Add /proc/gvisor/kernel_is_gvisor marker file used to detect gVisor.

This change adds a configuration option to gVisor that, when enabled,
creates a file at `/proc/gvisor/kernel_is_gvisor` that can be used by
applications to detect whether they are running inside a gVisor sandbox.

Useful for testing and introspection.

PiperOrigin-RevId: 749217117

Author: EtiennePerot

pkg/gvisordetect/BUILD

@@ -0,0 +1,12 @@
+load("//tools:defs.bzl", "go_library")
+
+package(
+    default_applicable_licenses = ["//:license"],
+    licenses = ["notice"],
+)
+
+go_library(
+    name = "gvisordetect",
+    srcs = ["gvisordetect.go"],
+    visibility = ["//visibility:public"],
+)

pkg/gvisordetect/gvisordetect.go

@@ -0,0 +1,40 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package gvisordetect implements a library that callers may use to detect
+// whether they are running on a gVisor kernel, assuming it is configured
+// to expose the gVisor marker file.
+package gvisordetect
+
+import (
+	"errors"
+	"fmt"
+	"os"
+)
+
+// RunningInGVisor checks if the caller is running against a gVisor kernel.
+// This is only accurate if the gVisor kernel is configured to expose
+// its marker file.
+func RunningInGVisor() (bool, error) {
+	const markerFilePath = "/proc/gvisor/kernel_is_gvisor"
+
+	_, err := os.Stat(markerFilePath)
+	if err == nil {
+		return true, nil
+	}
+	if errors.Is(err, os.ErrNotExist) {
+		return false, nil
+	}
+	return false, fmt.Errorf("cannot detect whether running in gVisor: %w", err)
+}

pkg/sentry/fsimpl/proc/filesystem.go

@@ -159,6 +159,12 @@ func (fs *filesystem) newStaticDir(ctx context.Context, creds *auth.Credentials,
 // +stateify savable
 type InternalData struct {
 	ExtraInternalData
+
+	// GVisorMarkerFile indicates whether a file named gvisor/kernel_is_gvisor
+	// should exist in the procfs.
+	GVisorMarkerFile bool
+
+	// Cgroups-internal data.
 	Cgroups map[string]string
 }
 

pkg/sentry/fsimpl/proc/proc_impl.go

@@ -29,5 +29,10 @@ import (
 // +stateify savable
 type ExtraInternalData struct{}
 
-func (fs *filesystem) newTasksInodeExtra(context.Context, *auth.Credentials, *InternalData, *kernel.Kernel, map[string]kernfs.Inode) {
+func (fs *filesystem) newTasksInodeExtra(ctx context.Context, root *auth.Credentials, internalData *InternalData, _ *kernel.Kernel, nodes map[string]kernfs.Inode) {
+	if internalData.GVisorMarkerFile {
+		nodes["gvisor"] = fs.newStaticDir(ctx, root, map[string]kernfs.Inode{
+			"kernel_is_gvisor": newStaticFile("gvisor\n"),
+		})
+	}
 }

runsc/boot/restore_impl.go

@@ -21,6 +21,7 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"gvisor.dev/gvisor/pkg/sentry/control"
 	"gvisor.dev/gvisor/pkg/sentry/fsimpl/proc"
+	"gvisor.dev/gvisor/runsc/config"
 )
 
 func preSaveImpl(*Loader, *control.SaveOpts) error {
@@ -37,8 +38,10 @@ func postResumeImpl(*Loader) error {
 	return nil
 }
 
-func newProcInternalData(*specs.Spec) *proc.InternalData {
-	return &proc.InternalData{}
+func newProcInternalData(conf *config.Config, _ *specs.Spec) *proc.InternalData {
+	return &proc.InternalData{
+		GVisorMarkerFile: conf.GVisorMarkerFile,
+	}
 }
 
 func (l *Loader) kernelInitExtra() {}

runsc/boot/vfs.go

@@ -872,7 +872,7 @@ func getMountNameAndOptions(spec *specs.Spec, conf *config.Config, m *mountInfo,
 		fsName = sys.Name
 
 	case proc.Name:
-		internalData = newProcInternalData(spec)
+		internalData = newProcInternalData(conf, spec)
 
 	case sys.Name:
 		sysData := &sys.InternalData{EnableTPUProxyPaths: specutils.TPUProxyIsEnabled(spec, conf)}

runsc/config/config.go

@@ -388,6 +388,9 @@ type Config struct {
 	// RestoreSpecValidation indicates the level of spec validation to be
 	// performed during restore.
 	RestoreSpecValidation RestoreSpecValidationPolicy `flag:"restore-spec-validation"`
+
+	// GVisorMarkerFile enables the /proc/gvisor/kernel_is_gvisor marker file.
+	GVisorMarkerFile bool `flag:"gvisor-marker-file"`
 }
 
 func (c *Config) validate() error {

runsc/config/flags.go

@@ -119,6 +119,7 @@ func RegisterFlags(flagSet *flag.FlagSet) {
 	flagSet.Bool("fsgofer-host-uds", false, "DEPRECATED: use host-uds=all")
 	flagSet.Var(hostUDSPtr(HostUDSNone), flagHostUDS, "controls permission to access host Unix-domain sockets. Values: none|open|create|all, default: none")
 	flagSet.Var(hostFifoPtr(HostFifoNone), "host-fifo", "controls permission to access host FIFOs (or named pipes). Values: none|open, default: none")
+	flagSet.Bool("gvisor-marker-file", false, "enable the presence of the /proc/gvisor/kernel_is_gvisor file that can be used by applications to detect that gVisor is in use")
 
 	flagSet.Bool("vfs2", true, "DEPRECATED: this flag has no effect.")
 	flagSet.Bool("fuse", true, "DEPRECATED: this flag has no effect.")

