summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/loader
AgeCommit message (Collapse)Author
2021-06-16[syserror] Refactor linuxerr and error package.Zach Koopmans
Move Error struct to pkg/errors package for use in multiple places. Move linuxerr static definitions under pkg/errors/linuxerr. Add a lookup list for quick lookup of *errors.Error by errno. This is useful when converting syserror errors and unix.Errno/syscall.Errrno values to *errors.Error. Update benchmarks routines to include conversions. The below benchmarks show *errors.Error usage to be comparable to using unix.Errno. BenchmarkAssignUnix BenchmarkAssignUnix-32 787875022 1.284 ns/op BenchmarkAssignLinuxerr BenchmarkAssignLinuxerr-32 1000000000 1.209 ns/op BenchmarkAssignSyserror BenchmarkAssignSyserror-32 759269229 1.429 ns/op BenchmarkCompareUnix BenchmarkCompareUnix-32 1000000000 1.310 ns/op BenchmarkCompareLinuxerr BenchmarkCompareLinuxerr-32 1000000000 1.241 ns/op BenchmarkCompareSyserror BenchmarkCompareSyserror-32 147196165 8.248 ns/op BenchmarkSwitchUnix BenchmarkSwitchUnix-32 373233556 3.664 ns/op BenchmarkSwitchLinuxerr BenchmarkSwitchLinuxerr-32 476323929 3.294 ns/op BenchmarkSwitchSyserror BenchmarkSwitchSyserror-32 39293408 29.62 ns/op BenchmarkReturnUnix BenchmarkReturnUnix-32 1000000000 0.5042 ns/op BenchmarkReturnLinuxerr BenchmarkReturnLinuxerr-32 1000000000 0.8152 ns/op BenchmarkConvertUnixLinuxerr BenchmarkConvertUnixLinuxerr-32 739948875 1.547 ns/op BenchmarkConvertUnixLinuxerrZero BenchmarkConvertUnixLinuxerrZero-32 977733974 1.489 ns/op PiperOrigin-RevId: 379806801
2021-06-11Fix //test/syscalls:exec_test_nativeZach Koopmans
Later kernels add empty arguments to argv, throwing off return values for the exec_basic_workload.cc binary. This is result of a bug introduced by ccbb18b67323b "exec/binfmt_script: Don't modify bprm->buf and then return - ENOEXEC". Before this change, an empty interpreter string was reported if the first non-space/non-tab character after "#!" was '\0' (end of file, previously- overwritten trailing space or tab, or previously-overwritten first newline). After this change, an empty interpreter string is reported if all characters after "#!" are spaces or tabs, or the first non-space non-tab character is at i_end, which is the position of the first newline after "#!". However, if there is no newline after "#!" (as in ExecTest.InterpreterScriptNoPath), then i_end = buf_end (= bprm->buf + sizeof(bprm->buf) - 1, the last possible byte in the buffer) and neither condition holds. Change white space for script inputs to take into account the above bug. Co-authored-by: Andrei Vagin <avagin@gmail.com> PiperOrigin-RevId: 378997171
2021-05-04Remove uses of the binary package from the rest of the sentry.Rahat Mahmood
PiperOrigin-RevId: 372020696
2021-03-29[syserror] Split usermem packageZach Koopmans
Split usermem package to help remove syserror dependency in go_marshal. New hostarch package contains code not dependent on syserror. PiperOrigin-RevId: 365651233
2021-02-08exec: don't panic if an elf file is malformedAndrei Vagin
Reported-by: syzbot+d54bc27a15aefe52c330@syzkaller.appspotmail.com PiperOrigin-RevId: 356406975
2021-01-11Fix Go branch for arm64.Adin Scannell
This requires several changes: * Templates must preserve relevant tags. * Pagetables templates are split into two targets, each preserving tags. * The binary VDSO is similarly split into two targets, with some juggling. * The top level tools/go_branch.sh now does a crossbuild of ARM64 as well, and checks and merges the results of the two branches together. Fixes #5178 PiperOrigin-RevId: 351304330
2020-10-19loader/elf: validate file offsetAndrei Vagin
Reported-by: syzbot+7406eef8247cb5a20855@syzkaller.appspotmail.com PiperOrigin-RevId: 337974474
