Age | Commit message | Author
2020-07-23 | Add permission checks to vfs2 truncate. | Dean Deng
- Check write permission on truncate(2). Unlike ftruncate(2), truncate(2) fails if the user does not have write permissions on the file.
- For gofers under InteropModeShared, check file type before making a truncate request. We should fail early and avoid making an rpc when possible. Furthermore, depending on the remote host's failure may give us unexpected behavior--if the host converts the truncate request to an ftruncate syscall on an open fd, we will get EINVAL instead of EISDIR.
Updates #2923. PiperOrigin-RevId: 322913569
2020-07-23 | FileDescription is hard to spell. | Dean Deng
Fix typos. PiperOrigin-RevId: 322913282
2020-07-23 | Add AfterFunc to tcpip.Clock | Sam Balana
Changes the API of tcpip.Clock to also provide a method for scheduling and rescheduling work after a specified duration. This change also implements the AfterFunc method for existing implementations of tcpip.Clock. This is the groundwork required to mock time within tests. All references to CancellableTimer have been replaced with the tcpip.Job interface, allowing for custom implementations of scheduling work. This is a BREAKING CHANGE for clients that implement their own tcpip.Clock or use tcpip.CancellableTimer. Migration plan:
1. Add AfterFunc(d, f) to tcpip.Clock
2. Replace references of tcpip.CancellableTimer with tcpip.Job
3. Replace calls to tcpip.CancellableTimer#StopLocked with tcpip.Job#Cancel
4. Replace calls to tcpip.CancellableTimer#Reset with tcpip.Job#Schedule
5. Replace calls to tcpip.NewCancellableTimer with tcpip.NewJob.
PiperOrigin-RevId: 322906897
2020-07-23 | Implement get/set_robust_list. | Nicolas Lacasse
PiperOrigin-RevId: 322904430
2020-07-23 | Merge pull request #3024 from ridwanmsharif:ridwanmsharif/fuse-stub-impl | gVisor bot
PiperOrigin-RevId: 322890087
2020-07-23 | Add task work mechanism. | Dean Deng
Like task_work in Linux, this allows us to register callbacks to be executed before returning to userspace. This is needed for kcov support, which requires coverage information to be up-to-date whenever we are in user mode. We will provide coverage data through the kcov interface to enable coverage-directed fuzzing in syzkaller. One difference from Linux is that task work cannot queue work before the transition to userspace that it precedes; queued work will be picked up before the next transition. PiperOrigin-RevId: 322889984
2020-07-23 | Automated rollback of changelist 321227330 | Kevin Krakauer
PiperOrigin-RevId: 322888057
2020-07-23 | kvm-tls-2:add the preservation of user-TLS in the Arm64 kvm platform | lubinszARM
This patch loads/saves TLS for the container application. Related issue: full context-switch supporting for Arm64 #1238 COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/2761 from lubinszARM:pr_tls_2 cb5dbca1c9c3f378002406da7a58887f9b5032b3 PiperOrigin-RevId: 322887044
2020-07-23 | iptables: use keyed array literals | Kevin Krakauer
PiperOrigin-RevId: 322882426
2020-07-23 | Use mode supplied by the mount options | Ridwan Sharif
2020-07-23 | Added stub FUSE filesystem | Ridwan Sharif
Allow FUSE filesystems to be mounted using libfuse. The appropriate flags and mount options are parsed and understood by fusefs.
