summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-05-08iptables - filter packets using outgoing interface.gVisor bot
Enables commands with -o (--out-interface) for iptables rules. $ iptables -A OUTPUT -o eth0 -j ACCEPT PiperOrigin-RevId: 310642286
2020-05-08Add UDP send/recv packetimpact tests.Bhasker Hariharan
Fixes #2654 PiperOrigin-RevId: 310642216
2020-05-08Pass flags to fsimpl/host.inode.open().Jamie Liu
This has two effects: It makes flags passed to open("/proc/[pid]/fd/[hostfd]") effective, and it prevents imported pipes/sockets/character devices from being opened with O_NONBLOCK unconditionally (because the underlying host FD was set to non-blocking in ImportFD()). PiperOrigin-RevId: 310596062
2020-05-08Send ACK to OTW SEQs/unacc ACKs in CLOSE_WAITZeling Feng
This fixed the corresponding packetimpact test. PiperOrigin-RevId: 310593470
2020-05-07Merge pull request #2637 from avagin:make-vs-bazelgVisor bot
PiperOrigin-RevId: 310479788
2020-05-07make: exit with non-zero code if "bazel build" failedAndrei Vagin
Without this fix, make exits with zero code when bazel build failed: $ make run TARGETS="--abra --kadabra" ERROR: Unrecognized option: --abra $ echo $? 0 Signed-off-by: Andrei Vagin <avagin@gmail.com>
2020-05-07make: bazel docker container should clean itself up.Adin Scannell
This change two does things: 1) Name the container based on the canonical directory path. 2) Allow the container to exit after bazel itself has exited. The first is necessary to support multiple working directories, while the second one allows these instances to clean up properly. PiperOrigin-RevId: 310460748
2020-05-07Fix ARM64 build.Adin Scannell
The common syscall definitions mean that ARM64-exclusive files need stubs in the ARM64 build. PiperOrigin-RevId: 310446698
2020-05-07Capture range variable in parallel subtestsSam Balana
Only the last test was running before since the goroutines won't be executed until after this loop. I added t.Log(test.name) and this is was the result: TestListenNoAcceptNonUnicastV4/SourceUnspecified: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestUnspecified: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestOtherMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceBroadcast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestOurMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestBroadcast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceOtherMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceOurMulticast: DestOtherMulticast https://github.com/golang/go/wiki/TableDrivenTests#parallel-testing PiperOrigin-RevId: 310440629
2020-05-07Allocate device numbers for VFS2 filesystems.Jamie Liu
Updates #1197, #1198, #1672 PiperOrigin-RevId: 310432006
2020-05-07Fix tags used for determining file sets.Adin Scannell
Updates #2569 Updates #2298 PiperOrigin-RevId: 310423629
2020-05-07Automated rollback of changelist 309339316Bhasker Hariharan
PiperOrigin-RevId: 310417191
2020-05-07Move pkg/sentry/vfs/{eventfd,timerfd} to new packages in pkg/sentry/fsimpl.Nicolas Lacasse
They don't depend on anything in VFS2, so they should be their own packages. PiperOrigin-RevId: 310416807
2020-05-07Internal change.gVisor bot
PiperOrigin-RevId: 310409922
2020-05-07Port signalfd to vfs2.Nicolas Lacasse
PiperOrigin-RevId: 310404113
2020-05-07Fix bugs in SACK recovery.Bhasker Hariharan
Every call to sender.NextSeg does not need to iterate from the front of the writeList as in a given recovery episode we can cache the last nextSeg returned. There cannot be a lower sequenced segment that matches the next call to NextSeg as otherwise we would have returned that instead in the previous call. This fixes the issue of excessive CPU usage w/ large send buffers where we spend a lot of time iterating from the front of the list on every NextSeg invocation. Further the following other bugs were also fixed: * Iteration of segments never sent in NextSeg() when looking for segments for retransmission that match step1/3/4 of the NextSeg algorithm * Correctly setting rescueRxt only if the rescue segment was actually sent. * Correctly initializing rescueRxt/highRxt when entering SACK recovery. * Correctly re-arming the timer only on retransmissions when SACK is in use and not for every segment being sent as it was being done before. * Copy over xmitTime and xmitCount on segment clone. * Move writeNext along when skipping over SACKED segments. This is required to prevent spurious retransmissions where we end up retransmitting data that was never lost. PiperOrigin-RevId: 310387671
2020-05-07Update privateunixsocket TODOs.Dean Deng
Synthetic sockets do not have the race condition issue in VFS2, and we will get rid of privateunixsocket as well. Fixes #1200. PiperOrigin-RevId: 310386474
2020-05-07Merge pull request #2639 from kevinGC:ipv4-frag-reassembly-testgVisor bot
PiperOrigin-RevId: 310380911
2020-05-07Remove outdated TODO for VFS2 AccessAt.Dean Deng
Fixes #1965. PiperOrigin-RevId: 310380433
2020-05-06Add basic incoming ipv4 fragment testsKevin Krakauer
Based on ipv6's TestReceiveIPv6Fragments.
