Age | Commit message (Collapse) | Author |
|
PiperOrigin-RevId: 322937495
|
|
PiperOrigin-RevId: 322928424
|
|
- Check write permission on truncate(2). Unlike ftruncate(2),
truncate(2) fails if the user does not have write permissions
on the file.
- For gofers under InteropModeShared, check file type before
making a truncate request. We should fail early and avoid
making an rpc when possible. Furthermore, depending on the
remote host's failure may give us unexpected behavior--if the
host converts the truncate request to an ftruncate syscall on
an open fd, we will get EINVAL instead of EISDIR.
Updates #2923.
PiperOrigin-RevId: 322913569
|
|
Fix typos.
PiperOrigin-RevId: 322913282
|
|
Changes the API of tcpip.Clock to also provide a method for scheduling and
rescheduling work after a specified duration. This change also implements the
AfterFunc method for existing implementations of tcpip.Clock.
This is the groundwork required to mock time within tests. All references to
CancellableTimer has been replaced with the tcpip.Job interface, allowing for
custom implementations of scheduling work.
This is a BREAKING CHANGE for clients that implement their own tcpip.Clock or
use tcpip.CancellableTimer. Migration plan:
1. Add AfterFunc(d, f) to tcpip.Clock
2. Replace references of tcpip.CancellableTimer with tcpip.Job
3. Replace calls to tcpip.CancellableTimer#StopLocked with tcpip.Job#Cancel
4. Replace calls to tcpip.CancellableTimer#Reset with tcpip.Job#Schedule
5. Replace calls to tcpip.NewCancellableTimer with tcpip.NewJob.
PiperOrigin-RevId: 322906897
|
|
PiperOrigin-RevId: 322904430
|
|
PiperOrigin-RevId: 322890087
|
|
Like task_work in Linux, this allows us to register callbacks to be executed
before returning to userspace. This is needed for kcov support, which requires
coverage information to be up-to-date whenever we are in user mode. We will
provide coverage data through the kcov interface to enable coverage-directed
fuzzing in syzkaller.
One difference from Linux is that task work cannot queue work before the
transition to userspace that it precedes; queued work will be picked up before
the next transition.
PiperOrigin-RevId: 322889984
|
|
This patch load/save TLS for the container application.
Related issue: full context-switch supporting for Arm64 #1238
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/2761 from lubinszARM:pr_tls_2 cb5dbca1c9c3f378002406da7a58887f9b5032b3
PiperOrigin-RevId: 322887044
|
|
PiperOrigin-RevId: 322882426
|
|
|
|
Allow FUSE filesystems to be mounted using libfuse.
The appropriate flags and mount options are parsed and
understood by fusefs.
|
|
PiperOrigin-RevId: 322853192
|
|
Fixes #3334
PiperOrigin-RevId: 322846384
|
|
Socket option values are now required to implement marshal.Marshallable.
Co-authored-by: Rahat Mahmood <rahat@google.com>
PiperOrigin-RevId: 322831612
|
|
And do some refactoring of the wait logic in sendfile/splice/tee.
Updates #1035 #2923
PiperOrigin-RevId: 322815521
|
|
We were getting the file attributes before locking the metadataMu which was
causing stale updates to the file attributes.
Fixes OpenTest_AppendConcurrentWrite.
Updates #2923
PiperOrigin-RevId: 322804438
|
|
Previously, ICMP destination unreachable datagrams were ignored by TCP
endpoints. This caused connect to hang when an intermediate router
couldn't find a route to the host.
This manifested as a Kokoro error when Docker IPv6 was enabled. The Ruby
image test would try to install the sinatra gem and hang indefinitely
attempting to use an IPv6 address.
Fixes #3079.
|
|
Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule
despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a
connection could not be established.
We handle this (as Linux does) by tracking all connections, inserting a
no-op conntrack rule for new connections with no rules of their own.
Needed for istio support (#170).
|
|
For iptables users, Check() is a hot path called for every packet one or more
times. Let's avoid a bunch of map lookups.
PiperOrigin-RevId: 322678699
|
|
Updates #2923
PiperOrigin-RevId: 322671489
|
|
Helps in fixing open syscall tests: AppendConcurrentWrite and AppendOnly.
We also now update the file size for seekable special files (regular files)
which we were not doing earlier.
Updates #2923
PiperOrigin-RevId: 322670843
|
|
Updates #173
PiperOrigin-RevId: 322665518
|
|
|
|
PiperOrigin-RevId: 322265513
|
|
Updates #173
PiperOrigin-RevId: 321690756
|
|
PiperOrigin-RevId: 321620517
|
|
PiperOrigin-RevId: 321496734
|
|
This is no longer necessary, as we always set NetworkHeader before calling
iptables.Check.
PiperOrigin-RevId: 321461978
|
|
Now it calls pkt.Data.ToView() when writing the packet. This may require
copying when the packet is large, which puts the worse case in an even worse
situation.
This sent out in a separate preparation change as it requires syscall filter
changes. This change will be followed by the change for the adoption of the new
PacketHeader API.
