Age | Commit message | Author |
|
|
|
This gets us closer to passing the iptables tests and opens up iptables
so it can be worked on by multiple people.
A few restrictions are enforced for security (i.e. we don't want to let
users write a bunch of iptables rules and then just not enforce them):
- Only the filter table is writable.
- Only ACCEPT rules with no matching criteria can be added.
|
|
PiperOrigin-RevId: 288642552
|
|
The write tests are fitted to Linux-specific behavior, but it is not
well-specified. Tweak the tests to allow for both acceptable outcomes.
PiperOrigin-RevId: 288606386
|
|
PiperOrigin-RevId: 288402480
|
|
PiperOrigin-RevId: 287217899
|
|
Added the ability to get/set the IP_RECVTOS socket option on UDP endpoints. If
enabled, TOS from the incoming Network Header is passed as ancillary data in the
ControlMessages.
Test:
* Added unit test to udp_test.go that tests getting/setting as well as
verifying that we receive expected TOS from incoming packet.
* Added a syscall test
PiperOrigin-RevId: 287029703
|
|
This change is needed to be compatible with the Linux kernel.
There is no glibc wrapper for the futex system call, so it is easy to
make a mistake and call syscall(__NR_futex, FUTEX_WAKE, addr) without
the fourth argument. This works on Linux, because it wakes one waiter
even if val is nonpositive.
PiperOrigin-RevId: 286494396
|
|
This test suite has existed for quite a while and has become kind of messy.
Various tests can be joined together by parameterizing.
PiperOrigin-RevId: 286482240
|
|
When listen(2) is called on an unbound socket, the socket is
automatically bound to a random free port with the local address
set to INADDR_ANY.
PiperOrigin-RevId: 286305906
|
|
PiperOrigin-RevId: 286249699
|
|
This avoids conflicting definitions of GetSocketPairs() in outer namespace when
multiple such cc files are compiled for one binary.
PiperOrigin-RevId: 286243045
|
|
PiperOrigin-RevId: 286083614
|
|
PiperOrigin-RevId: 286003946
|
|
PiperOrigin-RevId: 285968611
|
|
Add checks for input arguments, file type, permissions, etc. that match
the Linux implementation. A call to get/setxattr that passes all the
checks will still currently return EOPNOTSUPP. Actual support will be
added in following commits.
Only allow user.* extended attributes for the time being.
PiperOrigin-RevId: 285835159
|
|
It would be preferable to test iptables via syscall tests, but there are some
problems with that approach:
* We're limited to loopback-only, as syscall tests involve only a single
container. Other link interfaces (e.g. fdbased) should be tested.
* We'd have to shell out to call iptables anyways, as the iptables syscall
interface itself is too large and complex to work with alone.
* Running the Linux/native version of the syscall test will require root, which
is a pain to configure, is inherently unsafe, and could leave host iptables
misconfigured.
Using the go_test target allows there to be no new test runner.
PiperOrigin-RevId: 285274275
|
|
Reported-by: syzbot+2c0bcfd87fb4e8b7b009@syzkaller.appspotmail.com
PiperOrigin-RevId: 285228312
|
|
The implementation follows the Linux behavior where specifying
a TCP_USER_TIMEOUT will cause the resend timer to honor the
user specified timeout rather than the default rto based timeout.
Further it alters when connections are timed out due to keepalive
failures. It does not alter the behavior of when keepalives are
sent. This is as per the Linux behavior.
PiperOrigin-RevId: 285099795
|
|
Support for getxattr and setxattr is in subsequent commits.
PiperOrigin-RevId: 285088817
|
|
Test now no longer deletes files incorrectly, due to a fix in fs utils
used by TempPath (github.com/google/gvisor/pull/1368).
Fixes #1366
PiperOrigin-RevId: 284814605
|
|
IsDirectory() is used in RecursivelyDelete(), which should not follow symlinks.
The only other use (syscalls/linux/rename.cc) is not affected by this change.
Updates #1366.
PiperOrigin-RevId: 284803968
|
|
Disable until gvisor.dev/issue/1366 is resolved.
