summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2019-08-07Merge 79cc4397 (automated)gVisor bot
2019-08-07Merge e70eafc9 (automated)gVisor bot
2019-08-06Merge dfbc0b0a (automated)gVisor bot
2019-08-06Merge 704f9610 (automated)gVisor bot
2019-08-06Require pread/pwrite for splice file offsetsMichael Pratt
If there is an offset, the file must support pread/pwrite. See fs/splice.c:do_splice. PiperOrigin-RevId: 261944932
2019-08-05Merge 23e74043 (automated)gVisor bot
2019-08-02Merge 960a5e55 (automated)gVisor bot
2019-08-02Plumbing for iptables sockopts.Kevin Krakauer
PiperOrigin-RevId: 261413396
2019-08-02Merge b6a5b950 (automated)gVisor bot
2019-08-02Job control: controlling TTYs and foreground process groups.Kevin Krakauer
(Don't worry, this is mostly tests.) Implemented the following ioctls: - TIOCSCTTY - set controlling TTY - TIOCNOTTY - remove controlling tty, maybe signal some other processes - TIOCGPGRP - get foreground process group. Also enables tcgetpgrp(). - TIOCSPGRP - set foreground process group. Also enabled tcsetpgrp(). Next steps are to actually turn terminal-generated control characters (e.g. C^c) into signals to the proper process groups, and to send SIGTTOU and SIGTTIN when appropriate. PiperOrigin-RevId: 261387276
2019-08-02Merge b461be88 (automated)gVisor bot
2019-08-02Merge 2906dffc (automated)gVisor bot
2019-08-02Automated rollback of changelist 261191548Rahat Mahmood
PiperOrigin-RevId: 261373749
2019-08-02Merge aaaefdf9 (automated)gVisor bot
2019-08-02Remove kernel.mounts.Nicolas Lacasse
We can get the mount namespace from the CreateProcessArgs in all cases where we need it. This also gets rid of kernel.Destroy method, since the only thing it was doing was DecRefing the mounts. Removing the need to call kernel.SetRootMountNamespace also allowed for some more simplifications in the container fs setup code. PiperOrigin-RevId: 261357060
2019-08-02Merge 3eff0531 (automated)gVisor bot
2019-08-01Merge bad43772 (automated)gVisor bot
2019-08-01Drop reference on fs.Inode if Mount goes wrong.Nicolas Lacasse
PiperOrigin-RevId: 261203674
2019-08-01Merge f2b25aea (automated)gVisor bot
2019-08-01tmpfs and ramfs Dirs should drop references on children in Release().Nicolas Lacasse
This is the source of many warnings like: AtomicRefCount 0x7f5ff84e3500 owned by "fs.Inode" garbage collected with ref count of 1 (want 0) PiperOrigin-RevId: 261197093
2019-08-01Implement getsockopt(TCP_INFO).Rahat Mahmood
Export some readily-available fields for TCP_INFO and stub out the rest. PiperOrigin-RevId: 261191548
2019-08-01Merge 0a246fab (automated)gVisor bot
2019-07-31Basic support for 'ip route'Ian Lewis
Implements support for RTM_GETROUTE requests for netlink sockets. Fixes #507 PiperOrigin-RevId: 261051045
2019-07-31Merge 77833ece (automated)gVisor bot
2019-07-31Merge cf2b2d97 (automated)gVisor bot
2019-07-31Initialize kernel.unimplementedSyscallEmitter with a sync.Once.Nicolas Lacasse
This is initialized lazily on the first unimplemented syscall. Without the sync.Once, this is racy. PiperOrigin-RevId: 260971758
2019-07-31Merge edcc60b9 (automated)gVisor bot
2019-07-31Merge 12c4eb29 (automated)gVisor bot
2019-07-31Merge c6e6d92c (automated)gVisor bot
2019-07-31Merge a7d5e0d2 (automated)gVisor bot
2019-07-30Cache pages in CachingInodeOperations.Read when memory evictions are delayed.Jamie Liu
PiperOrigin-RevId: 260851452
2019-07-30ext: Migrate from using fileReader custom interface to using io.Reader.Ayush Ranjan
It gets rid of holding state of the io.Reader offset (which is anyways held by the vfs.FileDescriptor struct. It is also odd using a io.Reader becuase we using io.ReaderAt to interact with the device. So making a io.ReaderAt wrapper makes more sense. Most importantly, it gets rid of the complexity of extracting the file reader from a regular file implementation and then using it. Now we can just use the regular file implementation as a reader which is more intuitive. PiperOrigin-RevId: 260846927
2019-07-31Merge 9fbe984d (automated)gVisor bot
2019-07-30ext: block map file reader implementation.Ayush Ranjan
Also adds stress tests for block map reader and intensifies extent reader tests. PiperOrigin-RevId: 260838177
2019-07-31Merge 885e17f8 (automated)gVisor bot
2019-07-30Merge 7369c63e (automated)gVisor bot
2019-07-30Merge 93b0917d (automated)gVisor bot
2019-07-30Merge pull request #607 from DarcySail:mastergVisor bot
PiperOrigin-RevId: 260783254
2019-07-30Merge e511c0e0 (automated)gVisor bot
2019-07-30Add feature to launch Sentry from an open host FD.Zach Koopmans
Adds feature to launch from an open host FD instead of a binary_path. The FD should point to a valid executable and most likely be statically compiled. If the executable is not statically compiled, the loader will search along the interpreter paths, which must be able to be resolved in the Sandbox's file system or start will fail. PiperOrigin-RevId: 260756825
2019-07-30Merge 1decf764 (automated)gVisor bot
2019-07-30Merge 8da9f8a1 (automated)gVisor bot
2019-07-29Migrate from using io.ReadSeeker to io.ReaderAt.Ayush Ranjan
This provides the following benefits: - We can now use pkg/fd package which does not take ownership of the file descriptor. So it does not close the fd when garbage collected. This reduces scope of errors from unexpected garbage collection of io.File. - It enforces the offset parameter in every read call. It does not affect the fd offset nor is it affected by it. Hence reducing scope of error of using stale offsets when reading. - We do not need to serialize the usage of any global file descriptor anymore. So this drops the mutual exclusion req hence reducing complexity and congestion. PiperOrigin-RevId: 260635174
2019-07-30Combine multiple epoll events copiesHang Su
Allocate a larger memory buffer and combine multiple copies into one copy, to reduce the number of copies from kernel memory to user memory. Signed-off-by: Hang Su <darcy.sh@antfin.com>
2019-07-30Merge ddf25e33 (automated)gVisor bot
2019-07-29ext: extent reader implementation.Ayush Ranjan
PiperOrigin-RevId: 260629559
2019-07-30Merge b765eb45 (automated)gVisor bot
2019-07-29ext: inode implementations.Ayush Ranjan
PiperOrigin-RevId: 260624470
2019-07-30Merge 5fdb945a (automated)gVisor bot
2019-07-29Rate limit the unimplemented syscall event handler.Nicolas Lacasse
This introduces two new types of Emitters: 1. MultiEmitter, which will forward events to other registered Emitters, and 2. RateLimitedEmitter, which will forward events to a wrapped Emitter, subject to given rate limits. The methods in the eventchannel package itself act like a multiEmitter, but is not actually an Emitter. Now we have a DefaultEmitter, and the methods in eventchannel simply forward calls to the DefaultEmitter. The unimplemented syscall handler now uses a RateLimetedEmitter that wraps the DefaultEmitter. PiperOrigin-RevId: 260612770