summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2020-11-03arm64 kvm: inject sError to trigger sigbuslubinszARM
Use an sErr injection to trigger sigbus when we receive EFAULT from the run ioctl. After applying this patch, mmap_test_runsc_kvm will be passed on Arm64. Signed-off-by: Bin Lu <bin.lu@arm.com> COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/4542 from lubinszARM:pr_kvm_mmap_1 f81bd42466d1d60a581e5fb34de18b78878c68c1 PiperOrigin-RevId: 340461239
2020-11-02Implement command GETZCNT for semctl.Jing Chen
PiperOrigin-RevId: 340389884
2020-11-02[vfs2] Refactor kernfs checkCreateLocked.Dean Deng
Don't return the filename, since it can already be determined by the caller. This was causing a panic in RenameAt, which relied on the name to be nonempty even if the error was EEXIST. Reported-by: syzbot+e9f117d000301e42361f@syzkaller.appspotmail.com PiperOrigin-RevId: 340381946
2020-11-02Pass hashing algorithms in verity fs optsChong Cai
PiperOrigin-RevId: 340275942
2020-11-01Fix returned error when deleting non-existant addressIan Lewis
PiperOrigin-RevId: 340149214
2020-10-30Adjust error handling in kernfs rename.Dean Deng
Read-only directories (e.g. under /sys, /proc) should return EPERM for rename. PiperOrigin-RevId: 339979022
2020-10-30Fix rename error handling for VFS2 kernfs.Dean Deng
The non-errno error was causing panics before. PiperOrigin-RevId: 339969348
2020-10-30Separate kernel.Task.AsCopyContext() into CopyContext() and OwnCopyContext().Jamie Liu
kernel.copyContext{t} cannot be used outside of t's task goroutine, for three reasons: - t.CopyScratchBuffer() is task-goroutine-local. - Calling t.MemoryManager() without running on t's task goroutine or locking t.mu violates t.MemoryManager()'s preconditions. - kernel.copyContext passes t as context.Context to MM IO methods, which is illegal outside of t's task goroutine (cf. kernel.Task.Value()). Fix this by splitting AsCopyContext() into CopyContext() (which takes an explicit context.Context and is usable outside of the task goroutine) and OwnCopyContext() (which uses t as context.Context, but is only usable by t's task goroutine). PiperOrigin-RevId: 339933809
2020-10-30Merge pull request #4564 from zhlhahaha:1981gVisor bot
PiperOrigin-RevId: 339921446
2020-10-29Make RedirectTarget thread safeKevin Krakauer
Fixes #4613. PiperOrigin-RevId: 339746784
2020-10-29Keep magic constants out of netstackKevin Krakauer
PiperOrigin-RevId: 339721152
2020-10-28Add leak checking for kernfs.Dentry.Dean Deng
Updates #1486. PiperOrigin-RevId: 339581879
2020-10-28Add logging option to leak checker.Dean Deng
Also refactor the template and CheckedObject interface to make this cleaner. Updates #1486. PiperOrigin-RevId: 339577120
2020-10-28Merge pull request #4630 from lemin9538:lemin_arm64_devgVisor bot
PiperOrigin-RevId: 339540747
2020-10-28Invalidate overlay.dentry.dirents during open() file creation.Jamie Liu
Updates #1199 PiperOrigin-RevId: 339528827
2020-10-28[vfs] Refactor hostfs mmap into kernfs util.Ayush Ranjan
PiperOrigin-RevId: 339505487
2020-10-27Merge pull request #4598 from lubinszARM:pr_kvm_precise_syncgVisor bot
PiperOrigin-RevId: 339404936
2020-10-28arm64: need to restore the sentry's TLS when in EL1Min Le
Signed-off-by: Min Le <lemin.lm@antgroup.com>
2020-10-27Add SHA512 to merkle tree libraryChong Cai
PiperOrigin-RevId: 339377254
2020-10-27Implement /proc/[pid]/memLennart
This PR implements /proc/[pid]/mem for `pkg/sentry/fs` (refer to #2716) and `pkg/sentry/fsimpl`. @majek COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/4060 from lnsp:proc-pid-mem 2caf9021254646f441be618a9bb5528610e44d43 PiperOrigin-RevId: 339369629
2020-10-27Assign VFS2 overlay device numbers based on layer device numbers.Jamie Liu
In VFS1's overlayfs, files use the device and inode number of the lower layer inode if one exists, and the upper layer inode otherwise. The former behavior is inefficient (requiring lower layer lookups even if the file exists and is otherwise wholly determined by the upper layer), and somewhat dangerous if the lower layer is also observable (since both the overlay and lower layer file will have the same device and inode numbers and thus appear to be the same file, despite being behaviorally different). VFS2 overlayfs imitates Linux overlayfs (in its default configuration) instead; it always uses the inode number from the originating layer, but synthesizes a unique device number for directories and another device number for non-directory files that have not been copied-up. As it turns out, the latter is insufficient (in VFS2, and possibly Linux as well), because a given layer may include files with different device numbers. If two distinct files on such a layer have device number X and Y respectively, but share inode number Z, then the overlay will map both files to some private device number X' and inode number Z, potentially confusing applications. Fix this by assigning synthetic device numbers based on the lower layer's device number, rather than the lower layer's vfs.Filesystem. PiperOrigin-RevId: 339300341
