Merge pull request #655 from praveensastry:feature/runsc-ref-chk-leak
PiperOrigin-RevId: 266226714
This commit is contained in:
commit
0789b9cc08
|
@ -215,8 +215,8 @@ type AtomicRefCount struct {
|
||||||
type LeakMode uint32
|
type LeakMode uint32
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// uninitializedLeakChecking indicates that the leak checker has not yet been initialized.
|
// UninitializedLeakChecking indicates that the leak checker has not yet been initialized.
|
||||||
uninitializedLeakChecking LeakMode = iota
|
UninitializedLeakChecking LeakMode = iota
|
||||||
|
|
||||||
// NoLeakChecking indicates that no effort should be made to check for
|
// NoLeakChecking indicates that no effort should be made to check for
|
||||||
// leaks.
|
// leaks.
|
||||||
|
@ -318,7 +318,7 @@ func (r *AtomicRefCount) finalize() {
|
||||||
switch LeakMode(atomic.LoadUint32(&leakMode)) {
|
switch LeakMode(atomic.LoadUint32(&leakMode)) {
|
||||||
case NoLeakChecking:
|
case NoLeakChecking:
|
||||||
return
|
return
|
||||||
case uninitializedLeakChecking:
|
case UninitializedLeakChecking:
|
||||||
note = "(Leak checker uninitialized): "
|
note = "(Leak checker uninitialized): "
|
||||||
}
|
}
|
||||||
if n := r.ReadRefs(); n != 0 {
|
if n := r.ReadRefs(); n != 0 {
|
||||||
|
|
|
@ -16,6 +16,7 @@ go_binary(
|
||||||
x_defs = {"main.version": "{VERSION}"},
|
x_defs = {"main.version": "{VERSION}"},
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/log",
|
"//pkg/log",
|
||||||
|
"//pkg/refs",
|
||||||
"//pkg/sentry/platform",
|
"//pkg/sentry/platform",
|
||||||
"//runsc/boot",
|
"//runsc/boot",
|
||||||
"//runsc/cmd",
|
"//runsc/cmd",
|
||||||
|
@ -48,6 +49,7 @@ go_binary(
|
||||||
x_defs = {"main.version": "{VERSION}"},
|
x_defs = {"main.version": "{VERSION}"},
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/log",
|
"//pkg/log",
|
||||||
|
"//pkg/refs",
|
||||||
"//pkg/sentry/platform",
|
"//pkg/sentry/platform",
|
||||||
"//runsc/boot",
|
"//runsc/boot",
|
||||||
"//runsc/cmd",
|
"//runsc/cmd",
|
||||||
|
|
|
@ -19,6 +19,7 @@ import (
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"gvisor.dev/gvisor/pkg/refs"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/watchdog"
|
"gvisor.dev/gvisor/pkg/sentry/watchdog"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -112,6 +113,34 @@ func MakeWatchdogAction(s string) (watchdog.Action, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// MakeRefsLeakMode converts type from string.
|
||||||
|
func MakeRefsLeakMode(s string) (refs.LeakMode, error) {
|
||||||
|
switch strings.ToLower(s) {
|
||||||
|
case "disabled":
|
||||||
|
return refs.NoLeakChecking, nil
|
||||||
|
case "log-names":
|
||||||
|
return refs.LeaksLogWarning, nil
|
||||||
|
case "log-traces":
|
||||||
|
return refs.LeaksLogTraces, nil
|
||||||
|
default:
|
||||||
|
return 0, fmt.Errorf("invalid refs leakmode %q", s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func refsLeakModeToString(mode refs.LeakMode) string {
|
||||||
|
switch mode {
|
||||||
|
// If not set, default it to disabled.
|
||||||
|
case refs.UninitializedLeakChecking, refs.NoLeakChecking:
|
||||||
|
return "disabled"
|
||||||
|
case refs.LeaksLogWarning:
|
||||||
|
return "log-names"
|
||||||
|
case refs.LeaksLogTraces:
|
||||||
|
return "log-traces"
|
||||||
|
default:
|
||||||
|
panic(fmt.Sprintf("Invalid leakmode: %d", mode))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Config holds configuration that is not part of the runtime spec.
|
// Config holds configuration that is not part of the runtime spec.
|
||||||
type Config struct {
|
type Config struct {
|
||||||
// RootDir is the runtime root directory.
|
// RootDir is the runtime root directory.
|
||||||
|
@ -201,6 +230,9 @@ type Config struct {
|
||||||
|
|
||||||
// AlsoLogToStderr allows to send log messages to stderr.
|
// AlsoLogToStderr allows to send log messages to stderr.
|
||||||
AlsoLogToStderr bool
|
AlsoLogToStderr bool
|
||||||
|
|
||||||
|
// ReferenceLeakMode sets reference leak check mode
|
||||||
|
ReferenceLeakMode refs.LeakMode
|
||||||
}
|
}
|
||||||
|
|
||||||
// ToFlags returns a slice of flags that correspond to the given Config.
