summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-03-17Wrap rand.Reader in a bufio.Reader.Bhasker Hariharan
rand.Read() results in a syscall to the host on every call instead we can wrap it with a bufio.Reader to buffer and reduce number of syscalls. This is especially important for TCP where every newly created endpoint reads random data to initialize the timestamp offsets for the endpoint. Updates #231 PiperOrigin-RevId: 301501607
2020-03-17iptables: fix type in script name, mark some new tests as skippedKevin Krakauer
PiperOrigin-RevId: 301476456
2020-03-17Remove HostFS from Sentry.Zach Koopmans
PiperOrigin-RevId: 301402181
2020-03-17Packetimpact in Go with c++ stubEyal Soha
PiperOrigin-RevId: 301382690
2020-03-16fdtable: don't try to zap fdtable entry if close is called for non-existing fdAndrei Vagin
FDTable.setAll is used to zap entries, but it grows the table up to a specified fd. Reported-by: syzbot+9e281b0750d2d4caa190@syzkaller.appspotmail.com PiperOrigin-RevId: 301280000
2020-03-16Enforce file size rlimits in VFS2Fabricio Voznika
Updates #1035 PiperOrigin-RevId: 301255357
2020-03-16Add calls to vfs.CheckSetStat to fsimplsFabricio Voznika
Only gofer filesystem was calling vfs.CheckSetStat for vfs.FilesystemImpl.SetStatAt and vfs.FileDescriptionImpl.SetStat. Updates #1193, #1672, #1197 PiperOrigin-RevId: 301226522
2020-03-16Enable ARP resolution in TAP devices.Ting-Yu Wang
PiperOrigin-RevId: 301208471
2020-03-16Merge pull request #1943 from kevinGC:ipt-filter-ipgVisor bot
PiperOrigin-RevId: 301197007
2020-03-16Prevent vnetHdr from escaping in WritePacket.Bhasker Hariharan
PiperOrigin-RevId: 301157950
2020-03-14Disallow kernfs.Inode.SetStat for readonly inodesFabricio Voznika
Updates #1195, #1193 PiperOrigin-RevId: 300950993
2020-03-14Plumb VFS2 imported fds into virtual filesystem.Dean Deng
- When setting up the virtual filesystem, mount a host.filesystem to contain all files that need to be imported. - Make read/preadv syscalls to the host in cases where preadv2 may not be supported yet (likewise for writing). - Make save/restore functions in kernel/kernel.go return early if vfs2 is enabled. PiperOrigin-RevId: 300922353
2020-03-13Add remaining procfs filesFabricio Voznika
Closes #1195 PiperOrigin-RevId: 300867055
2020-03-13Panic if file in FDTable has been destroyedFabricio Voznika
This will give more information about the file to identify where possibly the extra DecRef() would be. PiperOrigin-RevId: 300855874
2020-03-13Fix infinite loop in semaphore.sem.wakeWaiters().Jamie Liu
PiperOrigin-RevId: 300845134
2020-03-13Internal changeZach Koopmans
PiperOrigin-RevId: 300836270
2020-03-13Fix typoMichael Pratt
PiperOrigin-RevId: 300832988
2020-03-13Refactor SLAAC address state into SLAAC prefix stateGhanan Gowripalan
Previously, SLAAC related state was stored on a per-address basis. This was sufficient for the simple case of a single SLAAC address per prefix, but future CLs will introduce temporary addresses which will result in multiple SLAAC addresses for a prefix. This refactor allows storing multiple addresses for a prefix in a single SLAAC prefix state. No behaviour changes - existing tests continue to pass. PiperOrigin-RevId: 300832812
2020-03-13Fix oom_score_adj.Jamie Liu
- Make oomScoreAdj a ThreadGroup field (Linux: signal_struct::oom_score_adj). - Avoid deadlock caused by Task.OOMScoreAdj()/SetOOMScoreAdj() locking Task.mu and TaskSet.mu in the wrong order (via Task.ExitState()). PiperOrigin-RevId: 300814698
2020-03-13Disable a NIC before removing itGhanan Gowripalan
