pkg/kernel: sandbox make invocation

9 files changed, 170 insertions, 38 deletions

diff --git a/pkg/git/git.go b/pkg/git/git.go
index e4a54f71d..f67db363a 100644
--- a/pkg/git/git.go
+++ b/pkg/git/git.go
@@ -21,8 +21,8 @@ const timeout = time.Hour // timeout for all git invocations
 // This involves fetching/resetting/cloning as necessary to recover from all possible problems.
 // Returns hash of the HEAD commit in the specified branch.
 func Poll(dir, repo, branch string) (string, error) {
-	osutil.RunCmd(timeout, dir, "git", "reset", "--hard")
-	origin, err := osutil.RunCmd(timeout, dir, "git", "remote", "get-url", "origin")
+	runSandboxed(dir, "git", "reset", "--hard")
+	origin, err := runSandboxed(dir, "git", "remote", "get-url", "origin")
 	if err != nil || strings.TrimSpace(string(origin)) != repo {
 		// The repo is here, but it has wrong origin (e.g. repo in config has changed), re-clone.
 		if err := clone(dir, repo, branch); err != nil {
@@ -32,19 +32,19 @@ func Poll(dir, repo, branch string) (string, error) {
 	// Use origin/branch for the case the branch was force-pushed,
 	// in such case branch is not the same is origin/branch and we will
 	// stuck with the local version forever (git checkout won't fail).
-	if _, err := osutil.RunCmd(timeout, dir, "git", "checkout", "origin/"+branch); err != nil {
+	if _, err := runSandboxed(dir, "git", "checkout", "origin/"+branch); err != nil {
 		// No such branch (e.g. branch in config has changed), re-clone.
 		if err := clone(dir, repo, branch); err != nil {
 			return "", err
 		}
 	}
-	if _, err := osutil.RunCmd(timeout, dir, "git", "fetch", "--no-tags"); err != nil {
+	if _, err := runSandboxed(dir, "git", "fetch", "--no-tags"); err != nil {
 		// Something else is wrong, re-clone.
 		if err := clone(dir, repo, branch); err != nil {
 			return "", err
 		}
 	}
-	if _, err := osutil.RunCmd(timeout, dir, "git", "checkout", "origin/"+branch); err != nil {
+	if _, err := runSandboxed(dir, "git", "checkout", "origin/"+branch); err != nil {
 		return "", err
 	}
 	return HeadCommit(dir)
@@ -53,37 +53,32 @@ func Poll(dir, repo, branch string) (string, error) {
 // Checkout checkouts the specified repository/branch in dir.
 // It does not fetch history and efficiently supports checkouts of different repos in the same dir.
 func Checkout(dir, repo, branch string) (string, error) {
-	if _, err := osutil.RunCmd(timeout, dir, "git", "reset", "--hard"); err != nil {
+	if _, err := runSandboxed(dir, "git", "reset", "--hard"); err != nil {
 		if err := initRepo(dir); err != nil {
 			return "", err
 		}
 	}
-	output, err := osutil.RunCmd(timeout, dir, "git", "fetch", "--no-tags", "--depth=1", repo, branch)
+	_, err := runSandboxed(dir, "git", "fetch", "--no-tags", "--depth=1", repo, branch)
 	if err != nil {
-		return "", fmt.Errorf("git fetch %v %v failed: %v\n%s", repo, branch, err, output)
+		return "", err
 	}
-	if output, err := osutil.RunCmd(timeout, dir, "git", "checkout", "FETCH_HEAD"); err != nil {
-		return "", fmt.Errorf("git checkout FETCH_HEAD failed: %v\n%s", err, output)
+	if _, err := runSandboxed(dir, "git", "checkout", "FETCH_HEAD"); err != nil {
+		return "", err
 	}
 	return HeadCommit(dir)
 }
 
 func clone(dir, repo, branch string) error {
-	if err := os.RemoveAll(dir); err != nil {
-		return fmt.Errorf("failed to remove repo dir: %v", err)
+	if err := initRepo(dir); err != nil {
+		return err
 	}
-	if err := osutil.MkdirAll(dir); err != nil {
-		return fmt.Errorf("failed to create repo dir: %v", err)
+	if _, err := runSandboxed(dir, "git", "remote", "add", "origin", repo); err != nil {
+		return err
 	}
-	args := []string{
-		"clone",
-		repo,
-		"--single-branch",
-		"--branch", branch,
-		dir,
+	if _, err := runSandboxed(dir, "git", "fetch", "origin", "master"); err != nil {
+		return err
 	}
-	_, err := osutil.RunCmd(timeout, "", "git", args...)
-	return err
+	return nil
 }
 
 func initRepo(dir string) error {
@@ -93,16 +88,18 @@ func initRepo(dir string) error {
 	if err := osutil.MkdirAll(dir); err != nil {
 		return fmt.Errorf("failed to create repo dir: %v", err)
 	}
-	output, err := osutil.RunCmd(timeout, dir, "git", "init")
-	if err != nil {
-		return fmt.Errorf("failed to init git repo: %v\n%s", err, output)
+	if err := osutil.SandboxChown(dir); err != nil {
+		return err
+	}
+	if _, err := runSandboxed(dir, "git", "init"); err != nil {
+		return err
 	}
 	return nil
 }
 