2020-10-13Don't leak VDSO mappings.Dean Deng
PiperOrigin-RevId: 336822021
2020-09-29Replace remaining uses of reflection-based marshalling.Rahat Mahmood
- Rewrite arch.Stack.{Push,Pop}. For the most part, stack now implements marshal.CopyContext and can be used as the target of marshal operations. Stack.Push had some extra logic for automatically null-terminating slices. This was only used for two specific types of slices, and is now handled explicitly. - Delete usermem.CopyObject{In,Out}. - Replace most remaining uses of the encoding/binary package with go-marshal. Most of these were using the binary package to compute the size of a struct, which go-marshal can directly replace. ~3 uses of the binary package remain. These aren't reasonably replaceable by go-marshal: for example one use is to construct the syscall trampoline for systrap. - Fill out remaining convenience wrappers in the primitive package. PiperOrigin-RevId: 334502375
2020-08-20Consistent precondition formattingMichael Pratt
Our "Preconditions:" blocks are very useful to determine the input invariants, but they are bit inconsistent throughout the codebase, which makes them harder to read (particularly cases with 5+ conditions in a single paragraph). I've reformatted all of the cases to fit in simple rules: 1. Cases with a single condition are placed on a single line. 2. Cases with multiple conditions are placed in a bulleted list. This format has been added to the style guide. I've also mentioned "Postconditions:", though those are much less frequently used, and all uses already match this style. PiperOrigin-RevId: 327687465
2020-08-03Plumbing context.Context to DecRef() and Release().Nayana Bidari
context is passed to DecRef() and Release() which is needed for SO_LINGER implementation. PiperOrigin-RevId: 324672584
2020-07-08Add shared mount hints to VFS2Fabricio Voznika
Container restart test is disabled for VFS2 for now. Updates #1487 PiperOrigin-RevId: 320296401
2020-07-07[vfs2] Remove VFS1 usage in VDSO.Ayush Ranjan
Removed VDSO dependency on VFS1. Resolves #2921 PiperOrigin-RevId: 320122176
2020-06-10Redirect TODOs to more specific issuesFabricio Voznika
Closes #1623 PiperOrigin-RevId: 315681993
2020-04-21Merge pull request #1818 from lubinszARM:pr_signal_1gVisor bot
PiperOrigin-RevId: 307680200
2020-04-17Arm64: VDSO support for signalBin Lu
The vdso is enabled, so we can use the sigreturn trampolines the vdso provides in arch module. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-02-14Plumb VFS2 inside the SentrygVisor bot
- Added fsbridge package with interface that can be used to open and read from VFS1 and VFS2 files. - Converted ELF loader to use fsbridge - Added VFS2 types to FSContext - Added vfs.MountNamespace to ThreadGroup Updates #1623 PiperOrigin-RevId: 295183950
2020-01-27Update package locations.Adin Scannell
Because the abi will depend on the core types for marshalling (usermem, context, safemem, safecopy), these need to be flattened from the sentry directory. These packages contain no sentry-specific details. PiperOrigin-RevId: 291811289
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2019-12-06Document ELF PT_LOAD difference from LinuxMichael Pratt
PiperOrigin-RevId: 284191345
2019-11-13Fix some build errors on arm64.Haibo Xu
Initialize the VDSO "os" and "arch" fields explicitly, or the VDSO load process would failed on arm64 platform. Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: Ic6768df88e43cd7c7956eb630511672ae11ac52f
2019-10-29Update symlink traversal limit when resolving interpreter path.Dean Deng
