path: root/pkg/sentry
Age | Commit message | Author
2018-08-02 | Copy creds in access | Michael Pratt
PiperOrigin-RevId: 207181631 Change-Id: Ic6205278715a9260fb970efb414fc758ea72c4c6
2018-08-02 | Update comment reference | Michael Pratt
PiperOrigin-RevId: 207180809 Change-Id: I08c264812919e81b2c56fdd4a9ef06924de8b52f
2018-08-02 | Automated rollback of changelist 207037226 | Zhaozhong Ni
PiperOrigin-RevId: 207125440 Change-Id: I6c572afb4d693ee72a0c458a988b0e96d191cd49
2018-08-02 | Add seccomp(2) support. | Brian Geffon
Add support for the seccomp syscall and the flag SECCOMP_FILTER_FLAG_TSYNC. PiperOrigin-RevId: 207101507 Change-Id: I5eb8ba9d5ef71b0e683930a6429182726dc23175
2018-08-01 | Automated rollback of changelist 207007153 | Michael Pratt
PiperOrigin-RevId: 207037226 Change-Id: I8b5f1a056d4f3eab17846f2e0193bb737ecb5428
2018-08-01 | stateify: convert all packages to use explicit mode. | Zhaozhong Ni
PiperOrigin-RevId: 207007153 Change-Id: Ifedf1cc3758dc18be16647a4ece9c840c1c636c9
2018-08-01 | New conditional for adding key/value pairs to maps. | Brielle Broder
When adding MultiDeviceKeys and their values into MultiDevice maps, make sure the keys and values have not already been added. This ensures that preexisting key/value pairs are not overridden. PiperOrigin-RevId: 206942766 Change-Id: I9d85f38eb59ba59f0305e6614a52690608944981
2018-07-31 | proc: show file flags in fdinfo | Andrei Vagin
Currently, there is an attempt to print FD flags, but they are not decoded into a number, so we see something like this:

/criu # cat /proc/self/fdinfo/0
flags: {%!o(bool=000false)}

Actually, fdinfo has to contain file flags. Change-Id: Idcbb7db908067447eb9ae6f2c3cfb861f2be1a97 PiperOrigin-RevId: 206794498
2018-07-27 | Added the O_LARGEFILE flag. | Justine Olshan
This flag will always be true for gVisor files. PiperOrigin-RevId: 206355963 Change-Id: I2f03d2412e2609042df43b06d1318cba674574d0
2018-07-27 | stateify: support explicit annotation mode; convert refs and stack packages. | Zhaozhong Ni
We have been unnecessarily creating too many savable types implicitly. PiperOrigin-RevId: 206334201 Change-Id: Idc5a3a14bfb7ee125c4f2bb2b1c53164e46f29a8
2018-07-26 | Don't copy-up extended attributes that specifically configure a lower overlay. | Nicolas Lacasse
When copying-up files from a lower fs to an upper, we also copy the extended attributes on the file. If there is a (nested) overlay inside the lower, some of these extended attributes configure the lower overlay, and should not be copied-up to the upper. In particular, whiteout attributes in the lower fs overlay should not be copied-up, since the upper fs may actually contain the file. PiperOrigin-RevId: 206236010 Change-Id: Ia0454ac7b99d0e11383f732a529cb195ed364062
2018-07-25 | Format openat flags | Michael Pratt
PiperOrigin-RevId: 206021774 Change-Id: I447b6c751c28a8d8d4d78468b756b6ad8c61e169
2018-07-24 | Typo fix. | Kevin Krakauer
PiperOrigin-RevId: 205880843 Change-Id: If2272b25f08a18ebe9b6309a1032dd5cdaa59866
2018-07-23 | Add KVM and overlay dimensions to container_test | Fabricio Voznika
PiperOrigin-RevId: 205714667 Change-Id: I317a2ca98ac3bdad97c4790fcc61b004757d99ef
2018-07-20 | Format getcwd path | Michael Pratt
PiperOrigin-RevId: 205440332 Change-Id: I2a838f363e079164c83da88e1b0b8769844fe79b
2018-07-19 | kernel: mutations on creds now require a copy. | Adin Scannell
PiperOrigin-RevId: 205315612 Change-Id: I9a0a1e32c8abfb7467a38743b82449cc92830316
2018-07-19 | fs: Pass context to Revalidate() function. | Nicolas Lacasse
