authorAleksandr Nogikh <nogikh@google.com>2021-10-26 15:15:11 +0000
committerDmitry Vyukov <dvyukov@google.com>2021-10-29 10:10:32 +0200
commitc40503e1fa86f3027e003118aaf91646a82f2b5d (patch)
treeda694c2add8430574310be74ea8566d11990f50a /executor/common_linux.h
parent2353a3ec6e28d26c020ea7176d16d8fafb772e24 (diff)
all: add binderfs fuzzing support
Create one instance of binderfs per process and add descriptions to enable syzkaller to create binderfs mounts and binder devices itself. Keep descriptions compatible with the legacy mode (when devices are created at boot time).
Diffstat (limited to 'executor/common_linux.h')
-rw-r--r--executor/common_linux.h38
1 files changed, 38 insertions, 0 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index b4303de1e..6875c88a0 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3630,6 +3630,8 @@ static void initialize_cgroups()
#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID
#include <errno.h>
#include <sys/mount.h>
+#include <sys/stat.h>
+#include <unistd.h>
static void setup_common()
{
@@ -3638,6 +3640,31 @@ static void setup_common()
}
}
+static void setup_binderfs()
+{
+ // NOTE: this function must be called after chroot.
+ // Bind an instance of binderfs specific just to this executor - it will
+ // only be visible in its mount namespace and will help isolate binder
+ // devices during fuzzing.
+ // These commands will just silently fail if binderfs is not supported.
+ // Ideally it should have been added as a separate feature (with lots of
+ // minor changes throughout the code base), but it seems to be an overkill
+ // for just 2 simple lines of code.
+ if (mkdir("/dev/binderfs", 0777)) {
+ debug("mkdir(/dev/binderfs) failed: %d\n", errno);
+ }
+
+ if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
+ debug("mount of binder at /dev/binderfs failed: %d\n", errno);
+ }
+#if !SYZ_EXECUTOR && !SYZ_USE_TMP_DIR
+ // Do a local symlink right away.
+ if (symlink("/dev/binderfs", "./binderfs")) {
+ debug("symlink(/dev/binderfs, ./binderfs) failed: %d\n", errno);
+ }
+#endif
+}
+
#include <sched.h>
#include <sys/prctl.h>
#include <sys/resource.h>
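Review bot: setup_binderfs() treats every failure as non-fatal, so when `mount("binder", "/dev/binderfs", "binder", 0, NULL)` fails the `./binderfs` symlink is still created. It then resolves to whatever already sits at /dev/binderfs, which may not be the per-executor instance the comment describes; skipping the symlink after a failed mount would make the lost isolation visible. An already-existing directory is the expected case on repeated runs, so `if (mkdir("/dev/binderfs", 0777) && errno != EEXIST)` would keep the debug output for real errors only. The 0777 mode on the mount point also looks wider than needed; `0755` is presumably enough, since the binderfs root takes over once mounted, but confirm this against the setuid sandbox, which later runs as nobody.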
@@ -3809,6 +3836,7 @@ static int do_sandbox_none(void)
#if SYZ_EXECUTOR || SYZ_WIFI
initialize_wifi_devices();
#endif
+ setup_binderfs();
loop();
doexit(1);
}
@@ -3852,6 +3880,7 @@ static int do_sandbox_setuid(void)
#if SYZ_EXECUTOR || SYZ_WIFI
initialize_wifi_devices();
#endif
+ setup_binderfs();
const int nobody = 65534;
if (setgroups(0, NULL))
@@ -3967,6 +3996,7 @@ static int namespace_sandbox_proc(void* arg)
fail("chroot failed");
if (chdir("/"))
fail("chdir failed");
+ setup_binderfs();
drop_caps();
loop();
@@ -4147,6 +4177,7 @@ static int do_sandbox_android(void)
setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
+ setup_binderfs();
loop();
doexit(1);
}
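Review bot: In do_sandbox_android() the call to setup_binderfs() comes after `setcon(SELINUX_CONTEXT_UNTRUSTED_APP)`, so the mkdir and mount run in the untrusted-app context, whereas the setuid and namespace sandboxes call it before dropping groups or capabilities. If SELinux policy, or a uid/capability drop above this hunk that is not visible here, denies mount to that context, the mount fails and only a debug() line records it, leaving this sandbox without its own binderfs instance. Consider moving the call ahead of the privilege and context changes and adding a comment such as `// Must run before dropping privileges: mount() needs CAP_SYS_ADMIN.` The function body starts outside the hunk.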
@@ -4430,6 +4461,7 @@ static void reset_loop()
#if SYZ_EXECUTOR || SYZ_REPEAT
#include <sys/prctl.h>
+#include <unistd.h>
#define SYZ_HAVE_SETUP_TEST 1
static void setup_test()
@@ -4446,6 +4478,12 @@ static void setup_test()
// isolate consequently executing programs.
flush_tun();
#endif
+#if SYZ_EXECUTOR || SYZ_USE_TMP_DIR
+ // Add a binderfs symlink to the tmp folder.
+ if (symlink("/dev/binderfs", "./binderfs")) {
+ debug("symlink(/dev/binderfs, ./binderfs) failed: %d", errno);
+ }
+#endif
}
#endif
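Review bot: The debug() format string in the symlink block added to setup_test() has no trailing newline, unlike the three messages in setup_binderfs(); use `debug("symlink(/dev/binderfs, ./binderfs) failed: %d\n", errno);`. The same symlink call is duplicated under the complementary `#if` in setup_binderfs(), so a small shared static helper would keep the two copies from drifting. setup_test() begins outside the hunk.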