 // HeadCommit returns hash of the HEAD commit of the current branch of git repository in dir.
 func HeadCommit(dir string) (string, error) {
-	output, err := osutil.RunCmd(timeout, dir, "git", "log", "--pretty=format:%H", "-n", "1")
+	output, err := runSandboxed(dir, "git", "log", "--pretty=format:%H", "-n", "1")
 	if err != nil {
 		return "", err
 	}
@@ -120,7 +117,7 @@ func ListRecentCommits(dir, baseCommit string) ([]string, error) {
 	// On upstream kernel this produces ~11MB of output.
 	// Somewhat inefficient to collect whole output in a slice
 	// and then convert to string, but should be bearable.
-	output, err := osutil.RunCmd(timeout, dir, "git", "log",
+	output, err := runSandboxed(dir, "git", "log",
 		"--pretty=format:%s", "--no-merges", "-n", "200000", baseCommit)
 	if err != nil {
 		return nil, err
@@ -154,12 +151,18 @@ var commitPrefixes = []string{
 func Patch(dir string, patch []byte) error {
 	// Do --dry-run first to not mess with partially consistent state.
 	cmd := osutil.Command("patch", "-p1", "--force", "--ignore-whitespace", "--dry-run")
+	if err := osutil.Sandbox(cmd, true, true); err != nil {
+		return err
+	}
 	cmd.Stdin = bytes.NewReader(patch)
 	cmd.Dir = dir
 	if output, err := cmd.CombinedOutput(); err != nil {
 		// If it reverses clean, then it's already applied
 		// (seems to be the easiest way to detect it).
 		cmd = osutil.Command("patch", "-p1", "--force", "--ignore-whitespace", "--reverse", "--dry-run")
+		if err := osutil.Sandbox(cmd, true, true); err != nil {
+			return err
+		}
 		cmd.Stdin = bytes.NewReader(patch)
 		cmd.Dir = dir
 		if _, err := cmd.CombinedOutput(); err == nil {
@@ -169,6 +172,9 @@ func Patch(dir string, patch []byte) error {
 	}
 	// Now apply for real.
 	cmd = osutil.Command("patch", "-p1", "--force", "--ignore-whitespace")
+	if err := osutil.Sandbox(cmd, true, true); err != nil {
+		return err
+	}
 	cmd.Stdin = bytes.NewReader(patch)
 	cmd.Dir = dir
 	if output, err := cmd.CombinedOutput(); err != nil {
@@ -177,6 +183,15 @@ func Patch(dir string, patch []byte) error {
 	return nil
 }
 
+func runSandboxed(dir, command string, args ...string) ([]byte, error) {
+	cmd := osutil.Command(command, args...)
+	cmd.Dir = dir
+	if err := osutil.Sandbox(cmd, true, false); err != nil {
+		return nil, err
+	}
+	return osutil.Run(timeout, cmd)
+}
+
 // CheckRepoAddress does a best-effort approximate check of a git repo address.
 func CheckRepoAddress(repo string) bool {
 	return gitRepoRe.MatchString(repo)
diff --git a/pkg/kernel/kernel.go b/pkg/kernel/kernel.go
index 2ec573540..2c35bcc40 100644
--- a/pkg/kernel/kernel.go
+++ b/pkg/kernel/kernel.go
@@ -25,21 +25,30 @@ import (
 )
 
