gvisor/ directory
Directories
Path | Synopsis |
---|---|
images | |
images/benchmarks | |
images/benchmarks/profile-helper | Binary profilehelper helps exfiltrate benchmark profiles. |
images/gpu | |
images/gpu/cuda-tests | run_sample runs a CUDA sample test. |
images/gpu/cuda-tests-12-8 | run_sample runs a CUDA sample test. |
images/gpu/ollama | |
images/gpu/ollama/client | A simple `curl`-like HTTP client that prints metrics after the request. |
pkg | |
pkg/abi | Package abi describes the interface between a kernel and userspace. |
pkg/abi/attestation | Package attestation includes definitions needed for gVisor attestation. |
pkg/abi/gasket | Package gasket describes the userspace interface for Gasket devices. |
pkg/abi/linux | Package linux contains the constants and types needed to interface with a Linux kernel. |
pkg/abi/linux/errno | Package errno holds errno codes for abi/linux. |
pkg/abi/nvgpu | Package nvgpu tracks the ABI of the Nvidia GPU Linux kernel driver: https://github.com/NVIDIA/open-gpu-kernel-modules |
pkg/abi/sentry | Package sentry contains ABI-related constants for the gVisor sentry. |
pkg/abi/tpu | Package tpu defines constants used to interact with TPUs. |
pkg/aio | Package aio provides asynchronous I/O on host file descriptors. |
pkg/atomicbitops | Package atomicbitops provides extensions to the sync/atomic package. |
pkg/binary | Package binary translates between select fixed-sized types and a binary representation. |
pkg/bitmap | Package bitmap provides the implementation of bitmap. |
pkg/bits | Package bits includes all bit related types and operations. |
pkg/bpf | Package bpf provides tools for working with Berkeley Packet Filter (BPF) programs. |
pkg/buffer | Package buffer provides the implementation of a non-contiguous buffer that is reference counted, pooled, and copy-on-write. |
pkg/cleanup | Package cleanup provides utilities to clean "stuff" on defers. |
pkg/compressio | Package compressio provides parallel compression and decompression, as well as optional SHA-256 hashing. |
pkg/context | Package context defines an internal context type. |
pkg/control | |
pkg/control/client | Package client provides a basic control client interface. |
pkg/control/server | Package server provides a basic control server interface. |
pkg/coretag | Package coretag implements core tagging. |
pkg/coverage | Package coverage provides an interface through which Go coverage data can be collected, converted to kcov format, and exposed to userspace. |
pkg/cpuid | Package cpuid provides basic functionality for creating and adjusting CPU feature sets. |
pkg/crypto | Package crypto wraps crypto primitives. |
pkg/devutil | Package devutil provides device specific utilities. |
pkg/erofs | Package erofs provides the ability to access the contents in an EROFS [1] image. |
pkg/errors | Package errors holds the standardized error definition for gVisor. |
pkg/errors/linuxerr | Package linuxerr contains syscall error codes exported as error interface pointers. |
pkg/eventchannel | Package eventchannel contains functionality for sending any protobuf message on a socketpair. |
pkg/eventfd | Package eventfd wraps Linux's eventfd(2) syscall. |
pkg/fd | Package fd provides types for working with file descriptors. |
pkg/fdchannel | Package fdchannel implements passing file descriptors between processes over Unix domain sockets. |
pkg/fdnotifier | Package fdnotifier contains an adapter that translates IO events (e.g., a file became readable/writable) from native FDs to the notifications in the waiter package. |
pkg/flipcall | Package flipcall implements a protocol providing Fast Local Interprocess Procedure Calls between mutually-distrusting processes. |
pkg/fspath | Package fspath provides efficient tools for working with file paths in Linux-compatible filesystem implementations. |
pkg/fsutil | Package fsutil contains filesystem utilities that can be shared between the sentry and other sandbox components. |
pkg/gohacks | Package gohacks contains utilities for subverting the Go compiler. |
pkg/goid | Package goid provides the Get function. |
pkg/gomaxprocs | Package gomaxprocs synchronizes adjustments to GOMAXPROCS. |
pkg/gvisordetect | Package gvisordetect implements a library that callers may use to detect whether they are running on a gVisor kernel, assuming it is configured to expose the gVisor marker file. |
pkg/hostarch | Package hostarch contains host arch address operations for user memory. |
pkg/hostos | Package hostos contains utility functions for getting information about the host OS. |
pkg/hostsyscall | Package hostsyscall provides functions like unix.RawSyscall, but without the overhead of multiple stack frame allocations. |
pkg/hosttid | Package hosttid provides the Current function. |
pkg/ilist | Package ilist provides the implementation of intrusive linked lists. |
pkg/linewriter | Package linewriter provides an io.Writer which calls an emitter on each line. |
pkg/lisafs | Package lisafs (LInux SAndbox FileSystem) defines the protocol for filesystem RPCs between an untrusted Sandbox (client) and a trusted filesystem server. |
pkg/lisafs/testsuite | Package testsuite provides an integration testing suite for lisafs. |
pkg/log | Package log implements a library for logging. |
pkg/marshal | Package marshal defines the Marshallable interface for serializing/deserializing Go data structures to/from memory, according to the Linux ABI. |
pkg/marshal/primitive | Package primitive defines marshal.Marshallable implementations for primitive types. |
