| author | Zach Riggle <zachriggle@users.noreply.github.com> | 2018-09-17 04:33:11 -0500 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-09-17 11:33:11 +0200 |
| commit | 0eca949a6c271b879d582e01c3d1d79dc704172c (patch) | |
| tree | ff6c780fbf4993aaa11036de414a74c28ac0fb5d /pkg/ipc | |
| parent | fd85ed48854729938fad986fc81e1c57a667fb36 (diff) | |
RFC: android: Add support for untrusted_app sandboxing (#697)
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
Diffstat (limited to 'pkg/ipc')
| -rw-r--r-- | pkg/ipc/ipc.go | 18 | ||||
| -rw-r--r-- | pkg/ipc/ipcconfig/ipcconfig.go | 6 |
2 files changed, 14 insertions, 10 deletions
diff --git a/pkg/ipc/ipc.go b/pkg/ipc/ipc.go
index 4752dc75c..d01761630 100644
--- a/pkg/ipc/ipc.go
+++ b/pkg/ipc/ipc.go
@@ -22,14 +22,16 @@ import (
 // Configuration flags for Config.Flags.
 type EnvFlags uint64
 
+// Note: New / changed flags should be added to parse_env_flags in executor.cc
 const (
- FlagDebug EnvFlags = 1 << iota // debug output from executor
- FlagSignal // collect feedback signals (coverage)
- FlagSandboxSetuid // impersonate nobody user
- FlagSandboxNamespace // use namespaces for sandboxing
- FlagEnableTun // initialize and use tun in executor
- FlagEnableNetDev // setup a bunch of various network devices for testing
- FlagEnableFault // enable fault injection support
+ FlagDebug EnvFlags = 1 << iota // debug output from executor
+ FlagSignal // collect feedback signals (coverage)
+ FlagSandboxSetuid // impersonate nobody user
+ FlagSandboxNamespace // use namespaces for sandboxing
+ FlagSandboxAndroidUntrustedApp // use Android sandboxing for the untrusted_app domain
+ FlagEnableTun // initialize and use tun in executor
+ FlagEnableNetDev // setup a bunch of various network devices for testing
+ FlagEnableFault // enable fault injection support
 // Executor does not know about these:
 FlagUseShmem // use shared memory instead of pipes for communication
 FlagUseForkServer // use extended protocol with handshake
@@ -480,7 +482,7 @@ func makeCommand(pid int, bin []string, config *Config, inFile, outFile *os.File
 }
 }()
 
- if config.Flags&(FlagSandboxSetuid|FlagSandboxNamespace) != 0 {
+ if config.Flags&(FlagSandboxSetuid|FlagSandboxNamespace|FlagSandboxAndroidUntrustedApp) != 0 {
 if err := os.Chmod(dir, 0777); err != nil {
 return nil, fmt.Errorf("failed to chmod temp dir: %v", err)
 }
diff --git a/pkg/ipc/ipcconfig/ipcconfig.go b/pkg/ipc/ipcconfig/ipcconfig.go
index 7c74ea94d..021978274 100644
--- a/pkg/ipc/ipcconfig/ipcconfig.go
+++ b/pkg/ipc/ipcconfig/ipcconfig.go
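Review bot: Inserting FlagSandboxAndroidUntrustedApp in the middle of the iota run silently renumbers FlagEnableTun, FlagEnableNetDev and FlagEnableFault (each moves up one bit), and the comment added above the block says these values are parsed by parse_env_flags in executor.cc, so if manager and executor are ever built from different revisions the old side would read the new "sandbox" bit as "enable tun". Appending the new flag after FlagEnableFault (still before the "Executor does not know about these" marker) keeps the existing bit assignments stable; alternatively spell the value out, `FlagSandboxAndroidUntrustedApp EnvFlags = 1 << 7`, so a reorder cannot shift it. Either way the note should say why it matters: `// Note: these values are an ABI shared with parse_env_flags in executor.cc; append new flags, never insert.` The const block continues past the end of the hunk.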
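Review bot: The new sandbox inherits the `os.Chmod(dir, 0777)` that the widened condition now also covers, which makes the executor's temp dir writable by every user on the device rather than only the app UID the commit message says the executor switches to. Since that UID is chosen inside the executor, the manager side presumably cannot chown to it here without more plumbing, but the reason for the world-writable mode is worth recording next to the condition: `// 0777: the sandboxed executor drops to another UID (nobody, a user namespace, or an Android app UID) and must still be able to write here.` If the target UID ever becomes known to makeCommand, chown plus 0700 would be the tighter fix. makeCommand begins before this hunk and continues after it.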
@@ -17,7 +17,7 @@ var (
 flagThreaded = flag.Bool("threaded", true, "use threaded mode in executor")
 flagCollide = flag.Bool("collide", true, "collide syscalls to provoke data races")
 flagSignal = flag.Bool("cover", false, "collect feedback signals (coverage)")
- flagSandbox = flag.String("sandbox", "none", "sandbox for fuzzing (none/setuid/namespace)")
+ flagSandbox = flag.String("sandbox", "none", "sandbox for fuzzing (none/setuid/namespace/android_untrusted_app)")
 flagDebug = flag.Bool("debug", false, "debug output from executor")
 flagTimeout = flag.Duration("timeout", 0, "execution timeout")
 )
@@ -39,8 +39,10 @@ func Default(target *prog.Target) (*ipc.Config, *ipc.ExecOpts, error) {
 c.Flags |= ipc.FlagSandboxSetuid
 case "namespace":
 c.Flags |= ipc.FlagSandboxNamespace
+ case "android_untrusted_app":
+ c.Flags |= ipc.FlagSandboxAndroidUntrustedApp
 default:
- return nil, nil, fmt.Errorf("flag sandbox must contain one of none/setuid/namespace")
+ return nil, nil, fmt.Errorf("flag sandbox must contain one of none/setuid/namespace/android_untrusted_app")
 }
 
 sysTarget := targets.Get(target.OS, target.Arch) |
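Review bot: The default branch reports the accepted list but not the value it rejected, so a near miss such as `android_untrusted-app` is hard to spot from the error alone; echoing it, `return nil, nil, fmt.Errorf("flag sandbox must be one of none/setuid/namespace/android_untrusted_app, got %q", *flagSandbox)`, also fixes the wording ("must contain" reads like a substring check, but the switch matches whole values). The switch expression itself sits above the hunk, so the variable name is inferred from the flag declared in the previous hunk. The list of names now lives in the help string, the error text and the case labels; a small slice of valid sandbox names that both strings are built from would keep them from drifting the next time a sandbox is added. Default starts before this hunk and continues past it.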
