| author | Zach Riggle <riggle@google.com> | 2018-10-11 15:52:42 -0500 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-10-12 16:39:26 +0200 |
| commit | 751b7baf9499cf287eaaa58e0978e377fa651015 (patch) | |
| tree | e845de032c4a9a968581fb8f531f57baea55f35c | |
| parent | 6e32776909bd0bcf64993f17123d86dd269922d7 (diff) | |
Android: Fix sandbox implementation
My test harness for this code performed some steps that are not
performed when syz-executor is invoked directly.
Specifically, we need to operate from a directory under /data/data,
and have the correct UID/GID set as the owner of the directory.
My test harness now correctly sets these, all sandbox operations
succeed, and loop() is invoked.
| -rw-r--r-- | executor/common.h | 8 | ||||
| -rw-r--r-- | executor/common_linux.h | 5 | ||||
| -rw-r--r-- | pkg/csource/generated.go | 13 |
3 files changed, 20 insertions, 6 deletions
diff --git a/executor/common.h b/executor/common.h
index f5f124fef..79dc5940b 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -151,14 +151,18 @@ static uint64 current_time_ms(void)
 }
 #endif
-#if SYZ_EXECUTOR || SYZ_USE_TMP_DIR
+#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP || SYZ_USE_TMP_DIR
 #include <stdlib.h>
 #include <sys/stat.h>
 #include <unistd.h>
 static void use_temporary_dir(void)
 {
+#if SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
+ char tmpdir_template[] = "/data/data/syzkaller/syzkaller.XXXXXX";
+#else
 char tmpdir_template[] = "./syzkaller.XXXXXX";
+#endif
 char* tmpdir = mkdtemp(tmpdir_template);
 if (!tmpdir)
 fail("failed to mkdtemp");
@@ -665,7 +669,7 @@ int main(void)
 for (procid = 0; procid < [[PROCS]]; procid++) {
 if (fork() == 0) {
 #endif
-#if SYZ_USE_TMP_DIR
+#if SYZ_USE_TMP_DIR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
 use_temporary_dir();
 #endif
 [[SANDBOX_FUNC]]
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 09b92cfad..2e6b33bcb 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1867,7 +1867,7 @@ static void syz_setfilecon(const char* path, const char* context)
 if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0)
 fail("setfilecon: setxattr failed");
- if (syz_getfilecon(path, new_context, sizeof(new_context)) != 0)
+ if (syz_getfilecon(path, new_context, sizeof(new_context)) <= 0)
 fail("setfilecon: getfilecon failed");
 if (strcmp(context, new_context) != 0)
@@ -1880,6 +1880,9 @@ static int do_sandbox_android_untrusted_app(void)
 setup_common();
 sandbox_common();
+ if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
+ fail("chmod failed");
+
 if (setgroups(UNTRUSTED_APP_NUM_GROUPS, UNTRUSTED_APP_GROUPS) != 0)
 fail("setgroups failed");
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index f8a67d45d..f35fdf979 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
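Review bot: In executor/common.h, the Android branch of `use_temporary_dir()` hard-codes the parent `/data/data/syzkaller` without recording who must create it or what ownership it needs, and the unchanged `fail("failed to mkdtemp")` gives no hint that a missing or unwritable parent is the cause. A comment above the template would capture the precondition the commit message describes, e.g. `// Parent /data/data/syzkaller must already exist and be writable by the executor before the sandbox drops privileges.` The function body continues past the end of this hunk, so the mode applied to the new directory is not visible here; it is worth confirming that it is still appropriate now that the directory sits under /data/data rather than the caller's working directory.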
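Review bot: In executor/common_linux.h, `do_sandbox_android_untrusted_app()` reports a failed `chown()` as `fail("chmod failed")`, which will mislead anyone triaging a sandbox setup failure; the message should read `fail("chown failed");`. The same call passes `UNTRUSTED_APP_UID` as both owner and group, so if the file defines a separate group constant for the untrusted app (none is visible in this hunk) the third argument should use it rather than rely on the UID and GID being numerically equal. The call targets `"."`, which presumably depends on `use_temporary_dir()` having already changed into the per-run directory; a one-line comment stating that ordering would make the dependency explicit. The identical lines appear in the generated copy in pkg/csource/generated.go, and the function continues outside the hunk.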
@@ -136,14 +136,18 @@ static uint64 current_time_ms(void) } #endif -#if SYZ_EXECUTOR || SYZ_USE_TMP_DIR +#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP || SYZ_USE_TMP_DIR #include <stdlib.h> #include <sys/stat.h> #include <unistd.h> static void use_temporary_dir(void) { +#if SYZ_SANDBOX_ANDROID_UNTRUSTED_APP + char tmpdir_template[] = "/data/data/syzkaller/syzkaller.XXXXXX"; +#else char tmpdir_template[] = "./syzkaller.XXXXXX"; +#endif char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) fail("failed to mkdtemp"); @@ -3336,7 +3340,7 @@ static void syz_setfilecon(const char* path, const char* context) if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0) fail("setfilecon: setxattr failed"); - if (syz_getfilecon(path, new_context, sizeof(new_context)) != 0) + if (syz_getfilecon(path, new_context, sizeof(new_context)) <= 0) fail("setfilecon: getfilecon failed"); if (strcmp(context, new_context) != 0) @@ -3349,6 +3353,9 @@ static int do_sandbox_android_untrusted_app(void) setup_common(); sandbox_common(); + if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0) + fail("chmod failed"); + if (setgroups(UNTRUSTED_APP_NUM_GROUPS, UNTRUSTED_APP_GROUPS) != 0) fail("setgroups failed"); @@ -4147,7 +4154,7 @@ int main(void) for (procid = 0; procid < [[PROCS]]; procid++) { if (fork() == 0) { #endif -#if SYZ_USE_TMP_DIR +#if SYZ_USE_TMP_DIR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP use_temporary_dir(); #endif [[SANDBOX_FUNC]] |
