Age | Commit message | Author |
|
Because the abi will depend on the core types for marshalling (usermem,
context, safemem, safecopy), these need to be flattened from the sentry
directory. These packages contain no sentry-specific details.
PiperOrigin-RevId: 291811289
|
PiperOrigin-RevId: 291745021
|
PiperOrigin-RevId: 290840484
|
PiperOrigin-RevId: 290822487
|
PiperOrigin-RevId: 290821997
|
PiperOrigin-RevId: 289962040
|
This gets us closer to passing the iptables tests and opens up iptables
so it can be worked on by multiple people.
A few restrictions are enforced for security (i.e. we don't want to let
users write a bunch of iptables rules and then just not enforce them):
- Only the filter table is writable.
- Only ACCEPT rules with no matching criteria can be added.
|
PiperOrigin-RevId: 288342928
|
Some of the flags in the file system related system calls
are architecture specific (O_NOFOLLOW/O_DIRECT..). Refer to
the fcntl.h file in the Linux source code.
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Change-Id: I354d988073bfd0c9ff5371d4e0be9da2b8fd019f
|
Add checks for input arguments, file type, permissions, etc. that match
the Linux implementation. A call to get/setxattr that passes all the
checks will still currently return EOPNOTSUPP. Actual support will be
added in following commits.
Only allow user.* extended attributes for the time being.
PiperOrigin-RevId: 285835159
|
PiperOrigin-RevId: 285231002
|
PiperOrigin-RevId: 284892289
|
Some versions of glibc will convert F_GETOWN fcntl(2) calls into F_GETOWN_EX in
some cases.
PiperOrigin-RevId: 284089373
|
This involves allowing getsockopt/setsockopt for the corresponding socket
options, as well as allowing hostinet to process control messages received from
the actual recvmsg syscall.
PiperOrigin-RevId: 282851425
|
In glibc, some structures are defined differently on different
platforms, such as C.struct_stat.
Signed-off-by: Bin Lu <bin.lu@arm.com>
|
PiperOrigin-RevId: 276380008
|
Like (AF_INET, SOCK_RAW) sockets, AF_PACKET sockets require CAP_NET_RAW. With
runsc, you'll need to pass `--net-raw=true` to enable them.
Binding isn't supported yet.
PiperOrigin-RevId: 275909366
|
PiperOrigin-RevId: 275139066
|
This proc file reports routing information to applications inside the
container.
Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>
Change-Id: I498e47f8c4c185419befbb42d849d0b099ec71f3
|
In Linux (include/linux/types.h), mode_t is an unsigned short.
PiperOrigin-RevId: 272956350
|
Note that the exact semantics for these signalfds are slightly different from
Linux. These signalfds are bound to the process at creation time. Reads, polls,
etc. are all associated with signals directed at that task. In Linux, all
signalfd operations are associated with current, regardless of where the
signalfd originated.
In practice, this should not be an issue given how signalfds are used. In order
to fix this, however, we will need to plumb the context through all the event
APIs. This gets complicated really quickly, because the waiter APIs are all
netstack-specific, and not generally exposed to the context. Probably not
worthwhile fixing immediately.
PiperOrigin-RevId: 269901749
|
They are no-ops, so the standard rule works fine.
PiperOrigin-RevId: 268776264
|
Document limitation of no reasonable implementation for RWF_HIPRI
flag (High Priority Read/Write for block-based file systems).
PiperOrigin-RevId: 264237589
|
PiperOrigin-RevId: 263637194
|
PiperOrigin-RevId: 263040624
|
Now if a process sends an unsupported netlink request,
an error is returned from the send system call.
The Linux kernel works differently in this case. It returns errors in the
nlmsgerr netlink message.
Reported-by: syzbot+571d99510c6f935202da@syzkaller.appspotmail.com
PiperOrigin-RevId: 262690453
|