From 9cbf5a3dcc71d85cd857f117d4b7189a101be9c1 Mon Sep 17 00:00:00 2001
From: Haibo Xu <haibo.xu@arm.com>
Date: Fri, 25 Oct 2019 03:09:59 +0000
Subject: Enable pkg/cpuid support on arm64.

Fixes #1255

Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Change-Id: I8614e6f3ee321c2989567e4e712aa8f28cc9db14
---
 pkg/cpuid/cpuid_arm64.go | 461 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 461 insertions(+)
 create mode 100644 pkg/cpuid/cpuid_arm64.go

(limited to 'pkg/cpuid/cpuid_arm64.go')

diff --git a/pkg/cpuid/cpuid_arm64.go b/pkg/cpuid/cpuid_arm64.go
new file mode 100644
index 000000000..6d71290c9
--- /dev/null
+++ b/pkg/cpuid/cpuid_arm64.go
@@ -0,0 +1,461 @@
+// Copyright 2020 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build arm64
+
+package cpuid
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"io/ioutil"
+	"strconv"
+	"strings"
+
+	"gvisor.dev/gvisor/pkg/log"
+)
+
+// ARM64 doesn't have a 'cpuid' equivalent, which means it have no architected
+// discovery mechanism for hardware features available to userspace code at EL0.
+// The kernel exposes the presence of these features to userspace through a set
+// of flags(HWCAP/HWCAP2) bits, exposed in the auxilliary vector.
+// Ref Documentation/arm64/elf_hwcaps.rst for more info.
+//
+// Currently, only the HWCAP bits are supported.
+
+const (
+	// Single and double precision float point types.
+	ARM64FeatureFP Feature = iota
+
+	// Advanced SIMD with single and double precision
+	// float point arithmetic.
+	ARM64FeatureASIMD
+
+	// The generic timer is configured to generate
+	// events at a frequency of approximately 100KHz.
+	ARM64FeatureEVTSTRM
+
+	// AES instructions(AESE/AESD/AESMC/AESIMC).
+	ARM64FeatureAES
+
+	// AES instructions(PMULL/PMULL2).
+	ARM64FeaturePMULL
+
+	// SHA1 instructions(SHA1C/SHA1P/SHA1M etc).
+	ARM64FeatureSHA1
+
+	// SHA2 instructions(SHA256H/SHA256H2/SHA256SU0 etc).
+	ARM64FeatureSHA2
+
+	// CRC32 instructions(CRC32B/CRC32H/CRC32W etc).
+	ARM64FeatureCRC32
+
+	// Atomic instructions(LDADD/LDCLR/LDEOR/LDSET etc).
+	ARM64FeatureATOMICS
+
+	// Half precision float point arithmetic.
+	ARM64FeatureFPHP
+
+	// ASIMD with half precision float point arithmetic.
+	ARM64FeatureASIMDHP
+
+	// EL0 access to certain ID registers is available.
+	ARM64FeatureCPUID
+
+	// SQRDMLAH and SQRDMLSH instructions implemented.
+	ARM64FeatureASIMDRDM
+
+	// The FJCVTZS instruction is implemented.
+	ARM64FeatureJSCVT
+
+	// The FCMLA and FCADD instructions are implemented.
+	ARM64FeatureFCMA
+
+	// The LDAPRB/LDAPRH/LDAPR instructions are implemented.
+	ARM64FeatureLRCPC
+
+	// DC instruction(DC CVAP) supported.
+	ARM64FeatureDCPOP
+
+	// SHA3 instructions(EOR3/RAX1/XAR/BCAX) implemented.
+	ARM64FeatureSHA3
+
+	// SM3 instructions(SM3SS1/SM3TT1A/SM3TT1B) implemented.
+	ARM64FeatureSM3
+
+	// SM4 instructions(SM4E/SM4EKEY) implemented.
+	ARM64FeatureSM4
+
+	// Dot Product instructions(UDOT/SDOT) implemented.
+	ARM64FeatureASIMDDP
+
+	// SHA2 instructions(SHA512H/SHA512H2/SHA512SU0) implemented.
+	ARM64FeatureSHA512
+
+	// Scalable Vector Extension implemented.
+	ARM64FeatureSVE
+
+	// FMLAL and FMLSL instructions are implemented.
+	ARM64FeatureASIMDFHM
+)
+
+// ELF auxiliary vector tags
+const (
+	_AT_NULL   = 0  // End of vector
+	_AT_HWCAP  = 16 // hardware capability bit vector
+	_AT_HWCAP2 = 26 // hardware capability bit vector 2
+)
+
+// These should not be changed after they are initialized.
+var hwCap uint
+
+// To make emulation of /proc/cpuinfo easy, these names match the names of the
