From man TIOCPKT:
"""
In packet mode, each subsequent read(2) will return a packet that either
contains a single nonzero control byte, or has a single byte containing zero
('\0') followed by data written on the slave side of the pseudoterminal.
"""
This CL implements only the data portion of packet mode, not the control bytes,
but that seems to be enough to get xfce4-terminal to work.
PiperOrigin-RevId: 737175092
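As an added illustration of the packet-mode framing the commit message quotes (example code written for this page, not gVisor's devpts implementation): a master-side reader that splits each read(2) result into either a single nonzero control byte or a '\0' followed by slave-side data, plus the data-only framing a master would receive from an implementation that, like the one described above, emits no control bytes. The TIOCPKT_* values are Linux's from <asm-generic/ioctls.h>; the Packet type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Linux TIOCPKT control values (<asm-generic/ioctls.h>). In packet mode a
// control packet is one read(2) returning a single nonzero byte, which may
// be an OR of several of these flags.
const (
	TIOCPKT_DATA       byte = 0
	TIOCPKT_FLUSHREAD  byte = 1
	TIOCPKT_FLUSHWRITE byte = 2
	TIOCPKT_STOP       byte = 4
	TIOCPKT_START      byte = 8
	TIOCPKT_NOSTOP     byte = 16
	TIOCPKT_DOSTOP     byte = 32
	TIOCPKT_IOCTL      byte = 64
)

// Packet is what one read(2) on a packet-mode master yields: either a
// control byte with no data, or Control == 0 and the bytes written on the
// slave side. (Example type; not a gVisor API.)
type Packet struct {
	Control byte
	Data    []byte
}

var ErrEmptyPacket = errors.New("read returned zero bytes")

// FramePacketData wraps bytes written on the slave side the way a
// data-only packet-mode implementation returns them to the master:
// a leading '\0' followed by the data itself.
func FramePacketData(data []byte) []byte {
	out := make([]byte, 0, 1+len(data))
	out = append(out, TIOCPKT_DATA)
	return append(out, data...)
}

// ParsePacket decodes the bytes returned by a single read(2) in packet mode.
// A control packet must be exactly one byte; trailing bytes after a nonzero
// control byte mean the caller has lost packet boundaries, so that is an error
// rather than silently treated as data.
func ParsePacket(buf []byte) (Packet, error) {
	if len(buf) == 0 {
		return Packet{}, ErrEmptyPacket
	}
	if buf[0] != TIOCPKT_DATA {
		if len(buf) != 1 {
			return Packet{}, fmt.Errorf("control packet 0x%02x followed by %d unexpected bytes", buf[0], len(buf)-1)
		}
		return Packet{Control: buf[0]}, nil
	}
	// Copy so the caller's buffer can be reused for the next read.
	return Packet{Data: append([]byte(nil), buf[1:]...)}, nil
}

func main() {
	// Constructed sample: what a data-only implementation hands the master
	// after the slave wrote "ls\r\n", followed by a real control packet.
	for _, raw := range [][]byte{FramePacketData([]byte("ls\r\n")), {TIOCPKT_FLUSHREAD}} {
		p, err := ParsePacket(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("control=0x%02x data=%q\n", p.Control, p.Data)
	}
}
```

A terminal emulator that only needs the data path (the xfce4-terminal case above) can ignore packets whose Control byte is nonzero; one that honours flow control would act on TIOCPKT_STOP/TIOCPKT_START before resuming reads.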
Before this change, host-backed event FDs would always crash the sandbox
during exit when the sentry tried to wait on the fdnotifier for an FD that
wasn't there.
PiperOrigin-RevId: 736585573
Previously, CheckChange (corresponding to Linux's tty/tty_check_change()) was
only used by the host TTY implementation, not the devpts implementation.
Furthermore, ThreadGroup.SetForegroundProcessGroup() duplicated some of the
logic in CheckChange, notably sending SIGTTOU to background tasks. This means
that, for host TTYs, we could send SIGTTOU multiple times. In some
circumstances, this leads to the ioctl returning ERESTARTSYS in an infinite loop.
PiperOrigin-RevId: 735934036
This support is only needed when the gofer mount in question is writable.
By default, the rootfs has an overlayfs applied, so the gofer lower layer is
not writable. But if you are using --overlay2=none, then this change should
allow you to save a sandbox with open FDs to deleted files in rootfs.
Updates #11425
PiperOrigin-RevId: 733021267
Exec'd processes cannot be stitched back to the original caller
and are killed after restore. So ignore failures
to restore host FDs (generally stdio) that belong
to them.
Fixes #11439
PiperOrigin-RevId: 732972054
auth.K{U/G}ID has type uint32. When uid = auth.NoID = math.MaxUint32, which is
intended to represent -1, and it is cast to int, it becomes 4294967295 on
64-bit systems as int is 8 bytes in size. So the == -1 check fails.
Fixed the bug by explicitly setting syscall args to -1 when uid.Ok() == false.
Similarly, fix the bug in runsc/fsgofer.
PiperOrigin-RevId: 728258705
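The cast bug described in the commit above, reproduced in stand-alone Go (example code written for this page; NoID, KUID and the function names only stand in for auth.NoID / auth.KUID and are not gVisor's own code): the pre-fix conversion of the uint32 sentinel to a 64-bit int produces 4294967295, so a callee's `== -1` check for "leave the owner unchanged" fails, while the fixed conversion passes -1 explicitly whenever `Ok()` is false.

```go
package main

import (
	"fmt"
	"math"
	"math/bits"
)

// NoID stands in for auth.NoID: the uint32 sentinel meaning "no ID", which the
// fchownat(2) ABI expresses as an owner or group of -1.
const NoID uint32 = math.MaxUint32

// KUID stands in for auth.KUID (a uint32 in gVisor).
type KUID uint32

// Ok reports whether the ID is set, i.e. is not the NoID sentinel.
func (k KUID) Ok() bool { return uint32(k) != NoID }

// OwnerArgBuggy is the pre-fix conversion: a plain cast of the uint32 value.
// With an 8-byte int the sentinel becomes 4294967295, not -1.
func OwnerArgBuggy(k KUID) int { return int(uint32(k)) }

// OwnerArgFixed is the corrected conversion: -1 is passed explicitly
// whenever the ID is unset, so the callee's sentinel check succeeds.
func OwnerArgFixed(k KUID) int {
	if !k.Ok() {
		return -1
	}
	return int(uint32(k))
}

// WantsOwnerUnchanged is the callee-side check the sentinel must satisfy
// (the "== -1 check" from the commit message).
func WantsOwnerUnchanged(arg int) bool { return arg == -1 }

// IntIs64Bit reports whether int is 8 bytes. On a 32-bit platform the plain
// cast happens to wrap to -1, which is why the bug only shows on 64-bit.
func IntIs64Bit() bool { return bits.UintSize == 64 }

func main() {
	unset := KUID(NoID)
	fmt.Printf("int is 64-bit: %v\n", IntIs64Bit())
	fmt.Printf("buggy: arg=%d unchanged=%v\n",
		OwnerArgBuggy(unset), WantsOwnerUnchanged(OwnerArgBuggy(unset)))
	fmt.Printf("fixed: arg=%d unchanged=%v\n",
		OwnerArgFixed(unset), WantsOwnerUnchanged(OwnerArgFixed(unset)))
}
```

The same pattern applies to the gid argument and to the fsgofer side mentioned in the commit: any place a uint32 ID sentinel is handed to a syscall argument of type int must branch on `Ok()` rather than rely on the cast.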
When e.g. an application thread takes a page fault on an mmapped file, MM calls
`memmap.Mappable.Translate()` to obtain the corresponding host FD range that
should be mapped into the application's address space. It passes both the range
that *must* be mapped (e.g. the faulting page) as `required`, and the maximum
range that *may* be mapped (the previously-unfaulted part of the corresponding
VMA) as `optional`, such that file implementations can map more than `required`
to avoid future page faults.
Prior to this CL, `tmpfs.regularFile.Translate()` always returned translations
up to `optional`, under the assumption that allocating larger ranges from
`pgalloc.MemoryFile` has negligible incremental cost. This behavior dates to
the introduction of `memmap.Mappable.Translate()` (cl/182882705) and thus
predates the implementation of tmpfs size limits (cl/442686814). Now that the
latter exists, unconditionally translating - and therefore allocating pages -
up to `optional` can result in hitting tmpfs size limits prematurely.
Thus: Constrain optional translations returned by
`tmpfs.regularFile.Translate()`, applying the same logic as
`gofer.maxFillRange()`.
PiperOrigin-RevId: 713134287
When using overlayfs with tmpfs as the upper layer (common case), depending on
the application, a lot of whiteouts can be created. This leads to a lot of
memory allocation because new dentry and inode structs need to be allocated for
each whiteout. With this change, we at least avoid the inode allocations.
This is analogous to what Linux does. See fs/overlayfs/ovl_entry.h:ovl_fs's
field `whiteout` with comment "Shared whiteout cache".
PiperOrigin-RevId: 704897805
This fixes save/restore of mmapped gofer.specialFileFDs (usually obtained via
mount option "disable_file_handle_sharing") for which mappings have actually
been used (mm.pmas have been obtained).
PiperOrigin-RevId: 700465816
For vfs.FileDescriptions for which FileDescriptionOptions.UseDentryMetadata is
true, memmap.MappingIdentity.Device/InodeID() => FileDescription.Stat() =>
FilesystemImpl.StatAt() takes fsimpl locks for path traversal, which violates
the lock ordering and is unnecessary since no path is being traversed. Fix this
by carving out a special case where FilesystemImpl.Stat() (and
FileDescriptionImpl.Stat()) are required to meet the lock ordering requirements
of memmap.MappingIdentity.Device/InodeID(), and implement that special case by
skipping path traversal (and gofer revalidation) locks when not required.
PiperOrigin-RevId: 698608924
Right now, entries are never removed from dirInoCache and if someone creates
and deletes directories in a loop, they observe memory leaks.
PiperOrigin-RevId: 698195540