| author | Dmitry Vyukov <dvyukov@google.com> | 2017-05-23 13:49:16 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2017-05-23 13:49:16 +0200 |
| commit | 6117e48187f8d8719376dee3e863fa701fd4d784 (patch) | |
| tree | 82b10be9dceb52e24328d9479309f2f140b1b923 /executor | |
| parent | 288d7fe009f0f12c71d7463ef060c85d81c67042 (diff) | |
executor: mount /proc in namespace
/proc is useful for fault injection
and there is probably some interesting
stuff to fuzz as well.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common.h | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/executor/common.h b/executor/common.h
index eb56c8ec1..c264d7b70 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -559,6 +559,11 @@ static int do_sandbox_setuid(int executor_pid, bool enable_tun)
 if (syscall(SYS_setresuid, nobody, nobody, nobody))
 fail("failed to setresuid");
+ // This is required to open /proc/self/* files.
+ // Otherwise they are owned by root and we can't open them after setuid.
+ // See task_dump_owner function in kernel.
+ prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
+
 loop();
 doexit(1);
 }
@@ -619,6 +624,10 @@ static int namespace_sandbox_proc(void* arg)
 fail("mkdir failed");
 if (mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND | MS_REC | MS_PRIVATE, NULL))
 fail("mount(dev) failed");
+ if (mkdir("./syz-tmp/newroot/proc", 0700))
+ fail("mkdir failed");
+ if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL))
+ fail("mount(proc) failed");
 if (mkdir("./syz-tmp/pivot", 0777))
 fail("mkdir failed");
 if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { |
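Review bot: The `prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)` call added after `setresuid` in do_sandbox_setuid ignores its return value, while the neighbouring `setresuid` call in the same hunk goes through `fail()`. If the call fails, the process stays non-dumpable and later opens of /proc/self/* fail with nothing pointing at the cause; I would write `if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) fail("prctl(PR_SET_DUMPABLE) failed");`. The comment should also record the trade-off: a dumpable process can again produce core dumps and, subject to the system's ptrace policy, be attached to by other processes running as the same uid. That is presumably acceptable inside a fuzzing sandbox, but it deliberately relaxes the privilege drop done just above. The function body starts outside the hunk.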
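Review bot: The new `mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL)` in namespace_sandbox_proc passes no mount flags, so this procfs instance lacks the usual `MS_NOSUID | MS_NODEV | MS_NOEXEC` hardening. Those flags should not hide any /proc file from the fuzzer, so `mount(NULL, "./syz-tmp/newroot/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL)` looks like a free tightening. Which processes this /proc exposes depends on the caller's PID namespace, and the namespace setup is outside the hunk, so a one-line comment stating that expectation would help. The added `fail("mkdir failed")` repeats the message of the neighbouring mkdir calls; `fail("mkdir(proc) failed")` would let a failure report point at the right call. The function starts and ends outside the hunk.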
