summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2020-06-11Merge release-20200522.0-125-g508e7c3a7 (automated)gVisor bot
2020-06-10Merge pull request #2763 from ↵gVisor bot
gaurav1086:sentry_kernel_timekeeper_use_buffered_channel PiperOrigin-RevId: 315803553
2020-06-10Merge release-20200522.0-120-g4b9652d63 (automated)gVisor bot
2020-06-10{S,G}etsockopt for TCP_KEEPCNT option.Nayana Bidari
TCP_KEEPCNT is used to set the maximum keepalive probes to be sent before dropping the connection. WANT_LGTM=jchacon PiperOrigin-RevId: 315758094
2020-06-10Merge release-20200522.0-119-ga5a4f8048 (automated)gVisor bot
2020-06-10socket/unix: handle sendto address argument for connected socketsAndrei Vagin
In case of SOCK_SEQPACKET, it has to be ignored. In case of SOCK_STREAM, EISCONN or EOPNOTSUPP has to be returned. PiperOrigin-RevId: 315755972
2020-06-10Merge release-20200522.0-117-g6d43ac957 (automated)gVisor bot
2020-06-10Merge pull request #2787 from lubinszARM:pr_race_timegVisor bot
PiperOrigin-RevId: 315734425
2020-06-10Merge release-20200522.0-115-gf004bb870 (automated)gVisor bot
2020-06-10Merge release-20200522.0-114-g9d2b2c121 (automated)gVisor bot
2020-06-10Merge release-20200522.0-113-g203dc121f (automated)gVisor bot
2020-06-10Redirect TODOs to more specific issuesFabricio Voznika
Closes #1623 PiperOrigin-RevId: 315681993
2020-06-09sentry: use defer wg.Done() unconditionallyGaurav Singh
Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
2020-06-10Merge release-20200522.0-112-g67565078b (automated)gVisor bot
2020-06-09Implement flock(2) in VFS2Fabricio Voznika
LockFD is the generic implementation that can be embedded in FileDescriptionImpl implementations. Unique lock ID is maintained in vfs.FileDescription and is created on demand. Updates #1480 PiperOrigin-RevId: 315604825
2020-06-10Merge release-20200522.0-111-g52c922f7c (automated)gVisor bot
2020-06-09Merge pull request #2712 from lubinszARM:pr_sigfp_initgVisor bot
PiperOrigin-RevId: 315599736
2020-06-10Merge release-20200522.0-109-ge3cbfbf34 (automated)gVisor bot
2020-06-09Merge pull request #2907 from lubinszARM:pr_minorgVisor bot
PiperOrigin-RevId: 315595602
2020-06-09Merge release-20200522.0-106-g6722b1e56 (automated)gVisor bot
2020-06-09Don't WriteOut to readonly mountsFabricio Voznika
When the file closes, it attempts to write dirty cached attributes to the file. This should not be done when the mount is readonly. PiperOrigin-RevId: 315585058
2020-06-09Merge release-20200522.0-101-gecff24930 (automated)gVisor bot
2020-06-09Ensure pgalloc.MemoryFile.fileSize is always chunk-aligned.Jamie Liu
findAvailableLocked() may return a non-aligned FileRange.End after expansion since it may round FileRange.Start down to a hugepage boundary. PiperOrigin-RevId: 315520321
2020-06-09minor change in kvm module for Arm64Bin Lu
Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-06-09initialize an empty fp state area for sentry on Arm64Bin Lu
We need to initialize an empty fp state area for the sentry. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-06-09Merge release-20200522.0-99-g4e96b9491 (automated)gVisor bot
2020-06-08Combine executable lookup codeFabricio Voznika
Run vs. exec, VFS1 vs. VFS2 were executable lookup were slightly different from each other. Combine them all into the same logic. PiperOrigin-RevId: 315426443
2020-06-08Merge release-20200522.0-97-gac37979c (automated)gVisor bot
2020-06-08Merge release-20200522.0-95-gdc029b4b (automated)gVisor bot
2020-06-08Implement VFS2 tmpfs mount options.Jamie Liu
As in VFS1, the mode, uid, and gid options are supported. Updates #1197 PiperOrigin-RevId: 315340510
2020-06-07Merge release-20200522.0-94-g32b823fc (automated)gVisor bot
2020-06-07netstack: parse incoming packet headers up-frontKevin Krakauer
Netstack has traditionally parsed headers on-demand as a packet moves up the stack. This is conceptually simple and convenient, but incompatible with iptables, where headers can be inspected and mangled before even a routing decision is made. This changes header parsing to happen early in the incoming packet path, as soon as the NIC gets the packet from a link endpoint. Even if an invalid packet is found (e.g. a TCP header of insufficient length), the packet is passed up the stack for proper stats bookkeeping. PiperOrigin-RevId: 315179302
2020-06-07Merge release-20200522.0-93-g62603041 (automated)gVisor bot
