authorDmitry Vyukov <dvyukov@google.com>2018-08-08 11:16:54 +0200
committerDmitry Vyukov <dvyukov@google.com>2018-08-08 11:16:54 +0200
commitddeb9f8d8828ea4f297656445164e17a9f4c2591 (patch)
tree7cf3dd75e03f4ddd9177aa0ffa53f1c293c063d3
parent14f8a76fe729bddfcc96913fa4f7821f163144ac (diff)
executor: don't checkpoint/reset net namespace with setuid sandbox
After setuid the process no longer has the rights to reset the net namespace, but it also should not be able to change it during fuzzing, so the checkpoint/reset step can simply be skipped.
-rw-r--r--executor/common_linux.h9
-rw-r--r--pkg/csource/generated.go8
2 files changed, 17 insertions, 0 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 9ab092efc..aab854d1c 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1349,6 +1349,10 @@ static void reset_ebtables()
static void checkpoint_net_namespace(void)
{
+#if SYZ_EXECUTOR
+ if (flag_sandbox == sandbox_setuid)
+ return;
+#endif
checkpoint_ebtables();
checkpoint_arptables();
checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
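Review bot: The new early return at the top of checkpoint_net_namespace carries no comment, so the reason for it lives only in the commit message and is invisible to the next reader of common_linux.h; I would state it inline: `// The setuid sandbox drops the privileges needed to reset the netfilter tables, and an unprivileged fuzzer cannot modify them either, so there is nothing to checkpoint.` The skip is only sound as long as that second premise holds, i.e. nothing in the setuid sandbox hands CAP_NET_ADMIN back to the fuzzing process, which this hunk cannot show. The body of checkpoint_net_namespace continues past the end of the hunk.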
@@ -1357,6 +1361,10 @@ static void checkpoint_net_namespace(void)
static void reset_net_namespace(void)
{
+#if SYZ_EXECUTOR
+ if (flag_sandbox == sandbox_setuid)
+ return;
+#endif
reset_ebtables();
reset_arptables();
reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
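Review bot: The guard in reset_net_namespace exists only under SYZ_EXECUTOR, so a csource reproducer generated for the setuid sandbox still calls reset_ebtables/reset_arptables/reset_iptables after privileges are dropped; whether those calls fail loudly or are silently ignored is not visible here, but the executor and the reproducer now behave differently for the same sandbox. If csource exposes the selected sandbox as a compile-time define, the same skip should be applied under it in an `#else` branch so both paths agree; if keeping the reset in reproducers is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The function body continues outside the hunk.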
@@ -1923,6 +1931,7 @@ static void kill_and_wait(int pid, int* status)
#define SYZ_HAVE_SETUP_LOOP 1
static void setup_loop()
{
+// TODO(dvyukov): this needs SYZ_EXECUTOR and a test.
#if SYZ_ENABLE_CGROUPS
int pid = getpid();
char cgroupdir[64];
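Review bot: The TODO added at the top of setup_loop does not say which code needs the SYZ_EXECUTOR guard or what the test should exercise, so it is hard to act on later; presumably it refers to the cgroup setup that follows, which by the look of the `#if SYZ_ENABLE_CGROUPS` block is also emitted into csource output. I would make it concrete, e.g. `// TODO(dvyukov): the cgroup setup below should be limited to SYZ_EXECUTOR and needs a csource test.` The comment is also the only non-preprocessor line inside the function body that sits at column 0, which makes it read as if it were outside the function. setup_loop's body continues past the end of the hunk.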
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index ee719dc65..f25ee1998 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -2862,6 +2862,10 @@ static void reset_ebtables()
static void checkpoint_net_namespace(void)
{
+#if SYZ_EXECUTOR
+ if (flag_sandbox == sandbox_setuid)
+ return;
+#endif
checkpoint_ebtables();
checkpoint_arptables();
checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
@@ -2870,6 +2874,10 @@ static void checkpoint_net_namespace(void)
static void reset_net_namespace(void)
{
+#if SYZ_EXECUTOR
+ if (flag_sandbox == sandbox_setuid)
+ return;
+#endif
reset_ebtables();
reset_arptables();
reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);