summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2020-03-16Enforce file size rlimits in VFS2Fabricio Voznika
Updates #1035 PiperOrigin-RevId: 301255357
2020-03-16Add calls to vfs.CheckSetStat to fsimplsFabricio Voznika
Only gofer filesystem was calling vfs.CheckSetStat for vfs.FilesystemImpl.SetStatAt and vfs.FileDescriptionImpl.SetStat. Updates #1193, #1672, #1197 PiperOrigin-RevId: 301226522
2020-03-16Merge pull request #1943 from kevinGC:ipt-filter-ipgVisor bot
PiperOrigin-RevId: 301197007
2020-03-14Disallow kernfs.Inode.SetStat for readonly inodesFabricio Voznika
Updates #1195, #1193 PiperOrigin-RevId: 300950993
2020-03-14Plumb VFS2 imported fds into virtual filesystem.Dean Deng
- When setting up the virtual filesystem, mount a host.filesystem to contain all files that need to be imported. - Make read/preadv syscalls to the host in cases where preadv2 may not be supported yet (likewise for writing). - Make save/restore functions in kernel/kernel.go return early if vfs2 is enabled. PiperOrigin-RevId: 300922353
2020-03-13Add remaining procfs filesFabricio Voznika
Closes #1195 PiperOrigin-RevId: 300867055
2020-03-13Panic if file in FDTable has been destroyedFabricio Voznika
This will give more information about the file to identify where possibly the extra DecRef() would be. PiperOrigin-RevId: 300855874
2020-03-13Fix infinite loop in semaphore.sem.wakeWaiters().Jamie Liu
PiperOrigin-RevId: 300845134
2020-03-13Fix oom_score_adj.Jamie Liu
- Make oomScoreAdj a ThreadGroup field (Linux: signal_struct::oom_score_adj). - Avoid deadlock caused by Task.OOMScoreAdj()/SetOOMScoreAdj() locking Task.mu and TaskSet.mu in the wrong order (via Task.ExitState()). PiperOrigin-RevId: 300814698
2020-03-13Fix lock recursion in kernel.ProcessGroup.SendSignal().Jamie Liu
PiperOrigin-RevId: 300803515
2020-03-13Implement access/faccessat for VFS2.Dean Deng
Note that the raw faccessat system call does not actually take a flags argument; according to faccessat(2), the glibc wrapper implements the flags by using fstatat(2). Remove the flag argument that we try to extract from vfs1, which would just be a garbage value. Updates #1965 Fixes #2101 PiperOrigin-RevId: 300796067
2020-03-13Fix "application exiting with {Code:0 Signo:27}" during boot.Ting-Yu Wang
2aa9514a06a5e34894e606d508ac2df53b082c74 skips SIGURG, but later code expects the sigchans array contains consecutive signal numbers. PiperOrigin-RevId: 300793450
2020-03-13Add support for mount flagsFabricio Voznika
Plumbs MS_NOEXEC and MS_RDONLY. Others are TODO. Updates #1623 #1193 PiperOrigin-RevId: 300764669
2020-03-11Import "unsafe" in bluepill_arm64_unsafe.goAndrei Vagin
This fixes a compile time error: pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go:45:35: undefined: unsafe PiperOrigin-RevId: 300375687
2020-03-11Merge pull request #1975 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 300362789
2020-03-11runsc: don't redirect SIGURG which is used by Go's runtime schedulerAndrei Vagin
Go 1.14+ sends SIGURG to Ms to attempt asynchronous preemption of a G. Since it can't guarantee that a SIGURG is only related to preemption, it continues to forward them to signal.Notify (see runtime.sighandler). When runsc is running a container, there are three processes: a parent process and two children (sandbox and gopher). A parent process sets a signal handler for all signals and redirect them to the container init process. This logic should ignore SIGURG signals. We already ignore them in the Sentry, but it will be better to not notify about them when this is possible. PiperOrigin-RevId: 300345286
2020-03-11Merge pull request #1832 from xiaobo55x:tls_ptracegVisor bot
PiperOrigin-RevId: 300270894
2020-03-09Move /proc/net to /proc/PID/net, and make /proc/net -> /proc/self/net.Ting-Yu Wang
Issue #1833 PiperOrigin-RevId: 299998105
2020-03-09Enable thread local storage support on arm64.Haibo Xu
Linux use the task.thread.uw.tp_value field to store the TLS pointer on arm64 platform, and we use a similar way in gvisor to store it in the arch/State struct. Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: Ie76b5c6d109bc27ccfd594008a96753806db7764
2020-03-06Update comments and debug level for profiling options.Dean Deng
PiperOrigin-RevId: 299448307
2020-03-06Add plumbing for importing fds in VFS2, along with non-socket, non-TTY impl.Dean Deng
In VFS2, imported file descriptors are stored in a kernfs-based filesystem. Upon calling ImportFD, the host fd can be accessed in two ways: 1. a FileDescription that can be added to the FDTable, and 2. a Dentry in the host.filesystem mount, which we will want to access through magic symlinks in /proc/[pid]/fd/. An implementation of the kernfs.Inode interface stores a unique host fd. This inode can be inserted into file descriptions as well as dentries. This change also plumbs in three FileDescriptionImpls corresponding to fds for sockets, TTYs, and other files (only the latter is implemented here). These implementations will mostly make corresponding syscalls to the host. Where possible, the logic is ported over from pkg/sentry/fs/host. Updates #1672 PiperOrigin-RevId: 299417263
2020-03-06Prevent memory leaks in ilistTamir Duberstein
