Age | Commit message (Collapse) | Author |
|
It was looking at VFS1 table to determine where to
allocate the next FD from.
Updates #1035
PiperOrigin-RevId: 301678858
|
|
PiperOrigin-RevId: 301650898
|
|
PiperOrigin-RevId: 301614096
|
|
PiperOrigin-RevId: 301578043
|
|
rand.Read() results in a syscall to the host on every call instead
we can wrap it with a bufio.Reader to buffer and reduce number of syscalls.
This is especially important for TCP where every newly created endpoint
reads random data to initialize the timestamp offsets for the endpoint.
Updates #231
PiperOrigin-RevId: 301501607
|
|
PiperOrigin-RevId: 301476456
|
|
PiperOrigin-RevId: 301402181
|
|
PiperOrigin-RevId: 301382690
|
|
FDTable.setAll is used to zap entries, but it grows the table up to
a specified fd.
Reported-by: syzbot+9e281b0750d2d4caa190@syzkaller.appspotmail.com
PiperOrigin-RevId: 301280000
|
|
Updates #1035
PiperOrigin-RevId: 301255357
|
|
Only gofer filesystem was calling vfs.CheckSetStat for
vfs.FilesystemImpl.SetStatAt and vfs.FileDescriptionImpl.SetStat.
Updates #1193, #1672, #1197
PiperOrigin-RevId: 301226522
|
|
PiperOrigin-RevId: 301208471
|
|
PiperOrigin-RevId: 301197007
|
|
PiperOrigin-RevId: 301157950
|
|
Updates #1195, #1193
PiperOrigin-RevId: 300950993
|
|
- When setting up the virtual filesystem, mount a host.filesystem to contain
all files that need to be imported.
- Make read/preadv syscalls to the host in cases where preadv2 may not be
supported yet (likewise for writing).
- Make save/restore functions in kernel/kernel.go return early if vfs2 is
enabled.
PiperOrigin-RevId: 300922353
|
|
Closes #1195
PiperOrigin-RevId: 300867055
|
|
This will give more information about the file to
identify where possibly the extra DecRef()
would be.
PiperOrigin-RevId: 300855874
|
|
PiperOrigin-RevId: 300845134
|
|
PiperOrigin-RevId: 300836270
|
|
PiperOrigin-RevId: 300832988
|
|
Previously, SLAAC related state was stored on a per-address basis. This was
sufficient for the simple case of a single SLAAC address per prefix, but
future CLs will introduce temporary addresses which will result in multiple
SLAAC addresses for a prefix. This refactor allows storing multiple addresses
for a prefix in a single SLAAC prefix state.
No behaviour changes - existing tests continue to pass.
PiperOrigin-RevId: 300832812
|
|
- Make oomScoreAdj a ThreadGroup field (Linux: signal_struct::oom_score_adj).
- Avoid deadlock caused by Task.OOMScoreAdj()/SetOOMScoreAdj() locking Task.mu
and TaskSet.mu in the wrong order (via Task.ExitState()).
PiperOrigin-RevId: 300814698
|
|
When a NIC is removed, attempt to disable the NIC first to cleanup
dynamic state and stop ongoing periodic tasks (e.g. IPv6 router
solicitations, DAD) so that a removed NIC does not attempt to send
packets.
Tests:
- stack_test.TestRemoveUnknownNIC
- stack_test.TestRemoveNIC
- stack_test.TestDADStop
- stack_test.TestCleanupNDPState
- stack_test.TestRouteWithDownNIC
- stack_test.TestStopStartSolicitingRouters
PiperOrigin-RevId: 300805857
|
|
- Don't allocate []*endpointsByNic in transportDemuxer.deliverPacket() unless
actually needed for UDP broadcast/multicast.
- Don't allocate []*endpointsByNic via transportDemuxer.findEndpointLocked()
=> transportDemuxer.findAllEndpointsLocked().
- Skip unnecessary map lookups in transportDemuxer.findEndpointLocked() =>
transportDemuxer.findAllEndpointsLocked() (now iterEndpointsLocked).
For most deliverable packets other than UDP broadcast/multicast packets, this
saves two slice allocations and three map lookups per packet.
