summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-05-13Enable overlayfs_stale_read by default for runsc.Jamie Liu
Linux 4.18 and later make reads and writes coherent between pre-copy-up and post-copy-up FDs representing the same file on an overlay filesystem. However, memory mappings remain incoherent: - Documentation/filesystems/overlayfs.rst, "Non-standard behavior": "If a file residing on a lower layer is opened for read-only and then memory mapped with MAP_SHARED, then subsequent changes to the file are not reflected in the memory mapping." - fs/overlay/file.c:ovl_mmap() passes through to the underlying FD without any management of coherence in the overlay. - Experimentally on Linux 5.2: ``` $ cat mmap_cat_page.c #include <err.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/mman.h> #include <unistd.h> int main(int argc, char **argv) { if (argc < 2) { errx(1, "syntax: %s [FILE]", argv[0]); } const int fd = open(argv[1], O_RDONLY); if (fd < 0) { err(1, "open(%s)", argv[1]); } const size_t page_size = sysconf(_SC_PAGE_SIZE); void* page = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, 0); if (page == MAP_FAILED) { err(1, "mmap"); } for (;;) { write(1, page, strnlen(page, page_size)); if (getc(stdin) == EOF) { break; } } return 0; } $ gcc -O2 -o mmap_cat_page mmap_cat_page.c $ mkdir lowerdir upperdir workdir overlaydir $ echo old > lowerdir/file $ sudo mount -t overlay -o "lowerdir=lowerdir,upperdir=upperdir,workdir=workdir" none overlaydir $ ./mmap_cat_page overlaydir/file old ^Z [1]+ Stopped ./mmap_cat_page overlaydir/file $ echo new > overlaydir/file $ cat overlaydir/file new $ fg ./mmap_cat_page overlaydir/file old ``` Therefore, while the VFS1 gofer client's behavior of reopening read FDs is only necessary pre-4.18, replacing existing memory mappings (in both sentry and application address spaces) with mappings of the new FD is required regardless of kernel version, and this latter behavior is common to both VFS1 and VFS2. Re-document accordingly, and change the runsc flag to enabled by default. New test: - Before this CL: https://source.cloud.google.com/results/invocations/5b222d2c-e918-4bae-afc4-407f5bac509b - After this CL: https://source.cloud.google.com/results/invocations/f28c747e-d89c-4d8c-a461-602b33e71aab PiperOrigin-RevId: 311361267
2020-05-13Use VFS2 mount namesFabricio Voznika
Updates #1487 PiperOrigin-RevId: 311356385
2020-05-13Replace test_runner.sh bash script with Go.Ian Gudger
PiperOrigin-RevId: 311285868
2020-05-12Adjust a few log messagesFabricio Voznika
PiperOrigin-RevId: 311234146
2020-05-12Merge pull request #2678 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 311203776
2020-05-12Don't allow rename across different gofer or tmpfs mounts.Nicolas Lacasse
Fixes #2651. PiperOrigin-RevId: 311193661
2020-05-12Merge pull request #2513 from amscanne:website-integratedgVisor bot
PiperOrigin-RevId: 311184385
2020-05-12Merge pull request #2671 from kevinGC:skip-outputgVisor bot
PiperOrigin-RevId: 311181084
2020-05-12Don't call kernel.Task.Block() from netstack.SocketOperations.Write().Jamie Liu
kernel.Task.Block() requires that the caller is running on the task goroutine. netstack.SocketOperations.Write() uses kernel.TaskFromContext() to call kernel.Task.Block() even if it's not running on the task goroutine. Stop doing that. PiperOrigin-RevId: 311178335
2020-05-12iptables: support gid match for owner matching.Nayana Bidari
- Added support for matching gid owner and invert flag for uid and gid. $ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP - Added tests for uid, gid and invert flags.
2020-05-12Merge pull request #2664 from lubinszARM:pr_sigfpgVisor bot
PiperOrigin-RevId: 311153824
2020-05-11Internal change.Jamie Liu
PiperOrigin-RevId: 311046755
2020-05-11iptables: check for truly unconditional rulesKevin Krakauer
We weren't properly checking whether the inserted default rule was unconditional.
