Diffstat (limited to 'pkg/sentry/kernel')
-rw-r--r--pkg/sentry/kernel/BUILD1
-rw-r--r--pkg/sentry/kernel/abstract_socket_namespace.go4
-rw-r--r--pkg/sentry/kernel/epoll/BUILD1
-rw-r--r--pkg/sentry/kernel/epoll/epoll.go16
-rw-r--r--pkg/sentry/kernel/eventfd/BUILD1
-rw-r--r--pkg/sentry/kernel/eventfd/eventfd.go22
-rw-r--r--pkg/sentry/kernel/fd_table.go32
-rw-r--r--pkg/sentry/kernel/futex/BUILD1
-rw-r--r--pkg/sentry/kernel/futex/futex_test.go4
-rw-r--r--pkg/sentry/kernel/pipe/BUILD1
-rw-r--r--pkg/sentry/kernel/pipe/pipe.go4
-rw-r--r--pkg/sentry/kernel/pipe/pipe_util.go4
-rw-r--r--pkg/sentry/kernel/seccomp.go5
-rw-r--r--pkg/sentry/kernel/task_syscall.go10
14 files changed, 55 insertions, 51 deletions
diff --git a/pkg/sentry/kernel/BUILD b/pkg/sentry/kernel/BUILD
index 8a5b11d40..c53e3e720 100644
--- a/pkg/sentry/kernel/BUILD
+++ b/pkg/sentry/kernel/BUILD
@@ -277,6 +277,7 @@ go_library(
"//pkg/tcpip/stack",
"//pkg/usermem",
"//pkg/waiter",
+ "@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/pkg/sentry/kernel/abstract_socket_namespace.go b/pkg/sentry/kernel/abstract_socket_namespace.go
index 0ddbe5ff6..d100e58d7 100644
--- a/pkg/sentry/kernel/abstract_socket_namespace.go
+++ b/pkg/sentry/kernel/abstract_socket_namespace.go
@@ -16,8 +16,8 @@ package kernel
import (
"fmt"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/refsvfs2"
"gvisor.dev/gvisor/pkg/sentry/socket/unix/transport"
@@ -97,7 +97,7 @@ func (a *AbstractSocketNamespace) Bind(ctx context.Context, name string, ep tran
if ep, ok := a.endpoints[name]; ok {
if ep.socket.TryIncRef() {
ep.socket.DecRef(ctx)
- return syscall.EADDRINUSE
+ return unix.EADDRINUSE
}
}
diff --git a/pkg/sentry/kernel/epoll/BUILD b/pkg/sentry/kernel/epoll/BUILD
index 75eedd5a2..723a85f64 100644
--- a/pkg/sentry/kernel/epoll/BUILD
+++ b/pkg/sentry/kernel/epoll/BUILD
@@ -33,6 +33,7 @@ go_library(
"//pkg/sync",
"//pkg/usermem",
"//pkg/waiter",
+ "@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/pkg/sentry/kernel/epoll/epoll.go b/pkg/sentry/kernel/epoll/epoll.go
index 407b6e917..ba73a7812 100644
--- a/pkg/sentry/kernel/epoll/epoll.go
+++ b/pkg/sentry/kernel/epoll/epoll.go
@@ -24,8 +24,8 @@ package epoll
import (
"fmt"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/refs"
@@ -173,12 +173,12 @@ func (e *EventPoll) Release(ctx context.Context) {
// Read implements fs.FileOperations.Read.
func (*EventPoll) Read(context.Context, *fs.File, usermem.IOSequence, int64) (int64, error) {
- return 0, syscall.ENOSYS
+ return 0, unix.ENOSYS
}
// Write implements fs.FileOperations.Write.
func (*EventPoll) Write(context.Context, *fs.File, usermem.IOSequence, int64) (int64, error) {
- return 0, syscall.ENOSYS
+ return 0, unix.ENOSYS
}
// eventsAvailable determines if 'e' has events available for delivery.
@@ -358,18 +358,18 @@ func (e *EventPoll) AddEntry(id FileIdentifier, flags EntryFlags, mask waiter.Ev
// Fail if the file already has an entry.
if _, ok := e.files[id]; ok {
- return syscall.EEXIST
+ return unix.EEXIST
}
// Check if a cycle would be created. We use 4 as the limit because
// that's the value used by linux and we want to emulate it.
if ep != nil {
if e == ep {
- return syscall.EINVAL
+ return unix.EINVAL
}
if ep.observes(e, 4) {
- return syscall.ELOOP
+ return unix.ELOOP
}
}
@@ -404,7 +404,7 @@ func (e *EventPoll) UpdateEntry(id FileIdentifier, flags EntryFlags, mask waiter
// Fail if the file doesn't have an entry.
entry, ok := e.files[id]
if !ok {
- return syscall.ENOENT
+ return unix.ENOENT
}
// Unregister the old mask and remove entry from the list it's in, so
@@ -435,7 +435,7 @@ func (e *EventPoll) RemoveEntry(ctx context.Context, id FileIdentifier) error {
// Fail if the file doesn't have an entry.
entry, ok := e.files[id]
if !ok {
- return syscall.ENOENT
+ return unix.ENOENT
}
// Unregister from file first so that no concurrent attempts will be
diff --git a/pkg/sentry/kernel/eventfd/BUILD b/pkg/sentry/kernel/eventfd/BUILD
index 9983a32e5..7ecbd29ab 100644
--- a/pkg/sentry/kernel/eventfd/BUILD
+++ b/pkg/sentry/kernel/eventfd/BUILD
@@ -17,6 +17,7 @@ go_library(
"//pkg/syserror",
"//pkg/usermem",
"//pkg/waiter",
+ "@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/pkg/sentry/kernel/eventfd/eventfd.go b/pkg/sentry/kernel/eventfd/eventfd.go
index bbf568dfc..64f1cc631 100644
--- a/pkg/sentry/kernel/eventfd/eventfd.go
+++ b/pkg/sentry/kernel/eventfd/eventfd.go
@@ -18,8 +18,8 @@ package eventfd
import (
"math"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/fdnotifier"
@@ -91,13 +91,13 @@ func (e *EventOperations) HostFD() (int, error) {
flags |= linux.EFD_SEMAPHORE
}
- fd, _, err := syscall.Syscall(syscall.SYS_EVENTFD2, uintptr(e.val), uintptr(flags), 0)
+ fd, _, err := unix.Syscall(unix.SYS_EVENTFD2, uintptr(e.val), uintptr(flags), 0)
if err != 0 {
return -1, err
}
if err := fdnotifier.AddFD(int32(fd), &e.wq); err != nil {
- syscall.Close(int(fd))
+ unix.Close(int(fd))
return -1, err
}
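Review bot: The raw `unix.Syscall(unix.SYS_EVENTFD2, ...)` call in HostFD could use the typed wrapper that golang.org/x/sys/unix already provides, e.g. `fd, err := unix.Eventfd(uint(e.val), int(flags))` followed by `if err != nil {`, which returns an `int` and an `error` and removes the `err != 0` comparison and the `int(fd)` conversion from `uintptr`. Separately, eventfd2 takes a 32-bit initial count, so if `e.val` is a 64-bit counter (its type is not visible in this hunk) a large value would be truncated when the host FD is created; a bounds check before the call would make that explicit. The result of `unix.Close(int(fd))` on the failure path is discarded, which is reasonable for cleanup but deserves a short comment such as `// Best-effort close; the AddFD error is what the caller needs.` HostFD starts and ends outside this hunk.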
@@ -111,7 +111,7 @@ func (e *EventOperations) Release(context.Context) {
defer e.mu.Unlock()
if e.hostfd >= 0 {
fdnotifier.RemoveFD(int32(e.hostfd))
- syscall.Close(e.hostfd)
+ unix.Close(e.hostfd)
e.hostfd = -1
}
}
@@ -119,7 +119,7 @@ func (e *EventOperations) Release(context.Context) {
// Read implements fs.FileOperations.Read.
func (e *EventOperations) Read(ctx context.Context, _ *fs.File, dst usermem.IOSequence, _ int64) (int64, error) {
if dst.NumBytes() < 8 {
- return 0, syscall.EINVAL
+ return 0, unix.EINVAL
}
if err := e.read(ctx, dst); err != nil {
return 0, err
@@ -130,7 +130,7 @@ func (e *EventOperations) Read(ctx context.Context, _ *fs.File, dst usermem.IOSe
// Write implements fs.FileOperations.Write.
func (e *EventOperations) Write(ctx context.Context, _ *fs.File, src usermem.IOSequence, _ int64) (int64, error) {
if src.NumBytes() < 8 {
- return 0, syscall.EINVAL
+ return 0, unix.EINVAL
}
if err := e.write(ctx, src); err != nil {
return 0, err
@@ -142,8 +142,8 @@ func (e *EventOperations) Write(ctx context.Context, _ *fs.File, src usermem.IOS
func (e *EventOperations) hostRead(ctx context.Context, dst usermem.IOSequence) error {
var buf [8]byte
- if _, err := syscall.Read(e.hostfd, buf[:]); err != nil {
- if err == syscall.EWOULDBLOCK {
+ if _, err := unix.Read(e.hostfd, buf[:]); err != nil {
+ if err == unix.EWOULDBLOCK {
return syserror.ErrWouldBlock
}
return err
@@ -195,8 +195,8 @@ func (e *EventOperations) read(ctx context.Context, dst usermem.IOSequence) erro
func (e *EventOperations) hostWrite(val uint64) error {
var buf [8]byte
usermem.ByteOrder.PutUint64(buf[:], val)
- _, err := syscall.Write(e.hostfd, buf[:])
- if err == syscall.EWOULDBLOCK {
+ _, err := unix.Write(e.hostfd, buf[:])
+ if err == unix.EWOULDBLOCK {
return syserror.ErrWouldBlock
}
return err
@@ -215,7 +215,7 @@ func (e *EventOperations) write(ctx context.Context, src usermem.IOSequence) err
// Signal is an internal function to signal the event fd.
func (e *EventOperations) Signal(val uint64) error {
if val == math.MaxUint64 {
- return syscall.EINVAL
+ return unix.EINVAL
}
e.mu.Lock()
diff --git a/pkg/sentry/kernel/fd_table.go b/pkg/sentry/kernel/fd_table.go
index a6afabb1c..10885688c 100644
--- a/pkg/sentry/kernel/fd_table.go
+++ b/pkg/sentry/kernel/fd_table.go
@@ -19,8 +19,8 @@ import (
"math"
"strings"
"sync/atomic"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/sentry/fs"
@@ -253,7 +253,7 @@ func (f *FDTable) String() string {
func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags FDFlags) (fds []int32, err error) {
if fd < 0 {
// Don't accept negative FDs.
- return nil, syscall.EINVAL
+ return nil, unix.EINVAL
}
// Default limit.
@@ -266,7 +266,7 @@ func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags
end = int32(lim.Cur)
}
if fd >= end {
- return nil, syscall.EMFILE
+ return nil, unix.EMFILE
}
}
@@ -300,7 +300,7 @@ func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags
for _, file := range files[:len(fds)] {
file.DecRef(ctx)
}
- return nil, syscall.EMFILE
+ return nil, unix.EMFILE
}
if fd == f.next {
@@ -318,7 +318,7 @@ func (f *FDTable) NewFDs(ctx context.Context, fd int32, files []*fs.File, flags
func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDescription, flags FDFlags) (fds []int32, err error) {
if fd < 0 {
// Don't accept negative FDs.
- return nil, syscall.EINVAL
+ return nil, unix.EINVAL
}
// Default limit.
@@ -331,7 +331,7 @@ func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDes
end = int32(lim.Cur)
}
if fd >= end {
- return nil, syscall.EMFILE
+ return nil, unix.EMFILE
}
}
@@ -365,7 +365,7 @@ func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDes
for _, file := range files[:len(fds)] {
file.DecRef(ctx)
}
- return nil, syscall.EMFILE
+ return nil, unix.EMFILE
}
if fd == f.next {
@@ -382,7 +382,7 @@ func (f *FDTable) NewFDsVFS2(ctx context.Context, fd int32, files []*vfs.FileDes
func (f *FDTable) NewFDVFS2(ctx context.Context, minfd int32, file *vfs.FileDescription, flags FDFlags) (int32, error) {
if minfd < 0 {
// Don't accept negative FDs.
- return -1, syscall.EINVAL
+ return -1, unix.EINVAL
}
// Default limit.
@@ -395,7 +395,7 @@ func (f *FDTable) NewFDVFS2(ctx context.Context, minfd int32, file *vfs.FileDesc
end = int32(lim.Cur)
}
if minfd >= end {
- return -1, syscall.EMFILE
+ return -1, unix.EMFILE
}
}
@@ -418,7 +418,7 @@ func (f *FDTable) NewFDVFS2(ctx context.Context, minfd int32, file *vfs.FileDesc
}
fd++
}
- return -1, syscall.EMFILE
+ return -1, unix.EMFILE
}
// NewFDAt sets the file reference for the given FD. If there is an active
@@ -452,13 +452,13 @@ func (f *FDTable) NewFDAtVFS2(ctx context.Context, fd int32, file *vfs.FileDescr
func (f *FDTable) newFDAt(ctx context.Context, fd int32, file *fs.File, fileVFS2 *vfs.FileDescription, flags FDFlags) (*fs.File, *vfs.FileDescription, error) {
if fd < 0 {
// Don't accept negative FDs.
- return nil, nil, syscall.EBADF
+ return nil, nil, unix.EBADF
}
// Check the limit for the provided file.
if limitSet := limits.FromContext(ctx); limitSet != nil {
if lim := limitSet.Get(limits.NumberOfFiles); lim.Cur != limits.Infinity && uint64(fd) >= lim.Cur {
- return nil, nil, syscall.EMFILE
+ return nil, nil, unix.EMFILE
}
}
@@ -476,7 +476,7 @@ func (f *FDTable) newFDAt(ctx context.Context, fd int32, file *fs.File, fileVFS2
func (f *FDTable) SetFlags(ctx context.Context, fd int32, flags FDFlags) error {
if fd < 0 {
// Don't accept negative FDs.
- return syscall.EBADF
+ return unix.EBADF
}
f.mu.Lock()
@@ -485,7 +485,7 @@ func (f *FDTable) SetFlags(ctx context.Context, fd int32, flags FDFlags) error {
file, _, _ := f.get(fd)
if file == nil {
// No file found.
- return syscall.EBADF
+ return unix.EBADF
}
// Update the flags.
@@ -499,7 +499,7 @@ func (f *FDTable) SetFlags(ctx context.Context, fd int32, flags FDFlags) error {
func (f *FDTable) SetFlagsVFS2(ctx context.Context, fd int32, flags FDFlags) error {
if fd < 0 {
// Don't accept negative FDs.
- return syscall.EBADF
+ return unix.EBADF
}
f.mu.Lock()
@@ -508,7 +508,7 @@ func (f *FDTable) SetFlagsVFS2(ctx context.Context, fd int32, flags FDFlags) err
file, _, _ := f.getVFS2(fd)
if file == nil {
// No file found.
- return syscall.EBADF
+ return unix.EBADF
}
// Update the flags.
diff --git a/pkg/sentry/kernel/futex/BUILD b/pkg/sentry/kernel/futex/BUILD
index daa2dae76..041e3d4ca 100644
--- a/pkg/sentry/kernel/futex/BUILD
+++ b/pkg/sentry/kernel/futex/BUILD
@@ -54,5 +54,6 @@ go_test(
"//pkg/context",
"//pkg/sync",
"//pkg/usermem",
+ "@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/pkg/sentry/kernel/futex/futex_test.go b/pkg/sentry/kernel/futex/futex_test.go
index d0128c548..ba7f95d8a 100644
--- a/pkg/sentry/kernel/futex/futex_test.go
+++ b/pkg/sentry/kernel/futex/futex_test.go
@@ -18,10 +18,10 @@ import (
"math"
"runtime"
"sync/atomic"
- "syscall"
"testing"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/sync"
"gvisor.dev/gvisor/pkg/usermem"
@@ -488,7 +488,7 @@ func (t *testMutex) Lock() {
// Wait for it to be "not locked".
w := NewWaiter()
err := t.m.WaitPrepare(w, t.d, t.a, true, testMutexLocked, ^uint32(0))
- if err == syscall.EAGAIN {
+ if err == unix.EAGAIN {
continue
}
if err != nil {
diff --git a/pkg/sentry/kernel/pipe/BUILD b/pkg/sentry/kernel/pipe/BUILD
index 71daa9f4b..beba6d97d 100644
--- a/pkg/sentry/kernel/pipe/BUILD
+++ b/pkg/sentry/kernel/pipe/BUILD
@@ -32,6 +32,7 @@ go_library(
"//pkg/syserror",
"//pkg/usermem",
"//pkg/waiter",
+ "@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/pkg/sentry/kernel/pipe/pipe.go b/pkg/sentry/kernel/pipe/pipe.go
index 2c8668fc4..68a55a186 100644
--- a/pkg/sentry/kernel/pipe/pipe.go
+++ b/pkg/sentry/kernel/pipe/pipe.go
@@ -19,8 +19,8 @@ import (
"fmt"
"io"
"sync/atomic"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/context"
"gvisor.dev/gvisor/pkg/safemem"
"gvisor.dev/gvisor/pkg/sentry/fs"
@@ -244,7 +244,7 @@ func (p *Pipe) consumeLocked(n int64) {
func (p *Pipe) writeLocked(count int64, f func(safemem.BlockSeq) (uint64, error)) (int64, error) {
// Can't write to a pipe with no readers.
if !p.HasReaders() {
- return 0, syscall.EPIPE
+ return 0, unix.EPIPE
}
avail := p.max - p.size
diff --git a/pkg/sentry/kernel/pipe/pipe_util.go b/pkg/sentry/kernel/pipe/pipe_util.go
index 77246edbe..76ea389ca 100644
--- a/pkg/sentry/kernel/pipe/pipe_util.go
+++ b/pkg/sentry/kernel/pipe/pipe_util.go
@@ -17,8 +17,8 @@ package pipe
import (
"io"
"math"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/amutex"
"gvisor.dev/gvisor/pkg/context"
@@ -139,7 +139,7 @@ func (p *Pipe) Ioctl(ctx context.Context, io usermem.IO, args arch.SyscallArgume
_, err := primitive.CopyInt32Out(&iocc, args[2].Pointer(), int32(v))
return 0, err
default:
- return 0, syscall.ENOTTY
+ return 0, unix.ENOTTY
}
}
diff --git a/pkg/sentry/kernel/seccomp.go b/pkg/sentry/kernel/seccomp.go
index 60917e7d3..8163a6132 100644
--- a/pkg/sentry/kernel/seccomp.go
+++ b/pkg/sentry/kernel/seccomp.go
@@ -15,8 +15,7 @@
package kernel
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/bpf"
"gvisor.dev/gvisor/pkg/sentry/arch"
@@ -83,7 +82,7 @@ func (t *Task) checkSeccompSyscall(sysno int32, args arch.SyscallArguments, ip u
// the system call is not executed."
if !t.ptraceSeccomp(result.Data()) {
// This useless-looking temporary is needed because Go.
- tmp := uintptr(syscall.ENOSYS)
+ tmp := uintptr(unix.ENOSYS)
t.Arch().SetReturn(-tmp)
return linux.SECCOMP_RET_ERRNO
}
diff --git a/pkg/sentry/kernel/task_syscall.go b/pkg/sentry/kernel/task_syscall.go
index 0141459e7..2e84bd88a 100644
--- a/pkg/sentry/kernel/task_syscall.go
+++ b/pkg/sentry/kernel/task_syscall.go
@@ -18,8 +18,8 @@ import (
"fmt"
"os"
"runtime/trace"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
"gvisor.dev/gvisor/pkg/bits"
"gvisor.dev/gvisor/pkg/marshal"
@@ -113,7 +113,7 @@ func (t *Task) executeSyscall(sysno uintptr, args arch.SyscallArguments) (rval u
if bits.IsOn32(fe, ExternalAfterEnable) && (s.ExternalFilterAfter == nil || s.ExternalFilterAfter(t, sysno, args)) {
t.invokeExternal()
- // Don't reinvoke the syscall.
+ // Don't reinvoke the unix.
}
if bits.IsAnyOn32(fe, StraceEnableBits) {
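Review bot: The comment changed in this hunk now reads `// Don't reinvoke the unix.`, which looks like a side effect of the mechanical `syscall.` to `unix.` replacement rather than an intended edit; it should stay `// Don't reinvoke the syscall.`. This is the only explanation attached to the `t.invokeExternal()` branch, so the garbled wording leaves that path undocumented. Searching the rest of the change for `the unix.` in comments and string literals would show whether other prose was rewritten the same way. executeSyscall starts and ends outside this hunk.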
@@ -147,7 +147,7 @@ func (t *Task) doSyscall() taskRunState {
// Tracers expect to see this between when the task traps into the kernel
// to perform a syscall and when the syscall is actually invoked.
// This useless-looking temporary is needed because Go.
- tmp := uintptr(syscall.ENOSYS)
+ tmp := uintptr(unix.ENOSYS)
t.Arch().SetReturn(-tmp)
// Check seccomp filters. The nil check is for performance (as seccomp use
@@ -379,7 +379,7 @@ func ExtractErrno(err error, sysno int) int {
switch err := err.(type) {
case nil:
return 0
- case syscall.Errno:
+ case unix.Errno:
return int(err)
case syserror.SyscallRestartErrno:
return int(err)
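Review bot: The `case unix.Errno:` arm in ExtractErrno deserves a one-line comment, since this switch still has to match errno values produced by the standard library (for example those unwrapped from `*os.PathError` in the following hunk). `unix.Errno` is declared as an alias of `syscall.Errno`, so behaviour is unchanged, but a reader who does not know that may assume the two are distinct types and add a second arm for `syscall.Errno`, which would fail to compile as a duplicate case. Suggested comment: `// unix.Errno is an alias for syscall.Errno, so stdlib errnos match here too.` ExtractErrno starts and ends outside this hunk.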
@@ -387,7 +387,7 @@ func ExtractErrno(err error, sysno int) int {
// Bus errors may generate SIGBUS, but for syscalls they still
// return EFAULT. See case in task_run.go where the fault is
// handled (and the SIGBUS is delivered).
- return int(syscall.EFAULT)
+ return int(unix.EFAULT)
case *os.PathError:
return ExtractErrno(err.Err, sysno)
case *os.LinkError: