Age | Commit message (Collapse) | Author |
|
One precondition of VFS.PrepareRenameAt is that the `from` and `to` dentries
are not the same. Kernfs was not checking this, which could lead to a deadlock.
PiperOrigin-RevId: 359385974
|
|
Restrict ptrace(2) according to the default configurations of the YAMA security
module (mode 1), which is a common default among various Linux distributions.
The new access checks only permit the tracer to proceed if one of the following
conditions is met:
a) The tracer is already attached to the tracee.
b) The target is a descendant of the tracer.
c) The target has explicitly given permission to the tracer through the
PR_SET_PTRACER prctl.
d) The tracer has CAP_SYS_PTRACE.
See security/yama/yama_lsm.c for more details.
Note that these checks are added to CanTrace, which is checked for
PTRACE_ATTACH as well as some other operations, e.g., checking a process'
memory layout through /proc/[pid]/mem.
Since this patch adds restrictions to ptrace, it may break compatibility for
applications run by non-root users that, for instance, rely on being able to
trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA
restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope
to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER
prctl.
Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com
PiperOrigin-RevId: 359237723
|
|
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com
PiperOrigin-RevId: 358866218
|
|
fio should scale by written/read bytes and not iterate runs
of the fio container.
PiperOrigin-RevId: 358511771
|
|
Also skips a test if the setsockopt to increase send buffer did not result in an
increase. This is possible when the underlying socket is a host backed unix
domain socket as in such cases gVisor does not permit increasing SO_SNDBUF.
PiperOrigin-RevId: 358285158
|
|
Currently, iperf runs a client that scales by
bytes sent. In practice, this causes b.N to scale
slowly and have several short lived containers.
Instead, scale by KB to more quickly reach required time.
PiperOrigin-RevId: 358244926
|
|
Remove unused argument while I'm here and avoid returning
syscall.Errno(0) which should rather be a nil error.
PiperOrigin-RevId: 358227396
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 358207468
|
|
Previously, we make two connect attempts. If the first attempt is still on
going when the second attempt is made, the test will fail. This change deflakes
the situation by not making the second attempt, instead, we poll for the first
attempt's completion and read the errno from SO_ERROR.
PiperOrigin-RevId: 358104769
|
|
PiperOrigin-RevId: 358085809
|
|
- TCP_INFO is used to get the RTO instead of calculating it manually.
PiperOrigin-RevId: 358032487
|
|
- Wrap comments at 80 columns
- Avoid duplicating the number of retries (5)
- Reduce indentation
- Use (*testing.T).Fatal rather than (*testing.T).Fatalf
PiperOrigin-RevId: 358017412
|
|
We were opening dual-stack sockets, but tests only set iptables rules for a
single network protocol. Thus, packets (probably sent by previous tests) could
sneak in and break tests.
Tested with:
bazel test ///test/iptables:iptables_test
--test_arg=--runtime=runsc --nocache_test_results --test_output=errors
--runs_per_test=1000 --test_filter=TestFilterInputDropUDP
PiperOrigin-RevId: 357972385
|
|
Remove flaky tcp_reordering_test as it does not check reordering. We have
added new reorder tests in tcp_rack_test.go
PiperOrigin-RevId: 357278769
|
|
Rename operation params in iperf and tensorflow to
match other similar benchmarks.
PiperOrigin-RevId: 357250304
|
|
Fix issue with iperf where b.N wasn't changing across runs.
Also, if the given runtime is runc/not given, don't run a profile against it.
PiperOrigin-RevId: 357231450
|
|
PiperOrigin-RevId: 357224877
|
|
Implementing interfaces on value types causes the interface to be
implemented by both the value type and the pointer type of the
implementer. This complicates type assertion as it requires the
assertion to check for both the pointer type and the value type.
PiperOrigin-RevId: 357061063
|
|
PiperOrigin-RevId: 357031904
|
|
PiperOrigin-RevId: 357015186
|
|
PiperOrigin-RevId: 356868412
|
|
PiperOrigin-RevId: 356843249
|
|
Deflake this test by retransmitting the ACK and retrying RST
expectation after the supposed state transition to CLOSED.
This gives time for the state transition to complete.
Without such a retransmit from the test, the ACK could get silently
dropped by the listener when the passively connecting endpoint
has not yet completely updated the state (in gVisor this would be
endpoint state and decrement of synRcvdCount).