When execveat is called on an interpreter script, the symlink count for resolving the script path should be separate from the count for resolving the the corresponding interpreter. An ELOOP error should not occur if we do not hit the symlink limit along any individual path, even if the total number of symlinks encountered exceeds the limit. Closes #574 PiperOrigin-RevId: 277358474
2019-10-29Refactor logic for loadExecutable.Dean Deng
Separate the handling of filenames and *fs.File objects in a more explicit way for the sake of clarity. PiperOrigin-RevId: 277344203
2019-10-29Disallow execveat on interpreter scripts with fd opened with O_CLOEXEC.Dean Deng
When an interpreter script is opened with O_CLOEXEC and the resulting fd is passed into execveat, an ENOENT error should occur (the script would otherwise be inaccessible to the interpreter). This matches the actual behavior of Linux's execveat. PiperOrigin-RevId: 277306680
2019-10-25Aggregate arguments for loading executables into a single struct.Dean Deng
This change simplifies the function signatures of functions related to loading executables, such as LoadTaskImage, Load, loadBinary. PiperOrigin-RevId: 276821187
2019-10-24Handle AT_SYMLINK_NOFOLLOW flag for execveat.Dean Deng
PiperOrigin-RevId: 276441249
2019-10-16Reorder BUILD license and load functions in gvisor.Kevin Krakauer
PiperOrigin-RevId: 275139066
2019-10-01Include AT_SECURE in the aux vectorMichael Pratt
gVisor does not currently implement the functionality that would result in AT_SECURE = 1, but Linux includes AT_SECURE = 0 in the normal case, so we should do the same. PiperOrigin-RevId: 272311488
2019-10-01Honor X bit on extra anon pages in PT_LOAD segmentsMichael Pratt
Linux changed this behavior in 16e72e9b30986ee15f17fbb68189ca842c32af58 (v4.11). Previously, extra pages were always mapped RW. Now, those pages will be executable if the segment specified PF_X. They still must be writeable. PiperOrigin-RevId: 272256280
2019-08-27Fix comment typoMichael Pratt
PiperOrigin-RevId: 265731735
2019-07-30Add feature to launch Sentry from an open host FD.Zach Koopmans
Adds feature to launch from an open host FD instead of a binary_path. The FD should point to a valid executable and most likely be statically compiled. If the executable is not statically compiled, the loader will search along the interpreter paths, which must be able to be resolved in the Sandbox's file system or start will fail. PiperOrigin-RevId: 260756825
2019-07-21Add ARM64 support to pkg/sentry/loaderBin Lu
Signed-off-by: Bin Lu <bin.lu@arm.com>
2019-07-02Remove map from fd_map, change to fd_table.Adin Scannell
This renames FDMap to FDTable and drops the kernel.FD type, which had an entire package to itself and didn't serve much use (it was freely cast between types, and served as more of an annoyance than providing any protection.) Based on BenchmarkFDLookupAndDecRef-12, we can expect 5-10 ns per lookup operation, and 10-15 ns per concurrent lookup operation of savings. This also fixes two tangential usage issues with the FDMap. Namely, non-atomic use of NewFDFrom and associated calls to Remove (that are both racy and fail to drop the reference on the underlying file.) PiperOrigin-RevId: 256285890
2019-06-13Plumb context through more layers of filesytem.Ian Gudger
All functions which allocate objects containing AtomicRefCounts will soon need a context. PiperOrigin-RevId: 253147709
2019-06-13Update canonical repository.Adin Scannell
This can be merged after: https://github.com/google/gvisor-website/pull/77 or https://github.com/google/gvisor-website/pull/78 PiperOrigin-RevId: 253132620
2019-05-21Fix inconsistencies in ELF anonymous mappingsMichael Pratt
* A segment with filesz == 0, memsz > 0 should be an anonymous only mapping. We were failing to load such an ELF. * Anonymous pages are always mapped RW, regardless of the segment protections. PiperOrigin-RevId: 249355239 Change-Id: I251e5c0ce8848cf8420c3aadf337b0d77b1ad991
