Age | Commit message | Author
2021-02-24 | Merge release-20210208.0-89-gba4dfa717 (automated) | gVisor bot
2021-02-24 | Move //pkg/gate.Gate to //pkg/sync. | Jamie Liu
- Use atomic add rather than CAS in every Gate method, which is slightly faster in most cases.
- Implement Close wakeup using gopark/goready to avoid channel allocation.
New benchmarks:
name                         old time/op  new time/op  delta
GateEnterLeave-12            16.7ns ± 1%  10.3ns ± 1%  -38.44%  (p=0.000 n=9+8)
GateClose-12                 50.2ns ± 8%  42.4ns ± 6%  -15.44%  (p=0.000 n=10+10)
GateEnterLeaveAsyncClose-12   972ns ± 2%   640ns ± 7%  -34.15%  (p=0.000 n=9+10)
PiperOrigin-RevId: 359336344
2021-02-24 | Merge release-20210208.0-88-g8f6274404 (automated) | gVisor bot
2021-02-24 | Merge pull request #5519 from dqminh:runsc-ps-pids | gVisor bot
PiperOrigin-RevId: 359334029
2021-02-24 | Merge release-20210208.0-86-g055073f11 (automated) | gVisor bot
2021-02-24 | runsc/filters: permit clock_nanosleep for race | Andrei Vagin
Syzkaller hosts contain many audit messages that runsc tries to call the clock_nanosleep syscall.
PiperOrigin-RevId: 359331413
2021-02-24 | return root pids with runsc ps | Daniel Dao
`runsc ps` currently returns pid for a task's immediate pid namespace, which is confusing when there're multiple pid namespaces. We should return only pids in the root namespace.
Before:
```
1000 1 0 0 ? 02:24 250ms chrome
1000 1 0 0 ? 02:24 40ms dumb-init
1000 1 0 0 ? 02:24 240ms chrome
1000 2 1 0 ? 02:24 2.78s node
```
After:
```
UID PID PPID C TTY STIME TIME CMD
1000 1 0 0 ? 12:35 0s dumb-init
1000 2 1 7 ? 12:35 240ms node
1000 13 2 21 ? 12:35 2.33s chrome
1000 27 13 3 ? 12:35 260ms chrome
```
Signed-off-by: Daniel Dao <dqminh@cloudflare.com>
2021-02-24 | Merge release-20210208.0-85-gacd516cfe (automated) | gVisor bot
2021-02-24 | Add YAMA security module restrictions on ptrace(2). | Dean Deng
Restrict ptrace(2) according to the default configurations of the YAMA security module (mode 1), which is a common default among various Linux distributions. The new access checks only permit the tracer to proceed if one of the following conditions is met:
a) The tracer is already attached to the tracee.
b) The target is a descendant of the tracer.
c) The target has explicitly given permission to the tracer through the PR_SET_PTRACER prctl.
d) The tracer has CAP_SYS_PTRACE.
See security/yama/yama_lsm.c for more details.
Note that these checks are added to CanTrace, which is checked for PTRACE_ATTACH as well as some other operations, e.g., checking a process' memory layout through /proc/[pid]/mem.
Since this patch adds restrictions to ptrace, it may break compatibility for applications run by non-root users that, for instance, rely on being able to trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER prctl.
Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com
PiperOrigin-RevId: 359237723
2021-02-24 | Merge release-20210208.0-84-g6e000d342 (automated) | gVisor bot
2021-02-24 | Use async task context for async IO. | Dean Deng
PiperOrigin-RevId: 359235699
2021-02-23 | Merge release-20210208.0-83-g24ea8003a (automated) | gVisor bot
2021-02-22 | Only detect mds for mitigate. | Zach Koopmans
Only detect and mitigate on mds for the mitigate command.
PiperOrigin-RevId: 358924466
2021-02-23 | Merge release-20210208.0-82-g34e2cda9a (automated) | gVisor bot
2021-02-22 | Return nicer error message when cgroups v1 isn't available | Fabricio Voznika
Updates #3481
Closes #5430
PiperOrigin-RevId: 358923208
2021-02-22 | Merge release-20210208.0-81-gfed1cc6d8 (automated) | gVisor bot
2021-02-22 | Internal change. | gVisor bot
PiperOrigin-RevId: 358890980
2021-02-22 | Merge release-20210208.0-80-gc5a4e1000 (automated) | gVisor bot
2021-02-22 | unix: sendmmsg and recvmsg have to cap a number of message to UIO_MAXIOV | Andrei Vagin
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com
PiperOrigin-RevId: 358866218
2021-02-22 | Merge release-20210208.0-79-g19fe3a2bf (automated) | gVisor bot
2021-02-22 | Fix `runsc kill --pid` | Fabricio Voznika
Previously, loader.signalProcess was inconsistently using both root and container's PID namespace to find the process. It used root namespace for the exec'd process and container's PID namespace for other processes. This fixes the code to use the root PID namespace across the board, which is the same PID reported in `runsc ps` (or soon will after https://github.com/google/gvisor/pull/5519).