When list elements are removed from a list but not discarded, it becomes important to invalidate the references they hold to their former neighbors to prevent memory leaks. PiperOrigin-RevId: 299412421
2020-03-06Merge pull request #1963 from xiaobo55x:kvm_commongVisor bot
PiperOrigin-RevId: 299405855
2020-03-06Merge pull request #1946 from xiaobo55x:dieTrampgVisor bot
PiperOrigin-RevId: 299405663
2020-03-05Stub oom_score_adj and oom_score.Ian Lewis
Adds an oom_score_adj and oom_score proc file stub. oom_score_adj accepts writes of values -1000 to 1000 and persists the value with the task. New tasks inherit the parent's oom_score_adj. oom_score is a read-only stub that always returns the value '0'. Issue #202 PiperOrigin-RevId: 299245355
2020-03-05Fix S/R on inet.Namespace.Ting-Yu Wang
PiperOrigin-RevId: 299238067
2020-03-05Merge pull request #1951 from moricho:moricho/add-profiler-optiongVisor bot
PiperOrigin-RevId: 299233818
2020-03-03Update cached file size when cache is skippedFabricio Voznika
gofer.dentryReadWriter.WriteFromBlocks was not updating gofer.dentry.size after a write operation that skips the cache. Updates #1198 PiperOrigin-RevId: 298708646
2020-03-03platform/ptrace: don't call probeSeccomp on arm64Andrei Vagin
The support of PTRACE_SYSEMU on arm64 was added in the 5.3 kernel, so we can be sure that the current version is higher that 5.3. And this change moves vsyscall seccomp rules to the arch specific file, because vsyscall isn't supported on arm64. PiperOrigin-RevId: 298696493
2020-03-02Fix panic caused by invalid address for Bind in packet sockets.Nayana Bidari
PiperOrigin-RevId: 298476533
2020-03-02Merge pull request #1885 from avagin:arm64-pcidsgVisor bot
PiperOrigin-RevId: 298405064
2020-03-02socket: take readMu to access readViewAndrei Vagin
DATA RACE in netstack.(*SocketOperations).fetchReadView Write at 0x00c001dca138 by goroutine 1001: gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).fetchReadView() pkg/sentry/socket/netstack/netstack.go:418 +0x85 gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).coalescingRead() pkg/sentry/socket/netstack/netstack.go:2309 +0x67 gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).nonBlockingRead() pkg/sentry/socket/netstack/netstack.go:2378 +0x183d Previous read at 0x00c001dca138 by goroutine 1111: gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).Ioctl() pkg/sentry/socket/netstack/netstack.go:2666 +0x533 gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Ioctl() Reported-by: syzbot+d4c3885fcc346f08deb6@syzkaller.appspotmail.com PiperOrigin-RevId: 298387377
2020-03-02Take write lock when removing xattrMichael Pratt
PiperOrigin-RevId: 298380654
2020-02-28Merge pull request #1929 from avagin:arm64-cpuidgVisor bot
PiperOrigin-RevId: 297982488
2020-02-28watchdog: print panic error message before other messagesAndrei Vagin
This is needed for syzkaller to proper classify issues. Right now, all watchdog issues are duped to one with the subject "panic: Sentry detected stuck task(s). See stack trace and message above for more details". PiperOrigin-RevId: 297975363
2020-02-28Define CPUIDInstruction for arm64Andrei Vagin
There is no cpuid instruction on arm64, so we need to defined it just to avoid a compile time error. Signed-off-by: Andrei Vagin <avagin@gmail.com>
2020-02-28pcids.go isn't arch-specificAndrei Vagin
Signed-off-by: Andrei Vagin <avagin@gmail.com>
2020-02-28Make pipe buffer implementation standard.Adin Scannell
A follow-up change will convert the networking code to use this standard pipe implementation. PiperOrigin-RevId: 297903206
2020-02-28Hide /dev/net/tun when using hostinet.Ting-Yu Wang
/dev/net/tun does not currently work with hostinet. This has caused some program starts failing because it thinks the feature exists. PiperOrigin-RevId: 297876196
2020-02-28Change dup2 call to dup3Fabricio Voznika
We changed syscalls to allow dup3 for ARM64. Updates #1198 PiperOrigin-RevId: 297870816
2020-02-28Add nat table support for iptables.Nayana Bidari
- Fix review comments.
2020-02-27Merge of a369c88c0c4ece5239855000d28df045111c1be7gVisor bot
PiperOrigin-RevId: 297674924
2020-02-27Internal change.Nayana Bidari
PiperOrigin-RevId: 297638665
2020-02-26Fix construct of linux.Stat for arm64.Rahat Mahmood
PiperOrigin-RevId: 297494373
2020-02-26Merge pull request #1912 from lubinszARM:pr_kvm_buildgVisor bot
PiperOrigin-RevId: 297492004
2020-02-26iptables: filter by IP address (and range)Kevin Krakauer
Enables commands such as: $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT Also adds a bunch of REDIRECT+destination tests.
2020-02-26add profile optionmoricho
2020-02-25Add VFS.NewDisconnectedMount().Jamie Liu
Analogous to Linux's kern_mount(). PiperOrigin-RevId: 297259580
2020-02-25Fix DATA RACE in fs.MayDelete.Adin Scannell
MayDelete must lock the directory also, otherwise concurrent renames may race. Note that this also changes the methods to be aligned with the actual Remove and RemoveDirectory methods to minimize confusion when reading the code. (It was hard to see that resolution was correct.) PiperOrigin-RevId: 297258304
2020-02-26Code Clean: Move arch independent codes to common file in kvm pkg.Haibo Xu
Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: Iefbdf53e8e8d6d23ae75d8a2ff0d2a6e71f414d8