+// basic features in Linux defined in arch/arm64/kernel/cpuinfo.c.
+var arm64FeatureStrings = map[Feature]string{
+	ARM64FeatureFP:       "fp",
+	ARM64FeatureASIMD:    "asimd",
+	ARM64FeatureEVTSTRM:  "evtstrm",
+	ARM64FeatureAES:      "aes",
+	ARM64FeaturePMULL:    "pmull",
+	ARM64FeatureSHA1:     "sha1",
+	ARM64FeatureSHA2:     "sha2",
+	ARM64FeatureCRC32:    "crc32",
+	ARM64FeatureATOMICS:  "atomics",
+	ARM64FeatureFPHP:     "fphp",
+	ARM64FeatureASIMDHP:  "asimdhp",
+	ARM64FeatureCPUID:    "cpuid",
+	ARM64FeatureASIMDRDM: "asimdrdm",
+	ARM64FeatureJSCVT:    "jscvt",
+	ARM64FeatureFCMA:     "fcma",
+	ARM64FeatureLRCPC:    "lrcpc",
+	ARM64FeatureDCPOP:    "dcpop",
+	ARM64FeatureSHA3:     "sha3",
+	ARM64FeatureSM3:      "sm3",
+	ARM64FeatureSM4:      "sm4",
+	ARM64FeatureASIMDDP:  "asimddp",
+	ARM64FeatureSHA512:   "sha512",
+	ARM64FeatureSVE:      "sve",
+	ARM64FeatureASIMDFHM: "asimdfhm",
+}
+
+var (
+	cpuFreqMHz float64
+	cpuImplHex uint64
+	cpuArchDec uint64
+	cpuVarHex  uint64
+	cpuPartHex uint64
+	cpuRevDec  uint64
+)
+
+// arm64FeaturesFromString includes features from arm64FeatureStrings.
+var arm64FeaturesFromString = make(map[string]Feature)
+
+// FeatureFromString returns the Feature associated with the given feature
+// string plus a bool to indicate if it could find the feature.
+func FeatureFromString(s string) (Feature, bool) {
+	f, b := arm64FeaturesFromString[s]
+	return f, b
+}
+
+// String implements fmt.Stringer.
+func (f Feature) String() string {
+	if s := f.flagString(); s != "" {
+		return s
+	}
+
+	return fmt.Sprintf("<cpuflag %d>", f)
+}
+
+func (f Feature) flagString() string {
+	if s, ok := arm64FeatureStrings[f]; ok {
+		return s
+	}
+
+	return ""
+}
+
+// FeatureSet is a set of Features for a CPU.
+//
+// +stateify savable
+type FeatureSet struct {
+	// Set is the set of features that are enabled in this FeatureSet.
+	Set map[Feature]bool
+
+	// CPUImplementer is part of the processor signature.
+	CPUImplementer uint8
+
+	// CPUArchitecture is part of the processor signature.
+	CPUArchitecture uint8
+
+	// CPUVariant is part of the processor signature.
+	CPUVariant uint8
+
+	// CPUPartnum is part of the processor signature.
+	CPUPartnum uint16
+
+	// CPURevision is part of the processor signature.
+	CPURevision uint8
+}
+
+// CheckHostCompatible returns nil if fs is a subset of the host feature set.
+// Noop on arm64.
+func (fs *FeatureSet) CheckHostCompatible() error {
+	return nil
+}
+
+// ExtendedStateSize returns the number of bytes needed to save the "extended
+// state" for this processor and the boundary it must be aligned to. Extended
+// state includes floating point(NEON) registers, and other cpu state that's not
+// associated with the normal task context.
+func (fs *FeatureSet) ExtendedStateSize() (size, align uint) {
+	// ARMv8 provide 32x128bits NEON registers.
+	//
+	// Ref arch/arm64/include/uapi/asm/ptrace.h
+	// struct user_fpsimd_state {
+	//        __uint128_t     vregs[32];
+	//        __u32           fpsr;
+	//	  __u32           fpcr;
+	//	  __u32           __reserved[2];
+	// };
+	return 528, 16
+}
+
+// HasFeature tests whether or not a feature is in the given feature set.
+func (fs *FeatureSet) HasFeature(feature Feature) bool {
+	return fs.Set[feature]
+}
+
+// UseXsaveopt returns true if 'fs' supports the "xsaveopt" instruction.
+// Noop on arm64.
+func (fs *FeatureSet) UseXsave() bool {
+	return false
+}
+
+// FlagsString prints out supported CPU "flags" field in /proc/cpuinfo.
