path: root/pkg/sentry
Age | Commit message | Author
2018-07-03 | Handle NUL-only paths in exec | Michael Pratt
The path in execve(2), interpreter script, and ELF interpreter may all be no more than a NUL-byte. Handle each of those cases. PiperOrigin-RevId: 203155745 Change-Id: I1c8b1b387924b23b2cf942341dfc76c9003da959
2018-07-02 | Hold d.parent.mu when reading d.name | Michael Pratt
PiperOrigin-RevId: 203041657 Change-Id: I120783d91712818e600505454c9276f8d9877f37
2018-06-29 | Sets the restore environment for restoring a container. | Justine Olshan
Updated how restoring occurs through boot.go with a separate Restore function. This prevents a new process and new mounts from being created. Added tests to ensure the container is restored. Registered checkpoint and restore commands so they can be used. Docker support for these commands is still limited. Working on #80. PiperOrigin-RevId: 202710950 Change-Id: I2b893ceaef6b9442b1ce3743bd112383cb92af0c
2018-06-29 | aio: Return EINVAL if the number of events is negative. | Nicolas Lacasse
PiperOrigin-RevId: 202671065 Change-Id: I248b74544d47ddde9cd59d89aa6ccb7dad2b6f89
2018-06-28 | Hold t.mu while calling t.FSContext(). | Nicolas Lacasse
PiperOrigin-RevId: 202562686 Change-Id: I0f5be7cc9098e86fa31d016251c127cb91084b05
2018-06-28 | Check for invalid offset when submitting an AIO read/write request. | Nicolas Lacasse
PiperOrigin-RevId: 202528335 Change-Id: Ic32312cf4337bcb40a7155cb2174e5cd89a280f7
2018-06-27 | Fix semaphore data races | Fabricio Voznika
PiperOrigin-RevId: 202371908 Change-Id: I72603b1d321878cae6404987c49e64732b676331
2018-06-27 | Call mm.CheckIORange() when copying in IOVecs. | Nicolas Lacasse
CheckIORange is analogous to Linux's access_ok() method, which is checked when copying in IOVecs in both lib/iov_iter.c:import_single_range() and lib/iov_iter.c:import_iovec() => fs/read_write.c:rw_copy_check_uvector(). gVisor copies in IOVecs via Task.SingleIOSequence() and Task.CopyInIovecs(). We were checking the address range bounds, but not whether the address is valid. To conform with Linux, we should also check that the address is valid. For usual preadv/pwritev syscalls, the effect of this change is not noticeable, since we find out that the address is invalid before the syscall completes. For vectorized async-IO operations, however, this change is necessary because Linux returns EFAULT when the operation is submitted, but before it executes. Thus, we must validate the iovecs when copying them in. PiperOrigin-RevId: 202370092 Change-Id: I8759a63ccf7e6b90d90d30f78ab8935a0fcf4936
2018-06-27 | Ignore MADV_DONTDUMP and MADV_DODUMP. | Jamie Liu
PiperOrigin-RevId: 202361912 Change-Id: I1d0ee529073954d467b870872f494cebbf8ea61a
2018-06-26 | Add KVM, overlay and host network to image tests | Fabricio Voznika
PiperOrigin-RevId: 202236006 Change-Id: I4ea964a70fc49e8b51c9da27d77301c4eadaae71
2018-06-26 | Change SIGCHLD to SIGKILL in ptrace stubs. | Adin Scannell
If the child stubs are killed by any unmaskable signal (e.g. SIGKILL), then the parent process will similarly be killed, resulting in the death of all other stubs. The effect of this is that if the OOM killer selects and kills a stub, the effect is the same as though the OOM killer selected and killed the sentry. PiperOrigin-RevId: 202219984 Change-Id: I0b638ce7e59e0a0f4d5cde12a7d05242673049d7
2018-06-26 | Use the correct Context for /proc/[pid]/maps. | Jamie Liu
PiperOrigin-RevId: 202180487 Change-Id: I95cce41a4842ab731a4821b387b32008bfbdcb08
2018-06-26 | Add Context to seqfile.SeqSource.ReadSeqFileData. | Jamie Liu
PiperOrigin-RevId: 202163895 Change-Id: Ib9942fcff80c0834216f4f10780662bef5b52270
2018-06-26 | Automated rollback of changelist 201596247 | Brian Geffon
PiperOrigin-RevId: 202151720 Change-Id: I0491172c436bbb32b977f557953ba0bc41cfe299
2018-06-25 | Fix panic message | Michael Pratt
The arguments are backwards from the message. PiperOrigin-RevId: 202054887 Change-Id: Id5750a84ca091f8b8fbe15be8c648d4fa3e31eb2
2018-06-25 | Check for empty applicationAddrRange in MM.DecUsers. | Jamie Liu
PiperOrigin-RevId: 202043776 Change-Id: I4373abbcf735dc1cf4bebbbbb0c7124df36e9e78
2018-06-25 | Don't read cwd or root without holding mu | Michael Pratt
PiperOrigin-RevId: 202043090 Change-Id: I3c47fb3413ca8615d50d8a0503d72fcce9b09421
2018-06-25 | MountSource.Root() should return a reference on the dirent. | Nicolas Lacasse
