summaryrefslogtreecommitdiffhomepage
path: root/pkg
AgeCommit message (Collapse)Author
2021-10-26Merge release-20211019.0-39-g8b2e8caad (automated)gVisor bot
2021-10-26Move attestation definitions to standalone packageChong Cai
PiperOrigin-RevId: 405698863
2021-10-26Merge release-20211019.0-38-g2d384f761 (automated)gVisor bot
2021-10-26Change Notify() to use unix.RawSyscall.Bhasker Hariharan
eventfd.Notify() uses unix.Write which will eventually call unix.Syscall which will yield the current go processor resulting in the Go scheduler parking the current goroutine till the syscall returns. But in most cases where Notify() is called there is no reason to yield as the caller probably wants to continue doing something right afterwards. Like in the case of the sharedmem endpoint which may still have more packets to write. PiperOrigin-RevId: 405693801
2021-10-26Merge release-20211019.0-36-g12480f1c4 (automated)gVisor bot
2021-10-26Ensure statfs::f_namelen is set by VFS2 gofer statfs/fstatfs.Jamie Liu
VFS1 discards the value of f_namelen returned by the filesystem and returns NAME_MAX unconditionally instead, so it doesn't run into this. Also set f_frsize for completeness. PiperOrigin-RevId: 405579707
2021-10-25Merge release-20211019.0-35-g4d07fc952 (automated)gVisor bot
2021-10-25Do not leak non-permission mode bits in mq_open(2).Ayush Ranjan
As caught by syzkaller, we were leaking non-permission bits while passing the user generated mode. DynamicBytesFile panics in this case. Reported-by: syzbot+5abe52d47d56a5a98c89@syzkaller.appspotmail.com PiperOrigin-RevId: 405481392
2021-10-25Merge release-20211019.0-33-g9262ea47a (automated)gVisor bot
2021-10-25Add support for containerd 1.5Fabricio Voznika
"cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd configuration format version 2 is required. Updates #6449 PiperOrigin-RevId: 405474653
2021-10-25Merge release-20211019.0-32-g7c267106d (automated)gVisor bot
2021-10-23initialize hostFeatureSet from init functionJing Chen
2021-10-23fix the failed test target //pkg/cpuid:cpuid_test on arm64.Jing Chen
2021-10-21Merge release-20211011.0-59-g14f411392 (automated)gVisor bot
2021-10-21Merge pull request #6345 from sudo-sturbia:mq/syscallsgVisor bot
PiperOrigin-RevId: 404901660
2021-10-21Merge release-20211011.0-39-g207221ffb (automated)gVisor bot
2021-10-21Add an integration test for istio like redirect.Bhasker Hariharan
Updates #6441,#6317 PiperOrigin-RevId: 404872327
2021-10-20Merge release-20211011.0-37-gc23d67f3c (automated)gVisor bot
2021-10-20Report correct error when restore failsFabricio Voznika
When file corruption is detected, report vfs.ErrCorruption to distinguish corruption error from other restore errors. Updates #1035 PiperOrigin-RevId: 404588445
2021-10-20Merge release-20211011.0-36-gbdf4e41c8 (automated)gVisor bot
2021-10-19Always parse Transport headersGhanan Gowripalan
..including ICMP headers before delivering them to the TransportDispatcher. Updates #3810. PiperOrigin-RevId: 404404002
2021-10-19Fix typo in FIXMEFabricio Voznika
PiperOrigin-RevId: 404400399
2021-10-19Merge release-20211011.0-34-g1b494b80f (automated)gVisor bot
2021-10-19Do not return non-nil *lisafs.Inode to doCreateAt on error.Ayush Ranjan
lisafs.ClientFile.MkdirAt is allowed to return a non-nil Inode and a non-nil error on an RPC error. The caller must not use the returned (invalid) Inode on error. But a code path in the gofer client does end up using it. More specifically, when the Mkdir RPC fails and we end up creating a synthetic dentry for a mountpoint, we end up returning the (invalid) non-nil Inode to filesystem.doCreateAt implementation which thinks that a remote file was created. But that non-nil Inode is actually invalid because the RPC failed. Things go downhill from there. Update client to not use childDirInode if RPC failed. PiperOrigin-RevId: 404396573