runsc/container/container_test.go

@@ -4093,6 +4093,26 @@ func TestCheckpointResume(t *testing.T) {
 	}
 }
 
+func TestMarkerFile(t *testing.T) {
+	app, err := testutil.FindFile("test/cmd/test_app/test_app")
+	if err != nil {
+		t.Fatal("error finding test_app:", err)
+	}
+	conf := testutil.TestConfig(t)
+
+	conf.GVisorMarkerFile = false
+	spec := testutil.NewSpecWithArgs(app, "gvisor-detect", "--exit-code-on-gvisor=1", "--exit-code-on-not-gvisor=0")
+	if err := run(spec, conf); err != nil {
+		t.Fatalf("unexpectedly detected gVisor when we expected to not be able to do so: %v", err)
+	}
+
+	conf.GVisorMarkerFile = true
+	spec = testutil.NewSpecWithArgs(app, "gvisor-detect", "--exit-code-on-gvisor=0", "--exit-code-on-not-gvisor=1")
+	if err := run(spec, conf); err != nil {
+		t.Fatalf("failed to detect gVisor when we expected to be able to do so: %v", err)
+	}
+}
+
 func TestIPv6DisableAllSysctl(t *testing.T) {
 	tests := []struct {
 		name         string

test/cmd/test_app/BUILD

@@ -19,6 +19,7 @@ go_binary(
         "//test/syscalls/linux:__pkg__",
     ],
     deps = [
+        "//pkg/gvisordetect",
         "//pkg/rand",
         "//pkg/test/testutil",
         "//pkg/unet",

test/cmd/test_app/main.go

@@ -34,6 +34,7 @@ import (
 
 	"github.com/google/subcommands"
 	"github.com/kr/pty"
+	"gvisor.dev/gvisor/pkg/gvisordetect"
 	gvisorrand "gvisor.dev/gvisor/pkg/rand"
 	"gvisor.dev/gvisor/pkg/test/testutil"
 	"gvisor.dev/gvisor/runsc/flag"
@@ -47,6 +48,7 @@ func main() {
 	subcommands.Register(new(fdSender), "")
 	subcommands.Register(new(forkBomb), "")
 	subcommands.Register(new(fsTreeCreator), "")
+	subcommands.Register(new(gvisorDetect), "")
 	subcommands.Register(new(ptyRunner), "")
 	subcommands.Register(new(reaper), "")
 	subcommands.Register(new(syscall), "")
@@ -275,6 +277,47 @@ func (c *taskTree) Execute(ctx context.Context, f *flag.FlagSet, args ...any) su
 	return subcommands.ExitSuccess
 }
 
+type gvisorDetect struct {
+	exitCodeOnGVisor    int
+	exitCodeOnNotGVisor int
+}
+
+// Name implements subcommands.Command.Name.
+func (*gvisorDetect) Name() string {
+	return "gvisor-detect"
+}
+
+// Synopsis implements subcommands.Command.Synopsys.
+func (*gvisorDetect) Synopsis() string {
+	return "checks if the process is running inside gVisor by checking for the marker file"
+}
+
+// Usage implements subcommands.Command.Usage.
+func (*gvisorDetect) Usage() string {
+	return "gvisor-detect [flags]"
+}
+
+// SetFlags implements subcommands.Command.SetFlags.
+func (c *gvisorDetect) SetFlags(f *flag.FlagSet) {
+	f.IntVar(&c.exitCodeOnGVisor, "exit-code-on-gvisor", 0, "exit code to return if running in gVisor")
+	f.IntVar(&c.exitCodeOnNotGVisor, "exit-code-on-not-gvisor", 42, "exit code to return if not running in gVisor")
+}
+
+// Execute implements subcommands.Command.Execute.
+func (c *gvisorDetect) Execute(ctx context.Context, f *flag.FlagSet, args ...any) subcommands.ExitStatus {
+	isGVisor, err := gvisordetect.RunningInGVisor()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error checking whether we are running in gVisor: %v\n", err)
+		return subcommands.ExitFailure
+	}
+	if isGVisor {
+		fmt.Println("running with gVisor kernel")
+		return subcommands.ExitStatus(c.exitCodeOnGVisor)
+	}
+	fmt.Println("running with non-gVisor kernel")
+	return subcommands.ExitStatus(c.exitCodeOnNotGVisor)
+}
+
 type forkBomb struct {
 	delay time.Duration
 }