summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-07-30checklinkname: rudimentary type-checking of linkname directivesMichael Pratt
This CL introduces a 'checklinkname' analyzer, which provides rudimentary type-checking that verifies that function signatures on the local and remote sides of //go:linkname directives match expected values. If the Go standard library changes the definitions of any of these function, checklinkname will flag the change as a finding, providing an error informing the gVisor team to adapt to the upstream changes. This allows us to eliminate the majority of gVisor's forward-looking negative build tags, as we can catch mismatches in testing [1]. The remaining forward-looking negative build tags are covering shared struct definitions, which I hope to add to checklinkname in a future CL. [1] Of course, semantics/requirements can change without the signature changing, so we still must be careful, but this covers the common case. PiperOrigin-RevId: 387873847
2021-07-28Explicitly encode the pcap packet headers to reduce CPU cost of pcap generation.gVisor bot
PiperOrigin-RevId: 387513118
2021-07-28Add Uid/Gid/Groups fields to VFS2 /proc/[pid]/status.Jamie Liu
For comparison: ``` $ docker run --rm -it ubuntu:focal bash -c 'cat /proc/self/status' Name: cat Umask: 0022 State: R (running) Tgid: 1 Ngid: 0 Pid: 1 PPid: 0 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 64 Groups: NStgid: 1 NSpid: 1 NSpgid: 1 NSsid: 1 VmPeak: 2660 kB VmSize: 2660 kB VmLck: 0 kB VmPin: 0 kB VmHWM: 528 kB VmRSS: 528 kB ... $ docker run --runtime=runsc-vfs2 --rm -it ubuntu:focal bash -c 'cat /proc/self/status' Name: cat State: R (running) Tgid: 1 Pid: 1 PPid: 0 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 4 Groups: VmSize: 10708 kB VmRSS: 3124 kB VmData: 316 kB ... ``` Fixes #6374 PiperOrigin-RevId: 387465655
2021-07-28Merge pull request #6358 from zhlhahaha:2232gVisor bot
PiperOrigin-RevId: 387442805
2021-07-28Add verity read benchmark testsChong Cai
PiperOrigin-RevId: 387431049
2021-07-28Lock gofer.dentry.dataMu before SetAttr RPC modifying file size.Jamie Liu
PiperOrigin-RevId: 387427887
2021-07-28tunning hasSlot function and fix store wrong value in usedSlotsHoward Zhang
Make hasSlot scan allocated slot, rather than the whole slice. It is supposed to store physicalStart in usedSlot. Signed-off-by: Howard Zhang <howard.zhang@arm.com>
2021-07-27Use go:build directives in generated files.Jamie Liu
Build constraints are now inferred from go:build directives rather than +build directives. +build directives are still emitted in generated files as required in Go 1.16 and earlier. Note that go/build/constraint was added in Go 1.16, so gVisor now requires Go 1.16. PiperOrigin-RevId: 387240779
2021-07-26Merge pull request #6292 from btw616:local-timezonegVisor bot
PiperOrigin-RevId: 386988406
2021-07-26Fix per-analyzer overrides of default-disabled groupsMichael Pratt
Currently behavior of config groups with `default: false` is buggy. The intention is that adding an empty suppression section for that group to a specific analyzer config should enable reporting for that analyzer. i.e., ``` groups: - name: foo regex: "^foo/" default: false global: ... analyzers: asmdecl: foo: # Enabled. ``` This should enable the foo group only for asmdecl. Unfortunately, today the actual behavior depends on the contents of the `global:` section. If `global:` contains an entry for foo, then it will work as described. If `global:` does _not_ contain an entry for foo, then the group default (disabled) always applies and the individual analyzer options have no effect. The cause of this is confusion in `AnalyzerConfig.shouldReport`, which doesn't distinguish between explicit suppression via a global suppression/exclude and simply having no configuration at all. Make this more explicit, so that the no configuration case can continue to per-analyzer configuration before falling back to the group default. The last test case in the added test fails without this change. This re-enables several opted-in analyzers for external dependencies, which have gained a few more false positives to suppress. PiperOrigin-RevId: 386904725
