Enable runsc/boot support on arm64.
This patch also includes a minor change replacing syscall.Dup2 with
syscall.Dup3 (dup2 is not available on arm64) that was missed in a
previous commit (ref a25a976).
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Change-Id: I00beb9cc492e44c762ebaa3750201c63c1f7c2f3
parent
2c6c9af904
commit
05871a1cdc
|
@ -38,7 +38,7 @@ func main() {
|
||||||
syscall.SYS_CLONE: {},
|
syscall.SYS_CLONE: {},
|
||||||
syscall.SYS_CLOSE: {},
|
syscall.SYS_CLOSE: {},
|
||||||
syscall.SYS_DUP: {},
|
syscall.SYS_DUP: {},
|
||||||
syscall.SYS_DUP2: {},
|
syscall.SYS_DUP3: {},
|
||||||
syscall.SYS_EPOLL_CREATE1: {},
|
syscall.SYS_EPOLL_CREATE1: {},
|
||||||
syscall.SYS_EPOLL_CTL: {},
|
syscall.SYS_EPOLL_CTL: {},
|
||||||
syscall.SYS_EPOLL_WAIT: {},
|
syscall.SYS_EPOLL_WAIT: {},
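Review bot: The table still lists `syscall.SYS_EPOLL_WAIT` two entries below the new `syscall.SYS_DUP3` line, and Go's syscall package does not define that constant for linux/arm64 (the arm64 generic syscall table has only epoll_pwait, just as it has only dup3 and no dup2), so if this file is part of the arm64 build the DUP2 swap alone will not make it compile. If the file is amd64-only, a `// +build amd64` constraint or a comment saying so would make that explicit and stop the next arm64 porting pass from tripping over it. The enclosing `func main()` starts before the hunk, so I cannot see whether the table is installed as a seccomp filter or used for something else.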
|
||||||
|
|
|
@ -268,7 +268,7 @@ func (i *inodeFileState) recreateReadHandles(ctx context.Context, writer *handle
|
||||||
// operations on the old will see the new data. Then, make the new handle take
|
// operations on the old will see the new data. Then, make the new handle take
|
||||||
// ownereship of the old FD and mark the old readHandle to not close the FD
|
// ownereship of the old FD and mark the old readHandle to not close the FD
|
||||||
// when done.
|
// when done.
|
||||||
if err := syscall.Dup2(h.Host.FD(), i.readHandles.Host.FD()); err != nil {
|
if err := syscall.Dup3(h.Host.FD(), i.readHandles.Host.FD(), 0); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
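Review bot: `syscall.Dup3(h.Host.FD(), i.readHandles.Host.FD(), 0)` is not a drop-in for `Dup2` when both descriptors are the same number: dup2 treats oldfd == newfd as a successful no-op, while dup3 returns EINVAL, so this path would now fail where it used to succeed. Whether the two handles can ever share an FD depends on how they are created, which is outside the hunk; if it is possible, guard it with `if h.Host.FD() != i.readHandles.Host.FD() { ... }` or treat `syscall.EINVAL` from this call as success. Passing flags 0 matches dup2 in not setting O_CLOEXEC on the new descriptor, which is presumably intended since the old descriptor was created the same way. `recreateReadHandles` starts before the hunk and continues after it.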
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,8 @@ go_library(
|
||||||
"fs.go",
|
"fs.go",
|
||||||
"limits.go",
|
"limits.go",
|
||||||
"loader.go",
|
"loader.go",
|
||||||
|
"loader_amd64.go",
|
||||||
|
"loader_arm64.go",
|
||||||
"network.go",
|
"network.go",
|
||||||
"pprof.go",
|
"pprof.go",
|
||||||
"strace.go",
|
"strace.go",
|
||||||
|
|
|
@ -6,6 +6,8 @@ go_library(
|
||||||
name = "filter",
|
name = "filter",
|
||||||
srcs = [
|
srcs = [
|
||||||
"config.go",
|
"config.go",
|
||||||
|
"config_amd64.go",
|
||||||
|
"config_arm64.go",
|
||||||
"extra_filters.go",
|
"extra_filters.go",
|
||||||
"extra_filters_msan.go",
|
"extra_filters_msan.go",
|
||||||
"extra_filters_race.go",
|
"extra_filters_race.go",
|
||||||
|
|
|
@ -26,10 +26,6 @@ import (
|
||||||
|
|
||||||
// allowedSyscalls is the set of syscalls executed by the Sentry to the host OS.
|
// allowedSyscalls is the set of syscalls executed by the Sentry to the host OS.
|
||||||
var allowedSyscalls = seccomp.SyscallRules{
|
var allowedSyscalls = seccomp.SyscallRules{
|
||||||
syscall.SYS_ARCH_PRCTL: []seccomp.Rule{
|
|
||||||
{seccomp.AllowValue(linux.ARCH_GET_FS)},
|
|
||||||
{seccomp.AllowValue(linux.ARCH_SET_FS)},
|
|
||||||
},
|
|
||||||
syscall.SYS_CLOCK_GETTIME: {},
|
syscall.SYS_CLOCK_GETTIME: {},
|
||||||
syscall.SYS_CLONE: []seccomp.Rule{
|
syscall.SYS_CLONE: []seccomp.Rule{
|
||||||
{
|
{
|
||||||
|
@ -44,7 +40,7 @@ var allowedSyscalls = seccomp.SyscallRules{
|
||||||
},
|
},
|
||||||
syscall.SYS_CLOSE: {},
|
syscall.SYS_CLOSE: {},
|
||||||
syscall.SYS_DUP: {},
|
syscall.SYS_DUP: {},
|
||||||
syscall.SYS_DUP2: {},
|
syscall.SYS_DUP3: {},
|
||||||
syscall.SYS_EPOLL_CREATE1: {},
|
syscall.SYS_EPOLL_CREATE1: {},
|
||||||
syscall.SYS_EPOLL_CTL: {},
|
syscall.SYS_EPOLL_CTL: {},
|
||||||
syscall.SYS_EPOLL_PWAIT: []seccomp.Rule{
|
syscall.SYS_EPOLL_PWAIT: []seccomp.Rule{
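Review bot: The replacement rule `syscall.SYS_DUP3: {}` admits any value in the flags argument, whereas the only caller visible in this commit passes 0, so the Sentry filter is slightly looser than the DUP2 rule it replaces. Restricting it to the flags actually used, e.g. `syscall.SYS_DUP3: []seccomp.Rule{{seccomp.AllowAny{}, seccomp.AllowAny{}, seccomp.AllowValue(0)}}`, uses the same argument-matching mechanism the SYS_CLONE rule a few lines above already relies on; this assumes `seccomp.AllowAny` exists in this version of the package and that no other Sentry code path calls dup3 with O_CLOEXEC, neither of which I can confirm from the hunk. The removal of the ARCH_PRCTL rules here is paired with their re-addition in config_amd64.go in this commit and needs no change. The `allowedSyscalls` literal continues past the hunk.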
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
// Copyright 2019 The gVisor Authors.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// +build amd64
|
||||||
|
|
||||||
|
package filter
|
||||||
|
|
||||||
|
import (
|
||||||
|
"syscall"
|
||||||
|
|
||||||
|
"gvisor.dev/gvisor/pkg/abi/linux"
|
||||||
|
"gvisor.dev/gvisor/pkg/seccomp"
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{
|
||||||
|
{seccomp.AllowValue(linux.ARCH_GET_FS)},
|
||||||
|
{seccomp.AllowValue(linux.ARCH_SET_FS)},
|
||||||
|
}
|
||||||
|
}
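Review bot: `init` mutates the package-level `allowedSyscalls` map without a comment explaining the contract it depends on: Go initialises package variables before any `init` runs, but `init` functions in different files of the same package run in the order the files are handed to the compiler, so any other `init` in this package that reads the table could observe it before the ARCH_PRCTL rules are present. Whether such a reader exists is not visible in this commit, but the assumption should be written down, e.g. `// init adds the amd64-only rules to allowedSyscalls; the table must only be consumed after package initialisation completes.` placed above the function. An alternative that avoids init ordering altogether is an `archSyscalls` variable per arch that config.go merges explicitly at the point of use.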
|
|
@ -0,0 +1,21 @@
|
||||||
|
// Copyright 2019 The gVisor Authors.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// +build arm64
|
||||||
|
|
||||||
|
package filter
|
||||||
|
|
||||||
|
// Reserve for future customization.
|
||||||
|
func init() {
|
||||||
|
}
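Review bot: The empty `init` is dead code; a file containing only the build constraint and the `package filter` clause satisfies the BUILD entry on arm64, and an empty init invites the impression that something was forgotten here. If the file is kept as a placeholder, replace the function with a package-level note that says what is expected to land here, e.g. `// arm64 currently has no architecture-specific syscall rules; amd64-only rules such as ARCH_PRCTL live in config_amd64.go.` so a reader does not have to diff the two arch files to learn that.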
|
|
@ -43,7 +43,6 @@ import (
|
||||||
"gvisor.dev/gvisor/pkg/sentry/pgalloc"
|
"gvisor.dev/gvisor/pkg/sentry/pgalloc"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/platform"
|
"gvisor.dev/gvisor/pkg/sentry/platform"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/sighandling"
|
"gvisor.dev/gvisor/pkg/sentry/sighandling"
|
||||||
slinux "gvisor.dev/gvisor/pkg/sentry/syscalls/linux"
|
|
||||||
"gvisor.dev/gvisor/pkg/sentry/time"
|
"gvisor.dev/gvisor/pkg/sentry/time"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/usage"
|
"gvisor.dev/gvisor/pkg/sentry/usage"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/watchdog"
|
"gvisor.dev/gvisor/pkg/sentry/watchdog"
|
||||||
|
@ -147,9 +146,6 @@ type execProcess struct {
|
||||||
func init() {
|
func init() {
|
||||||
// Initialize the random number generator.
|
// Initialize the random number generator.
|
||||||
mrand.Seed(gtime.Now().UnixNano())
|
mrand.Seed(gtime.Now().UnixNano())
|
||||||
|
|
||||||
// Register the global syscall table.
|
|
||||||
kernel.RegisterSyscallTable(slinux.AMD64)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Args are the arguments for New().
|
// Args are the arguments for New().
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
// Copyright 2019 The gVisor Authors.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// +build amd64
|
||||||
|
|
||||||
|
// Package boot loads the kernel and runs a container.
|
||||||
|
package boot
|
||||||
|
|
||||||
|
import (
|
||||||
|
"gvisor.dev/gvisor/pkg/sentry/kernel"
|
||||||
|
"gvisor.dev/gvisor/pkg/sentry/syscalls/linux"
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
// Register the global syscall table.
|
||||||
|
kernel.RegisterSyscallTable(linux.AMD64)
|
||||||
|
}
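Review bot: The package comment `// Package boot loads the kernel and runs a container.` is repeated verbatim here and in loader_arm64.go; godoc concatenates every package comment in a package, so the sentence will be shown twice (three times if loader.go also carries it, which I cannot see). Keep the package comment in a single file and give `init` a doc comment describing its side effect instead, e.g. `// init registers the amd64 syscall table with the kernel at program start.` The registration is the same call removed from loader.go in this commit, so amd64 behaviour is unchanged.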
|
|
@ -0,0 +1,28 @@
|
||||||
|
// Copyright 2019 The gVisor Authors.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// +build arm64
|
||||||
|
|
||||||
|
// Package boot loads the kernel and runs a container.
|
||||||
|
package boot
|
||||||
|
|
||||||
|
import (
|
||||||
|
"gvisor.dev/gvisor/pkg/sentry/kernel"
|
||||||
|
"gvisor.dev/gvisor/pkg/sentry/syscalls/linux"
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
// Register the global syscall table.
|
||||||
|
kernel.RegisterSyscallTable(linux.ARM64)
|
||||||
|
}
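Review bot: Syscall-table registration is now gated purely by build tags across two files, so a build for any other GOARCH would compile a runsc with no table registered and fail only at runtime, whereas the unconditional `kernel.RegisterSyscallTable(slinux.AMD64)` removed from loader.go at least failed in a predictable place. A guard file with `// +build !amd64,!arm64` that deliberately does not compile, or a documented statement that unsupported architectures are rejected earlier in the build, would keep that failure at build time; whether the build system already restricts GOARCH is not visible here. `init` should also get a doc comment, e.g. `// init registers the arm64 syscall table with the kernel at program start.` This assumes `linux.ARM64` is already defined in pkg/sentry/syscalls/linux, which this commit does not add.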
|