diff options
Diffstat (limited to 'pkg/sentry/platform/ptrace')
-rw-r--r-- | pkg/sentry/platform/ptrace/filters.go | 9 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go | 18 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/ptrace_unsafe.go | 66 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/stub_unsafe.go | 18 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/subprocess.go | 77 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/subprocess_amd64.go | 19 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/subprocess_arm64.go | 11 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/subprocess_linux.go | 66 | ||||
-rw-r--r-- | pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go | 6 |
9 files changed, 143 insertions, 147 deletions
diff --git a/pkg/sentry/platform/ptrace/filters.go b/pkg/sentry/platform/ptrace/filters.go index 20fc62acb..ba4503b0d 100644 --- a/pkg/sentry/platform/ptrace/filters.go +++ b/pkg/sentry/platform/ptrace/filters.go @@ -15,16 +15,15 @@ package ptrace import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/seccomp" ) // SyscallFilters returns syscalls made exclusively by the ptrace platform. func (*PTrace) SyscallFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_PTRACE: {}, - syscall.SYS_TGKILL: {}, - syscall.SYS_WAIT4: {}, + unix.SYS_PTRACE: {}, + unix.SYS_TGKILL: {}, + unix.SYS_WAIT4: {}, } } diff --git a/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go b/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go index 32b8a6be9..4f7fe993a 100644 --- a/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go +++ b/pkg/sentry/platform/ptrace/ptrace_arm64_unsafe.go @@ -17,21 +17,21 @@ package ptrace import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) // getTLS gets the thread local storage register. func (t *thread) getTLS(tls *uint64) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(tls)), Len: uint64(unsafe.Sizeof(*tls)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETREGSET, uintptr(t.tid), linux.NT_ARM_TLS, uintptr(unsafe.Pointer(&iovec)), @@ -44,13 +44,13 @@ func (t *thread) getTLS(tls *uint64) error { // setTLS sets the thread local storage register. func (t *thread) setTLS(tls *uint64) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(tls)), Len: uint64(unsafe.Sizeof(*tls)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETREGSET, uintptr(t.tid), linux.NT_ARM_TLS, uintptr(unsafe.Pointer(&iovec)), diff --git a/pkg/sentry/platform/ptrace/ptrace_unsafe.go b/pkg/sentry/platform/ptrace/ptrace_unsafe.go index 8b72d24e8..2c21f946e 100644 --- a/pkg/sentry/platform/ptrace/ptrace_unsafe.go +++ b/pkg/sentry/platform/ptrace/ptrace_unsafe.go @@ -15,9 +15,9 @@ package ptrace import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/sentry/arch" "gvisor.dev/gvisor/pkg/usermem" @@ -25,13 +25,13 @@ import ( // getRegs gets the general purpose register set. func (t *thread) getRegs(regs *arch.Registers) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(regs)), Len: uint64(unsafe.Sizeof(*regs)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETREGSET, uintptr(t.tid), linux.NT_PRSTATUS, uintptr(unsafe.Pointer(&iovec)), @@ -44,13 +44,13 @@ func (t *thread) getRegs(regs *arch.Registers) error { // setRegs sets the general purpose register set. func (t *thread) setRegs(regs *arch.Registers) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(unsafe.Pointer(regs)), Len: uint64(unsafe.Sizeof(*regs)), } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETREGSET, uintptr(t.tid), linux.NT_PRSTATUS, uintptr(unsafe.Pointer(&iovec)), @@ -61,15 +61,15 @@ func (t *thread) setRegs(regs *arch.Registers) error { return nil } -// getFPRegs gets the floating-point data via the GETREGSET ptrace syscall. +// getFPRegs gets the floating-point data via the GETREGSET ptrace unix. func (t *thread) getFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsave bool) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(fpState), Len: fpLen, } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETREGSET, uintptr(t.tid), fpRegSet(useXsave), uintptr(unsafe.Pointer(&iovec)), @@ -80,15 +80,15 @@ func (t *thread) getFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsa return nil } -// setFPRegs sets the floating-point data via the SETREGSET ptrace syscall. +// setFPRegs sets the floating-point data via the SETREGSET ptrace unix. func (t *thread) setFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsave bool) error { - iovec := syscall.Iovec{ + iovec := unix.Iovec{ Base: (*byte)(fpState), Len: fpLen, } - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETREGSET, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETREGSET, uintptr(t.tid), fpRegSet(useXsave), uintptr(unsafe.Pointer(&iovec)), @@ -101,9 +101,9 @@ func (t *thread) setFPRegs(fpState *arch.FloatingPointData, fpLen uint64, useXsa // getSignalInfo retrieves information about the signal that caused the stop. func (t *thread) getSignalInfo(si *arch.SignalInfo) error { - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETSIGINFO, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETSIGINFO, uintptr(t.tid), 0, uintptr(unsafe.Pointer(si)), @@ -123,18 +123,18 @@ func (t *thread) getSignalInfo(si *arch.SignalInfo) error { func (t *thread) clone() (*thread, error) { r, ok := usermem.Addr(stackPointer(&t.initRegs)).RoundUp() if !ok { - return nil, syscall.EINVAL + return nil, unix.EINVAL } rval, err := t.syscallIgnoreInterrupt( &t.initRegs, - syscall.SYS_CLONE, + unix.SYS_CLONE, arch.SyscallArgument{Value: uintptr( - syscall.CLONE_FILES | - syscall.CLONE_FS | - syscall.CLONE_SIGHAND | - syscall.CLONE_THREAD | - syscall.CLONE_PTRACE | - syscall.CLONE_VM)}, + unix.CLONE_FILES | + unix.CLONE_FS | + unix.CLONE_SIGHAND | + unix.CLONE_THREAD | + unix.CLONE_PTRACE | + unix.CLONE_VM)}, // The stack pointer is just made up, but we have it be // something sensible so the kernel doesn't think we're // up to no good. Which we are. @@ -158,9 +158,9 @@ func (t *thread) clone() (*thread, error) { // getEventMessage retrieves a message about the ptrace event that just happened. func (t *thread) getEventMessage() (uintptr, error) { var msg uintptr - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_GETEVENTMSG, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_GETEVENTMSG, uintptr(t.tid), 0, uintptr(unsafe.Pointer(&msg)), diff --git a/pkg/sentry/platform/ptrace/stub_unsafe.go b/pkg/sentry/platform/ptrace/stub_unsafe.go index 341dde143..780227248 100644 --- a/pkg/sentry/platform/ptrace/stub_unsafe.go +++ b/pkg/sentry/platform/ptrace/stub_unsafe.go @@ -16,9 +16,9 @@ package ptrace import ( "reflect" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/safecopy" "gvisor.dev/gvisor/pkg/usermem" ) @@ -56,17 +56,17 @@ func stubInit() { // something that may have been there already. We just walk // down the address space until we find a place where the stub // can be placed. - addr, _, errno := syscall.RawSyscall6( - syscall.SYS_MMAP, + addr, _, errno := unix.RawSyscall6( + unix.SYS_MMAP, stubStart, mapLen, - syscall.PROT_WRITE|syscall.PROT_READ, - syscall.MAP_PRIVATE|syscall.MAP_ANONYMOUS, + unix.PROT_WRITE|unix.PROT_READ, + unix.MAP_PRIVATE|unix.MAP_ANONYMOUS, 0 /* fd */, 0 /* offset */) if addr != stubStart || errno != 0 { if addr != 0 { // Unmap the region we've mapped accidentally. - syscall.RawSyscall(syscall.SYS_MUNMAP, addr, mapLen, 0) + unix.RawSyscall(unix.SYS_MUNMAP, addr, mapLen, 0) } // Attempt to begin at a lower address. @@ -79,11 +79,11 @@ func stubInit() { copy(targetSlice, stubSlice) // Make the stub executable. - if _, _, errno := syscall.RawSyscall( - syscall.SYS_MPROTECT, + if _, _, errno := unix.RawSyscall( + unix.SYS_MPROTECT, stubStart, mapLen, - syscall.PROT_EXEC|syscall.PROT_READ); errno != 0 { + unix.PROT_EXEC|unix.PROT_READ); errno != 0 { panic("mprotect failed: " + errno.Error()) } diff --git a/pkg/sentry/platform/ptrace/subprocess.go b/pkg/sentry/platform/ptrace/subprocess.go index 17fb0a0d8..acccbfe2e 100644 --- a/pkg/sentry/platform/ptrace/subprocess.go +++ b/pkg/sentry/platform/ptrace/subprocess.go @@ -18,7 +18,6 @@ import ( "fmt" "os" "runtime" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" @@ -35,9 +34,9 @@ import ( // // These constants are only used in subprocess.go. const ( - ERESTARTSYS = syscall.Errno(512) - ERESTARTNOINTR = syscall.Errno(513) - ERESTARTNOHAND = syscall.Errno(514) + ERESTARTSYS = unix.Errno(512) + ERESTARTNOINTR = unix.Errno(513) + ERESTARTNOHAND = unix.Errno(514) ) // globalPool exists to solve two distinct problems: @@ -96,7 +95,7 @@ func (tp *threadPool) lookupOrCreate(currentTID int32, newThread func() *thread) // threads never exiting. for origTID, t := range tp.threads { // Signal zero is an easy existence check. - if err := syscall.Tgkill(syscall.Getpid(), int(origTID), 0); err != nil { + if err := unix.Tgkill(unix.Getpid(), int(origTID), 0); err != nil { // This thread has been abandoned; reuse it. delete(tp.threads, origTID) tp.threads[currentTID] = t @@ -186,7 +185,7 @@ func newSubprocess(create func() (*thread, error)) (*subprocess, error) { // (Hopefully nobody tgkilled it with a signal < // SIGSTOP before the SIGSTOP was delivered, in which // case that signal would be delivered before SIGSTOP.) - if sig := t.wait(stopped); sig != syscall.SIGSTOP { + if sig := t.wait(stopped); sig != unix.SIGSTOP { panic(fmt.Sprintf("error waiting for new clone: expected SIGSTOP, got %v", sig)) } @@ -269,7 +268,7 @@ func (s *subprocess) newThread() *thread { // attach attaches to the thread. func (t *thread) attach() { - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_ATTACH, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_ATTACH, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("unable to attach: %v", errno)) } @@ -277,7 +276,7 @@ func (t *thread) attach() { // stopped from the SIGSTOP queued by CLONE_PTRACE (see inner loop of // newSubprocess), so we always expect to see signal-delivery-stop with // SIGSTOP. - if sig := t.wait(stopped); sig != syscall.SIGSTOP { + if sig := t.wait(stopped); sig != unix.SIGSTOP { panic(fmt.Sprintf("wait failed: expected SIGSTOP, got %v", sig)) } @@ -301,7 +300,7 @@ func (t *thread) grabInitRegs() { // // Because the SIGSTOP is not suppressed, the thread will enter group-stop. func (t *thread) detach() { - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_DETACH, uintptr(t.tid), 0, uintptr(syscall.SIGSTOP), 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_DETACH, uintptr(t.tid), 0, uintptr(unix.SIGSTOP), 0, 0); errno != 0 { panic(fmt.Sprintf("can't detach