Age | Commit message | Author
2020-06-18 | Fix vfs2 tmpfs link permission checks. | Dean Deng
Updates #2923. PiperOrigin-RevId: 317246916
2020-06-18 | socket/unix: (*connectionedEndpoint).State() has to take the endpoint lock | Andrei Vagin
It accesses e.receiver which is protected by the endpoint lock.

WARNING: DATA RACE
Write at 0x00c0006aa2b8 by goroutine 189:
  pkg/sentry/socket/unix/transport.(*connectionedEndpoint).Connect.func1()
      pkg/sentry/socket/unix/transport/connectioned.go:359 +0x50
  pkg/sentry/socket/unix/transport.(*connectionedEndpoint).BidirectionalConnect()
      pkg/sentry/socket/unix/transport/connectioned.go:327 +0xa3c
  pkg/sentry/socket/unix/transport.(*connectionedEndpoint).Connect()
      pkg/sentry/socket/unix/transport/connectioned.go:363 +0xca
  pkg/sentry/socket/unix.(*socketOpsCommon).Connect()
      pkg/sentry/socket/unix/unix.go:420 +0x13a
  pkg/sentry/socket/unix.(*SocketOperations).Connect()
      <autogenerated>:1 +0x78
  pkg/sentry/syscalls/linux.Connect()
      pkg/sentry/syscalls/linux/sys_socket.go:286 +0x251

Previous read at 0x00c0006aa2b8 by goroutine 270:
  pkg/sentry/socket/unix/transport.(*baseEndpoint).Connected()
      pkg/sentry/socket/unix/transport/unix.go:789 +0x42
  pkg/sentry/socket/unix/transport.(*connectionedEndpoint).State()
      pkg/sentry/socket/unix/transport/connectioned.go:479 +0x2f
  pkg/sentry/socket/unix.(*socketOpsCommon).State()
      pkg/sentry/socket/unix/unix.go:714 +0xc3e
  pkg/sentry/socket/unix.(*socketOpsCommon).SendMsg()
      pkg/sentry/socket/unix/unix.go:466 +0xc44
  pkg/sentry/socket/unix.(*SocketOperations).SendMsg()
      <autogenerated>:1 +0x173
  pkg/sentry/syscalls/linux.sendTo()
      pkg/sentry/syscalls/linux/sys_socket.go:1121 +0x4c5
  pkg/sentry/syscalls/linux.SendTo()
      pkg/sentry/syscalls/linux/sys_socket.go:1134 +0x87

