| author | Nick Biryulin <keddad@yandex.ru> | 2025-01-22 22:23:44 +0300 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2025-01-28 08:59:12 +0000 |
| commit | 856815515a7a8d05b7ee511c95ca189e41927b4d (patch) | |
| tree | 1d90cd446655d09b57503dbfab2a65a497a7e746 /executor | |
| parent | 6eda6257f041f6f67b981d81f9ebb4ff8f3b9318 (diff) | |
executor: mount /syz-inputs dir to fuzzing sandbox
Syzkaller allows user to specify filepath arguments in syscalls via globs.
However, on Linux, you are effectively limited to some /sys and /dev paths due to sandboxing.
With this change, user can supply their custom fuzzing artifacts to /syz-inputs to use those in globs.
They are mounted read-only to increase reproducibility.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_linux.h | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 635fc25ad..3cf9b87af 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3953,6 +3953,16 @@ static void sandbox_common_mount_tmpfs(void)
 fail("mount(smackfs) failed");
 if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
 fail("mount(binfmt_misc) failed");
+
+ // If user wants to supply custom inputs, those can be placed to /syz-inputs
+ // That folder will be mounted to fuzzer sandbox
+ // https://groups.google.com/g/syzkaller/c/U-DISFjKLzg
+ if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
+ fail("mkdir(/syz-inputs) failed");
+
+ if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
+ fail("mount(syz-inputs) failed");
+
 #if SYZ_EXECUTOR || SYZ_CGROUPS
 initialize_cgroups();
 #endif |
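Review bot: The `MS_RDONLY` in `bind_mount_flags | MS_RDONLY` most likely has no effect. Per mount(2), flags other than `MS_REC` are ignored when a bind mount is created, so (assuming `bind_mount_flags`, defined outside this hunk, includes `MS_BIND`) `/syz-inputs` stays writable from inside the sandbox whenever the source mount is writable. That contradicts the read-only guarantee in the commit message and lets fuzzed programs modify the host-side inputs, which hurts both isolation and reproducibility. Making it read-only takes a second `mount()` with `MS_REMOUNT | MS_BIND | MS_RDONLY` after the bind succeeds, skipped when the bind returned ENOENT. If the bind is recursive the remount covers only the top mount, and in a user namespace it presumably has to carry over any locked flags such as nosuid/nodev. sandbox_common_mount_tmpfs starts and ends outside the hunk.

```c
// … unchanged: mkdir("./syz-tmp/newroot/syz-inputs", 0700) and its fail() …
if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags, NULL)) {
	// A missing /syz-inputs on the host is fine: the feature is optional.
	if (errno != ENOENT)
		fail("mount(syz-inputs) failed");
} else if (mount(NULL, "./syz-tmp/newroot/syz-inputs", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL)) {
	// The read-only bit only takes effect on a remount of the existing bind mount.
	fail("remount(syz-inputs, ro) failed");
}
```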
