summaryrefslogtreecommitdiffhomepage
path: root/pkg
AgeCommit message (Collapse)Author
2020-02-07Support listxattr and removexattr syscalls.Dean Deng
Note that these are only implemented for tmpfs, and other impls will still return EOPNOTSUPP. PiperOrigin-RevId: 293899385
2020-02-07Log level, optname, optval and optlen in getsockopt/setsockopt in strace.Ian Gudger
Log 8, 16, and 32 int optvals and dump the memory of other sizes. Updates #1782 PiperOrigin-RevId: 293889388
2020-02-07Address GH comments.Kevin Krakauer
2020-02-06Send DAD event when DAD resolves immediatelyGhanan Gowripalan
Previously, a DAD event would not be sent if DAD was disabled. This allows integrators to do some work when an IPv6 address is bound to a NIC without special logic that checks if DAD is enabled. Without this change, integrators would need to check if a NIC has DAD enabled when an address is auto-generated. If DAD is enabled, it would need to delay the work until the DAD completion event; otherwise, it would need to do the work in the address auto-generated event handler. Test: stack_test.TestDADDisabled PiperOrigin-RevId: 293732914
2020-02-06Merge branch 'master' into tcp-matchers-submitKevin Krakauer
2020-02-06Auto-generate link-local address as a SLAAC addressGhanan Gowripalan
Auto-generated link-local addresses should have the same lifecycle hooks as global SLAAC addresses. The Stack's NDP dispatcher should be notified when link-local addresses are auto-generated and invalidated. They should also be removed when a NIC is disabled (which will be supported in a later change). Tests: - stack_test.TestNICAutoGenAddrWithOpaque - stack_test.TestNICAutoGenAddr PiperOrigin-RevId: 293706760
2020-02-06Perform DAD on IPv6 addresses when enabling a NICGhanan Gowripalan
Addresses may be added before a NIC is enabled. Make sure DAD is performed on the permanent IPv6 addresses when they get enabled. Test: - stack_test.TestDoDADWhenNICEnabled - stack.TestDisabledRxStatsWhenNICDisabled PiperOrigin-RevId: 293697429
2020-02-06Make gonet consistent both internally and with the net package.Ian Gudger
The types gonet.Conn and gonet.PacketConn were confusingly named as both implemented net.Conn. Further, gonet.Conn was perhaps unexpectedly TCP-specific (net.Conn is not). This change renames them to gonet.TCPConn and gonet.UDPConn. Renames gonet.NewListener to gonet.ListenTCP and adds a new gonet.NewTCPListner function to be consistent with both the gonet.DialXxx and gonet.NewXxxConn functions as well as net.ListenTCP. Updates #1632 PiperOrigin-RevId: 293671303
2020-02-06Update link address for targets of Neighbor AdvertsGhanan Gowripalan
Get the link address for the target of an NDP Neighbor Advertisement from the NDP Target Link Layer Address option. Tests: - ipv6.TestNeighorAdvertisementWithTargetLinkLayerOption - ipv6.TestNeighorAdvertisementWithInvalidTargetLinkLayerOption PiperOrigin-RevId: 293632609
2020-02-06Move p9.pool to a separate packageAndrei Vagin
PiperOrigin-RevId: 293617493
2020-02-05Add notes to relevant tests.Adin Scannell
These were out-of-band notes that can help provide additional context and simplify automated imports. PiperOrigin-RevId: 293525915
2020-02-05recv() on a closed TCP socket returns ENOTCONNEyal Soha
From RFC 793 s3.9 p58 Event Processing: If RECEIVE Call arrives in CLOSED state and the user has access to such a connection, the return should be "error: connection does not exist" Fixes #1598 PiperOrigin-RevId: 293494287
2020-02-05Merge branch 'master' into tcp-matchers-submitKevin Krakauer
2020-02-05Disable get/set xattrs until list/remove exist too.Nicolas Lacasse
PiperOrigin-RevId: 293411655
2020-02-04Support RTM_NEWADDR and RTM_GETLINK in (rt)netlink.Ting-Yu Wang
PiperOrigin-RevId: 293271055
2020-02-04Merge pull request #1683 from kevinGC:ipt-udp-matchersgVisor bot
PiperOrigin-RevId: 293243342
2020-02-04Add socket connection stress test.Ian Gudger
Tests 65k connection attempts on common types of sockets to check for port leaks. Also fixes a bug where dual-stack sockets wouldn't properly re-queue segments received while closing. PiperOrigin-RevId: 293241166
2020-02-04timer_create(2) should return 0 on successMichael Pratt
The timer ID is copied out to the argument. Fixes #1738 PiperOrigin-RevId: 293210801
2020-02-04Fix safecopy test.Adin Scannell
This is failing in Go1.14 due to new checkptr constraints. This version should avoid hitting this constraints by doing "dangerous" pointer math less dangerously? PiperOrigin-RevId: 293205764
2020-02-04Remove argument from vfs.MountNamespace.DecRef()Fabricio Voznika
Updates #1035 PiperOrigin-RevId: 293194631
2020-02-04VFS2 gofer clientJamie Liu