+func (fs *FeatureSet) FlagsString() string {
+	var s []string
+	for f, _ := range arm64FeatureStrings {
+		if fs.Set[f] {
+			if fstr := f.flagString(); fstr != "" {
+				s = append(s, fstr)
+			}
+		}
+	}
+	return strings.Join(s, " ")
+}
+
+// WriteCPUInfoTo is to generate a section of one cpu in /proc/cpuinfo. This is
+// a minimal /proc/cpuinfo, and the bogomips field is simply made up.
+func (fs FeatureSet) WriteCPUInfoTo(cpu uint, b *bytes.Buffer) {
+	fmt.Fprintf(b, "processor\t: %d\n", cpu)
+	fmt.Fprintf(b, "BogoMIPS\t: %.02f\n", cpuFreqMHz) // It's bogus anyway.
+	fmt.Fprintf(b, "Features\t\t: %s\n", fs.FlagsString())
+	fmt.Fprintf(b, "CPU implementer\t: 0x%x\n", cpuImplHex)
+	fmt.Fprintf(b, "CPU architecture\t: %d\n", cpuArchDec)
+	fmt.Fprintf(b, "CPU variant\t: 0x%x\n", cpuVarHex)
+	fmt.Fprintf(b, "CPU part\t: 0x%x\n", cpuPartHex)
+	fmt.Fprintf(b, "CPU revision\t: %d\n", cpuRevDec)
+	fmt.Fprintln(b, "") // The /proc/cpuinfo file ends with an extra newline.
+}
+
+// HostFeatureSet uses hwCap to get host values and construct a feature set
+// that matches that of the host machine.
+func HostFeatureSet() *FeatureSet {
+	s := make(map[Feature]bool)
+
+	for f, _ := range arm64FeatureStrings {
+		if hwCap&(1<<f) != 0 {
+			s[f] = true
+		}
+	}
+
+	return &FeatureSet{
+		Set:             s,
+		CPUImplementer:  uint8(cpuImplHex),
+		CPUArchitecture: uint8(cpuArchDec),
+		CPUVariant:      uint8(cpuVarHex),
+		CPUPartnum:      uint16(cpuPartHex),
+		CPURevision:     uint8(cpuRevDec),
+	}
+}
+
+// Reads bogomips from host /proc/cpuinfo. Must run before whitelisting.
+// This value is used to create the fake /proc/cpuinfo from a FeatureSet.
+func initCPUInfo() {
+	cpuinfob, err := ioutil.ReadFile("/proc/cpuinfo")
+	if err != nil {
+		// Leave it as 0. The standalone VDSO bails out in the same way.
+		log.Warningf("Could not read /proc/cpuinfo: %v", err)
+		return
+	}
+	cpuinfo := string(cpuinfob)
+
+	// We get the value straight from host /proc/cpuinfo.
+	for _, line := range strings.Split(cpuinfo, "\n") {
+		switch {
+		case strings.Contains(line, "BogoMIPS"):
+			{
+				splitMHz := strings.Split(line, ":")
+				if len(splitMHz) < 2 {
+					log.Warningf("Could not read /proc/cpuinfo: malformed BogoMIPS")
+					break
+				}
+
+				// If there was a problem, leave cpuFreqMHz as 0.
+				var err error
+				cpuFreqMHz, err = strconv.ParseFloat(strings.TrimSpace(splitMHz[1]), 64)
+				if err != nil {
+					log.Warningf("Could not parse BogoMIPS value %v: %v", splitMHz[1], err)
+					cpuFreqMHz = 0
+				}
+			}
+		case strings.Contains(line, "CPU implementer"):
+			{
+				splitImpl := strings.Split(line, ":")
+				if len(splitImpl) < 2 {
+					log.Warningf("Could not read /proc/cpuinfo: malformed CPU implementer")
+					break
+				}
+
+				// If there was a problem, leave cpuImplHex as 0.
+				var err error
+				cpuImplHex, err = strconv.ParseUint(strings.TrimSpace(splitImpl[1]), 0, 64)
+				if err != nil {
+					log.Warningf("Could not parse CPU implementer value %v: %v", splitImpl[1], err)
+					cpuImplHex = 0
+				}
+			}
+		case strings.Contains(line, "CPU architecture"):
+			{
+				splitArch := strings.Split(line, ":")
+				if len(splitArch) < 2 {
+					log.Warningf("Could not read /proc/cpuinfo: malformed CPU architecture")
+					break
+				}
+
+				// If there was a problem, leave cpuArchDec as 0.
+				var err error
+				cpuArchDec, err = strconv.ParseUint(strings.TrimSpace(splitArch[1]), 0, 64)
+				if err != nil {
+					log.Warningf("Could not parse CPU architecture value %v: %v", splitArch[1], err)
