Replace mknod call with mknodat equivalent to protect
against symlink attacks. Also added Mknod tests.
Remove goferfs reliance on gofer to check for file
existence before creating a synthetic entry.
Updates #2923
PiperOrigin-RevId: 327544516
bazel creates sysmlink to the cache on the first invokation.
On a new clone, there are no symlink, thus `rm -rf bazel-bin/gopath`
has no effect. Call `bazel build something` first, then delete
cached gopath.
PiperOrigin-RevId: 327536044
Accept 128 + SIGNAL as well as SIGNAL as valid
returns for fork/exec tests.
Also, make changes so that test compiles in opensource. Test
had compile errors on latest Ubuntu 16.04 image with updated bazel to
3.4.0 (as well as base 2.0) used for Kokoro tests.
PiperOrigin-RevId: 327510310
- Remove sendDone, which currently does nothing whatsoever (errors sent to the
channel are completely unused). Instead, have request handlers log errors
they get from p9.send() inline.
- Replace recvOkay and recvDone with recvMu/recvIdle/recvShutdown. In addition
to being slightly clearer (IMO), this eliminates the p9.connState.service()
goroutine, significantly reducing the overhead involved in passing connection
receive access between goroutines (from buffered chan send/recv + unbuffered
chan send/recv to just a mutex unlock/lock).
PiperOrigin-RevId: 327476755
RACK requires the segments to be in the order of their transmission
or retransmission times. This cl creates a new list and moves the
retransmitted segments to the end of the list.
PiperOrigin-RevId: 327325153
Skip InvalidOffset and InvalidLength for Linux as the test is invalid for
later Kernel versions.
Add UnsupportedFile test as this check is in all kernel versions.
PiperOrigin-RevId: 327248035
Setting timeouts for sockets on GCP images (debian) for usecs only
respects multiples of 4K. Set the test with a multiple of 4K with a comment.
PiperOrigin-RevId: 327093848
Fixes python runtime test test_glob.
Updates #3515
We were checking is the to-be-opened dentry is a dir or not before resolving
symlinks. We should check that after resolving symlinks.
This was preventing us from opening a symlink which pointed to a directory
with O_DIRECTORY.
Also added this check in tmpfs and removed a duplicate check.
PiperOrigin-RevId: 327085895
The abstract socket namespace no longer holds any references on sockets.
Instead, TryIncRef() is used when a socket is being retrieved in
BoundEndpoint(). Abstract sockets are now responsible for removing themselves
from the namespace they are in, when they are destroyed.
Updates #1486.
PiperOrigin-RevId: 327064173
This is in compliance with VFS1. See pkg/sentry/fs/dev/tty.go in the struct
ttyInodeOperations.
Fixes the failure of python runtime test_ioctl.
Updates #3515
PiperOrigin-RevId: 327042758
The NetworkEndpoint does not need to be created for each address.
Most of the work the NetworkEndpoint does is address agnostic.
PiperOrigin-RevId: 326759605
This is a preparatory commit for a larger commit working on
ICMP generation in error cases.
This is removal of technical debt and cleanup in the gvisor code
as part of gvisor issue 2211.
Updates #2211.
PiperOrigin-RevId: 326615389
Fixes php runtime test ext/standard/tests/file/readfile_basic.phpt
Fixes#3516
fsgofers only want the access mode in the OpenFlags passed to Create(). If more
flags are supplied (like O_APPEND in this case), read/write from that fd will
fail with EBADF. See runsc/fsgofer/fsgofer.go:WriteAt()
VFS2 was providing more than just access modes. So filtering the flags using
p9.OpenFlagsModeMask == linux.O_ACCMODE fixes the issue.
Gofer in VFS1 also only extracts the access mode flags while making the create
RPC. See pkg/sentry/fs/gofer/path.go:Create()
Even in VFS2, when we open a handle, we extract out only the access mode flags
+ O_TRUNC.
See third_party/gvisor/pkg/sentry/fsimpl/gofer/handle.go:openHandle()
Added a test for this.
PiperOrigin-RevId: 326574829
This change supports using the user supplied MSS (TCP_MAXSEG socket
option) for new socket connections created from a listening TCP socket.
Note that the user supplied MSS will only be used if it is not greater
than the maximum possible MSS for a TCP connection's route. If it is
greater than the maximum possible MSS, the MSS will be capped at that
maximum value.
Test: tcp_test.TestUserSuppliedMSSOnListenAccept
PiperOrigin-RevId: 326567442
Formerly, when a packet is constructed or parsed, all headers are set by the
client code. This almost always involved prepending to pk.Header buffer or
trimming pk.Data portion. This is known to prone to bugs, due to the complexity
and number of the invariants assumed across netstack to maintain.
In the new PacketHeader API, client will call Push()/Consume() method to
construct/parse an outgoing/incoming packet. All invariants, such as slicing
and trimming, are maintained by the API itself.
NewPacketBuffer() is introduced to create new PacketBuffer. Zero value is no
longer valid.
PacketBuffer now assumes the packet is a concatenation of following portions:
* LinkHeader
* NetworkHeader
* TransportHeader
* Data
Any of them could be empty, or zero-length.
PiperOrigin-RevId: 326507688
Netstack's TIME-WAIT state for a TCP socket could be terminated prematurely if
the socket entered TIME-WAIT using shutdown(..., SHUT_RDWR) and then was closed
using close(). This fixes that bug and updates the tests to verify that Netstack
correctly honors TIME-WAIT under such conditions.
Fixes#3106
PiperOrigin-RevId: 326456443
Fixes php test ext/standard/tests/file/touch_variation5.phpt on vfs2.
Updates #3516
Also spotted a bug with O_EXCL, where we did not return EEXIST when we tried
to open the root of the filesystem with O_EXCL | O_CREAT.
Added some more tests for open() corner cases.
PiperOrigin-RevId: 326346863
Fabricio Voznika
Zach Koopmans
Kevin Krakauer
Jamie Liu
Dean Deng
Ayush Ranjan
Nayana Bidari
gVisor bot
Nicolas Lacasse
Ghanan Gowripalan
Arthur Sfez
Ian Lewis
Julian Elischer
Ting-Yu Wang
Bhasker Hariharan