2020-07-23 | Internal change. | gVisor bot
PiperOrigin-RevId: 322859907
2020-07-23 | Merge pull request #3207 from kevinGC:icmp-connect | gVisor bot
PiperOrigin-RevId: 322853192
2020-07-23 | Fix wildcard bind for raw socket. | Bhasker Hariharan
Fixes #3334 PiperOrigin-RevId: 322846384
2020-07-23 | Marshallable socket options. | Ayush Ranjan
Socket option values are now required to implement marshal.Marshallable. Co-authored-by: Rahat Mahmood <rahat@google.com> PiperOrigin-RevId: 322831612
2020-07-23 | Fix fsgofer Open() when control file is using O_PATH | Fabricio Voznika
Open tries to reuse the control file to save syscalls and file descriptors when opening a file. However, when the control file was opened using O_PATH (e.g. no file permission to open readonly), Open() would not check for it. PiperOrigin-RevId: 322821729
2020-07-23 | Port sendfile to vfs2. | Nicolas Lacasse
And do some refactoring of the wait logic in sendfile/splice/tee. Updates #1035 #2923 PiperOrigin-RevId: 322815521
2020-07-23 | [vfs2][gofer] Fix update attributes race condition. | Ayush Ranjan
We were getting the file attributes before locking the metadataMu which was causing stale updates to the file attributes. Fixes OpenTest_AppendConcurrentWrite. Updates #2923 PiperOrigin-RevId: 322804438
2020-07-23 | Merge pull request #2895 from kevinGC:outbound-conntrack | gVisor bot
PiperOrigin-RevId: 322803359
2020-07-23 | Internal change | Michael Pratt
PiperOrigin-RevId: 322788791
2020-07-23 | Fix kokoro presubmits! | Ayush Ranjan
Fixed the following error: tools/bazel.mk:119: *** Destination not provided.. Stop. The issue was that we were running all make commands in a subshell so variables like $T were not passed on. The other issue was related to credentials. The test passed locally but not on kokoro, the only difference in the workflow was the credentials bit. Also fixed up some other tiny issues I came across; they were not blockers. PiperOrigin-RevId: 322782457
2020-07-22 | make connect(2) fail when dest is unreachable | Kevin Krakauer
Previously, ICMP destination unreachable datagrams were ignored by TCP endpoints. This caused connect to hang when an intermediate router couldn't find a route to the host. This manifested as a Kokoro error when Docker IPv6 was enabled. The Ruby image test would try to install the sinatra gem and hang indefinitely attempting to use an IPv6 address. Fixes #3079.
2020-07-22 | iptables: don't NAT existing connections | Kevin Krakauer
Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a connection could not be established.
We handle this (as Linux does) by tracking all connections, inserting a no-op conntrack rule for new connections with no rules of their own. Needed for istio support (#170).
2020-07-22 | iptables: replace maps with arrays | Kevin Krakauer
For iptables users, Check() is a hot path called for every packet one or more times. Let's avoid a bunch of map lookups. PiperOrigin-RevId: 322678699
2020-07-22 | [vfs2][tmpfs] Implement O_APPEND | Ayush Ranjan
Updates #2923 PiperOrigin-RevId: 322671489
2020-07-22 | Add O_APPEND support in vfs2 gofer. | Ayush Ranjan
Helps in fixing open syscall tests: AppendConcurrentWrite and AppendOnly. We also now update the file size for seekable special files (regular files) which we were not doing earlier. Updates #2923 PiperOrigin-RevId: 322670843
2020-07-22 | Support for receiving outbound packets in AF_PACKET. | Bhasker Hariharan
Updates #173 PiperOrigin-RevId: 322665518
2020-07-22 | Skip RawHDRINCL tests that are blocking presubmits/releases. | Dean Deng
Temporarily skip these, on bhaskherh@'s advice. PiperOrigin-RevId: 322664955
2020-07-20 | Add standard entrypoints for test targets. | Adin Scannell
PiperOrigin-RevId: 322265513
2020-07-17 | Clean up html on the website. | Ian Lewis
- Fixes some html validation issues.
- Fixes links on security basics blog post.
- Adds rel=noopener to links with target=_blank and adds a check to htmlproofer.
- Add favicon check to htmlproofer.