+					cpuArchDec = 0
+				}
+			}
+		case strings.Contains(line, "CPU variant"):
+			{
+				splitVar := strings.Split(line, ":")
+				if len(splitVar) < 2 {
+					log.Warningf("Could not read /proc/cpuinfo: malformed CPU variant")
+					break
+				}
+
+				// If there was a problem, leave cpuVarHex as 0.
+				var err error
+				cpuVarHex, err = strconv.ParseUint(strings.TrimSpace(splitVar[1]), 0, 64)
+				if err != nil {
+					log.Warningf("Could not parse CPU variant value %v: %v", splitVar[1], err)
+					cpuVarHex = 0
+				}
+			}
+		case strings.Contains(line, "CPU part"):
+			{
+				splitPart := strings.Split(line, ":")
+				if len(splitPart) < 2 {
+					log.Warningf("Could not read /proc/cpuinfo: malformed CPU part")
+					break
+				}
+
+				// If there was a problem, leave cpuPartHex as 0.
+				var err error
+				cpuPartHex, err = strconv.ParseUint(strings.TrimSpace(splitPart[1]), 0, 64)
+				if err != nil {
+					log.Warningf("Could not parse CPU part value %v: %v", splitPart[1], err)
+					cpuPartHex = 0
+				}
+			}
+		case strings.Contains(line, "CPU revision"):
+			{
+				splitRev := strings.Split(line, ":")
+				if len(splitRev) < 2 {
+					log.Warningf("Could not read /proc/cpuinfo: malformed CPU revision")
+					break
+				}
+
+				// If there was a problem, leave cpuRevDec as 0.
+				var err error
+				cpuRevDec, err = strconv.ParseUint(strings.TrimSpace(splitRev[1]), 0, 64)
+				if err != nil {
+					log.Warningf("Could not parse CPU revision value %v: %v", splitRev[1], err)
+					cpuRevDec = 0
+				}
+			}
+		}
+	}
+}
+
+// The auxiliary vector of a process on the Linux system can be read
+// from /proc/self/auxv, and tags and values are stored as 8-bytes
+// decimal key-value pairs on the 64-bit system.
+//
+// $ od -t d8 /proc/self/auxv
+//  0000000                   33      140734615224320
+//  0000020                   16           3219913727
+//  0000040                    6                 4096
+//  0000060                   17                  100
+//  0000100                    3       94665627353152
+//  0000120                    4                   56
+//  0000140                    5                    9
+//  0000160                    7      140425502162944
+//  0000200                    8                    0
+//  0000220                    9       94665627365760
+//  0000240                   11                 1000
+//  0000260                   12                 1000
+//  0000300                   13                 1000
+//  0000320                   14                 1000
+//  0000340                   23                    0
+//  0000360                   25      140734614619513
+//  0000400                   26                    0
+//  0000420                   31      140734614626284
+//  0000440                   15      140734614619529
+//  0000460                    0                    0
+func initHwCap() {
+	auxv, err := ioutil.ReadFile("/proc/self/auxv")
+	if err != nil {
+		log.Warningf("Could not read /proc/self/auxv: %v", err)
+		return
+	}
+
+	l := len(auxv) / 16
+	for i := 0; i < l; i++ {
+		tag := binary.LittleEndian.Uint64(auxv[i*16:])
+		val := binary.LittleEndian.Uint64(auxv[(i*16 + 8):])
+		if tag == _AT_HWCAP {
+			hwCap = uint(val)
+			break
+		}
+	}
+}
+
+func initFeaturesFromString() {
+	for f, s := range arm64FeatureStrings {
+		arm64FeaturesFromString[s] = f
+	}
+}
+
+func init() {
+	initCPUInfo()
+	initHwCap()
+	initFeaturesFromString()
+}
-- 
cgit v1.2.3