2020-05-11Add fpsimd support in sigreturn on Arm64Bin Lu
Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-05-11Add fsimpl/gofer.InternalFilesystemOptions.OpenSocketsByConnecting.Jamie Liu
PiperOrigin-RevId: 311014995
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 311011004
2020-05-11Automated rollback of changelist 310417191Bhasker Hariharan
PiperOrigin-RevId: 310963404
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 310949277
2020-05-11Fix view.ToVectorisedView().Bhasker Hariharan
view.ToVectorisedView() now just returns an empty vectorised view if the view is of zero length. Earlier it would return a VectorisedView of zero length but with 1 empty view. This has been a source of bugs as lower layers don't expect zero length views in VectorisedViews. VectorisedView.AppendView() now is a no-op if the view being appended is of zero length. Fixes #2658 PiperOrigin-RevId: 310942269
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 310941717
2020-05-10Stop avoiding preadv2 and pwritev2, and add them to the filters.Nicolas Lacasse
Some code paths needed these syscalls anyways, so they should be included in the filters. Given that we depend on these syscalls in some cases, there's no real reason to avoid them any more. PiperOrigin-RevId: 310829126
2020-05-08iptables - filter packets using outgoing interface.gVisor bot
Enables commands with -o (--out-interface) for iptables rules. $ iptables -A OUTPUT -o eth0 -j ACCEPT PiperOrigin-RevId: 310642286
2020-05-08Add UDP send/recv packetimpact tests.Bhasker Hariharan
Fixes #2654 PiperOrigin-RevId: 310642216
2020-05-08Pass flags to fsimpl/host.inode.open().Jamie Liu
This has two effects: It makes flags passed to open("/proc/[pid]/fd/[hostfd]") effective, and it prevents imported pipes/sockets/character devices from being opened with O_NONBLOCK unconditionally (because the underlying host FD was set to non-blocking in ImportFD()). PiperOrigin-RevId: 310596062
2020-05-08Send ACK to OTW SEQs/unacc ACKs in CLOSE_WAITZeling Feng
This fixed the corresponding packetimpact test. PiperOrigin-RevId: 310593470
2020-05-07Merge pull request #2637 from avagin:make-vs-bazelgVisor bot
PiperOrigin-RevId: 310479788
2020-05-07make: exit with non-zero code if "bazel build" failedAndrei Vagin
Without this fix, make exits with zero code when bazel build failed: $ make run TARGETS="--abra --kadabra" ERROR: Unrecognized option: --abra $ echo $? 0 Signed-off-by: Andrei Vagin <avagin@gmail.com>
2020-05-07make: bazel docker container should clean itself up.Adin Scannell
This change two does things: 1) Name the container based on the canonical directory path. 2) Allow the container to exit after bazel itself has exited. The first is necessary to support multiple working directories, while the second one allows these instances to clean up properly. PiperOrigin-RevId: 310460748
2020-05-07Fix ARM64 build.Adin Scannell
The common syscall definitions mean that ARM64-exclusive files need stubs in the ARM64 build. PiperOrigin-RevId: 310446698
2020-05-07Capture range variable in parallel subtestsSam Balana
Only the last test was running before since the goroutines won't be executed until after this loop. I added t.Log(test.name) and this is was the result: TestListenNoAcceptNonUnicastV4/SourceUnspecified: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestUnspecified: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestOtherMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceBroadcast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestOurMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestBroadcast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceOtherMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceOurMulticast: DestOtherMulticast https://github.com/golang/go/wiki/TableDrivenTests#parallel-testing PiperOrigin-RevId: 310440629
2020-05-07Allocate device numbers for VFS2 filesystems.Jamie Liu
Updates #1197, #1198, #1672 PiperOrigin-RevId: 310432006
2020-05-07Fix tags used for determining file sets.Adin Scannell
Updates #2569 Updates #2298 PiperOrigin-RevId: 310423629
2020-05-07Automated rollback of changelist 309339316Bhasker Hariharan
PiperOrigin-RevId: 310417191
2020-05-07Move pkg/sentry/vfs/{eventfd,timerfd} to new packages in pkg/sentry/fsimpl.Nicolas Lacasse
They don't depend on anything in VFS2, so they should be their own packages. PiperOrigin-RevId: 310416807
2020-05-07Internal change.gVisor bot
PiperOrigin-RevId: 310409922
2020-05-07Port signalfd to vfs2.Nicolas Lacasse
PiperOrigin-RevId: 310404113
2020-05-07Fix bugs in SACK recovery.Bhasker Hariharan
Every call to sender.NextSeg does not need to iterate from the front of the writeList as in a given recovery episode we can cache the last nextSeg returned. There cannot be a lower sequenced segment that matches the next call to NextSeg as otherwise we would have returned that instead in the previous call. This fixes the issue of excessive CPU usage w/ large send buffers where we spend a lot of time iterating from the front of the list on every NextSeg invocation. Further the following other bugs were also fixed: * Iteration of segments never sent in NextSeg() when looking for segments for retransmission that match step1/3/4 of the NextSeg algorithm * Correctly setting rescueRxt only if the rescue segment was actually sent. * Correctly initializing rescueRxt/highRxt when entering SACK recovery. * Correctly re-arming the timer only on retransmissions when SACK is in use and not for every segment being sent as it was being done before. * Copy over xmitTime and xmitCount on segment clone. * Move writeNext along when skipping over SACKED segments. This is required to prevent spurious retransmissions where we end up retransmitting data that was never lost. PiperOrigin-RevId: 310387671
2020-05-07Update privateunixsocket TODOs.Dean Deng
Synthetic sockets do not have the race condition issue in VFS2, and we will get rid of privateunixsocket as well. Fixes #1200. PiperOrigin-RevId: 310386474
2020-05-07Merge pull request #2639 from kevinGC:ipv4-frag-reassembly-testgVisor bot
PiperOrigin-RevId: 310380911
2020-05-07Remove outdated TODO for VFS2 AccessAt.Dean Deng
Fixes #1965. PiperOrigin-RevId: 310380433
2020-05-06Add basic incoming ipv4 fragment testsKevin Krakauer
Based on ipv6's TestReceiveIPv6Fragments.
2020-05-06Merge pull request #2570 from lubinszARM:pr_cleangVisor bot
PiperOrigin-RevId: 310259686
2020-05-06Remove vfs.FileDescriptionOptions.InvalidWrite.Jamie Liu
Compare: https://elixir.bootlin.com/linux/v5.6/source/fs/timerfd.c#L431 PiperOrigin-RevId: 310246908
2020-05-06Do not assume no DHCPv6 configurationsGhanan Gowripalan
Do not assume that networks need any DHCPv6 configurations. Instead, notify the NDP dispatcher in response to the first NDP RA's DHCPv6 flags, even if the flags indicate no DHCPv6 configurations are available. PiperOrigin-RevId: 310245068
2020-05-06Add support for kramdown TOC.Adin Scannell
2020-05-06Add atom feed (at previous URL).Adin Scannell
2020-05-06Clean-up documentation.Adin Scannell
2020-05-06Add powered by gVisor logo.Adin Scannell
2020-05-06Fixup link in CODE_OF_CONDUCT.md.Adin Scannell
2020-05-06Fixup transitions for navbar.Adin Scannell