new clone: %v", errno)) } } @@ -331,14 +330,14 @@ func (t *thread) dumpAndPanic(message string) { func (t *thread) unexpectedStubExit() { msg, err := t.getEventMessage() - status := syscall.WaitStatus(msg) - if status.Signaled() && status.Signal() == syscall.SIGKILL { + status := unix.WaitStatus(msg) + if status.Signaled() && status.Signal() == unix.SIGKILL { // SIGKILL can be only sent by a user or OOM-killer. In both // these cases, we don't need to panic. There is no reasons to // think that something wrong in gVisor. log.Warningf("The ptrace stub process %v has been killed by SIGKILL.", t.tgid) pid := os.Getpid() - syscall.Tgkill(pid, pid, syscall.Signal(syscall.SIGKILL)) + unix.Tgkill(pid, pid, unix.Signal(unix.SIGKILL)) } t.dumpAndPanic(fmt.Sprintf("wait failed: the process %d:%d exited: %x (err %v)", t.tgid, t.tid, msg, err)) } @@ -346,12 +345,12 @@ func (t *thread) unexpectedStubExit() { // wait waits for a stop event. // // Precondition: outcome is a valid waitOutcome. -func (t *thread) wait(outcome waitOutcome) syscall.Signal { - var status syscall.WaitStatus +func (t *thread) wait(outcome waitOutcome) unix.Signal { + var status unix.WaitStatus for { - r, err := syscall.Wait4(int(t.tid), &status, syscall.WALL|syscall.WUNTRACED, nil) - if err == syscall.EINTR || err == syscall.EAGAIN { + r, err := unix.Wait4(int(t.tid), &status, unix.WALL|unix.WUNTRACED, nil) + if err == unix.EINTR || err == unix.EAGAIN { // Wait was interrupted; wait again. continue } else if err != nil { @@ -369,12 +368,12 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal { if stopSig == 0 { continue // Spurious stop. } - if stopSig == syscall.SIGTRAP { - if status.TrapCause() == syscall.PTRACE_EVENT_EXIT { + if stopSig == unix.SIGTRAP { + if status.TrapCause() == unix.PTRACE_EVENT_EXIT { t.unexpectedStubExit() } // Re-encode the trap cause the way it's expected. - return stopSig | syscall.Signal(status.TrapCause()<<8) + return stopSig | unix.Signal(status.TrapCause()<<8) } // Not a trap signal. return stopSig @@ -382,7 +381,7 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal { if !status.Exited() && !status.Signaled() { t.dumpAndPanic(fmt.Sprintf("ptrace status unexpected: got %v, wanted exited", status)) } - return syscall.Signal(status.ExitStatus()) + return unix.Signal(status.ExitStatus()) default: // Should not happen. t.dumpAndPanic(fmt.Sprintf("unknown outcome: %v", outcome)) @@ -397,7 +396,7 @@ func (t *thread) wait(outcome waitOutcome) syscall.Signal { // manually created threads. func (t *thread) destroy() { t.detach() - syscall.Tgkill(int(t.tgid), int(t.tid), syscall.Signal(syscall.SIGKILL)) + unix.Tgkill(int(t.tgid), int(t.tid), unix.Signal(unix.SIGKILL)) t.wait(killed) } @@ -407,12 +406,12 @@ func (t *thread) init() { // set PTRACE_O_EXITKILL to ensure that the unexpected exit of the // sentry will immediately kill the associated stubs. const PTRACE_O_EXITKILL = 0x100000 - _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, - syscall.PTRACE_SETOPTIONS, + _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, + unix.PTRACE_SETOPTIONS, uintptr(t.tid), 0, - syscall.PTRACE_O_TRACESYSGOOD|syscall.PTRACE_O_TRACEEXIT|PTRACE_O_EXITKILL, + unix.PTRACE_O_TRACESYSGOOD|unix.PTRACE_O_TRACEEXIT|PTRACE_O_EXITKILL, 0, 0) if errno != 0 { panic(fmt.Sprintf("ptrace set options failed: %v", errno)) @@ -434,17 +433,17 @@ func (t *thread) syscall(regs *arch.Registers) (uintptr, error) { // Execute the syscall instruction. The task has to stop on the // trap instruction which