summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2020-05-07Merge release-20200422.0-45-g16da7e7 (automated)gVisor bot
2020-05-07Update privateunixsocket TODOs.Dean Deng
Synthetic sockets do not have the race condition issue in VFS2, and we will get rid of privateunixsocket as well. Fixes #1200. PiperOrigin-RevId: 310386474
2020-05-07Merge release-20200422.0-42-ge0089a2 (automated)gVisor bot
2020-05-07Remove outdated TODO for VFS2 AccessAt.Dean Deng
Fixes #1965. PiperOrigin-RevId: 310380433
2020-05-07Merge release-20200422.0-41-gfeece24 (automated)gVisor bot
2020-05-06Merge pull request #2570 from lubinszARM:pr_cleangVisor bot
PiperOrigin-RevId: 310259686
2020-05-06Merge release-20200422.0-39-g7cd54c1 (automated)gVisor bot
2020-05-06Remove vfs.FileDescriptionOptions.InvalidWrite.Jamie Liu
Compare: https://elixir.bootlin.com/linux/v5.6/source/fs/timerfd.c#L431 PiperOrigin-RevId: 310246908
2020-05-06Merge release-20200422.0-37-g279f1eb (automated)gVisor bot
2020-05-06Fix runsc syscall documentation generation.Adin Scannell
We can register any number of tables with any number of architectures, and need not limit the definitions to the architecture in question. This allows runsc to generate documentation for all architectures simultaneously. Similarly, this simplifies the VFSv2 patching process. PiperOrigin-RevId: 310224827
2020-05-06Merge release-20200422.0-34-g591ff0e (automated)gVisor bot
2020-05-06Add maximum memory limit.Nicolas Lacasse
PiperOrigin-RevId: 310179277
2020-05-06Merge release-20200422.0-33-g8416da3 (automated)gVisor bot
2020-05-05Internal change.gVisor bot
PiperOrigin-RevId: 310057834
2020-05-05Merge release-20200422.0-29-gfaf89dd (automated)gVisor bot
2020-05-05Update vfs2 socket TODOs.Dean Deng
Three updates: - Mark all vfs2 socket syscalls as supported. - Use the same dev number and ino number generator for all types of sockets, unlike in VFS1. - Do not use host fd for hostinet metadata. Fixes #1476, #1478, #1484, 1485, #2017. PiperOrigin-RevId: 309994579
2020-05-05Merge release-20200422.0-28-ga6dbf95 (automated)gVisor bot
2020-05-05Update comments for synthetic gofer files in vfs2.Dean Deng
PiperOrigin-RevId: 309966538
2020-05-05Merge release-20200422.0-27-gb3bd414 (automated)gVisor bot
2020-05-05Merge release-20200422.0-26-g35951c3 (automated)gVisor bot
2020-05-05Return correct name for imported host filesFabricio Voznika
Implement PrependPath() in host.filesystem to correctly format name for host files. Updates #1672 PiperOrigin-RevId: 309959135
2020-05-05Translate p9.NoUID/GID to OverflowUID/GID.Jamie Liu
p9.NoUID/GID (== uint32(-1) == auth.NoID) is not a valid auth.KUID/KGID; in particular, using it for file ownership causes capabilities to be ineffective since file capabilities require that the file's KUID and KGID are mapped into the capability holder's user namespace [1], and auth.NoID is not mapped into any user namespace. Map p9.NoUID/GID to a different, valid KUID/KGID; in the unlikely case that an application actually using the overflow KUID/KGID attempts an operation that is consequently permitted by client permission checks, the remote operation will still fail with EPERM. Since this changes the VFS2 gofer client to no longer ignore the invalid IDs entirely, this CL both permits and requires that we change synthetic mount point creation to use root credentials. [1] See fs.Inode.CheckCapability or vfs.GenericCheckPermissions. PiperOrigin-RevId: 309856455
2020-05-04Merge release-20200422.0-25-gda71dc7 (automated)gVisor bot
2020-05-04Port eventfd to VFS2.Nicolas Lacasse
And move sys_timerfd.go to just timerfd.go for consistency. Updates #1475. PiperOrigin-RevId: 309835029
2020-05-04Merge release-20200422.0-23-g57dbd7f (automated)gVisor bot
2020-05-04Remove kernfs.Filesystem cast from GenericDirectoryFDFabricio Voznika
This allows for kerfs.Filesystem to be overridden by different implementations. Updates #1672 PiperOrigin-RevId: 309809321
2020-05-04Merge release-20200422.0-18-g711439b (automated)gVisor bot
2020-05-04Merge pull request #2275 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 309783486
2020-05-04Merge release-20200422.0-16-gcbc5bef (automated)gVisor bot
2020-05-04Add TTY support on VFS2 to runscFabricio Voznika
Updates #1623, #1487 PiperOrigin-RevId: 309777922
2020-05-04Merge release-20200422.0-15-g2c98687 (automated)gVisor bot
2020-05-04Fix flaky monotonic time.Adin Scannell
This change ensures that even platforms with some TSC issues (e.g. KVM), can get reliable monotonic time by applied a lower bound on each read. PiperOrigin-RevId: 309773801
2020-05-01Support for connection tracking of TCP packets.Nayana Bidari
Connection tracking is used to track packets in prerouting and output hooks of iptables. The NAT rules modify the tuples in connections. The connection tracking code modifies the packets by looking at the modified tuples.
