59f6..5a60a04db 100644 --- a/pkg/shim/v2/api.go +++ b/pkg/shim/v2/api.go @@ -19,4 +19,5 @@ import ( "github.com/containerd/containerd/api/events" ) +// TaskOOM is an alias for events.TaskOOM. type TaskOOM = events.TaskOOM diff --git a/pkg/state/addr_set.go b/pkg/state/addr_set.go index 591af5292..8abc3dd34 100644 --- a/pkg/state/addr_set.go +++ b/pkg/state/addr_set.go @@ -1556,8 +1556,8 @@ type addrSegmentDataSlices struct { Values []*objectEncodeState } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *addrSet) ExportSortedSlices() *addrSegmentDataSlices { var sds addrSegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1571,7 +1571,7 @@ func (s *addrSet) ExportSortedSlices() *addrSegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go index 9a17efcba..5e649cca6 100644 --- a/pkg/tcpip/stack/conntrack.go +++ b/pkg/tcpip/stack/conntrack.go @@ -142,19 +142,19 @@ func (cn *conn) timedOut(now time.Time) bool { // update the connection tracking state. // -// Precondition: ct.mu must be held. -func (ct *conn) updateLocked(tcpHeader header.TCP, hook Hook) { +// Precondition: cn.mu must be held. +func (cn *conn) updateLocked(tcpHeader header.TCP, hook Hook) { // Update the state of tcb. tcb assumes it's always initialized on the // client. However, we only need to know whether the connection is // established or not, so the client/server distinction isn't important. // TODO(gvisor.dev/issue/170): Add support in tcpconntrack to handle // other tcp states. - if ct.tcb.IsEmpty() { - ct.tcb.Init(tcpHeader) - } else if hook == ct.tcbHook { - ct.tcb.UpdateStateOutbound(tcpHeader) + if cn.tcb.IsEmpty() { + cn.tcb.Init(tcpHeader) + } else if hook == cn.tcbHook { + cn.tcb.UpdateStateOutbound(tcpHeader) } else { - ct.tcb.UpdateStateInbound(tcpHeader) + cn.tcb.UpdateStateInbound(tcpHeader) } } diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go index 2d8c883cd..09c7811fa 100644 --- a/pkg/tcpip/stack/iptables.go +++ b/pkg/tcpip/stack/iptables.go @@ -45,13 +45,13 @@ const reaperDelay = 5 * time.Second func DefaultTables() *IPTables { return &IPTables{ v4Tables: [NumTables]Table{ - NATID: Table{ + NATID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -68,11 +68,11 @@ func DefaultTables() *IPTables { Postrouting: 3, }, }, - MangleID: Table{ + MangleID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -86,12 +86,12 @@ func DefaultTables() *IPTables { Postrouting: HookUnset, }, }, - FilterID: Table{ + FilterID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: HookUnset, @@ -110,13 +110,13 @@ func DefaultTables() *IPTables { }, }, v6Tables: [NumTables]Table{ - NATID: Table{ + NATID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -133,11 +133,11 @@ func DefaultTables() *IPTables { Postrouting: 3, }, }, - MangleID: Table{ + MangleID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -151,12 +151,12 @@ func DefaultTables() *IPTables { Postrouting: HookUnset, }, }, - FilterID: Table{ + FilterID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: HookUnset, @@ -175,9 +175,9 @@ func DefaultTables() *IPTables { }, }, priorities: [NumHooks][]TableID{ - Prerouting: []TableID{MangleID, NATID}, - Input: []TableID{NATID, FilterID}, - Output: []TableID{MangleID, NATID, FilterID}, + Prerouting: {MangleID, NATID}, + Input: {NATID, FilterID}, + Output: {MangleID, NATID, FilterID}, }, connections: ConnTrack{ seed: generateRandUint32(), diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go index 4b86c1be9..56a3e7861 100644 --- a/pkg/tcpip/stack/iptables_types.go +++ b/pkg/tcpip/stack/iptables_types.go @@ -56,7 +56,7 @@ const ( // Postrouting happens just before a packet goes out on the wire. Postrouting - // The total number of hooks. + // NumHooks is the total