summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2021-03-26Merge release-20210315.0-28-gfbec65fc3 (automated)gVisor bot
2021-03-25Use seqfile.SeqHandles correctly in VFS1 /proc/net/.Jamie Liu
Before this change: ``` $ docker run --runtime=runsc --rm -it -v ~/tmp:/hosttmp ubuntu:focal /hosttmp/issue5732 --bytes1=128 --bytes2=1024 #1: read(128) = 128 #2: read(1024) = EOF $ docker run --runtime=runsc-vfs2 --rm -it -v ~/tmp:/hosttmp ubuntu:focal /hosttmp/issue5732 --bytes1=128 --bytes2=1024 #1: read(128) = 128 #2: read(1024) = 256 ``` After this change: ``` $ docker run --runtime=runsc --rm -it -v ~/tmp:/hosttmp ubuntu:focal /hosttmp/issue5732 --bytes1=128 --bytes2=1024 #1: read(128) = 128 #2: read(1024) = 256 $ docker run --runtime=runsc-vfs2 --rm -it -v ~/tmp:/hosttmp ubuntu:focal /hosttmp/issue5732 --bytes1=128 --bytes2=1024 #1: read(128) = 128 #2: read(1024) = 256 ``` Fixes #5732 PiperOrigin-RevId: 365178386
2021-03-25Merge release-20210315.0-27-g79bc446fa (automated)gVisor bot
2021-03-25Lock TaskSet mutex for writing in ptraceClone().Jamie Liu
This is necessary since ptraceClone() mutates tracer.ptraceTracees. PiperOrigin-RevId: 365152396
2021-03-24Merge release-20210315.0-23-ge7ca2a51a (automated)gVisor bot
2021-03-24Add POLLRDNORM/POLLWRNORM support.Bhasker Hariharan
On Linux these are meant to be equivalent to POLLIN/POLLOUT. Rather than hack these on in sys_poll etc it felt cleaner to just cleanup the call sites to notify for both events. This is what linux does as well. Fixes #5544 PiperOrigin-RevId: 364859977
2021-03-24Merge release-20210315.0-20-g8ee4a3f6d (automated)gVisor bot
2021-03-23Merge pull request #5677 from avagin:kvm-mmiogVisor bot
PiperOrigin-RevId: 364728696
2021-03-24Merge release-20210315.0-18-g56a9a1397 (automated)gVisor bot
2021-03-23Move the code that manages floating-point state to a separate packageAndrei Vagin
This change is inspired by Adin's cl/355256448. PiperOrigin-RevId: 364695931
2021-03-23Merge release-20210315.0-16-g92374e519 (automated)gVisor bot
2021-03-23setgid directory support in goferfsKevin Krakauer
Also adds support for clearing the setuid bit when appropriate (writing, truncating, changing size, changing UID, or changing GID). VFS2 only. PiperOrigin-RevId: 364661835
2021-03-23Merge release-20210315.0-15-gacb4c6288 (automated)gVisor bot
2021-03-22Merge release-20210315.0-6-g6bd2c6ce7 (automated)gVisor bot
2021-03-22Merge release-20210315.0-5-gb428fd02e (automated)gVisor bot
2021-03-22Avoid calling sync on each write in writethrough mode.Nicolas Lacasse
PiperOrigin-RevId: 364370595
2021-03-18Merge release-20210309.0-41-g7fac7e32f (automated)gVisor bot
2021-03-18Translate syserror when validating partial IO errorsFabricio Voznika
syserror allows packages to register translators for errors. These translators should be called prior to checking if the error is valid, otherwise it may not account for possible errors that can be returned from different packages, e.g. safecopy.BusError => syserror.EFAULT. Second attempt, it passes tests now :-) PiperOrigin-RevId: 363714508
2021-03-16kvm: prefault a floating point state before restoring itAndrei Vagin
If physical pages of a memory region are not mapped yet, the kernel will trigger KVM_EXIT_MMIO and we will map physical pages in bluepillHandler(). An instruction that triggered a fault will not be re-executed, it will be emulated in the kernel, but it can't emulate complex instructions like xsave, xrstor. We can touch the memory with simple instructions to workaround this problem.
