Age | Commit message (Collapse) | Author |
|
Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule
despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a
connection could not be established.
We handle this (as Linux does) by tracking all connections, inserting a
no-op conntrack rule for new connections with no rules of their own.
Needed for istio support (#170).
|
|
For iptables users, Check() is a hot path called for every packet one or more
times. Let's avoid a bunch of map lookups.
PiperOrigin-RevId: 322678699
|
|
Updates #2923
PiperOrigin-RevId: 322671489
|
|
Helps in fixing open syscall tests: AppendConcurrentWrite and AppendOnly.
We also now update the file size for seekable special files (regular files)
which we were not doing earlier.
Updates #2923
PiperOrigin-RevId: 322670843
|
|
Updates #173
PiperOrigin-RevId: 322665518
|
|
Temporarily skip these, on bhaskherh@'s advice.
PiperOrigin-RevId: 322664955
|
|
PiperOrigin-RevId: 322265513
|
|
- Fixes some html validation issues.
- Fixes links on security basics blog post.
- Adds rel=noopener to links with target=_blank and adds a check to
htmlproofer.
- Add favicon check to htmlproofer.
Fixes #3286
Fixes #3284
PiperOrigin-RevId: 321892602
|
|
PiperOrigin-RevId: 321887956
|
|
PiperOrigin-RevId: 321885126
|
|
PiperOrigin-RevId: 321875119
|
|
PiperOrigin-RevId: 321839398
|
|
DUT logs will include logs from the posix server and gVisor, which
provides a way to instrument the DUT during test failures.
PiperOrigin-RevId: 321816647
|
|
PiperOrigin-RevId: 321808673
|
|
PiperOrigin-RevId: 321790802
|
|
Updates #173
PiperOrigin-RevId: 321690756
|
|
PiperOrigin-RevId: 321647645
|
|
PiperOrigin-RevId: 321620517
|
|
PiperOrigin-RevId: 321496734
|
|
PiperOrigin-RevId: 321478001
|
|
This is no longer necessary, as we always set NetworkHeader before calling
iptables.Check.
PiperOrigin-RevId: 321461978
|
|
PiperOrigin-RevId: 321449877
|
|
Now it calls pkt.Data.ToView() when writing the packet. This may require
copying when the packet is large, which puts the worse case in an even worse
situation.
This sent out in a separate preparation change as it requires syscall filter
changes. This change will be followed by the change for the adoption of the new
PacketHeader API.
PiperOrigin-RevId: 321447003
|
|
Packet sockets also seem to allow double binding and do not return an error on
linux. This was tested by running the syscall test in a linux namespace as root
and the current test DoubleBind fails@HEAD.
Passes after this change.
Updates #173
PiperOrigin-RevId: 321445137
|
|
gVisor incorrectly returns the wrong ARP type for SIOGIFHWADDR. This breaks
tcpdump as it tries to interpret the packets incorrectly.
Similarly, SIOCETHTOOL is used by tcpdump to query interface properties which
fails with an EINVAL since we don't implement it. For now change it to return
EOPNOTSUPP to indicate that we don't support the query rather than return
EINVAL.
NOTE: ARPHRD types for link endpoints are distinct from NIC capabilities
and NIC flags. In Linux all 3 exist eg. ARPHRD types are stored in dev->type
field while NIC capabilities are more like the device features which can be
queried using SIOCETHTOOL but not modified and NIC Flags are fields that can
be modified from user space. eg. NIC status (UP/DOWN/MULTICAST/BROADCAST) etc.
Updates #2746
PiperOrigin-RevId: 321436525
|
|
`set -e` does not catch errors in bash command substituions like
`echo $(bad cmd)` so bazel thinks it succeeded and cached the result.
PiperOrigin-RevId: 321412327
|
|
Much like the boot process, apply pdeathsig to the gofer for cases where
the sandbox lifecycle is attached to the parent (runsc run/do).
This isn't strictly necessary, as the gofer normally exits once the
sentry disappears, but this makes that extra reliable.
|
|
PiperOrigin-RevId: 321411758
|
|
PiperOrigin-RevId: 321403149
|
|
When we failed to create the new socket after adding the fd to
fdnotifier, we should remove the fd from fdnotifier, because we
are going to close the fd directly.
Fixes: #3241
Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
|
|
PiperOrigin-RevId: 321269281
|
|
To implement stat(2) in FUSE, we have to embed credentials and pid in request
header. The information should be extracted from the context passed to VFS
layer. Therefore `Stat()` signature in `kernfs.Inode` interface should include
context as first argument. Some other fs implementations need to be modified as
well, such as devpts, host, pipefs, and proc.
Fixes #3235
|
|
Will re-submit when ICMP dest unreachable is handled correctly and it can be
turned back on.
PiperOrigin-RevId: 321227330
|
|
A packetimpact test for: "A node must be able to accept a fragmented packet
that, after reassembly, is as large as 1500 octets."
PiperOrigin-RevId: 321210729
|
|
- Combine process creation code that is shared between
root and subcontainer processes
- Move root container information into a struct for
clarity
Updates #2714
PiperOrigin-RevId: 321204798
|
|
Also ironed out all the bugs found on the IPv6 code path that affects socket
bind, send and receive.
PiperOrigin-RevId: 321202653
|
|
PiperOrigin-RevId: 321062975
|
|
PiperOrigin-RevId: 321060717
|
|
PiperOrigin-RevId: 321053634
|
|
When --debug is enabled, the following log messages are
printed every second filling up the log:
D0430 18:04:42.823775 129561 parameters.go:238] Clock(Monotonic): error: 46 ns, adjusted frequency from 3591713733 Hz to 3591714196 Hz
D0430 18:04:42.823870 129561 parameters.go:238] Clock(Realtime): error: 36 ns, adjusted frequency from 3591714003 Hz to 3591714169 Hz
D0430 18:04:42.823892 129561 timekeeper.go:209] Updating VDSO parameters: {monotonicReady:1 monotonicBaseCycles:15758797714254696 monotonicBaseRef:29000233837 monotonicFrequency:3591714196 realtimeReady:1 realtimeBaseCycles:15758797714610880 realtimeBaseRef:1588269882823867374 realtimeFrequency:3591714169}
Info and warning messages for larger changes are kept the same.
PiperOrigin-RevId: 321048523
|
|
Add a conditional to avoid running the issue reviver on forks. It will
always cause errors since bug references in the source code don't match
issue IDs in forked repos.
PiperOrigin-RevId: 321042060
|
|
PiperOrigin-RevId: 321035635
|
|
PiperOrigin-RevId: 321029113
|
|
PiperOrigin-RevId: 321028238
|
|
This rule isn't restored when the Kokoro VM is restarted, so it's not doing
anything. And the problem it was meant to solved is instead addressed by
https://github.com/google/gvisor/pull/3207.
PiperOrigin-RevId: 321026846
|
|
For accessing metadata fields:
- If metadataMu is locked, we can access without atomics
- If metadataMu is unlocked, we should use atomics
For mutating metadata fields:
- Always lock metadataMu and use atomics.
There were some instances of inconsistencies which have been fixed.
PiperOrigin-RevId: 321022895
|
|
PiperOrigin-RevId: 321021071
|
|
PiperOrigin-RevId: 321020733
|
|
PiperOrigin-RevId: 321008185
|
|
As in Linux, we must periodically clean up unused connections.
PiperOrigin-RevId: 321003353
|