PiperOrigin-RevId: 356825562
|
|
The limits for snd/rcv buffers for unix domain socket is controlled by the
following sysctls on linux
- net.core.rmem_default
- net.core.rmem_max
- net.core.wmem_default
- net.core.wmem_max
Today in gVisor we do not expose these sysctls but we do support setting the
equivalent in netstack via stack.Options() method. But AF_UNIX sockets in gVisor
can be used without netstack, with hostinet or even without any networking stack
at all. Which means ideally these sysctls need to live as globals in gVisor.
But rather than make this a big change for now we hardcode the limits in the
AF_UNIX implementation itself (which in itself is better than where we were
before) where it SO_SNDBUF was hardcoded to 16KiB. Further we bump the initial
limit to a default value of 208 KiB to match linux from the paltry 16 KiB we use
today.
Updates #5132
PiperOrigin-RevId: 356665498
|
|
The test will sometimes fail on Bind calls using the old RPCTimeout.
PiperOrigin-RevId: 356646668
|
|
PiperOrigin-RevId: 356587965
|
|
Reported-by: syzbot+9ffc71246fe72c73fc25@syzkaller.appspotmail.com
PiperOrigin-RevId: 356536113
|
|
PiperOrigin-RevId: 356450303
|
|
We previously return EINVAL when connecting to port 0, however this is not the
observed behavior on Linux. One of the observable effects after connecting to
port 0 on Linux is that getpeername() will fail with ENOTCONN.
PiperOrigin-RevId: 356413451
|
|
Reported-by: syzbot+d54bc27a15aefe52c330@syzkaller.appspotmail.com
PiperOrigin-RevId: 356406975
|
|
According to vfs.FilesystemImpl.RenameAt documentation:
- If the last path component in rp is "." or "..", and opts.Flags contains
RENAME_NOREPLACE, RenameAt returns EEXIST.
- If the last path component in rp is "." or "..", and opts.Flags does not
contain RENAME_NOREPLACE, RenameAt returns EBUSY.
Reported-by: syzbot+6189786e64fe13fe43f8@syzkaller.appspotmail.com
PiperOrigin-RevId: 355959266
|
|
PiperOrigin-RevId: 355675900
|
|
PiperOrigin-RevId: 355645297
|
|
Instead build the executable into the image.
PiperOrigin-RevId: 355631672
|
|
Our implementation of vfs.CheckDeleteSticky was not consistent with Linux,
specifically not consistent with fs/linux.h:check_sticky().
One of the biggest differences was that the vfs implementation did not
allow the owner of the sticky directory to delete files inside it that belonged
to other users.
This change makes our implementation consistent with Linux.
Also adds an integration test to check for this. This bug is also present in
VFS1.
Updates #3027
PiperOrigin-RevId: 355557425
|
|
PiperOrigin-RevId: 355506299
|
|
Netstack today will send dupACK's with no rate limit for incoming out of
window segments. This can result in ACK loops for example if a TCP socket
connects to itself (actually permitted by TCP). Where the ACK sent in
response to packets being out of order itself gets considered as an out
of window segment resulting in another ACK being generated.
PiperOrigin-RevId: 355206877
|
|
Also sync syscall test expectations on Fuchisa.
PiperOrigin-RevId: 355163492
|
|
PiperOrigin-RevId: 355067082
|
|
This makes it easier to add more tests that run on Ubuntu. We can now just
add a bash script and call that from integration_test without having to set up
another image.
PiperOrigin-RevId: 355000410
|
|
...to prevent panicking in case of failure.
PiperOrigin-RevId: 354970257
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 354730126
|
|
PiperOrigin-RevId: 354615220
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 354604389
|
|
PiperOrigin-RevId: 354595623
|
|
PiperOrigin-RevId: 354441239
|
|
When these specific tests were first added, they would fail when ran by
kokoro during the presubmit tests (but they always passed locally).
These tests are now passing, so they can be re-enabled. Unclear what
changed, one hypothesis is the move from kokoro to buildkite.
Fixes #4971
PiperOrigin-RevId: 354425395
|
|
There used to be a race condition where we may call Close before the connection
is established. Adding poll support so that we can eliminate this kind of race.
Startblock:
has LGTM from iyerm
and then
add reviewer tamird
PiperOrigin-RevId: 354369130
|
|
PiperOrigin-RevId: 354367665
|
|
The previous check was using SOCK_RAW, despite the fact that the test only uses
SOCK_DGRAM. Simplify the test machinery while I'm here.
PiperOrigin-RevId: 354359842
|