summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2021-03-03Add checklocks analyzer.Bhasker Hariharan
This validates that struct fields if annotated with "// checklocks:mu" where "mu" is a mutex field in the same struct then access to the field is only done with "mu" locked. All types that are guarded by a mutex must be annotated with // +checklocks:<mutex field name> For more details please refer to README.md. PiperOrigin-RevId: 360729328
2021-03-03Export stats that were forgottenArthur Sfez
While I'm here, simplify the comments and unify naming of certain stats across protocols. PiperOrigin-RevId: 360728849
2021-03-03[op] Replace syscall package usage with golang.org/x/sys/unix in pkg/.Ayush Ranjan
The syscall package has been deprecated in favor of golang.org/x/sys. Note that syscall is still used in the following places: - pkg/sentry/socket/hostinet/stack.go: some netlink related functionalities are not yet available in golang.org/x/sys. - syscall.Stat_t is still used in some places because os.FileInfo.Sys() still returns it and not unix.Stat_t. Updates #214 PiperOrigin-RevId: 360701387
2021-02-25Implement SEM_STAT_ANY cmd of semctl.Jing Chen
PiperOrigin-RevId: 359591577
2021-02-24Kernfs should not try to rename a file to itself.Nicolas Lacasse
One precondition of VFS.PrepareRenameAt is that the `from` and `to` dentries are not the same. Kernfs was not checking this, which could lead to a deadlock. PiperOrigin-RevId: 359385974
2021-02-24Use mapped device number + topmost inode number for all files in VFS2 overlay.Jamie Liu
Before this CL, VFS2's overlayfs uses a single private device number and an autoincrementing generated inode number for directories; this is consistent with Linux's overlayfs in the non-samefs non-xino case. However, this breaks some applications more consistently than on Linux due to more aggressive caching of Linux overlayfs dentries. Switch from using mapped device numbers + the topmost layer's inode number for just non-copied-up non-directory files, to doing so for all files. This still allows directory dev/ino numbers to change across copy-up, but otherwise keeps them consistent. Fixes #5545: ``` $ docker run --runtime=runsc-vfs2-overlay --rm ubuntu:focal bash -c "mkdir -p 1/2/3/4/5/6/7/8 && rm -rf 1 && echo done" done ``` PiperOrigin-RevId: 359350716
2021-02-24Merge pull request #5519 from dqminh:runsc-ps-pidsgVisor bot
PiperOrigin-RevId: 359334029
2021-02-24return root pids with runsc psDaniel Dao
`runsc ps` currently return pid for a task's immediate pid namespace, which is confusing when there're multiple pid namespaces. We should return only pids in the root namespace. Before: ``` 1000 1 0 0 ? 02:24 250ms chrome 1000 1 0 0 ? 02:24 40ms dumb-init 1000 1 0 0 ? 02:24 240ms chrome 1000 2 1 0 ? 02:24 2.78s node ``` After: ``` UID PID PPID C TTY STIME TIME CMD 1000 1 0 0 ? 12:35 0s dumb-init 1000 2 1 7 ? 12:35 240ms node 1000 13 2 21 ? 12:35 2.33s chrome 1000 27 13 3 ? 12:35 260ms chrome ``` Signed-off-by: Daniel Dao <dqminh@cloudflare.com>
2021-02-24Add YAMA security module restrictions on ptrace(2).Dean Deng
Restrict ptrace(2) according to the default configurations of the YAMA security module (mode 1), which is a common default among various Linux distributions. The new access checks only permit the tracer to proceed if one of the following conditions is met: a) The tracer is already attached to the tracee. b) The target is a descendant of the tracer. c) The target has explicitly given permission to the tracer through the PR_SET_PTRACER prctl. d) The tracer has CAP_SYS_PTRACE. See security/yama/yama_lsm.c for more details. Note that these checks are added to CanTrace, which is checked for PTRACE_ATTACH as well as some other operations, e.g., checking a process' memory layout through /proc/[pid]/mem. Since this patch adds restrictions to ptrace, it may break compatibility for applications run by non-root users that, for instance, rely on being able to trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER prctl. Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com PiperOrigin-RevId: 359237723
2021-02-24Use async task context for async IO.Dean Deng
PiperOrigin-RevId: 359235699
2021-02-22unix: sendmmsg and recvmsg have to cap a number of message to UIO_MAXIOVAndrei Vagin
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com PiperOrigin-RevId: 358866218
2021-02-19Don't hold baseEndpoint.mu while calling EventUpdate().Nicolas Lacasse
This removes a three-lock deadlock between fdnotifier.notifier.mu, epoll.EventPoll.listsMu, and baseEndpoint.mu. A lock order comment was added to epoll/epoll.go. Also fix unsafe access of baseEndpoint.connected/receiver. PiperOrigin-RevId: 358515191