pkg/memutil | Package memutil provides utilities for working with shared memory files. |
pkg/metric | Package metric provides primitives for collecting metrics. |
pkg/metric/buckettool | buckettool prints buckets for distribution metrics. |
pkg/p9 | Package p9 is a 9P2000.L implementation. |
pkg/p9/p9test | Package p9test provides standard mocks for p9. |
pkg/pool | Package pool provides a trivial integer pool. |
pkg/prometheus | Package prometheus contains Prometheus-compliant metric data structures and utilities in pure Go. |
pkg/rand | Package rand implements a cryptographically secure pseudorandom number generator. |
pkg/rawfile | Package rawfile contains utilities for using raw host files on Linux hosts. |
pkg/refs | Package refs defines an interface for reference counted objects. |
pkg/ring0 | Package ring0 provides basic operating system-level stubs. |
pkg/ring0/pagetables | Package pagetables provides a generic implementation of pagetables. |
pkg/ringdeque | Package ringdeque provides the Deque type. |
pkg/safecopy | Package safecopy provides an efficient implementation of functions to access memory that may result in SIGSEGV or SIGBUS being sent to the accessor. |
pkg/safemem | Package safemem provides the Block and BlockSeq types. |
pkg/seccomp | Package seccomp provides generation of basic seccomp filters. |
pkg/seccomp/precompiledseccomp | precompile_gen generates a Go library that contains precompiled seccomp programs. |
pkg/seccomp/precompiledseccomp/example | Package example defines two seccomp programs ("example_program1" and "example_program2") to be embedded in the `usage` package in this directory. |
pkg/seccomp/precompiledseccomp/example/usage | Package usage shows how to use precompiled seccomp-bpf programs. |
pkg/seccomp/victim | Test binary used to test that seccomp filters are properly constructed and indeed kill the process on violation. |
pkg/secio | Package secio provides support for sectioned I/O. |
pkg/segment | Package segment provides tools for working with collections of segments. |
pkg/segment/test | Package segment is a test package. |
pkg/sentry | |
pkg/sentry/arch | Package arch provides abstractions around architecture-dependent details, such as syscall calling conventions, native types, etc. |
pkg/sentry/arch/fpu | Package fpu provides basic floating point helpers. |
pkg/sentry/contexttest | Package contexttest builds a test context.Context. |
pkg/sentry/control | Package control contains types that expose control server methods, and can be used to configure and interact with a running sandbox process. |
pkg/sentry/devices | |
pkg/sentry/devices/memdev | Package memdev implements "mem" character devices, as implemented in Linux by drivers/char/mem.c and drivers/char/random.c. |
pkg/sentry/devices/nvproxy | Package nvproxy implements proxying for the Nvidia GPU Linux kernel driver: https://github.com/NVIDIA/open-gpu-kernel-modules. |
pkg/sentry/devices/nvproxy/nvconf | Package nvconf provides configuration structures and utilities for nvproxy. |
pkg/sentry/devices/tpuproxy | Package tpuproxy contains tpu backend driver proxy implementations and helper functions. |
pkg/sentry/devices/tpuproxy/accel | Package accel implements a proxy for gasket based accel devices. |
pkg/sentry/devices/tpuproxy/util | Package util contains helper functions for tpuproxy implementations. |
pkg/sentry/devices/tpuproxy/vfio | Package vfio implements a proxy for VFIO devices. |
pkg/sentry/devices/ttydev | Package ttydev implements a vfs.Device for /dev/tty. |
pkg/sentry/devices/tundev | Package tundev implements the /dev/net/tun device. |
pkg/sentry/fdcollector | Package fdcollector provides a goroutine that reads from a vfs.FileDescription (which may block) into a bytes.Buffer. |
pkg/sentry/fdimport | Package fdimport provides the Import function. |
pkg/sentry/fsimpl | |
pkg/sentry/fsimpl/cgroupfs | Package cgroupfs implements cgroupfs. |
pkg/sentry/fsimpl/dev | Package dev provides a filesystem implementation for /dev. |
pkg/sentry/fsimpl/devpts | Package devpts provides a filesystem implementation that behaves like devpts. |
pkg/sentry/fsimpl/devtmpfs | Package devtmpfs provides a singleton fsimpl/dev filesystem instance, analogous to Linux's devtmpfs. |
pkg/sentry/fsimpl/erofs | Package erofs implements erofs. |
pkg/sentry/fsimpl/eventfd | Package eventfd implements event fds. |
pkg/sentry/fsimpl/fuse | Package fuse implements fusefs. |
pkg/sentry/fsimpl/gofer | Package gofer provides a filesystem implementation that is backed by a 9p server, interchangeably referred to as "gofers" throughout this package. |
pkg/sentry/fsimpl/host | Package host provides a filesystem implementation for host files imported as file descriptors. |
pkg/sentry/fsimpl/iouringfs | Package iouringfs provides a filesystem implementation for IO_URING basing it on anonfs. |
pkg/sentry/fsimpl/kernfs | Package kernfs provides the tools to implement inode-based filesystems. |
pkg/sentry/fsimpl/lock | Package lock is the API for POSIX-style advisory regional file locks and BSD-style full file locks. |
pkg/sentry/fsimpl/mqfs | Package mqfs provides a filesystem implementation to back POSIX message queues. |
pkg/sentry/fsimpl/nsfs | Package nsfs provides the filesystem implementation backing Kernel.NsfsMount. |
pkg/sentry/fsimpl/overlay | Package overlay provides an overlay filesystem implementation, which synthesizes a filesystem by composing one or more immutable filesystems ("lower layers") with an optional mutable filesystem ("upper layer"). |
pkg/sentry/fsimpl/pipefs | Package pipefs provides the filesystem implementation backing Kernel.PipeMount. |
pkg/sentry/fsimpl/proc | Package proc implements a partial in-memory file system for procfs. |
pkg/sentry/fsimpl/signalfd | Package signalfd provides basic signalfd file implementations. |
pkg/sentry/fsimpl/sockfs | Package sockfs provides a filesystem implementation for anonymous sockets. |
pkg/sentry/fsimpl/sys | Package sys implements sysfs. |
pkg/sentry/fsimpl/testutil | Package testutil provides common test utilities for kernfs-based filesystems. |
pkg/sentry/fsimpl/timerfd | Package timerfd implements timer fds. |
pkg/sentry/fsimpl/tmpfs | Package tmpfs provides an in-memory filesystem whose contents are application-mutable, consistent with Linux's tmpfs. |
pkg/sentry/fsimpl/user | Package user contains methods for resolving filesystem paths based on the user and their environment. |
pkg/sentry/fsmetric | Package fsmetric defines filesystem metrics. |
pkg/sentry/fsutil | Package fsutil provides utilities for implementing vfs.FileDescriptionImpl and vfs.FilesystemImpl. |
pkg/sentry/hostcpu | Package hostcpu provides utilities for working with CPU information provided by a host Linux kernel. |
pkg/sentry/hostfd | Package hostfd provides efficient I/O with host file descriptors. |
pkg/sentry/hostmm | Package hostmm provides tools for interacting with the host Linux kernel's virtual memory management subsystem. |
pkg/sentry/inet | Package inet defines semantics for IP stacks. |
pkg/sentry/kernel | Package kernel provides an emulation of the Linux kernel. |
pkg/sentry/kernel/auth | Package auth implements an access control model that is a subset of Linux's. |
pkg/sentry/kernel/contexttest | Package contexttest provides a test context.Context which includes a dummy kernel pointing to a valid platform. |
pkg/sentry/kernel/fasync | Package fasync provides FIOASYNC related functionality. |
pkg/sentry/kernel/futex | Package futex provides an implementation of the futex interface as found in the Linux kernel. |
pkg/sentry/kernel/ipc | Package ipc defines functionality and utilities common to sysvipc mechanisms. |
pkg/sentry/kernel/memevent | Package memevent implements the memory usage events controller, which periodically emits events via the eventchannel. |
pkg/sentry/kernel/mq | Package mq provides an implementation for POSIX message queues. |
pkg/sentry/kernel/msgqueue | Package msgqueue implements System V message queues. |
pkg/sentry/kernel/pipe | Package pipe provides a pipe implementation. |
pkg/sentry/kernel/sched | Package sched implements scheduler related features. |
pkg/sentry/kernel/semaphore | Package semaphore implements System V semaphores. |
pkg/sentry/kernel/shm | Package shm implements sysv shared memory segments. |
pkg/sentry/ktime | Package ktime provides an API for clocks and timers implemented by the sentry. |
pkg/sentry/limits | Package limits provides resource limits. |
pkg/sentry/loader | Package loader loads an executable file into a MemoryManager. |
pkg/sentry/loader/vdsodata | Package vdsodata contains a compiled VDSO object. |
pkg/sentry/memmap | Package memmap defines semantics for memory mappings. |
pkg/sentry/mm | Package mm provides a memory management subsystem. |
pkg/sentry/pgalloc | Package pgalloc contains the page allocator subsystem, which provides allocatable memory that may be mapped into application address spaces. |
pkg/sentry/platform | Package platform provides a Platform abstraction. |
pkg/sentry/platform/interrupt | Package interrupt provides an interrupt helper. |
pkg/sentry/platform/kvm | Package kvm provides a kvm-based implementation of the platform interface. |
pkg/sentry/platform/kvm/testutil | Package testutil provides common assembly stubs for testing. |
pkg/sentry/platform/platforms | Package platforms imports all available platform packages. |
pkg/sentry/platform/ptrace | Package ptrace provides a ptrace-based implementation of the platform interface. |
pkg/sentry/platform/systrap | Package systrap provides a seccomp-based implementation of the platform interface. |
pkg/sentry/platform/systrap/sysmsg | Package sysmsg provides a stub signal handler and a communication protocol between stub threads and the Sentry. |
pkg/sentry/platform/systrap/usertrap | Package usertrap implements the library to replace syscall instructions with function calls. |
pkg/sentry/seccheck | Package seccheck defines a structure for dynamically-configured security checks in the sentry. |
pkg/sentry/seccheck/sinks | |
pkg/sentry/seccheck/sinks/null | Package null defines a seccheck.Sink that does nothing with the trace points, akin to /dev/null. |
pkg/sentry/seccheck/sinks/remote | Package remote defines a seccheck.Sink that serializes points to a remote process. |
pkg/sentry/seccheck/sinks/remote/server | Package server provides a common server implementation that can connect with remote.Remote. |
pkg/sentry/seccheck/sinks/remote/test | Package test provides functionality used to test the remote sink. |
pkg/sentry/seccheck/sinks/remote/wire | Package wire defines structs used in the wire format for the remote checker. |
pkg/sentry/socket | Package socket provides the interfaces that need to be provided by socket implementations and providers, as well as per family demultiplexing of socket creation. |
pkg/sentry/socket/control | Package control provides internal representations of socket control messages. |
pkg/sentry/socket/hostinet | Package hostinet implements AF_INET and AF_INET6 sockets using the host's network stack. |
pkg/sentry/socket/netfilter | Package netfilter helps the sentry interact with netstack's netfilter capabilities. |