PiperOrigin-RevId: 202038397 Change-Id: I074d525f2e2d9bcd43b247b62f86f9129c101b78
2018-06-25 | Don't read FSContext.root without holding FSContext.mu | Michael Pratt
IsChrooted still has the opportunity to race with another thread entering the FSContext into a chroot, but that is unchanged (and fine, AFAIK). PiperOrigin-RevId: 202029117 Change-Id: I38bce763b3a7715fa6ae98aa200a19d51a0235f1
2018-06-22 | Add rpcinet support for SIOCGIFCONF. | Brian Geffon
The interfaces and their addresses are already available via the stack Interfaces and InterfaceAddrs. Also add some tests as we had no tests around SIOCGIFCONF. I also added the socket_netgofer lifecycle for IOCTL tests. PiperOrigin-RevId: 201744863 Change-Id: Ie0a285a2a2f859fa0cafada13201d5941b95499a
2018-06-22 | Simplify some handle logic. | Nicolas Lacasse
PiperOrigin-RevId: 201738936 Change-Id: Ib75136415e28e8df0c742acd6b9512d4809fe3a8
2018-06-22 | Handle mremap(old_size=0). | Jamie Liu
PiperOrigin-RevId: 201729703 Change-Id: I486900b0c6ec59533b88da225a5829c474e35a70
2018-06-22 | Netstack should return EOF on closed read. | Brian Geffon
The shutdown behavior where we return EAGAIN for sockets which are non-blocking is only correct for packet based sockets. SOCK_STREAM sockets should return EOF. PiperOrigin-RevId: 201703055 Change-Id: I20b25ceca7286c37766936475855959706fc5397
2018-06-21 | netstack: tcp socket connected state S/R support. | Zhaozhong Ni
PiperOrigin-RevId: 201596247 Change-Id: Id22f47b2cdcbe14aa0d930f7807ba75f91a56724
2018-06-21 | Drop return from SendExternalSignal | Michael Pratt
SendExternalSignal is no longer called before CreateProcess, so it can enforce this simplified precondition. StartForwarding, and after Kernel.Start. PiperOrigin-RevId: 201591170 Change-Id: Ib7022ef7895612d7d82a00942ab59fa433c4d6e9
2018-06-21 | Forward SIGUSR2 to the sandbox too | Fabricio Voznika
SIGUSR2 was being masked out to be used as a way to dump sentry stacks. This could cause compatibility problems in cases anyone uses SIGUSR2 to communicate with the container init process. PiperOrigin-RevId: 201575374 Change-Id: I312246e828f38ad059139bb45b8addc2ed055d74
2018-06-21 | Implement ioctl(FIOASYNC) | Ian Gudger
FIOASYNC and friends are used to send signals when a file is ready for IO. This may or may not be needed by Nginx. While Nginx does use it, it is unclear if the code that uses it has any effect. PiperOrigin-RevId: 201550828 Change-Id: I7ba05a7db4eb2dfffde11e9bd9a35b65b98d7f50
2018-06-20 | Remove some defers in hot paths in the filesystem code. | Nicolas Lacasse
PiperOrigin-RevId: 201401727 Change-Id: Ia5589882ba58a00efb522ab372e206b7e8e62aee
2018-06-20 | sentry: pending signals S/R optimization. | Zhaozhong Ni
Almost all of the hundreds of pending signal queues are empty upon save. PiperOrigin-RevId: 201380318 Change-Id: I40747072435299de681d646e0862efac0637e172
2018-06-19 | Epsocket has incorrect recv(2) behavior after SHUT_RD. | Brian Geffon
After shutdown(SHUT_RD) calls to recv /w MSG_DONTWAIT or with O_NONBLOCK should result in an EAGAIN and not 0. Blocking sockets should return 0 as they would have otherwise blocked indefinitely. PiperOrigin-RevId: 201271123 Change-Id: If589b69c17fa5b9ff05bcf9e44024da9588c8876
2018-06-19 | Make KVM more scalable by removing CPU cap. | Adin Scannell
Instead, CPUs will be created dynamically. We also allow a relatively efficient mechanism for stealing and notifying when a vCPU becomes available via unlock. Since the number of vCPUs is no longer fixed at machine creation time, we make the dirtySet packing more efficient. This has the pleasant side effect of cutting out the unsafe address space code. PiperOrigin-RevId: 201266691 Change-Id: I275c73525a4f38e3714b9ac0fd88731c26adfe66
2018-06-19 | sentry: futex S/R optimization. | Zhaozhong Ni
No need to save thousands of zerovalue buckets. PiperOrigin-RevId: 201258598 Change-Id: I5d3ea7b6a5345117ab4f610332d5288ca550be33
2018-06-19 | Added a resume command to unpause a paused container. | Justine Olshan
Resume checks the status of the container and unpauses the kernel if its status is paused. Otherwise nothing happens. Tests were added to ensure that the process is in the correct state after various commands. PiperOrigin-RevId: 201251234 Change-Id: Ifd11b336c33b654fea6238738f864fcf2bf81e19
2018-06-19 | Rpcinet is racy around shutdown flags. | Brian Geffon