Reported-by: syzbot+c2be37eedc672ed59a86@syzkaller.appspotmail.com
PiperOrigin-RevId: 317236996
2020-06-18 | iptables: skip iptables if no rules are set | Kevin Krakauer
Users that never set iptables rules shouldn't incur the iptables performance cost. Suggested by Ian (@iangudger). PiperOrigin-RevId: 317232921
2020-06-18 | iptables: remove metadata struct | Kevin Krakauer
Metadata was useful for debugging and safety, but enough tests exist that we should see failures when (de)serialization is broken. It made stack initialization more cumbersome and it's also getting in the way of ip6tables. PiperOrigin-RevId: 317210653
2020-06-18 | Enable more VFS2 syscall tests | Fabricio Voznika
Updates #2923 PiperOrigin-RevId: 317185798
2020-06-18 | Acquire lock when accessing MultiDevice's cache in String(). | Ting-Yu Wang
PiperOrigin-RevId: 317180925
2020-06-18 | Ensure ip6tables module installed | Kevin Krakauer
This module isn't always loaded automatically. PiperOrigin-RevId: 317164471
2020-06-18 | Remove various uses of 'whitelist' | Michael Pratt
Updates #2972 PiperOrigin-RevId: 317113059
2020-06-18 | Support setsockopt SO_SNDBUF/SO_RCVBUF for raw/udp sockets. | Bhasker Hariharan
Updates #173,#6 Fixes #2888 PiperOrigin-RevId: 317087652
2020-06-18 | Cleanup tcp.timer and tcpip.Route | Ghanan Gowripalan
When a tcp.timer or tcpip.Route is no longer used, clean up its resources so that unused memory may be released. PiperOrigin-RevId: 317046582
2020-06-17 | Implement Sync() to directories | Fabricio Voznika
Updates #1035, #1199 PiperOrigin-RevId: 317028108
2020-06-17 | Add TempTmpMount test | Fabricio Voznika
This currently doesn't work with VFS2. Add test to ensure it's not missed. Updates #1487 PiperOrigin-RevId: 317013792
2020-06-17 | Move mount configuration to RunOpts | Fabricio Voznika
Separate mount configuration from links and move it to RunOpts, like the other options. PiperOrigin-RevId: 317010158
2020-06-17 | Increase timeouts for NDP tests | Ghanan Gowripalan
... to help reduce flakes. When waiting for an event to occur, use a timeout of 10s. When waiting for an event to not occur, use a timeout of 1s. Test: Ran test locally w/ run count of 1000 with and without gotsan. PiperOrigin-RevId: 316998128
2020-06-17 | Add test for stat("/proc/net/snmp"). | Ian Gudger
PiperOrigin-RevId: 316974863
2020-06-17 | Internal change. | gVisor bot
PiperOrigin-RevId: 316973783
2020-06-17 | Proc test: Allow root mount pathname to be non-root. | Nicolas Lacasse
The test was expecting that the root mount pathname was "/", but it doesn't need to be. Only the mount point actually should be "/" (otherwise it is not the root). PiperOrigin-RevId: 316968025
2020-06-17 | Fix TtlDefault test on linux. | Bhasker Hariharan
Different flavors of linux seem to use different defaults; we accept 64 or 127 as the TtlDefault in the test. PiperOrigin-RevId: 316961150
2020-06-17 | Remove various uses of 'blacklist' | Michael Pratt
Updates #2972 PiperOrigin-RevId: 316942245
2020-06-17 | Refactor host.canMap. | Dean Deng
Simplify the canMap check. We do not have plans to allow mmap for anything beyond regular files, so we can just inline canMap() as a simple file mode check. Updates #1672. PiperOrigin-RevId: 316929654
2020-06-17 | TCP stat fixes | Mithun Iyer
Ensure that CurrentConnected stat is updated on any errors and cleanups during connected state processing. Fixes #2968 PiperOrigin-RevId: 316919426
2020-06-17 | Implement POSIX locks | Fabricio Voznika
- Change FileDescriptionImpl Lock/UnlockPOSIX signature to take {start,length,whence}, so the correct offset can be calculated in the implementations.
- Create PosixLocker interface to make it possible to share the same locking code from different implementations.

Closes #1480
PiperOrigin-RevId: 316910286
2020-06-17 | Fix typos in test/README.md. | Nicolas Lacasse
Closes #2996. PiperOrigin-RevId: 316900535
2020-06-16 | Add runsc options to set checksum offloading status | gVisor bot
--tx-checksum-offload=<true|false> enable TX checksum offload (default: false)
--rx-checksum-offload=<true|false> enable RX checksum offload (default: true)