2020-06-06Merge release-20200522.0-91-g427d2082 (automated)gVisor bot
2020-06-06Merge release-20200522.0-89-g21b6bc72 (automated)gVisor bot
2020-06-05Implement mount(2) and umount2(2) for VFS2.Rahat Mahmood
This is mostly syscall plumbing, VFS2 already implements the internals of mounts. In addition to the syscall defintions, the following mount-related mechanisms are updated: - Implement MS_NOATIME for VFS2, but only for tmpfs and goferfs. The other VFS2 filesystems don't implement node-level timestamps yet. - Implement the 'mode', 'uid' and 'gid' mount options for VFS2's tmpfs. - Plumb mount namespace ownership, which is necessary for checking appropriate capabilities during mount(2). Updates #1035 PiperOrigin-RevId: 315035352
2020-06-06Merge release-20200522.0-88-g527d08f6 (automated)gVisor bot
2020-06-05Add +checkescape annotations to kvm/ring0.Adin Scannell
This analysis also catches a potential bug, which is a split on mapPhysical. This would have led to potential guest-exit during Mapping (although this would have been handled by the now-unecessary retryInGuest loop). PiperOrigin-RevId: 315025106
2020-06-05Merge release-20200522.0-85-g9aaca5a6 (automated)gVisor bot
2020-06-05Use top-down allocation for pgalloc.Adin Scannell
This change has multiple small components. First, the chunk size is bumped to 1GB in order to avoid creating excessive VMAs in the Sentry, which can lead to VMA exhaustion (and hitting limits). Second, gap-tracking is added to the usage set in order to efficiently scan for available regions. Third, reclaim is moved to a simple segment set. This is done to allow the order of reclaim to align with the Allocate order (which becomes much more complex when trying to track a "max page" as opposed to "min page", so we just track explicit segments instead, which should make reclaim scanning faster anyways). Finally, the findAvailable function attempts to scan from the top-down, in order to maximize opportunities for VMA merging in applications (hopefully preventing the same VMA exhaustion that can affect the Sentry). PiperOrigin-RevId: 315009249
2020-06-05Merge release-20200522.0-84-g8c1f5b5c (automated)gVisor bot
2020-06-05Unshare files on execAndrei Vagin
The current task can share its fdtable with a few other tasks, but after exec, this should be a completely separate process. PiperOrigin-RevId: 314999565
2020-06-05Merge release-20200522.0-81-g526df4f5 (automated)gVisor bot
2020-06-05Fix error code returned due to Port exhaustion.Bhasker Hariharan
For TCP sockets gVisor incorrectly returns EAGAIN when no ephemeral ports are available to bind during a connect. Linux returns EADDRNOTAVAIL. This change fixes gVisor to return the correct code and adds a test for the same. This change also fixes a minor bug for ping sockets where connect() would fail with EINVAL unless the socket was bound first. Also added tests for testing UDP Port exhaustion and Ping socket port exhaustion. PiperOrigin-RevId: 314988525
2020-06-05Merge release-20200522.0-76-g41da7a56 (automated)gVisor bot
2020-06-05Fix copylocks error about copying IPTables.Ting-Yu Wang
IPTables.connections contains a sync.RWMutex. Copying it will trigger copylocks analysis. Tested by manually enabling nogo tests. sync.RWMutex is added to IPTables for the additional race condition discovered. PiperOrigin-RevId: 314817019
2020-06-04avoid runtime fails with missing stack maps in race mode on Arm64Bin Lu
In race mode, when calling the go function in asm code, there will be an missing stack maps issue. The root cause is: The function of 'muldiv64' has a non-empty frame, so it needs stack maps for locals, for which the macro NO_LOCAL_POINTERS will do. Also, the macro GO_ARGS can covers arguments. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-06-03Merge release-20200522.0-72-gd3a8bffe (automated)gVisor bot
2020-06-03Pass PacketBuffer as pointer.Ting-Yu Wang
Historically we've been passing PacketBuffer by shallow copying through out the stack. Right now, this is only correct as the caller would not use PacketBuffer after passing into the next layer in netstack. With new buffer management effort in gVisor/netstack, PacketBuffer will own a Buffer (to be added). Internally, both PacketBuffer and Buffer may have pointers and shallow copying shouldn't be used. Updates #2404. PiperOrigin-RevId: 314610879
2020-06-03Merge release-20200522.0-70-g7da69fe9 (automated)gVisor bot