pkg/sentry/socket/netlink | Package netlink provides core functionality for netlink sockets. |
pkg/sentry/socket/netlink/nlmsg | Package nlmsg provides helpers to parse and construct netlink messages. |
pkg/sentry/socket/netlink/port | Package port provides port ID allocation for netlink sockets. |
pkg/sentry/socket/netlink/route | Package route provides a NETLINK_ROUTE socket protocol. |
pkg/sentry/socket/netlink/uevent | Package uevent provides a NETLINK_KOBJECT_UEVENT socket protocol. |
pkg/sentry/socket/netstack | Package netstack provides an implementation of the socket.Socket interface that is backed by a tcpip.Endpoint. |
pkg/sentry/socket/netstack/packetmmap | Package packetmmap contains the packet mmap implementation for netstack. |
pkg/sentry/socket/plugin | Package plugin provides a set of interfaces to interact with a third-party netstack. |
pkg/sentry/socket/plugin/cgo | Package cgo provides interface definitions to interact with a third-party network stack. |
pkg/sentry/socket/plugin/stack | Package stack provides an implementation of plugin.PluginStack interface and an implementation of socket.Socket interface. |
pkg/sentry/socket/unix | Package unix provides an implementation of the socket.Socket interface for the AF_UNIX protocol family. |
pkg/sentry/socket/unix/transport | Package transport contains the implementation of Unix endpoints. |
pkg/sentry/state | Package state provides high-level state wrappers. |
pkg/sentry/strace | Package strace implements the logic to print out the input and the return value of each traced syscall. |
pkg/sentry/syscalls | Package syscalls is the interface from the application to the kernel. |
pkg/sentry/syscalls/linux | Package linux provides syscall tables for amd64 and arm64 Linux. |
pkg/sentry/time | Package time provides a calibrated clock synchronized to a system reference clock. |
pkg/sentry/unimpl | Package unimpl contains an interface to emit events about unimplemented features. |
pkg/sentry/uniqueid | Package uniqueid defines context.Context keys for obtaining system-wide unique identifiers. |
pkg/sentry/usage | Package usage provides representations of resource usage. |
pkg/sentry/vfs | Package vfs implements a virtual filesystem layer. |
pkg/sentry/vfs/genericfstree | Package genericfstree provides tools for implementing vfs.FilesystemImpls that follow a standard pattern for synchronizing Dentry parent and name. |
pkg/sentry/vfs/memxattr | Package memxattr provides a default, in-memory extended attribute implementation. |
pkg/sentry/watchdog | Package watchdog is responsible for monitoring the sentry for tasks that may potentially be stuck or looping indeterminately, causing hard-to-debug hangs in the untrusted app. |
pkg/shim | |
pkg/shim/v1 | Package v1 implements Containerd Shim v2 interface. |
pkg/shim/v1/extension | Package extension provides an extension to the shim. |
pkg/shim/v1/proc | Package proc is responsible for managing the communication between the shim and the sandbox process running the container. |
pkg/shim/v1/runsc | Package runsc implements Containerd Shim v2 interface. |
pkg/shim/v1/runsccmd | Package runsccmd provides an API to interact with runsc command line. |
pkg/shim/v1/runtimeoptions | Package runtimeoptions contains the runtimeoptions proto for containerd 1.5 and above. |
pkg/shim/v1/runtimeoptions/v14 | Package v14 contains the runtimeoptions proto for containerd 1.4 and earlier. |
pkg/shim/v1/utils | Package utils contains miscellaneous utility functions used by the shim. |
pkg/sigframe | Package sigframe implements a mechanism to create a signal frame on the stack and execute a user-defined callback function within that context. |
pkg/sighandling | Package sighandling contains helpers for handling signals to applications. |
pkg/sleep | Package sleep allows goroutines to efficiently sleep on multiple sources of notifications (wakers). |
pkg/state | Package state provides functionality related to saving and loading object graphs. |
pkg/state/pretty | Package pretty is a pretty-printer for state streams. |
pkg/state/statefile | Package statefile defines the state file data stream. |
pkg/state/tests | Package tests tests the state packages. |
pkg/state/wire | Package wire contains a few basic types that can be composed to serialize graph information for the state package. |
pkg/sync | Package sync provides synchronization primitives. |
pkg/sync/atomicptr | Package seqatomic doesn't exist. |
pkg/sync/atomicptrmap | Package atomicptrmap instantiates generic_atomicptrmap for testing. |
pkg/syncevent | Package syncevent provides efficient primitives for goroutine synchronization based on event bitmasks. |
pkg/sync/locking | Package locking implements lock primitives with the correctness validator. |
pkg/sync/seqatomic | Package seqatomic doesn't exist. |
pkg/syserr | Package syserr contains sandbox-internal errors. |
pkg/tcpip | Package tcpip provides the interfaces and related types that users of the tcpip stack will use in order to create endpoints used to send and receive data over the network stack. |
pkg/tcpip/adapters | |
pkg/tcpip/adapters/gonet | Package gonet provides a Go net package compatible wrapper for a tcpip stack. |
pkg/tcpip/checker | Package checker provides helper functions to check networking packets for validity. |
pkg/tcpip/checksum | Package checksum provides the implementation of the encoding and decoding of network protocol headers. |
pkg/tcpip/faketime | Package faketime provides a fake clock that implements tcpip.Clock interface. |
pkg/tcpip/hash | |
