Merge pull request #9551 from amysaq2023:support-external-stack

PiperOrigin-RevId: 677933413

Author: gvisor-bot

.bazelrc

@@ -29,6 +29,9 @@ test:race --@io_bazel_rules_go//go/config:race --@io_bazel_rules_go//go/config:p
 build --@io_bazel_rules_go//go/config:pure
 test --@io_bazel_rules_go//go/config:pure
 
+# Set bazel_rule as non-pure when cgo is used.
+build:plugin-tldk --@io_bazel_rules_go//go/config:pure=false --define=plugin_tldk=true --define=network_plugins=true
+
 # By default, exclude nogo targets from building. They will still be included
 # by default for all tests.
 build --build_tag_filters=-nogo

.buildkite/pipeline.yaml

@@ -87,7 +87,7 @@ steps:
     label: ":world_map: Build runsc and pkg (AMD64)"
     commands:
       - "make build TARGETS=//pkg/..."
-      - "make build TARGETS=//runsc/..."
+      - "make build TARGETS='--build_tag_filters=-network_plugins //runsc/...'"
     agents:
       arch: "amd64"
 
@@ -96,7 +96,7 @@ steps:
     label: ":world_map: Build runsc and pkg (ARM64)"
     commands:
       - "make build TARGETS=//pkg/..."
-      - "make build TARGETS=//runsc/..."
+      - "make build TARGETS='--build_tag_filters=-network_plugins //runsc/...'"
     agents:
       arch: "arm64"
 
@@ -105,7 +105,7 @@ steps:
     <<: *source_test_continuous
     label: ":world_map: Build everything"
     commands:
-      - "make build TARGETS=//..."
+      - "make build TARGETS='--build_tag_filters=-network_plugins //...'"
 
   # Check that the Go branch builds. This is not technically required, as this build is maintained
   # as a GitHub action in order to preserve this maintaince across forks. However, providing the

BUILD

@@ -139,6 +139,7 @@ go_path(
 
         # Packages that are not dependencies of the above.
         "//pkg/sentry/kernel/memevent",
+        "//pkg/sentry/socket/plugin/stack",
         "//pkg/tcpip/adapters/gonet",
         "//pkg/tcpip/faketime",
         "//pkg/tcpip/link/channel",

Makefile

@@ -221,7 +221,7 @@ nogo-tests:
 #
 # FIXME(gvisor.dev/issue/10045): Need to fix broken tests.
 unit-tests: ## Local package unit tests in pkg/..., tools/.., etc.
-	@$(call test,--test_tag_filters=-nogo$(COMMA)-requires-kvm -- //:all pkg/... tools/... runsc/... vdso/... test/trace/... -//pkg/metric:metric_test -//pkg/coretag:coretag_test -//runsc/config:config_test -//tools/tracereplay:tracereplay_test -//test/trace:trace_test)
+	@$(call test,--test_tag_filters=-nogo$(COMMA)-requires-kvm --build_tag_filters=-network_plugins -- //:all pkg/... tools/... runsc/... vdso/... test/trace/... -//pkg/metric:metric_test -//pkg/coretag:coretag_test -//runsc/config:config_test -//tools/tracereplay:tracereplay_test -//test/trace:trace_test)
 .PHONY: unit-tests
 
 # See unit-tests: this includes runsc/container.

WORKSPACE

@@ -52,6 +52,7 @@ http_archive(
         # Allow for patching of the go_sdk.
         "//tools:rules_go_sdk.patch",
         "//tools:rules_go_facts.patch",
+        "//tools:rules_cgo.patch",
     ],
     sha256 = "80a98277ad1311dacd837f9b16db62887702e9f1d1c4c9f796d0121a46c8e184",
     urls = [
@@ -3351,3 +3352,9 @@ go_repository(
     sum = "h1:uImZAk6qLkC6F9ju6mZ5SPBqTyK8xjZKwSmwnCg4bxg=",
     version = "v2.3.3",
 )
+
+new_local_repository(
+    name = "libpluginstack",
+    path = "tools/plugin-stack",
+    build_file = "tools/plugin-stack/plugin-stack.BUILD",
+)

pkg/abi/linux/netdevice.go

@@ -85,6 +85,9 @@ type IFConf struct {
 	Ptr uint64
 }
 
+// SizeOfIFConf is the binary size of an IFConf struct (16 bytes).
+var SizeOfIFConf = (*IFConf)(nil).SizeBytes()
+
 // EthtoolCmd is a marshallable type to be able to easily copyin the
 // the command for an SIOCETHTOOL ioctl.
 //

pkg/sentry/socket/plugin/BUILD

@@ -0,0 +1,21 @@
+load("//tools:defs.bzl", "go_library")
+
+package(
+    default_applicable_licenses = ["//:license"],
+    licenses = ["notice"],
+)
+
+go_library(
+    name = "plugin",
+    srcs = [
+        "config.go",
+        "plugin.go",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/seccomp",
+        "//pkg/sentry/inet",
+        "//pkg/waiter",
+        "@org_golang_x_sys//unix:go_default_library",
+    ],
+)