PiperOrigin-RevId: 321447003
|
|
Packet sockets also seem to allow double binding and do not return an error on
linux. This was tested by running the syscall test in a linux namespace as root
and the current test DoubleBind fails@HEAD.
Passes after this change.
Updates #173
PiperOrigin-RevId: 321445137
|
|
gVisor incorrectly returns the wrong ARP type for SIOGIFHWADDR. This breaks
tcpdump as it tries to interpret the packets incorrectly.
Similarly, SIOCETHTOOL is used by tcpdump to query interface properties which
fails with an EINVAL since we don't implement it. For now change it to return
EOPNOTSUPP to indicate that we don't support the query rather than return
EINVAL.
NOTE: ARPHRD types for link endpoints are distinct from NIC capabilities
and NIC flags. In Linux all 3 exist eg. ARPHRD types are stored in dev->type
field while NIC capabilities are more like the device features which can be
queried using SIOCETHTOOL but not modified and NIC Flags are fields that can
be modified from user space. eg. NIC status (UP/DOWN/MULTICAST/BROADCAST) etc.
Updates #2746
PiperOrigin-RevId: 321436525
|
|
PiperOrigin-RevId: 321411758
|
|
When we failed to create the new socket after adding the fd to
fdnotifier, we should remove the fd from fdnotifier, because we
are going to close the fd directly.
Fixes: #3241
Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
|
|
PiperOrigin-RevId: 321269281
|
|
To implement stat(2) in FUSE, we have to embed credentials and pid in request
header. The information should be extracted from the context passed to VFS
layer. Therefore `Stat()` signature in `kernfs.Inode` interface should include
context as first argument. Some other fs implementations need to be modified as
well, such as devpts, host, pipefs, and proc.
Fixes #3235
|
|
PiperOrigin-RevId: 321060717
|
|
PiperOrigin-RevId: 321053634
|
|
When --debug is enabled, the following log messages are
printed every second filling up the log:
D0430 18:04:42.823775 129561 parameters.go:238] Clock(Monotonic): error: 46 ns, adjusted frequency from 3591713733 Hz to 3591714196 Hz
D0430 18:04:42.823870 129561 parameters.go:238] Clock(Realtime): error: 36 ns, adjusted frequency from 3591714003 Hz to 3591714169 Hz
D0430 18:04:42.823892 129561 timekeeper.go:209] Updating VDSO parameters: {monotonicReady:1 monotonicBaseCycles:15758797714254696 monotonicBaseRef:29000233837 monotonicFrequency:3591714196 realtimeReady:1 realtimeBaseCycles:15758797714610880 realtimeBaseRef:1588269882823867374 realtimeFrequency:3591714169}
Info and warning messages for larger changes are kept the same.
PiperOrigin-RevId: 321048523
|
|
PiperOrigin-RevId: 321035635
|
|
PiperOrigin-RevId: 321028238
|
|
For accessing metadata fields:
- If metadataMu is locked, we can access without atomics
- If metadataMu is unlocked, we should use atomics
For mutating metadata fields:
- Always lock metadataMu and use atomics.
There were some instances of inconsistencies which have been fixed.
PiperOrigin-RevId: 321022895
|
|
PiperOrigin-RevId: 321021071
|
|
PiperOrigin-RevId: 321020733
|
|
As in Linux, we must periodically clean up unused connections.
PiperOrigin-RevId: 321003353
|
|
sleep.Waker's fields are modified as values.
PiperOrigin-RevId: 320873451
|
|
Updates #2746
PiperOrigin-RevId: 320757963
|
|
Split the kvm ut test cases to pass unit-tests on Arm64.
I will add the tls and full-context test cases for Arm64 later.
Signed-off-by: Bin Lu <bin.lu@arm.com>
|
|
RFC-1122 (and others) specify that UDP should not receive
datagrams that have a source address that is a multicast address.
Packets should never be received FROM a multicast address.
See also, RFC 768: 'User Datagram Protocol'
J. Postel, ISI, 28 August 1980
A UDP datagram received with an invalid IP source address
(e.g., a broadcast or multicast address) must be discarded
by UDP or by the IP layer (see rfc 1122 Section 3.2.1.3).
This CL does not address TCP or broadcast which is more complicated.
Also adds a test for both ipv6 and ipv4 UDP.
Fixes #3154
PiperOrigin-RevId: 320547674
|
|
The go.mod dependency tree for the shim was somehow contradictory. After
resolving these issues (e.g. explicitly imported k8s 1.14, pulling a
specific dbus version), and adding all dependencies, the shim can now be
build as part of the regular bazel tree.
As part of this process, minor cleanup was done in all the source files:
headers were standardized (and include "The gVisor Authors" in addition
to the "The containerd Authors" if originally derived from containerd
sources), and comments were cleaned up to meet coding standards.
This change makes the containerd installation dynamic, so that multiple
versions can be tested, and drops the static installer for the VM image
itself.
This change also updates test/root/crictl_test.go and related utilities,
so that the containerd tests can be run on any version (and in cases
where it applies, they can be run on both v1 and v2 as parameterized
tests).
|