Diffstat (limited to 'pkg/sentry')
-rw-r--r-- | pkg/sentry/platform/kvm/BUILD | 12 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/kvm_safecopy_test.go | 1 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine.go | 2 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine_amd64.go | 2 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine_arm64.go | 50 | ||||
-rw-r--r-- | pkg/sentry/seccheck/BUILD | 4 | ||||
-rw-r--r-- | pkg/sentry/seccheck/execve.go | 65 | ||||
-rw-r--r-- | pkg/sentry/seccheck/exit.go | 57 | ||||
-rw-r--r-- | pkg/sentry/seccheck/seccheck.go | 26 | ||||
-rw-r--r-- | pkg/sentry/socket/netfilter/targets.go | 2 |
10 files changed, 184 insertions, 37 deletions
diff --git a/pkg/sentry/platform/kvm/BUILD b/pkg/sentry/platform/kvm/BUILD index 9aba92e91..a26f54269 100644 --- a/pkg/sentry/platform/kvm/BUILD +++ b/pkg/sentry/platform/kvm/BUILD @@ -87,6 +87,12 @@ go_test( "virtual_map_test.go", ], library = ":kvm", + # FIXME(gvisor.dev/issue/3374): Not working with all build systems. + nogo = False, + # cgo has to be disabled. We have seen libc that blocks all signals and + # calls mmap from pthread_create, but we use SIGSYS to trap mmap system + # calls. + pure = True, tags = [ "manual", "nogotsan", @@ -106,12 +112,6 @@ go_test( "//pkg/sentry/time", "@org_golang_x_sys//unix:go_default_library", ], - # FIXME(gvisor.dev/issue/3374): Not working with all build systems. - nogo = False, - # cgo has to be disabled. We have seen libc that blocks all signals and - # calls mmap from pthread_create, but we use SIGSYS to trap mmap system - # calls. - pure = True, ) genrule( diff --git a/pkg/sentry/platform/kvm/kvm_safecopy_test.go b/pkg/sentry/platform/kvm/kvm_safecopy_test.go index cbfc61919..9a87c9e6f 100644 --- a/pkg/sentry/platform/kvm/kvm_safecopy_test.go +++ b/pkg/sentry/platform/kvm/kvm_safecopy_test.go @@ -102,4 +102,3 @@ func TestSafecopy(t *testing.T) { } }) } - diff --git a/pkg/sentry/platform/kvm/machine.go b/pkg/sentry/platform/kvm/machine.go index dce6960f9..dcf34015d 100644 --- a/pkg/sentry/platform/kvm/machine.go +++ b/pkg/sentry/platform/kvm/machine.go @@ -279,7 +279,7 @@ func newMachine(vm int) (*machine, error) { } } - for _, vr := range(readOnlyGuestRegions) { + for _, vr := range readOnlyGuestRegions { mapRegion(vr, _KVM_MEM_READONLY) } diff --git a/pkg/sentry/platform/kvm/machine_amd64.go b/pkg/sentry/platform/kvm/machine_amd64.go index 52e0a2f37..ab1e036b7 100644 --- a/pkg/sentry/platform/kvm/machine_amd64.go +++ b/pkg/sentry/platform/kvm/machine_amd64.go 
@@ -502,6 +502,6 @@ func (m *machine) getNewVCPU() *vCPU { return nil } -func archPhysicalRegions(physicalRegions []physicalRegion) ([]physicalRegion) { +func archPhysicalRegions(physicalRegions []physicalRegion) []physicalRegion { return physicalRegions } diff --git a/pkg/sentry/platform/kvm/machine_arm64.go b/pkg/sentry/platform/kvm/machine_arm64.go index 2a25a757f..08d98c479 100644 --- a/pkg/sentry/platform/kvm/machine_arm64.go +++ b/pkg/sentry/platform/kvm/machine_arm64.go @@ -112,7 +112,7 @@ func rdonlyRegionsForSetMem() (phyRegions []physicalRegion) { // archPhysicalRegions fills readOnlyGuestRegions and allocates separate // physical regions form them. -func archPhysicalRegions(physicalRegions []physicalRegion) ([]physicalRegion) { +func archPhysicalRegions(physicalRegions []physicalRegion) []physicalRegion { applyVirtualRegions(func(vr virtualRegion) { if excludeVirtualRegion(vr) { return // skip region. @@ -125,26 +125,26 @@ func archPhysicalRegions(physicalRegions []physicalRegion) ([]physicalRegion) { rdRegions := readOnlyGuestRegions[:] // Add an unreachable region. - rdRegions = append(rdRegions, region { + rdRegions = append(rdRegions, region{ virtual: 0xffffffffffffffff, - length: 0, + length: 0, }) - var regions []physicalRegion + var regions []physicalRegion addValidRegion := func(r *physicalRegion, virtual, length uintptr) { if length == 0 { return } - regions = append(regions, physicalRegion { - region: region{ - virtual: virtual, - length: length, - }, - physical: r.physical + (virtual - r.virtual), + regions = append(regions, physicalRegion{ + region: region{ + virtual: virtual, + length: length, + }, + physical: r.physical + (virtual - r.virtual), }) } i := 0 - for _, pr := range(physicalRegions) { + for _, pr := range physicalRegions { start := pr.virtual end := pr.virtual + pr.length for start < end { 
@@ -160,16 +160,16 @@ func archPhysicalRegions(physicalRegions []physicalRegion) ([]physicalRegion) { if end < rdStart { newEnd = end } - addValidRegion(&pr, start, newEnd - start) + addValidRegion(&pr, start, newEnd-start) start = rdStart continue } if rdEnd < end { - addValidRegion(&pr, start, rdEnd - start) + addValidRegion(&pr, start, rdEnd-start) start = rdEnd continue } - addValidRegion(&pr, start, end - start) + addValidRegion(&pr, start, end-start) start = end } } @@ -178,7 +178,7 @@ func archPhysicalRegions(physicalRegions []physicalRegion) ([]physicalRegion) { } // Get all available physicalRegions. -func availableRegionsForSetMem() ([]physicalRegion) { +func availableRegionsForSetMem() []physicalRegion { var excludedRegions []region applyVirtualRegions(func(vr virtualRegion) { if !vr.accessType.Write { @@ -187,9 +187,9 @@ func availableRegionsForSetMem() ([]physicalRegion) { }) // Add an unreachable region. - excludedRegions = append(excludedRegions, region { + excludedRegions = append(excludedRegions, region{ virtual: 0xffffffffffffffff, - length: 0, + length: 0, }) var regions []physicalRegion @@ -197,16 +197,16 @@ func availableRegionsForSetMem() ([]physicalRegion) { if length == 0 { return } - regions = append(regions, physicalRegion { - region: region{ - virtual: virtual, - length: length, - }, - physical: r.physical + (virtual - r.virtual), + regions = append(regions, physicalRegion{ + region: region{ + virtual: virtual, + length: length, + }, + physical: r.physical + (virtual - r.virtual), }) } i := 0 - for _, pr := range(physicalRegions) { + for _, pr := range physicalRegions { start := pr.virtual end := pr.virtual + pr.length for start < end { @@ -226,7 +226,7 @@ func availableRegionsForSetMem() ([]physicalRegion) { if rend > end { rend = end } - addValidRegion(&pr, start, rend - start) + addValidRegion(&pr, start, rend-start) start = excludeEnd } } 
diff --git a/pkg/sentry/seccheck/BUILD b/pkg/sentry/seccheck/BUILD
index 943fa180d..35feb969f 100644
--- a/pkg/sentry/seccheck/BUILD
+++ b/pkg/sentry/seccheck/BUILD
@@ -8,6 +8,8 @@ go_fieldenum(
 name = "seccheck_fieldenum",
 srcs = [
 "clone.go",
+ "execve.go",
+ "exit.go",
 "task.go",
 ],
 out = "seccheck_fieldenum.go",
@@ -29,6 +31,8 @@ go_library(
 name = "seccheck",
 srcs = [
 "clone.go",
+ "execve.go",
+ "exit.go",
 "seccheck.go",
 "seccheck_fieldenum.go",
 "seqatomic_checkerslice_unsafe.go",
diff --git a/pkg/sentry/seccheck/execve.go b/pkg/sentry/seccheck/execve.go
new file mode 100644
index 000000000..f36e0730e
--- /dev/null
+++ b/pkg/sentry/seccheck/execve.go
@@ -0,0 +1,65 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package seccheck
+
+import (
+ "gvisor.dev/gvisor/pkg/context"
+ "gvisor.dev/gvisor/pkg/sentry/kernel/auth"
+)
+
+// ExecveInfo contains information used by the Execve checkpoint.
+//
+// +fieldenum Execve
+type ExecveInfo struct {
+ // Invoker identifies the invoking thread.
+ Invoker TaskInfo
+
+ // Credentials are the invoking thread's credentials.
+ Credentials *auth.Credentials
+
+ // BinaryPath is a path to the executable binary file being switched to in
+ // the mount namespace in which it was opened.
+ BinaryPath string
+
+ // Argv is the new process image's argument vector.
+ Argv []string
+
+ // Env is the new process image's environment variables.
+ Env []string
+
+ // BinaryMode is the executable binary file's mode.
+ BinaryMode uint16
+
+ // BinarySHA256 is the SHA-256 hash of the executable binary file.
+ //
+ // Note that this requires reading the entire file into memory, which is
+ // likely to be extremely slow.
+ BinarySHA256 [32]byte
+}
+
+// ExecveReq returns fields required by the Execve checkpoint.
+func (s *state) ExecveReq() ExecveFieldSet {
+ return s.execveReq.Load()
+}
+
+// Execve is called at the Execve checkpoint.
+func (s *state) Execve(ctx context.Context, mask ExecveFieldSet, info *ExecveInfo) error {
+ for _, c := range s.getCheckers() {
+ if err := c.Execve(ctx, mask, *info); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/pkg/sentry/seccheck/exit.go b/pkg/sentry/seccheck/exit.go
new file mode 100644
index 000000000..69cb6911c
--- /dev/null
+++ b/pkg/sentry/seccheck/exit.go
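Review bot: `Execve` hands each checker a by-value copy of `*info`, but `Argv`, `Env` and `Credentials` inside that copy still alias the caller's slices and pointer, so a checker that writes to them mutates state shared with the caller and with every later checker. Suggest stating the contract on `ExecveInfo`: `// Checkers must treat Argv, Env and Credentials as read-only; they alias the caller's data.` The loop also returns on the first checker error, so later checkers are never told about that execve; the `Execve` doc comment should say so (`// Execve stops at the first checker error; subsequent checkers are not invoked.`), and the same applies to `ExitNotifyParent` in exit.go. The Clone checkpoint this mirrors is outside the diff, so I cannot confirm it documents the same behaviour.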
@@ -0,0 +1,57 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package seccheck
+
+import (
+ "gvisor.dev/gvisor/pkg/abi/linux"
+ "gvisor.dev/gvisor/pkg/context"
+)
+
+// ExitNotifyParentInfo contains information used by the ExitNotifyParent
+// checkpoint.
+//
+// +fieldenum ExitNotifyParent
+type ExitNotifyParentInfo struct {
+ // Exiter identifies the exiting thread. Note that by the checkpoint's
+ // definition, Exiter.ThreadID == Exiter.ThreadGroupID and
+ // Exiter.ThreadStartTime == Exiter.ThreadGroupStartTime, so requesting
+ // ThreadGroup* fields is redundant.
+ Exiter TaskInfo
+
+ // ExitStatus is the exiting thread group's exit status, as reported
+ // by wait*().
+ ExitStatus linux.WaitStatus
+}
+
+// ExitNotifyParentReq returns fields required by the ExitNotifyParent
+// checkpoint.
+func (s *state) ExitNotifyParentReq() ExitNotifyParentFieldSet {
+ return s.exitNotifyParentReq.Load()
+}
+
+// ExitNotifyParent is called at the ExitNotifyParent checkpoint.
+//
+// The ExitNotifyParent checkpoint occurs when a zombied thread group leader,
+// not waiting for exit acknowledgement from a non-parent ptracer, becomes the
+// last non-dead thread in its thread group and notifies its parent of its
+// exiting.
+func (s *state) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info *ExitNotifyParentInfo) error {
+ for _, c := range s.getCheckers() {
+ if err := c.ExitNotifyParent(ctx, mask, *info); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/pkg/sentry/seccheck/seccheck.go b/pkg/sentry/seccheck/seccheck.go
index b6c9d44ce..e13274096 100644
--- a/pkg/sentry/seccheck/seccheck.go
+++ b/pkg/sentry/seccheck/seccheck.go
@@ -29,6 +29,8 @@ type Point uint
 // PointX represents the checkpoint X.
 const (
 PointClone Point = iota
+ PointExecve
+ PointExitNotifyParent
 // Add new Points above this line.
 pointLength
@@ -47,6 +49,8 @@ const (
 // registered concurrently with invocations of checkpoints).
 type Checker interface {
 Clone(ctx context.Context, mask CloneFieldSet, info CloneInfo) error
+ Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error
+ ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error
 }
 // CheckerDefaults may be embedded by implementations of Checker to obtain
@@ -58,6 +62,16 @@ func (CheckerDefaults) Clone(ctx context.Context, mask CloneFieldSet, info Clone
 return nil
 }
+// Execve implements Checker.Execve.
+func (CheckerDefaults) Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error {
+ return nil
+}
+
+// ExitNotifyParent implements Checker.ExitNotifyParent.
+func (CheckerDefaults) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error {
+ return nil
+}
+
 // CheckerReq indicates what checkpoints a corresponding Checker runs at, and
 // what information it requires at those checkpoints.
 type CheckerReq struct {
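Review bot: Adding `Execve` and `ExitNotifyParent` to the exported `Checker` interface in the @@ -47 hunk breaks any implementation outside this package that does not embed `CheckerDefaults`; the diff only updates `CheckerDefaults` itself. Unless the `Checker` doc comment, whose first lines are outside the hunk, already says so, it is worth a sentence such as `// New checkpoints are added to this interface over time; implementations should embed CheckerDefaults to stay compatible.` The new `Point` constants in the @@ -29 hunk are placed before `pointLength`, which is correct only if the enabled-points storage is sized from `pointLength`; that declaration is not visible here, so please confirm.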
@@ -69,7 +83,9 @@ type CheckerReq struct { // All of the following fields indicate what fields in the corresponding // XInfo struct will be requested at the corresponding checkpoint. - Clone CloneFields + Clone CloneFields + Execve ExecveFields + ExitNotifyParent ExitNotifyParentFields } // Global is the method receiver of all seccheck functions. @@ -101,7 +117,9 @@ type state struct { // corresponding XInfo struct have been requested by any registered // checker, are accessed using atomic memory operations, and are mutated // with registrationMu locked. - cloneReq CloneFieldSet + cloneReq CloneFieldSet + execveReq ExecveFieldSet + exitNotifyParentReq ExitNotifyParentFieldSet } // AppendChecker registers the given Checker to execute at checkpoints. The @@ -110,7 +128,11 @@ type state struct { func (s *state) AppendChecker(c Checker, req *CheckerReq) { s.registrationMu.Lock() defer s.registrationMu.Unlock() + s.cloneReq.AddFieldsLoadable(req.Clone) + s.execveReq.AddFieldsLoadable(req.Execve) + s.exitNotifyParentReq.AddFieldsLoadable(req.ExitNotifyParent) + s.appendCheckerLocked(c) for _, p := range req.Points { word, bit := p/32, p%32 diff --git a/pkg/sentry/socket/netfilter/targets.go b/pkg/sentry/socket/netfilter/targets.go index ea56f39c1..0f6e576a9 100644 --- a/pkg/sentry/socket/netfilter/targets.go +++ b/pkg/sentry/socket/netfilter/targets.go @@ -647,7 +647,7 @@ func (jt *JumpTarget) id() targetID { } // Action implements stack.Target.Action. -func (jt *JumpTarget) Action(*stack.PacketBuffer, *stack.ConnTrack, stack.Hook, *stack.Route, tcpip.Address) (stack.RuleVerdict, int) { +func (jt *JumpTarget) Action(*stack.PacketBuffer, *stack.ConnTrack, stack.Hook, *stack.Route, stack.AddressableEndpoint) (stack.RuleVerdict, int) { return stack.RuleJump, jt.RuleNum } |
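Review bot: In the @@ -110 hunk `AppendChecker` ORs the new checker's `Execve` and `ExitNotifyParent` field requests into the global sets with `AddFieldsLoadable`, and no path in this diff ever clears them, so once any checker asks for a costly field such as `BinarySHA256` (which execve.go notes requires reading the whole binary into memory) every later execve pays that cost for the lifetime of the process, regardless of which checker wanted it. If that is intended, the `AppendChecker` doc should say that field requests are cumulative and not reverted (`// Requested fields are accumulated across all registered checkers and never removed.`); if not, registration needs a matching removal path, which is outside this change. `AppendChecker` starts in the hunk but its loop body continues past it.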