pkg/tcpip/hash/jenkins | Package jenkins implements Jenkins's one_at_a_time, non-cryptographic hash functions created by Bob Jenkins. |
pkg/tcpip/header | Package header provides the implementation of the encoding and decoding of network protocol headers. |
pkg/tcpip/header/parse | Package parse provides utilities to parse packets. |
pkg/tcpip/internal | |
pkg/tcpip/link | |
pkg/tcpip/link/channel | Package channel provides the implementation of channel-based data-link layer endpoints. |
pkg/tcpip/link/ethernet | Package ethernet provides an implementation of an ethernet link endpoint that wraps an inner link endpoint. |
pkg/tcpip/link/fdbased | Package fdbased provides the implementation of data-link layer endpoints backed by boundary-preserving file descriptors (e.g., TUN devices, seqpacket/datagram sockets). |
pkg/tcpip/link/loopback | Package loopback provides the implementation of loopback data-link layer endpoints. |
pkg/tcpip/link/muxed | Package muxed provides muxed link endpoints. |
pkg/tcpip/link/nested | Package nested provides helpers to implement the pattern of nested stack.LinkEndpoints. |
pkg/tcpip/link/packetsocket | Package packetsocket provides a link endpoint that enables delivery of incoming and outgoing packets to any interested packet sockets. |
pkg/tcpip/link/pipe | Package pipe provides the implementation of pipe-like data-link layer endpoints. |
pkg/tcpip/link/qdisc | |
pkg/tcpip/link/qdisc/fifo | Package fifo provides the implementation of FIFO queuing discipline that queues all outbound packets and asynchronously dispatches them to the lower link endpoint in the order that they were queued. |
pkg/tcpip/link/sharedmem | Package sharedmem provides the implementation of data-link layer endpoints backed by shared memory. |
pkg/tcpip/link/sharedmem/pipe | Package pipe implements a shared memory ring buffer on which a single reader and a single writer can operate (read/write) concurrently. |
pkg/tcpip/link/sharedmem/queue | Package queue provides the implementation of transmit and receive queues based on shared memory ring buffers. |
pkg/tcpip/link/sniffer | Package sniffer provides the implementation of data-link layer endpoints that wrap another endpoint and log inbound and outbound packets. |
pkg/tcpip/link/stopfd | Package stopfd provides a type that can be used to signal the stop of a dispatcher. |
pkg/tcpip/link/tun | Package tun contains methods to open TAP and TUN devices. |
pkg/tcpip/link/veth | Package veth provides the implementation of virtual ethernet device pair. |
pkg/tcpip/link/waitable | Package waitable provides the implementation of data-link layer endpoints that wrap other endpoints, and can wait for inflight calls to WritePacket or DeliverNetworkPacket to finish (and new ones to be prevented). |
pkg/tcpip/link/xdp | Package xdp provides link layer endpoints backed by AF_XDP sockets. |
pkg/tcpip/network | |
pkg/tcpip/network/arp | Package arp implements the ARP network protocol. |
pkg/tcpip/network/hash | Package hash contains utility functions for hashing. |
pkg/tcpip/network/internal | |
pkg/tcpip/network/ipv4 | Package ipv4 contains the implementation of the ipv4 network protocol. |
pkg/tcpip/network/ipv6 | Package ipv6 contains the implementation of the ipv6 network protocol. |
pkg/tcpip/nftables | Package nftables provides the interface to process packets through a netfilter (nf) ruleset and maintain/modify the ruleset accordingly. |
pkg/tcpip/ports | Package ports provides PortManager that manages allocating, reserving and releasing ports. |
pkg/tcpip/prependable | Package prependable defines a buffer that grows backwards. |
pkg/tcpip/sample | |
pkg/tcpip/sample/tun_tcp_connect | This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and connects to a peer. |
pkg/tcpip/sample/tun_tcp_echo | This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and listens on a port. |
pkg/tcpip/seqnum | Package seqnum defines the types and methods for TCP sequence numbers such that they fit in 32-bit words and work properly when overflows occur. |
pkg/tcpip/stack | Package stack provides the glue between networking protocols and the consumers of the networking stack. |
pkg/tcpip/stack/gro | Package gro implements generic receive offload. |
pkg/tcpip/tests | |
pkg/tcpip/tests/integration | |
pkg/tcpip/tests/utils | Package utils holds common testing utilities for tcpip. |
pkg/tcpip/testutil | Package testutil provides helper functions for netstack unit tests. |
pkg/tcpip/transport | Package transport supports transport protocols. |
pkg/tcpip/transport/icmp | Package icmp contains the implementation of the ICMP and IPv6-ICMP transport protocols for use in ping. |
pkg/tcpip/transport/internal | |
pkg/tcpip/transport/packet | Package packet provides the implementation of packet sockets (see packet(7)). |
pkg/tcpip/transport/raw | Package raw provides the implementation of raw sockets (see raw(7)). |
pkg/tcpip/transport/tcp | Package tcp contains the implementation of the TCP transport protocol. |
pkg/tcpip/transport/tcpconntrack | Package tcpconntrack implements a TCP connection tracking object. |
pkg/tcpip/transport/tcp/test | |
pkg/tcpip/transport/tcp/test/e2e | Package e2e contains definitions common to all e2e tcp tests. |
pkg/tcpip/transport/tcp/testing | |
pkg/tcpip/transport/tcp/testing/context | Package context provides a test context for use in tcp tests. |
pkg/tcpip/transport/testing | |
pkg/tcpip/transport/testing/context | Package context provides a context used by datagram-based network endpoints tests. |
