summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/fsimpl
AgeCommit message (Collapse)Author
2021-03-23Merge release-20210315.0-16-g92374e519 (automated)gVisor bot
2021-03-23setgid directory support in goferfsKevin Krakauer
Also adds support for clearing the setuid bit when appropriate (writing, truncating, changing size, changing UID, or changing GID). VFS2 only. PiperOrigin-RevId: 364661835
2021-03-23Merge release-20210315.0-15-gacb4c6288 (automated)gVisor bot
2021-03-16Merge release-20210309.0-34-g607a1e481 (automated)gVisor bot
2021-03-16setgid directory support in overlayfsKevin Krakauer
PiperOrigin-RevId: 363276495
2021-03-15Merge release-20210309.0-26-gec45d9692 (automated)gVisor bot
2021-03-15[op] Make gofer client handle return partial write length when err is nil.Ayush Ranjan
If there was a partial write (when not using the host FD) which did not generate an error, we were incorrectly returning the number of bytes attempted to write instead of the number of bytes actually written. PiperOrigin-RevId: 363058989
2021-03-12Merge release-20210301.0-43-g192318a23 (automated)gVisor bot
2021-03-11fusefs: Implement default_permissions and allow_other mount options.Rahat Mahmood
By default, fusefs defers node permission checks to the server. The default_permissions mount option enables the usual unix permission checks based on the node owner and mode bits. Previously fusefs was incorrectly checking permissions unconditionally. Additionally, fusefs should restrict filesystem access to processes started by the mount owner to prevent the fuse daemon from gaining priviledge over other processes. The allow_other mount option overrides this behaviour. Previously fusefs was incorrectly skipping this check. Updates #3229 PiperOrigin-RevId: 362419092
2021-03-12Merge release-20210301.0-37-gc5667022b (automated)gVisor bot
2021-03-11Clear Merkle tree files in RuntimeEnable modeChong Cai
The Merkle tree files need to be cleared before enabling to avoid redundant content. PiperOrigin-RevId: 362409591
2021-03-11Report filesystem-specific mount options.Rahat Mahmood
PiperOrigin-RevId: 362406813
2021-03-09Merge release-20210301.0-29-gabbdcebc5 (automated)gVisor bot
2021-03-08Implement /proc/sys/net/ipv4/ip_local_port_rangeKevin Krakauer
Speeds up the socket stress tests by a couple orders of magnitude. PiperOrigin-RevId: 361721050
2021-03-05Implement IterDirent in verity fsChong Cai
PiperOrigin-RevId: 361196154
2021-03-03Merge release-20210301.0-8-g3e69f5d08 (automated)gVisor bot
2021-03-03Add checklocks analyzer.Bhasker Hariharan
This validates that struct fields if annotated with "// checklocks:mu" where "mu" is a mutex field in the same struct then access to the field is only done with "mu" locked. All types that are guarded by a mutex must be annotated with // +checklocks:<mutex field name> For more details please refer to README.md. PiperOrigin-RevId: 360729328
2021-03-03Merge release-20210301.0-5-ga9441aea2 (automated)gVisor bot
2021-03-03[op] Replace syscall package usage with golang.org/x/sys/unix in pkg/.Ayush Ranjan
The syscall package has been deprecated in favor of golang.org/x/sys. Note that syscall is still used in the following places: - pkg/sentry/socket/hostinet/stack.go: some netlink related functionalities are not yet available in golang.org/x/sys. - syscall.Stat_t is still used in some places because os.FileInfo.Sys() still returns it and not unix.Stat_t. Updates #214 PiperOrigin-RevId: 360701387
2021-02-24Merge release-20210208.0-92-gf5692f7dc (automated)gVisor bot
2021-02-24Kernfs should not try to rename a file to itself.Nicolas Lacasse
One precondition of VFS.PrepareRenameAt is that the `from` and `to` dentries are not the same. Kernfs was not checking this, which could lead to a deadlock. PiperOrigin-RevId: 359385974
2021-02-24Merge release-20210208.0-91-g303c913c5 (automated)gVisor bot
2021-02-24Use mapped device number + topmost inode number for all files in VFS2 overlay.Jamie Liu
Before this CL, VFS2's overlayfs uses a single private device number and an autoincrementing generated inode number for directories; this is consistent with Linux's overlayfs in the non-samefs non-xino case. However, this breaks some applications more consistently than on Linux due to more aggressive caching of Linux overlayfs dentries. Switch from using mapped device numbers + the topmost layer's inode number for just non-copied-up non-directory files, to doing so for all files. This still allows directory dev/ino numbers to change across copy-up, but otherwise keeps them consistent. Fixes #5545: ``` $ docker run --runtime=runsc-vfs2-overlay --rm ubuntu:focal bash -c "mkdir -p 1/2/3/4/5/6/7/8 && rm -rf 1 && echo done" done ``` PiperOrigin-RevId: 359350716
2021-02-24Merge release-20210208.0-85-gacd516cfe (automated)gVisor bot
2021-02-24Add YAMA security module restrictions on ptrace(2).Dean Deng