2020-05-01Merge release-20200422.0-11-g5e1e61f (automated)gVisor bot
2020-05-01Automated rollback of changelist 308674219Kevin Krakauer
PiperOrigin-RevId: 309491861
2020-05-01Merge release-20200422.0-9-g82bae30 (automated)gVisor bot
2020-05-01Port netstack, hostinet, and netlink sockets to VFS2.Dean Deng
All three follow the same pattern: 1. Refactor VFS1 sockets into socketOpsCommon, so that most of the methods can be shared with VFS2. 2. Create a FileDescriptionImpl with the corresponding socket operations, rewriting the few that cannot be shared with VFS1. 3. Set up a VFS2 socket provider that creates a socket by setting up a dentry in the global Kernel.socketMount and connecting it with a new FileDescription. This mostly completes the work for porting sockets to VFS2, and many syscall tests can be enabled as a result. There are several networking-related syscall tests that are still not passing: 1. net gofer tests 2. socketpair gofer tests 2. sendfile tests (splice is not implemented in VFS2 yet) Updates #1478, #1484, #1485 PiperOrigin-RevId: 309457331
2020-04-30Merge release-20200422.0-6-g01beec3 (automated)gVisor bot
2020-04-30Add gofer.InternalFilesystemOptions.LeakConnection.Jamie Liu
PiperOrigin-RevId: 309317605
2020-04-30Merge release-20200422.0-5-gbae30a0 (automated)gVisor bot
2020-04-30Implement waiter.Waitable methods on VFS2 host inodes.Nicolas Lacasse
This fixes bash in Ubuntu. Updates #1672. PiperOrigin-RevId: 309298252
2020-04-30Merge release-20200413.0-27-g442fde4 (automated)gVisor bot
2020-04-30Fix proc net bugs in VFS2.Dean Deng
The /proc/net/udp header was missing, and /proc/sys/net was set up as /proc/sys/net/net. Discovered while trying to run networking tests for VFS2. PiperOrigin-RevId: 309243758
2020-04-29Merge release-20200413.0-24-gef94401 (automated)gVisor bot
2020-04-29Add read/write timeouts for VFS2 socket files.Dean Deng
Updates #1476 PiperOrigin-RevId: 309098590
2020-04-29Merge release-20200413.0-23-ga105d18 (automated)gVisor bot
2020-04-29iptables: don't pollute logsKevin Krakauer
The netfilter package uses logs to make debugging the (de)serialization of structs easier. This generates a lot of (usually irrelevant) logs. Logging is now hidden behind a debug flag. PiperOrigin-RevId: 309087115
2020-04-29Merge release-20200413.0-18-gce19497 (automated)gVisor bot
2020-04-28Fix Unix socket permissions.Dean Deng
Enforce write permission checks in BoundEndpointAt, which corresponds to the permission checks in Linux (net/unix/af_unix.c:unix_find_other). Also, create bound socket files with the correct permissions in VFS2. Fixes #2324. PiperOrigin-RevId: 308949084
2020-04-29Merge release-20200413.0-16-gf93f2fd (automated)gVisor bot