summaryrefslogtreecommitdiffhomepage
path: root/pkg/abi
AgeCommit message (Collapse)Author
2020-04-22Specify a memory file in platform.New().Andrei Vagin
PiperOrigin-RevId: 307941984
2020-03-26Support owner matching for iptables.Nayana Bidari
This feature will match UID and GID of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.
2020-03-26Combine file mode and isDir argumentsFabricio Voznika
Updates #1035 PiperOrigin-RevId: 303021328
2020-03-16Merge pull request #1943 from kevinGC:ipt-filter-ipgVisor bot
PiperOrigin-RevId: 301197007
2020-03-14Plumb VFS2 imported fds into virtual filesystem.Dean Deng
- When setting up the virtual filesystem, mount a host.filesystem to contain all files that need to be imported. - Make read/preadv syscalls to the host in cases where preadv2 may not be supported yet (likewise for writing). - Make save/restore functions in kernel/kernel.go return early if vfs2 is enabled. PiperOrigin-RevId: 300922353
2020-03-11Merge pull request #1975 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 300362789
2020-03-09Enable thread local storage support on arm64.Haibo Xu
Linux use the task.thread.uw.tp_value field to store the TLS pointer on arm64 platform, and we use a similar way in gvisor to store it in the arch/State struct. Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: Ie76b5c6d109bc27ccfd594008a96753806db7764
2020-02-26iptables: filter by IP address (and range)Kevin Krakauer
Enables commands such as: $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT Also adds a bunch of REDIRECT+destination tests.
2020-02-25Merge branch 'master' into iptablesnybidari
2020-02-25Add nat table support for iptables.Nayana Bidari
- commit the changes for the comments.
2020-02-25Port most syscalls to VFS2.Jamie Liu
pipe and pipe2 aren't ported, pending a slight rework of pipe FDs for VFS2. mount and umount2 aren't ported out of temporary laziness. access and faccessat need additional FSImpl methods to implement properly, but are stubbed to prevent googletest from CHECK-failing. Other syscalls require additional plumbing. Updates #1623 PiperOrigin-RevId: 297188448
2020-02-21Implement tap/tun device in vfs.Ting-Yu Wang
PiperOrigin-RevId: 296526279
2020-02-20Better strace logging for epoll syscalls.gVisor bot
Example: epoll_ctl(0x3 anon_inode:[eventpoll], EPOLL_CTL_ADD, 0x6 anon_inode:[eventfd], 0x7efe2fd92a80 {events=EPOLLIN|EPOLLOUT data=0x10203040506070a}) = 0x0 (4.411µs) epoll_wait(0x3 anon_inode:[eventpoll], 0x7efe2fd92b50 {{events=EPOLLOUT data=0x102030405060708}{events=EPOLLOUT data=0x102030405060708}{events=EPOLLOUT data=0x102030405060708}}, 0x3, 0xffffffff) = 0x3 (29.891µs) PiperOrigin-RevId: 296258146
2020-02-18Merge pull request #1850 from kevinGC:jump2gVisor bot
PiperOrigin-RevId: 295785052
2020-02-18Add nat table support for iptables.Nayana Bidari
Add nat table support for Prerouting hook with Redirect option. Add tests to check redirect of ports.
2020-02-14Remove linux.EpollEvent.Fd.gVisor bot
glibc defines struct epoll_event in such a way that epoll_event.data.fd exists. However, the kernel's definition of struct epoll_event makes epoll_event.data an opaque uint64, so naming half of it "fd" just introduces confusion. Remove the Fd field, and make Data a [2]int32 to compensate. Also add required padding to linux.EpollEvent on ARM64. PiperOrigin-RevId: 295250424
2020-02-14Enable automated marshalling for struct stat.gVisor bot
This requires fixing a few build issues for non-am64 platforms. PiperOrigin-RevId: 295196922
2020-02-14Fix various issues related to enabling go-marshal.gVisor bot
- Add missing build tags to files in the abi package. - Add the marshal package as a sentry dependency, allowed by deps_test. - Fix an issue with our top-level go_library BUILD rule, which incorrectly shadows the variable containing the input set of source files. This caused the expansion for the go_marshal clause to silently omit input files. - Fix formatting when copying build tags to gomarshal-generated files. - Fix a bug with import statement collision detection in go-marshal. PiperOrigin-RevId: 295112284
2020-02-13We can now create and jump in iptables. For example:Kevin Krakauer
$ iptables -N foochain $ iptables -A INPUT -j foochain
2020-02-13Internal change.gVisor bot
PiperOrigin-RevId: 294952610
2020-02-10Merge pull request #1775 from kevinGC:tcp-matchers-submitgVisor bot
PiperOrigin-RevId: 294340468
2020-02-07Address GH comments.Kevin Krakauer
2020-02-04Merge pull request #1683 from kevinGC:ipt-udp-matchersgVisor bot
PiperOrigin-RevId: 293243342
2020-01-31iptables: enable TCP matching with "-m tcp".Kevin Krakauer
A couple other things that changed: - There's a proper extension registration system for matchers. Anyone adding another matcher can use tcp_matcher.go or udp_matcher.go as a template. - All logging and use of syserr.Error in the netfilter package happens at the highest possible level (public functions). Lower-level functions just return normal, descriptive golang errors.