From 3970c127434817304f67a2ad192cbe8094ad3353 Mon Sep 17 00:00:00 2001
From: Michael Pratt <mpratt@google.com>
Date: Thu, 18 Jun 2020 09:02:14 -0700
Subject: Remove various uses of 'whitelist'

Updates #2972

PiperOrigin-RevId: 317113059
---
 pkg/bpf/interpreter_test.go          |  2 +-
 pkg/cpuid/cpuid_arm64.go             |  5 +++--
 pkg/cpuid/cpuid_x86.go               |  7 +++----
 pkg/seccomp/seccomp_rules.go         |  4 ++--
 pkg/sentry/fs/filesystems.go         | 14 --------------
 pkg/sentry/fsimpl/host/host.go       |  5 +++--
 pkg/sentry/socket/hostinet/socket.go |  8 ++++----
 pkg/sentry/vfs/README.md             |  2 --
 test/syscalls/linux/xattr.cc         |  5 +++--
 tools/nogo/matchers.go               | 27 ++++++++++++++++-----------
 10 files changed, 35 insertions(+), 44 deletions(-)

(limited to 'pkg/cpuid/cpuid_arm64.go')

diff --git a/pkg/bpf/interpreter_test.go b/pkg/bpf/interpreter_test.go
index 547921d0a..c85d786b9 100644
--- a/pkg/bpf/interpreter_test.go
+++ b/pkg/bpf/interpreter_test.go
@@ -767,7 +767,7 @@ func TestSimpleFilter(t *testing.T) {
 			expectedRet: 0,
 		},
 		{
-			desc:        "Whitelisted syscall is allowed",
+			desc:        "Allowed syscall is indeed allowed",
 			seccompData: seccompData{nr: 231 /* __NR_exit_group */, arch: 0xc000003e},
 			expectedRet: 0x7fff0000,
 		},
diff --git a/pkg/cpuid/cpuid_arm64.go b/pkg/cpuid/cpuid_arm64.go
index 08381c1c0..ac7bb6774 100644
--- a/pkg/cpuid/cpuid_arm64.go
+++ b/pkg/cpuid/cpuid_arm64.go
@@ -312,8 +312,9 @@ func HostFeatureSet() *FeatureSet {
 	}
 }
 
-// Reads bogomips from host /proc/cpuinfo. Must run before whitelisting.
-// This value is used to create the fake /proc/cpuinfo from a FeatureSet.
+// Reads bogomips from host /proc/cpuinfo. Must run before syscall filter
+// installation. This value is used to create the fake /proc/cpuinfo from a
+// FeatureSet.
 func initCPUInfo() {
 	cpuinfob, err := ioutil.ReadFile("/proc/cpuinfo")
 	if err != nil {
diff --git a/pkg/cpuid/cpuid_x86.go b/pkg/cpuid/cpuid_x86.go
index 562f8f405..17a89c00d 100644
--- a/pkg/cpuid/cpuid_x86.go
+++ b/pkg/cpuid/cpuid_x86.go
@@ -1057,9 +1057,9 @@ func HostFeatureSet() *FeatureSet {
 	}
 }
 
-// Reads max cpu frequency from host /proc/cpuinfo. Must run before
-// whitelisting. This value is used to create the fake /proc/cpuinfo from a
-// FeatureSet.
+// Reads max cpu frequency from host /proc/cpuinfo. Must run before syscall
+// filter installation. This value is used to create the fake /proc/cpuinfo
+// from a FeatureSet.
 func initCPUFreq() {
 	cpuinfob, err := ioutil.ReadFile("/proc/cpuinfo")
 	if err != nil {
@@ -1106,7 +1106,6 @@ func initFeaturesFromString() {
 }
 
 func init() {
-	// initCpuFreq must be run before whitelists are enabled.
 	initCPUFreq()
 	initFeaturesFromString()
 }
diff --git a/pkg/seccomp/seccomp_rules.go b/pkg/seccomp/seccomp_rules.go
index 06308cd29..a52dc1b4e 100644
--- a/pkg/seccomp/seccomp_rules.go
+++ b/pkg/seccomp/seccomp_rules.go
@@ -56,7 +56,7 @@ func (a AllowValue) String() (s string) {
 	return fmt.Sprintf("%#x ", uintptr(a))
 }
 
-// Rule stores the whitelist of syscall arguments.
+// Rule stores the allowed syscall arguments.
 //
 // For example:
 // rule := Rule {
@@ -82,7 +82,7 @@ func (r Rule) String() (s string) {
 	return
 }
 
-// SyscallRules stores a map of OR'ed whitelist rules indexed by the syscall number.
+// SyscallRules stores a map of OR'ed argument rules indexed by the syscall number.
 // If the 'Rules' is empty, we treat it as any argument is allowed.
 //
 // For example:
diff --git a/pkg/sentry/fs/filesystems.go b/pkg/sentry/fs/filesystems.go
index 084da2a8d..d41f30bbb 100644
--- a/pkg/sentry/fs/filesystems.go
+++ b/pkg/sentry/fs/filesystems.go
@@ -87,20 +87,6 @@ func RegisterFilesystem(f Filesystem) {
 	filesystems.registered[f.Name()] = f
 }
 