Updates #1198 Opening host pipes (by spinning in fdpipe) and host sockets is not yet complete, and will be done in a future CL. Major differences from VFS1 gofer client (sentry/fs/gofer), with varying levels of backportability: - "Cache policies" are replaced by InteropMode, which control the behavior of timestamps in addition to caching. Under InteropModeExclusive (analogous to cacheAll) and InteropModeWritethrough (analogous to cacheAllWritethrough), client timestamps are *not* written back to the server (it is not possible in 9P or Linux for clients to set ctime, so writing back client-authoritative timestamps results in incoherence between atime/mtime and ctime). Under InteropModeShared (analogous to cacheRemoteRevalidating), client timestamps are not used at all (remote filesystem clocks are authoritative). cacheNone is translated to InteropModeShared + new option filesystemOptions.specialRegularFiles. - Under InteropModeShared, "unstable attribute" reloading for permission checks, lookup, and revalidation are fused, which is feasible in VFS2 since gofer.filesystem controls path resolution. This results in a ~33% reduction in RPCs for filesystem operations compared to cacheRemoteRevalidating. For example, consider stat("/foo/bar/baz") where "/foo/bar/baz" fails revalidation, resulting in the instantiation of a new dentry: VFS1 RPCs: getattr("/") // fs.MountNamespace.FindLink() => fs.Inode.CheckPermission() => gofer.inodeOperations.check() => gofer.inodeOperations.UnstableAttr() walkgetattr("/", "foo") = fid1 // fs.Dirent.walk() => gofer.session.Revalidate() => gofer.cachePolicy.Revalidate() clunk(fid1) getattr("/foo") // CheckPermission walkgetattr("/foo", "bar") = fid2 // Revalidate clunk(fid2) getattr("/foo/bar") // CheckPermission walkgetattr("/foo/bar", "baz") = fid3 // Revalidate clunk(fid3) walkgetattr("/foo/bar", "baz") = fid4 // fs.Dirent.walk() => gofer.inodeOperations.Lookup getattr("/foo/bar/baz") // linux.stat() => gofer.inodeOperations.UnstableAttr() VFS2 RPCs: getattr("/") // gofer.filesystem.walkExistingLocked() walkgetattr("/", "foo") = fid1 // gofer.filesystem.stepExistingLocked() clunk(fid1) // No getattr: walkgetattr already updated metadata for permission check walkgetattr("/foo", "bar") = fid2 clunk(fid2) walkgetattr("/foo/bar", "baz") = fid3 // No clunk: fid3 used for new gofer.dentry // No getattr: walkgetattr already updated metadata for stat() - gofer.filesystem.unlinkAt() does not require instantiation of a dentry that represents the file to be deleted. Updates #898. - gofer.regularFileFD.OnClose() skips Tflushf for regular files under InteropModeExclusive, as it's nonsensical to request a remote file flush without flushing locally-buffered writes to that remote file first. - Symlink targets are cached when InteropModeShared is not in effect. - p9.QID.Path (which is already required to be unique for each file within a server, and is accordingly already synthesized from device/inode numbers in all known gofers) is used as-is for inode numbers, rather than being mapped along with attr.RDev in the client to yet another synthetic inode number. - Relevant parts of fsutil.CachingInodeOperations are inlined directly into gofer package code. This avoids having to duplicate part of its functionality in fsutil.HostMappable. PiperOrigin-RevId: 293190213
2020-02-04Add support for sentry internal pipe for gofer mountsFabricio Voznika
Internal pipes are supported similarly to how internal UDS is done. It is also controlled by the same flag. Fixes #1102 PiperOrigin-RevId: 293150045
2020-02-03seccomp: allow to filter syscalls by instruction pointerAndrei Vagin
PiperOrigin-RevId: 293029446
2020-01-31Fix method comment to match method name.Ian Gudger
PiperOrigin-RevId: 292624867
2020-01-31Implement file locks for regular tmpfs files in VFSv2.Dean Deng
Add a file lock implementation that can be embedded into various filesystem implementations. Updates #1480 PiperOrigin-RevId: 292614758
2020-01-31Use multicast Ethernet address for multicast NDPGhanan Gowripalan
As per RFC 2464 section 7, an IPv6 packet with a multicast destination address is transmitted to the mapped Ethernet multicast address. Test: - ipv6.TestLinkResolution - stack_test.TestDADResolve - stack_test.TestRouterSolicitation PiperOrigin-RevId: 292610529
2020-01-31SpellingKevin Krakauer
2020-01-31iptables: enable TCP matching with "-m tcp".Kevin Krakauer
A couple other things that changed: - There's a proper extension registration system for matchers. Anyone adding another matcher can use tcp_matcher.go or udp_matcher.go as a template. - All logging and use of syserr.Error in the netfilter package happens at the highest possible level (public functions). Lower-level functions just return normal, descriptive golang errors.