Restrict ptrace(2) according to the default configurations of the YAMA security module (mode 1), which is a common default among various Linux distributions. The new access checks only permit the tracer to proceed if one of the following conditions is met: a) The tracer is already attached to the tracee. b) The target is a descendant of the tracer. c) The target has explicitly given permission to the tracer through the PR_SET_PTRACER prctl. d) The tracer has CAP_SYS_PTRACE. See security/yama/yama_lsm.c for more details. Note that these checks are added to CanTrace, which is checked for PTRACE_ATTACH as well as some other operations, e.g., checking a process' memory layout through /proc/[pid]/mem. Since this patch adds restrictions to ptrace, it may break compatibility for applications run by non-root users that, for instance, rely on being able to trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER prctl. Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com PiperOrigin-RevId: 359237723
2021-02-12Merge release-20210201.0-92-g34614c398 (automated)gVisor bot
2021-02-11Unconditionally check for directory-ness in overlay.filesystem.UnlinkAt().Jamie Liu
PiperOrigin-RevId: 357106080
2021-02-11Internal change.gVisor bot
PiperOrigin-RevId: 357090170
2021-02-11Merge release-20210201.0-86-gae8d966f5 (automated)gVisor bot
2021-02-11Assign controlling terminal when tty is opened and support NOCTTYKevin Krakauer
PiperOrigin-RevId: 357015186
2021-02-11Merge release-20210201.0-84-g81ea0016e (automated)gVisor bot
2021-02-10Support setgid directories in tmpfs and kernfsKevin Krakauer
PiperOrigin-RevId: 356868412
2021-02-10Merge release-20210201.0-72-g298c129cc (automated)gVisor bot
2021-02-09Add support for setting SO_SNDBUF for unix domain sockets.Bhasker Hariharan
The limits for snd/rcv buffers for unix domain socket is controlled by the following sysctls on linux - net.core.rmem_default - net.core.rmem_max - net.core.wmem_default - net.core.wmem_max Today in gVisor we do not expose these sysctls but we do support setting the equivalent in netstack via stack.Options() method. But AF_UNIX sockets in gVisor can be used without netstack, with hostinet or even without any networking stack at all. Which means ideally these sysctls need to live as globals in gVisor. But rather than make this a big change for now we hardcode the limits in the AF_UNIX implementation itself (which in itself is better than where we were before) where it SO_SNDBUF was hardcoded to 16KiB. Further we bump the initial limit to a default value of 208 KiB to match linux from the paltry 16 KiB we use today. Updates #5132 PiperOrigin-RevId: 356665498
2021-02-09Merge release-20210201.0-63-gd6dbe6e5c (automated)gVisor bot
2021-02-09pipe: writeLocked has to return ErrWouldBlock if the pipe is fullAndrei Vagin
PiperOrigin-RevId: 356450303
2021-02-06Merge release-20210125.0-88-g09afd6832 (automated)gVisor bot
2021-02-05[vfs] Handle `.` and `..` as last path component names in kernfs Rename.Ayush Ranjan
According to vfs.FilesystemImpl.RenameAt documentation: - If the last path component in rp is "." or "..", and opts.Flags contains RENAME_NOREPLACE, RenameAt returns EEXIST. - If the last path component in rp is "." or "..", and opts.Flags does not contain RENAME_NOREPLACE, RenameAt returns EBUSY. Reported-by: syzbot+6189786e64fe13fe43f8@syzkaller.appspotmail.com PiperOrigin-RevId: 355959266
2021-02-04Merge release-20210125.0-83-gaed9d8ce9 (automated)gVisor bot
2021-02-04Call kernfs.syntheticDir.InitRefs() on creation.Nicolas Lacasse
PiperOrigin-RevId: 355675900
2021-02-04Merge release-20210125.0-79-gf2c881f68 (automated)gVisor bot
2021-02-03[vfs] Make sticky bit check consistent with Linux.Ayush Ranjan
Our implementation of vfs.CheckDeleteSticky was not consistent with Linux, specifically not consistent with fs/linux.h:check_sticky(). One of the biggest differences was that the vfs implementation did not allow the owner of the sticky directory to delete files inside it that belonged to other users. This change makes our implementation consistent with Linux. Also adds an integration test to check for this. This bug is also present in VFS1. Updates #3027 PiperOrigin-RevId: 355557425
2021-01-29Merge release-20210125.0-30-g0fa534f11 (automated)gVisor bot
2021-01-29Fix deadlock in specialFileFD.pwriteFabricio Voznika
When file is regular and metadata cache is authoritative, metadata lock is taken. The code deadlocks trying to acquire the metadata lock again to update time stampts. PiperOrigin-RevId: 354584594
2021-01-29Merge release-20210125.0-21-g8d1afb418 (automated)gVisor bot
2021-01-28Change tcpip.Error to an interfaceTamir Duberstein
This makes it possible to add data to types that implement tcpip.Error. ErrBadLinkEndpoint is removed as it is unused. PiperOrigin-RevId: 354437314
2021-01-29Merge release-20210125.0-17-g62a37034f (automated)gVisor bot
2021-01-28[vfs] Fix rename implementation in OrderedChildren.Ayush Ranjan
Fixes #3027 as there is just 1 writable user using OrderedChildren's rename, unlink and rmdir (kernfs.syntheticDirectory) but it doesn't support the sticky bit yet. Fuse which is the other writable user implements its own Inode operations. PiperOrigin-RevId: 354386522
2021-01-26Merge release-20210112.0-94-g96bd076e8 (automated)gVisor bot
2021-01-26Initialize timestamps for gofer synthetic children.Dean Deng
Contrary to the comment on the socket test, the failure was due to an issue with goferfs rather than kernfs. PiperOrigin-RevId: 353918021