Age | Commit message (Collapse) | Author |
|
This is necessary since ptraceClone() mutates tracer.ptraceTracees.
PiperOrigin-RevId: 365152396
|
|
On Linux these are meant to be equivalent to POLLIN/POLLOUT. Rather
than hack these on in sys_poll etc it felt cleaner to just cleanup
the call sites to notify for both events. This is what linux does
as well.
Fixes #5544
PiperOrigin-RevId: 364859977
|
|
PiperOrigin-RevId: 364859173
|
|
This change sets the inner `routeInfo` struct to be a named private member
and replaces direct access with access through getters. Note that direct
access to the fields of `routeInfo` is still possible through the `RouteInfo`
struct.
Fixes #4902
PiperOrigin-RevId: 364822872
|
|
PiperOrigin-RevId: 364728696
|
|
This change is inspired by Adin's cl/355256448.
PiperOrigin-RevId: 364695931
|
|
Also adds support for clearing the setuid bit when appropriate (writing,
truncating, changing size, changing UID, or changing GID).
VFS2 only.
PiperOrigin-RevId: 364661835
|
|
PiperOrigin-RevId: 364596526
|
|
...instead of opting out of them.
Loopback traffic should be stack-local but gVisor has some clients
that depend on the ability to receive loopback traffic that originated
from outside of the stack. Because of this, we guard this change behind
IP protocol options.
A previous change provided the facility to deny these martian loopback
packets but this change requires client to opt-in to accepting martian
loopback packets as accepting martian loopback packets are not meant
to be accepted, as per RFC 1122 section 3.2.1.3.g:
(g) { 127, <any> }
Internal host loopback address. Addresses of this form
MUST NOT appear outside a host.
PiperOrigin-RevId: 364581174
|
|
- Don't cleanup containers in Network.Cleanup, otherwise containers will
be killed and removed several times.
- Don't set AutoRemove for containers. This will prevent the confusing
'removal already in progress' messages.
Fixes #3795
PiperOrigin-RevId: 364404414
|
|
PiperOrigin-RevId: 364381970
|
|
PiperOrigin-RevId: 364370595
|
|
syserror allows packages to register translators for errors. These
translators should be called prior to checking if the error is valid,
otherwise it may not account for possible errors that can be returned
from different packages, e.g. safecopy.BusError => syserror.EFAULT.
Second attempt, it passes tests now :-)
PiperOrigin-RevId: 363714508
|
|
Transport demuxer and UDP tests should not use a loopback address as the
source address for packets injected into the stack as martian loopback
packets will be dropped in a later change.
PiperOrigin-RevId: 363479681
|
|
Loopback traffic should be stack-local but gVisor has some clients
that depend on the ability to receive loopback traffic that originated
from outside of the stack. Because of this, we guard this change behind
IP protocol options.
Test: integration_test.TestExternalLoopbackTraffic
PiperOrigin-RevId: 363461242
|
|
If physical pages of a memory region are not mapped yet, the kernel will
trigger KVM_EXIT_MMIO and we will map physical pages in bluepillHandler().
An instruction that triggered a fault will not be re-executed, it
will be emulated in the kernel, but it can't emulate complex
instructions like xsave, xrstor. We can touch the memory with
simple instructions to workaround this problem.
|
|
Netstack does not check ACK number for FIN-ACK packets and goes into TIMEWAIT
unconditionally. Fixing the state machine will give us back the retransmission
of FIN.
PiperOrigin-RevId: 363301883
|
|
There is a race in handling new incoming connections on a listening
endpoint that causes the endpoint to reply to more incoming SYNs than
what is permitted by the listen backlog.
The race occurs when there is a successful passive connection handshake
and the synRcvdCount counter is decremented, followed by the endpoint
delivered to the accept queue. In the window of time between
synRcvdCount decrementing and the endpoint being enqueued for accept,
new incoming SYNs can be handled without honoring the listen backlog
value, as the backlog could be perceived not full.
Fixes #5637
PiperOrigin-RevId: 363279372
|
|
PiperOrigin-RevId: 363276495
|
|
They are not used outside of the header package.
PiperOrigin-RevId: 363237708
|
|
...as per RFC 7527.
If a looped-back DAD message is received, do not fail DAD since our own
DAD message does not indicate that a neighbor has the address assigned.
Test: ndp_test.TestDADResolveLoopback
PiperOrigin-RevId: 363224288
|
|
Calling into the stack from LinkAddressRequest is not needed as we
already have a reference to the network endpoint (IPv6) or network
interface (IPv4/ARP).
PiperOrigin-RevId: 363213973
|
|
PiperOrigin-RevId: 363092268
|
|
PiperOrigin-RevId: 363091954
|
|
Doing so involved breaking dependencies between //pkg/tcpip and the rest
of gVisor, which are discouraged anyways.