2020-01-31Extract multicast IP to Ethernet address mappingGhanan Gowripalan
Test: header.TestEthernetAddressFromMulticastIPAddress PiperOrigin-RevId: 292604649
2020-01-31Internal change.gVisor bot
PiperOrigin-RevId: 292587459
2020-01-30Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-30Fix for panic in endpoint.Close().Bhasker Hariharan
When sending a RST on shutdown we need to double check the state after acquiring the work mutex as the endpoint could have transitioned out of a connected state from the time we checked it and we acquired the workMutex. I added two tests but sadly neither reproduce the panic. I am going to leave the tests in as they are good to have anyway. PiperOrigin-RevId: 292393800
2020-01-30Merge pull request #1288 from lubinszARM:pr_ring0_6gVisor bot
PiperOrigin-RevId: 292369598
2020-01-30Enforce splice offset limitsMichael Pratt
Splice must not allow negative offsets. Writes also must not allow offset + size to overflow int64. Reads are similarly broken, but not just in splice (b/148095030). Reported-by: syzbot+0e1ff0b95fb2859b4190@syzkaller.appspotmail.com PiperOrigin-RevId: 292361208
2020-01-30Do not include the Source Link Layer option with an unspecified source addressGhanan Gowripalan
When sending NDP messages with an unspecified source address, the Source Link Layer address must not be included. Test: stack_test.TestDADResolve PiperOrigin-RevId: 292341334
2020-01-29Do not spawn a goroutine when calling stack.NDPDispatcher's methodsGhanan Gowripalan
Do not start a new goroutine when calling stack.NDPDispatcher.OnDuplicateAddressDetectionStatus. PiperOrigin-RevId: 292268574
2020-01-29Add support for TCP_DEFER_ACCEPT.Bhasker Hariharan
PiperOrigin-RevId: 292233574
2020-01-29Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-29Add plumbing for file locks in VFS2.Dean Deng
Updates #1480 PiperOrigin-RevId: 292180192
2020-01-29sentry: rename SetRSEQInterruptedIP to SetOldRSeqInterruptedIP for arm64Andrei Vagin
For amd64, this has been done on cl/288342928. PiperOrigin-RevId: 292170856
2020-01-29Add //pkg/sentry/devices/memdev.Jamie Liu
PiperOrigin-RevId: 292165063
2020-01-29supporting sError in guest kernel on Arm64Bin Lu
For test case 'TestBounce', we use KVM_SET_VCPU_EVENTS to trigger sError to leave guest. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-01-28Prevent arbitrary size allocation when sending UDS messages.Dean Deng
Currently, Send() will copy data into a new byte slice without regard to the original size. Size checks should be performed before the allocation takes place. Note that for the sake of performance, we avoid putting the buffer allocation into the critical section. As a result, the size checks need to be performed again within Enqueue() in case the limit has changed. PiperOrigin-RevId: 292058147
2020-01-28Add support for WritableSource in DynamicBytesFileDescriptionImplFabricio Voznika
WritableSource is a convenience interface used for files that can be written to, e.g. /proc/net/ipv4/tpc_sack. It reads max of 4KB and only from offset 0 which should cover most cases. It can be extended as neeed. Updates #1195 PiperOrigin-RevId: 292056924
2020-01-28Changes missing in last submitFabricio Voznika
Updates #1487 Updates #1623 PiperOrigin-RevId: 292040835
2020-01-28Update link address for senders of Neighbor SolicitationsGhanan Gowripalan
Update link address for senders of NDP Neighbor Solicitations when the NS contains an NDP Source Link Layer Address option. Tests: - ipv6.TestNeighorSolicitationWithSourceLinkLayerOption - ipv6.TestNeighorSolicitationWithInvalidSourceLinkLayerOption PiperOrigin-RevId: 292028553
2020-01-28Add vfs.FileDescription to FD tableFabricio Voznika
FD table now holds both VFS1 and VFS2 types and uses the correct one based on what's set. Parts of this CL are just initial changes (e.g. sys_read.go, runsc/main.go) to serve as a template for the remaining changes. Updates #1487 Updates #1623 PiperOrigin-RevId: 292023223
2020-01-28Add //pkg/sentry/fsimpl/devtmpfs.Jamie Liu
PiperOrigin-RevId: 292021389
2020-01-28Include the NDP Source Link Layer option when sending DAD messagesGhanan Gowripalan
Test: stack_test.TestDADResolve PiperOrigin-RevId: 292003124
2020-01-28fs/splice: don't report partial errors for special filesAndrei Vagin
Special files can have additional requirements for granularity. For example, read from eventfd returns EINVAL if a size is less 8 bytes. Reported-by: syzbot+3905f5493bec08eb7b02@syzkaller.appspotmail.com PiperOrigin-RevId: 292002926