2021-10-19Merge release-20211011.0-33-g64aee33ed (automated)gVisor bot
2021-10-19Continue reaping bucket after reaping a tupleGhanan Gowripalan
Reaping an expired tuple removes it from its bucket so we need to grab the succeeding tuple in the bucket before reaping the expired tuple. Before this change, only the first expired tuple in a bucket was reaped per reaper run on the bucket. This change just allows more connections to be reaped. PiperOrigin-RevId: 404392925
2021-10-19Merge release-20211011.0-32-g80d655d84 (automated)gVisor bot
2021-10-19Stub cpuset cgroup control files.Rahat Mahmood
PiperOrigin-RevId: 404382475
2021-10-19Merge release-20211005.0-59-g03bc93d2b (automated)gVisor bot
2021-10-18conntrack: update state of un-NATted connectionsKevin Krakauer
This prevents reaping connections unnecessarily early. This change both moves the state update to the beginning of handlePacket and fixes a bug where un-finalized connections could become un-reapable. Fixes #6748 PiperOrigin-RevId: 404141012
2021-10-18Merge release-20211005.0-58-g211bbf82a (automated)gVisor bot
2021-10-18conntrack: use tcpip.Clock instead of time.TimeKevin Krakauer
- We should be using a monotonic clock - This will make future testing easier Updates #6748. PiperOrigin-RevId: 404072318
2021-10-18Merge release-20211005.0-57-gfa56fbf44 (automated)gVisor bot
2021-10-18Report ramdiskfs usage correctlyFabricio Voznika
Updates #1035 PiperOrigin-RevId: 404072231
2021-10-18Merge release-20211005.0-52-g4f6cda4d0 (automated)gVisor bot
2021-10-18Support distinction for RWMutex and read-only locks.Adin Scannell
Fixes #6590 PiperOrigin-RevId: 404007524
2021-10-15Satisfy nogoGhanan Gowripalan
PiperOrigin-RevId: 403479257
2021-10-15Merge release-20211005.0-49-ge4fc15bd8 (automated)gVisor bot
2021-10-15Implement WriteRawPacket for pipeTony Gong
Implement WriteRawPacket for pipe by calling `DeliverNetworkPacket` on the other end with empty values for the route and protocol number, and relies on the `NetworkDispatcher` to decapsulate the link layer header from the raw packet itself. PiperOrigin-RevId: 403461448
2021-10-15Merge release-20211005.0-47-g33b41d8fe (automated)gVisor bot
2021-10-14Report total memory based on limit or hostFabricio Voznika
gVisor was previously reporting the lower of cgroup limit or 2GB as total memory. This may cause applications to make bad decisions based on amount of memory available to them when more than 2GB is required. This change makes the lower of cgroup limit or the host total memory to be reported inside the sandbox. This also is more inline with docker which always reports host total memory. Note that reporting cgroup limit is strictly better than host total memory when there is a limit set. Fixes #5608 PiperOrigin-RevId: 403241608
2021-10-14Merge release-20211005.0-45-g6f4fcc4ba (automated)gVisor bot
2021-10-14Add a size parameterChong Cai
PiperOrigin-RevId: 403214414
2021-10-13Merge release-20210927.0-71-g4e2cc2bef (automated)gVisor bot
2021-10-13Minor fixes to sharedmem.Bhasker Hariharan
Use route/protocol from packetbuffer. Sharedmem implementation should use the EgressRoute/NetworkProtocolNumber embedded in the packetbuffer rather than what is passed as parameters to Write(Raw)Packet(s). PiperOrigin-RevId: 402934171
2021-10-13Merge release-20210927.0-70-g1796cd89d (automated)gVisor bot
2021-10-13add create-only raw socketsKevin Krakauer
These can be used by applications to manipulate iptables rules without enabling arbitrary reads from and writes to the underlying packet socket. PiperOrigin-RevId: 402924733
2021-10-13Merge release-20210927.0-68-gb74bbe11e (automated)gVisor bot
2021-10-13Represent direction with booleanGhanan Gowripalan
...since direction can only hold one of two possible values. PiperOrigin-RevId: 402855698
2021-10-13Merge release-20210927.0-67-g747cb9246 (automated)gVisor bot