summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-02-24Merge release-20210208.0-85-gacd516cfe (automated)gVisor bot
2021-02-24Add YAMA security module restrictions on ptrace(2).Dean Deng
Restrict ptrace(2) according to the default configurations of the YAMA security module (mode 1), which is a common default among various Linux distributions. The new access checks only permit the tracer to proceed if one of the following conditions is met: a) The tracer is already attached to the tracee. b) The target is a descendant of the tracer. c) The target has explicitly given permission to the tracer through the PR_SET_PTRACER prctl. d) The tracer has CAP_SYS_PTRACE. See security/yama/yama_lsm.c for more details. Note that these checks are added to CanTrace, which is checked for PTRACE_ATTACH as well as some other operations, e.g., checking a process' memory layout through /proc/[pid]/mem. Since this patch adds restrictions to ptrace, it may break compatibility for applications run by non-root users that, for instance, rely on being able to trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER prctl. Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com PiperOrigin-RevId: 359237723
2021-02-24Merge release-20210208.0-84-g6e000d342 (automated)gVisor bot
2021-02-24Use async task context for async IO.Dean Deng
PiperOrigin-RevId: 359235699
2021-02-23Merge release-20210208.0-83-g24ea8003a (automated)gVisor bot
2021-02-22Only detect mds for mitigate.Zach Koopmans
Only detect and mitigate on mds for the mitigate command. PiperOrigin-RevId: 358924466
2021-02-23Merge release-20210208.0-82-g34e2cda9a (automated)gVisor bot
2021-02-22Return nicer error message when cgroups v1 isn't availableFabricio Voznika
Updates #3481 Closes #5430 PiperOrigin-RevId: 358923208
2021-02-22Merge release-20210208.0-81-gfed1cc6d8 (automated)gVisor bot
2021-02-22Internal change.gVisor bot
PiperOrigin-RevId: 358890980
2021-02-22Merge release-20210208.0-80-gc5a4e1000 (automated)gVisor bot
2021-02-22unix: sendmmsg and recvmsg have to cap a number of message to UIO_MAXIOVAndrei Vagin
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com PiperOrigin-RevId: 358866218
2021-02-22Merge release-20210208.0-79-g19fe3a2bf (automated)gVisor bot
2021-02-22Fix `runsc kill --pid`Fabricio Voznika
Previously, loader.signalProcess was inconsitently using both root and container's PID namespace to find the process. It used root namespace for the exec'd process and container's PID namespace for other processes. This fixes the code to use the root PID namespace across the board, which is the same PID reported in `runsc ps` (or soon will after https://github.com/google/gvisor/pull/5519). PiperOrigin-RevId: 358836297
2021-02-20Merge release-20210208.0-78-g93fc09248 (automated)gVisor bot
2021-02-19Don't hold baseEndpoint.mu while calling EventUpdate().Nicolas Lacasse
This removes a three-lock deadlock between fdnotifier.notifier.mu, epoll.EventPoll.listsMu, and baseEndpoint.mu. A lock order comment was added to epoll/epoll.go. Also fix unsafe access of baseEndpoint.connected/receiver. PiperOrigin-RevId: 358515191
2021-02-20Merge release-20210208.0-77-g7544eeb24 (automated)gVisor bot
2021-02-19Correctly set and respect b.N in fio benchmark.Zach Koopmans
fio should scale by written/read bytes and not iterate runs of the fio container. PiperOrigin-RevId: 358511771
2021-02-19Merge release-20210208.0-76-g5e22ab93e (automated)gVisor bot
2021-02-19control.Proc.Exec should default to root pid namespace if none provided.Nicolas Lacasse
PiperOrigin-RevId: 358445320
2021-02-19Merge release-20210208.0-75-g599579d0e (automated)gVisor bot
2021-02-19Add a few more project ideas to the gsoc 2021 listRahat Mahmood
PiperOrigin-RevId: 358354414
2021-02-19Merge release-20210208.0-74-gec7f44f36 (automated)gVisor bot
2021-02-18Make socketops reflect correct sndbuf value for host UDS.Bhasker Hariharan
Also skips a test if the setsockopt to increase send buffer did not result in an increase. This is possible when the underlying socket is a host backed unix domain socket as in such cases gVisor does not permit increasing SO_SNDBUF. PiperOrigin-RevId: 358285158
