Age | Commit message (Collapse) | Author |
|
PiperOrigin-RevId: 307166317
|
|
prlimit was erroneously comparing UIDs and GIDs when getting/setting a process'
own limits. From the manpage:
To set or get the resources of a process other than itself, the caller must have
the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs
of the target process must match the real user ID of the caller and the real,
effective, and saved set group IDs of the target process must match the real
group ID of the caller.
PiperOrigin-RevId: 307127266
|
|
PiperOrigin-RevId: 307078788
|
|
Included:
- loader_test.go RunTest and TestStartSignal VFS2
- container_test.go TestAppExitStatus on VFS2
- experimental flag added to runsc to turn on VFS2
Note: shared mounts are not yet supported.
PiperOrigin-RevId: 307070753
|
|
This previously changed in 305699233, but this behaviour turned out to
be load bearing.
PiperOrigin-RevId: 307033802
|
|
Updates #1035
PiperOrigin-RevId: 306968644
|
|
PiperOrigin-RevId: 306891171
|
|
- Use the fs.File, rather than the vfs.FileDescription, in the VFS1 version.
- Check for a nil fs.File/vfs.FileDescription before calling DecRef, which is
possible if a racing dup2() or dup3() replaces the file descriptor between
when it is installed and when it is returned. (This is not possible in Linux
because Linux separates allocation of a file descriptor from binding an
allocated file descriptor to a struct file, and dup2/dup3 return EBUSY if
asked to replace an allocated but unbound file descriptor.)
PiperOrigin-RevId: 306517101
|
|
Needed for PipeTest_Flags: files opened by open() and openat() get O_LARGEFILE
(on architectures with 64-bit off_t), but not FDs created by other syscalls
such as pipe().
Updates #1035
PiperOrigin-RevId: 306504788
|
|
PiperOrigin-RevId: 306348346
|
|
PiperOrigin-RevId: 306306809
|
|
PiperOrigin-RevId: 306300032
|
|
Note that most kinds of sockets are not yet supported in VFS2
(only Unix sockets are partially supported at the moment), so
these syscalls will still generally fail. Enabling them allows
us to begin running socket tests for VFS2 as more features are
ported over.
Updates #1476, #1478, #1484, #1485.
PiperOrigin-RevId: 306292294
|
|
The comments in the ticket indicate that this behavior
is fine and that the ticket should be closed, so we shouldn't
need pointers to the ticket.
PiperOrigin-RevId: 306266071
|
|
PiperOrigin-RevId: 306263615
|
|
noNewPrivileges is ignored if set to false since gVisor assumes that
PR_SET_NO_NEW_PRIVS is always enabled.
PiperOrigin-RevId: 305991947
|
|
As in VFS1, we only support the user.* namespace. Plumbing is added to tmpfs
and goferfs.
Note that because of the slightly different order of checks between VFS2 and
Linux, one of the xattr tests needs to be relaxed slightly.
Fixes #2363.
PiperOrigin-RevId: 305985121
|
|
The sentry doesn't allow execve, but it's a good defense
in-depth measure.
PiperOrigin-RevId: 305958737
|
|
The dependency strace=>kernel grew over time. strace also depends on
task's FD table and FSContext. It could be fixed with some interfaces
the other way, but then we're trading an interface for another, and
kernel.Stracer is likely cleaner.
Closes #155
PiperOrigin-RevId: 305909678
|
|
PiperOrigin-RevId: 305807868
|
|
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Change-Id: I5bb8fa7d580d173b1438d6465e1adb442216c8fa
|
|
This should fix panic at aio callback.
PiperOrigin-RevId: 305798549
|
|
PiperOrigin-RevId: 305794509
|
|
Block and drain requests in io_destroy(2).
Note the reason to create read-only mapping.
PiperOrigin-RevId: 305786312
|
|
PiperOrigin-RevId: 305699233
|
|
Minimize the use of unsafe.
Signed-off-by: Bin Lu <bin.lu@arm.com>
|
|
The Linux does the same.
Reported-by: syzbot+e81716e8956e92e9d56b@syzkaller.appspotmail.com
PiperOrigin-RevId: 305625439
|
|
PiperOrigin-RevId: 305598136
|
|
PiperOrigin-RevId: 305592245
|
|
PiperOrigin-RevId: 305588941
|
|
Determine system time from within the sentry rather than relying on the remote
filesystem to prevent inconsistencies.