Fixes #2989
PiperOrigin-RevId: 316781309
2020-06-16 | Correctly handle multiple resizings in pgalloc.findAvailableRange(). | Jamie Liu
PiperOrigin-RevId: 316778032
2020-06-16 | Replace use of %v in tcp tests | Mithun Iyer
PiperOrigin-RevId: 316767969
2020-06-16 | Print spec as json when --debug is enabled | Fabricio Voznika
The previous format skipped many important structs that are pointers, especially for cgroups. Change to print as json, removing parts of the spec that are not relevant. Also removed debug message from gofer that can be very noisy when directories are large. PiperOrigin-RevId: 316713267
2020-06-16 | Port aio to VFS2. | Nicolas Lacasse
In order to make sure all aio goroutines have stopped during S/R, a new WaitGroup was added to TaskSet, analogous to runningGoroutines. This WaitGroup is incremented with each aio goroutine, and waited on during kernel.Pause. The old VFS1 aio code was changed to use this new WaitGroup, rather than fs.Async. The only uses of fs.Async are now inode and mount Release operations, which do not call fs.Async recursively. This fixes a lock-ordering violation that can cause deadlocks. Updates #1035. PiperOrigin-RevId: 316689380
2020-06-16 | Miscellaneous VFS2 fixes. | Jamie Liu
PiperOrigin-RevId: 316627764
2020-06-15 | TCP to honor updated window size during handshake. | Mithun Iyer
In passive open cases, we transition to Established state after initializing endpoint's sender and receiver. With this we lose out on any updates coming from the ACK that completes the handshake. This change ensures that we uniformly transition to Established in all cases and does minor cleanups. Fixes #2938 PiperOrigin-RevId: 316567014
2020-06-15 | Remove blacklist from //test/runtimes | Michael Pratt
Updates #2972 PiperOrigin-RevId: 316534165
2020-06-15 | Internal change. | Martijn Vels
PiperOrigin-RevId: 316492839
2020-06-15 | Correctly set the test VFS environment variable. | Rahat Mahmood
Also fix test bugs uncovered now that they aren't silently skipped on VFS2. Updates #1487. PiperOrigin-RevId: 316415807
2020-06-12 | Allow reading IP_MULTICAST_LOOP and IP_MULTICAST_TTL on TCP sockets. | Ian Gudger
I am not really sure what the point of this is, but someone filed a bug about it, so I assume something relies on it. PiperOrigin-RevId: 316225127
2020-06-12 | Make GenerateRandomPayload available to all tests | Tony Gong
Moved the function for generating a payload of random bytes of a specified length into the testbench package so that it's available for all tests to use. Added a test case to the IPv4 ID uniqueness test which uses a payload length of 512 bytes. This test case passes for gVisor currently, whereas the test case with a small payload of 11 bytes fails because gVisor only assigns the ID field if the IP payload is sufficiently large. PiperOrigin-RevId: 316185097
2020-06-12 | vfs2: implement fcntl(fd, F_SETFL, flags) | Andrei Vagin
PiperOrigin-RevId: 316148074
2020-06-11 | Replace use of %v in packetimpact tests | Mithun Iyer
PiperOrigin-RevId: 316027588
2020-06-11 | Set the HOME environment variable for sub-containers. | Ian Lewis
Fixes #701 PiperOrigin-RevId: 316025635
2020-06-11 | Remove generated logs when test succeeds. | Adin Scannell
PiperOrigin-RevId: 316022884
2020-06-11 | Add //pkg/sentry/fsimpl/overlay. | Jamie Liu
Major differences from existing overlay filesystems:

