summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-05-20Merge release-20210510.0-63-gaf229f46a (automated)gVisor bot
2021-05-20Fix cgroupfs mount racing with unmount.Rahat Mahmood
Previously, mount could discover a hierarchy being destroyed concurrently, which resulted in mount attempting to take a ref on an already destroyed cgroupfs. Reported-by: syzbot+062c0a67798a200f23ee@syzkaller.appspotmail.com PiperOrigin-RevId: 374959054
2021-05-19Merge release-20210510.0-62-gb8b43f70c (automated)gVisor bot
2021-05-19Send ICMP errors when link address resolution failsNick Brown
Before this change, we would silently drop packets when link resolution failed. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return an ICMP error to the sender when link resolution fails. PiperOrigin-RevId: 374699789
2021-05-19Merge release-20210510.0-61-g2f3eda37a (automated)gVisor bot
2021-05-19Fix nogo analysis.Adin Scannell
Ignore calls to atomic functions in case there is no analysis information. It is unclear why this has broken in some cases, perhaps these functions have been replaced by intrinsics as an optimization? PiperOrigin-RevId: 374682441
2021-05-19Merge release-20210510.0-60-g52394c34a (automated)gVisor bot
2021-05-18use more explicit netstack dependency restrictionsKevin Krakauer
Fuchsia was unable to build when building netstack transitively depended on golang.org/x/unix constants not defined in Fuchsia. The packages causing this (safemem and usermem) are no longer in the allowlist. Tested that this failed at cl/373651666, and passes now that the dependency has been removed. PiperOrigin-RevId: 374570220
2021-05-18Be explicit about setsid() return values in pty.ccKevin Krakauer
PiperOrigin-RevId: 374570219
2021-05-19Merge release-20210510.0-58-gf2d6c72b6 (automated)gVisor bot
2021-05-18Prevent infinite loops from being optimized away.gVisor bot
https://github.com/llvm/llvm-project/commit/6c3129549374c0e81e28fd0a21e96f8087b63a78 adds "mustprogress" to loops, which causes empty, side-effect free loops to be optimized away. These loops are intentionally infinite for purposes of testing, so add asm statements that prevent them from being removed. PiperOrigin-RevId: 374546142
2021-05-19Merge release-20210510.0-57-ge290d3370 (automated)gVisor bot
2021-05-18Merge pull request #6009 from kevinGC:anotheraligngVisor bot
PiperOrigin-RevId: 374545882
2021-05-18Merge release-20210510.0-55-g2ff71116e (automated)gVisor bot
2021-05-18Merge pull request #5908 from zhlhahaha:2157gVisor bot
PiperOrigin-RevId: 374517895
2021-05-18Merge release-20210510.0-53-ge4984f853 (automated)gVisor bot
2021-05-18Delete /cloud/gvisor/sandbox/sentry/gofer/opened_write_execute_file metricNayana Bidari
This metric is replaced by /cloud/gvisor/sandbox/sentry/suspicious_operations metric with field value opened_write_execute_file. PiperOrigin-RevId: 374509823
2021-05-18Merge release-20210510.0-52-g8ff6694e5 (automated)gVisor bot
2021-05-18[syserror] Add linuxerr package.Zach Koopmans
Add linuxerr package to replace syserror and syserr errors. This is done to improve performance comparing/returning errors to on par with syscall.Errno. The below linuxerr_test (formerly syserror_test) shows linuxerr.Error on par with unix.Error (syscall.Errno) as desired. BenchmarkAssignErrno BenchmarkAssignErrno-6 1000000000 0.6291 ns/op BenchmarkLinuxerrAssignError BenchmarkLinuxerrAssignError-6 1000000000 0.5808 ns/op BenchmarkAssignSyserrorError BenchmarkAssignSyserrorError-6 1000000000 0.6188 ns/op BenchmarkCompareErrno BenchmarkCompareErrno-6 1000000000 0.5041 ns/op BenchmarkCompareLinuxerrError BenchmarkCompareLinuxerrError-6 1000000000 0.4660 ns/op BenchmarkCompareSyserrorError BenchmarkCompareSyserrorError-6 309026907 3.386 ns/op BenchmarkSwitchErrno BenchmarkSwitchErrno-6 722253750 1.440 ns/op BenchmarkSwitchLinuxerrError BenchmarkSwitchLinuxerrError-6 709108542 1.453 ns/op BenchmarkSwitchSyserrorError BenchmarkSwitchSyserrorError-6 106331331 11.21 ns/op PiperOrigin-RevId: 374507431
