summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-07-12Merge release-20210705.0-11-ge3fdd1593 (automated)gVisor bot
2021-07-12[syserror] Update syserror to linuxerr for more errors.Zach Koopmans
Update the following from syserror to the linuxerr equivalent: EEXIST EFAULT ENOTDIR ENOTTY EOPNOTSUPP ERANGE ESRCH PiperOrigin-RevId: 384329869
2021-07-12Merge release-20210705.0-10-gebe99977a (automated)gVisor bot
2021-07-12Mark all functions that are called from a forked child with go:noraceAndrei Vagin
PiperOrigin-RevId: 384305599
2021-07-12Merge release-20210705.0-9-g9c09db654 (automated)gVisor bot
2021-07-12Fix async-signal-unsafety in chroot test.Jamie Liu
PiperOrigin-RevId: 384295543
2021-07-12Merge release-20210705.0-8-g4742f7d78 (automated)gVisor bot
2021-07-12Prevent interleaving in sniffer pcap outputTamir Duberstein
Remove "partial write" handling as io.Writer.Write is not permitted to return a nil error on partial writes, and this code was already panicking on non-nil errors. PiperOrigin-RevId: 384289970
2021-07-12Merge release-20210705.0-7-g1f396d8c1 (automated)gVisor bot
2021-07-12Prevent the cleanup script from destroying any "bootstrap" containers.Adin Scannell
PiperOrigin-RevId: 384257460
2021-07-12Merge release-20210628.0-35-g36a17a814 (automated)gVisor bot
2021-07-12Go 1.17 support for the KVM platformMichael Pratt
Go 1.17 adds a new register-based calling convention. While transparent for most applications, the KVM platform needs special work in a few cases. First of all, we need the actual address of some assembly functions, rather than the address of a wrapper. See http://gvisor.dev/pr/5832 for complete discussion of this. More relevant to this CL is that ABI0-to-ABIInternal wrappers (i.e., calls from assembly to Go) access the G via FS_BASE. The KVM quite fast-and-loose about the Go environment, often calling into (nosplit) Go functions with uninitialized FS_BASE. That will no longer work in Go 1.17, so this CL changes the platform to consistently restore FS_BASE before calling into Go code. This CL does not affect arm64 code. Go 1.17 does not support the register-based calling convention for arm64 (it will come in 1.18), but arm64 also does not use a non-standard register like FS_BASE for TLS, so it may not require any changes. PiperOrigin-RevId: 384234305
2021-07-09Merge release-20210628.0-34-gd78713e2d (automated)gVisor bot
2021-07-09Drop unnecessary checklocksignore.Adin Scannell
PiperOrigin-RevId: 383940663
2021-07-09Merge release-20210628.0-33-gde29d8d41 (automated)gVisor bot
2021-07-08Fix some //pkg/seccomp bugs.Jamie Liu
- LockOSThread() around prctl(PR_SET_NO_NEW_PRIVS) => seccomp(). go:nosplit "mostly" prevents async preemption, but IIUC preemption is still permitted during function prologues: funcpctab "".seccomp [valfunc=pctopcdata] 0 -1 00000 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) TEXT "".seccomp(SB), NOSPLIT|ABIInternal, $72-32 0 00000 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) TEXT "".seccomp(SB), NOSPLIT|ABIInternal, $72-32 0 -1 00000 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) SUBQ $72, SP 4 00004 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) MOVQ BP, 64(SP) 9 00009 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) LEAQ 64(SP), BP e 00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) FUNCDATA $0, gclocals·ba30782f8935b28ed1adaec603e72627(SB) e 00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) FUNCDATA $1, gclocals·663f8c6bfa83aa777198789ce63d9ab4(SB) e 00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:110) FUNCDATA $2, "".seccomp.stkobj(SB) e 00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:111) PCDATA $0, $-2 e -2 00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:111) MOVQ "".ptr+88(SP), AX (-1 is objabi.PCDATA_UnsafePointSafe and -2 is objabi.PCDATA_UnsafePointUnsafe, from Go's cmd/internal/objabi.) - Handle non-errno failures from seccomp() with SECCOMP_FILTER_FLAG_TSYNC. PiperOrigin-RevId: 383757580
2021-07-09Merge release-20210628.0-32-gf8207a823 (automated)gVisor bot
2021-07-08clarify safemount behaviorKevin Krakauer
PiperOrigin-RevId: 383750666
2021-07-08Merge release-20210628.0-31-g052eb90dc (automated)gVisor bot
2021-07-08Replace kernel.ExitStatus with linux.WaitStatus.Jamie Liu
PiperOrigin-RevId: 383705129
2021-07-08Merge release-20210628.0-30-gfbd4ccf33 (automated)gVisor bot
2021-07-08Fix async-signal-unsafety in socket test.Jamie Liu
PiperOrigin-RevId: 383689096
2021-07-08Merge release-20210628.0-29-g07f2c8b56 (automated)gVisor bot
2021-07-08devpts: Notify of echo'd input queue bytes only after locks have been released.Etienne Perot
PiperOrigin-RevId: 383684320
2021-07-08Merge release-20210628.0-28-g1fc7a9eac (automated)gVisor bot
2021-07-08Do not queue zero sized segments.Bhasker Hariharan
Commit 16b751b6c610ec2c5a913cb8a818e9239ee7da71 introduced a bug where writes of zero size would end up queueing a zero sized segment which will cause the sandbox to panic when trying to send a zero sized segment(e.g. after an RTO) as netstack asserts that the all non FIN segments have size > 0. This change adds the check for a zero sized payload back to avoid queueing such segments. The associated test panics without the fix and passes with it. PiperOrigin-RevId: 383677884