-// UnregisterFilesystem removes a file system from the global set. To keep the
-// file system set compatible with save/restore, UnregisterFilesystem must be
-// called before save/restore methods.
-//
-// For instance, packages may unregister their file system after it is mounted.
-// This makes sense for pseudo file systems that should not be visible or
-// mountable. See whitelistfs in fs/host/fs.go for one example.
-func UnregisterFilesystem(name string) {
-	filesystems.mu.Lock()
-	defer filesystems.mu.Unlock()
-
-	delete(filesystems.registered, name)
-}
-
 // FindFilesystem returns a Filesystem registered at name or (nil, false) if name
 // is not a file system type that can be found in /proc/filesystems.
 func FindFilesystem(name string) (Filesystem, bool) {
diff --git a/pkg/sentry/fsimpl/host/host.go b/pkg/sentry/fsimpl/host/host.go
index a3a312edb..43a173bc9 100644
--- a/pkg/sentry/fsimpl/host/host.go
+++ b/pkg/sentry/fsimpl/host/host.go
@@ -476,8 +476,9 @@ func (i *inode) open(ctx context.Context, d *vfs.Dentry, mnt *vfs.Mount, flags u
 		return unixsocket.NewFileDescription(ep, ep.Type(), flags, mnt, d, &i.locks)
 	}
 
-	// TODO(gvisor.dev/issue/1672): Whitelist specific file types here, so that
-	// we don't allow importing arbitrary file types without proper support.
+	// TODO(gvisor.dev/issue/1672): Allow only specific file types here, so
+	// that we don't allow importing arbitrary file types without proper
+	// support.
 	if i.isTTY {
 		fd := &TTYFileDescription{
 			fileDescription: fileDescription{inode: i},
diff --git a/pkg/sentry/socket/hostinet/socket.go b/pkg/sentry/socket/hostinet/socket.go
index c11e82c10..a92aed2c9 100644
--- a/pkg/sentry/socket/hostinet/socket.go
+++ b/pkg/sentry/socket/hostinet/socket.go
@@ -324,7 +324,7 @@ func (s *socketOpsCommon) GetSockOpt(t *kernel.Task, level int, name int, outPtr
 		return nil, syserr.ErrInvalidArgument
 	}
 
-	// Whitelist options and constrain option length.
+	// Only allow known and safe options.
 	optlen := getSockOptLen(t, level, name)
 	switch level {
 	case linux.SOL_IP:
@@ -369,7 +369,7 @@ func (s *socketOpsCommon) GetSockOpt(t *kernel.Task, level int, name int, outPtr
 
 // SetSockOpt implements socket.Socket.SetSockOpt.
 func (s *socketOpsCommon) SetSockOpt(t *kernel.Task, level int, name int, opt []byte) *syserr.Error {
-	// Whitelist options and constrain option length.
+	// Only allow known and safe options.
 	optlen := setSockOptLen(t, level, name)
 	switch level {
 	case linux.SOL_IP:
@@ -415,7 +415,7 @@ func (s *socketOpsCommon) SetSockOpt(t *kernel.Task, level int, name int, opt []
 
 // RecvMsg implements socket.Socket.RecvMsg.
 func (s *socketOpsCommon) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags int, haveDeadline bool, deadline ktime.Time, senderRequested bool, controlLen uint64) (int, int, linux.SockAddr, uint32, socket.ControlMessages, *syserr.Error) {
-	// Whitelist flags.
+	// Only allow known and safe flags.
 	//
 	// FIXME(jamieliu): We can't support MSG_ERRQUEUE because it uses ancillary
 	// messages that gvisor/pkg/tcpip/transport/unix doesn't understand. Kill the
@@ -537,7 +537,7 @@ func (s *socketOpsCommon) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags
 
 // SendMsg implements socket.Socket.SendMsg.
 func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []byte, flags int, haveDeadline bool, deadline ktime.Time, controlMessages socket.ControlMessages) (int, *syserr.Error) {
-	// Whitelist flags.
+	// Only allow known and safe flags.
 	if flags&^(syscall.MSG_DONTWAIT|syscall.MSG_EOR|syscall.MSG_FASTOPEN|syscall.MSG_MORE|syscall.MSG_NOSIGNAL) != 0 {
 		return 0, syserr.ErrInvalidArgument
 	}
diff --git a/pkg/sentry/vfs/README.md b/pkg/sentry/vfs/README.md
index 66f3105bd..4b9faf2ea 100644
--- a/pkg/sentry/vfs/README.md
+++ b/pkg/sentry/vfs/README.md
@@ -169,8 +169,6 @@ This construction, which is essentially a type-safe analogue to Linux's
 
     -   binder, which is similarly far too incomplete to use.
 