pkg/tcpip/transport/udp | Package udp contains the implementation of the UDP transport protocol. |
pkg/test | |
pkg/test/criutil | Package criutil contains utility functions for interacting with the Container Runtime Interface (CRI), principally via the crictl command line tool. |
pkg/test/dockerutil | Package dockerutil is a collection of utility functions. |
pkg/test/testutil | Package testutil contains utility functions for runsc tests. |
pkg/timing | Package timing provides a way to record the timing of a series of operations across one or more goroutines. |
pkg/trie | Package trie provides a character-based prefix trie data structure for storing arbitrary payloads in an efficiently retrievable manner. |
pkg/unet | Package unet provides a minimal net package based on Unix Domain Sockets. |
pkg/urpc | Package urpc provides a minimal RPC package based on unet. |
pkg/usermem | Package usermem governs access to user memory. |
pkg/waiter | Package waiter provides the implementation of a wait queue, where waiters can be enqueued to be notified when an event of interest happens. |
pkg/xdp | Package xdp provides tools for working with AF_XDP sockets. |
runsc | Binary runsc implements the OCI runtime interface. |
runsc/boot | Package boot loads the kernel and runs a container. |
runsc/boot/filter | Package filter installs seccomp filters to prevent prohibited syscalls in case it's compromised. |
runsc/boot/filter/config | Package config defines all syscalls the sandbox is allowed to make to the host. |
runsc/boot/filter/dumpfilter | dumpfilter dumps the seccomp-bpf program used by the Sentry. |
runsc/boot/portforward | Package portforward holds the infrastructure to support the port forward command. |
runsc/boot/pprof | Package pprof provides a stub to initialize custom profilers. |
runsc/boot/procfs | Package procfs holds utilities for getting procfs information for sandboxed processes. |
runsc/cgroup | Package cgroup provides an interface to read and write configuration to cgroup. |
runsc/cli | Package cli is the main entrypoint for runsc. |
runsc/cmd | Package cmd holds implementations of the runsc commands. |
runsc/cmd/metricserver | The metricserver binary is a separate binary that implements the 'runsc metric-server' subcommand. |
runsc/cmd/metricserver/metricservercmd | Package metricservercmd partially implements the 'metric-server' subcommand. |
runsc/cmd/nvproxy | Package nvproxy provides subcommands for the nvproxy command. |
runsc/cmd/trace | Package trace provides subcommands for the trace command. |
runsc/cmd/util | Package util groups a bunch of common helper functions used by commands. |
runsc/config | Package config provides basic infrastructure to set configuration settings for runsc. |
runsc/console | Package console contains utilities for working with pty consoles in runsc. |
runsc/container | Package container creates and manipulates containers. |
runsc/donation | Package donation tracks files that are being donated to a child process and uses flags to notify the child process where the FDs are. |
runsc/flag | Package flag wraps flag primitives. |
runsc/fsgofer | Package fsgofer provides a lisafs server implementation which gives access to local files. |
runsc/fsgofer/filter | Package filter defines all syscalls the gofer is allowed to make, and installs seccomp filters to prevent prohibited syscalls in case it's compromised. |
runsc/hostsettings | Package hostsettings provides suggestions or adjustments for host kernel settings to improve runsc performance, stability, or security. |
runsc/metricserver | Package metricserver implements a Prometheus metric server for runsc data. |
runsc/metricserver/containermetrics | Package containermetrics returns metrics and labels interesting to export about a container or sandbox. |
runsc/mitigate | Package mitigate provides libraries for the mitigate command. |
runsc/profile | Package profile contains profiling utils. |
runsc/sandbox | Package sandbox creates and manipulates sandboxes. |
runsc/sandbox/bpf | Package bpf provides compiled bpf programs as byte slices. |
runsc/specutils | Package specutils contains utility functions for working with OCI runtime specs. |
runsc/specutils/safemount_test | safemount_runner is used to test the SafeMount function. |
runsc/specutils/seccomp | Package seccomp implements some features of libseccomp in order to support OCI. |
runsc/starttime | Package starttime holds the time the `runsc` command started. |
runsc/version | Package version holds a string containing version information for runsc. |
shim | Binary containerd-shim-runsc-v1 is the v2 containerd shim (implementing the formal v1 API). |
shim/v1 | |
shim/v1/cli | Package cli defines the command line interface for the V2 shim. |
shim/v2 | Binary containerd-shim-runsc-v2 is the v3 containerd shim (implementing the formal v2 API). |
test | |
test/benchmarks | |
test/benchmarks/base | Package base holds utility methods common to the base tests. |
test/benchmarks/database | Package database holds benchmarks around database applications. |
test/benchmarks/fs | |
test/benchmarks/fs/fsbench | Package fsbench provides utility functions for filesystem benchmarks. |
test/benchmarks/harness | Package harness holds utility code for running benchmarks on Docker. |
test/benchmarks/media | Package media holds benchmarks around media processing applications. |
test/benchmarks/ml | Package ml holds benchmarks around machine learning performance. |
test/benchmarks/network | Package network holds benchmarks around raw network performance. |
test/benchmarks/tcp | Binary tcp_proxy is a simple TCP proxy. |