number of hooks. NumHooks ) @@ -273,14 +273,12 @@ func (fl IPHeaderFilter) match(pkt *PacketBuffer, hook Hook, nicName string) boo return true } - // If the interface name ends with '+', any interface which begins - // with the name should be matched. + // If the interface name ends with '+', any interface which + // begins with the name should be matched. ifName := fl.OutputInterface - matches := true + matches := nicName == ifName if strings.HasSuffix(ifName, "+") { matches = strings.HasPrefix(nicName, ifName[:n-1]) - } else { - matches = nicName == ifName } return fl.OutputInterfaceInvert != matches } diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index d7afd3dc1..d37528ee7 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -75,12 +75,14 @@ import ( "gvisor.dev/gvisor/runsc/specutils" "gvisor.dev/gvisor/runsc/specutils/seccomp" - // Include supported socket providers. + // Top-level inet providers. "gvisor.dev/gvisor/pkg/sentry/socket/hostinet" + "gvisor.dev/gvisor/pkg/sentry/socket/netstack" + + // Include other supported socket providers. _ "gvisor.dev/gvisor/pkg/sentry/socket/netlink" _ "gvisor.dev/gvisor/pkg/sentry/socket/netlink/route" _ "gvisor.dev/gvisor/pkg/sentry/socket/netlink/uevent" - "gvisor.dev/gvisor/pkg/sentry/socket/netstack" _ "gvisor.dev/gvisor/pkg/sentry/socket/unix" ) diff --git a/runsc/cgroup/cgroup.go b/runsc/cgroup/cgroup.go index e5294de55..13c6a16a0 100644 --- a/runsc/cgroup/cgroup.go +++ b/runsc/cgroup/cgroup.go @@ -41,22 +41,22 @@ const ( ) var controllers = map[string]config{ - "blkio": config{ctrlr: &blockIO{}}, - "cpu": config{ctrlr: &cpu{}}, - "cpuset": config{ctrlr: &cpuSet{}}, - "hugetlb": config{ctrlr: &hugeTLB{}, optional: true}, - "memory": config{ctrlr: &memory{}}, - "net_cls": config{ctrlr: &networkClass{}}, - "net_prio": config{ctrlr: &networkPrio{}}, - "pids": config{ctrlr: &pids{}}, + "blkio": {ctrlr: &blockIO{}}, + "cpu": {ctrlr: &cpu{}}, + "cpuset": {ctrlr: &cpuSet{}}, + "hugetlb": {ctrlr: &hugeTLB{}, optional: true}, + "memory": {ctrlr: &memory{}}, + "net_cls": {ctrlr: &networkClass{}}, + "net_prio": {ctrlr: &networkPrio{}}, + "pids": {ctrlr: &pids{}}, // These controllers either don't have anything in the OCI spec or is // irrelevant for a sandbox. - "devices": config{ctrlr: &noop{}}, - "freezer": config{ctrlr: &noop{}}, - "perf_event": config{ctrlr: &noop{}}, - "rdma": config{ctrlr: &noop{}, optional: true}, - "systemd": config{ctrlr: &noop{}}, + "devices": {ctrlr: &noop{}}, + "freezer": {ctrlr: &noop{}}, + "perf_event": {ctrlr: &noop{}}, + "rdma": {ctrlr: &noop{}, optional: true}, + "systemd": {ctrlr: &noop{}}, } func setOptionalValueInt(path, name string, val *int64) error { @@ -371,6 +371,7 @@ func (c *Cgroup) Join() (func(), error) { return undo, nil } +// CPUQuota returns the CFS CPU quota. func (c *Cgroup) CPUQuota() (float64, error) { path := c.makePath("cpu") quota, err := getInt(path, "cpu.cfs_quota_us") diff --git a/runsc/cmd/syscalls.go b/runsc/cmd/syscalls.go index a37d66139..a8c83d662 100644 --- a/runsc/cmd/syscalls.go +++ b/runsc/cmd/syscalls.go @@ -147,7 +147,7 @@ func getCompatibilityInfo(osName string, archName string) (CompatibilityInfo, er info := CompatibilityInfo(make(map[string]map[string]ArchInfo)) if osName == osAll { // Special processing for the 'all' OS name. - for osName, _ := range syscallTableMap { + for osName := range syscallTableMap { info[osName] = make(map[string]ArchInfo) // osName is a specific OS name. if err := addToCompatibilityInfo(info, osName, archName); err != nil { @@ -171,7 +171,7 @@ func getCompatibilityInfo(osName string, archName string) (CompatibilityInfo, er func addToCompatibilityInfo(info CompatibilityInfo, osName string, archName