Resolve related TODOs; the time discrepancies in question don't exist anymore.
PiperOrigin-RevId: 305557099
|
|
FileDescription references are side-effectual; for example, holding a reference
on the write end of a pipe prevents reads from the read end from returning EOF.
This change is consistent with Linux, but not VFS1; while VFS1 also has this
bug, it's less visible there since VFS1 procfs disables caching.
Updates #1195
PiperOrigin-RevId: 305545099
|
|
Updates #164
PiperOrigin-RevId: 305544029
|
|
This fixes a bug in the proc net directory.
Updates #2243
|
|
Updates #2243
|
|
This required minor restructuring of how system call tables were saved
and restored, but it makes way more sense this way.
Updates #2243
|
|
Required directory checks were being skipped when there was
no child cached. Now the code always loads the child file
before unlinking it.
Updates #1198
PiperOrigin-RevId: 305382323
|
|
Check whether an fd is seekable by calling the seek syscall and
examining the return value, instead of checking the file type,
which is inaccurate.
PiperOrigin-RevId: 305361593
|
|
We already have network namespace for netstack.
PiperOrigin-RevId: 305341954
|
|
gofer operations accumulate dentries touched in a slice to call
checkCachingLocked on them when the operation is over. In case
the same dentry is touched multiple times during the operation,
checkCachingLocked, and consequently destroyLocked, may be called
more than once for the same dentry.
Updates #1198
PiperOrigin-RevId: 305276819
|
|
Updates #1195
PiperOrigin-RevId: 305143567
|
|
PiperOrigin-RevId: 305067208
|
|
Updates #1476.
PiperOrigin-RevId: 305024274
|
|
Updates #1476, #1478, #1484, #1485.
PiperOrigin-RevId: 304845354
|
|
Software GSO implementation currently has a complicated code path with
implicit assumptions that all packets to WritePackets carry same Data
and it does this to avoid allocations on the path etc. But this makes it
hard to reuse the WritePackets API.
This change breaks all such assumptions by introducing a new Vectorised
View API ReadToVV which can be used to cleanly split a VV into multiple
independent VVs. Further this change also makes packet buffers linkable
to form an intrusive list. This allows us to get rid of the array of
packet buffers that are passed in the WritePackets API call and replace
it with a list of packet buffers.
While this code does introduce some more allocations in the benchmarks
it doesn't cause any degradation.
Updates #231
PiperOrigin-RevId: 304731742
|
|
This change involves several steps:
- Refactor the VFS1 unix socket implementation to share methods between VFS1
and VFS2 where possible. Re-implement the rest.
- Override the default PRead, Read, PWrite, Write, Ioctl, Release methods in
FileDescriptionDefaultImpl.
- Add functions to create and initialize a new Dentry/Inode and FileDescription
for a Unix socket file.
Updates #1476
PiperOrigin-RevId: 304689796
|
|
PiperOrigin-RevId: 304684417
|
|
NAME_MAX should be enforced per filesystem implementation
because other file systems may not have the same restriction.
Gofer filesystem now keeps a reference to the kernel clock to
avoid lookup in the Context on file access to update atime.
Update access, modification, and status change times in tmpfs.
Updates #1197, #1198.
PiperOrigin-RevId: 304527148
|
|
PiperOrigin-RevId: 304508083
|
|
This is mostly required for PipeTest_OffsetCalls.
The options are DenyPRead/PWrite rather than AllowPRead/PWrite since, in Linux
terms, fs/open.c:do_dentry_open sets FMODE_PREAD|FMODE_PWRITE unconditionally
(although it allows filesystem implementations of open to unset these flags),
so they're set for most FDs; it's usually FDs created outside of open(2) that
don't get them, e.g.:
- Syscall-created pipes (fs/pipe.c:create_pipe_files =>
fs/file_table.c:alloc_file_pseudo)
- Epoll instances (fs/eventpoll.c:do_epoll_create =>
fs/anon_inodes.c:anon_inode_getfile => alloc_file_pseudo)
- Sockets (net/socket.c:sock_alloc_file => alloc_file_pseudo)
This CL adds the flags to epoll instances; a subsequent CL reworks the VFS2
implementation of pipe FDs to be filesystem-independent and adds the flags
there, and sockets aren't implemented yet.
Updates #1035
PiperOrigin-RevId: 304506434
|