2021-07-07Merge release-20210628.0-27-g02fec8dba (automated)gVisor bot
2021-07-07Move time.Now() call to snifferTamir Duberstein
PiperOrigin-RevId: 383481745
2021-07-07Merge release-20210628.0-26-gcd558fcb0 (automated)gVisor bot
2021-07-07Sentry: Measure the time it takes to initialize the Sentry.Etienne Perot
PiperOrigin-RevId: 383472507
2021-07-07Merge release-20210628.0-25-gb63631b46 (automated)gVisor bot
2021-07-07Use time package-level variableTamir Duberstein
PiperOrigin-RevId: 383426091
2021-07-03Merge release-20210628.0-24-gadd8bca5b (automated)gVisor bot
2021-07-02[op] Make TCPNonBlockingConnectClose more reasonable.Ayush Ranjan
This test single handedly causes the syscalls:socket_inet_loopback_test test variants to take more than an hour to run on some of our testing environments. Reduce how aggressively this test tries to replicate a fixed flake. This is a regression test. PiperOrigin-RevId: 382849039
2021-07-03Merge release-20210628.0-23-g3d32a05a3 (automated)gVisor bot
2021-07-02runsc: validate mount targetsKevin Krakauer
PiperOrigin-RevId: 382845950
2021-07-02Merge release-20210628.0-22-gfcf0ff2fc (automated)gVisor bot
2021-07-02Merge pull request #6258 from liornm:fix-iptables-input-interfacegVisor bot
PiperOrigin-RevId: 382788878
2021-07-02Merge release-20210628.0-20-ga51a4b872 (automated)gVisor bot
2021-07-02Discover more specific routes as per RFC 4191Ghanan Gowripalan
More-specific route discovery allows hosts to pick a more appropriate router for off-link destinations. Fixes #6172. PiperOrigin-RevId: 382779880
2021-07-01Merge release-20210628.0-19-g16b751b6c (automated)gVisor bot
2021-07-01Mix checklocks and atomic analyzers.Adin Scannell
This change makes the checklocks analyzer considerable more powerful, adding: * The ability to traverse complex structures, e.g. to have multiple nested fields as part of the annotation. * The ability to resolve simple anonymous functions and closures, and perform lock analysis across these invocations. This does not apply to closures that are passed elsewhere, since it is not possible to know the context in which they might be invoked. * The ability to annotate return values in addition to receivers and other parameters, with the same complex structures noted above. * Ignoring locking semantics for "fresh" objects, i.e. objects that are allocated in the local frame (typically a new-style function). * Sanity checking of locking state across block transitions and returns, to ensure that no unexpected locks are held. Note that initially, most of these findings are excluded by a comprehensive nogo.yaml. The findings that are included are fundamental lock violations. The changes here should be relatively low risk, minor refactorings to either include necessary annotations to simplify the code structure (in general removing closures in favor of methods) so that the analyzer can be easily track the lock state. This change additional includes two changes to nogo itself: * Sanity checking of all types to ensure that the binary and ast-derived types have a consistent objectpath, to prevent the bug above from occurring silently (and causing much confusion). This also requires a trick in order to ensure that serialized facts are consumable downstream. This can be removed with https://go-review.googlesource.com/c/tools/+/331789 merged. * A minor refactoring to isolation the objdump settings in its own package. This was originally used to implement the sanity check above, but this information is now being passed another way. The minor refactor is preserved however, since it cleans up the code slightly and is minimal risk. PiperOrigin-RevId: 382613300
2021-07-01Merge release-20210628.0-18-g570ca5718 (automated)gVisor bot
2021-07-01Fix bug with TCP bind w/ SO_REUSEADDR.Bhasker Hariharan
In gVisor today its possible that when trying to bind a TCP socket w/ SO_REUSEADDR specified and requesting the kernel pick a port by setting port to zero can result in a previously bound port being returned. This behaviour is incorrect as the user is clearly requesting a free port. The behaviour is fine when the user explicity specifies a port. This change now checks if the user specified a port when making a port reservation for a TCP port and only returns unbound ports even if SO_REUSEADDR was specified. Fixes #6209 PiperOrigin-RevId: 382607638
2021-07-01Merge release-20210628.0-17-g3d4a8824f (automated)gVisor bot
2021-07-01Strace: handle null pathsFabricio Voznika
PiperOrigin-RevId: 382603592
2021-07-01Merge release-20210628.0-16-g590b8d3e9 (automated)gVisor bot
2021-07-01[syserror] Update several syserror errors to linuxerr equivalents.Zach Koopmans
Update/remove most syserror errors to linuxerr equivalents. For list of removed errors, see //pkg/syserror/syserror.go. PiperOrigin-RevId: 382574582
2021-07-01Merge release-20210628.0-15-g07ffecef8 (automated)gVisor bot
2021-06-30Implement fmt.Stringer for NDPRoutePreferenceGhanan Gowripalan
PiperOrigin-RevId: 382427879