2020-01-29Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-29Add //pkg/sentry/devices/memdev.Jamie Liu
PiperOrigin-RevId: 292165063
2020-01-28Add VFS2 support for epoll.Jamie Liu
PiperOrigin-RevId: 291997879
2020-01-28netlink: add support for RTM_F_LOOKUP_TABLEJianfeng Tan
Test command: $ ip route get 1.1.1.1 Fixes: #1099 Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com> COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/1121 from tanjianfeng:fix-1099 e6919f3d4ede5aa51a48b3d2be0d7a4b482dd53d PiperOrigin-RevId: 291990716
2020-01-27Update package locations.Adin Scannell
Because the abi will depend on the core types for marshalling (usermem, context, safemem, safecopy), these need to be flattened from the sentry directory. These packages contain no sentry-specific details. PiperOrigin-RevId: 291811289
2020-01-27Cleanup for GH review.Kevin Krakauer
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2020-01-24Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-22Error marshalling the matcher.Kevin Krakauer
The iptables binary is looking for libxt_.so when it should be looking for libxt_udp.so, so it's having an issue reading the data in xt_match_entry. I think it may be an alignment issue. Trying to fix this is leading to me fighting with the metadata struct, so I'm gonna go kill that.
2020-01-21Merge pull request #1505 from xiaobo55x:fcntl_flagsgVisor bot
PiperOrigin-RevId: 290840484
2020-01-21Implement sysfs.Rahat Mahmood
PiperOrigin-RevId: 290822487
2020-01-21Removed TCP work (saved in ipt-tcp-match).Kevin Krakauer
2020-01-21Add missing verbMichael Pratt
PiperOrigin-RevId: 290821997
2020-01-21Add UDP matchers.Kevin Krakauer
2020-01-15Add timestamps to VFS2 tmpfs, and implement some of SetStat.Nicolas Lacasse
PiperOrigin-RevId: 289962040
2020-01-08More GH comments.Kevin Krakauer
2020-01-08Addressed GH commentsKevin Krakauer
2020-01-08Comment cleanup.Kevin Krakauer
2020-01-08Write simple ACCEPT rules to the filter table.Kevin Krakauer
This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added.
2020-01-06Implement rseq(2)Michael Pratt
PiperOrigin-RevId: 288342928
2020-01-06Make some of the fcntl flags arch specific..Haibo Xu
Some of the flags in the file system related system call are architecture specific(O_NOFOLLOW/O_DIRECT..). Ref to the fcntl.h file in the Linux src codes. Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: I354d988073bfd0c9ff5371d4e0be9da2b8fd019f
2019-12-16Implement checks for get/setxattr at the syscall layer.Dean Deng
Add checks for input arguments, file type, permissions, etc. that match the Linux implementation. A call to get/setxattr that passes all the checks will still currently return EOPNOTSUPP. Actual support will be added in following commits. Only allow user.* extended attributes for the time being. PiperOrigin-RevId: 285835159
2019-12-12Implement kernfs.Rahat Mahmood
PiperOrigin-RevId: 285231002
2019-12-10Add most VFS methods for syscalls.Jamie Liu
PiperOrigin-RevId: 284892289
2019-12-05Implement F_GETOWN_EX and F_SETOWN_EX.Ian Gudger
Some versions of glibc will convert F_GETOWN fcntl(2) calls into F_GETOWN_EX in some cases. PiperOrigin-RevId: 284089373
2019-11-27Add support for receiving TOS and TCLASS control messages in hostinet.Dean Deng
This involves allowing getsockopt/setsockopt for the corresponding socket options, as well as allowing hostinet to process control messages received from the actual recvmsg syscall. PiperOrigin-RevId: 282851425