is right after the syscall // instruction. - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, syscall.PTRACE_CONT, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_CONT, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace syscall-enter failed: %v", errno)) } sig := t.wait(stopped) - if sig == syscall.SIGTRAP { + if sig == unix.SIGTRAP { // Reached syscall-enter-stop. break } else { // Some other signal caused a thread stop; ignore. - if sig != syscall.SIGSTOP && sig != syscall.SIGCHLD { + if sig != unix.SIGSTOP && sig != unix.SIGCHLD { log.Warningf("The thread %d:%d has been interrupted by %d", t.tgid, t.tid, sig) } continue @@ -483,7 +482,7 @@ func (t *thread) syscallIgnoreInterrupt( // NotifyInterrupt implements interrupt.Receiver.NotifyInterrupt. func (t *thread) NotifyInterrupt() { - syscall.Tgkill(int(t.tgid), int(t.tid), syscall.Signal(platform.SignalInterrupt)) + unix.Tgkill(int(t.tgid), int(t.tid), unix.Signal(platform.SignalInterrupt)) } // switchToApp is called from the main SwitchToApp entrypoint. @@ -532,15 +531,15 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool { for { // Start running until the next system call. if isSingleStepping(regs) { - if _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, + if _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, unix.PTRACE_SYSEMU_SINGLESTEP, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace sysemu failed: %v", errno)) } } else { - if _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, + if _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace sysemu failed: %v", errno)) @@ -550,7 +549,7 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool { // Wait for the syscall-enter stop. sig := t.wait(stopped) - if sig == syscall.SIGSTOP { + if sig == unix.SIGSTOP { // SIGSTOP was delivered to another thread in the same thread // group, which initiated another group stop. Just ignore it. continue @@ -571,7 +570,7 @@ func (s *subprocess) switchToApp(c *context, ac arch.Context) bool { } // Is it a system call? - if sig == (syscallEvent | syscall.SIGTRAP) { + if sig == (syscallEvent | unix.SIGTRAP) { s.arm64SyscallWorkaround(t, regs) // Ensure registers are sane. @@ -619,14 +618,14 @@ func (s *subprocess) syscall(sysno uintptr, args ...arch.SyscallArgument) (uintp func (s *subprocess) MapFile(addr usermem.Addr, f memmap.File, fr memmap.FileRange, at usermem.AccessType, precommit bool) error { var flags int if precommit { - flags |= syscall.MAP_POPULATE + flags |= unix.MAP_POPULATE } _, err := s.syscall( - syscall.SYS_MMAP, + unix.SYS_MMAP, arch.SyscallArgument{Value: uintptr(addr)}, arch.SyscallArgument{Value: uintptr(fr.Length())}, arch.SyscallArgument{Value: uintptr(at.Prot())}, - arch.SyscallArgument{Value: uintptr(flags | syscall.MAP_SHARED | syscall.MAP_FIXED)}, + arch.SyscallArgument{Value: uintptr(flags | unix.MAP_SHARED | unix.MAP_FIXED)}, arch.SyscallArgument{Value: uintptr(f.FD())}, arch.SyscallArgument{Value: uintptr(fr.Start)}) return err @@ -653,7 +652,7 @@ func (s *subprocess) Unmap(addr usermem.Addr, length uint64) { } s.mu.Unlock() _, err := s.syscall( - syscall.SYS_MUNMAP, + unix.SYS_MUNMAP, arch.SyscallArgument{Value: uintptr(addr)}, arch.SyscallArgument{Value: uintptr(length)}) if err != nil { diff --git a/pkg/sentry/platform/ptrace/subprocess_amd64.go b/pkg/sentry/platform/ptrace/subprocess_amd64.go index 04815282b..9252c0bd7 100644 --- a/pkg/sentry/platform/ptrace/subprocess_amd64.go +++ b/pkg/sentry/platform/ptrace/subprocess_amd64.go @@ -19,7 +19,6 @@ package ptrace import ( "fmt" "strings" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -96,7 +95,7 @@ func updateSyscallRegs(regs *arch.Registers) { func syscallReturnValue(regs *arch.Registers) (uintptr, error) { rval := int64(regs.Rax) if rval < 0 { - return 0, syscall.Errno(-rval) + return 0, unix.Errno(-rval) } return uintptr(rval), nil } @@ -179,7 +178,7 @@ func patchSignalInfo(regs *arch.Registers, signalInfo *arch.SignalInfo) { // //go:nosplit func enableCpuidFault() { - syscall.RawSyscall6(syscall.SYS_ARCH_PRCTL, linux.ARCH_SET_CPUID, 0, 0, 0, 0, 0) + unix.RawSyscall6(unix.SYS_ARCH_PRCTL, linux.ARCH_SET_CPUID, 0, 0, 0, 0, 0) } // appendArchSeccompRules append architecture specific seccomp rules when creating BPF program. @@ -189,9 +188,9 @@ func appendArchSeccompRules(rules []seccomp.RuleSet, defaultAction linux.BPFActi // Rules for trapping vsyscall access. seccomp.RuleSet{ Rules: seccomp.SyscallRules{ - syscall.SYS_GETTIMEOFDAY: {}, - syscall.SYS_TIME: {}, - unix.SYS_GETCPU: {}, // SYS_GETCPU was not defined in package syscall on amd64. + unix.SYS_GETTIMEOFDAY: {}, + unix.SYS_TIME: {}, + unix.SYS_GETCPU: {}, // SYS_GETCPU was not defined in package syscall on amd64. }, Action: linux.SECCOMP_RET_TRAP, Vsyscall: true, @@ -200,7 +199,7 @@ func appendArchSeccompRules(rules []seccomp.RuleSet, defaultAction linux.BPFActi rules = append(rules, seccomp.RuleSet{ Rules: seccomp.SyscallRules{ - syscall.SYS_ARCH_PRCTL: []seccomp.Rule{ + unix.SYS_ARCH_PRCTL: []seccomp.Rule{ {seccomp.EqualTo(linux.ARCH_SET_CPUID), seccomp.EqualTo(0)}, }, }, @@ -227,19 +226,19 @@ func probeSeccomp() bool { // Set registers to the yield system call. This call is not allowed // by the filters specified in the attachThread function. - regs := createSyscallRegs(&t.initRegs, syscall.SYS_SCHED_YIELD) + regs := createSyscallRegs(&t.initRegs, unix.SYS_SCHED_YIELD) if err := t.setRegs(®s); err != nil { panic(fmt.Sprintf("ptrace set regs failed: %v", err)) } for { // Attempt an emulation. - if _, _, errno := syscall.RawSyscall6(syscall.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { + if _, _, errno := unix.RawSyscall6(unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace syscall-enter failed: %v", errno)) } sig := t.wait(stopped) - if sig == (syscallEvent | syscall.SIGTRAP) { + if sig == (syscallEvent | unix.SIGTRAP) { // Did the seccomp errno hook already run? This would // indicate that seccomp is first in line and we're // less than 4.8. diff --git a/pkg/sentry/platform/ptrace/subprocess_arm64.go b/pkg/sentry/platform/ptrace/subprocess_arm64.go index 416132967..c0cbc0686 100644 --- a/pkg/sentry/platform/ptrace/subprocess_arm64.go +++ b/pkg/sentry/platform/ptrace/subprocess_arm64.go @@ -19,7 +19,6 @@ package ptrace import ( "fmt" "strings" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -99,7 +98,7 @@ func updateSyscallRegs(regs *arch.Registers) { func syscallReturnValue(regs *arch.Registers) (uintptr, error) { rval := int64(regs.Regs[0]) if rval < 0 { - return 0, syscall.Errno(-rval) + return 0, unix.Errno(-rval) } return uintptr(rval), nil } @@ -185,8 +184,8 @@ func (s *subprocess) arm64SyscallWorkaround(t *thread, regs *arch.Registers) { // signal, resume a stub thread and catch it on a signal handling. t.NotifyInterrupt() for { - if _, _, errno := syscall.RawSyscall6( - syscall.SYS_PTRACE, + if _, _, errno := unix.RawSyscall6( + unix.SYS_PTRACE, unix.PTRACE_SYSEMU, uintptr(t.tid), 0, 0, 0, 0); errno != 0 { panic(fmt.Sprintf("ptrace sysemu failed: %v", errno)) @@ -194,12 +193,12 @@ func (s *subprocess) arm64SyscallWorkaround(t *thread, regs *arch.Registers) { // Wait for the syscall-enter stop. sig := t.wait(stopped) - if sig == syscall.SIGSTOP { + if sig == unix.SIGSTOP { // SIGSTOP was delivered to another thread in the same thread // group, which initiated another group stop. Just ignore it. continue } - if sig == (syscallEvent | syscall.SIGTRAP) { + if sig == (syscallEvent | unix.SIGTRAP) { t.dumpAndPanic(fmt.Sprintf("unexpected syscall event")) } break diff --git a/pkg/sentry/platform/ptrace/subprocess_linux.go b/pkg/sentry/platform/ptrace/subprocess_linux.go index 8548853da..4f0260432 100644 --- a/pkg/sentry/platform/ptrace/subprocess_linux.go +++ b/pkg/sentry/platform/ptrace/subprocess_linux.go @@ -18,8 +18,8 @@ package ptrace import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/procid" @@ -27,7 +27,7 @@ import ( "gvisor.dev/gvisor/pkg/sentry/arch" ) -const syscallEvent syscall.Signal = 0x80 +const syscallEvent unix.Signal = 0x80 // createStub creates a fresh stub processes. // @@ -63,7 +63,7 @@ func createStub() (*thread, error) { // // In addition, we set the PTRACE_O_TRACEEXIT option to log more // information about a stub process when it receives a fatal signal. - return attachedThread(uintptr(syscall.SIGKILL)|syscall.CLONE_FILES, defaultAction) + return attachedThread(uintptr(unix.SIGKILL)|unix.CLONE_FILES, defaultAction) } // attachedThread returns a new attached thread. @@ -78,38 +78,38 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro if defaultAction != linux.SECCOMP_RET_ALLOW { rules = append(rules, seccomp.RuleSet{ Rules: seccomp.SyscallRules{ - syscall.SYS_CLONE: []seccomp.Rule{ + unix.SYS_CLONE: []seccomp.Rule{ // Allow creation of new subprocesses (used by the master). - {seccomp.EqualTo(syscall.CLONE_FILES | syscall.SIGKILL)}, + {seccomp.EqualTo(unix.CLONE_FILES | unix.SIGKILL)}, // Allow creation of new threads within a single address space (used by addresss spaces). {seccomp.EqualTo( - syscall.CLONE_FILES | - syscall.CLONE_FS | - syscall.CLONE_SIGHAND | - syscall.CLONE_THREAD | - syscall.CLONE_PTRACE | - syscall.CLONE_VM)}, + unix.CLONE_FILES | + unix.CLONE_FS | + unix.CLONE_SIGHAND | + unix.CLONE_THREAD | + unix.CLONE_PTRACE | + unix.CLONE_VM)}, }, // For the initial process creation. - syscall.SYS_WAIT4: {}, - syscall.SYS_EXIT: {}, + unix.SYS_WAIT4: {}, + unix.SYS_EXIT: {}, // For the stub prctl dance (all). - syscall.SYS_PRCTL: []seccomp.Rule{ - {seccomp.EqualTo(syscall.PR_SET_PDEATHSIG), seccomp.EqualTo(syscall.SIGKILL)}, + unix.SYS_PRCTL: []seccomp.Rule{ + {seccomp.EqualTo(unix.PR_SET_PDEATHSIG), seccomp.EqualTo(unix.SIGKILL)}, }, - syscall.SYS_GETPPID: {}, + unix.SYS_GETPPID: {}, // For the stub to stop itself (all). - syscall.SYS_GETPID: {}, - syscall.SYS_KILL: []seccomp.Rule{ - {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SIGSTOP)}, + unix.SYS_GETPID: {}, + unix.SYS_KILL: []seccomp.Rule{ + {seccomp.MatchAny{}, seccomp.EqualTo(unix.SIGSTOP)}, }, // Injected to support the address space operations. - syscall.SYS_MMAP: {}, - syscall.SYS_MUNMAP: {}, + unix.SYS_MMAP: {}, + unix.SYS_MUNMAP: {}, }, Action: linux.SECCOMP_RET_ALLOW, }) @@ -125,17 +125,17 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro var ( pid uintptr ppid uintptr - errno syscall.Errno + errno unix.Errno ) // Remember the current ppid for the pdeathsig race. - ppid, _, _ = syscall.RawSyscall(syscall.SYS_GETPID, 0, 0, 0) + ppid, _, _ = unix.RawSyscall(unix.SYS_GETPID, 0, 0, 0) // Among other