The current revalidation logic is very simple and does not do much introspection of the dirent being revalidated (other than looking at the type of file). Fancier revalidation logic is coming soon, and we need to be able to look at the cached and uncached attributes of a given dirent, and we need a context to perform some of these operations. PiperOrigin-RevId: 205307351 Change-Id: If17ea1c631d8f9489c0e05a263e23d7a8a3bf159
2018-07-19 | ConfigureMMap on an overlay file delegates to the upper if there is no lower. | Nicolas Lacasse
In the general case with an overlay, all mmap calls must go through the overlay, because in the event of a copy-up, the overlay needs to invalidate any previously-created mappings. If there is no lower file, however, there will never be a copy-up, so the overlay can delegate directly to the upper file in that case. This also allows us to correctly mmap /dev/zero when it is in an overlay. This file has special semantics which the overlay does not know about. In particular, it does not implement Mappable(), which (in the general case) the overlay uses to detect if a file is mappable or not. PiperOrigin-RevId: 205306743 Change-Id: I92331649aa648340ef6e65411c2b42c12fa69631
2018-07-19 | Add AT_UID, AT_EUID, AT_GID, AT_EGID to aux vector. | Brian Geffon
With musl libc when these entries are missing from the aux vector it's forcing libc.secure (effectively AT_SECURE). This mode prevents RPATH and LD_LIBRARY_PATH from working. https://git.musl-libc.org/cgit/musl/tree/ldso/dynlink.c#n1488 As the first entry is a mask of all the aux fields set: https://git.musl-libc.org/cgit/musl/tree/ldso/dynlink.c#n187 PiperOrigin-RevId: 205284684 Change-Id: I04de7bab241043306b4f732306a81d74edfdff26
2018-07-19 | sentry: save stack in proc net dev. | Zhaozhong Ni
PiperOrigin-RevId: 205253858 Change-Id: Iccdc493b66d1b4d39de44afb1184952183b1283f
2018-07-18 | Fix lock-ordering violation in Create by logging BaseName instead of FullName. | Nicolas Lacasse
Dirent.FullName takes the global renameMu, but can be called during Create, which itself takes dirent.mu and dirent.dirMu, which is a lock-order violation:

Dirent.Create
  d.dirMu.Lock
  d.mu.Lock
  Inode.Create
    gofer.inodeOperations.Create
      gofer.NewFile
        Dirent.FullName
          d.renameMu.RLock

We only use the FullName here for logging, and in this case we can get by with logging only the BaseName. A `BaseName` method was added to Dirent, which simply returns the name, taking d.parent.mu as required. In the Create pathway, we can't call d.BaseName() because taking d.parent.mu after d.mu violates the lock order. But we already know the base name of the file we just created, so that's OK. In the Open/GetFile pathway, we are free to call d.BaseName() because the other dirent locks are not held. PiperOrigin-RevId: 205112278 Change-Id: Ib45c734081aecc9b225249a65fa8093eb4995f10
2018-07-17 | Merge FileMem.usage in IncRef | Michael Pratt
Per the doc, usage must be kept maximally merged. Beyond that, it is simply a good idea to keep fragmentation in usage to a minimum. The glibc malloc allocator allocates one page at a time, potentially causing lots of fragmentation. However, those pages are likely to have the same number of references, often making it possible to merge ranges. PiperOrigin-RevId: 204960339 Change-Id: I03a050cf771c29a4f05b36eaf75b1a09c9465e14
2018-07-16 | Add CPUID faulting for ptrace and KVM. | Adin Scannell
PiperOrigin-RevId: 204858314 Change-Id: I8252bf8de3232a7a27af51076139b585e73276d4