Tested on the Go branch via:
gvisor.dev/gvisor/pkg/tcpip/...
Addresses #1446.
PiperOrigin-RevId: 363081778
|
|
If there was a partial write (when not using the host FD) which did not generate
an error, we were incorrectly returning the number of bytes attempted to write
instead of the number of bytes actually written.
PiperOrigin-RevId: 363058989
|
|
PiperOrigin-RevId: 362999220
|
|
Lots of small changes:
- simplify package API via Reservation type
- rename some single-letter variable names that were hard to follow
- rename some types
PiperOrigin-RevId: 362442366
|
|
By default, fusefs defers node permission checks to the server. The
default_permissions mount option enables the usual unix permission
checks based on the node owner and mode bits. Previously fusefs was
incorrectly checking permissions unconditionally.
Additionally, fusefs should restrict filesystem access to processes
started by the mount owner to prevent the fuse daemon from gaining
priviledge over other processes. The allow_other mount option
overrides this behaviour. Previously fusefs was incorrectly skipping
this check.
Updates #3229
PiperOrigin-RevId: 362419092
|
|
The Merkle tree files need to be cleared before enabling to avoid
redundant content.
PiperOrigin-RevId: 362409591
|
|
PiperOrigin-RevId: 362406813
|
|
PiperOrigin-RevId: 362297474
|
|
- Implement Stringer for it so that we can improve error messages.
- Use TCPFlags through the code base. There used to be a mixed usage of byte,
uint8 and int as TCP flags.
PiperOrigin-RevId: 361940150
|
|
Speeds up the socket stress tests by a couple orders of magnitude.
PiperOrigin-RevId: 361721050
|
|
Updates #5597
PiperOrigin-RevId: 361252003
|
|
IPv4 would violate the lock ordering of protocol > endpoint when closing
network endpoints by calling `ipv4.protocol.forgetEndpoint` while
holding the network endpoint lock.
PiperOrigin-RevId: 361232817
|
|
The integrator may be interested in who owns a duplicate address so
pass this information (if available) along.
Fixes #5605.
PiperOrigin-RevId: 361213556
|
|
PiperOrigin-RevId: 361196154
|
|
While I'm here, update NDPDispatcher.OnDuplicateAddressDetectionStatus to
take a DADResult and rename it to OnDuplicateAddressDetectionResult.
Fixes #5606.
PiperOrigin-RevId: 360965416
|
|
The only user is in (*handshake).complete and it specifies MaxRTO, so there is
no behavior changes.
PiperOrigin-RevId: 360954447
|
|
transport.baseEndpoint.receiver and transport.baseEndpoint.connected are
protected by transport.baseEndpoint.Mutex. In order to access them without
holding the mutex, we must make a copy.
Notifications must be sent without holding the mutex, so we need the values
without holding the mutex.
|
|
clientEP.Connect may fail because serverEP was not listening.
PiperOrigin-RevId: 360780667
|
|
One of the preparation to decouple underlying buffer implementation.
There are still some methods that tie to VectorisedView, and they will be
changed gradually in later CLs.
This CL also introduce a new ICMPv6ChecksumParams to replace long list of
parameters when calling ICMPv6Checksum, aiming to be more descriptive.
PiperOrigin-RevId: 360778149
|
|
(*os.PathError).Timeout does the same thing.
PiperOrigin-RevId: 360756784
|
|
Changes the neighbor_cache_test.go tests to always assert UpdatedAtNanos.
Completes the assertion of UpdatedAtNanos in every NUD test, a field that was
historically not checked due to the lack of a deterministic, controllable
clock. This is no longer true with the tcpip.Clock interface. While the tests
have been adjusted to use Clock, asserting by the UpdatedAtNanos was neglected.
Fixes #4663
PiperOrigin-RevId: 360730077
|
|
This validates that struct fields if annotated with "// checklocks:mu" where
"mu" is a mutex field in the same struct then access to the field is only
done with "mu" locked.
All types that are guarded by a mutex must be annotated with
// +checklocks:<mutex field name>
For more details please refer to README.md.
PiperOrigin-RevId: 360729328
|
|
While I'm here, simplify the comments and unify naming of certain stats
across protocols.
PiperOrigin-RevId: 360728849
|
|
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in the following places:
- pkg/sentry/socket/hostinet/stack.go: some netlink related functionalities
are not yet available in golang.org/x/sys.
- syscall.Stat_t is still used in some places because os.FileInfo.Sys() still
returns it and not unix.Stat_t.
Updates #214
PiperOrigin-RevId: 360701387
|
|
Prevent the situation where callers to (*stack).GetLinkAddress provide
incorrect arguments and are unable to observe this condition.
Updates #5583.
PiperOrigin-RevId: 360481557
|
|
io.Reader.ReadFull returns the number of bytes copied and an error if fewer
bytes were read.
PiperOrigin-RevId: 360247614
|