2021-02-18Merge release-20210208.0-73-gf80a857a4 (automated)gVisor bot
2021-02-18Bump build constraints to Go 1.18Michael Pratt
These are bumped to allow early testing of Go 1.17. Use will be audited closer to the 1.17 release. PiperOrigin-RevId: 358278615
2021-02-18Merge release-20210208.0-72-gec20f4f38 (automated)gVisor bot
2021-02-18Make b.N increase by KB not bytes on iperf.Zach Koopmans
Currently, iperf runs a client that scales by bytes sent. In practice, this causes b.N to scale slowly and have several short lived containers. Instead, scale by KB to more quickly reach required time. PiperOrigin-RevId: 358244926
2021-02-18Merge release-20210208.0-71-g2a2cb29e1 (automated)gVisor bot
2021-02-18Validate IGMP packetsArthur Sfez
This change also adds support for Router Alert option processing on incoming packets, a new stat for Router Alert option, and exports all the IP-option related stats. Fixes #5491 PiperOrigin-RevId: 358238123
2021-02-18Merge release-20210208.0-70-g26eada5de (automated)gVisor bot
2021-02-18Use standard want/got syntax in test errorsTamir Duberstein
Remove unused argument while I'm here and avoid returning syscall.Errno(0) which should rather be a nil error. PiperOrigin-RevId: 358227396
2021-02-18Merge release-20210208.0-69-gbb5db8044 (automated)gVisor bot
2021-02-18Remove deprecated NUD types Failed and FailedEntryLookupsSam Balana
Completes the soft migration to Unreachable state by removing the Failed state and the the FailedEntryLookups StatCounter. Fixes #4667 PiperOrigin-RevId: 358226380
2021-02-18Merge release-20210208.0-68-g582f7bf6c (automated)gVisor bot
2021-02-18Remove side effect from pty testsFabricio Voznika
Individual test cases must not rely on being executed in a clean environment. PiperOrigin-RevId: 358207468
2021-02-18Merge release-20210208.0-67-gf4d694693 (automated)gVisor bot
2021-02-17Deflake tcp_network_unreachable testZeling Feng
Previously, we make two connect attempts. If the first attempt is still on going when the second attempt is made, the test will fail. This change deflakes the situation by not making the second attempt, instead, we poll for the first attempt's completion and read the errno from SO_ERROR. PiperOrigin-RevId: 358104769
2021-02-18Merge release-20210208.0-66-gdea894238 (automated)gVisor bot
2021-02-17[infra] Update JDK11 version for java runtime tests.Ayush Ranjan
PiperOrigin-RevId: 358085809
2021-02-18Merge release-20210208.0-65-g1fc2c5f75 (automated)gVisor bot
2021-02-17Move Name() out of netstack Matcher. It can live in the sentry.Kevin Krakauer
PiperOrigin-RevId: 358078157
2021-02-18Merge release-20210208.0-64-gf051ec646 (automated)gVisor bot
2021-02-17Add gohacks.Slice/StringHeader.Jamie Liu
See https://github.com/golang/go/issues/19367 for rationale. Note that the upstream decision arrived at in that thread, while useful for some of our use cases, doesn't account for all of our SliceHeader use cases (we often use SliceHeader to extract pointers from slices in a way that avoids bounds checking and/or handles nil slices correctly) and also doesn't exist yet. PiperOrigin-RevId: 358071574
2021-02-17Merge release-20210208.0-63-g4bc7daf91 (automated)gVisor bot
2021-02-17Check for directory emptiness in VFS1 overlay rmdir().Jamie Liu
Note that this CL reorders overlayEntry.copyMu before overlayEntry.dirCacheMu in the overlayFileOperations.IterateDir() => readdirEntries() path - but this lock ordering is already required by overlayRemove/Bind() => overlayEntry.markDirectoryDirty(), so this actually just fixes an inconsistency. PiperOrigin-RevId: 358047121
2021-02-17Merge release-20210208.0-62-g3145fe1d1 (automated)gVisor bot
2021-02-17Use TCP_INFO to get RTO in tcp_retransmits_testNayana Bidari
- TCP_INFO is used to get the RTO instead of calculating it manually. PiperOrigin-RevId: 358032487
2021-02-17Merge release-20210208.0-61-g0e0bc3587 (automated)gVisor bot
2021-02-17Clean up test styleTamir Duberstein
- Wrap comments at 80 columns - Avoid duplicating the number of retries (5) - Reduce indentation - Use (*testing.T).Fatal rather than (*testing.T).Fatalf PiperOrigin-RevId: 358017412