-    -   whitelistfs, which we are already actively attempting to remove.
-
 -   Save/restore. For instance, it is unclear if the current implementation of
     the `state` package supports the inheritance pattern described above.
 
diff --git a/test/syscalls/linux/xattr.cc b/test/syscalls/linux/xattr.cc
index 3231732ec..cbcf08451 100644
--- a/test/syscalls/linux/xattr.cc
+++ b/test/syscalls/linux/xattr.cc
@@ -73,9 +73,10 @@ TEST_F(XattrTest, XattrLargeName) {
   std::string name = "user.";
   name += std::string(XATTR_NAME_MAX - name.length(), 'a');
 
-  // An xattr should be whitelisted before it can be accessed--do not allow
-  // arbitrary xattrs to be read/written in gVisor.
   if (!IsRunningOnGvisor()) {
+    // In gVisor, access to xattrs is controlled with an explicit list of
+    // allowed names. This name isn't going to be configured to allow access, so
+    // don't test it.
     EXPECT_THAT(setxattr(path, name.c_str(), nullptr, 0, /*flags=*/0),
                 SyscallSucceeds());
     EXPECT_THAT(getxattr(path, name.c_str(), nullptr, 0),
diff --git a/tools/nogo/matchers.go b/tools/nogo/matchers.go
index 32f099925..57a250501 100644
--- a/tools/nogo/matchers.go
+++ b/tools/nogo/matchers.go
@@ -27,10 +27,15 @@ type matcher interface {
 	ShouldReport(d analysis.Diagnostic, fs *token.FileSet) bool
 }
 
-// pathRegexps excludes explicit paths.
+// pathRegexps filters explicit paths.
 type pathRegexps struct {
-	expr      []*regexp.Regexp
-	whitelist bool
+	expr []*regexp.Regexp
+
+	// include, if true, indicates that paths matching any regexp in expr
+	// match.
+	//
+	// If false, paths matching no regexps in expr match.
+	include bool
 }
 
 // buildRegexps builds a list of regular expressions.
@@ -49,33 +54,33 @@ func (p *pathRegexps) ShouldReport(d analysis.Diagnostic, fs *token.FileSet) boo
 	fullPos := fs.Position(d.Pos).String()
 	for _, path := range p.expr {
 		if path.MatchString(fullPos) {
-			return p.whitelist
+			return p.include
 		}
 	}
-	return !p.whitelist
+	return !p.include
 }
 
 // internalExcluded excludes specific internal paths.
 func internalExcluded(paths ...string) *pathRegexps {
 	return &pathRegexps{
-		expr:      buildRegexps(internalPrefix, paths...),
-		whitelist: false,
+		expr:    buildRegexps(internalPrefix, paths...),
+		include: false,
 	}
 }
 
 // excludedExcluded excludes specific external paths.
 func externalExcluded(paths ...string) *pathRegexps {
 	return &pathRegexps{
-		expr:      buildRegexps(externalPrefix, paths...),
-		whitelist: false,
+		expr:    buildRegexps(externalPrefix, paths...),
+		include: false,
 	}
 }
 
 // internalMatches returns a path matcher for internal packages.
 func internalMatches() *pathRegexps {
 	return &pathRegexps{
-		expr:      buildRegexps(internalPrefix, ".*"),
-		whitelist: true,
+		expr:    buildRegexps(internalPrefix, ".*"),
+		include: true,
 	}
 }
 
-- 
cgit v1.2.3