test/benchmarks/tools | Package tools holds tooling to couple command formatting and output parsers together. |
test/cmd | |
test/cmd/test_app | Binary test_app is like a swiss knife for tests that need to run anything inside the sandbox. |
test/e2e | Package integration is empty. |
test/fsstress | Package fsstress is empty. |
test/gpu | |
test/gpu/cuda | Package cuda holds libraries for testing CUDA workloads. |
test/gpu/ollama | Package ollama provides an Ollama API client. |
test/gpu/stablediffusion | Package stablediffusion provides utilities to generate images with Stable Diffusion. |
test/gpu/vllm | |
test/image | Package image is empty. |
test/iptables | Package iptables contains a set of iptables tests implemented as TestCases. |
test/iptables/runner | Package main runs iptables tests from within a docker container. |
test/kubernetes | Package kubernetes contains utilities for gVisor tests. |
test/kubernetes/benchmarks | Package gsutil is used to benchmark the speed of large (10GB) downloads. |
test/kubernetes/benchmarks/httpbench | Package httpbench provides a library for benchmarking an HTTP server. |
test/kubernetes/benchmarks/profiling | Package profiling helps with getting profiles from running benchmarks. |
test/kubernetes/benchmetric | Package benchmetric provides utilities for benchmark metrics. |
test/kubernetes/k8sctx | Package k8sctx is used to manage the lifecycle of a Kubernetes test or benchmark running in one or more Kubernetes clusters. |
test/kubernetes/k8sctx/kubectlctx | Package kubectlctx provides a KubernetesContext that uses one or more kubectl configs to determine the cluster(s) to use for tests and benchmarks. |
test/kubernetes/testcluster | Package testcluster wraps the Kubernetes library for common test operations. |
test/kubernetes/tests | Package driver implements tests for driver version compatibility. |
test/metricclient | Package metricclient provides utility functions to start, stop, and talk to a metric server. |
test/metricsviz | Package metricsviz charts profiling metrics data and renders them to HTML. |
test/metricsviz/metricsviz_cli | metricsviz_cli visualizes metrics from profiling metrics logs. |
test/packetimpact | |
test/packetimpact/dut | Package dut provides common definitions and utilities to be shared by DUTs. |
test/packetimpact/dut/linux | Package linux provides utilities specific to bringing up linux DUTs. |
test/packetimpact/dut/native | The native binary is used to bring up a native linux DUT. |
test/packetimpact/dut/runsc | The devid binary is used to get the device ID in the runsc container. |
test/packetimpact/internal | |
test/packetimpact/netdevs | |
test/packetimpact/netdevs/netlink | Package netlink has routines to get interfaces information through netlink. |
test/packetimpact/runner | The runner binary is used as the test runner for PacketImpact tests. |
test/packetimpact/testbench | Package testbench has utilities to send and receive packets, and also command the DUT to run POSIX functions. |
test/packetimpact/tests | |
test/root | Package root is used for tests that require sysadmin privileges to run. |
test/rtnetlink | |
test/rtnetlink/linux | tcp_serv creates a TCP server socket, reads data from stdin, and sends that data to the socket. |
test/runner | Binary syscall_test_runner runs the syscall test suites in gVisor containers and on the host platform. |
test/runner/fuse | Binary main starts a fuse server that forwards filesystem operations from /tmp to /fuse. |
test/runner/gtest | Package gtest contains helpers for running google-test tests from Go. |
test/runtimes | |
test/runtimes/proctor | Binary proctor runs the test for a particular runtime. |
test/runtimes/proctor/lib | Package lib contains proctor functions. |
test/runtimes/runner | Binary runner runs the runtime tests in a Docker container. |
test/runtimes/runner/lib | Package lib provides utilities for runner. |
test/secbench | The runner binary executes a single benchmark run and prints out results. |
test/secbench/secbenchdef | Package secbenchdef contains struct definitions for secbench benchmarks. |
test/secfuzz | Package secfuzz allows fuzz-based testing of seccomp-bpf programs. |
test/trace | Package trace is empty. |
test/trace/config | Package config provides helper functions to configure trace sessions. |
test/uds | Package uds contains helpers for testing external UDS functionality. |
tools | |
tools/bigquery | Package bigquery defines a BigQuery schema for benchmarks. |
tools/checkaligned | Package checkaligned ensures that atomic (u)int operations happen exclusively via the atomicbitops package. |
tools/checkconst | Package checkconst checks constant values. |
tools/checkescape | Package checkescape allows recursive escape analysis for hot paths. |
tools/checkescape/test1 | Package test1 is a test package. |
tools/checkescape/test2 | Package test2 is a test package that imports test1. |
tools/checklinkname | Package checklinkname ensures that linkname declarations match their source. |
tools/checklinkname/test | Package test provides linkname test targets. |
tools/checklocks | Package checklocks performs lock analysis to identify and flag unprotected access to annotated fields. |
tools/checklocks/cmd | |
tools/checklocks/cmd/checklocks | Binary checklocks is a `vettool` for `go vet`. |
tools/checklocks/test | Package test is a test package. |
tools/checklocks/test/crosspkg | Package crosspkg is a second package for testing. |
tools/checkunsafe | Package checkunsafe allows unsafe imports only in files named appropriately. |
