authorDmitry Vyukov <dvyukov@google.com>2018-09-17 11:39:04 +0200
committerDmitry Vyukov <dvyukov@google.com>2018-09-17 11:39:04 +0200
commit98f4a9612dd54429b3f92dccf631fdfa4f9018f3 (patch)
tree673d1b4845d7a6de5b0a20c30a28d76c32356018 /executor
parent0eca949a6c271b879d582e01c3d1d79dc704172c (diff)
executor: make sandboxes more modular
Currently we have a global fixed set of sandboxes, which makes it hard to add new OS-specific ones (all OSes need to be updated to say that they don't support this sandbox). Let each OS say what sandboxes it supports instead.
Diffstat (limited to 'executor')
-rw-r--r--executor/common_akaros.h6
-rw-r--r--executor/common_bsd.h6
-rw-r--r--executor/common_fuchsia.h6
-rw-r--r--executor/common_linux.h3
-rw-r--r--executor/common_test.h6
-rw-r--r--executor/common_windows.h6
-rw-r--r--executor/executor.cc6
7 files changed, 9 insertions, 30 deletions
diff --git a/executor/common_akaros.h b/executor/common_akaros.h
index 8d83749dc..ead67c36c 100644
--- a/executor/common_akaros.h
+++ b/executor/common_akaros.h
@@ -33,9 +33,3 @@ void child()
doexit(0);
}
#endif
-
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
diff --git a/executor/common_bsd.h b/executor/common_bsd.h
index 49c6b36de..63ae6c1d1 100644
--- a/executor/common_bsd.h
+++ b/executor/common_bsd.h
@@ -14,12 +14,6 @@ static int do_sandbox_none(void)
}
#endif
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
-
#if GOOS_openbsd
#define __syscall syscall
diff --git a/executor/common_fuchsia.h b/executor/common_fuchsia.h
index fb08aa2a0..d232f2a14 100644
--- a/executor/common_fuchsia.h
+++ b/executor/common_fuchsia.h
@@ -241,12 +241,6 @@ static int do_sandbox_none(void)
}
#endif
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
-
// Ugly way to work around gcc's "error: function called through a non-compatible type".
// The macro is used in generated C code.
#define CAST(f) ({void* p = (void*)f; p; })
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 5ae770800..02c1eb82e 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1561,6 +1561,7 @@ static int do_sandbox_none(void)
#include <sched.h>
#include <sys/prctl.h>
+#define SYZ_HAVE_SANDBOX_SETUID 1
static int do_sandbox_setuid(void)
{
if (unshare(CLONE_NEWPID)) {
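Review bot: `SYZ_HAVE_SANDBOX_SETUID` is defined without a comment, and nothing here tells a reader that executor.cc compiles its `case sandbox_setuid:` only when this macro is set; the same applies to `SYZ_HAVE_SANDBOX_NAMESPACE` and `SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP` in the two following hunks. A one-line comment above each define, such as `// Advertises do_sandbox_setuid() to executor.cc; without it that sandbox type is rejected.`, would keep the macro and the function together when the code is moved or copied to a new OS header. If these defines sit inside a conditional block (the surrounding `#if` lines are outside the hunk), the macro and the function should stay under the same condition so the `case` is never compiled without its implementation. The body of do_sandbox_setuid continues outside the hunk.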
@@ -1722,6 +1723,7 @@ static int namespace_sandbox_proc(void* arg)
doexit(1);
}
+#define SYZ_HAVE_SANDBOX_NAMESPACE 1
static int do_sandbox_namespace(void)
{
int pid;
@@ -1844,6 +1846,7 @@ static void syz_setfilecon(const char* path, const char* context)
fail("setfilecon: could not set context to %s, currently %s", context, new_context);
}
+#define SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP 1
static int do_sandbox_android_untrusted_app(void)
{
setup_common();
diff --git a/executor/common_test.h b/executor/common_test.h
index dc162a833..51b135377 100644
--- a/executor/common_test.h
+++ b/executor/common_test.h
@@ -56,9 +56,3 @@ static int do_sandbox_none(void)
doexit(0);
}
#endif
-
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
diff --git a/executor/common_windows.h b/executor/common_windows.h
index 2a89ea469..d6b786ac1 100644
--- a/executor/common_windows.h
+++ b/executor/common_windows.h
@@ -111,9 +111,3 @@ static int do_sandbox_none(void)
doexit(0);
}
#endif
-
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
diff --git a/executor/executor.cc b/executor/executor.cc
index 2244cc797..fca80e9be 100644
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -364,15 +364,21 @@ int main(int argc, char** argv)
case sandbox_none:
status = do_sandbox_none();
break;
+#if SYZ_HAVE_SANDBOX_SETUID
case sandbox_setuid:
status = do_sandbox_setuid();
break;
+#endif
+#if SYZ_HAVE_SANDBOX_NAMESPACE
case sandbox_namespace:
status = do_sandbox_namespace();
break;
+#endif
+#if SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP
case sandbox_android_untrusted_app:
status = do_sandbox_android_untrusted_app();
break;
+#endif
default:
fail("unknown sandbox type");
}
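Review bot: The `default:` branch now covers two different situations with one message: a sandbox value the executor does not know, and a known sandbox whose `case` was compiled out because the OS header did not define the matching `SYZ_HAVE_SANDBOX_*` macro. Aborting is the right fail-closed outcome (the removed per-OS stubs expanded to `0` instead of stopping), but `fail("unknown sandbox type")` will mislead someone whose configuration requests a sandbox that this OS does not implement. I would change the message to `fail("unknown or unsupported sandbox type")`, ideally also printing the requested value, and add a comment above `default:` such as `// Also reached for sandboxes this OS does not provide; do not fall back to running unsandboxed.` The switch statement and main() start and continue outside the hunk.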