diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2022-06-20 10:08:26 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2022-06-20 13:24:54 +0200 |
| commit | 6247d1c3f73bab8fccd7b0d608d1a0aaf07fecdb (patch) | |
| tree | 95aeda791ee771511358831e9a5d49e8f375f67b /pkg/csource/generated.go | |
| parent | 8f633d840e3eb6454f036e9da3285bcf27345616 (diff) | |
executor: fix enabling of ICMP/ping sockets
net/ipv4/ping_group_range sysctl grants access to ICMP sockets
to the specified user groups. But it needs to be set inside
of the net namespace (it's per-namespace).
We were setting it but in the init namespace only (which we don't use).
Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
Note: don't set it for setuid sandbox since it's "low privilege".
Diffstat (limited to 'pkg/csource/generated.go')
| -rw-r--r-- | pkg/csource/generated.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go index bfd60f23e..e78362b29 100644 --- a/pkg/csource/generated.go +++ b/pkg/csource/generated.go @@ -8439,6 +8439,7 @@ static int do_sandbox_none(void) if (unshare(CLONE_NEWNET)) { debug("unshare(CLONE_NEWNET): %d\n", errno); } + write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); #if SYZ_EXECUTOR || SYZ_DEVLINK_PCI initialize_devlink_pci(); #endif @@ -8535,6 +8536,7 @@ static int namespace_sandbox_proc(void* arg) #endif if (unshare(CLONE_NEWNET)) fail("unshare(CLONE_NEWNET)"); + write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); #if SYZ_EXECUTOR || SYZ_DEVLINK_PCI initialize_devlink_pci(); #endif @@ -9834,7 +9836,6 @@ static void setup_sysctl() {"/proc/sys/vm/oom_dump_tasks", "0"}, {"/proc/sys/debug/exception-trace", "0"}, {"/proc/sys/kernel/printk", "7 4 1 3"}, - {"/proc/sys/net/ipv4/ping_group_range", "0 65535"}, {"/proc/sys/kernel/keys/gc_delay", "1"}, {"/proc/sys/vm/oom_kill_allocating_task", "1"}, {"/proc/sys/kernel/ctrl-alt-del", "0"}, |