Diffstat (limited to 'runsc/boot')
-rw-r--r-- | runsc/boot/compat.go | 12 | ||||
-rw-r--r-- | runsc/boot/compat_amd64.go | 4 | ||||
-rw-r--r-- | runsc/boot/controller.go | 4 | ||||
-rw-r--r-- | runsc/boot/filter/config.go | 379 | ||||
-rw-r--r-- | runsc/boot/filter/config_amd64.go | 33 | ||||
-rw-r--r-- | runsc/boot/filter/config_arm64.go | 17 | ||||
-rw-r--r-- | runsc/boot/filter/config_profile.go | 7 | ||||
-rw-r--r-- | runsc/boot/filter/extra_filters_msan.go | 11 | ||||
-rw-r--r-- | runsc/boot/filter/extra_filters_race.go | 25 | ||||
-rw-r--r-- | runsc/boot/fs.go | 12 | ||||
-rw-r--r-- | runsc/boot/limits.go | 8 | ||||
-rw-r--r-- | runsc/boot/loader_test.go | 7 | ||||
-rw-r--r-- | runsc/boot/network.go | 4 |
13 files changed, 258 insertions, 265 deletions
diff --git a/runsc/boot/compat.go b/runsc/boot/compat.go index a3a76b609..28e82e117 100644 --- a/runsc/boot/compat.go +++ b/runsc/boot/compat.go @@ -17,8 +17,8 @@ package boot import ( "fmt" "os" - "syscall" + "golang.org/x/sys/unix" "google.golang.org/protobuf/proto" "gvisor.dev/gvisor/pkg/eventchannel" "gvisor.dev/gvisor/pkg/log" @@ -93,19 +93,19 @@ func (c *compatEmitter) emitUnimplementedSyscall(us *spb.UnimplementedSyscall) { tr := c.trackers[sysnr] if tr == nil { switch sysnr { - case syscall.SYS_PRCTL: + case unix.SYS_PRCTL: // args: cmd, ... tr = newArgsTracker(0) - case syscall.SYS_IOCTL, syscall.SYS_EPOLL_CTL, syscall.SYS_SHMCTL, syscall.SYS_FUTEX, syscall.SYS_FALLOCATE: + case unix.SYS_IOCTL, unix.SYS_EPOLL_CTL, unix.SYS_SHMCTL, unix.SYS_FUTEX, unix.SYS_FALLOCATE: // args: fd/addr, cmd, ... tr = newArgsTracker(1) - case syscall.SYS_GETSOCKOPT, syscall.SYS_SETSOCKOPT: + case unix.SYS_GETSOCKOPT, unix.SYS_SETSOCKOPT: // args: fd, level, name, ... tr = newArgsTracker(1, 2) - case syscall.SYS_SEMCTL: + case unix.SYS_SEMCTL: // args: semid, semnum, cmd, ... tr = newArgsTracker(2) @@ -131,7 +131,7 @@ func (c *compatEmitter) emitUnimplementedSyscall(us *spb.UnimplementedSyscall) { } func (c *compatEmitter) emitUncaughtSignal(msg *ucspb.UncaughtSignal) { - sig := syscall.Signal(msg.SignalNumber) + sig := unix.Signal(msg.SignalNumber) c.sink.Infof( "Uncaught signal: %q (%d), PID: %d, TID: %d, fault addr: %#x", sig, msg.SignalNumber, msg.Pid, msg.Tid, msg.FaultAddr) diff --git a/runsc/boot/compat_amd64.go b/runsc/boot/compat_amd64.go index 8eb76b2ba..7e13ff87c 100644 --- a/runsc/boot/compat_amd64.go +++ b/runsc/boot/compat_amd64.go @@ -16,8 +16,8 @@ package boot import ( "fmt" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi" "gvisor.dev/gvisor/pkg/sentry/arch" rpb "gvisor.dev/gvisor/pkg/sentry/arch/registers_go_proto" 
@@ -92,7 +92,7 @@ func syscallNum(regs *rpb.Registers) uint64 { func newArchArgsTracker(sysnr uint64) syscallTracker { switch sysnr { - case syscall.SYS_ARCH_PRCTL: + case unix.SYS_ARCH_PRCTL: // args: cmd, ... return newArgsTracker(0) } diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go index 5e849cb37..1cd5fba5c 100644 --- a/runsc/boot/controller.go +++ b/runsc/boot/controller.go @@ -18,9 +18,9 @@ import ( "errors" "fmt" "os" - "syscall" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/control/server" "gvisor.dev/gvisor/pkg/fd" "gvisor.dev/gvisor/pkg/log" @@ -366,7 +366,7 @@ func (cm *containerManager) Restore(o *RestoreOpts, _ *struct{}) error { case 2: // The device file is donated to the platform. // Can't take ownership away from os.File. dup them to get a new FD. - fd, err := syscall.Dup(int(o.Files[1].Fd())) + fd, err := unix.Dup(int(o.Files[1].Fd())) if err != nil { return fmt.Errorf("failed to dup file: %v", err) } diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go index 2a8c916d5..49b503f99 100644 --- a/runsc/boot/filter/config.go +++ b/runsc/boot/filter/config.go @@ -16,7 +16,6 @@ package filter import ( "os" - "syscall" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" 
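Review bot: The descriptor returned by `unix.Dup` in Restore carries no close-on-exec flag, and the sentry allowlist touched by this same change admits `fcntl` only with F_GETFL/F_SETFL/F_GETFD and `dup3` only with O_CLOEXEC, so a CLOEXEC-preserving duplicate cannot simply be substituted here without also widening the filter. That is presumably acceptable because the sentry is not expected to exec after boot, but nothing at the call site records the constraint; a comment such as `// Plain dup(2): the sentry seccomp filter does not admit F_DUPFD_CLOEXEC; CLOEXEC is unnecessary as long as this process never execs.` would keep a later reader from "fixing" it into a filter violation. The identical `unix.Dup` in CreateLinksAndRoutes (network.go, last hunk of the diff) deserves the same comment. Restore continues outside the hunk.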
@@ -26,19 +25,19 @@ import ( // allowedSyscalls is the set of syscalls executed by the Sentry to the host OS. var allowedSyscalls = seccomp.SyscallRules{ - syscall.SYS_CLOCK_GETTIME: {}, - syscall.SYS_CLOSE: {}, - syscall.SYS_DUP: {}, - syscall.SYS_DUP3: []seccomp.Rule{ + unix.SYS_CLOCK_GETTIME: {}, + unix.SYS_CLOSE: {}, + unix.SYS_DUP: {}, + unix.SYS_DUP3: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.O_CLOEXEC), + seccomp.EqualTo(unix.O_CLOEXEC), }, }, - syscall.SYS_EPOLL_CREATE1: {}, - syscall.SYS_EPOLL_CTL: {}, - syscall.SYS_EPOLL_PWAIT: []seccomp.Rule{ + unix.SYS_EPOLL_CREATE1: {}, + unix.SYS_EPOLL_CTL: {}, + unix.SYS_EPOLL_PWAIT: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, @@ -47,34 +46,34 @@ var allowedSyscalls = seccomp.SyscallRules{ seccomp.EqualTo(0), }, }, - syscall.SYS_EVENTFD2: []seccomp.Rule{ + unix.SYS_EVENTFD2: []seccomp.Rule{ { seccomp.EqualTo(0), seccomp.EqualTo(0), }, }, - syscall.SYS_EXIT: {}, - syscall.SYS_EXIT_GROUP: {}, - syscall.SYS_FALLOCATE: {}, - syscall.SYS_FCHMOD: {}, - syscall.SYS_FCNTL: []seccomp.Rule{ + unix.SYS_EXIT: {}, + unix.SYS_EXIT_GROUP: {}, + unix.SYS_FALLOCATE: {}, + unix.SYS_FCHMOD: {}, + unix.SYS_FCNTL: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.F_GETFL), + seccomp.EqualTo(unix.F_GETFL), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.F_SETFL), + seccomp.EqualTo(unix.F_SETFL), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.F_GETFD), + seccomp.EqualTo(unix.F_GETFD), }, }, - syscall.SYS_FSTAT: {}, - syscall.SYS_FSYNC: {}, - syscall.SYS_FTRUNCATE: {}, - syscall.SYS_FUTEX: []seccomp.Rule{ + unix.SYS_FSTAT: {}, + unix.SYS_FSYNC: {}, + unix.SYS_FTRUNCATE: {}, + unix.SYS_FUTEX: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG), 
@@ -109,35 +108,35 @@ var allowedSyscalls = seccomp.SyscallRules{ seccomp.EqualTo(0), }, }, - syscall.SYS_GETPID: {}, + unix.SYS_GETPID: {}, unix.SYS_GETRANDOM: {}, - syscall.SYS_GETSOCKOPT: []seccomp.Rule{ + unix.SYS_GETSOCKOPT: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_DOMAIN), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_DOMAIN), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_TYPE), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_TYPE), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_ERROR), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_ERROR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_SNDBUF), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_SNDBUF), }, }, - syscall.SYS_GETTID: {}, - syscall.SYS_GETTIMEOFDAY: {}, + unix.SYS_GETTID: {}, + unix.SYS_GETTIMEOFDAY: {}, // SYS_IOCTL is needed for terminal support, but we only allow // setting/getting termios and winsize. - syscall.SYS_IOCTL: []seccomp.Rule{ + unix.SYS_IOCTL: []seccomp.Rule{ { seccomp.MatchAny{}, /* fd */ seccomp.EqualTo(linux.TCGETS), 
@@ -169,94 +168,94 @@ var allowedSyscalls = seccomp.SyscallRules{ seccomp.MatchAny{}, /* winsize struct */ }, }, - syscall.SYS_LSEEK: {}, - syscall.SYS_MADVISE: {}, + unix.SYS_LSEEK: {}, + unix.SYS_MADVISE: {}, unix.SYS_MEMBARRIER: []seccomp.Rule{ { seccomp.EqualTo(linux.MEMBARRIER_CMD_GLOBAL), seccomp.EqualTo(0), }, }, - syscall.SYS_MINCORE: {}, + unix.SYS_MINCORE: {}, // Used by the Go runtime as a temporarily workaround for a Linux // 5.2-5.4 bug. // // See src/runtime/os_linux_x86.go. // // TODO(b/148688965): Remove once this is gone from Go. - syscall.SYS_MLOCK: []seccomp.Rule{ + unix.SYS_MLOCK: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.EqualTo(4096), }, }, - syscall.SYS_MMAP: []seccomp.Rule{ + unix.SYS_MMAP: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MAP_SHARED), + seccomp.EqualTo(unix.MAP_SHARED), }, { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MAP_PRIVATE), + seccomp.EqualTo(unix.MAP_PRIVATE), }, { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS), + seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS), }, { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_STACK), + seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_STACK), }, { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_NORESERVE), + seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_NORESERVE), }, { seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.PROT_WRITE | syscall.PROT_READ), - seccomp.EqualTo(syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_FIXED), + seccomp.EqualTo(unix.PROT_WRITE | unix.PROT_READ), + seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_FIXED), }, }, - 
syscall.SYS_MPROTECT: {}, - syscall.SYS_MUNMAP: {}, - syscall.SYS_NANOSLEEP: {}, - syscall.SYS_PPOLL: {}, - syscall.SYS_PREAD64: {}, - syscall.SYS_PREADV: {}, - unix.SYS_PREADV2: {}, - syscall.SYS_PWRITE64: {}, - syscall.SYS_PWRITEV: {}, - unix.SYS_PWRITEV2: {}, - syscall.SYS_READ: {}, - syscall.SYS_RECVMSG: []seccomp.Rule{ + unix.SYS_MPROTECT: {}, + unix.SYS_MUNMAP: {}, + unix.SYS_NANOSLEEP: {}, + unix.SYS_PPOLL: {}, + unix.SYS_PREAD64: {}, + unix.SYS_PREADV: {}, + unix.SYS_PREADV2: {}, + unix.SYS_PWRITE64: {}, + unix.SYS_PWRITEV: {}, + unix.SYS_PWRITEV2: {}, + unix.SYS_READ: {}, + unix.SYS_RECVMSG: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MSG_DONTWAIT | syscall.MSG_TRUNC), + seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC), }, { seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MSG_DONTWAIT | syscall.MSG_TRUNC | syscall.MSG_PEEK), + seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC | unix.MSG_PEEK), }, }, - syscall.SYS_RECVMMSG: []seccomp.Rule{ + unix.SYS_RECVMMSG: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(fdbased.MaxMsgsPerRecv), - seccomp.EqualTo(syscall.MSG_DONTWAIT), + seccomp.EqualTo(unix.MSG_DONTWAIT), seccomp.EqualTo(0), }, }, 
@@ -265,34 +264,34 @@ var allowedSyscalls = seccomp.SyscallRules{ seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MSG_DONTWAIT), + seccomp.EqualTo(unix.MSG_DONTWAIT), seccomp.EqualTo(0), }, }, - syscall.SYS_RESTART_SYSCALL: {}, - syscall.SYS_RT_SIGACTION: {}, - syscall.SYS_RT_SIGPROCMASK: {}, - syscall.SYS_RT_SIGRETURN: {}, - syscall.SYS_SCHED_YIELD: {}, - syscall.SYS_SENDMSG: []seccomp.Rule{ + unix.SYS_RESTART_SYSCALL: {}, + unix.SYS_RT_SIGACTION: {}, + unix.SYS_RT_SIGPROCMASK: {}, + unix.SYS_RT_SIGRETURN: {}, + unix.SYS_SCHED_YIELD: {}, + unix.SYS_SENDMSG: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.MSG_DONTWAIT | syscall.MSG_NOSIGNAL), + seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_NOSIGNAL), }, }, - syscall.SYS_SETITIMER: {}, - syscall.SYS_SHUTDOWN: []seccomp.Rule{ + unix.SYS_SETITIMER: {}, + unix.SYS_SHUTDOWN: []seccomp.Rule{ // Used by fs/host to shutdown host sockets. - {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SHUT_RD)}, - {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SHUT_WR)}, + {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RD)}, + {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_WR)}, // Used by unet to shutdown connections. - {seccomp.MatchAny{}, seccomp.EqualTo(syscall.SHUT_RDWR)}, + {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RDWR)}, }, - syscall.SYS_SIGALTSTACK: {}, - unix.SYS_STATX: {}, - syscall.SYS_SYNC_FILE_RANGE: {}, - syscall.SYS_TEE: []seccomp.Rule{ + unix.SYS_SIGALTSTACK: {}, + unix.SYS_STATX: {}, + unix.SYS_SYNC_FILE_RANGE: {}, + unix.SYS_TEE: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, 
@@ -300,12 +299,12 @@ var allowedSyscalls = seccomp.SyscallRules{ seccomp.EqualTo(unix.SPLICE_F_NONBLOCK), /* flags */ }, }, - syscall.SYS_TGKILL: []seccomp.Rule{ + unix.SYS_TGKILL: []seccomp.Rule{ { seccomp.EqualTo(uint64(os.Getpid())), }, }, - syscall.SYS_UTIMENSAT: []seccomp.Rule{ + unix.SYS_UTIMENSAT: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.EqualTo(0), /* null pathname */ @@ -313,9 +312,9 @@ var allowedSyscalls = seccomp.SyscallRules{ seccomp.EqualTo(0), /* flags */ }, }, - syscall.SYS_WRITE: {}, + unix.SYS_WRITE: {}, // For rawfile.NonBlockingWriteIovec. - syscall.SYS_WRITEV: []seccomp.Rule{ + unix.SYS_WRITEV: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, 
@@ -327,313 +326,313 @@ var allowedSyscalls = seccomp.SyscallRules{ // hostInetFilters contains syscalls that are needed by sentry/socket/hostinet. func hostInetFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_ACCEPT4: []seccomp.Rule{ + unix.SYS_ACCEPT4: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC), + seccomp.EqualTo(unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), }, }, - syscall.SYS_BIND: {}, - syscall.SYS_CONNECT: {}, - syscall.SYS_GETPEERNAME: {}, - syscall.SYS_GETSOCKNAME: {}, - syscall.SYS_GETSOCKOPT: []seccomp.Rule{ + unix.SYS_BIND: {}, + unix.SYS_CONNECT: {}, + unix.SYS_GETPEERNAME: {}, + unix.SYS_GETSOCKNAME: {}, + unix.SYS_GETSOCKOPT: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_TOS), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_TOS), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_RECVTOS), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_RECVTOS), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_PKTINFO), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_PKTINFO), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_RECVORIGDSTADDR), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_RECVORIGDSTADDR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_RECVERR), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_RECVERR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_TCLASS), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_TCLASS), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_RECVTCLASS), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_RECVTCLASS), }, { 
seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_RECVERR), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_RECVERR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_V6ONLY), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_V6ONLY), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(unix.SOL_IPV6), seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_ERROR), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_ERROR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_KEEPALIVE), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_KEEPALIVE), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_SNDBUF), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_SNDBUF), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_RCVBUF), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_RCVBUF), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_REUSEADDR), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_REUSEADDR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_TYPE), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_TYPE), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_LINGER), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_LINGER), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_TIMESTAMP), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_TIMESTAMP), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_TCP), - seccomp.EqualTo(syscall.TCP_NODELAY), + 
seccomp.EqualTo(unix.SOL_TCP), + seccomp.EqualTo(unix.TCP_NODELAY), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_TCP), - seccomp.EqualTo(syscall.TCP_INFO), + seccomp.EqualTo(unix.SOL_TCP), + seccomp.EqualTo(unix.TCP_INFO), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_TCP), + seccomp.EqualTo(unix.SOL_TCP), seccomp.EqualTo(linux.TCP_INQ), }, }, - syscall.SYS_IOCTL: []seccomp.Rule{ + unix.SYS_IOCTL: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.TIOCOUTQ), + seccomp.EqualTo(unix.TIOCOUTQ), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.TIOCINQ), + seccomp.EqualTo(unix.TIOCINQ), }, }, - syscall.SYS_LISTEN: {}, - syscall.SYS_READV: {}, - syscall.SYS_RECVFROM: {}, - syscall.SYS_RECVMSG: {}, - syscall.SYS_SENDMSG: {}, - syscall.SYS_SENDTO: {}, - syscall.SYS_SETSOCKOPT: []seccomp.Rule{ + unix.SYS_LISTEN: {}, + unix.SYS_READV: {}, + unix.SYS_RECVFROM: {}, + unix.SYS_RECVMSG: {}, + unix.SYS_SENDMSG: {}, + unix.SYS_SENDTO: {}, + unix.SYS_SETSOCKOPT: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_SNDBUF), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_SNDBUF), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_RCVBUF), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_RCVBUF), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_REUSEADDR), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_REUSEADDR), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_TIMESTAMP), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_TIMESTAMP), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_TCP), - seccomp.EqualTo(syscall.TCP_NODELAY), + 
seccomp.EqualTo(unix.SOL_TCP), + seccomp.EqualTo(unix.TCP_NODELAY), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_TCP), + seccomp.EqualTo(unix.SOL_TCP), seccomp.EqualTo(linux.TCP_INQ), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_TOS), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_TOS), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_RECVTOS), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_RECVTOS), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_PKTINFO), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_PKTINFO), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_RECVORIGDSTADDR), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_RECVORIGDSTADDR), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IP), - seccomp.EqualTo(syscall.IP_RECVERR), + seccomp.EqualTo(unix.SOL_IP), + seccomp.EqualTo(unix.IP_RECVERR), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_TCLASS), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_TCLASS), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_RECVTCLASS), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_RECVTCLASS), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(unix.SOL_IPV6), seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - 
seccomp.EqualTo(syscall.IPV6_RECVERR), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_RECVERR), seccomp.MatchAny{}, seccomp.EqualTo(4), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_V6ONLY), + seccomp.EqualTo(unix.SOL_IPV6), + seccomp.EqualTo(unix.IPV6_V6ONLY), seccomp.MatchAny{}, seccomp.EqualTo(4), }, }, - syscall.SYS_SHUTDOWN: []seccomp.Rule{ + unix.SYS_SHUTDOWN: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SHUT_RD), + seccomp.EqualTo(unix.SHUT_RD), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SHUT_WR), + seccomp.EqualTo(unix.SHUT_WR), }, { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SHUT_RDWR), + seccomp.EqualTo(unix.SHUT_RDWR), }, }, - syscall.SYS_SOCKET: []seccomp.Rule{ + unix.SYS_SOCKET: []seccomp.Rule{ { - seccomp.EqualTo(syscall.AF_INET), - seccomp.EqualTo(syscall.SOCK_STREAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC), + seccomp.EqualTo(unix.AF_INET), + seccomp.EqualTo(unix.SOCK_STREAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), seccomp.EqualTo(0), }, { - seccomp.EqualTo(syscall.AF_INET), - seccomp.EqualTo(syscall.SOCK_DGRAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC), + seccomp.EqualTo(unix.AF_INET), + seccomp.EqualTo(unix.SOCK_DGRAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), seccomp.EqualTo(0), }, { - seccomp.EqualTo(syscall.AF_INET6), - seccomp.EqualTo(syscall.SOCK_STREAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC), + seccomp.EqualTo(unix.AF_INET6), + seccomp.EqualTo(unix.SOCK_STREAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), seccomp.EqualTo(0), }, { - seccomp.EqualTo(syscall.AF_INET6), - seccomp.EqualTo(syscall.SOCK_DGRAM | syscall.SOCK_NONBLOCK | syscall.SOCK_CLOEXEC), + seccomp.EqualTo(unix.AF_INET6), + seccomp.EqualTo(unix.SOCK_DGRAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), seccomp.EqualTo(0), }, }, - syscall.SYS_WRITEV: {}, + unix.SYS_WRITEV: {}, } } func controlServerFilters(fd int) seccomp.SyscallRules { return seccomp.SyscallRules{ - 
syscall.SYS_ACCEPT: []seccomp.Rule{ + unix.SYS_ACCEPT: []seccomp.Rule{ { seccomp.EqualTo(fd), }, }, - syscall.SYS_LISTEN: []seccomp.Rule{ + unix.SYS_LISTEN: []seccomp.Rule{ { seccomp.EqualTo(fd), seccomp.EqualTo(16 /* unet.backlog */), }, }, - syscall.SYS_GETSOCKOPT: []seccomp.Rule{ + unix.SYS_GETSOCKOPT: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_SOCKET), - seccomp.EqualTo(syscall.SO_PEERCRED), + seccomp.EqualTo(unix.SOL_SOCKET), + seccomp.EqualTo(unix.SO_PEERCRED), }, }, } diff --git a/runsc/boot/filter/config_amd64.go b/runsc/boot/filter/config_amd64.go index cea5613b8..42cb8ed3a 100644 --- a/runsc/boot/filter/config_amd64.go +++ b/runsc/boot/filter/config_amd64.go @@ -17,30 +17,29 @@ package filter import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/seccomp" ) func init() { - allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{ + allowedSyscalls[unix.SYS_ARCH_PRCTL] = []seccomp.Rule{ // TODO(b/168828518): No longer used in Go 1.16+. {seccomp.EqualTo(linux.ARCH_SET_FS)}, } - allowedSyscalls[syscall.SYS_CLONE] = []seccomp.Rule{ + allowedSyscalls[unix.SYS_CLONE] = []seccomp.Rule{ // parent_tidptr and child_tidptr are always 0 because neither // CLONE_PARENT_SETTID nor CLONE_CHILD_SETTID are used. { seccomp.EqualTo( - syscall.CLONE_VM | - syscall.CLONE_FS | - syscall.CLONE_FILES | - syscall.CLONE_SETTLS | - syscall.CLONE_SIGHAND | - syscall.CLONE_SYSVSEM | - syscall.CLONE_THREAD), + unix.CLONE_VM | + unix.CLONE_FS | + unix.CLONE_FILES | + unix.CLONE_SETTLS | + unix.CLONE_SIGHAND | + unix.CLONE_SYSVSEM | + unix.CLONE_THREAD), seccomp.MatchAny{}, // newsp seccomp.EqualTo(0), // parent_tidptr seccomp.EqualTo(0), // child_tidptr 
@@ -49,12 +48,12 @@ func init() { { // TODO(b/168828518): No longer used in Go 1.16+ (on amd64). seccomp.EqualTo( - syscall.CLONE_VM | - syscall.CLONE_FS | - syscall.CLONE_FILES | - syscall.CLONE_SIGHAND | - syscall.CLONE_SYSVSEM | - syscall.CLONE_THREAD), + unix.CLONE_VM | + unix.CLONE_FS | + unix.CLONE_FILES | + unix.CLONE_SIGHAND | + unix.CLONE_SYSVSEM | + unix.CLONE_THREAD), seccomp.MatchAny{}, // newsp seccomp.EqualTo(0), // parent_tidptr seccomp.EqualTo(0), // child_tidptr diff --git a/runsc/boot/filter/config_arm64.go b/runsc/boot/filter/config_arm64.go index 37313f97f..f162f87ff 100644 --- a/runsc/boot/filter/config_arm64.go +++ b/runsc/boot/filter/config_arm64.go @@ -17,21 +17,20 @@ package filter import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/seccomp" ) func init() { - allowedSyscalls[syscall.SYS_CLONE] = []seccomp.Rule{ + allowedSyscalls[unix.SYS_CLONE] = []seccomp.Rule{ { seccomp.EqualTo( - syscall.CLONE_VM | - syscall.CLONE_FS | - syscall.CLONE_FILES | - syscall.CLONE_SIGHAND | - syscall.CLONE_SYSVSEM | - syscall.CLONE_THREAD), + unix.CLONE_VM | + unix.CLONE_FS | + unix.CLONE_FILES | + unix.CLONE_SIGHAND | + unix.CLONE_SYSVSEM | + unix.CLONE_THREAD), seccomp.MatchAny{}, // newsp // These arguments are left uninitialized by the Go // runtime, so they may be anything (and are unused by diff --git a/runsc/boot/filter/config_profile.go b/runsc/boot/filter/config_profile.go index 7b8669595..89b66a6da 100644 --- a/runsc/boot/filter/config_profile.go +++ b/runsc/boot/filter/config_profile.go 
@@ -15,19 +15,18 @@ package filter import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/seccomp" ) // profileFilters returns extra syscalls made by runtime/pprof package. func profileFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_OPENAT: []seccomp.Rule{ + unix.SYS_OPENAT: []seccomp.Rule{ { seccomp.MatchAny{}, seccomp.MatchAny{}, - seccomp.EqualTo(syscall.O_RDONLY | syscall.O_LARGEFILE | syscall.O_CLOEXEC), + seccomp.EqualTo(unix.O_RDONLY | unix.O_LARGEFILE | unix.O_CLOEXEC), }, }, } diff --git a/runsc/boot/filter/extra_filters_msan.go b/runsc/boot/filter/extra_filters_msan.go index 209e646a7..41baa78cd 100644 --- a/runsc/boot/filter/extra_filters_msan.go +++ b/runsc/boot/filter/extra_filters_msan.go @@ -17,8 +17,7 @@ package filter import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/seccomp" ) @@ -26,9 +25,9 @@ import ( func instrumentationFilters() seccomp.SyscallRules { Report("MSAN is enabled: syscall filters less restrictive!") return seccomp.SyscallRules{ - syscall.SYS_CLONE: {}, - syscall.SYS_MMAP: {}, - syscall.SYS_SCHED_GETAFFINITY: {}, - syscall.SYS_SET_ROBUST_LIST: {}, + unix.SYS_CLONE: {}, + unix.SYS_MMAP: {}, + unix.SYS_SCHED_GETAFFINITY: {}, + unix.SYS_SET_ROBUST_LIST: {}, } } diff --git a/runsc/boot/filter/extra_filters_race.go b/runsc/boot/filter/extra_filters_race.go index 5b99eb8cd..79b2104f0 100644 --- a/runsc/boot/filter/extra_filters_race.go +++ b/runsc/boot/filter/extra_filters_race.go @@ -17,8 +17,7 @@ package filter import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/seccomp" ) 
@@ -26,17 +25,17 @@ import ( func instrumentationFilters() seccomp.SyscallRules { Report("TSAN is enabled: syscall filters less restrictive!") return seccomp.SyscallRules{ - syscall.SYS_BRK: {}, - syscall.SYS_CLOCK_NANOSLEEP: {}, - syscall.SYS_CLONE: {}, - syscall.SYS_FUTEX: {}, - syscall.SYS_MMAP: {}, - syscall.SYS_MUNLOCK: {}, - syscall.SYS_NANOSLEEP: {}, - syscall.SYS_OPEN: {}, - syscall.SYS_OPENAT: {}, - syscall.SYS_SET_ROBUST_LIST: {}, + unix.SYS_BRK: {}, + unix.SYS_CLOCK_NANOSLEEP: {}, + unix.SYS_CLONE: {}, + unix.SYS_FUTEX: {}, + unix.SYS_MMAP: {}, + unix.SYS_MUNLOCK: {}, + unix.SYS_NANOSLEEP: {}, + unix.SYS_OPEN: {}, + unix.SYS_OPENAT: {}, + unix.SYS_SET_ROBUST_LIST: {}, // Used within glibc's malloc. - syscall.SYS_TIME: {}, + unix.SYS_TIME: {}, } } diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go index 2b0d2cd51..77f632bb9 100644 --- a/runsc/boot/fs.go +++ b/runsc/boot/fs.go @@ -20,9 +20,9 @@ import ( "sort" "strconv" "strings" - "syscall" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fd" @@ -312,11 +312,11 @@ func setupContainerFS(ctx context.Context, conf *config.Config, mntr *containerM } func adjustDirentCache(k *kernel.Kernel) error { - var hl syscall.Rlimit - if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &hl); err != nil { + var hl unix.Rlimit + if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &hl); err != nil { return fmt.Errorf("getting RLIMIT_NOFILE: %v", err) } - if int64(hl.Cur) != syscall.RLIM_INFINITY { + if hl.Cur != unix.RLIM_INFINITY { newSize := hl.Cur / 2 if newSize < gofer.DefaultDirentCacheSize { log.Infof("Setting gofer dirent cache size to %d", newSize) 
@@ -844,10 +844,10 @@ func (c *containerMounter) mountSubmount(ctx context.Context, conf *config.Confi // than simply printed to the logs for the 'runsc boot' command. // // We check the error message string rather than type because the - // actual error types (syscall.EIO, syscall.EPIPE) are lost by file system + // actual error types (unix.EIO, unix.EPIPE) are lost by file system // implementation (e.g. p9). // TODO(gvisor.dev/issue/1765): Remove message when bug is resolved. - if strings.Contains(err.Error(), syscall.EIO.Error()) || strings.Contains(err.Error(), syscall.EPIPE.Error()) { + if strings.Contains(err.Error(), unix.EIO.Error()) || strings.Contains(err.Error(), unix.EPIPE.Error()) { return fmt.Errorf("%v: %s", err, specutils.FaqErrorMsg("memlock", "you may be encountering a Linux kernel bug")) } return err diff --git a/runsc/boot/limits.go b/runsc/boot/limits.go index ce62236e5..3d2b3506d 100644 --- a/runsc/boot/limits.go +++ b/runsc/boot/limits.go @@ -16,9 +16,9 @@ package boot import ( "fmt" - "syscall" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/sentry/limits" "gvisor.dev/gvisor/pkg/sync" @@ -104,9 +104,9 @@ func (d *defs) initDefaults() error { // Read host limits that directly affect the sandbox and adjust the defaults // based on them. - for _, res := range []int{syscall.RLIMIT_FSIZE, syscall.RLIMIT_NOFILE} { - var hl syscall.Rlimit - if err := syscall.Getrlimit(res, &hl); err != nil { + for _, res := range []int{unix.RLIMIT_FSIZE, unix.RLIMIT_NOFILE} { + var hl unix.Rlimit + if err := unix.Getrlimit(res, &hl); err != nil { return err } diff --git a/runsc/boot/loader_test.go b/runsc/boot/loader_test.go index b77b4762e..3121ca6eb 100644 --- a/runsc/boot/loader_test.go +++ b/runsc/boot/loader_test.go @@ -19,7 +19,6 @@ import ( "math/rand" "os" "reflect" - "syscall" "testing" "time" 
@@ -78,7 +77,7 @@ func testSpec() *specs.Spec { // sandbox side of the connection, and a function that when called will stop the // gofer. func startGofer(root string) (int, func(), error) { - fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0) + fds, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0) if err != nil { return 0, nil, err } @@ -86,8 +85,8 @@ func startGofer(root string) (int, func(), error) { socket, err := unet.NewSocket(goferEnd) if err != nil { - syscall.Close(sandboxEnd) - syscall.Close(goferEnd) + unix.Close(sandboxEnd) + unix.Close(goferEnd) return 0, nil, fmt.Errorf("error creating server on FD %d: %v", goferEnd, err) } at, err := fsgofer.NewAttachPoint(root, fsgofer.Config{ROMount: true}) diff --git a/runsc/boot/network.go b/runsc/boot/network.go index 3d3a813df..7e627e4c6 100644 --- a/runsc/boot/network.go +++ b/runsc/boot/network.go @@ -19,8 +19,8 @@ import ( "net" "runtime" "strings" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/tcpip" "gvisor.dev/gvisor/pkg/tcpip/link/fdbased" @@ -195,7 +195,7 @@ func (n *Network) CreateLinksAndRoutes(args *CreateLinksAndRoutesArgs, _ *struct for j := 0; j < link.NumChannels; j++ { // Copy the underlying FD. oldFD := args.FilePayload.Files[fdOffset].Fd() - newFD, err := syscall.Dup(int(oldFD)) + newFD, err := unix.Dup(int(oldFD)) if err != nil { return fmt.Errorf("failed to dup FD %v: %v", oldFD, err) } |