Age | Commit message (Collapse) | Author |
|
Restrict ptrace(2) according to the default configurations of the YAMA security
module (mode 1), which is a common default among various Linux distributions.
The new access checks only permit the tracer to proceed if one of the following
conditions is met:
a) The tracer is already attached to the tracee.
b) The target is a descendant of the tracer.
c) The target has explicitly given permission to the tracer through the
PR_SET_PTRACER prctl.
d) The tracer has CAP_SYS_PTRACE.
See security/yama/yama_lsm.c for more details.
Note that these checks are added to CanTrace, which is checked for
PTRACE_ATTACH as well as some other operations, e.g., checking a process'
memory layout through /proc/[pid]/mem.
Since this patch adds restrictions to ptrace, it may break compatibility for
applications run by non-root users that, for instance, rely on being able to
trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA
restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope
to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER
prctl.
Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com
PiperOrigin-RevId: 359237723
|
|
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com
PiperOrigin-RevId: 358866218
|
|
Also skips a test if the setsockopt to increase send buffer did not result in an
increase. This is possible when the underlying socket is a host backed unix
domain socket as in such cases gVisor does not permit increasing SO_SNDBUF.
PiperOrigin-RevId: 358285158
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 358207468
|
|
PiperOrigin-RevId: 357224877
|
|
PiperOrigin-RevId: 357031904
|
|
PiperOrigin-RevId: 357015186
|
|
PiperOrigin-RevId: 356868412
|
|
The limits for snd/rcv buffers for unix domain socket is controlled by the
following sysctls on linux
- net.core.rmem_default
- net.core.rmem_max
- net.core.wmem_default
- net.core.wmem_max
Today in gVisor we do not expose these sysctls but we do support setting the
equivalent in netstack via stack.Options() method. But AF_UNIX sockets in gVisor
can be used without netstack, with hostinet or even without any networking stack
at all. Which means ideally these sysctls need to live as globals in gVisor.
But rather than make this a big change for now we hardcode the limits in the
AF_UNIX implementation itself (which in itself is better than where we were
before) where it SO_SNDBUF was hardcoded to 16KiB. Further we bump the initial
limit to a default value of 208 KiB to match linux from the paltry 16 KiB we use
today.
Updates #5132
PiperOrigin-RevId: 356665498
|
|
PiperOrigin-RevId: 356587965
|
|
Reported-by: syzbot+9ffc71246fe72c73fc25@syzkaller.appspotmail.com
PiperOrigin-RevId: 356536113
|
|
PiperOrigin-RevId: 356450303
|
|
We previously return EINVAL when connecting to port 0, however this is not the
observed behavior on Linux. One of the observable effects after connecting to
port 0 on Linux is that getpeername() will fail with ENOTCONN.
PiperOrigin-RevId: 356413451
|
|
Reported-by: syzbot+d54bc27a15aefe52c330@syzkaller.appspotmail.com
PiperOrigin-RevId: 356406975
|
|
According to vfs.FilesystemImpl.RenameAt documentation:
- If the last path component in rp is "." or "..", and opts.Flags contains
RENAME_NOREPLACE, RenameAt returns EEXIST.
- If the last path component in rp is "." or "..", and opts.Flags does not
contain RENAME_NOREPLACE, RenameAt returns EBUSY.
Reported-by: syzbot+6189786e64fe13fe43f8@syzkaller.appspotmail.com
PiperOrigin-RevId: 355959266
|
|
PiperOrigin-RevId: 355506299
|
|
Netstack today will send dupACK's with no rate limit for incoming out of
window segments. This can result in ACK loops for example if a TCP socket
connects to itself (actually permitted by TCP). Where the ACK sent in
response to packets being out of order itself gets considered as an out
of window segment resulting in another ACK being generated.
PiperOrigin-RevId: 355206877
|
|
Also sync syscall test expectations on Fuchisa.
PiperOrigin-RevId: 355163492
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 354730126
|
|
PiperOrigin-RevId: 354615220
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 354604389
|
|
PiperOrigin-RevId: 354595623
|
|
PiperOrigin-RevId: 354441239
|
|
PiperOrigin-RevId: 354367665
|
|
The previous check was using SOCK_RAW, despite the fact that the test only uses
SOCK_DGRAM. Simplify the test machinery while I'm here.
PiperOrigin-RevId: 354359842
|
|
This CL adds support for the following fields:
- RTT, RTTVar, RTO
- send congestion window (sndCwnd) and send slow start threshold (sndSsthresh)
- congestion control state(CaState)
- ReorderSeen
PiperOrigin-RevId: 354195361
|
|
Contrary to the comment on the socket test, the failure was due to an issue
with goferfs rather than kernfs.
PiperOrigin-RevId: 353918021
|
|
This also causes inotify events to be generated when reading files for exec.