string) error { if archName == archAll { // Special processing for the 'all' architecture name. - for archName, _ := range syscallTableMap[osName] { + for archName := range syscallTableMap[osName] { archInfo, err := getArchInfo(osName, archName) if err != nil { return err diff --git a/runsc/container/container.go b/runsc/container/container.go index 8b78660f7..5a0f8d5dc 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -983,6 +983,7 @@ func (c *Container) changeStatus(s Status) { c.Status = s } +// IsSandboxRunning returns true if the sandbox exists and is running. func (c *Container) IsSandboxRunning() bool { return c.Sandbox != nil && c.Sandbox.IsRunning() } diff --git a/runsc/flag/flag.go b/runsc/flag/flag.go index 775325c06..f921a8107 100644 --- a/runsc/flag/flag.go +++ b/runsc/flag/flag.go @@ -19,8 +19,10 @@ import ( "flag" ) +// FlagSet is an alias for flag.FlagSet. type FlagSet = flag.FlagSet +// Aliases for flag functions. var ( Bool = flag.Bool CommandLine = flag.CommandLine @@ -32,6 +34,7 @@ var ( Var = flag.Var ) +// ContinueOnError is an alias for flag.ContinueOnError. const ContinueOnError = flag.ContinueOnError // Get returns the flag's underlying object. diff --git a/runsc/fsgofer/fsgofer.go b/runsc/fsgofer/fsgofer.go index 3d94ffeb4..c3bba0973 100644 --- a/runsc/fsgofer/fsgofer.go +++ b/runsc/fsgofer/fsgofer.go @@ -758,15 +758,15 @@ func (l *localFile) SetAttr(valid p9.SetAttrMask, attr p9.SetAttr) error { // utimensat operates different that other syscalls. To operate on a // symlink it *requires* AT_SYMLINK_NOFOLLOW with dirFD and a non-empty // name. - parent, err := unix.Open(path.Dir(l.hostPath), openFlags|unix.O_PATH, 0) - if err != nil { - return extractErrno(err) + parent, oErr := unix.Open(path.Dir(l.hostPath), openFlags|unix.O_PATH, 0) + if oErr != nil { + return extractErrno(oErr) } defer unix.Close(parent) - if terr := utimensat(parent, path.Base(l.hostPath), utimes, linux.AT_SYMLINK_NOFOLLOW); terr != nil { - log.Debugf("SetAttr utimens failed %q, err: %v", l.hostPath, terr) - err = extractErrno(terr) + if tErr := utimensat(parent, path.Base(l.hostPath), utimes, linux.AT_SYMLINK_NOFOLLOW); tErr != nil { + log.Debugf("SetAttr utimens failed %q, err: %v", l.hostPath, tErr) + err = extractErrno(tErr) } } else { // Directories and regular files can operate directly on the fd @@ -787,9 +787,9 @@ func (l *localFile) SetAttr(valid p9.SetAttrMask, attr p9.SetAttr) error { if valid.GID { gid = int(attr.GID) } - if oerr := unix.Fchownat(f.FD(), "", uid, gid, linux.AT_EMPTY_PATH|linux.AT_SYMLINK_NOFOLLOW); oerr != nil { - log.Debugf("SetAttr fchownat failed %q, err: %v", l.hostPath, oerr) - err = extractErrno(oerr) + if oErr := unix.Fchownat(f.FD(), "", uid, gid, linux.AT_EMPTY_PATH|linux.AT_SYMLINK_NOFOLLOW); oErr != nil { + log.Debugf("SetAttr fchownat failed %q, err: %v", l.hostPath, oErr) + err = extractErrno(oErr) } } diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go index cfee9e63d..266bc0bdc 100644 --- a/runsc/sandbox/sandbox.go +++ b/runsc/sandbox/sandbox.go @@ -719,6 +719,8 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn nextFD++ } + _ = nextFD // All FD assignment is finished. + if args.Attached { // Kill sandbox if parent process exits in attached mode. cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL diff --git a/shim/v1/cli/cli.go b/shim/v1/cli/cli.go index 1a502eabd..cdf60cc2e 100644 --- a/shim/v1/cli/cli.go +++ b/shim/v1/cli/cli.go @@ -164,7 +164,6 @@ func serve(server *ttrpc.Server, path string) error { ) if path == "" { l, err = net.FileListener(os.NewFile(3, "socket")) - path = "[inherited from parent]" } else { if len(path) > 106 { return fmt.Errorf("%q: unix socket path too long (> 106)", path) |