author: Dmitry Vyukov <dvyukov@google.com> 2016-07-01 22:20:47 +0200
committer: Dmitry Vyukov <dvyukov@google.com> 2016-07-01 22:26:33 +0200
commit: 4782c2b8e6d9cf4c75612c444760060d0a103da3 (patch)
tree: 36b9bed2d0cc53e6a08508563c16f014c803a6aa /README.md
parent: e4f88bd25b5d83b4b25ee63135b9618b238be837 (diff)
executor: revive setuid sandbox
The new namespace-based sandboxing is good, but it's not always what one wants (and also requires special kernel configs). Change dropprivs config value to sandbox, which can have different values (currently: none, setuid, namespace). Setuid mode uses setuid(nobody) before fuzzing as before. In future we can add more sandboxing modes or, say, extend -sandbox=setuid to -sandbox=setuid:johndoe to impersonate into given user.
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 9
1 files changed, 6 insertions, 3 deletions
diff --git a/README.md b/README.md
index 7f6dd03d9..976345adb 100644
--- a/README.md
+++ b/README.md
@@ -97,9 +97,12 @@ following keys in its top-level object:
the virtual machine.
- `cpu`: Number of CPUs to simulate in the VM (*not currently used*).
- `mem`: Amount of memory (in MiB) for the VM; this is passed as the `-m` option to `qemu-system-x86_64`.
- - `dropprivs` : Whether the executor program should try to use namespaces to drop privileges
- before executing (requires a kernel built with `CONFIG_NAMESPACES`, `CONFIG_UTS_NS`,
- `CONFIG_USER_NS`, `CONFIG_PID_NS` and `CONFIG_NET_NS`).
+ - `sandbox` : Sandboxing mode, one of "none", "setuid", "namespace".
+ "none": don't do anything special (has false positives, e.g. due to killing init)
+ "setuid": impersonate into user nobody (65534), default
+ "namespace": use namespaces to drop privileges,
+ (requires a kernel built with `CONFIG_NAMESPACES`, `CONFIG_UTS_NS`,
+ `CONFIG_USER_NS`, `CONFIG_PID_NS` and `CONFIG_NET_NS`).
- `enable_syscalls`: List of syscalls to test (optional).
- `disable_syscalls`: List of system calls that should be treated as disabled (optional).
- `suppressions`: List of regexps for known bugs.
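Review bot: the three mode descriptions added under `sandbox` (the "none", "setuid" and "namespace" lines) are indented continuation lines rather than list items, so Markdown will lazily join them into one paragraph with the parent bullet and the reader sees a single run-on sentence instead of three distinct options. Suggest making them a nested list, e.g. `  - "none": don't do anything special (has false positives, e.g. due to killing init)`, `  - "setuid": impersonate into user nobody (65534), default`, `  - "namespace": use namespaces to drop privileges (requires a kernel built with ...)`. While there, drop the stray comma after "drop privileges," on the "namespace" line, since the parenthetical that follows continues the same sentence, and consider stating explicitly that "setuid" is the value used when the key is omitted, since "default" at the end of the line is easy to miss.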