- Linux allows lower layers in an overlay to require revalidation, but not the upper layer. VFS1 allows the upper layer in an overlay to require revalidation, but not the lower layer. VFS2 does not allow any layers to require revalidation. (Now that vfs.MkdirOptions.ForSyntheticMountpoint exists, no uses of overlay in VFS1 are believed to require upper layer revalidation; in particular, the requirement that the upper layer support the creation of "trusted." extended attributes for whiteouts effectively required the upper filesystem to be tmpfs in most cases.)
- Like VFS1, but unlike Linux, VFS2 overlay does not attempt to make mutations of the upper layer atomic using a working directory and features like RENAME_WHITEOUT. (This may change in the future, since not having a working directory makes error recovery for some operations, e.g. rmdir, particularly painful.)
- Like Linux, but unlike VFS1, VFS2 represents whiteouts using character devices with rdev == 0; the equivalent of the whiteout attribute on directories is xattr trusted.overlay.opaque = "y"; and there is no equivalent to the whiteout attribute on non-directories since non-directories are never merged with lower layers.
- Device and inode numbers work as follows:
  - In Linux, modulo the xino feature and a special case for when all layers are the same filesystem:
    - Directories use the overlay filesystem's device number and an ephemeral inode number assigned by the overlay.
    - Non-directories that have been copied up use the device and inode number assigned by the upper filesystem.
    - Non-directories that have not been copied up use a per-(overlay, layer)-pair device number and the inode number assigned by the lower filesystem.
  - In VFS1, device and inode numbers always come from the lower layer unless "whited out"; this has the adverse effect of requiring interaction with the lower filesystem even for non-directory files that exist on the upper layer.
  - In VFS2, device and inode numbers are assigned as in Linux, except that xino and the samefs special case are not supported.
- Like Linux, but unlike VFS1, VFS2 does not attempt to maintain memory mapping coherence across copy-up. (This may have to change in the future, as users may be dependent on this property.)
- Like Linux, but unlike VFS1, VFS2 uses the overlayfs mounter's credentials when interacting with the overlay's layers, rather than the caller's.
- Like Linux, but unlike VFS1, VFS2 permits multiple lower layers in an overlay.
- Like Linux, but unlike VFS1, VFS2's overlay filesystem is application-mountable.

Updates #1199
PiperOrigin-RevId: 316019067
2020-06-11 | Add test for reordering. | Ian Gudger
Tests the effect of reordering on retransmission and window size. Test covers the expected behavior of both Linux and netstack, however, netstack does not behave as expected. Further, the current expected behavior of netstack is not ideal and should be adjusted in the future. PiperOrigin-RevId: 316015184
2020-06-11 | Enable nogo again | Fabricio Voznika
PiperOrigin-RevId: 316011323
2020-06-11 | Do not use tentative addresses for routes | Ghanan Gowripalan
Tentative addresses should not be used when finding a route. This change fixes a bug where a tentative address may have been used. Test: stack_test.TestDADResolve PiperOrigin-RevId: 315997624
2020-06-11 | Merge pull request #2863 from lubinszARM:pr_sndbuf | gVisor bot
PiperOrigin-RevId: 315991648
2020-06-11 | Don't copy structs with sync.Mutex during initialization | Fabricio Voznika
During initialization inode struct was copied around, but it isn't great practice to copy it around since it contains ref count and sync.Mutex. Updates #1480 PiperOrigin-RevId: 315983788
2020-06-11 | Merge pull request #2705 from lubinszARM:pr_sigfp_nested | gVisor bot
PiperOrigin-RevId: 315979564
2020-06-11 | Merge pull request #2946 from avagin:travis-pipefail | gVisor bot
PiperOrigin-RevId: 315972822
2020-06-11 | Refactor packetimpact Connection types | gVisor bot
Reorganize the Connection types such that the defined types no longer expose the lower-level functions SendFrame and CreateFrame. These methods are still exported on the underlying Connection type, and thus can be accessed via a type-cast. In future, defined types should have one or more type-safe versions of the send() method on Connection, e.g. UDPIPv4 has Send() which allows the UDP header to be overridden and SendIP() which allows both the IPv4 and UDP headers to be modified. testbench.Connection gets a SendFrameStateless method which sends frames without updating the state of any of the layers. This should be used when sending out-of-band control messages such as ICMP messages, as using the normal Send method can result in errors when attempting to update the TCP state using an ICMP packet. Also remove the localAddr field of testbench.Connection and instead compute it on the fly as needed for UDPIPv4 and TCPIPv4. PiperOrigin-RevId: 315969714
2020-06-11 | Add Generate method in merkletree | gVisor bot
A method is added to generate a merkle tree for data, and store the generated tree in the output. PiperOrigin-RevId: 315966571
2020-06-11 | Factor out flipcall mmap for internal use | gVisor bot
PiperOrigin-RevId: 315959279