things, beforeFork masks all signals. beforeFork() // Do the clone. - pid, _, errno = syscall.RawSyscall6(syscall.SYS_CLONE, flags, 0, 0, 0, 0, 0) + pid, _, errno = unix.RawSyscall6(unix.SYS_CLONE, flags, 0, 0, 0, 0, 0) if errno != 0 { afterFork() return nil, errno @@ -152,7 +152,7 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro tid: int32(pid), cpu: ^uint32(0), } - if sig := t.wait(stopped); sig != syscall.SIGSTOP { + if sig := t.wait(stopped); sig != unix.SIGSTOP { return nil, fmt.Errorf("wait failed: expected SIGSTOP, got %v", sig) } t.attach() @@ -165,8 +165,8 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro // prevents the stub from getting PTY job control signals intended only // for the sentry process. We must call this before restoring signal // mask. - if _, _, errno := syscall.RawSyscall(syscall.SYS_SETSID, 0, 0, 0); errno != 0 { - syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) + if _, _, errno := unix.RawSyscall(unix.SYS_SETSID, 0, 0, 0); errno != 0 { + unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0) } // afterForkInChild resets all signals to their default dispositions @@ -176,13 +176,13 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro // Explicitly unmask all signals to ensure that the tracer can see // them. if errno := unmaskAllSignals(); errno != 0 { - syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) + unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0) } // Set an aggressive BPF filter for the stub and all it's children. See // the description of the BPF program built above. if errno := seccomp.SetFilter(instrs); errno != 0 { - syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) + unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0) } // Enable cpuid-faulting. @@ -218,8 +218,8 @@ func (s *subprocess) createStub() (*thread, error) { // See above re: SIGKILL. pid, err := t.syscallIgnoreInterrupt( ®s, - syscall.SYS_CLONE, - arch.SyscallArgument{Value: uintptr(syscall.SIGKILL | syscall.CLONE_FILES)}, + unix.SYS_CLONE, + arch.SyscallArgument{Value: uintptr(unix.SIGKILL | unix.CLONE_FILES)}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}, @@ -237,10 +237,10 @@ func (s *subprocess) createStub() (*thread, error) { // If the child actually exited, the attach below will fail. _, err = t.syscallIgnoreInterrupt( &t.initRegs, - syscall.SYS_WAIT4, + unix.SYS_WAIT4, arch.SyscallArgument{Value: uintptr(pid)}, arch.SyscallArgument{Value: 0}, - arch.SyscallArgument{Value: syscall.WALL | syscall.WUNTRACED}, + arch.SyscallArgument{Value: unix.WALL | unix.WUNTRACED}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}, arch.SyscallArgument{Value: 0}) diff --git a/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go b/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go index 533e45497..9c342c59b 100644 --- a/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go +++ b/pkg/sentry/platform/ptrace/subprocess_linux_unsafe.go @@ -18,17 +18,17 @@ package ptrace import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) // unmaskAllSignals unmasks all signals on the current thread. // //go:nosplit -func unmaskAllSignals() syscall.Errno { +func unmaskAllSignals() unix.Errno { var set linux.SignalSet - _, _, errno := syscall.RawSyscall6(syscall.SYS_RT_SIGPROCMASK, linux.SIG_SETMASK, uintptr(unsafe.Pointer(&set)), 0, linux.SignalSetSize, 0, 0) + _, _, errno := unix.RawSyscall6(unix.SYS_RT_SIGPROCMASK, linux.SIG_SETMASK, uintptr(unsafe.Pointer(&set)), 0, linux.SignalSetSize, 0, 0) return errno } |