2020-10-27Add basic address deletion to netlinkIan Lewis
Updates #3921 PiperOrigin-RevId: 339195417
2020-10-26Implement command IPC_STAT for semctl.Jing Chen
PiperOrigin-RevId: 339166854
2020-10-26Add verity tests for deleted/renamed casesChong Cai
Also change verity test to use a context with an active task. This is required to delete/rename the file in the underlying file system. PiperOrigin-RevId: 339146445
2020-10-26[vfs] kernfs: Implement LRU cache for kernfs dentries.Ayush Ranjan
Much like the VFS2 gofer client, kernfs too now caches dentries. The size of the LRU cache is configurable via mount options. Have adopted the same reference semantics from gofer client dentry. Only sysfs and procfs use this LRU cache. The rest of the kernfs users (devpts, fusefs, host, pipefs, sockfs) still use the no cache approach. PiperOrigin-RevId: 339139835
2020-10-26Fix SCM Rights S/R reference leak.Dean Deng
Control messages collected when peeking into a socket were being leaked. PiperOrigin-RevId: 339114961
2020-10-24Implement Seek in verity fsChong Cai
PiperOrigin-RevId: 338847417
2020-10-24Add leak checking to vfs2 structures that cannot use the refs_vfs2 template.Dean Deng
Updates #1486. PiperOrigin-RevId: 338832085
2020-10-23Internal change.Chong Cai
PiperOrigin-RevId: 338798433
2020-10-23Fix nogo tests in //pkg/sentry/socket/...Ting-Yu Wang
PiperOrigin-RevId: 338784921
2020-10-23Support VFS2 save/restore.Jamie Liu
Inode number consistency checks are now skipped in save/restore tests for reasons described in greatest detail in StatTest.StateDoesntChangeAfterRename. They pass in VFS1 due to the bug described in new test case SimpleStatTest.DifferentFilesHaveDifferentDeviceInodeNumberPairs. Fixes #1663 PiperOrigin-RevId: 338776148
2020-10-23[vfs] kernfs: cleanup/refactor.Ayush Ranjan
PiperOrigin-RevId: 338728070
2020-10-23Implement Read in gvisor verity fsChong Cai
Read is implemented by PRead, with offset obtained from Seek. PiperOrigin-RevId: 338718587
2020-10-23[vfs] kernfs: Implement remaining InodeAttr fields.Ayush Ranjan
Added the following fields in kernfs.InodeAttr: - blockSize - atime - mtime - ctime Also resolved all TODOs for #1193. Fixes #1193 PiperOrigin-RevId: 338714527
2020-10-23Check for verity file/Merkle file when reopenChong Cai
Even if the child dentry has been cached, we should still check whether the file and the corresponding Merkle tree file exist as expected. This ensures that we can detect deletion/renaming of files that have been previous enabled and opened. Also make all verification failures to return EIO. This helps to test verify failures. PiperOrigin-RevId: 338709055
2020-10-23Support getsockopt for SO_ACCEPTCONN.Nayana Bidari
The SO_ACCEPTCONN option is used only on getsockopt(). When this option is specified, getsockopt() indicates whether socket listening is enabled for the socket. A value of zero indicates that socket listening is disabled; non-zero that it is enabled. PiperOrigin-RevId: 338703206
2020-10-23Rewrite reference leak checker without finalizers.Dean Deng
Our current reference leak checker uses finalizers to verify whether an object has reached zero references before it is garbage collected. There are multiple problems with this mechanism, so a rewrite is in order. With finalizers, there is no way to guarantee that a finalizer will run before the program exits. When an unreachable object with a finalizer is garbage collected, its finalizer will be added to a queue and run asynchronously. The best we can do is run garbage collection upon sandbox exit to make sure that all finalizers are enqueued. Furthermore, if there is a chain of finalized objects, e.g. A points to B points to C, garbage collection needs to run multiple times before all of the finalizers are enqueued. The first GC run will register the finalizer for A but not free it. It takes another GC run to free A, at which point B's finalizer can be registered. As a result, we need to run GC as many times as the length of the longest such chain to have a somewhat reliable leak checker. Finally, a cyclical chain of structs pointing to one another will never be garbage collected if a finalizer is set. This is a well-known issue with Go finalizers (https://github.com/golang/go/issues/7358). Using leak checking on filesystem objects that produce cycles will not work and even result in memory leaks. The new leak checker stores reference counted objects in a global map when leak check is enabled and removes them once they are destroyed. At sandbox exit, any remaining objects in the map are considered as leaked. This provides a deterministic way of detecting leaks without relying on the complexities of finalizers and garbage collection. This approach has several benefits over the former, including: - Always detects leaks of objects that should be destroyed very close to sandbox exit. The old checker very rarely detected these leaks, because it relied on garbage collection to be run