2021-02-19control.Proc.Exec should default to root pid namespace if none provided.Nicolas Lacasse
PiperOrigin-RevId: 358445320
2021-02-18Make socketops reflect correct sndbuf value for host UDS.Bhasker Hariharan
Also skips a test if the setsockopt to increase send buffer did not result in an increase. This is possible when the underlying socket is a host backed unix domain socket as in such cases gVisor does not permit increasing SO_SNDBUF. PiperOrigin-RevId: 358285158
2021-02-18Bump build constraints to Go 1.18Michael Pratt
These are bumped to allow early testing of Go 1.17. Use will be audited closer to the 1.17 release. PiperOrigin-RevId: 358278615
2021-02-18Validate IGMP packetsArthur Sfez
This change also adds support for Router Alert option processing on incoming packets, a new stat for Router Alert option, and exports all the IP-option related stats. Fixes #5491 PiperOrigin-RevId: 358238123
2021-02-17Move Name() out of netstack Matcher. It can live in the sentry.Kevin Krakauer
PiperOrigin-RevId: 358078157
2021-02-17Add gohacks.Slice/StringHeader.Jamie Liu
See https://github.com/golang/go/issues/19367 for rationale. Note that the upstream decision arrived at in that thread, while useful for some of our use cases, doesn't account for all of our SliceHeader use cases (we often use SliceHeader to extract pointers from slices in a way that avoids bounds checking and/or handles nil slices correctly) and also doesn't exist yet. PiperOrigin-RevId: 358071574
2021-02-17Check for directory emptiness in VFS1 overlay rmdir().Jamie Liu
Note that this CL reorders overlayEntry.copyMu before overlayEntry.dirCacheMu in the overlayFileOperations.IterateDir() => readdirEntries() path - but this lock ordering is already required by overlayRemove/Bind() => overlayEntry.markDirectoryDirty(), so this actually just fixes an inconsistency. PiperOrigin-RevId: 358047121
2021-02-11[rack] TLP: ACK Processing and PTO scheduling.Ayush Ranjan
This change implements TLP details enumerated in https://tools.ietf.org/html/draft-ietf-tcpm-rack-08#section-7.5.3 Fixes #5085 PiperOrigin-RevId: 357125037
2021-02-11Unconditionally check for directory-ness in overlay.filesystem.UnlinkAt().Jamie Liu
PiperOrigin-RevId: 357106080
2021-02-11Internal change.gVisor bot
PiperOrigin-RevId: 357090170
2021-02-11Implement semtimedop.Jing Chen
PiperOrigin-RevId: 357031904
2021-02-11Assign controlling terminal when tty is opened and support NOCTTYKevin Krakauer
PiperOrigin-RevId: 357015186
2021-02-10Support setgid directories in tmpfs and kernfsKevin Krakauer
PiperOrigin-RevId: 356868412
2021-02-10Don't allow to umount the namespace root mountAndrei Vagin
Linux does the same thing. Reported-by: syzbot+6c79385c930c929d1d9e@syzkaller.appspotmail.com PiperOrigin-RevId: 356854562
2021-02-10Merge pull request #5267 from lubinszARM:pr_usr_lazy_fpgVisor bot
PiperOrigin-RevId: 356762859
2021-02-09Add support for setting SO_SNDBUF for unix domain sockets.Bhasker Hariharan
The limits for snd/rcv buffers for unix domain socket is controlled by the following sysctls on linux - net.core.rmem_default - net.core.rmem_max - net.core.wmem_default - net.core.wmem_max Today in gVisor we do not expose these sysctls but we do support setting the equivalent in netstack via stack.Options() method. But AF_UNIX sockets in gVisor can be used without netstack, with hostinet or even without any networking stack at all. Which means ideally these sysctls need to live as globals in gVisor. But rather than make this a big change for now we hardcode the limits in the AF_UNIX implementation itself (which in itself is better than where we were before) where it SO_SNDBUF was hardcoded to 16KiB. Further we bump the initial limit to a default value of 208 KiB to match linux from the paltry 16 KiB we use today. Updates #5132 PiperOrigin-RevId: 356665498
2021-02-09Add cleanup TODO for integer-based proc files.Dean Deng
PiperOrigin-RevId: 356645022
2021-02-09Collapse code that always returns errorTamir Duberstein
PiperOrigin-RevId: 356536548
2021-02-09kernel: reparentLocked has to update children maps of old and new parentsAndrei Vagin
Reported-by: syzbot+9ffc71246fe72c73fc25@syzkaller.appspotmail.com PiperOrigin-RevId: 356536113
2021-02-09pipe: writeLocked has to return ErrWouldBlock if the pipe is fullAndrei Vagin
PiperOrigin-RevId: 356450303
2021-02-08exec: don't panic if an elf file is malformedAndrei Vagin
Reported-by: syzbot+d54bc27a15aefe52c330@syzkaller.appspotmail.com PiperOrigin-RevId: 356406975
2021-02-08[go-marshal] Remove binary package reference from syscalls package.Ayush Ranjan