Fixes #3286 Fixes #3284 PiperOrigin-RevId: 321892602
2020-07-17 | Update README on cross-building images. | Ting-Yu Wang
PiperOrigin-RevId: 321887956
2020-07-17 | Runtime tests are enormous | Ayush Ranjan
PiperOrigin-RevId: 321885126
2020-07-17 | Move main methods for benchmark packages main package file. | Zach Koopmans
PiperOrigin-RevId: 321875119
2020-07-17 | Runtime tests: Download language runtime image | Ayush Ranjan
PiperOrigin-RevId: 321839398
2020-07-17 | DUT logs in test failure messages in packetimpact | Jay Zhuang
DUT logs will include logs from the posix server and gVisor, which provides a way to instrument the DUT during test failures. PiperOrigin-RevId: 321816647
2020-07-17 | Automated rollback of changelist 321647645 | Ayush Ranjan
PiperOrigin-RevId: 321808673
2020-07-17 | Test UDP packets with mcast source addr are discarded | Jay Zhuang
PiperOrigin-RevId: 321790802
2020-07-16 | Add support to return protocol in recvmsg for AF_PACKET. | Bhasker Hariharan
Updates #173 PiperOrigin-RevId: 321690756
2020-07-16 | Port runtime tests to use go_test | Ayush Ranjan
PiperOrigin-RevId: 321647645
2020-07-16 | Add ethernet broadcast address constant | Ghanan Gowripalan
PiperOrigin-RevId: 321620517
2020-07-15 | Merge pull request #3236 from craig08:fuse-kernfs-inode-stat-add-ctx | gVisor bot
PiperOrigin-RevId: 321496734
2020-07-15 | Port httpd benchmark | Zach Koopmans
PiperOrigin-RevId: 321478001
2020-07-15 | iptables: remove check for NetworkHeader | Kevin Krakauer
This is no longer necessary, as we always set NetworkHeader before calling iptables.Check. PiperOrigin-RevId: 321461978
2020-07-15 | Merge pull request #3022 from prattmic:runsc_do_pdeathsig | gVisor bot
PiperOrigin-RevId: 321449877
2020-07-15 | fdbased: Vectorized write for packet; relax writev syscall filter. | Ting-Yu Wang
Now it calls pkt.Data.ToView() when writing the packet. This may require copying when the packet is large, which puts the worse case in an even worse situation. This is sent out in a separate preparation change as it requires syscall filter changes. This change will be followed by the change for the adoption of the new PacketHeader API. PiperOrigin-RevId: 321447003
2020-07-15 | Add support for SO_ERROR to packet sockets. | Bhasker Hariharan
Packet sockets also seem to allow double binding and do not return an error on linux. This was tested by running the syscall test in a linux namespace as root and the current test DoubleBind fails@HEAD. Passes after this change. Updates #173 PiperOrigin-RevId: 321445137
2020-07-15 | Fix minor bugs in a couple of interface IOCTLs. | Bhasker Hariharan
gVisor incorrectly returns the wrong ARP type for SIOCGIFHWADDR. This breaks tcpdump as it tries to interpret the packets incorrectly. Similarly, SIOCETHTOOL is used by tcpdump to query interface properties which fails with an EINVAL since we don't implement it. For now change it to return EOPNOTSUPP to indicate that we don't support the query rather than return EINVAL. NOTE: ARPHRD types for link endpoints are distinct from NIC capabilities and NIC flags. In Linux all 3 exist, e.g. ARPHRD types are stored in dev->type field while NIC capabilities are more like the device features which can be queried using SIOCETHTOOL but not modified and NIC Flags are fields that can be modified from user space, e.g. NIC status (UP/DOWN/MULTICAST/BROADCAST) etc. Updates #2746 PiperOrigin-RevId: 321436525
2020-07-15 | Fix errors not getting caught when building vm image. | Ting-Yu Wang
`set -e` does not catch errors in bash command substitutions like `echo $(bad cmd)` so bazel thinks it succeeded and cached the result. PiperOrigin-RevId: 321412327
2020-07-15 | Apply pdeathsig to gofer for runsc run/do | Michael Pratt
Much like the boot process, apply pdeathsig to the gofer for cases where the sandbox lifecycle is attached to the parent (runsc run/do). This isn't strictly necessary, as the gofer normally exits once the sentry disappears, but this makes that extra reliable.
2020-07-15 | Merge pull request #3165 from ridwanmsharif:ridwanmsharif/fuse-off-by-default | gVisor bot
PiperOrigin-RevId: 321411758