pkg/kernel: sandbox make invocation

author: Dmitry Vyukov <dvyukov@google.com> 2017-11-16 13:16:30 +0100
committer: Dmitry Vyukov <dvyukov@google.com> 2017-11-17 14:56:34 +0300
commit: 2f7fc0ff65b73cf2a6bfc1878aae75a7f5bae870 (patch)
tree: cd92b603b0fb9965aa8c2d9ff4328ff7e5f2785f /pkg/osutil
parent: 348d8f13f0299cd97f9219105ed7b21e591ddd36 (diff)
7 files changed, 110 insertions, 2 deletions
diff --git a/pkg/osutil/osutil_akaros.go b/pkg/osutil/osutil_akaros.go
index 6a69cc033..74061e23d 100644
--- a/pkg/osutil/osutil_akaros.go
+++ b/pkg/osutil/osutil_akaros.go
@@ -19,5 +19,13 @@ func UmountAll(dir string) {
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_appengine.go b/pkg/osutil/osutil_appengine.go
index 2fc10761c..ce2938a24 100644
--- a/pkg/osutil/osutil_appengine.go
+++ b/pkg/osutil/osutil_appengine.go
@@ -9,5 +9,13 @@ import (
 	"os/exec"
 )
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_bsd.go b/pkg/osutil/osutil_bsd.go
index c955fdd72..569e78618 100644
--- a/pkg/osutil/osutil_bsd.go
+++ b/pkg/osutil/osutil_bsd.go
@@ -16,5 +16,13 @@ func UmountAll(dir string) {
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_darwin.go b/pkg/osutil/osutil_darwin.go
index 1ade9c12a..da468300b 100644
--- a/pkg/osutil/osutil_darwin.go
+++ b/pkg/osutil/osutil_darwin.go
@@ -13,5 +13,13 @@ import (
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_fuchsia.go b/pkg/osutil/osutil_fuchsia.go
index de3827b13..e1cbe6046 100644
--- a/pkg/osutil/osutil_fuchsia.go
+++ b/pkg/osutil/osutil_fuchsia.go
@@ -37,5 +37,13 @@ func ProcessSignal(p *os.Process, sig int) bool {
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_linux.go b/pkg/osutil/osutil_linux.go
index 0a84f3f14..d2aa34f1f 100644
--- a/pkg/osutil/osutil_linux.go
+++ b/pkg/osutil/osutil_linux.go
@@ -6,11 +6,16 @@
 package osutil
 
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
 	"syscall"
+	"time"
 	"unsafe"
 )
 
@@ -27,10 +32,65 @@ func UmountAll(dir string) {
 	}
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	if cmd.SysProcAttr == nil {
+		cmd.SysProcAttr = new(syscall.SysProcAttr)
+	}
+	if user {
+		uid, err := initSandbox()
+		if err != nil {
+			return err
+		}
+		cmd.SysProcAttr.Credential = &syscall.Credential{
+			Uid: uid,
+			Gid: uid,
+		}
+	}
+	if net {
+		cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWNET | syscall.CLONE_NEWIPC |
+			syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID
+	}
+	return nil
+}
+
+func SandboxChown(file string) error {
+	uid, err := initSandbox()
+	if err != nil {
+		return err
+	}
+	return os.Chown(file, int(uid), int(uid))
+}
+
+var (
+	sandboxOnce     sync.Once
+	sandboxUsername = "syzkaller"
+	sandboxUID      = ^uint32(0)
+)
+
+func initSandbox() (uint32, error) {
+	sandboxOnce.Do(func() {
+		out, err := RunCmd(time.Minute, "", "id", "-u", sandboxUsername)
+		if err != nil || len(out) == 0 {
+			return
+		}
+		str := strings.Trim(string(out), " \t\n")
+		uid, err := strconv.ParseUint(str, 10, 32)
+		if err != nil {
+			return
+		}
+		sandboxUID = uint32(uid)
+	})
+	if sandboxUID == ^uint32(0) {
+		return 0, fmt.Errorf("user %q is not found, can't sandbox command", sandboxUsername)
+	}
+	return sandboxUID, nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Pdeathsig: syscall.SIGKILL,
+	if cmd.SysProcAttr == nil {
+		cmd.SysProcAttr = new(syscall.SysProcAttr)
 	}
+	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 }
 
 func prolongPipe(r, w *os.File) {
diff --git a/pkg/osutil/osutil_windows.go b/pkg/osutil/osutil_windows.go
index 4a00fe0c2..2d8569921 100644
--- a/pkg/osutil/osutil_windows.go
+++ b/pkg/osutil/osutil_windows.go
@@ -37,5 +37,13 @@ func ProcessSignal(p *os.Process, sig int) bool {
 	return false
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
author	Dmitry Vyukov <dvyukov@google.com>	2017-11-16 13:16:30 +0100
committer	Dmitry Vyukov <dvyukov@google.com>	2017-11-17 14:56:34 +0300
commit	2f7fc0ff65b73cf2a6bfc1878aae75a7f5bae870 (patch)
tree	cd92b603b0fb9965aa8c2d9ff4328ff7e5f2785f /pkg/osutil
parent	348d8f13f0299cd97f9219105ed7b21e591ddd36 (diff)