2018-07-16 | Start allocation and reclaim scans only where they may find a match | Michael Pratt
If usageSet is heavily fragmented, findUnallocatedRange and findReclaimable can spend excessive cycles linearly scanning the set for unallocated/free pages. Improve common cases by beginning the scan only at the first page that could possibly contain an unallocated/free page. This metadata only guarantees that there is no lower unallocated/free page, but a scan may still be required (especially for multi-page allocations). That said, this heuristic can still provide significant performance improvements for certain applications. PiperOrigin-RevId: 204841833 Change-Id: Ic41ad33bf9537ecd673a6f5852ab353bf63ea1e6
2018-07-16 | Add EventOperations.HostFD() | Neel Natu
This method allows an eventfd inside the Sentry to be registered with the host kernel. Update comment about memory mapping host fds via CachingInodeOperations. PiperOrigin-RevId: 204784859 Change-Id: I55823321e2d84c17ae0f7efaabc6b55b852ae257
2018-07-13 | Allow a filesystem to control its visibility in /proc/filesystems. | Neel Natu
PiperOrigin-RevId: 204508520 Change-Id: I09e5f8b6e69413370e1a0d39dbb7dc1ee0b6192d
2018-07-13 | Note that Mount errors do not require translations | Michael Pratt
PiperOrigin-RevId: 204490639 Change-Id: I0fe26306bae9320c6aa4f854fe0ef25eebd93233
2018-07-12 | Fix aio eventfd lookup | Michael Pratt
We're failing to set eventFile in the outer scope. PiperOrigin-RevId: 204392995 Change-Id: Ib9b04f839599ef552d7b5951d08223e2b1d5f6ad
2018-07-12 | sentry: wait for restore clock instead of panicking in Timekeeper. | Zhaozhong Ni
PiperOrigin-RevId: 204372296 Change-Id: If1ed9843b93039806e0c65521f30177dc8036979
2018-07-12 | sentry: save inet stacks in proc files. | Zhaozhong Ni
PiperOrigin-RevId: 204362791 Change-Id: If85ea7442741e299f0d7cddbc3d6b415e285da81
2018-07-12 | Format documentation | Michael Pratt
PiperOrigin-RevId: 204323728 Change-Id: I1ff9aa062ffa12583b2e38ec94c87db7a3711971
2018-07-11 | Move ptrace constants to abi/linux. | Jamie Liu
PiperOrigin-RevId: 204188763 Change-Id: I5596ab7abb3ec9e210a7f57b3fc420e836fa43f3
2018-07-11 | Add MemoryManager.Pin. | Jamie Liu
PiperOrigin-RevId: 204162313 Change-Id: Ib0593dde88ac33e222c12d0dca6733ef1f1035dc
2018-07-10 | Exit tmpfs.fileInodeOperations.Translate early if required.Start >= EOF. | Jamie Liu
Otherwise required and optional can be empty or have negative length. PiperOrigin-RevId: 204007079 Change-Id: I59e472a87a8caac11ffb9a914b8d79bf0cd70995
2018-07-10 | netstack: tcp socket connected state S/R support. | Zhaozhong Ni
PiperOrigin-RevId: 203958972 Change-Id: Ia6fe16547539296d48e2c6731edacdd96bd6e93c
2018-07-09 | Inherit parent in clone(CLONE_THREAD) under TaskSet.mu. | Jamie Liu
PiperOrigin-RevId: 203849534 Change-Id: I4d81513bfd32e0b7fc40c8a4c194eba7abc35a83
2018-07-09 | Trim all whitespace between interpreter and arg | Michael Pratt
Multiple whitespace characters are allowed. This fixes Ubuntu's /usr/sbin/invoke-rc.d, which has trailing whitespace after the interpreter which we were treating as an arg. PiperOrigin-RevId: 203802278 Change-Id: I0a6cdb0af4b139cf8abb22fa70351fe3697a5c6b
2018-07-03 | Fix data race on inotify.Watch.mask. | Rahat Mahmood
PiperOrigin-RevId: 203180463 Change-Id: Ief50988c1c028f81ec07a26e704d893e86985bf0
2018-07-03 | Fix runsc VDSO mapping | Michael Pratt
