summaryrefslogtreecommitdiffhomepage
path: root/pkg/abi/linux
AgeCommit message (Collapse)Author
2020-02-26iptables: filter by IP address (and range)Kevin Krakauer
Enables commands such as: $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT Also adds a bunch of REDIRECT+destination tests.
2020-02-21Implement tap/tun device in vfs.Ting-Yu Wang
PiperOrigin-RevId: 296526279
2020-02-20Better strace logging for epoll syscalls.gVisor bot
Example: epoll_ctl(0x3 anon_inode:[eventpoll], EPOLL_CTL_ADD, 0x6 anon_inode:[eventfd], 0x7efe2fd92a80 {events=EPOLLIN|EPOLLOUT data=0x10203040506070a}) = 0x0 (4.411µs) epoll_wait(0x3 anon_inode:[eventpoll], 0x7efe2fd92b50 {{events=EPOLLOUT data=0x102030405060708}{events=EPOLLOUT data=0x102030405060708}{events=EPOLLOUT data=0x102030405060708}}, 0x3, 0xffffffff) = 0x3 (29.891µs) PiperOrigin-RevId: 296258146
2020-02-18Merge pull request #1850 from kevinGC:jump2gVisor bot
PiperOrigin-RevId: 295785052
2020-02-14Remove linux.EpollEvent.Fd.gVisor bot
glibc defines struct epoll_event in such a way that epoll_event.data.fd exists. However, the kernel's definition of struct epoll_event makes epoll_event.data an opaque uint64, so naming half of it "fd" just introduces confusion. Remove the Fd field, and make Data a [2]int32 to compensate. Also add required padding to linux.EpollEvent on ARM64. PiperOrigin-RevId: 295250424
2020-02-14Enable automated marshalling for struct stat.gVisor bot
This requires fixing a few build issues for non-am64 platforms. PiperOrigin-RevId: 295196922
2020-02-14Fix various issues related to enabling go-marshal.gVisor bot
- Add missing build tags to files in the abi package. - Add the marshal package as a sentry dependency, allowed by deps_test. - Fix an issue with our top-level go_library BUILD rule, which incorrectly shadows the variable containing the input set of source files. This caused the expansion for the go_marshal clause to silently omit input files. - Fix formatting when copying build tags to gomarshal-generated files. - Fix a bug with import statement collision detection in go-marshal. PiperOrigin-RevId: 295112284
2020-02-13We can now create and jump in iptables. For example:Kevin Krakauer
$ iptables -N foochain $ iptables -A INPUT -j foochain
2020-02-13Internal change.gVisor bot
PiperOrigin-RevId: 294952610
2020-02-10Merge pull request #1775 from kevinGC:tcp-matchers-submitgVisor bot
PiperOrigin-RevId: 294340468
2020-02-07Address GH comments.Kevin Krakauer
2020-02-04Merge pull request #1683 from kevinGC:ipt-udp-matchersgVisor bot
PiperOrigin-RevId: 293243342
2020-01-31iptables: enable TCP matching with "-m tcp".Kevin Krakauer
A couple other things that changed: - There's a proper extension registration system for matchers. Anyone adding another matcher can use tcp_matcher.go or udp_matcher.go as a template. - All logging and use of syserr.Error in the netfilter package happens at the highest possible level (public functions). Lower-level functions just return normal, descriptive golang errors.
2020-01-29Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-29Add //pkg/sentry/devices/memdev.Jamie Liu
PiperOrigin-RevId: 292165063
2020-01-28Add VFS2 support for epoll.Jamie Liu
PiperOrigin-RevId: 291997879
2020-01-28netlink: add support for RTM_F_LOOKUP_TABLEJianfeng Tan
Test command: $ ip route get 1.1.1.1 Fixes: #1099 Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com> COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/1121 from tanjianfeng:fix-1099 e6919f3d4ede5aa51a48b3d2be0d7a4b482dd53d PiperOrigin-RevId: 291990716
2020-01-27Cleanup for GH review.Kevin Krakauer
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2020-01-24Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-22Error marshalling the matcher.Kevin Krakauer
The iptables binary is looking for libxt_.so when it should be looking for libxt_udp.so, so it's having an issue reading the data in xt_match_entry. I think it may be an alignment issue. Trying to fix this is leading to me fighting with the metadata struct, so I'm gonna go kill that.
2020-01-21Merge pull request #1505 from xiaobo55x:fcntl_flagsgVisor bot
PiperOrigin-RevId: 290840484
2020-01-21Implement sysfs.Rahat Mahmood
PiperOrigin-RevId: 290822487
2020-01-21Removed TCP work (saved in ipt-tcp-match).Kevin Krakauer
2020-01-21Add missing verbMichael Pratt
PiperOrigin-RevId: 290821997
2020-01-21Add UDP matchers.Kevin Krakauer
2020-01-15Add timestamps to VFS2 tmpfs, and implement some of SetStat.Nicolas Lacasse
PiperOrigin-RevId: 289962040
2020-01-08More GH comments.Kevin Krakauer
2020-01-08Addressed GH commentsKevin Krakauer
2020-01-08Comment cleanup.Kevin Krakauer
2020-01-08Write simple ACCEPT rules to the filter table.Kevin Krakauer
This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added.
