summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-09-16Merge release-20200907.0-59-g326a1dbb7 (automated)gVisor bot
2020-09-16Refactor removed default test dimensionFabricio Voznika
ptrace was always selected as a dimension before, but not anymore. Some tests were specifying "overlay" expecting that to be in addition to the default. PiperOrigin-RevId: 332004111
2020-09-16Merge release-20200907.0-58-g9ef1c7992 (automated)gVisor bot
2020-09-16Rename marshal.Task to marshal.CopyContext.Rahat Mahmood
CopyContext is a better name for the interface because from go-marshal's perspective, the interface has nothing to do with a task. A kernel.Task happens to implement the interface, but so can other things like MemoryManager and IO sequences. PiperOrigin-RevId: 331959678
2020-09-16Merge release-20200907.0-57-gd201feb8c (automated)gVisor bot
2020-09-15Enable automated marshalling for the syscall package.Rahat Mahmood
PiperOrigin-RevId: 331940975
2020-09-16Merge release-20200907.0-56-gdcd532e2e (automated)gVisor bot
2020-09-15Add support for OCI seccomp filters in the sandbox.Ian Lewis
OCI configuration includes support for specifying seccomp filters. In runc, these filter configurations are converted into seccomp BPF programs and loaded into the kernel via libseccomp. runsc needs to be a static binary so, for runsc, we cannot rely on a C library and need to implement the functionality in Go. The generator added here implements basic support for taking OCI seccomp configuration and converting it into a seccomp BPF program with the same behavior as a program generated by libseccomp. - New conditional operations were added to pkg/seccomp to support operations available in OCI. - AllowAny and AllowValue were renamed to MatchAny and EqualTo to better reflect that syscalls matching the conditionals result in the provided action not simply SCMP_RET_ALLOW. - BuildProgram in pkg/seccomp no longer panics if provided an empty list of rules. It now builds a program with the architecture sanity check only. - ProgramBuilder now allows adding labels that are unused. However, backwards jumps are still not permitted. Fixes #510 PiperOrigin-RevId: 331938697
2020-09-16Merge release-20200907.0-55-gc053c4bb0 (automated)gVisor bot
2020-09-15Fix GitHub issue template.Ian Lewis
runsc -v doesn't work. It should be runsc -version PiperOrigin-RevId: 331911035
2020-09-16Merge release-20200907.0-54-gcb2e3c946 (automated)gVisor bot
2020-09-15Implement gvisor verity fs ioctl with GETFLAGSChong Cai
PiperOrigin-RevId: 331905347
2020-09-15Merge release-20200907.0-53-g8b15effd9 (automated)gVisor bot
2020-09-15Improve syserror_test.Jamie Liu
- It's very difficult to prevent returnErrnoAsError and returnError from being optimized out. Instead, replace BenchmarkReturn* with BenchmarkAssign*, which store to globalError. - Compare to a non-nil globalError in BenchmarkCompare* and BenchmarkSwitch*. New results: BenchmarkAssignErrno BenchmarkAssignErrno-12 1000000000 0.615 ns/op BenchmarkAssignError BenchmarkAssignError-12 1000000000 0.626 ns/op BenchmarkCompareErrno BenchmarkCompareErrno-12 1000000000 0.522 ns/op BenchmarkCompareError BenchmarkCompareError-12 1000000000 3.54 ns/op BenchmarkSwitchErrno BenchmarkSwitchErrno-12 1000000000 1.45 ns/op BenchmarkSwitchError BenchmarkSwitchError-12 536315757 10.9 ns/op PiperOrigin-RevId: 331875387
2020-09-15Merge release-20200907.0-52-g456c6c33e (automated)gVisor bot
2020-09-15Invert dependency between the context and amutex packages.Jamie Liu
This is to allow the syserror package to depend on the context package in a future change. PiperOrigin-RevId: 331866252
2020-09-15Merge release-20200907.0-51-ga004f0d08 (automated)gVisor bot
2020-09-15Support setting STATX_SIZE for kernfs.InodeAttrs.Dean Deng
Make setting STATX_SIZE a no-op, if it is valid for the given permissions and file type. Also update proc tests, which were overfitted before. Fixes #3842. Updates #1193. PiperOrigin-RevId: 331861087
2020-09-15Merge release-20200907.0-50-g72a30b114 (automated)gVisor bot
2020-09-15Move reusable IPv4 test code into a testutil module and refactor itArthur Sfez
The refactor aims to simplify the package, by replacing the Go channel with a PacketBuffer slice. This code will be reused by tests for IPv6 fragmentation. PiperOrigin-RevId: 331860411
2020-09-15Merge release-20200907.0-49-g7f89a26e1 (automated)gVisor bot
2020-09-15Merge release-20200907.0-48-g0d790cbae (automated)gVisor bot
2020-09-15Merge release-20200907.0-47-g86b31a807 (automated)gVisor bot
2020-09-15Release FDTable lock before dropping the fds.Nayana Bidari
This is needed for SO_LINGER, where close() is blocked for linger timeout and we are holding the FDTable lock for the entire timeout which will not allow us to create/delete other fds. We have to release the locks and then drop the fds. PiperOrigin-RevId: 331844185