PiperOrigin-RevId: 300804135
|
|
PiperOrigin-RevId: 300803515
|
|
PiperOrigin-RevId: 300802159
|
|
PiperOrigin-RevId: 300798423
|
|
Note that the raw faccessat system call does not actually take a flags argument;
according to faccessat(2), the glibc wrapper implements the flags by using
fstatat(2). Remove the flag argument that we try to extract from vfs1, which
would just be a garbage value.
Updates #1965
Fixes #2101
PiperOrigin-RevId: 300796067
|
|
2aa9514a06a5e34894e606d508ac2df53b082c74 skips SIGURG, but later code expects
the sigchans array contains consecutive signal numbers.
PiperOrigin-RevId: 300793450
|
|
LinkEndpoints may expect/assume that the a tcpip.PacketBuffer's Header
has enough capacity for its own headers, as per documentation for
LinkEndpoint.MaxHeaderLength.
Test: stack_test.TestNICForwarding
PiperOrigin-RevId: 300784192
|
|
Plumbs MS_NOEXEC and MS_RDONLY. Others are TODO.
Updates #1623 #1193
PiperOrigin-RevId: 300764669
|
|
PiperOrigin-RevId: 300668506
|
|
PiperOrigin-RevId: 300626011
|
|
Mark /pkg/tcpip/adapters/gonet/gonet_test as flaky.
PiperOrigin-RevId: 300609529
|
|
When the sandbox runs in attached more, e.g. runsc do, runsc run, the
sandbox lifetime is controlled by the parent process. This wasn't working
in all cases because PR_GET_PDEATHSIG doesn't propagate through execve
when the process changes uid/gid. So it was getting dropped when the
sandbox execve's to change to user nobody.
PiperOrigin-RevId: 300601247
|
|
...instead of sorting at various times. Plug a memory leak by setting
removed elements to nil.
PiperOrigin-RevId: 300471087
|
|
PiperOrigin-RevId: 300467253
|
|
Atomically close the endpoint. Before this change, it was possible for
multiple callers to perform duplicate work.
PiperOrigin-RevId: 300462110
|
|
This also adds substantial test cases.
The Read/Write interfaces are dropped as they are not necessary.
PiperOrigin-RevId: 300461547
|
|
PiperOrigin-RevId: 300449422
|
|
Endpoints which were being terminated in an ERROR state or were moved to CLOSED
by the worker goroutine do not run cleanupLocked() as that should already be run
by the worker termination. But when making that change we made the mistake of
not removing the endpoint from the danglingEndpoints which is normally done in
cleanupLocked().
As a result these endpoints are leaked since a reference is held to them in the
danglingEndpoints array forever till Stack is torn down.
PiperOrigin-RevId: 300438426
|
|
Fixed flakes (tested via --runs_per_test=100) and added skips for
not-yet-implemented features. Once submitted, the iptables tests will be
ready to enable in kokoro.
|
|
PiperOrigin-RevId: 300410856
|
|
PiperOrigin-RevId: 300409401
|
|
This fixes a compile time error:
pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go:45:35: undefined: unsafe
PiperOrigin-RevId: 300375687
|
|
The asynchronous goroutine preemption is a new feature of Go 1.14.
When we switched to go 1.14 (cl/297915917) in the bazel config,
the kokoro syscall-kvm job started permanently failing. Lets
temporary set asyncpreemptoff for the kvm platform to unblock tests.
PiperOrigin-RevId: 300372387
|
|
PiperOrigin-RevId: 300362789
|
|
Go 1.14+ sends SIGURG to Ms to attempt asynchronous preemption of a G. Since it
can't guarantee that a SIGURG is only related to preemption, it continues to
forward them to signal.Notify (see runtime.sighandler).
When runsc is running a container, there are three processes: a parent process
and two children (sandbox and gopher). A parent process sets a signal handler
for all signals and redirect them to the container init process. This logic
should ignore SIGURG signals. We already ignore them in the Sentry, but it will
be better to not notify about them when this is possible.
PiperOrigin-RevId: 300345286
|
|
PiperOrigin-RevId: 300308974
|