Post category - gvisor


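Summary: Executing a signal handler is a fairly complex task, because the contents of the stack must be handled carefully when switching between user mode and kernel mode. A signal handler is a function defined by a user-mode process and contained in the user-mode code segment. The handle_signal( ) function runs in kernel mode while the signal handler runs in user mode, which means that before the current process resumes "normal" execution, it must first execute the user Read more

posted @ 2021-01-27 16:30 tycoon3 Views(577) Comments(0) Recommended(0)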

Summary: https://github.com/google/gvisor/tree/master/pkg/sentry/fs VFS2 addresses this by delegating path resolution to the filesystem, making it possible to Read more

posted @ 2021-01-22 11:36 tycoon3 Views(199) Comments(0) Recommended(0)

Summary: Kernel setup runsc/boot/loader.go There are two kernel structs, kernel.Kernel and ring0.Kernel. kernel.Kernel contains most of kernel data structures Read more

posted @ 2021-01-22 09:09 tycoon3 Views(125) Comments(0) Recommended(0)

Summary: gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer runs as a separate process, that is isolated from the sandbox. Gofer Read more

posted @ 2021-01-21 20:30 tycoon3 Views(185) Comments(0) Recommended(0)

Summary: runsc --vfs2 do echo 123 123 Read more

posted @ 2021-01-21 19:30 tycoon3 Views(99) Comments(0) Recommended(0)

Summary: // R0 - The signal number. // R1 - Pointer to siginfo_t structure. // R2 - Pointer to ucontext structure. // TEXT ·sighandler(SB),NOSPLIT,$0 // si_sig Read more

posted @ 2021-01-20 14:46 tycoon3 Views(348) Comments(0) Recommended(0)

Summary: The Go source defines system calls as follows: func Syscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno) func Syscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintp Read more

posted @ 2021-01-20 10:43 tycoon3 Views(5269) Comments(0) Recommended(0)

Summary: https://www.it610.com/article/1175051551228637184.htm TCP send flow third_party\golibs\github.com\google\netstack\tcpip\transport\tcp\snd.go sendData maybeS Read more

posted @ 2021-01-19 19:49 tycoon3 Views(578) Comments(0) Recommended(0)

Summary: Files in the sandbox may be backed by different implementations. For host-native files (where a file descriptor is available), the Gofer may return a Read more

posted @ 2021-01-19 11:45 tycoon3 Views(150) Comments(0) Recommended(0)

Summary: https://github.com/google/gvisor/issues/1397 #include <sys/socket.h> #include <sys/un.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #i Read more

posted @ 2021-01-19 10:34 tycoon3 Views(83) Comments(0) Recommended(0)

Summary: https://github.com/google/gvisor/issues/1397 pkg/sentry/syscalls/linux/sys_socket.go root@cloud:~/onlyGvisor/gvisor# docker exec -it test ping 8.8.8.8 Read more

posted @ 2021-01-19 10:19 tycoon3 Views(258) Comments(0) Recommended(0)

Summary: root@cloud:~# docker exec -it test ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: seq=0 ttl=42 time=56.182 ms 64 bytes from Read more

posted @ 2021-01-14 20:03 tycoon3 Views(163) Comments(0) Recommended(0)

Summary: Stack traces Debugger Profiling Docker Proxy To enable debug and system call logging, add the runtimeArgs below to your Docker configuration (/etc/doc Read more

posted @ 2021-01-14 15:36 tycoon3 Views(247) Comments(0) Recommended(0)

Summary: The implementation of Syscall in Go is in the assembly file syscall/asm_linux_amd64.s // func Syscall(trap int64, a1, a2, a3 int64) (r1, r2, err int64); // Trap # in AX, args in DI SI D Read more

posted @ 2021-01-14 10:12 tycoon3 Views(407) Comments(0) Recommended(0)

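Summary: Introduction: Dune is a system that gives applications direct but safe access to hardware features (such as page tables, the TLB, and so on). It uses the virtualization hardware in modern processors to provide a process abstraction rather than a machine abstraction. It consists of a small kernel module that initializes the virtualization hardware and mediates interactions with the kernel, and a user-level library that helps applications manage privileged hardware features. Dune provides a loadable kernel module, which can Read more

posted @ 2021-01-13 15:02 tycoon3 Views(474) Comments(0) Recommended(0)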

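Summary: gVisor is a user-space kernel, or process virtualization technology, that grew out of libdune's approach to system call interception. – HW performs transitions between modes • VM Exit -> trap to hypervisor (enter host mode) • VM Enter -> Read more

posted @ 2021-01-13 14:46 tycoon3 Views(156) Comments(0) Recommended(0)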

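Summary: https://terassyi.net/posts/2020/04/14/gvisor.html Sentry reuses the Go language's GMP model [3]. Each application thread corresponds to a built-in Go goroutine (see the kernel.Task.Start function), that is, a G. The go runtime Read more

posted @ 2021-01-13 11:45 tycoon3 Views(217) Comments(0) Recommended(0)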

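Summary: While browsing the Golang source today, I found how Golang calls assembly code (see pkg/bytes). Roughly three things are needed. As a test, I use an assembly implementation of Equal, a method that checks whether two strings are equal: Preparation, create the project directory: asm_demo |--bin |--pkg |--src | |--strlib | |-- Read more

posted @ 2021-01-13 10:07 tycoon3 Views(964) Comments(0) Recommended(0)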

Summary: 1. Overview: no interrupts, no devices, no io tasks are goroutines 2. syscall: sentry can run in non-root(ring0) and root(ring3). userapp's syscall ar Read more

posted @ 2021-01-13 09:58 tycoon3 Views(162) Comments(0) Recommended(0)

Summary: How are Sentry system calls trapped into host kernel? From How gvisor trap to syscall handler in kvm platform, “Note that the SYSCALL instruction (Wenb Read more

posted @ 2021-01-11 17:56 tycoon3 Views(675) Comments(0) Recommended(0)