2020-05-06Merge pull request #2570 from lubinszARM:pr_cleangVisor bot
PiperOrigin-RevId: 310259686
2020-05-06Remove vfs.FileDescriptionOptions.InvalidWrite.Jamie Liu
Compare: https://elixir.bootlin.com/linux/v5.6/source/fs/timerfd.c#L431 PiperOrigin-RevId: 310246908
2020-05-06Do not assume no DHCPv6 configurationsGhanan Gowripalan
Do not assume that networks need any DHCPv6 configurations. Instead, notify the NDP dispatcher in response to the first NDP RA's DHCPv6 flags, even if the flags indicate no DHCPv6 configurations are available. PiperOrigin-RevId: 310245068
2020-05-06Fix runsc syscall documentation generation.Adin Scannell
We can register any number of tables with any number of architectures, and need not limit the definitions to the architecture in question. This allows runsc to generate documentation for all architectures simultaneously. Similarly, this simplifies the VFSv2 patching process. PiperOrigin-RevId: 310224827
2020-05-06sniffer: fix accidental logging of good packets as badKevin Krakauer
We need to check vv.Size() instead of len(tcp), as tcp will always be 20 bytes long. PiperOrigin-RevId: 310218351
2020-05-06Internal change.gVisor bot
PiperOrigin-RevId: 310213705
2020-05-06Add maximum memory limit.Nicolas Lacasse
PiperOrigin-RevId: 310179277
2020-05-05Internal change.gVisor bot
PiperOrigin-RevId: 310057834
2020-05-05gvisor/test: use RetryEINTR for connect()Andrei Vagin
connect() returns EINTR after S/R and usually we use RetryEINTR to workaround this. PiperOrigin-RevId: 310038525
2020-05-05Support TCP zero window probes.Mithun Iyer
As per RFC 1122 4.2.2.17, when the remote advertizes zero receive window, the sender needs to probe for the window-size to become non-zero starting from the next retransmission interval. The TCP connection needs to be kept open as long as the remote is acknowledging the zero window probes. We reuse the retransmission timers to support this. Fixes #1644 PiperOrigin-RevId: 310021575
2020-05-05Internal change.gVisor bot
PiperOrigin-RevId: 310001058
2020-05-05Update vfs2 socket TODOs.Dean Deng
Three updates: - Mark all vfs2 socket syscalls as supported. - Use the same dev number and ino number generator for all types of sockets, unlike in VFS1. - Do not use host fd for hostinet metadata. Fixes #1476, #1478, #1484, 1485, #2017. PiperOrigin-RevId: 309994579
2020-05-05Update comments for synthetic gofer files in vfs2.Dean Deng
PiperOrigin-RevId: 309966538
2020-05-05Return correct name for imported host filesFabricio Voznika
Implement PrependPath() in host.filesystem to correctly format name for host files. Updates #1672 PiperOrigin-RevId: 309959135
2020-05-05Translate p9.NoUID/GID to OverflowUID/GID.Jamie Liu
p9.NoUID/GID (== uint32(-1) == auth.NoID) is not a valid auth.KUID/KGID; in particular, using it for file ownership causes capabilities to be ineffective since file capabilities require that the file's KUID and KGID are mapped into the capability holder's user namespace [1], and auth.NoID is not mapped into any user namespace. Map p9.NoUID/GID to a different, valid KUID/KGID; in the unlikely case that an application actually using the overflow KUID/KGID attempts an operation that is consequently permitted by client permission checks, the remote operation will still fail with EPERM. Since this changes the VFS2 gofer client to no longer ignore the invalid IDs entirely, this CL both permits and requires that we change synthetic mount point creation to use root credentials. [1] See fs.Inode.CheckCapability or vfs.GenericCheckPermissions. PiperOrigin-RevId: 309856455
2020-05-04Port eventfd to VFS2.Nicolas Lacasse
And move sys_timerfd.go to just timerfd.go for consistency. Updates #1475. PiperOrigin-RevId: 309835029
2020-05-04Internal change.gVisor bot
PiperOrigin-RevId: 309832671
2020-05-04Remove kernfs.Filesystem cast from GenericDirectoryFDFabricio Voznika
This allows for kerfs.Filesystem to be overridden by different implementations. Updates #1672 PiperOrigin-RevId: 309809321
2020-05-04Deflake //third_party/gvisor/test/syscalls:proc_test_nativeAndrei Vagin
There is the known issue of the linux procfs, that two consequent calls of readdir can return the same entry twice if between these calls one or more entries have been removed from this directory. PiperOrigin-RevId: 309803066
2020-05-04Internal change.gVisor bot
PiperOrigin-RevId: 309801320
2020-05-04Enable TestRunNonRoot on VFS2Fabricio Voznika
Also added back the default test dimension back which was dropped in a previous refactor. PiperOrigin-RevId: 309797327
2020-05-04Mount VSFS2 filesystem using root credentialsFabricio Voznika
PiperOrigin-RevId: 309787938
2020-05-04Merge pull request #2275 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 309783486
2020-05-04Add TTY support on VFS2 to runscFabricio Voznika
Updates #1623, #1487 PiperOrigin-RevId: 309777922
2020-05-04Fix flaky monotonic time.Adin Scannell
This change ensures that even platforms with some TSC issues (e.g. KVM), can get reliable monotonic time by applied a lower bound on each read. PiperOrigin-RevId: 309773801
2020-05-01Fix include type.Adin Scannell
PiperOrigin-RevId: 309506957
2020-05-01Run labeller only for non-forked pull requests.Adin Scannell
Otherwise the labeller will generate an error each time. PiperOrigin-RevId: 309505731
2020-05-01Support for connection tracking of TCP packets.Nayana Bidari
Connection tracking is used to track packets in prerouting and output hooks of iptables. The NAT rules modify the tuples in connections. The connection tracking code modifies the packets by looking at the modified tuples.
2020-05-01Regenerate SLAAC address on conflicts with the NICGhanan Gowripalan
If the NIC already has a generated SLAAC address, regenerate a new SLAAC address until one is generated that does not conflict with the NIC's existing addresses, up to a maximum of 10 attempts. This applies to both stable and temporary SLAAC addresses. Test: stack_test.TestMixedSLAACAddrConflictRegen PiperOrigin-RevId: 309495628
2020-05-01Automated rollback of changelist 308674219Kevin Krakauer
PiperOrigin-RevId: 309491861