When a NIC is removed, attempt to disable the NIC first to cleanup dynamic state and stop ongoing periodic tasks (e.g. IPv6 router solicitations, DAD) so that a removed NIC does not attempt to send packets. Tests: - stack_test.TestRemoveUnknownNIC - stack_test.TestRemoveNIC - stack_test.TestDADStop - stack_test.TestCleanupNDPState - stack_test.TestRouteWithDownNIC - stack_test.TestStopStartSolicitingRouters PiperOrigin-RevId: 300805857
2020-03-13Avoid unnecessary work in transportDemuxer.deliverPacket().Jamie Liu
- Don't allocate []*endpointsByNic in transportDemuxer.deliverPacket() unless actually needed for UDP broadcast/multicast. - Don't allocate []*endpointsByNic via transportDemuxer.findEndpointLocked() => transportDemuxer.findAllEndpointsLocked(). - Skip unnecessary map lookups in transportDemuxer.findEndpointLocked() => transportDemuxer.findAllEndpointsLocked() (now iterEndpointsLocked). For most deliverable packets other than UDP broadcast/multicast packets, this saves two slice allocations and three map lookups per packet. PiperOrigin-RevId: 300804135
2020-03-13Fix lock recursion in kernel.ProcessGroup.SendSignal().Jamie Liu
PiperOrigin-RevId: 300803515
2020-03-13Skip process if it has exitedFabricio Voznika
PiperOrigin-RevId: 300802159
2020-03-13Run "startup" benchmark in Kokoro benchmark job.Zach Koopmans
PiperOrigin-RevId: 300798423
2020-03-13Implement access/faccessat for VFS2.Dean Deng
Note that the raw faccessat system call does not actually take a flags argument; according to faccessat(2), the glibc wrapper implements the flags by using fstatat(2). Remove the flag argument that we try to extract from vfs1, which would just be a garbage value. Updates #1965 Fixes #2101 PiperOrigin-RevId: 300796067
2020-03-13Fix "application exiting with {Code:0 Signo:27}" during boot.Ting-Yu Wang
2aa9514a06a5e34894e606d508ac2df53b082c74 skips SIGURG, but later code expects the sigchans array contains consecutive signal numbers. PiperOrigin-RevId: 300793450
2020-03-13Honour the link's MaxHeaderLength when forwardingGhanan Gowripalan
LinkEndpoints may expect/assume that the a tcpip.PacketBuffer's Header has enough capacity for its own headers, as per documentation for LinkEndpoint.MaxHeaderLength. Test: stack_test.TestNICForwarding PiperOrigin-RevId: 300784192
2020-03-13Add support for mount flagsFabricio Voznika
Plumbs MS_NOEXEC and MS_RDONLY. Others are TODO. Updates #1623 #1193 PiperOrigin-RevId: 300764669
2020-03-12Clarify comments about IHL in ipv4.go.Eyal Soha
PiperOrigin-RevId: 300668506
2020-03-12Remove flaky network namespace test that uses clone().Ting-Yu Wang
PiperOrigin-RevId: 300626011
2020-03-12Mark gonet_test as flaky.Zach Koopmans
Mark /pkg/tcpip/adapters/gonet/gonet_test as flaky. PiperOrigin-RevId: 300609529
2020-03-12Kill sandbox process when parent process terminatesFabricio Voznika
When the sandbox runs in attached more, e.g. runsc do, runsc run, the sandbox lifetime is controlled by the parent process. This wasn't working in all cases because PR_GET_PDEATHSIG doesn't propagate through execve when the process changes uid/gid. So it was getting dropped when the sandbox execve's to change to user nobody. PiperOrigin-RevId: 300601247
2020-03-11Use a heap in transport demuxerTamir Duberstein
...instead of sorting at various times. Plug a memory leak by setting removed elements to nil. PiperOrigin-RevId: 300471087
2020-03-11Implement heap.Interface on pointer receiverTamir Duberstein
PiperOrigin-RevId: 300467253
2020-03-11Fix race condition (*tcp.endpoint).CloseTamir Duberstein
Atomically close the endpoint. Before this change, it was possible for multiple callers to perform duplicate work. PiperOrigin-RevId: 300462110
2020-03-11Clean-up buffer implementation.Adin Scannell