2021-05-18Merge release-20210510.0-51-g5d04e0ae3 (automated)gVisor bot
2021-05-18Emit more information on panicTamir Duberstein
PiperOrigin-RevId: 374464969
2021-05-18Merge release-20210510.0-50-g32b66bb2b (automated)gVisor bot
2021-05-17Add badges for Github actions so it's easier to notice when they are failing.Ian Lewis
PiperOrigin-RevId: 374331016
2021-05-18Merge release-20210510.0-49-g3c24d345d (automated)gVisor bot
2021-05-17Automated rollback of changelist 373417636Jamie Liu
PiperOrigin-RevId: 374319456
2021-05-17Merge pull request #5224 from avagin:bazel-3.7gVisor bot
PiperOrigin-RevId: 374295866
2021-05-17Update bazel packagesAndrei Vagin
2021-05-17Merge release-20210510.0-46-ge6cd1ff1b (automated)gVisor bot
2021-05-17Reduce thread count in TCPResetDuringClose.Jamie Liu
This test suffers from extreme contention on tcpip/stack.AddressableEndpointState.mu via AddressableEndpointState.decAddressRef, at least when Go race detection is enabled. PiperOrigin-RevId: 374273745
2021-05-17Merge release-20210510.0-45-gd96499d17 (automated)gVisor bot
2021-05-17Make sandbox join the pod cgroup in K8sFabricio Voznika
cgroups in K8s are setup with the following hierarchy: `.../pod/container`. The sandbox is created with the first container and consequently uses the the pause container cgroup. This change removes the container cgroup from the path to make the sandbox use the pod cgroup instead. Otherwise limits set to the pause container will apply to the entire sandbox. PiperOrigin-RevId: 374273277
2021-05-17replace use of atomic with AlignedAtomicInt64Kevin Krakauer
2021-05-17Merge release-20210510.0-44-g7654181cc (automated)gVisor bot
2021-05-17Rename variables in IP forwarding testsNick Brown
Previously, we named domain objects using numbers (e.g. "e1", "e2" etc). This change renames objects to clarify whether they are part of the incoming or outgoing path. PiperOrigin-RevId: 374226859
2021-05-15Merge release-20210510.0-43-g8e8b75252 (automated)gVisor bot
2021-05-14Add stuck tasks and startup stuck tasks to weirdness metricNayana Bidari
Weirdness metric will replace the below two metrics: - watchdog/stuck_startup_detected - watchdog/stuck_tasks_detected PiperOrigin-RevId: 373895696
2021-05-14Merge release-20210510.0-42-g820c77d5e (automated)gVisor bot
2021-05-14Validate DAD configs when initializing DAD stateGhanan Gowripalan
Make sure that the initial configurations used by the DAD state is valid. Before this change, an invalid DAD configuration (with a zero-valued retransmit timer) was used so the DAD state would attempt to resolve DAD immediately. This lead to a deadlock in TestDADResolve as when DAD resolves, the stack notifies the NDP dispatcher which would attempt to write to an unbuffered channel while holding a lock. The test goroutine also attempts to obtain a stack.Route (before receiving from the channel) which ends up attempting to take the same lock. Test: stack_test.TestDADResolve PiperOrigin-RevId: 373888540
2021-05-14Control forwarding per NetworkEndpointGhanan Gowripalan
...instead of per NetworkProtocol to better conform with linux (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt): ``` conf/interface/* forwarding - BOOLEAN Enable IP forwarding on this interface. This controls whether packets received _on_ this interface can be forwarded. ``` Fixes #5932. PiperOrigin-RevId: 373888000
2021-05-14Merge release-20210510.0-40-g25f0ab331 (automated)gVisor bot
2021-05-14Add new metric for suspicious operations.Nayana Bidari
