The peer credential check worked by querying the peer's UID using SO_PEERCRED.
However, when sandbox is configured with custom UID/GID mappings, which it is
in the following situations:
1. When not using directfs, sandbox has a mapping of only `65534:65534:1`. So
all other non-65534 UIDs are unmapped.
2. When using directfs with userns-remap. The sandbox has the same UID/GID
mapping as the container.
In these cases, when the root user tries to connect, the host root user is not
mapped. Unmapped IDs are translated to overflowuid/gid, which happens to
default to 65534. This leads to unexpected results:
- Without directfs, this check allows any connection, because sandbox is also
running as nobody/65534.
- In the directfs+userns-remap case, all connections are denied.
This check doesn't really enforce anything. Hence remove it.
The real enforcement mechanism is the file mode of the unix domain socket over
which the connection happens. The socket file's mode depends on umask, which
defaults to 022. Hence only the user which creates the sandbox via
`runsc create` has write permission on this socket. So only the sandbox creator
or root can connect to the sandbox, as intended.
Fixes #9356
PiperOrigin-RevId: 565836818
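
The two outcomes described in the commit message above can be reproduced with a small model of user-namespace UID translation. This is an added example, not gVisor code: the form of the check in `peerAllowed`, the `100000`-based userns-remap range, and the assumption that the remapped sandbox runs as UID 0 inside its namespace are all hypothetical.

```go
package main

import "fmt"

// overflowUID is the kernel default of /proc/sys/kernel/overflowuid.
const overflowUID = 65534

// idMap is one uid_map entry: first UID inside the namespace, first host
// UID, and the length of the range.
type idMap struct{ inside, host, count uint32 }

// seenUID models the UID that SO_PEERCRED reports to a process inside a
// user namespace: the peer's host UID translated through the map, or
// overflowUID when no entry covers it.
func seenUID(m []idMap, hostUID uint32) uint32 {
	for _, e := range m {
		if hostUID >= e.host && hostUID-e.host < e.count {
			return e.inside + (hostUID - e.host)
		}
	}
	return overflowUID
}

// peerAllowed is an assumed form of the removed check: accept the peer if
// the UID it is reported as is root or the sandbox's own UID.
func peerAllowed(m []idMap, sandboxUID, peerHostUID uint32) bool {
	u := seenUID(m, peerHostUID)
	return u == 0 || u == sandboxUID
}

func main() {
	// Constructed sample mappings.
	noDirectfs := []idMap{{65534, 65534, 1}} // the 65534:65534:1 mapping
	remap := []idMap{{0, 100000, 65536}}     // hypothetical userns-remap range
	// Host root (0) and an ordinary host user (1000) try to connect.
	for _, peer := range []uint32{0, 1000} {
		fmt.Printf("host uid %d: seen as %d/%d, no-directfs allow=%v, remap allow=%v\n",
			peer, seenUID(noDirectfs, peer), seenUID(remap, peer),
			peerAllowed(noDirectfs, 65534, peer), peerAllowed(remap, 0, peer))
	}
}
```

Both host peers are reported as 65534 under either mapping, so the check cannot tell root from any other unmapped user.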
UDS connect and bind fail when the socket path being used is more than 107 in
length. Shorten the path using procfs: "/proc/self/fd/{parentFD}/{sockName}"
This avoids falling back to using abstract sockets in some instances.
Suggested-by: Andrei Vagin <avagin@google.com>
PiperOrigin-RevId: 565557006
The typical sequence of calls to start a container looks like this
    ct, err := container.New(conf, containerArgs)
    defer ct.Destroy()
    ct.Start(conf)
    ws, err := ct.Wait()
For the root container, ct.Destroy() kills the sandbox process. This
doesn't look like a right way to stop it. For example, all ongoing rpc
calls are aborted in this case. If everything is going alright, we can
just wait and it will exit itself.
Reported-by: syzbot+084fca334720887441e7@syzkaller.appspotmail.com
Signed-off-by: Andrei Vagin <avagin@gmail.com>
This includes minor fix-ups:
* Handle SIGTERM in runsc debug, to exit gracefully.
* Fix cmd.debug.go opening all profiles as RDONLY.
* Fix the test name in fio_test.go, and encode the block size in the test.
PiperOrigin-RevId: 350205718
* Rename syncutil to sync.
* Add aliases to sync types.
* Replace existing usage of standard library sync package.
This will make it easier to swap out synchronization primitives. For example,
this will allow us to use primitives from github.com/sasha-s/go-deadlock to
check for lock ordering violations.
Updates #1472
PiperOrigin-RevId: 289033387
Based on the guidelines at
https://opensource.google.com/docs/releasing/authors/.
1. $ rg -l "Google LLC" | xargs sed -i 's/Google LLC.*/The gVisor Authors./'
2. Manual fixup of "Google Inc" references.
3. Add AUTHORS file. Authors may request to be added to this file.
4. Point netstack AUTHORS to gVisor AUTHORS. Drop CONTRIBUTORS.
Fixes #209
PiperOrigin-RevId: 245823212
Change-Id: I64530b24ad021a7d683137459cafc510f5ee1de9
Nothing reads them and they can simply get stale.
Generated with:
$ sed -i "s/licenses(\(.*\)).*/licenses(\1)/" **/BUILD
PiperOrigin-RevId: 231818945
Change-Id: Ibc3f9838546b7e94f13f217060d31f4ada9d4bf0
This change also adds extensive testing to the p9 package via mocks. The sanity
checks and type checks are moved from the gofer into the core package, where
they can be more easily validated.
PiperOrigin-RevId: 218296768
Change-Id: I4fc3c326e7bf1e0e140a454cbacbcc6fd617ab55
We have been unnecessarily creating too many savable types implicitly.
PiperOrigin-RevId: 206334201
Change-Id: Idc5a3a14bfb7ee125c4f2bb2b1c53164e46f29a8