This also adds substantial test cases. The Read/Write interfaces are dropped as they are not necessary. PiperOrigin-RevId: 300461547
2020-03-11Merge pull request #2108 from kevinGC:prepare-ipt-testsgVisor bot
PiperOrigin-RevId: 300449422
2020-03-11Fix memory leak in danglingEndpoints.Bhasker Hariharan
Endpoints which were being terminated in an ERROR state or were moved to CLOSED by the worker goroutine do not run cleanupLocked() as that should already be run by the worker termination. But when making that change we made the mistake of not removing the endpoint from the danglingEndpoints which is normally done in cleanupLocked(). As a result these endpoints are leaked since a reference is held to them in the danglingEndpoints array forever till Stack is torn down. PiperOrigin-RevId: 300438426
2020-03-11iptables: ready tests to be enabled in kokoroKevin Krakauer
Fixed flakes (tested via --runs_per_test=100) and added skips for not-yet-implemented features. Once submitted, the iptables tests will be ready to enable in kokoro.
2020-03-11Internal changeZach Koopmans
PiperOrigin-RevId: 300410856
2020-03-11Upgrade KytheMichael Pratt
PiperOrigin-RevId: 300409401
2020-03-11Import "unsafe" in bluepill_arm64_unsafe.goAndrei Vagin
This fixes a compile time error: pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go:45:35: undefined: unsafe PiperOrigin-RevId: 300375687
2020-03-11runsc: Set asyncpreemptoff for the kvm platformAndrei Vagin
The asynchronous goroutine preemption is a new feature of Go 1.14. When we switched to go 1.14 (cl/297915917) in the bazel config, the kokoro syscall-kvm job started permanently failing. Lets temporary set asyncpreemptoff for the kvm platform to unblock tests. PiperOrigin-RevId: 300372387
2020-03-11Merge pull request #1975 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 300362789
2020-03-11runsc: don't redirect SIGURG which is used by Go's runtime schedulerAndrei Vagin
Go 1.14+ sends SIGURG to Ms to attempt asynchronous preemption of a G. Since it can't guarantee that a SIGURG is only related to preemption, it continues to forward them to signal.Notify (see runtime.sighandler). When runsc is running a container, there are three processes: a parent process and two children (sandbox and gopher). A parent process sets a signal handler for all signals and redirect them to the container init process. This logic should ignore SIGURG signals. We already ignore them in the Sentry, but it will be better to not notify about them when this is possible. PiperOrigin-RevId: 300345286
2020-03-11Automated rollback of changelist 300217972gVisor bot
PiperOrigin-RevId: 300308974
2020-03-11Merge pull request #1832 from xiaobo55x:tls_ptracegVisor bot
PiperOrigin-RevId: 300270894
2020-03-10Honour the link's MaxHeaderLength when forwardingGhanan Gowripalan
This change also updates where the IP packet buffer is held in an outbound tcpip.PacketBuffer from Header to Data. This change removes unncessary copying of the IP packet buffer when forwarding. Test: stack_test.TestNICForwarding PiperOrigin-RevId: 300217972
2020-03-10The packet forwarding should resolve the link address if necessary.gVisor bot
Fixes #1510 Test: - stack_test.TestForwardingWithStaticResolver - stack_test.TestForwardingWithFakeResolver - stack_test.TestForwardingWithNoResolver - stack_test.TestForwardingWithFakeResolverPartialTimeout - stack_test.TestForwardingWithFakeResolverTwoPackets - stack_test.TestForwardingWithFakeResolverManyPackets - stack_test.TestForwardingWithFakeResolverManyResolutions PiperOrigin-RevId: 300182570
2020-03-10Make checkpoint/restore e2e test less flakyIan Lewis
PiperOrigin-RevId: 300171916