The new metric contains fields and will replace the below existing metric: - opened_write_execute_file PiperOrigin-RevId: 373884604
2021-05-14Merge release-20210510.0-39-gf8d79e94e (automated)gVisor bot
2021-05-14Add hash15 label for tests.Andrei Vagin
PiperOrigin-RevId: 373875071
2021-05-14Merge release-20210510.0-38-g894187b2c (automated)gVisor bot
2021-05-14Resolve remaining O_PATH TODOs.Dean Deng
O_PATH is now implemented in vfs2. Fixes #2782. PiperOrigin-RevId: 373861410
2021-05-14Merge release-20210510.0-37-geb7e83f64 (automated)gVisor bot
2021-05-14Add verity_mmap testsChong Cai
PiperOrigin-RevId: 373854462
2021-05-14Merge release-20210510.0-36-g600d14f83 (automated)gVisor bot
2021-05-14Don't read forwarding from netstack in sentryGhanan Gowripalan
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt: /proc/sys/net/ipv4/* Variables: ip_forward - BOOLEAN 0 - disabled (default) not 0 - enabled Forward Packets between interfaces. This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers) /proc/sys/net/ipv4/ip_forward only does work when its value is changed and always returns the last written value. The last written value may not reflect the current state of the netstack (e.g. when `ip_forward` was written a value of "1" then disable forwarding on an interface) so there is no need for sentry to probe netstack to get the current forwarding state of interfaces. ``` ~$ cat /proc/sys/net/ipv4/ip_forward 0 ~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward" ~$ cat /proc/sys/net/ipv4/ip_forward 1 ~$ sudo sysctl -a | grep ipv4 | grep forward net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.eno1.forwarding = 1 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.wlp1s0.forwarding = 1 net.ipv4.ip_forward = 1 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ sudo sysctl -w net.ipv4.conf.wlp1s0.forwarding=0 net.ipv4.conf.wlp1s0.forwarding = 0 ~$ sudo sysctl -a | grep ipv4 | grep forward net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.eno1.forwarding = 1 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.wlp1s0.forwarding = 0 net.ipv4.ip_forward = 1 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ cat /proc/sys/net/ipv4/ip_forward 1 ~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward" ~$ sudo sysctl -a | grep ipv4 | grep forward net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.eno1.forwarding = 1 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.wlp1s0.forwarding = 0 net.ipv4.ip_forward = 1 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ sudo bash -c "echo 0 > /proc/sys/net/ipv4/ip_forward" ~$ sudo sysctl -a | grep ipv4 | grep forward sysctl: unable to open directory "/proc/sys/fs/binfmt_misc/" net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.eno1.forwarding = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.wlp1s0.forwarding = 0 net.ipv4.ip_forward = 0 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ cat /proc/sys/net/ipv4/ip_forward 0 ``` In the above example we can see that writing "1" to /proc/sys/net/ipv4/ip_forward configures the stack to be a router (all interfaces are configured to enable forwarding). However, if we manually update an interace (`wlp1s0`) to not forward packets, /proc/sys/net/ipv4/ip_forward continues to return the last written value of "1", even though not all interfaces will forward packets. Also note that writing the same value twice has no effect; work is performed iff the value changes. This change also removes the 'unset' state from sentry's ip forwarding data structures as an 'unset' ip forwarding value is the same as leaving forwarding disabled as the stack is always brought up with forwarding initially disabled; disabling forwarding on a newly created stack is a no-op. PiperOrigin-RevId: 373853106
2021-05-14Merge release-20210510.0-35-g2ac6b7688 (automated)gVisor bot