authorDmitry Vyukov <dvyukov@google.com>2020-10-25 11:48:15 +0100
committerDmitry Vyukov <dvyukov@google.com>2020-10-28 17:32:15 +0100
commitb17b4f5d0ddc4b052d56ddce25188723812d93cc (patch)
tree152df891eb69ff343607b764edfd1111f2c2ef1e
parent3f614d77cbc296d3bb98b633a7442d347fa8fd83 (diff)
executor: setup sysctl's in setup_machine
Currently we assume that sysctl's are set up as part of machine boot. This introduces a non-trivial dependency on image creation, and sysctl's are not captured as part of C reproducers and are not captured by the syzbot dashboard. This can make some reproducers fail on developer machines or on syzbot later when sysctl's change. Set up sysctl's in executor as part of machine setup. It makes it much more controllable and hermetic.
-rw-r--r--executor/executor_linux.h43
1 files changed, 35 insertions, 8 deletions
diff --git a/executor/executor_linux.h b/executor/executor_linux.h
index e4e3ab56b..48269fe83 100644
--- a/executor/executor_linux.h
+++ b/executor/executor_linux.h
@@ -248,14 +248,41 @@ static feature_t features[] = {
{"usb", setup_usb},
};
+// Note: this is not executed in C reproducers.
static void setup_machine()
{
- // nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
- // It happens a lot in qemu, and the messages are frequently corrupted
- // (intermixed with other kernel output as they are printed from NMI)
- // and are not matched against the suppression in pkg/report.
- // This write prevents these messages from being printed.
- // Note: this is not executed in C reproducers.
- if (!write_file("/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"))
- printf("write to /sys/kernel/debug/x86/nmi_longest_ns failed: %s\n", strerror(errno));
+ static struct {
+ const char* name;
+ const char* data;
+ } files[] = {
+ // nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
+ // It happens a lot in qemu, and the messages are frequently corrupted
+ // (intermixed with other kernel output as they are printed from NMI)
+ // and are not matched against the suppression in pkg/report.
+ // This write prevents these messages from being printed.
+ {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
+ // This is part of deterministic hang/stall detection.
+ // Don't change this without considering workqueue.watchdog_thresh,
+ // CONFIG_RCU_CPU_STALL_TIMEOUT and CONFIG_DEFAULT_HUNG_TASK_TIMEOUT.
+ {"/proc/sys/kernel/watchdog_thresh", "55"},
+ {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
+ // This gives more interesting coverage.
+ {"/proc/sys/net/core/bpf_jit_enable", "1"},
+ // bpf_jit_kallsyms and disabling bpf_jit_harden are required
+ // for unwinding through bpf functions.
+ {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
+ {"/proc/sys/net/core/bpf_jit_harden", "0"},
+ // This is to provide more useful info in crash reports.
+ {"/proc/sys/kernel/kptr_restrict", "0"},
+ {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
+ // This is to restrict effects of recursive exponential mounts, for details see
+ // "mnt: Add a per mount namespace limit on the number of mounts" commit.
+ {"/proc/sys/fs/mount-max", "100"},
+ // Dumping all tasks to console can take too long.
+ {"/proc/sys/vm/oom_dump_tasks", "0"},
+ };
+ for (size_t i = 0; i < ARRAY_SIZE(files); i++) {
+ if (!write_file(files[i].name, files[i].data))
+ printf("write to %s failed: %s\n", files[i].name, strerror(errno));
+ }
}
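Review bot: The entries for `/proc/sys/kernel/kptr_restrict` and `/proc/sys/net/core/bpf_jit_harden` switch off two kernel hardening controls for the whole machine, and the comments above them give only the crash-report and unwinding motive. Since these writes now happen whenever the executor performs machine setup rather than when the image is built, I would add a comment at the top of the table such as `// Several entries below relax kernel hardening (kptr_restrict, bpf_jit_harden); only run this on disposable test machines.` Separately, a failed write is only printed, so a kernel that lacks one of these files ends up with settings that differ from the intended set; if that best-effort behaviour is deliberate, a one-line comment on the loop saying so would help. The table is never modified in the visible code and could be declared `static const`.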