PiperOrigin-RevId: 358836297
2021-02-20 | Merge release-20210208.0-78-g93fc09248 (automated) | gVisor bot
2021-02-19 | Don't hold baseEndpoint.mu while calling EventUpdate(). | Nicolas Lacasse
This removes a three-lock deadlock between fdnotifier.notifier.mu, epoll.EventPoll.listsMu, and baseEndpoint.mu. A lock order comment was added to epoll/epoll.go. Also fix unsafe access of baseEndpoint.connected/receiver.
PiperOrigin-RevId: 358515191
2021-02-20 | Merge release-20210208.0-77-g7544eeb24 (automated) | gVisor bot
2021-02-19 | Correctly set and respect b.N in fio benchmark. | Zach Koopmans
fio should scale by written/read bytes and not iterate runs of the fio container.
PiperOrigin-RevId: 358511771
2021-02-19 | Merge release-20210208.0-76-g5e22ab93e (automated) | gVisor bot
2021-02-19 | control.Proc.Exec should default to root pid namespace if none provided. | Nicolas Lacasse
PiperOrigin-RevId: 358445320
2021-02-19 | Merge release-20210208.0-75-g599579d0e (automated) | gVisor bot
2021-02-19 | Add a few more project ideas to the gsoc 2021 list | Rahat Mahmood
PiperOrigin-RevId: 358354414
2021-02-19 | Merge release-20210208.0-74-gec7f44f36 (automated) | gVisor bot
2021-02-18 | Make socketops reflect correct sndbuf value for host UDS. | Bhasker Hariharan
Also skips a test if the setsockopt to increase send buffer did not result in an increase. This is possible when the underlying socket is a host backed unix domain socket as in such cases gVisor does not permit increasing SO_SNDBUF.
PiperOrigin-RevId: 358285158
2021-02-18 | Merge release-20210208.0-73-gf80a857a4 (automated) | gVisor bot
2021-02-18 | Bump build constraints to Go 1.18 | Michael Pratt
These are bumped to allow early testing of Go 1.17. Use will be audited closer to the 1.17 release.
PiperOrigin-RevId: 358278615
2021-02-18 | Merge release-20210208.0-72-gec20f4f38 (automated) | gVisor bot
2021-02-18 | Make b.N increase by KB not bytes on iperf. | Zach Koopmans
Currently, iperf runs a client that scales by bytes sent. In practice, this causes b.N to scale slowly and have several short-lived containers. Instead, scale by KB to more quickly reach required time.
PiperOrigin-RevId: 358244926
2021-02-18 | Merge release-20210208.0-71-g2a2cb29e1 (automated) | gVisor bot
2021-02-18 | Validate IGMP packets | Arthur Sfez
This change also adds support for Router Alert option processing on incoming packets, a new stat for Router Alert option, and exports all the IP-option related stats.
Fixes #5491
PiperOrigin-RevId: 358238123
2021-02-18 | Merge release-20210208.0-70-g26eada5de (automated) | gVisor bot
2021-02-18 | Use standard want/got syntax in test errors | Tamir Duberstein
Remove unused argument while I'm here and avoid returning syscall.Errno(0) which should rather be a nil error.
PiperOrigin-RevId: 358227396
2021-02-18 | Merge release-20210208.0-69-gbb5db8044 (automated) | gVisor bot
2021-02-18 | Remove deprecated NUD types Failed and FailedEntryLookups | Sam Balana
Completes the soft migration to Unreachable state by removing the Failed state and the FailedEntryLookups StatCounter.
Fixes #4667
PiperOrigin-RevId: 358226380
2021-02-18 | Merge release-20210208.0-68-g582f7bf6c (automated) | gVisor bot
2021-02-18 | Remove side effect from pty tests | Fabricio Voznika
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 358207468
2021-02-18 | Merge release-20210208.0-67-gf4d694693 (automated) | gVisor bot
2021-02-17 | Deflake tcp_network_unreachable test | Zeling Feng
Previously, we make two connect attempts. If the first attempt is still ongoing when the second attempt is made, the test will fail. This change deflakes the situation by not making the second attempt, instead, we poll for the first attempt's completion and read the errno from SO_ERROR.
PiperOrigin-RevId: 358104769
2021-02-18 | Merge release-20210208.0-66-gdea894238 (automated) | gVisor bot
2021-02-17 | [infra] Update JDK11 version for java runtime tests. | Ayush Ranjan
PiperOrigin-RevId: 358085809
2021-02-18 | Merge release-20210208.0-65-g1fc2c5f75 (automated) | gVisor bot
2021-02-17 | Move Name() out of netstack Matcher. It can live in the sentry. | Kevin Krakauer
PiperOrigin-RevId: 358078157
2021-02-18 | Merge release-20210208.0-64-gf051ec646 (automated) | gVisor bot