2021-07-23Clean up logic for when a VFS2 gofer regular file close causes a flushf.Jamie Liu
PiperOrigin-RevId: 386577891
2021-07-23Add verity open benchmark testChong Cai
PiperOrigin-RevId: 386533065
2021-07-23Don't panic on user-controlled state in semaphore syscalls.Rahat Mahmood
Reported-by: syzbot+beb099a67f670386a367@syzkaller.appspotmail.com PiperOrigin-RevId: 386521361
2021-07-23Add support for SIOCGIFCONF ioctl in hostinet.Lucas Manning
PiperOrigin-RevId: 386511818
2021-07-23update bug number in loopback testsKevin Krakauer
PiperOrigin-RevId: 386511209
2021-07-23buildkite: deflake itimer testKevin Krakauer
The self-admittedly arbitrary threshold of 20% of alarms being sent to the main thread was being breached. I saw a run of of ~20-23% [1]. We should allow for a little more breathing room. 1 - https://buildkite.com/gvisor/pipeline/builds/7400 PiperOrigin-RevId: 386503482
2021-07-23Handle EINTR from socket syscalls in send/recv benchmark.Rahat Mahmood
The benchmark check fails if any of the socket syscalls fail with EINTR. We see this manifest in S/R lifecycles since S/R has a high probability of aborting these syscalls with EINTR. PiperOrigin-RevId: 386480365
2021-07-22Move socket_test_util to //test/utilGhanan Gowripalan
...and rename the library to socket_util. PiperOrigin-RevId: 386348306
2021-07-22VFS2: remove ext codeKevin Krakauer
We opted to move forward with FUSE instead. PiperOrigin-RevId: 386344258
2021-07-22kvm: set CR0.NE = 1Andrei Vagin
CR0.NE enables internal x87 floating point error reporting when set, else enables PC style x87 error detection. On AMD, the #MF exception isn't generated if CR0.NE isn't set. PiperOrigin-RevId: 386340269
2021-07-22runsc: Wait child processes without timeoutsAndrei Vagin
* First, we don't need to poll child processes. * Second, the 5 seconds timeout is too small if a host is overloaded. * Third, this can hide bugs in the code when we wait a process that isn't going to exit. PiperOrigin-RevId: 386337586
2021-07-22Merge pull request #6108 from sudo-sturbia:msgqueue/syscallsgVisor bot
PiperOrigin-RevId: 386323389
2021-07-22buildkite: move golang installation to VM bootKevin Krakauer
Rather than re-downloading and installing Go for each pipeline run, we should just do it at boot. PiperOrigin-RevId: 386320005
2021-07-22Replace kernel package types for clone and unshare with linux package types.Jamie Liu
PiperOrigin-RevId: 386312456
2021-07-21Add metric to count number of segments acknowledged by DSACK.Nayana Bidari
- Creates new metric "/tcp/segments_acked_with_dsack" to count the number of segments acked with DSACK. - Added check to verify the metric is getting incremented when a DSACK is sent in the unit tests. PiperOrigin-RevId: 386135949
2021-07-21buildkite: update GoKevin Krakauer
#6322 tried to update Go to 1.16, but existing nodes fail to upgrade due to the presence of old Go [1]. Specifically when trying to add Go to `/usr/bin`: ``` ln: failed to create symbolic link '/usr/bin/go': File exists ``` Also: - Removing `golang-go` also removes apt installs of `gcc` and `pkg-config`, so those are installed explicitly. - Add `-c` to wget, which will prevent re-downloading Go for each run. - Disable GO111MODULE when building cri-tools and containerd, since we're using pre-module versions of each. 1 - https://buildkite.com/gvisor/pipeline/builds/7285#3593244c-e411-472d-804a-9c7fbbd24762 PiperOrigin-RevId: 386106881