2020-01-06Implement rseq(2)Michael Pratt
PiperOrigin-RevId: 288342928
2020-01-06Make some of the fcntl flags arch specific..Haibo Xu
Some of the flags in the file system related system call are architecture specific(O_NOFOLLOW/O_DIRECT..). Ref to the fcntl.h file in the Linux src codes. Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: I354d988073bfd0c9ff5371d4e0be9da2b8fd019f
2019-12-16Implement checks for get/setxattr at the syscall layer.Dean Deng
Add checks for input arguments, file type, permissions, etc. that match the Linux implementation. A call to get/setxattr that passes all the checks will still currently return EOPNOTSUPP. Actual support will be added in following commits. Only allow user.* extended attributes for the time being. PiperOrigin-RevId: 285835159
2019-12-12Implement kernfs.Rahat Mahmood
PiperOrigin-RevId: 285231002
2019-12-10Add most VFS methods for syscalls.Jamie Liu
PiperOrigin-RevId: 284892289
2019-12-05Implement F_GETOWN_EX and F_SETOWN_EX.Ian Gudger
Some versions of glibc will convert F_GETOWN fcntl(2) calls into F_GETOWN_EX in some cases. PiperOrigin-RevId: 284089373
2019-11-27Add support for receiving TOS and TCLASS control messages in hostinet.Dean Deng
This involves allowing getsockopt/setsockopt for the corresponding socket options, as well as allowing hostinet to process control messages received from the actual recvmsg syscall. PiperOrigin-RevId: 282851425
2019-10-24slight changes to pkg/abiBin Lu
In glibc, some structures are defined differently on different platforms. Such as: C.struct_stat Signed-off-by: Bin Lu <bin.lu@arm.com>
2019-10-23Merge pull request #641 from tanjianfeng:mastergVisor bot
PiperOrigin-RevId: 276380008
2019-10-21AF_PACKET support for netstack (aka epsocket).Kevin Krakauer
Like (AF_INET, SOCK_RAW) sockets, AF_PACKET sockets require CAP_NET_RAW. With runsc, you'll need to pass `--net-raw=true` to enable them. Binding isn't supported yet. PiperOrigin-RevId: 275909366
2019-10-16Reorder BUILD license and load functions in gvisor.Kevin Krakauer
PiperOrigin-RevId: 275139066
2019-10-15support /proc/net/routeJianfeng Tan
This proc file reports routing information to applications inside the container. Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com> Change-Id: I498e47f8c4c185419befbb42d849d0b099ec71f3
2019-10-04Change linux.FileMode from uint to uint16, and update VFS to use FileMode.Kevin Krakauer
In Linux (include/linux/types.h), mode_t is an unsigned short. PiperOrigin-RevId: 272956350
2019-09-18Signalfd supportAdin Scannell
Note that the exact semantics for these signalfds are slightly different from Linux. These signalfds are bound to the process at creation time. Reads, polls, etc. are all associated with signals directed at that task. In Linux, all signalfd operations are associated with current, regardless of where the signalfd originated. In practice, this should not be an issue given how signalfds are used. In order to fix this however, we will need to plumb the context through all the event APIs. This gets complicated really quickly, because the waiter APIs are all netstack-specific, and not generally exposed to the context. Probably not worthwhile fixing immediately. PiperOrigin-RevId: 269901749
2019-09-12Remove go_test from go_stateify and go_marshalMichael Pratt
They are no-ops, so the standard rule works fine. PiperOrigin-RevId: 268776264
2019-08-19Document RWF_HIPRI not implemented for preadv2/pwritev2.Zach Koopmans
Document limitation of no reasonable implementation for RWF_HIPRI flag (High Priority Read/Write for block-based file systems). PiperOrigin-RevId: 264237589
2019-08-15Document source and versioning of the TCPInfo struct.Rahat Mahmood
PiperOrigin-RevId: 263637194
2019-08-12Compute size of struct tcp_info instead of hardcoding it.Rahat Mahmood
PiperOrigin-RevId: 263040624
2019-08-09netlink: return an error in nlmsgerrAndrei Vagin
Now if a process sends an unsupported netlink requests, an error is returned from the send system call. The linux kernel works differently in this case. It returns errors in the nlmsgerr netlink message. Reported-by: syzbot+571d99510c6f935202da@syzkaller.appspotmail.com PiperOrigin-RevId: 262690453