|
// ToFlags returns a slice of flags that correspond to the given Config.
|
||||||
|
@ -227,6 +259,7 @@ func (c *Config) ToFlags() []string {
|
||||||
"--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels),
|
"--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels),
|
||||||
"--rootless=" + strconv.FormatBool(c.Rootless),
|
"--rootless=" + strconv.FormatBool(c.Rootless),
|
||||||
"--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr),
|
"--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr),
|
||||||
|
"--ref-leak-mode=" + refsLeakModeToString(c.ReferenceLeakMode),
|
||||||
}
|
}
|
||||||
if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
|
if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
|
||||||
// Only include if set since it is never to be used by users.
|
// Only include if set since it is never to be used by users.
|
||||||
|
|
|
@ -33,7 +33,6 @@ import (
|
||||||
"gvisor.dev/gvisor/pkg/log"
|
"gvisor.dev/gvisor/pkg/log"
|
||||||
"gvisor.dev/gvisor/pkg/memutil"
|
"gvisor.dev/gvisor/pkg/memutil"
|
||||||
"gvisor.dev/gvisor/pkg/rand"
|
"gvisor.dev/gvisor/pkg/rand"
|
||||||
"gvisor.dev/gvisor/pkg/refs"
|
|
||||||
"gvisor.dev/gvisor/pkg/sentry/arch"
|
"gvisor.dev/gvisor/pkg/sentry/arch"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/control"
|
"gvisor.dev/gvisor/pkg/sentry/control"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/fs"
|
"gvisor.dev/gvisor/pkg/sentry/fs"
|
||||||
|
@ -1085,8 +1084,3 @@ func (l *Loader) threadGroupFromIDLocked(key execID) (*kernel.ThreadGroup, *host
|
||||||
}
|
}
|
||||||
return ep.tg, ep.tty, true, nil
|
return ep.tg, ep.tty, true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func init() {
|
|
||||||
// TODO(gvisor.dev/issue/365): Make this configurable.
|
|
||||||
refs.SetLeakMode(refs.NoLeakChecking)
|
|
||||||
}
|
|
||||||
|
|
|
@ -31,6 +31,7 @@ import (
|
||||||
|
|
||||||
"github.com/google/subcommands"
|
"github.com/google/subcommands"
|
||||||
"gvisor.dev/gvisor/pkg/log"
|
"gvisor.dev/gvisor/pkg/log"
|
||||||
|
"gvisor.dev/gvisor/pkg/refs"
|
||||||
"gvisor.dev/gvisor/pkg/sentry/platform"
|
"gvisor.dev/gvisor/pkg/sentry/platform"
|
||||||
"gvisor.dev/gvisor/runsc/boot"
|
"gvisor.dev/gvisor/runsc/boot"
|
||||||
"gvisor.dev/gvisor/runsc/cmd"
|
"gvisor.dev/gvisor/runsc/cmd"
|
||||||
|
@ -74,6 +75,7 @@ var (
|
||||||
netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
|
netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
|
||||||
numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
|
numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
|
||||||
rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
|
rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
|
||||||
|
referenceLeakMode = flag.String("ref-leak-mode", "disabled", "sets reference leak check mode: disabled (default), log-names, log-traces.")
|
||||||
|
|
||||||
// Test flags, not to be used outside tests, ever.
|
// Test flags, not to be used outside tests, ever.
|
||||||
testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
|
testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
|
||||||
|
@ -169,6 +171,15 @@ func main() {
|
||||||
cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels)
|
cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
refsLeakMode, err := boot.MakeRefsLeakMode(*referenceLeakMode)
|
||||||
|
if err != nil {
|
||||||
|
cmd.Fatalf("%v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sets the reference leak check mode. Also set it in config below to
|
||||||
|
// propagate it to child processes.
|
||||||
|
refs.SetLeakMode(refsLeakMode)
|
||||||
|
|
||||||
// Create a new Config from the flags.
|
// Create a new Config from the flags.
|
||||||
conf := &boot.Config{
|
conf := &boot.Config{
|
||||||
RootDir: *rootDir,
|
RootDir: *rootDir,
|
||||||
|
@ -192,6 +203,7 @@ func main() {
|
||||||
NumNetworkChannels: *numNetworkChannels,
|
NumNetworkChannels: *numNetworkChannels,
|
||||||
Rootless: *rootless,
|
Rootless: *rootless,
|
||||||
AlsoLogToStderr: *alsoLogToStderr,
|
AlsoLogToStderr: *alsoLogToStderr,
|
||||||
|
ReferenceLeakMode: refsLeakMode,
|
||||||
|
|
||||||
TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
|
TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue