Diffstat (limited to 'pkg/sentry/kernel')
-rw-r--r-- | pkg/sentry/kernel/BUILD | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/auth/BUILD | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/auth/credentials.go | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/futex/BUILD | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/kernel.go | 4 | ||||
-rw-r--r-- | pkg/sentry/kernel/signal_handlers.go | 17 | ||||
-rw-r--r-- | pkg/sentry/kernel/task.go | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_cgroup.go | 8 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_exec.go | 3 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_exit.go | 22 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_signals.go | 90 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_start.go | 3 | ||||
-rw-r--r-- | pkg/sentry/kernel/thread_group.go | 8 |
13 files changed, 74 insertions, 91 deletions
diff --git a/pkg/sentry/kernel/BUILD b/pkg/sentry/kernel/BUILD
index a1ec6daab..188c0ebff 100644
--- a/pkg/sentry/kernel/BUILD
+++ b/pkg/sentry/kernel/BUILD
@@ -32,7 +32,7 @@ go_template_instance(
 out = "seqatomic_taskgoroutineschedinfo_unsafe.go",
 package = "kernel",
 suffix = "TaskGoroutineSchedInfo",
- template = "//pkg/sync:generic_seqatomic",
+ template = "//pkg/sync/seqatomic:generic_seqatomic",
 types = {
 "Value": "TaskGoroutineSchedInfo",
 },
diff --git a/pkg/sentry/kernel/auth/BUILD b/pkg/sentry/kernel/auth/BUILD
index 869e49ebc..12180351d 100644
--- a/pkg/sentry/kernel/auth/BUILD
+++ b/pkg/sentry/kernel/auth/BUILD
@@ -8,7 +8,7 @@ go_template_instance(
 out = "atomicptr_credentials_unsafe.go",
 package = "auth",
 suffix = "Credentials",
- template = "//pkg/sync:generic_atomicptr",
+ template = "//pkg/sync/atomicptr:generic_atomicptr",
 types = {
 "Value": "Credentials",
 },
diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go
index 6862f2ef5..3325fedcb 100644
--- a/pkg/sentry/kernel/auth/credentials.go
+++ b/pkg/sentry/kernel/auth/credentials.go
@@ -125,7 +125,7 @@ func NewUserCredentials(kuid KUID, kgid KGID, extraKGIDs []KGID, capabilities *T
 creds.EffectiveCaps = capabilities.EffectiveCaps
 creds.BoundingCaps = capabilities.BoundingCaps
 creds.InheritableCaps = capabilities.InheritableCaps
- // TODO(nlacasse): Support ambient capabilities.
+ // TODO(gvisor.dev/issue/3166): Support ambient capabilities.
 } else {
 // If no capabilities are specified, grant capabilities consistent with
 // setresuid + setresgid from NewRootCredentials to the given uid and
diff --git a/pkg/sentry/kernel/futex/BUILD b/pkg/sentry/kernel/futex/BUILD
index a75686cf3..6c31e082c 100644
--- a/pkg/sentry/kernel/futex/BUILD
+++ b/pkg/sentry/kernel/futex/BUILD
@@ -8,7 +8,7 @@ go_template_instance(
 out = "atomicptr_bucket_unsafe.go",
 package = "futex",
 suffix = "Bucket",
- template = "//pkg/sync:generic_atomicptr",
+ template = "//pkg/sync/atomicptr:generic_atomicptr",
 types = {
 "Value": "bucket",
 },
diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go
index febe7fe50..c666be2cb 100644
--- a/pkg/sentry/kernel/kernel.go
+++ b/pkg/sentry/kernel/kernel.go
@@ -1861,7 +1861,9 @@ func (k *Kernel) PopulateNewCgroupHierarchy(root Cgroup) {
 return
 }
 t.mu.Lock()
- t.enterCgroupLocked(root)
+ // A task can be in the cgroup if it has been created after the
+ // cgroup hierarchy was registered.
+ t.enterCgroupIfNotYetLocked(root)
 t.mu.Unlock()
 })
 k.tasks.mu.RUnlock()
diff --git a/pkg/sentry/kernel/signal_handlers.go b/pkg/sentry/kernel/signal_handlers.go
index 768fda220..147cc41bb 100644
--- a/pkg/sentry/kernel/signal_handlers.go
+++ b/pkg/sentry/kernel/signal_handlers.go
@@ -16,7 +16,6 @@ package kernel
 import (
 "gvisor.dev/gvisor/pkg/abi/linux"
- "gvisor.dev/gvisor/pkg/sentry/arch"
 "gvisor.dev/gvisor/pkg/sync"
 )
@@ -30,14 +29,14 @@ type SignalHandlers struct {
 mu sync.Mutex `state:"nosave"`
 // actions is the action to be taken upon receiving each signal.
- actions map[linux.Signal]arch.SignalAct
+ actions map[linux.Signal]linux.SigAction
 }
 // NewSignalHandlers returns a new SignalHandlers specifying all default
 // actions.
 func NewSignalHandlers() *SignalHandlers {
 return &SignalHandlers{
- actions: make(map[linux.Signal]arch.SignalAct),
+ actions: make(map[linux.Signal]linux.SigAction),
 }
 }
@@ -59,9 +58,9 @@ func (sh *SignalHandlers) CopyForExec() *SignalHandlers {
 sh.mu.Lock()
 defer sh.mu.Unlock()
 for sig, act := range sh.actions {
- if act.Handler == arch.SignalActIgnore {
- sh2.actions[sig] = arch.SignalAct{
- Handler: arch.SignalActIgnore,
+ if act.Handler == linux.SIG_IGN {
+ sh2.actions[sig] = linux.SigAction{
+ Handler: linux.SIG_IGN,
 }
 }
 }
@@ -73,15 +72,15 @@ func (sh *SignalHandlers) IsIgnored(sig linux.Signal) bool {
 sh.mu.Lock()
 defer sh.mu.Unlock()
 sa, ok := sh.actions[sig]
- return ok && sa.Handler == arch.SignalActIgnore
+ return ok && sa.Handler == linux.SIG_IGN
 }
 // dequeueActionLocked returns the SignalAct that should be used to handle sig.
 //
 // Preconditions: sh.mu must be locked.
-func (sh *SignalHandlers) dequeueAction(sig linux.Signal) arch.SignalAct {
+func (sh *SignalHandlers) dequeueAction(sig linux.Signal) linux.SigAction {
 act := sh.actions[sig]
- if act.IsResetHandler() {
+ if act.Flags&linux.SA_RESETHAND != 0 {
 delete(sh.actions, sig)
 }
 return act
diff --git a/pkg/sentry/kernel/task.go b/pkg/sentry/kernel/task.go
index be1371855..9290dc52b 100644
--- a/pkg/sentry/kernel/task.go
+++ b/pkg/sentry/kernel/task.go
@@ -151,7 +151,7 @@ type Task struct {
 // which the SA_ONSTACK flag is set.
 //
 // signalStack is exclusive to the task goroutine.
- signalStack arch.SignalStack
+ signalStack linux.SignalStack
 // signalQueue is a set of registered waiters for signal-related events.
 //
diff --git a/pkg/sentry/kernel/task_cgroup.go b/pkg/sentry/kernel/task_cgroup.go
index 25d2504fa..7c138e80f 100644
--- a/pkg/sentry/kernel/task_cgroup.go
+++ b/pkg/sentry/kernel/task_cgroup.go
@@ -85,6 +85,14 @@ func (t *Task) enterCgroupLocked(c Cgroup) {
 c.Enter(t)
 }
+// +checklocks:t.mu
+func (t *Task) enterCgroupIfNotYetLocked(c Cgroup) {
+ if _, ok := t.cgroups[c]; ok {
+ return
+ }
+ t.enterCgroupLocked(c)
+}
+
 // LeaveCgroups removes t out from all its cgroups.
 func (t *Task) LeaveCgroups() {
 t.mu.Lock()
diff --git a/pkg/sentry/kernel/task_exec.go b/pkg/sentry/kernel/task_exec.go
index d9897e802..cf8571262 100644
--- a/pkg/sentry/kernel/task_exec.go
+++ b/pkg/sentry/kernel/task_exec.go
@@ -66,7 +66,6 @@ package kernel
 import (
 "gvisor.dev/gvisor/pkg/abi/linux"
- "gvisor.dev/gvisor/pkg/sentry/arch"
 "gvisor.dev/gvisor/pkg/sentry/fs"
 "gvisor.dev/gvisor/pkg/sentry/mm"
 "gvisor.dev/gvisor/pkg/sentry/vfs"
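Review bot: The doc comment kept as context above `dequeueAction` in signal_handlers.go is stale on two counts: it names `dequeueActionLocked`, which is not the function's name, and it says the function returns "the SignalAct" although the new signature returns `linux.SigAction`. Since this hunk already rewrites the signature, I would change the first comment line to `// dequeueAction returns the linux.SigAction that should be used to handle sig.` and keep the `Preconditions: sh.mu must be locked.` line. It is also worth one sentence saying that an action with `SA_RESETHAND` set is deleted from `sh.actions` by the call, so a reader sees that the map is mutated under that lock.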
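Review bot: `enterCgroupIfNotYetLocked` in task_cgroup.go is added with only the `+checklocks:t.mu` annotation and no doc comment, unlike `LeaveCgroups` directly below it. I would add `// enterCgroupIfNotYetLocked makes t a member of c unless t.cgroups already contains c.` above the annotation. The reason for the guard is currently explained only at the call site in `PopulateNewCgroupHierarchy`, so documenting it on the helper keeps the behaviour clear for any later caller.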
@@ -181,7 +180,7 @@ func (r *runSyscallAfterExecStop) execute(t *Task) taskRunState {
 t.tg.signalHandlers = t.tg.signalHandlers.CopyForExec()
 t.endStopCond.L = &t.tg.signalHandlers.mu
 // "Any alternate signal stack is not preserved (sigaltstack(2))." - execve(2)
- t.signalStack = arch.SignalStack{Flags: arch.SignalStackFlagDisable}
+ t.signalStack = linux.SignalStack{Flags: linux.SS_DISABLE}
 // "The termination signal is reset to SIGCHLD (see clone(2))."
 t.tg.terminationSignal = linux.SIGCHLD
 // execed indicates that the process can no longer join a process group
diff --git a/pkg/sentry/kernel/task_exit.go b/pkg/sentry/kernel/task_exit.go
index b1af1a7ef..5b17c0065 100644
--- a/pkg/sentry/kernel/task_exit.go
+++ b/pkg/sentry/kernel/task_exit.go
@@ -28,6 +28,7 @@ import (
 "errors"
 "fmt"
 "strconv"
+ "strings"
 "gvisor.dev/gvisor/pkg/abi/linux"
 "gvisor.dev/gvisor/pkg/sentry/arch"
@@ -50,6 +51,23 @@ type ExitStatus struct {
 Signo int
 }
+func (es ExitStatus) String() string {
+ var b strings.Builder
+ if code := es.Code; code != 0 {
+ if b.Len() != 0 {
+ b.WriteByte(' ')
+ }
+ _, _ = fmt.Fprintf(&b, "Code=%d", code)
+ }
+ if signal := es.Signo; signal != 0 {
+ if b.Len() != 0 {
+ b.WriteByte(' ')
+ }
+ _, _ = fmt.Fprintf(&b, "Signal=%d", signal)
+ }
+ return b.String()
+}
+
 // Signaled returns true if the ExitStatus indicates that the exiting task or
 // thread group was killed by a signal.
 func (es ExitStatus) Signaled() bool {
@@ -652,10 +670,10 @@ func (t *Task) exitNotifyLocked(fromPtraceDetach bool) {
 t.parent.tg.signalHandlers.mu.Lock()
 if t.tg.terminationSignal == linux.SIGCHLD || fromPtraceDetach {
 if act, ok := t.parent.tg.signalHandlers.actions[linux.SIGCHLD]; ok {
- if act.Handler == arch.SignalActIgnore {
+ if act.Handler == linux.SIG_IGN {
 t.exitParentAcked = true
 signalParent = false
- } else if act.Flags&arch.SignalFlagNoCldWait != 0 {
+ } else if act.Flags&linux.SA_NOCLDWAIT != 0 {
 t.exitParentAcked = true
 }
 }
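Review bot: In the new `ExitStatus.String` in task_exit.go, the first `if b.Len() != 0` guard, inside the `Code` branch, can never be true, because `b` has just been declared and nothing has been written to it. Only the guard in the `Signo` branch is reachable, so the first one can be dropped without changing the output. The method also returns an empty string when both `Code` and `Signo` are zero, which may make a clean exit hard to spot wherever the value is printed. The exported method has no doc comment, so at minimum I would add `// String returns a human-readable form of es; the result is empty when Code and Signo are both zero.`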
diff --git a/pkg/sentry/kernel/task_signals.go b/pkg/sentry/kernel/task_signals.go
index c2b9fc08f..b0ed0e023 100644
--- a/pkg/sentry/kernel/task_signals.go
+++ b/pkg/sentry/kernel/task_signals.go
@@ -86,7 +86,7 @@ var defaultActions = map[linux.Signal]SignalAction{
 }
 // computeAction figures out what to do given a signal number
-// and an arch.SignalAct. SIGSTOP always results in a SignalActionStop,
+// and an linux.SigAction. SIGSTOP always results in a SignalActionStop,
 // and SIGKILL always results in a SignalActionTerm.
 // Signal 0 is always ignored as many programs use it for various internal functions
 // and don't expect it to do anything.
@@ -97,7 +97,7 @@ var defaultActions = map[linux.Signal]SignalAction{
 // 0, the default action is taken;
 // 1, the signal is ignored;
 // anything else, the function returns SignalActionHandler.
-func computeAction(sig linux.Signal, act arch.SignalAct) SignalAction {
+func computeAction(sig linux.Signal, act linux.SigAction) SignalAction {
 switch sig {
 case linux.SIGSTOP:
 return SignalActionStop
@@ -108,9 +108,9 @@ func computeAction(sig linux.Signal, act arch.SignalAct) SignalAction {
 }
 switch act.Handler {
- case arch.SignalActDefault:
+ case linux.SIG_DFL:
 return defaultActions[sig]
- case arch.SignalActIgnore:
+ case linux.SIG_IGN:
 return SignalActionIgnore
 default:
 return SignalActionHandler
@@ -155,7 +155,7 @@ func (t *Task) PendingSignals() linux.SignalSet {
 }
 // deliverSignal delivers the given signal and returns the following run state.
-func (t *Task) deliverSignal(info *arch.SignalInfo, act arch.SignalAct) taskRunState {
+func (t *Task) deliverSignal(info *arch.SignalInfo, act linux.SigAction) taskRunState {
 sigact := computeAction(linux.Signal(info.Signo), act)
 if t.haveSyscallReturn {
@@ -172,7 +172,7 @@ func (t *Task) deliverSignal(info *arch.SignalInfo, act arch.SignalAct) taskRunS
 fallthrough
 case sre == syserror.ERESTART_RESTARTBLOCK:
 fallthrough
- case (sre == syserror.ERESTARTSYS && !act.IsRestart()):
+ case (sre == syserror.ERESTARTSYS && act.Flags&linux.SA_RESTART == 0):
 t.Debugf("Not restarting syscall %d after errno %d: interrupted by signal %d", t.Arch().SyscallNo(), sre, info.Signo)
 t.Arch().SetReturn(uintptr(-ExtractErrno(syserror.EINTR, -1)))
 default:
@@ -236,7 +236,7 @@ func (t *Task) deliverSignal(info *arch.SignalInfo, act arch.SignalAct) taskRunS
 // deliverSignalToHandler changes the task's userspace state to enter the given
 // user-configured handler for the given signal.
-func (t *Task) deliverSignalToHandler(info *arch.SignalInfo, act arch.SignalAct) error {
+func (t *Task) deliverSignalToHandler(info *arch.SignalInfo, act linux.SigAction) error {
 // Signal delivery to an application handler interrupts restartable
 // sequences.
 t.rseqInterrupt()
@@ -248,8 +248,8 @@ func (t *Task) deliverSignalToHandler(info *arch.SignalInfo, act arch.SignalAct)
 // N.B. This is a *copy* of the alternate stack that the user's signal
 // handler expects to see in its ucontext (even if it's not in use).
 alt := t.signalStack
- if act.IsOnStack() && alt.IsEnabled() {
- alt.SetOnStack()
+ if act.Flags&linux.SA_ONSTACK != 0 && alt.IsEnabled() {
+ alt.Flags |= linux.SS_ONSTACK
 if !alt.Contains(sp) {
 sp = hostarch.Addr(alt.Top())
 }
@@ -289,7 +289,7 @@ func (t *Task) deliverSignalToHandler(info *arch.SignalInfo, act arch.SignalAct)
 // Add our signal mask.
 newMask := t.signalMask | act.Mask
- if !act.IsNoDefer() {
+ if act.Flags&linux.SA_NODEFER == 0 {
 newMask |= linux.SignalSetOf(linux.Signal(info.Signo))
 }
 t.SetSignalMask(newMask)
@@ -572,9 +572,9 @@ func (t *Task) forceSignal(sig linux.Signal, unconditional bool) {
 func (t *Task) forceSignalLocked(sig linux.Signal, unconditional bool) {
 blocked := linux.SignalSetOf(sig)&t.signalMask != 0
 act := t.tg.signalHandlers.actions[sig]
- ignored := act.Handler == arch.SignalActIgnore
+ ignored := act.Handler == linux.SIG_IGN
 if blocked || ignored || unconditional {
- act.Handler = arch.SignalActDefault
+ act.Handler = linux.SIG_DFL
 t.tg.signalHandlers.actions[sig] = act
 if blocked {
 t.setSignalMaskLocked(t.signalMask &^ linux.SignalSetOf(sig))
@@ -641,17 +641,17 @@ func (t *Task) SetSavedSignalMask(mask linux.SignalSet) {
 }
 // SignalStack returns the task-private signal stack.
-func (t *Task) SignalStack() arch.SignalStack {
+func (t *Task) SignalStack() linux.SignalStack {
 t.p.PullFullState(t.MemoryManager().AddressSpace(), t.Arch())
 alt := t.signalStack
 if t.onSignalStack(alt) {
- alt.Flags |= arch.SignalStackFlagOnStack
+ alt.Flags |= linux.SS_ONSTACK
 }
 return alt
 }
 // onSignalStack returns true if the task is executing on the given signal stack.
-func (t *Task) onSignalStack(alt arch.SignalStack) bool {
+func (t *Task) onSignalStack(alt linux.SignalStack) bool {
 sp := hostarch.Addr(t.Arch().Stack())
 return alt.Contains(sp)
 }
@@ -661,30 +661,30 @@ func (t *Task) onSignalStack(alt arch.SignalStack) bool {
 // This value may not be changed if the task is currently executing on the
 // signal stack, i.e. if t.onSignalStack returns true. In this case, this
 // function will return false. Otherwise, true is returned.
-func (t *Task) SetSignalStack(alt arch.SignalStack) bool {
+func (t *Task) SetSignalStack(alt linux.SignalStack) bool {
 // Check that we're not executing on the stack.
 if t.onSignalStack(t.signalStack) {
 return false
 }
- if alt.Flags&arch.SignalStackFlagDisable != 0 {
+ if alt.Flags&linux.SS_DISABLE != 0 {
 // Don't record anything beyond the flags.
- t.signalStack = arch.SignalStack{
- Flags: arch.SignalStackFlagDisable,
+ t.signalStack = linux.SignalStack{
+ Flags: linux.SS_DISABLE,
 }
 } else {
 // Mask out irrelevant parts: only disable matters.
- alt.Flags &= arch.SignalStackFlagDisable
+ alt.Flags &= linux.SS_DISABLE
 t.signalStack = alt
 }
 return true
 }
-// SetSignalAct atomically sets the thread group's signal action for signal sig
+// SetSigAction atomically sets the thread group's signal action for signal sig
 // to *actptr (if actptr is not nil) and returns the old signal action.
-func (tg *ThreadGroup) SetSignalAct(sig linux.Signal, actptr *arch.SignalAct) (arch.SignalAct, error) {
+func (tg *ThreadGroup) SetSigAction(sig linux.Signal, actptr *linux.SigAction) (linux.SigAction, error) {
 if !sig.IsValid() {
- return arch.SignalAct{}, syserror.EINVAL
+ return linux.SigAction{}, syserror.EINVAL
 }
 tg.pidns.owner.mu.RLock()
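Review bot: In `SetSignalStack`, the `else` branch is reached only when `alt.Flags&linux.SS_DISABLE` is zero, so `alt.Flags &= linux.SS_DISABLE` always stores 0, and the comment "only disable matters" hides the fact that every caller-supplied flag bit is discarded. Writing `alt.Flags = 0` with a comment such as `// No caller-supplied flag is recorded for an enabled stack; SS_ONSTACK is derived in SignalStack().` would state the intent directly. Any validation of the flags passed in from the application presumably happens in the sigaltstack syscall path, which is outside this hunk, so the comment should not suggest that it is done here.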
@@ -718,48 +718,6 @@ func (tg *ThreadGroup) SetSignalAct(sig linux.Signal, actptr *arch.SignalAct) (a
 return oldact, nil
 }
-// CopyOutSignalAct converts the given SignalAct into an architecture-specific
-// type and then copies it out to task memory.
-func (t *Task) CopyOutSignalAct(addr hostarch.Addr, s *arch.SignalAct) error {
- n := t.Arch().NewSignalAct()
- n.SerializeFrom(s)
- _, err := n.CopyOut(t, addr)
- return err
-}
-
-// CopyInSignalAct copies an architecture-specific sigaction type from task
-// memory and then converts it into a SignalAct.
-func (t *Task) CopyInSignalAct(addr hostarch.Addr) (arch.SignalAct, error) {
- n := t.Arch().NewSignalAct()
- var s arch.SignalAct
- if _, err := n.CopyIn(t, addr); err != nil {
- return s, err
- }
- n.DeserializeTo(&s)
- return s, nil
-}
-
-// CopyOutSignalStack converts the given SignalStack into an
-// architecture-specific type and then copies it out to task memory.
-func (t *Task) CopyOutSignalStack(addr hostarch.Addr, s *arch.SignalStack) error {
- n := t.Arch().NewSignalStack()
- n.SerializeFrom(s)
- _, err := n.CopyOut(t, addr)
- return err
-}
-
-// CopyInSignalStack copies an architecture-specific stack_t from task memory
-// and then converts it into a SignalStack.
-func (t *Task) CopyInSignalStack(addr hostarch.Addr) (arch.SignalStack, error) {
- n := t.Arch().NewSignalStack()
- var s arch.SignalStack
- if _, err := n.CopyIn(t, addr); err != nil {
- return s, err
- }
- n.DeserializeTo(&s)
- return s, nil
-}
-
 // groupStop is a TaskStop placed on tasks that have received a stop signal
 // (SIGSTOP, SIGTSTP, SIGTTIN, SIGTTOU). (The term "group-stop" originates from
 // the ptrace man page.)
@@ -909,7 +867,7 @@ func (t *Task) signalStop(target *Task, code int32, status int32) {
 t.tg.signalHandlers.mu.Lock()
 defer t.tg.signalHandlers.mu.Unlock()
 act, ok := t.tg.signalHandlers.actions[linux.SIGCHLD]
- if !ok || (act.Handler != arch.SignalActIgnore && act.Flags&arch.SignalFlagNoCldStop == 0) {
+ if !ok || (act.Handler != linux.SIG_IGN && act.Flags&linux.SA_NOCLDSTOP == 0) {
 sigchld := &arch.SignalInfo{
 Signo: int32(linux.SIGCHLD),
 Code: code,
diff --git a/pkg/sentry/kernel/task_start.go b/pkg/sentry/kernel/task_start.go
index 32031cd70..41fd2d471 100644
--- a/pkg/sentry/kernel/task_start.go
+++ b/pkg/sentry/kernel/task_start.go
@@ -18,7 +18,6 @@ import (
 "gvisor.dev/gvisor/pkg/abi/linux"
 "gvisor.dev/gvisor/pkg/context"
 "gvisor.dev/gvisor/pkg/hostarch"
- "gvisor.dev/gvisor/pkg/sentry/arch"
 "gvisor.dev/gvisor/pkg/sentry/inet"
 "gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 "gvisor.dev/gvisor/pkg/sentry/kernel/futex"
@@ -131,7 +130,7 @@ func (ts *TaskSet) newTask(cfg *TaskConfig) (*Task, error) {
 runState: (*runApp)(nil),
 interruptChan: make(chan struct{}, 1),
 signalMask: cfg.SignalMask,
- signalStack: arch.SignalStack{Flags: arch.SignalStackFlagDisable},
+ signalStack: linux.SignalStack{Flags: linux.SS_DISABLE},
 image: *image,
 fsContext: cfg.FSContext,
 fdTable: cfg.FDTable,
diff --git a/pkg/sentry/kernel/thread_group.go b/pkg/sentry/kernel/thread_group.go
index b92e98fa1..e22ddcd21 100644
--- a/pkg/sentry/kernel/thread_group.go
+++ b/pkg/sentry/kernel/thread_group.go
@@ -490,10 +490,10 @@ func (tg *ThreadGroup) SetForegroundProcessGroup(tty *TTY, pgid ProcessGroupID)
 tg.signalHandlers.mu.Lock()
 defer tg.signalHandlers.mu.Unlock()
- // TODO(b/129283598): "If tcsetpgrp() is called by a member of a
- // background process group in its session, and the calling process is
- // not blocking or ignoring SIGTTOU, a SIGTTOU signal is sent to all
- // members of this background process group."
+ // TODO(gvisor.dev/issue/6148): "If tcsetpgrp() is called by a member of a
+ // background process group in its session, and the calling process is not
+ // blocking or ignoring SIGTTOU, a SIGTTOU signal is sent to all members of
+ // this background process group."
 // tty must be the controlling terminal.
 if tg.tty != tty { |