Fixes a bug in our getsockopt(2) implementation which was incorrectly using binary.Size() instead of Marshallable.SizeBytes(). PiperOrigin-RevId: 356396551
2021-02-05Replace TaskFromContext(ctx).Kernel() with KernelFromContext(ctx)Ting-Yu Wang
Panic seen at some code path like control.ExecAsync where ctx does not have a Task. Reported-by: syzbot+55ce727161cf94a7b7d6@syzkaller.appspotmail.com PiperOrigin-RevId: 355960596
2021-02-05[vfs] Handle `.` and `..` as last path component names in kernfs Rename.Ayush Ranjan
According to vfs.FilesystemImpl.RenameAt documentation: - If the last path component in rp is "." or "..", and opts.Flags contains RENAME_NOREPLACE, RenameAt returns EEXIST. - If the last path component in rp is "." or "..", and opts.Flags does not contain RENAME_NOREPLACE, RenameAt returns EBUSY. Reported-by: syzbot+6189786e64fe13fe43f8@syzkaller.appspotmail.com PiperOrigin-RevId: 355959266
2021-02-04Move getcpu() to core filter listMichael Pratt
Some versions of the Go runtime call getcpu(), so add it for compatibility. The hostcpu package already uses getcpu() on arm64. PiperOrigin-RevId: 355717757
2021-02-04Call kernfs.syntheticDir.InitRefs() on creation.Nicolas Lacasse
PiperOrigin-RevId: 355675900
2021-02-03[vfs] Make sticky bit check consistent with Linux.Ayush Ranjan
Our implementation of vfs.CheckDeleteSticky was not consistent with Linux, specifically not consistent with fs/linux.h:check_sticky(). One of the biggest differences was that the vfs implementation did not allow the owner of the sticky directory to delete files inside it that belonged to other users. This change makes our implementation consistent with Linux. Also adds an integration test to check for this. This bug is also present in VFS1. Updates #3027 PiperOrigin-RevId: 355557425
2021-02-03arm64 kvm:implement basic lazy save and restore for FPSIMD registersRobin Luk
Implement basic lazy save and restore for FPSIMD registers, which only restore FPSIMD state on el0_fpsimd_acc and save FPSIMD state in switch(). Signed-off-by: Robin Luk <lubin.lu@antgroup.com>
2021-02-03arm64: clean codeRobin Luk
In order to improve the performance and stability, I reorg 2 modules slightly. arch: no red zone on Arm64. ring0: use stp instead of movd, and set RSV_REG_APP=R19. Signed-off-by: Robin Luk <lubin.lu@antgroup.com>
2021-02-02Remove call to Notify from pipe.VFSPipeFD.CopyOutFrom.Jamie Liu
This was missed in cl/351911375; pipe.VFSPipeFD.SpliceFromNonPipe already calls Notify. PiperOrigin-RevId: 355246655
2021-02-02Stub out basic `runsc events --stat` CPU functionalityKevin Krakauer
Because we lack gVisor-internal cgroups, we take the CPU usage of the entire pod and divide it proportionally according to sentry-internal usage stats. This fixes `kubectl top pods`, which gets a pod's CPU usage by summing the usage of its containers. Addresses #172. PiperOrigin-RevId: 355229833
2021-02-02Move ring0 package.Adin Scannell
This allows the package to serve as a general purpose ring0 support package, as opposed to being bound to specific sentry platforms. Updates #5039 PiperOrigin-RevId: 355220044
2021-02-02Add ETIMEDOUT to partial result listFabricio Voznika
Reported-by: syzbot+db8d83f93b84fcb84374@syzkaller.appspotmail.com PiperOrigin-RevId: 355213994
2021-02-02Minor page tables improvements.Adin Scannell
* Make split safe. * Enable looking up next valid address. * Support mappings with !accessType.Any(), distinct from unmap. These changes allow for the use of pagetables in low-level OS packages, such as ring0, and allow for the use of pagetables for more generic address space reservation (by writing entries with no access specified). Updates #5039 PiperOrigin-RevId: 355109016
2021-02-01Refactor HandleControlPacket/SockErrorGhanan Gowripalan
...to remove the need for the transport layer to deduce the type of error it received. Rename HandleControlPacket to HandleError as HandleControlPacket only handles errors. tcpip.SockError now holds a tcpip.SockErrorCause interface that different errors can implement. PiperOrigin-RevId: 354994306
2021-01-29Fix deadlock in specialFileFD.pwriteFabricio Voznika
When file is regular and metadata cache is authoritative, metadata lock is taken. The code deadlocks trying to acquire the metadata lock again to update time stampts. PiperOrigin-RevId: 354584594
2021-01-28Change tcpip.Error to an interfaceTamir Duberstein
This makes it possible to add data to types that implement tcpip.Error. ErrBadLinkEndpoint is removed as it is unused. PiperOrigin-RevId: 354437314
2021-01-28Propagate reader error in ReadFromTamir Duberstein
This was removed in 6c0e1d9cfe6adbfbb32e7020d6426608ac63ad37 but turns out to be crucial to prevent flaky behaviour in sendfile. PiperOrigin-RevId: 354434144