2020-09-15Read vfs2 epoll events atomically.Jamie Liu
Discovered by ayushranjan@: VFS2 was employing the following algorithm for fetching ready events from an epoll instance: - Create a statically sized EpollEvent slice on the stack of size 16. - Pass that to EpollInstance.ReadEvents() to populate. - EpollInstance.ReadEvents() requeues level-triggered events that it returns back into the ready queue. - Write the results to usermem. - If the number of results were = 16 then recall EpollInstance.ReadEvents() in the hopes of getting more. But this will cause duplication of the "requeued" ready level-triggered events. So if the ready queue has >= 16 ready events, the EpollWait for loop will spin until it fills the usermem with `maxEvents` events. Fixes #3521 PiperOrigin-RevId: 331840527
2020-09-15RFC: design for a 9P replacementJamie Liu
Tentatively `lisafs` (LInux SAndbox FileSystem). PiperOrigin-RevId: 331839246
2020-09-15Merge release-20200907.0-46-g84d48c0fd (automated)gVisor bot
2020-09-15Merge pull request #3895 from btw616:fix/issue-3894gVisor bot
PiperOrigin-RevId: 331824411
2020-09-15Merge release-20200907.0-44-gd3880b76c (automated)gVisor bot
2020-09-15Don't conclude broadcast from route destinationGhanan Gowripalan
The routing table (in its current) form should not be used to make decisions about whether a remote address is a broadcast address or not (for IPv4). Note, a destination subnet does not always map to a network. E.g. RouterA may have a route to 192.168.0.0/22 through RouterB, but RouterB may be configured with 4x /24 subnets on 4 different interfaces. See https://github.com/google/gvisor/issues/3938. PiperOrigin-RevId: 331819868
2020-09-15Fix proc.(*fdDir).IterDirents for VFS2Tiwei Bie
Currently the returned offset is an index, and we can't use it to find the next fd to serialize, because getdents should iterate correctly despite mutation of fds. Instead, we can return the next fd to serialize plus 2 (which accounts for "." and "..") as the offset. Fixes: #3894 Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
2020-09-14Merge release-20200907.0-43-g52ffeb2d6 (automated)gVisor bot
2020-09-14Add note about gofer link(2) limitationFabricio Voznika
PiperOrigin-RevId: 331648296
2020-09-14Merge release-20200907.0-42-g2747030ec (automated)gVisor bot
2020-09-14Store multicast memberships in a setTamir Duberstein
This is simpler and more performant. PiperOrigin-RevId: 331639978
2020-09-14Merge release-20200907.0-41-g05d2ebee5 (automated)gVisor bot
2020-09-14Test RST handling in TIME_WAIT.Mithun Iyer
gVisor stack ignores RSTs when in TIME_WAIT which is not the default Linux behavior. Add a packetimpact test to test the same. Also update code comments to reflect the rationale for the current gVisor behavior. PiperOrigin-RevId: 331629879
2020-09-14Merge release-20200907.0-40-g2969b1740 (automated)gVisor bot
2020-09-14Correct FDSize in /proc/[pid]/status.Jamie Liu
In Linux, FDSize is fs/proc/array.c:task_state() => struct fdtable::max_fds, which is set to the underlying array's length in fs/file.c:alloc_fdtable(). Follow-up changes: - Remove FDTable.GetRefs() and FDTable.GetRefsVFS2(), which are unused. - Reset FDTable.used to 0 during restore, since the subsequent calls to FDTable.setAll() increment it again, causing its value to be doubled. (After this CL, FDTable.used is only used to avoid reallocation in FDTable.GetFDs(), so this fix is not very visible.) PiperOrigin-RevId: 331588190
2020-09-14Merge release-20200907.0-39-g833ceb0f1 (automated)gVisor bot
2020-09-14Fix modprobe dependencyKevin Krakauer
The modprobe command only takes 1 module per invocation. The second module name is being passed as a module parameter. PiperOrigin-RevId: 331585765
2020-09-13Merge release-20200907.0-38-gb6ca96b9b (automated)gVisor bot
2020-09-12Cap reassembled IPv6 packets at 65535 octetsToshi Kikuchi
IPv4 can accept 65536-octet reassembled packets. Test: - ipv4_test.TestInvalidFragments - ipv4_test.TestReceiveFragments - ipv6.TestInvalidIPv6Fragments - ipv6.TestReceiveIPv6Fragments Fixes #3770 PiperOrigin-RevId: 331382977
2020-09-12Merge release-20200907.0-37-g3ca73841d (automated)gVisor bot
2020-09-11Move the 'marshal' and 'primitive' packages to the 'pkg' directory.Rahat Mahmood
PiperOrigin-RevId: 331256608
2020-09-11Merge release-20200810.0-237-g8d0f76dda (automated)gVisor bot
2020-09-11fuse_open: add padding to open out requestBoyuan He
2020-09-11Merge release-20200907.0-36-g1f4fb817c (automated)gVisor bot
2020-09-11Check that we have access to the trusted.* xattr namespace directly.Nicolas Lacasse
These operations require CAP_SYS_ADMIN in the root user namespace. There's no easy way to check that other than trying the operation and seeing what happens. PiperOrigin-RevId: 331242256
2020-09-11Merge release-20200810.0-236-gb8bee78d0 (automated)gVisor bot