in a short window of time. - Panics if we forgot to enable leak check on a ref-counted object (we will try to remove it from the map when it is destroyed, but it will never have been added). - Can store extra logging information in the map values without adding to the size of the ref count struct itself. With the size of just an int64, the ref count object remains compact, meaning frequent operations like IncRef/DecRef are more cache-efficient. - Can aggregate leak results in a single report after the sandbox exits. Instead of having warnings littered in the log, which were non-deterministically triggered by garbage collection, we can print all warning messages at once. Note that this could also be a limitation--the sandbox must exit properly for leaks to be detected. Some basic benchmarking indicates that this change does not significantly affect performance when leak checking is enabled, which is understandable since registering/unregistering is only done once for each filesystem object. Updates #1486. PiperOrigin-RevId: 338685972
2020-10-22arm64 kvm: added the implementation of setSystemTimeLegacy()Bin Lu
I have added support for setSystemTimeLegacy() by setting cntvoff. With this pr, TestRdtsc and other kvm syscall test cases(nanosleep, wait...) can be passed on Arm64. TO-DO: Add precise synchronization to KVM for Arm64. Reference PR: https://github.com/google/gvisor/pull/4397 Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-10-21Check for nil in kernel.FSContext functions.Dean Deng
Reported-by: syzbot+c0e175d2b10708314eb3@syzkaller.appspotmail.com PiperOrigin-RevId: 338386575
2020-10-21Merge pull request #4535 from lubinszARM:pr_kvm_exec_binary_1gVisor bot
PiperOrigin-RevId: 338321125
2020-10-20Merge pull request #4524 from lemin9538:lemin_arm64gVisor bot
PiperOrigin-RevId: 338126491
2020-10-20ARM64 KVM: bad regs.Sp return SIGSEGVHoward Zhang
Consistent with the linux kernel, bad regs.Sp return SIGSEGV Signed-off-by: Howard Zhang <howard.zhang@arm.com>
2020-10-19loader/elf: validate file offsetAndrei Vagin
Reported-by: syzbot+7406eef8247cb5a20855@syzkaller.appspotmail.com PiperOrigin-RevId: 337974474
2020-10-19Fix reference counting on kcov mappings.Dean Deng
Reported-by: syzbot+078580ce5dd6d607fcd8@syzkaller.appspotmail.com Reported-by: syzbot+2096681f6891e7bf8aed@syzkaller.appspotmail.com PiperOrigin-RevId: 337973519
2020-10-19Fix runsc tests on VFS2 overlay.Jamie Liu
- Check the sticky bit in overlay.filesystem.UnlinkAt(). Fixes StickyTest.StickyBitPermDenied. - When configuring a VFS2 overlay in runsc, copy the lower layer's root owner/group/mode to the upper layer's root (as in the VFS1 equivalent, boot.addOverlay()). This makes the overlay root owned by UID/GID 65534 with mode 0755 rather than owned by UID/GID 0 with mode 01777. Fixes CreateTest.CreateFailsOnUnpermittedDir, which assumes that the test cannot create files in /. - MknodTest.UnimplementedTypesReturnError assumes that the creation of device special files is not supported. However, while the VFS2 gofer client still doesn't support device special files, VFS2 tmpfs does, and in the overlay test dimension mknod() targets a tmpfs upper layer. The test initially has all capabilities, including CAP_MKNOD, so its creation of these files succeeds. Constrain these tests to VFS1. - Rename overlay.nonDirectoryFD to overlay.regularFileFD and only use it for regular files, using the original FD for pipes and device special files. This is more consistent with Linux (which gets the original inode_operations, and therefore file_operations, for these file types from ovl_fill_inode() => init_special_inode()) and fixes remaining mknod and pipe tests. - Read/write 1KB at a time in PipeTest.Streaming, rather than 4 bytes. This isn't strictly necessary, but it makes the test less obnoxiously slow on ptrace. Fixes #4407 PiperOrigin-RevId: 337971042
2020-10-19[vfs2] Fix fork reference leaks.Dean Deng
PiperOrigin-RevId: 337919424
2020-10-19splice: return EINVAL is len is negativeAndrei Vagin
Reported-by: syzbot+0268cc591c0f517a1de0@syzkaller.appspotmail.com PiperOrigin-RevId: 337901664
2020-10-19pgalloc: Do not hold MemoryFile.mu while calling mincore.Ayush Ranjan
This change makes the following changes: - Unlocks MemoryFile.mu while calling mincore (checkCommitted) because mincore can take a really long time. Accordingly looks up the segment in the tree tree again and handles changes to the segment. - MemoryFile.UpdateUsage() can now only be called at frequency at most 100Hz. 100 Hz = linux.CLOCKS_PER_SEC. Co-authored-by: Jamie Liu <jamieliu@google.com> PiperOrigin-RevId: 337865250
2020-10-18arm64 kvm: handle exception from accessing undefined instructionBin Lu
Consistent with the linux approach, we will produce a sigill to handle el0_undef. After applying this patch, exec_binary_test_runsc_kvm will be passed on Arm64. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-10-16Merge pull request #4387 from lubinszARM:pr_tls_host_sentry_1gVisor bot
PiperOrigin-RevId: 337544656