Specify a memory file in platform.New().
PiperOrigin-RevId: 307941984
This commit is contained in:
parent
37f863f628
commit
0c586946ea
|
@ -10,6 +10,7 @@ go_library(
|
|||
name = "linux",
|
||||
srcs = [
|
||||
"aio.go",
|
||||
"arch_amd64.go",
|
||||
"audit.go",
|
||||
"bpf.go",
|
||||
"capability.go",
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
// Copyright 2020 The gVisor Authors.
|
||||
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
// +build amd64
|
||||
|
||||
package linux
|
||||
|
||||
// Start and end addresses of the vsyscall page.
|
||||
const (
|
||||
VSyscallStartAddr uint64 = 0xffffffffff600000
|
||||
VSyscallEndAddr uint64 = 0xffffffffff601000
|
||||
)
|
|
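Review bot: VSyscallStartAddr and VSyscallEndAddr are exported but documented only by the group comment above the const block, and the file is build-tagged `// +build amd64`, so the identifiers do not exist on other architectures. Give each constant its own line comment so godoc attaches the description to the name and the restriction is visible to callers, e.g. `// VSyscallStartAddr is the first byte of the vsyscall page (amd64 only).` and `// VSyscallEndAddr is one past the last byte of the vsyscall page (half-open range; confirm).`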
@ -63,3 +63,10 @@ func (a BPFAction) String() string {
|
|||
func (a BPFAction) Data() uint16 {
|
||||
return uint16(a & SECCOMP_RET_DATA)
|
||||
}
|
||||
|
||||
// SockFprog is sock_fprog taken from <linux/filter.h>.
|
||||
type SockFprog struct {
|
||||
Len uint16
|
||||
pad [6]byte
|
||||
Filter *BPFInstruction
|
||||
}
|
||||
|
|
|
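Review bot: SockFprog mirrors a kernel struct, and the seccomp.go hunk in this commit fills its Filter field from `unsafe.Pointer(&instrs[0])`, so its field layout is ABI rather than a Go convenience; yet `pad [6]byte` carries no explanation and reads as dead storage to a maintainer or an unused-field linter. With Len being 2 bytes, the 6-byte pad places Filter at offset 8, which is presumably the pointer alignment the kernel expects on 64-bit hosts. Add `// pad aligns Filter to offset 8 to match the kernel's sock_fprog layout; do not reorder fields.` on the pad line so nobody "cleans it up".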
@ -134,7 +134,7 @@ func (pwa *PacketWindowAllocator) Allocate(size int) (PacketWindowDescriptor, er
|
|||
start := pwa.nextAlloc
|
||||
pwa.nextAlloc = end
|
||||
return PacketWindowDescriptor{
|
||||
FD: pwa.fd,
|
||||
FD: pwa.FD(),
|
||||
Offset: start,
|
||||
Length: size,
|
||||
}, nil
|
||||
|
@ -158,7 +158,7 @@ func (pwa *PacketWindowAllocator) ensureFileSize(min int64) error {
|
|||
}
|
||||
newSize = newNewSize
|
||||
}
|
||||
if err := syscall.Ftruncate(pwa.fd, newSize); err != nil {
|
||||
if err := syscall.Ftruncate(pwa.FD(), newSize); err != nil {
|
||||
return fmt.Errorf("ftruncate failed: %v", err)
|
||||
}
|
||||
pwa.fileSize = newSize
|
||||
|
|
|
@ -21,13 +21,6 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/abi/linux"
|
||||
)
|
||||
|
||||
// sockFprog is sock_fprog taken from <linux/filter.h>.
|
||||
type sockFprog struct {
|
||||
Len uint16
|
||||
pad [6]byte
|
||||
Filter *linux.BPFInstruction
|
||||
}
|
||||
|
||||
// SetFilter installs the given BPF program.
|
||||
//
|
||||
// This is safe to call from an afterFork context.
|
||||
|
@ -39,7 +32,7 @@ func SetFilter(instrs []linux.BPFInstruction) syscall.Errno {
|
|||
return errno
|
||||
}
|
||||
|
||||
sockProg := sockFprog{
|
||||
sockProg := linux.SockFprog{
|
||||
Len: uint16(len(instrs)),
|
||||
Filter: (*linux.BPFInstruction)(unsafe.Pointer(&instrs[0])),
|
||||
}
|
||||
|
|
|
@ -96,6 +96,7 @@ func (t *Task) run(threadID uintptr) {
|
|||
t.tg.liveGoroutines.Done()
|
||||
t.tg.pidns.owner.liveGoroutines.Done()
|
||||
t.tg.pidns.owner.runningGoroutines.Done()
|
||||
t.p.Release()
|
||||
|
||||
// Keep argument alive because stack trace for dead variables may not be correct.
|
||||
runtime.KeepAlive(threadID)
|
||||
|
|
|
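Review bot: `t.p.Release()` is called after the three `liveGoroutines`/`runningGoroutines` `Done()` calls, so anything that waits on those WaitGroups can proceed while this task's platform context is still live; if such a waiter tears the platform down, the release should be ordered before the `Done()` calls instead. I cannot see the waiters from this hunk, so please confirm which ordering is intended. A why-comment on the new line would also help, e.g. `// The task goroutine is done with its platform context; release it.` The enclosing run() starts outside the hunk.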
@ -85,3 +85,6 @@ func (c *context) Switch(as platform.AddressSpace, ac arch.Context, _ int32) (*a
|
|||
func (c *context) Interrupt() {
|
||||
c.interrupt.NotifyInterrupt()
|
||||
}
|
||||
|
||||
// Release implements platform.Context.Release().
|
||||
func (c *context) Release() {}
|
||||
|
|
|
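Review bot: The new KVM `Release` has an empty body and only an "implements" comment, and the ptrace context hunk further down (`func (c *context) Release() {}`) is identical. State why there is nothing to free so the next reader does not assume the cleanup was forgotten, e.g. `// Release implements platform.Context.Release(). It is a no-op because <reason this context owns no per-context resources>.`, filling in the reason in each file; the ownership this depends on is not visible in either hunk.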
@ -191,6 +191,11 @@ func (*constructor) OpenDevice() (*os.File, error) {
|
|||
return OpenDevice()
|
||||
}
|
||||
|
||||
// Flags implements platform.Constructor.Flags().
|
||||
func (*constructor) Requirements() platform.Requirements {
|
||||
return platform.Requirements{}
|
||||
}
|
||||
|
||||
func init() {
|
||||
platform.Register("kvm", &constructor{})
|
||||
}
|
||||
|
|
|
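Review bot: The doc comment on the new method says `// Flags implements platform.Constructor.Flags().` but the method is `Requirements`, and the Constructor interface added in the platform.go hunk has no Flags method; the ptrace.go constructor hunk carries the same stale comment. Replace it in both files with `// Requirements implements platform.Constructor.Requirements().` so godoc and a reader looking for the interface method are not misled.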
@ -148,6 +148,9 @@ type Context interface {
|
|||
// Interrupt interrupts a concurrent call to Switch(), causing it to return
|
||||
// ErrContextInterrupt.
|
||||
Interrupt()
|
||||
|
||||
// Release() releases any resources associated with this context.
|
||||
Release()
|
||||
}
|
||||
|
||||
var (
|
||||
|
@ -353,10 +356,28 @@ func (fr FileRange) String() string {
|
|||
return fmt.Sprintf("[%#x, %#x)", fr.Start, fr.End)
|
||||
}
|
||||
|
||||
// Requirements is used to specify platform specific requirements.
|
||||
type Requirements struct {
|
||||
// RequiresCurrentPIDNS indicates that the sandbox has to be started in the
|
||||
// current pid namespace.
|
||||
RequiresCurrentPIDNS bool
|
||||
// RequiresCapSysPtrace indicates that the sandbox has to be started with
|
||||
// the CAP_SYS_PTRACE capability.
|
||||
RequiresCapSysPtrace bool
|
||||
}
|
||||
|
||||
// Constructor represents a platform type.
|
||||
type Constructor interface {
|
||||
// New returns a new platform instance.
|
||||
//
|
||||
// Arguments:
|
||||
//
|
||||
// * deviceFile - the device file (e.g. /dev/kvm for the KVM platform).
|
||||
New(deviceFile *os.File) (Platform, error)
|
||||
OpenDevice() (*os.File, error)
|
||||
|
||||
// Requirements returns platform specific requirements.
|
||||
Requirements() Requirements
|
||||
}
|
||||
|
||||
// platforms contains all available platform types.
|
||||
|
|
|
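Review bot: `OpenDevice() (*os.File, error)` is added to Constructor without a doc comment, and its contract matters: the ptrace constructor's hunk returns `nil, nil`, and the sandbox.go caller tests `deviceFile != nil` and closes the file itself, so a nil file with a nil error is a valid success result. Document that on the interface: `// OpenDevice opens the platform's device file (e.g. /dev/kvm); it returns a nil *os.File and nil error when the platform needs none. The caller owns and closes the file.` In the Context hunk above, `// Release() releases any resources` should start with the bare name per Go doc convention, `// Release releases any resources associated with this context.`, and should say whether Switch or Interrupt may be called after Release.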
@ -177,6 +177,9 @@ func (c *context) Interrupt() {
|
|||
c.interrupt.NotifyInterrupt()
|
||||
}
|
||||
|
||||
// Release implements platform.Context.Release().
|
||||
func (c *context) Release() {}
|
||||
|
||||
// PTrace represents a collection of ptrace subprocesses.
|
||||
type PTrace struct {
|
||||
platform.MMapMinAddr
|
||||
|
@ -248,6 +251,16 @@ func (*constructor) OpenDevice() (*os.File, error) {
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
// Flags implements platform.Constructor.Flags().
|
||||
func (*constructor) Requirements() platform.Requirements {
|
||||
// TODO(b/75837838): Also set a new PID namespace so that we limit
|
||||
// access to other host processes.
|
||||
return platform.Requirements{
|
||||
RequiresCapSysPtrace: true,
|
||||
RequiresCurrentPIDNS: true,
|
||||
}
|
||||
}
|
||||
|
||||
func init() {
|
||||
platform.Register("ptrace", &constructor{})
|
||||
}
|
||||
|
|
|
@ -332,7 +332,7 @@ func (t *thread) unexpectedStubExit() {
|
|||
msg, err := t.getEventMessage()
|
||||
status := syscall.WaitStatus(msg)
|
||||
if status.Signaled() && status.Signal() == syscall.SIGKILL {
|
||||
// SIGKILL can be only sent by an user or OOM-killer. In both
|
||||
// SIGKILL can be only sent by a user or OOM-killer. In both
|
||||
// these cases, we don't need to panic. There is no reasons to
|
||||
// think that something wrong in gVisor.
|
||||
log.Warningf("The ptrace stub process %v has been killed by SIGKILL.", t.tgid)
|
||||
|
|
|
@ -44,13 +44,13 @@ go_library(
|
|||
"//pkg/sentry/control",
|
||||
"//pkg/sentry/kernel",
|
||||
"//pkg/sentry/kernel/auth",
|
||||
"//pkg/sentry/platform",
|
||||
"//pkg/state",
|
||||
"//pkg/state/statefile",
|
||||
"//pkg/sync",
|
||||
"//pkg/unet",
|
||||
"//pkg/urpc",
|
||||
"//runsc/boot",
|
||||
"//runsc/boot/platforms",
|
||||
"//runsc/console",
|
||||
"//runsc/container",
|
||||
"//runsc/flag",
|
||||
|
|
|
@ -25,8 +25,8 @@ import (
|
|||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"golang.org/x/sys/unix"
|
||||
"gvisor.dev/gvisor/pkg/log"
|
||||
"gvisor.dev/gvisor/pkg/sentry/platform"
|
||||
"gvisor.dev/gvisor/runsc/boot"
|
||||
"gvisor.dev/gvisor/runsc/boot/platforms"
|
||||
"gvisor.dev/gvisor/runsc/flag"
|
||||
"gvisor.dev/gvisor/runsc/specutils"
|
||||
)
|
||||
|
@ -183,7 +183,12 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
|
|||
if caps == nil {
|
||||
caps = &specs.LinuxCapabilities{}
|
||||
}
|
||||
if conf.Platform == platforms.Ptrace {
|
||||
|
||||
gPlatform, err := platform.Lookup(conf.Platform)
|
||||
if err != nil {
|
||||
Fatalf("loading platform: %v", err)
|
||||
}
|
||||
if gPlatform.Requirements().RequiresCapSysPtrace {
|
||||
// Ptrace platform requires extra capabilities.
|
||||
const c = "CAP_SYS_PTRACE"
|
||||
caps.Bounding = append(caps.Bounding, c)
|
||||
|
|
|
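Review bot: The capability grant is now keyed on `gPlatform.Requirements().RequiresCapSysPtrace` rather than on the platform name, but the comment that follows still reads `// Ptrace platform requires extra capabilities.`, which no longer describes the condition: any platform that sets the flag receives CAP_SYS_PTRACE. Change it to `// The platform declared that it needs CAP_SYS_PTRACE; add it to the sandbox's capability sets.` so the next reader sees that the privilege is driven by the platform's declaration. Execute starts and ends outside the hunk, so I could not check whether `gPlatform, err :=` shadows an existing err; with the error consumed by Fatalf it is harmless either way.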
@ -446,9 +446,13 @@ func (s *Sandbox) createSandboxProcess(conf *boot.Config, args *Args, startSyncF
|
|||
nextFD++
|
||||
}
|
||||
|
||||
// If the platform needs a device FD we must pass it in.
|
||||
if deviceFile, err := deviceFileForPlatform(conf.Platform); err != nil {
|
||||
gPlatform, err := platform.Lookup(conf.Platform)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if deviceFile, err := gPlatform.OpenDevice(); err != nil {
|
||||
return fmt.Errorf("opening device file for platform %q: %v", gPlatform, err)
|
||||
} else if deviceFile != nil {
|
||||
defer deviceFile.Close()
|
||||
cmd.ExtraFiles = append(cmd.ExtraFiles, deviceFile)
|
||||
|
@ -539,7 +543,7 @@ func (s *Sandbox) createSandboxProcess(conf *boot.Config, args *Args, startSyncF
|
|||
{Type: specs.UTSNamespace},
|
||||
}
|
||||
|
||||
if conf.Platform == platforms.Ptrace {
|
||||
if gPlatform.Requirements().RequiresCurrentPIDNS {
|
||||
// TODO(b/75837838): Also set a new PID namespace so that we limit
|
||||
// access to other host processes.
|
||||
log.Infof("Sandbox will be started in the current PID namespace")
|
||||
|
|
|
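Review bot: In the OpenDevice hunk the error message formats the constructor value itself, `fmt.Errorf("opening device file for platform %q: %v", gPlatform, err)`; gPlatform is a platform.Constructor (a `*constructor` in both implementations in this commit), so `%q` will not print a platform name and the message will be unhelpful. Use the configured name instead: `return fmt.Errorf("opening device file for platform %q: %v", conf.Platform, err)` (`%w` in place of `%v` if the file already uses error wrapping). createSandboxProcess starts and ends outside these hunks.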
@ -103,6 +103,9 @@ var analyzerConfig = map[*analysis.Analyzer]matcher{
|
|||
"pkg/sentry/platform/ring0/pagetables/allocator_unsafe.go", // Special case.
|
||||
"pkg/sentry/platform/safecopy/safecopy_unsafe.go", // Special case.
|
||||
"pkg/sentry/vfs/mount_unsafe.go", // Special case.
|
||||
"pkg/sentry/platform/systrap/stub_unsafe.go", // Special case.
|
||||
"pkg/sentry/platform/systrap/switchto_google_unsafe.go", // Special case.
|
||||
"pkg/sentry/platform/systrap/sysmsg_thread_unsafe.go", // Special case.
|
||||
),
|
||||
),
|
||||
unusedresult.Analyzer: alwaysMatches(),
|
||||
|
|
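Review bot: Three more files are added to this exemption list with only `// Special case.` as justification, copying the existing entries; each entry here switches a static check off for a file whose name says it uses unsafe, which is exactly where the reason should be recorded. Prefer a short per-entry reason, e.g. `// Special case: <why the analyzer misfires in this file>`. The analyzer key for this list sits outside the hunk, so I could not verify which check is being bypassed.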