Correct a data race in rpcinet where a shutdown and recvmsg can race around shutdown flags. PiperOrigin-RevId: 201238366 Change-Id: I5eb06df4a2b4eba331eeb5de19076213081d581f
2018-06-19 | Add a new cache policy FSCACHE_WRITETHROUGH. | Nicolas Lacasse
The new policy is identical to FSCACHE (which caches everything in memory), but it also flushes writes to the backing fs agent immediately. All gofer cache policy decisions have been moved into the cachePolicy type. Previously they were sprinkled around the codebase. There are many different things that we cache (page cache, negative dirents, dirent LRU, unstable attrs, readdir results....), and I don't think we should have individual flags to control each of these. Instead, we should have a few high-level cache policies that are consistent and useful to users. This refactoring makes it easy to add more such policies. PiperOrigin-RevId: 201206937 Change-Id: I6e225c382b2e5e1b0ad4ccf8ca229873f4cd389d
2018-06-19 | Rpcinet needs to track shutdown state for blocking sockets. | Brian Geffon
Because rpcinet will emulate a blocking socket backed by an rpc based non-blocking socket. In the event of a shutdown(SHUT_RD) followed by a read a non-blocking socket is allowed to return an EWOULDBLOCK however since a blocking socket knows it cannot receive any more data it would block indefinitely and in this situation Linux returns 0. We have to track this on the rpcinet sentry side so we can emulate that behavior because the remote side has no way to know if the socket is actually blocking within the sentry. PiperOrigin-RevId: 201201618 Change-Id: I4ac3a7b74b5dae471ab97c2e7d33b83f425aedac
2018-06-17 | Add rpcinet support for control messages. | Brian Geffon
Add support for control messages, but at this time the only control message that the sentry will support here is SO_TIMESTAMP. PiperOrigin-RevId: 200922230 Change-Id: I63a852d9305255625d9df1d989bd46a66e93c446
2018-06-15 | Replace crypto/rand with internal rand package | Michael Pratt
PiperOrigin-RevId: 200784607 Change-Id: I39aa6ee632936dcbb00fc298adccffa606e9f4c0
2018-06-15 | sentry: do not start delivering external signal immediately. | Zhaozhong Ni
PiperOrigin-RevId: 200765756 Change-Id: Ie4266f32e4e977df3925eb29f3fbb756e0337606
2018-06-15 | FIFOs should support O_TRUNC as a no-op. | Brian Geffon
PiperOrigin-RevId: 200759323 Change-Id: I683b2edcc2188304c4ca563e46af457e23625905
2018-06-15 | Use notify explicitly on unlock path. | Adin Scannell
There are circumstances under which the redpill call will not generate the appropriate action and notification. Replace this call with an explicit notification, which is guaranteed to transition as well as perform the futex wake. PiperOrigin-RevId: 200726934 Change-Id: Ie19e008a6007692dd7335a31a8b59f0af6e54aaa
2018-06-15 | Implement /proc/thread-self | Fabricio Voznika
Closes #68 PiperOrigin-RevId: 200725401 Change-Id: I4827009b8aee89d22887c3af67291ccf7058d420
2018-06-14 | Ignore expiration count in kernelCPUClockListener.Notify. | Jamie Liu
PiperOrigin-RevId: 200590832 Change-Id: I35b817ecccc9414a742dee4815dfc67d0c7d0496
2018-06-13 | Fix reference leak in VDSO validation | Ian Gudger
PiperOrigin-RevId: 200496070 Change-Id: I33adb717c44e5b4bcadece882be3ab1ee3920556
2018-06-13 | Fix missing returns in rpcinet. | Brian Geffon
PiperOrigin-RevId: 200472634 Change-Id: I3f0fb9e3b2f8616e6aa1569188258f330bf1ed31
2018-06-13 | Deflake kvm_test. | Adin Scannell
PiperOrigin-RevId: 200439846 Change-Id: I9970fe0716cb02f0f41b754891d55db7e0729f56
2018-06-13 | Fix failure to mount volume that sandbox process has no access | Fabricio Voznika
Boot loader tries to stat mount to determine whether it's a file or not. This may fail if the sandbox process doesn't have access to the file. Instead, add overlay on top of file, which is better anyway since we don't want to propagate changes to the host. PiperOrigin-RevId: 200411261 Change-Id: I14222410e8bc00ed037b779a1883d503843ffebb
2018-06-13 | sentry: do not treat all save errors as state file errors. | Zhaozhong Ni
PiperOrigin-RevId: 200410220 Change-Id: I6a8745e33be949e335719083501f18b24f6ba471
2018-06-13 | Log filemem state when panicking due to invalid refcount. | Jamie Liu
PiperOrigin-RevId: 200408305 Change-Id: I676ee49ec77697105723577928c7f82088cd378e
2018-06-12 | Fix reference leak for negative dirents | Ian Gudger
PiperOrigin-RevId: 200306715 Change-Id: I7c80059c77ebd3d9a5d7d48b05c8e7a597f10850