2021-03-16Merge release-20210309.0-34-g607a1e481 (automated)gVisor bot
2021-03-16setgid directory support in overlayfsKevin Krakauer
PiperOrigin-RevId: 363276495
2021-03-16Merge release-20210309.0-30-gf7e841c2c (automated)gVisor bot
2021-03-15Turn sys_thread constants into variables.Etienne Perot
PiperOrigin-RevId: 363092268
2021-03-16Merge release-20210309.0-27-gb1d578772 (automated)gVisor bot
2021-03-15Make netstack (//pkg/tcpip) buildable for 32 bitKevin Krakauer
Doing so involved breaking dependencies between //pkg/tcpip and the rest of gVisor, which are discouraged anyways. Tested on the Go branch via: gvisor.dev/gvisor/pkg/tcpip/... Addresses #1446. PiperOrigin-RevId: 363081778
2021-03-15Merge release-20210309.0-26-gec45d9692 (automated)gVisor bot
2021-03-15[op] Make gofer client handle return partial write length when err is nil.Ayush Ranjan
If there was a partial write (when not using the host FD) which did not generate an error, we were incorrectly returning the number of bytes attempted to write instead of the number of bytes actually written. PiperOrigin-RevId: 363058989
2021-03-15Merge release-20210309.0-25-g48915d17d (automated)gVisor bot
2021-03-15Merge pull request #5618 from iangudger:unix-transport-racegVisor bot
PiperOrigin-RevId: 362999220
2021-03-12Merge release-20210301.0-43-g192318a23 (automated)gVisor bot
2021-03-11fusefs: Implement default_permissions and allow_other mount options.Rahat Mahmood
By default, fusefs defers node permission checks to the server. The default_permissions mount option enables the usual unix permission checks based on the node owner and mode bits. Previously fusefs was incorrectly checking permissions unconditionally. Additionally, fusefs should restrict filesystem access to processes started by the mount owner to prevent the fuse daemon from gaining priviledge over other processes. The allow_other mount option overrides this behaviour. Previously fusefs was incorrectly skipping this check. Updates #3229 PiperOrigin-RevId: 362419092
2021-03-12Merge release-20210301.0-37-gc5667022b (automated)gVisor bot
2021-03-11Clear Merkle tree files in RuntimeEnable modeChong Cai
The Merkle tree files need to be cleared before enabling to avoid redundant content. PiperOrigin-RevId: 362409591
2021-03-11Report filesystem-specific mount options.Rahat Mahmood
PiperOrigin-RevId: 362406813
2021-03-09Merge release-20210301.0-29-gabbdcebc5 (automated)gVisor bot
2021-03-08Implement /proc/sys/net/ipv4/ip_local_port_rangeKevin Krakauer
Speeds up the socket stress tests by a couple orders of magnitude. PiperOrigin-RevId: 361721050
2021-03-05Implement IterDirent in verity fsChong Cai
PiperOrigin-RevId: 361196154
2021-03-04Fix race in unix socket transport.Ian Gudger
transport.baseEndpoint.receiver and transport.baseEndpoint.connected are protected by transport.baseEndpoint.Mutex. In order to access them without holding the mutex, we must make a copy. Notifications must be sent without holding the mutex, so we need the values without holding the mutex.
2021-03-03Merge release-20210301.0-8-g3e69f5d08 (automated)gVisor bot
2021-03-03Merge release-20210301.0-7-g80bc67c26 (automated)gVisor bot
2021-03-03Add checklocks analyzer.Bhasker Hariharan
This validates that struct fields if annotated with "// checklocks:mu" where "mu" is a mutex field in the same struct then access to the field is only done with "mu" locked. All types that are guarded by a mutex must be annotated with // +checklocks:<mutex field name> For more details please refer to README.md. PiperOrigin-RevId: 360729328
2021-03-03Export stats that were forgottenArthur Sfez
While I'm here, simplify the comments and unify naming of certain stats across protocols. PiperOrigin-RevId: 360728849
2021-03-03Merge release-20210301.0-5-ga9441aea2 (automated)gVisor bot
2021-03-03[op] Replace syscall package usage with golang.org/x/sys/unix in pkg/.Ayush Ranjan
The syscall package has been deprecated in favor of golang.org/x/sys. Note that syscall is still used in the following places: - pkg/sentry/socket/hostinet/stack.go: some netlink related functionalities are not yet available in golang.org/x/sys. - syscall.Stat_t is still used in some places because os.FileInfo.Sys() still returns it and not unix.Stat_t. Updates #214 PiperOrigin-RevId: 360701387
2021-02-25Merge release-20210208.0-96-ge50ee2620 (automated)gVisor bot
2021-02-25Implement SEM_STAT_ANY cmd of semctl.Jing Chen
PiperOrigin-RevId: 359591577
2021-02-24Merge release-20210208.0-92-gf5692f7dc (automated)gVisor bot
2021-02-24Kernfs should not try to rename a file to itself.Nicolas Lacasse
One precondition of VFS.PrepareRenameAt is that the `from` and `to` dentries are not the same. Kernfs was not checking this, which could lead to a deadlock. PiperOrigin-RevId: 359385974
2021-02-24Merge release-20210208.0-91-g303c913c5 (automated)gVisor bot
2021-02-24Use mapped device number + topmost inode number for all files in VFS2 overlay.Jamie Liu
Before this CL, VFS2's overlayfs uses a single private device number and an autoincrementing generated inode number for directories; this is consistent with Linux's overlayfs in the non-samefs non-xino case. However, this breaks some applications more consistently than on Linux due to more aggressive caching of Linux overlayfs dentries. Switch from using mapped device numbers + the topmost layer's inode number for just non-copied-up non-directory files, to doing so for all files. This still allows directory dev/ino numbers to change across copy-up, but otherwise keeps them consistent. Fixes #5545: ``` $ docker run --runtime=runsc-vfs2-overlay --rm ubuntu:focal bash -c "mkdir -p 1/2/3/4/5/6/7/8 && rm -rf 1 && echo done" done ``` PiperOrigin-RevId: 359350716