This change also requires us to adjust splice+inotify tests due to
discrepancies between gVisor and Linux behavior. Note that these discrepancies
existed before; we just did not exercise them previously. See comment for more
details.
Fixes #5348.
PiperOrigin-RevId: 353907187
|
|
If data is sent over a stream socket that will not fit all at once, it will
be sent over multiple packets. SCM Rights should only be sent with the first
packet (see net/unix/af_unix.c:unix_stream_sendmsg in Linux).
Reported-by: syzbot+aa26482e9c4887aff259@syzkaller.appspotmail.com
PiperOrigin-RevId: 353886442
|
|
This CL moves {S,G}etsockopt of SO_SNDBUF from all endpoints to socketops. For
unix sockets, we do not support setting of this option.
PiperOrigin-RevId: 353871484
|
|
IN_CLOSE should only be generated when a file description loses its last
reference; not when a file descriptor is closed.
See fs/file_table.c:__fput.
Updates #5348.
PiperOrigin-RevId: 353810697
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 353684155
|
|
The test was execve itself into `/bin/true`, so the test was
not actually executing.
PiperOrigin-RevId: 353676855
|
|
Fixes #5113.
PiperOrigin-RevId: 353313374
|
|
For an active OPEN call with unspecified foreign socket, TCP MUST
return error: foreign socket unspecified
PiperOrigin-RevId: 352961691
|
|
PiperOrigin-RevId: 352905565
|
|
On ARM64, when ptrace stops on a system call, it uses the x7 register to
indicate whether the stop has been signalled from syscall entry or syscall
exit. This means that we can't get a value of this register and we can't change
it. More details are in the comment for tracehook_report_syscall in
arch/arm64/kernel/ptrace.c.
This happens only if we stop on a system call, so let's queue a signal, resume
a stub thread and catch it on a signal handling.
Fixes: #5238
PiperOrigin-RevId: 352668695
|
|
IPv4 previously accepts the packet, while IPv6 panics. Neither is the behavior
in Linux.
splice() in Linux has different behavior than in gVisor. This change documents
it in the SpliceTooLong test.
Reported-by: syzbot+b550e78e5c24d1d521f2@syzkaller.appspotmail.com
PiperOrigin-RevId: 352091286
|
|
PiperOrigin-RevId: 352068182
|
|
io.Writer.Write requires err to be non-nil if n < len(v).
We could allow this but it will be irreversible if users depend on this
behavior.
Ported the test that discovered this.
PiperOrigin-RevId: 352065946
|
|
Also fix test expectation for UDP sendto() case in tuntap syscall test.
Fixes #5155
PiperOrigin-RevId: 352056612
|
|
- Remove the pipe package's dependence on the buffer package, which becomes
unused as a result. The buffer package is currently intended to serve two use
cases, pipes and temporary buffers, and does neither optimally as a result;
this change facilitates retooling the buffer package to better serve the
latter.
- Pass callbacks taking safemem.BlockSeq to the internal pipe I/O methods,
which makes most callbacks trivial.
- Fix VFS1's splice() and tee() to immediately return if a pipe returns a
partial write.
PiperOrigin-RevId: 351911375
|
|
Return EEXIST when overwritting a file as long as the caller has exec
permission on the parent directory, even if the caller doesn't have
write permission.
Also reordered the mount write check, which happens before permission
is checked.
Closes #5164
PiperOrigin-RevId: 351868123
|
|
This change implements TLP details enumerated in
https://tools.ietf.org/html/draft-ietf-tcpm-rack-08#section-7.5.1.
Fixes #5083
PiperOrigin-RevId: 351467357
|
|
These are primarily simplification and lint mistakes. However, minor
fixes are also included and tests added where appropriate.
PiperOrigin-RevId: 351425971
|
|
PiperOrigin-RevId: 350646249
|
|
Read now takes a destination io.Writer, count, options. Keeping the method name
Read, in contrast to the Write method.
This enables:
* direct transfer of views under VV
* zero copy
It also eliminates the need for sentry to keep a slice of view because
userspace had requested a read that is smaller than the view returned, removing
the complexity there.
Read/Peek/ReadPacket are now consolidated together and some duplicate code is
removed.
PiperOrigin-RevId: 350636322
|
|
IPv4 was always supported but UDP never supported joining/leaving IPv6
multicast groups via socket options.
Add: IPPROTO_IPV6, IPV6_JOIN_GROUP/IPV6_ADD_MEMBERSHIP
Remove: IPPROTO_IPV6, IPV6_LEAVE_GROUP/IPV6_DROP_MEMBERSHIP
Test: integration_test.TestUDPAddRemoveMembershipSocketOption
PiperOrigin-RevId: 350396072
|
|
PiperOrigin-RevId: 350246333
|
|
Reported-by: syzbot+814105309d2ae8651084@syzkaller.appspotmail.com
PiperOrigin-RevId: 350159452
|