tools/constraintutil | Package constraintutil provides utilities for working with Go build constraints. |
tools/embeddedbinary | Package embeddedbinary embeds an external binary and provides a function to exec it. |
tools/embeddedbinary/test | helloworld_bundler bundles helloworld_bundlee and executes it. |
tools/embeddedbinary/test/helloworld | helloworld_bundlee writes "Hello, gVisor!\n" to stdout. |
tools/github | Binary github is the entry point for GitHub utilities. |
tools/github/reviver | Package reviver scans the code looking for TODOs and pass them to registered Buggers to ensure TODOs point to active issues. |
tools/go_fieldenum | Binary fieldenum emits field bitmasks for all structs in a package marked "+fieldenum". |
tools/go_generics | go_generics reads a Go source file and writes a new version of that file with a few transformations applied to each. |
tools/go_generics/globals | Package globals provides an AST visitor that calls the visit function for all global identifiers. |
tools/go_generics/go_merge | |
tools/go_generics/rules_tests | |
tools/go_generics/tests | |
tools/go_generics/tests/all_stmts | |
tools/go_generics/tests/all_types | |
tools/go_generics/tests/all_types/lib | |
tools/go_generics/tests/anon | |
tools/go_generics/tests/consts | |
tools/go_generics/tests/imports | |
tools/go_generics/tests/remove_typedef | |
tools/go_generics/tests/simple | |
tools/go_marshal | go_marshal is a code generation utility for automatically generating code to marshal go data structures to memory. |
tools/go_marshal/analysis | Package analysis implements common functionality used by generated go_marshal tests. |
tools/go_marshal/gomarshal | Package gomarshal implements the go_marshal code generator. |
tools/go_marshal/test | Package test contains data structures for testing the go_marshal tool. |
tools/go_marshal/test/escape | Package escape contains test cases for escape analysis. |
tools/go_marshal/test/external | Package external defines types we can import for testing. |
tools/go_stateify | Stateify provides a simple way to generate Load/Save methods based on existing types and struct tags. |
tools/gpu | Package main downloads and installs drivers. |
tools/gpu/drivers | Package drivers contains methods to download and install drivers. |
tools/gvisor2pcap | Binary gvisor2pcap converts gVisor packet sniffer output to .pcap files that can be fed to Wireshark or tcpdump. |
tools/gvisor_k8s_tool | gvisor_k8s_tool is a command-line tool to interact with gVisor in Kubernetes clusters. |
tools/gvisor_k8s_tool/cluster | Package cluster provides functions for dealing with Kubernetes clusters. |
tools/gvisor_k8s_tool/cmd | |
tools/gvisor_k8s_tool/cmd/install | Package install provides a function to install gVisor in a k8s cluster. |
tools/gvisor_k8s_tool/provider | |
tools/gvisor_k8s_tool/provider/clusterflag | Package clusterflag implements a flag.Value which can be used in commands to represent a Kubernetes cluster. |
tools/gvisor_k8s_tool/provider/gke | Package gke contains functions to interact with Google Kubernetes Engine. |
tools/gvisor_k8s_tool/provider/kubectl | Package kubectl contains functions to interact with Kubernetes clusters controlled using kubectl configurations. |
tools/gvisor_k8s_tool/spec | Package spec contains Kubernetes object specifications for gVisor setup. |
tools/gvisor_k8s_tool/util | Package util contains utility functions for gvisor_k8s_tools. |
tools/ioctl_sniffer | Package main sets up the ioctl sniffer and runs a given command. |
tools/ioctl_sniffer/sniffer | Package sniffer parses the output of the ioctl hook. |
tools/nogo | Binary nogo performs static analysis. |
tools/nogo/check | Package check implements binary analysis similar to bazel's nogo, or the unitchecker package. |
tools/nogo/cli | Package cli implements a basic command line interface. |
tools/nogo/config | Package config defines a filter configuration for nogo findings. |
tools/nogo/facts | Package facts implements alternate fact types. |
tools/nogo/flags | Package flags contains globally-visible flags. |
tools/nogo/sanity | Package sanity provides a basic sanity test. |
tools/nvidia_driver_differ | Package main sets up and runs the NVIDIA driver differ. |
tools/nvidia_driver_differ/parser | Package parser contains functions for interfacing with driver_ast_parser. |
tools/parsers | Package parsers holds parsers to parse Benchmark test output. |
tools/profiletool | profiletool deals with pprof profiles. |
tools/stucktasks | Package main implements a tool to help troubleshoot watchdog dumps. |
tools/tracereplay | Package tracereplay implements a tool that can save and replay messages issued from remote.Remote. |
tools/tracereplay/main | Package main implements a tool that can save and replay messages issued from remote.Remote. |
tools/xdp | The xdp_loader tool is used to load compiled XDP object files into the XDP hook of a net device. |
tools/xdp/cmd | Package cmd implements the subcommands of xdp_loader. |
tools/yamltest | Binary yamltest does strict yaml parsing and validation. |
webhook | Binary main serves a mutating Kubernetes webhook. |
webhook/pkg | |
webhook/pkg/cli | Package cli provides a CLI interface for a mutating Kubernetes webhook. |
webhook/pkg/injector | Package injector handles mutating webhook operations. |
website | |
website/cmd | |
website/cmd/server | Server is the main gvisor.dev binary. |
website/cmd/syscalldocs | Binary syscalldocs generates system call markdown. |
- Version
- v0.0.0-20250603074042-45108140e4ad (latest)
- Published
- Jun 3, 2025
- Platform
- linux/amd64