80bdf8a4068de3ac4a73b6b61a0cdcfe3e3571af accidentally moved vdso into an inner scope, never assigning the vdso variable passed to the Kernel and thus skipping VDSO mappings. Fix this and remove the ability for loadVDSO to skip VDSO mappings, since tests that do so are gone. PiperOrigin-RevId: 203169135 Change-Id: Ifd8cadcbaf82f959223c501edcc4d83d05327eba
2018-07-03 | Handle NUL-only paths in exec | Michael Pratt
The path in execve(2), interpreter script, and ELF interpreter may all be no more than a NUL-byte. Handle each of those cases. PiperOrigin-RevId: 203155745 Change-Id: I1c8b1b387924b23b2cf942341dfc76c9003da959
2018-07-02 | Hold d.parent.mu when reading d.name | Michael Pratt
PiperOrigin-RevId: 203041657 Change-Id: I120783d91712818e600505454c9276f8d9877f37
2018-06-29 | Sets the restore environment for restoring a container. | Justine Olshan
Updated how restoring occurs through boot.go with a separate Restore function. This prevents a new process and new mounts from being created. Added tests to ensure the container is restored. Registered checkpoint and restore commands so they can be used. Docker support for these commands is still limited. Working on #80. PiperOrigin-RevId: 202710950 Change-Id: I2b893ceaef6b9442b1ce3743bd112383cb92af0c
2018-06-29 | aio: Return EINVAL if the number of events is negative. | Nicolas Lacasse
PiperOrigin-RevId: 202671065 Change-Id: I248b74544d47ddde9cd59d89aa6ccb7dad2b6f89
2018-06-28 | Hold t.mu while calling t.FSContext(). | Nicolas Lacasse
PiperOrigin-RevId: 202562686 Change-Id: I0f5be7cc9098e86fa31d016251c127cb91084b05
2018-06-28 | Check for invalid offset when submitting an AIO read/write request. | Nicolas Lacasse
PiperOrigin-RevId: 202528335 Change-Id: Ic32312cf4337bcb40a7155cb2174e5cd89a280f7
2018-06-27 | Fix semaphore data races | Fabricio Voznika
PiperOrigin-RevId: 202371908 Change-Id: I72603b1d321878cae6404987c49e64732b676331
2018-06-27 | Call mm.CheckIORange() when copying in IOVecs. | Nicolas Lacasse
CheckIORange is analogous to Linux's access_ok() method, which is checked when copying in IOVecs in both lib/iov_iter.c:import_single_range() and lib/iov_iter.c:import_iovec() => fs/read_write.c:rw_copy_check_uvector(). gVisor copies in IOVecs via Task.SingleIOSequence() and Task.CopyInIovecs(). We were checking the address range bounds, but not whether the address is valid. To conform with Linux, we should also check that the address is valid. For usual preadv/pwritev syscalls, the effect of this change is not noticeable, since we find out that the address is invalid before the syscall completes. For vectorized async-IO operations, however, this change is necessary because Linux returns EFAULT when the operation is submitted, but before it executes. Thus, we must validate the iovecs when copying them in. PiperOrigin-RevId: 202370092 Change-Id: I8759a63ccf7e6b90d90d30f78ab8935a0fcf4936
2018-06-27 | Ignore MADV_DONTDUMP and MADV_DODUMP. | Jamie Liu
PiperOrigin-RevId: 202361912 Change-Id: I1d0ee529073954d467b870872f494cebbf8ea61a
2018-06-26 | Add KVM, overlay and host network to image tests | Fabricio Voznika
PiperOrigin-RevId: 202236006 Change-Id: I4ea964a70fc49e8b51c9da27d77301c4eadaae71
2018-06-26 | Change SIGCHLD to SIGKILL in ptrace stubs. | Adin Scannell
If the child stubs are killed by any unmaskable signal (e.g. SIGKILL), then the parent process will similarly be killed, resulting in the death of all other stubs. The effect of this is that if the OOM killer selects and kills a stub, the effect is the same as though the OOM killer selected and killed the sentry. PiperOrigin-RevId: 202219984 Change-Id: I0b638ce7e59e0a0f4d5cde12a7d05242673049d7