2021-07-21Fix required Linux version in networking docs.Ian Lewis
PiperOrigin-RevId: 386093826
2021-07-21Use atomics when checking for parent setgid in VFS2 tmpfs file creation.Jamie Liu
Reported-by: syzbot+59550b48e06cc0d3b638@syzkaller.appspotmail.com PiperOrigin-RevId: 386075453
2021-07-20Enable RACK by default in netstack.Nayana Bidari
PiperOrigin-RevId: 385944428
2021-07-20Expose local address from raw socketsGhanan Gowripalan
PiperOrigin-RevId: 385940836
2021-07-20Add fsstress test to goferfsFabricio Voznika
PiperOrigin-RevId: 385937353
2021-07-20Don't kill container when volume is unmountedFabricio Voznika
The gofer session is killed when a gofer backed volume is unmounted. The gofer monitor catches the disconnect and kills the container. This changes the gofer monitor to only care about the rootfs connections, which cannot be unmounted. Fixes #6259 PiperOrigin-RevId: 385929039
2021-07-20Merge pull request #6220 from laijs:disconnect-fpgVisor bot
PiperOrigin-RevId: 385919423
2021-07-20Add go:build directives as required by Go 1.17's gofmt.Jamie Liu
PiperOrigin-RevId: 385894869
2021-07-20ring0: Initialize sentryXCR0 from Kernel.init()Andrei Vagin
Fixes #6300 PiperOrigin-RevId: 385840917
2021-07-16Automated rollback of changelist 385029528Kevin Krakauer
PiperOrigin-RevId: 385200993
2021-07-15Fix refcount increments in gofer.filesystem.Sync.Fabricio Voznika
fs.renameMu is released and reacquired in `dentry.destroyLocked()` allowing a dentry to be in `fs.syncableDentries` with a negative reference count. Fixes #5263 PiperOrigin-RevId: 385054337
2021-07-15Update gVisor release signing key to a version that does not expire.Etienne Perot
PiperOrigin-RevId: 385051420
2021-07-15buildkite: bump Go version to 1.16Kevin Krakauer
We're currently on 1.13, which can cause build issues with code targeting later versions. PiperOrigin-RevId: 385029528
2021-07-15netstack: support SO_RCVBUFFORCEKevin Krakauer
TCP is fully supported. As with SO_RCVBUF, other transport protocols perform no-ops per DefaultSocketOptionsHandler.OnSetReceiveBufferSize. PiperOrigin-RevId: 385023239
2021-07-15Merge pull request #6320 from kevinGC:issues-templategVisor bot
PiperOrigin-RevId: 385019550
2021-07-14Add verity symlink testsChong Cai
PiperOrigin-RevId: 384823097
2021-07-14Replace whitelist with allowlist from docsFabricio Voznika
PiperOrigin-RevId: 384796852
2021-07-14Set tcp endpoint state atomicallyTamir Duberstein
PiperOrigin-RevId: 384776517
2021-07-14testing: shrink exhaustion test size to avoid timeoutsKevin Krakauer
Tested via: ``` bazel test \ //test/syscalls:socket_ipv4_udp_unbound_loopback_nogotsan_test_runsc_ptrace --runs_per_test=2000 ``` PiperOrigin-RevId: 384773477
2021-07-14use github issue templatesKevin Krakauer
2021-07-13Replace whitelist with allowlistFabricio Voznika
PiperOrigin-RevId: 384586164
2021-07-13Do not require O_PATH flag to enable verityChong Cai
Remove the hack in gVisor vfs that allows verity to bypass the O_PATH check, since ioctl is not allowed on fds opened with O_PATH in linux. Verity still opens the lowerFD with O_PATH to open it as a symlink, but the API no longer expects O_PATH to open a fd to be verity enabled. Now only O_FOLLOW should be specified when opening and enabling verity features. PiperOrigin-RevId: 384567833
2021-07-13Implement stubs for msgget(2) and msgctl(IPC_RMID).Zyad A. Ali
Add support for msgget, and msgctl(IPC_RMID), and enable msgqueue syscall tests. Updates #135
2021-07-13Implement Registry.Remove.Zyad A. Ali
Remove implements the behaviour or msgctl(IPC_RMID). Updates #135