 func Build(dir, compiler, config string) error {
-	if err := osutil.CopyFile(config, filepath.Join(dir, ".config")); err != nil {
+	configFile := filepath.Join(dir, ".config")
+	if err := osutil.CopyFile(config, configFile); err != nil {
 		return fmt.Errorf("failed to write config file: %v", err)
 	}
-	return build(dir, compiler)
-}
-
-func build(dir, compiler string) error {
-	const timeout = 10 * time.Minute // default timeout for command invocations
-	if _, err := osutil.RunCmd(timeout, dir, "make", "olddefconfig"); err != nil {
+	if err := osutil.SandboxChown(configFile); err != nil {
+		return err
+	}
+	cmd := osutil.Command("make", "olddefconfig")
+	if err := osutil.Sandbox(cmd, true, true); err != nil {
+		return err
+	}
+	cmd.Dir = dir
+	if _, err := osutil.Run(10*time.Minute, cmd); err != nil {
 		return err
 	}
 	// We build only bzImage as we currently don't use modules.
-	// Build of a large kernel can take a while on a 1 CPU VM.
 	cpu := strconv.Itoa(runtime.NumCPU())
-	if _, err := osutil.RunCmd(3*time.Hour, dir, "make", "bzImage", "-j", cpu, "CC="+compiler); err != nil {
+	cmd = osutil.Command("make", "bzImage", "-j", cpu, "CC="+compiler)
+	if err := osutil.Sandbox(cmd, true, true); err != nil {
+		return err
+	}
+	cmd.Dir = dir
+	// Build of a large kernel can take a while on a 1 CPU VM.
+	if _, err := osutil.Run(3*time.Hour, cmd); err != nil {
 		return err
 	}
 	return nil
diff --git a/pkg/osutil/osutil_akaros.go b/pkg/osutil/osutil_akaros.go
index 6a69cc033..74061e23d 100644
--- a/pkg/osutil/osutil_akaros.go
+++ b/pkg/osutil/osutil_akaros.go
@@ -19,5 +19,13 @@ func UmountAll(dir string) {
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_appengine.go b/pkg/osutil/osutil_appengine.go
index 2fc10761c..ce2938a24 100644
--- a/pkg/osutil/osutil_appengine.go
+++ b/pkg/osutil/osutil_appengine.go
@@ -9,5 +9,13 @@ import (
 	"os/exec"
 )
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_bsd.go b/pkg/osutil/osutil_bsd.go
index c955fdd72..569e78618 100644
--- a/pkg/osutil/osutil_bsd.go
+++ b/pkg/osutil/osutil_bsd.go
@@ -16,5 +16,13 @@ func UmountAll(dir string) {
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_darwin.go b/pkg/osutil/osutil_darwin.go
index 1ade9c12a..da468300b 100644
--- a/pkg/osutil/osutil_darwin.go
+++ b/pkg/osutil/osutil_darwin.go
@@ -13,5 +13,13 @@ import (
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_fuchsia.go b/pkg/osutil/osutil_fuchsia.go
index de3827b13..e1cbe6046 100644
--- a/pkg/osutil/osutil_fuchsia.go
+++ b/pkg/osutil/osutil_fuchsia.go
@@ -37,5 +37,13 @@ func ProcessSignal(p *os.Process, sig int) bool {
 func prolongPipe(r, w *os.File) {
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }
diff --git a/pkg/osutil/osutil_linux.go b/pkg/osutil/osutil_linux.go
index 0a84f3f14..d2aa34f1f 100644
--- a/pkg/osutil/osutil_linux.go
+++ b/pkg/osutil/osutil_linux.go
@@ -6,11 +6,16 @@
 package osutil
 
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
 	"syscall"
+	"time"
 	"unsafe"
 )
 
@@ -27,10 +32,65 @@ func UmountAll(dir string) {
 	}
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	if cmd.SysProcAttr == nil {
+		cmd.SysProcAttr = new(syscall.SysProcAttr)
+	}
+	if user {
+		uid, err := initSandbox()
+		if err != nil {
+			return err
+		}
+		cmd.SysProcAttr.Credential = &syscall.Credential{
+			Uid: uid,
+			Gid: uid,
+		}
+	}
+	if net {
+		cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWNET | syscall.CLONE_NEWIPC |
+			syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID
+	}
+	return nil
+}
+
+func SandboxChown(file string) error {
+	uid, err := initSandbox()
+	if err != nil {
+		return err
+	}
+	return os.Chown(file, int(uid), int(uid))
+}
+
+var (
+	sandboxOnce     sync.Once
+	sandboxUsername = "syzkaller"
+	sandboxUID      = ^uint32(0)
+)
+
+func initSandbox() (uint32, error) {
+	sandboxOnce.Do(func() {
+		out, err := RunCmd(time.Minute, "", "id", "-u", sandboxUsername)
+		if err != nil || len(out) == 0 {
+			return
+		}
+		str := strings.Trim(string(out), " \t\n")
+		uid, err := strconv.ParseUint(str, 10, 32)
+		if err != nil {
+			return
+		}
+		sandboxUID = uint32(uid)
+	})
+	if sandboxUID == ^uint32(0) {
+		return 0, fmt.Errorf("user %q is not found, can't sandbox command", sandboxUsername)
+	}
+	return sandboxUID, nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Pdeathsig: syscall.SIGKILL,
+	if cmd.SysProcAttr == nil {
+		cmd.SysProcAttr = new(syscall.SysProcAttr)
 	}
+	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 }
 
 func prolongPipe(r, w *os.File) {
diff --git a/pkg/osutil/osutil_windows.go b/pkg/osutil/osutil_windows.go
index 4a00fe0c2..2d8569921 100644
--- a/pkg/osutil/osutil_windows.go
+++ b/pkg/osutil/osutil_windows.go
@@ -37,5 +37,13 @@ func ProcessSignal(p *os.Process, sig int) bool {
 	return false
 }
 
+func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	return nil
+}
+
+func SandboxChown(file string) error {
+	return nil
+}
+
 func setPdeathsig(cmd *exec.Cmd) {
 }