2019-05-21Add basic plumbing for splice and stub implementation.Adin Scannell
This does not actually implement an efficient splice or sendfile. Rather, it adds a generic plumbing to the file internals so that this can be added. All file implementations use the stub fileutil.NoSplice implementation, which causes sendfile and splice to fall back to an internal copy. A basic splice system call interface is added, along with a test. PiperOrigin-RevId: 249335960 Change-Id: Ic5568be2af0a505c19e7aec66d5af2480ab0939b
2019-04-29Change copyright notice to "The gVisor Authors"Michael Pratt
Based on the guidelines at https://opensource.google.com/docs/releasing/authors/. 1. $ rg -l "Google LLC" | xargs sed -i 's/Google LLC.*/The gVisor Authors./' 2. Manual fixup of "Google Inc" references. 3. Add AUTHORS file. Authors may request to be added to this file. 4. Point netstack AUTHORS to gVisor AUTHORS. Drop CONTRIBUTORS. Fixes #209 PiperOrigin-RevId: 245823212 Change-Id: I64530b24ad021a7d683137459cafc510f5ee1de9
2019-04-29Allow and document bug ids in gVisor codebase.Nicolas Lacasse
PiperOrigin-RevId: 245818639 Change-Id: I03703ef0fb9b6675955637b9fe2776204c545789
2019-04-11Use open fids when fstat()ing gofer files.Jamie Liu
PiperOrigin-RevId: 243018347 Change-Id: I1e5b80607c1df0747482abea61db7fcf24536d37
2019-04-10Internal changeMichael Pratt
PiperOrigin-RevId: 242978508 Change-Id: I0ea59ac5ba1dd499e87c53f2e24709371048679b
2019-03-14Decouple filemem from platform and move it to pgalloc.MemoryFile.Jamie Liu
This is in preparation for improved page cache reclaim, which requires greater integration between the page cache and page allocator. PiperOrigin-RevId: 238444706 Change-Id: Id24141b3678d96c7d7dc24baddd9be555bffafe4
2019-01-31Remove license commentsMichael Pratt
Nothing reads them and they can simply get stale. Generated with: $ sed -i "s/licenses(\(.*\)).*/licenses(\1)/" **/BUILD PiperOrigin-RevId: 231818945 Change-Id: Ibc3f9838546b7e94f13f217060d31f4ada9d4bf0
2019-01-14Remove fs.Handle, ramfs.Entry, and all the DeprecatedFileOperations.Nicolas Lacasse
More helper structs have been added to the fsutil package to make it easier to implement fs.InodeOperations and fs.FileOperations. PiperOrigin-RevId: 229305982 Change-Id: Ib6f8d3862f4216745116857913dbfa351530223b
2019-01-08Improve loader related error messages returned to users.Brian Geffon
PiperOrigin-RevId: 228382827 Change-Id: Ica1d30e0df826bdd77f180a5092b2b735ea5c804
2018-12-11Remove unused envv variable from two funcs.Christopher Koch
PiperOrigin-RevId: 225041520 Change-Id: Ib1afc693e592d308d60db82022c5b7743fd3c646
2018-12-04Max link traversals should be for an entire path.Brian Geffon
The number of symbolic links that are allowed to be followed are for a full path and not just a chain of symbolic links. PiperOrigin-RevId: 224047321 Change-Id: I5e3c4caf66a93c17eeddcc7f046d1e8bb9434a40
2018-10-23Track paths and provide a rename hook.Adin Scannell
This change also adds extensive testing to the p9 package via mocks. The sanity checks and type checks are moved from the gofer into the core package, where they can be more easily validated. PiperOrigin-RevId: 218296768 Change-Id: I4fc3c326e7bf1e0e140a454cbacbcc6fd617ab55
2018-10-19Use correct company name in copyright headerIan Gudger
PiperOrigin-RevId: 217951017 Change-Id: Ie08bf6987f98467d07457bcf35b5f1ff6e43c035
2018-10-08Statfs Namelen should be NAME_MAX not PATH_MAXMichael Pratt
We accidentally set the wrong maximum. I've also added PATH_MAX and NAME_MAX to the linux abi package. PiperOrigin-RevId: 216221311 Change-Id: I44805fcf21508831809692184a0eba4cee469633