pkg/flatrpc, pkg/vminfo, executor: introduce readonly coverage

Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the coverage buffer on the kernel side. This, in turn, allows us to map the coverage buffer read-only, which will prevent all sorts of userspace-generated corruptions at a cost of an extra syscall per program execution. The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on read-only coverage in the executor. It is enabled by default if FeatureKcovResetIoctl is on.
author: Alexander Potapenko <glider@google.com> 2025-07-30 10:44:47 +0200
committer: Alexander Potapenko <glider@google.com> 2025-07-31 12:27:19 +0000
commit: 9a518853aaea13e0a60411b7be7d3ff1f05962de (patch)
tree: 646ae2c9dc6f44b86ddf90fe2c90a89b7236fe06 /pkg/vminfo
parent: dc769bad4c765a3c7b54150be90664e7a01caf40 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/pkg/vminfo/features.go b/pkg/vminfo/features.go
index 2be067d32..6c4d6ae6d 100644
--- a/pkg/vminfo/features.go
+++ b/pkg/vminfo/features.go
@@ -138,6 +138,8 @@ func (ctx *checkContext) featureToFlags(feat flatrpc.Feature) (flatrpc.ExecEnv,
 	case flatrpc.FeatureDelayKcovMmap:
 		envFlags |= flatrpc.ExecEnvSignal | flatrpc.ExecEnvDelayKcovMmap
 		execFlags |= flatrpc.ExecFlagCollectSignal | flatrpc.ExecFlagCollectCover
+	case flatrpc.FeatureKcovResetIoctl:
+		envFlags |= flatrpc.ExecEnvReadOnlyCoverage
 	case flatrpc.FeatureSandboxNone:
 		envFlags &= ^ctx.cfg.Sandbox
 		envFlags |= flatrpc.ExecEnvSandboxNone
author	Alexander Potapenko <glider@google.com>	2025-07-30 10:44:47 +0200
committer	Alexander Potapenko <glider@google.com>	2025-07-31 12:27:19 +0000
commit	9a518853aaea13e0a60411b7be7d3ff1f05962de (patch)
tree	646ae2c9dc6f44b86ddf90fe2c90a89b7236fe06 /pkg/vminfo
parent	dc769bad4c765a3c7b54150be90664e7a01caf40 (diff)