pkg/sentry/socket/plugin/cgo/BUILD

@@ -0,0 +1,41 @@
+load("//tools:defs.bzl", "go_library")
+
+package(
+    default_applicable_licenses = ["//:license"],
+    licenses = ["notice"],
+)
+
+config_setting(
+    name = "network_plugins",
+    values = {"define": "network_plugins=true"},
+)
+
+go_library(
+    name = "cgo",
+    srcs = [
+        "cgo.go",
+        "nocgo_stub_unsafe.go",
+        "socket_unsafe.go",
+        "stack_unsafe.go",
+        "util_unsafe.go",
+    ],
+    bazel_cdeps = [
+        "@libpluginstack//:libpluginstack",
+    ],
+    bazel_cgo = select({
+        ":network_plugins": True,
+        "//conditions:default": False,
+    }),
+    bazel_clinkopts = [
+        "-L external/libpluginstack",
+    ],
+    bazel_copts = [
+        "-march=native",
+        "-I external/libpluginstack/lib/libtle_glue",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/abi/linux",
+        "//pkg/abi/linux/errno",
+    ],
+)

pkg/sentry/socket/plugin/cgo/cgo.go

@@ -0,0 +1,21 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cgo provides interfaces definition to interact with third-party
+// network stack. It also implements CGO wrappers to handle Golang arguments
+// to CGO and CGO return values to Golang.
+//
+// Third-party external network stack will implement interfaces defined in this
+// package in order to be used by gVisor.
+package cgo

pkg/sentry/socket/plugin/cgo/nocgo_stub_unsafe.go

@@ -0,0 +1,158 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !network_plugins
+// +build !network_plugins
+
+package cgo
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// GetPtr is a non-cgo stub function.
+func GetPtr(bs []byte) unsafe.Pointer {
+	panic("unimplemented")
+}
+
+// EpollCreate is a non-cgo stub function.
+func EpollCreate() int {
+	panic("unimplemented")
+}
+
+// EpollCtl is a non-cgo stub function.
+func EpollCtl(epfd int32, op int, handle, events uint32) {
+	panic("unimplemented")
+}
+
+// EpollWait is a non-cgo stub function.
+func EpollWait(epfd int32, events []syscall.EpollEvent, n int, us int) int {
+	panic("unimplemented")
+}
+
+// Socket is a non-cgo stub function.
+func Socket(domain, skType, protocol int) int64 {
+	panic("unimplemented")
+}
+
+// Bind is a non-cgo stub function.
+func Bind(handle uint32, sa []byte) int64 {
+	panic("unimplemented")
+}
+
+// Listen is a non-cgo stub function.
+func Listen(handle uint32, backlog int) int64 {
+	panic("unimplemented")
+}
+
+// Accept is a non-cgo stub function.
+func Accept(handle uint32, addrPtr *byte, lenPtr *uint32) int64 {
+	panic("unimplemented")
+}
+
+// Ioctl is a non-cgo stub function.
+func Ioctl(handle uint32, cmd uint32, buf []byte) int64 {
+	panic("unimplemented")
+}
+
+// Connect is a non-cgo stub function.
+func Connect(handle uint32, addr []byte) int64 {
+	panic("unimplemented")
+}
+
+// Getsockopt is a non-cgo stub function.
+func Getsockopt(handle uint32, l int, n int, val []byte, s int) (int64, int) {
+	panic("unimplemented")
+}
+
+// Setsockopt is a non-cgo stub function.
+func Setsockopt(handle uint32, l int, n int, val []byte) int64 {
+	panic("unimplemented")
+}
+
+// Shutdown is a non-cgo stub function.
+func Shutdown(handle uint32, how int) int64 {
+	panic("unimplemented")
+}
+
+// Close is a non-cgo stub function.
+func Close(handle uint32) {
+	panic("unimplemented")
+}
+
+// Getsockname is a non-cgo stub function.
+func Getsockname(handle uint32, addr []byte, addrlen *uint32) int64 {
+	panic("unimplemented")
+}
+
+// GetPeername is a non-cgo stub function.
+func GetPeername(handle uint32, addr []byte, addrlen *uint32) int64 {
+	panic("unimplemented")
+}
+
+// Readiness is a non-cgo stub function.
+func Readiness(handle uint32, mask uint64) int64 {
+	panic("unimplemented")
+}
+
+// Read is a non-cgo stub function.
+func Read(handle uint32, buf uintptr, count int) int64 {
+	panic("unimplemented")
+}
+
+// Readv is a non-cgo stub function.
+func Readv(handle uint32, iovs []syscall.Iovec) int64 {
+	panic("unimplemented")
+}
+
+// Recvfrom is a non-cgo stub function.
+func Recvfrom(handle uint32, buf, addr []byte, flags int) (int64, int) {
+	panic("unimplemented")
+}
+
+// Recvmsg is a non-cgo stub function.
+func Recvmsg(handle uint32, iovs []syscall.Iovec, addr, control []byte, flags int) (int64, int, int, int) {
+	panic("unimplemented")
+}
+
+// Write is a non-cgo stub function.
+func Write(handle uint32, buf uintptr, count int) int64 {
+	panic("unimplemented")
+}
+
+// Writev is a non-cgo stub function.
+func Writev(handle uint32, iovs []syscall.Iovec) int64 {
+	panic("unimplemented")
+}
+
+// Sendto is a non-cgo stub function.
+func Sendto(handle uint32, buf uintptr, count int, flags int, addr []byte) int64 {
+	panic("unimplemented")
+}
+
+// Sendmsg is a non-cgo stub function.
+func Sendmsg(handle uint32, iovs []syscall.Iovec, addr []byte, flags int) int64 {
+	panic("unimplemented")
+}
+
+// InitStack is a non-cgo stub function.
+func InitStack(initStr string, fds []int) error {
+	panic("unimplemented")
+}
+
+// PreInitStack is a non-cgo stub function.
+func PreInitStack(pid int) (string, []int, error) {
+	panic("unimplemented")
+}