path: root/pkg/sentry/kernel
Age | Commit message | Author
2019-08-06 | Merge dfbc0b0a (automated) | gVisor bot
2019-08-06 | Merge 704f9610 (automated) | gVisor bot
2019-08-05 | Merge 23e74043 (automated) | gVisor bot
2019-08-02 | Merge 960a5e55 (automated) | gVisor bot
2019-08-02 | Merge b6a5b950 (automated) | gVisor bot
2019-08-02 | Job control: controlling TTYs and foreground process groups. | Kevin Krakauer
    (Don't worry, this is mostly tests.)
    Implemented the following ioctls:
    - TIOCSCTTY - set controlling TTY
    - TIOCNOTTY - remove controlling TTY, maybe signal some other processes
    - TIOCGPGRP - get foreground process group. Also enables tcgetpgrp().
    - TIOCSPGRP - set foreground process group. Also enables tcsetpgrp().
    Next steps are to actually turn terminal-generated control characters (e.g. C^c) into signals to the proper process groups, and to send SIGTTOU and SIGTTIN when appropriate.
    PiperOrigin-RevId: 261387276
2019-08-02 | Merge b461be88 (automated) | gVisor bot
2019-08-02 | Merge 2906dffc (automated) | gVisor bot
2019-08-02 | Merge aaaefdf9 (automated) | gVisor bot
2019-08-02 | Remove kernel.mounts. | Nicolas Lacasse
    We can get the mount namespace from the CreateProcessArgs in all cases where we need it. This also gets rid of the kernel.Destroy method, since the only thing it was doing was DecRefing the mounts. Removing the need to call kernel.SetRootMountNamespace also allowed for some more simplifications in the container fs setup code.
    PiperOrigin-RevId: 261357060
2019-08-02 | Merge 3eff0531 (automated) | gVisor bot
2019-08-01 | Merge bad43772 (automated) | gVisor bot
2019-08-01 | Merge f2b25aea (automated) | gVisor bot
2019-08-01 | Merge 0a246fab (automated) | gVisor bot
2019-07-31 | Merge cf2b2d97 (automated) | gVisor bot
2019-07-31 | Initialize kernel.unimplementedSyscallEmitter with a sync.Once. | Nicolas Lacasse
    This is initialized lazily on the first unimplemented syscall. Without the sync.Once, this is racy.
    PiperOrigin-RevId: 260971758
2019-07-30 | Merge 7369c63e (automated) | gVisor bot
2019-07-30 | Merge 93b0917d (automated) | gVisor bot
2019-07-30 | Merge e511c0e0 (automated) | gVisor bot
2019-07-30 | Add feature to launch Sentry from an open host FD. | Zach Koopmans
    Adds a feature to launch from an open host FD instead of a binary_path. The FD should point to a valid executable and most likely be statically compiled. If the executable is not statically compiled, the loader will search along the interpreter paths, which must be able to be resolved in the Sandbox's file system or start will fail.
    PiperOrigin-RevId: 260756825
2019-07-30 | Merge 1decf764 (automated) | gVisor bot
2019-07-30 | Merge 8da9f8a1 (automated) | gVisor bot
2019-07-30 | Merge ddf25e33 (automated) | gVisor bot
2019-07-30 | Merge b765eb45 (automated) | gVisor bot
2019-07-30 | Merge 5fdb945a (automated) | gVisor bot
2019-07-29 | Rate limit the unimplemented syscall event handler. | Nicolas Lacasse
    This introduces two new types of Emitters:
    1. MultiEmitter, which will forward events to other registered Emitters, and
    2. RateLimitedEmitter, which will forward events to a wrapped Emitter, subject to given rate limits.
    The methods in the eventchannel package itself act like a MultiEmitter, but it is not actually an Emitter. Now we have a DefaultEmitter, and the methods in eventchannel simply forward calls to the DefaultEmitter. The unimplemented syscall handler now uses a RateLimitedEmitter that wraps the DefaultEmitter.
    PiperOrigin-RevId: 260612770
2019-07-29 | Merge f0507e1d (automated) | gVisor bot
2019-07-29 | Merge 8e8b6096 (automated) | gVisor bot
2019-07-29 | Merge 09be87bb (automated) | gVisor bot
2019-07-27 | Merge 4183b902 (automated) | gVisor bot
2019-07-26 | Merge 27626926 (automated) | gVisor bot
2019-07-26 | Merge b5012237 (automated) | gVisor bot
2019-07-26 | Merge pull request #452 from zhangningdlut:chris_test_pidns | gVisor bot
    PiperOrigin-RevId: 260220279
2019-07-25 | Merge 7052d21d (automated) | gVisor bot
2019-07-25 | Merge 83767574 (automated) | gVisor bot
2019-07-25 | Merge 417096f7 (automated) | gVisor bot
2019-07-24 | Merge 2ed832ff (automated) | gVisor bot
2019-07-24 | Use different pidns among different containers | chris.zn
    The different containers in a sandbox used only one pid namespace before. This results in a container being able to see the processes in another container in the same sandbox. This patch uses different pid namespaces for different containers.
    Signed-off-by: chris.zn <chris.zn@antfin.com>
2019-07-24 | Merge 7e38d643 (automated) | gVisor bot
2019-07-24 | Merge d7bb79b6 (automated) | gVisor bot
2019-07-23 | Merge bd770895 (automated) | gVisor bot
2019-07-23 | Merge 04cbb13c (automated) | gVisor bot
2019-07-23 | Merge 57745994 (automated) | gVisor bot
2019-07-23 | Merge 12c25656 (automated) | gVisor bot
2019-07-22 | Merge d706922d (automated) | gVisor bot
2019-07-22 | Merge a0a86bbb (automated) | gVisor bot
2019-07-22 | Merge fdac770f (automated) | gVisor bot
2019-07-19 | Merge 32e6be00 (automated) | gVisor bot
2019-07-19 | Merge f544509c (automated) | gVisor bot
2019-07-19 | Merge 0e040ba6 (automated) | gVisor bot