Updates #1366
PiperOrigin-RevId: 284786895
|
|
PiperOrigin-RevId: 284786069
|
|
This was accidentally dropped from the change which fixed the bug.
Updates #1217
PiperOrigin-RevId: 284689362
|
|
Next steps include adding support to the transport demuxer and the UDP endpoint.
PiperOrigin-RevId: 284652151
|
|
These are currently duplicated in ip_socket_test_util, so tests including
both netinet/tcp.h and ip_socket_test_util won't compile.
PiperOrigin-RevId: 284623958
|
|
PiperOrigin-RevId: 284606133
|
|
Add a decent set of syscall tests for rseq(2). These are a bit awkward because
of issues with library integration. libc may register rseq on thread start
(including before main on the initial thread), precluding much testing. Thus we
run tests in a libc-free subprocess.
Support for rseq(2) in gVisor will come in a later commit.
PiperOrigin-RevId: 284595994
|
|
We need to skip a subset of the tests, because of features that hostinet does
not currently support.
Fixes #1209
PiperOrigin-RevId: 284235911
|
|
Some versions of glibc will convert F_GETOWN fcntl(2) calls into F_GETOWN_EX in
some cases.
PiperOrigin-RevId: 284089373
|
|
TcpPortReuseMultiThread creates lots of connections which result in
a lot of goroutines in the sentry. This can cause gotsan runs to
take really long and time out. Increasing listen backlog and
reducing number of connections should help the connections complete
faster as well as reduce the number of goroutines that gotsan needs
to track.
PiperOrigin-RevId: 284046018
|
|
PiperOrigin-RevId: 284038840
|
|
PiperOrigin-RevId: 283955946
|
|
Fixes #1207
PiperOrigin-RevId: 283914438
|
|
Get rid of the SocketTest class, which is only extended by ReadvSocketTest.
Also, get rid of TCP sockets (which were unused anyway) from readv_socket.cc.
This is a very old test suite that isn't the right place for TCP loopback
tests.
PiperOrigin-RevId: 283672772
|
|
PiperOrigin-RevId: 283657725
|
|
If the socket is bound to ANY and connected to a loopback address,
getsockname() has to return the loopback address. Without this fix,
getsockname() returns ANY.
PiperOrigin-RevId: 283647781
|
|
The code in rcv.consumeSegment incorrectly transitions to
CLOSED state from LAST-ACK before the final ACK for the FIN.
Further if receiving a segment changes a socket to a closed state
then we should not invoke the sender as the socket is now closed
and sending any segments is incorrect.
PiperOrigin-RevId: 283625300
|
|
PiperOrigin-RevId: 283613824
|
|
A few tests have their own ad-hoc implementations. Add a single common one.
PiperOrigin-RevId: 283601666
|
|
We skipped it due to the issue in the golang scheduler
which has been fixed in go1.13.
PiperOrigin-RevId: 283432226
|
|
PiperOrigin-RevId: 283345791
|
|
Separate out a test in udp_socket.cc that depends on <linux/errqueue.h> so the
rest of the tests can run on Fuchsia.
PiperOrigin-RevId: 283322633
|
|
PiperOrigin-RevId: 282828273
|
|
This allows writable proc and devices files to be opened with O_CREAT|O_TRUNC.
This is encountered most frequently when interacting with proc or devices files
via the command line.
e.g. $ echo 8192 1048576 4194304 > /proc/sys/net/ipv4/tcp_rmem
Also adds a test to test the behavior of open(O_TRUNC), truncate, and ftruncate
on named pipes.
Fixes #1116
PiperOrigin-RevId: 282677425
|
|
This is how it has to be according to the man page.
PiperOrigin-RevId: 281998068
|
|
PiperOrigin-RevId: 281795269
|
|
Updates #1092
PiperOrigin-RevId: 280547239
|
|
It was possible to panic the sentry by opening a cache revalidating folder with
O_TRUNC|O_CREAT.
Avoids breaking php tests.
PiperOrigin-RevId: 280533213
|