executor: refactor sandbox flags

In preparation for future changes.

10 files changed, 51 insertions, 55 deletions

diff --git a/pkg/csource/common.go b/pkg/csource/common.go
index 2d3f35b52..d30a3c268 100644
--- a/pkg/csource/common.go
+++ b/pkg/csource/common.go
@@ -24,10 +24,10 @@ const (
 	openbsd = "openbsd"
 	netbsd  = "netbsd"
 
-	sandboxNone                = "none"
-	sandboxSetuid              = "setuid"
-	sandboxNamespace           = "namespace"
-	sandboxAndroidUntrustedApp = "android_untrusted_app"
+	sandboxNone      = "none"
+	sandboxSetuid    = "setuid"
+	sandboxNamespace = "namespace"
+	sandboxAndroid   = "android"
 )
 
 func createCommonHeader(p, mmapProg *prog.Prog, replacements map[string]string, opts Options) ([]byte, error) {
@@ -96,7 +96,7 @@ func commonDefines(p *prog.Prog, opts Options) map[string]bool {
 		"SYZ_SANDBOX_NONE":              opts.Sandbox == sandboxNone,
 		"SYZ_SANDBOX_SETUID":            opts.Sandbox == sandboxSetuid,
 		"SYZ_SANDBOX_NAMESPACE":         opts.Sandbox == sandboxNamespace,
-		"SYZ_SANDBOX_ANDROID":           opts.Sandbox == sandboxAndroidUntrustedApp,
+		"SYZ_SANDBOX_ANDROID":           opts.Sandbox == sandboxAndroid,
 		"SYZ_THREADED":                  opts.Threaded,
 		"SYZ_COLLIDE":                   opts.Collide,
 		"SYZ_REPEAT":                    opts.Repeat,
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 7d40c5615..cc75000d5 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -4595,9 +4595,7 @@ static void reset_ebtables()
 static void checkpoint_net_namespace(void)
 {
 #if SYZ_EXECUTOR
-	if (!flag_net_reset)
-		return;
-	if (flag_sandbox == sandbox_setuid)
+	if (!flag_net_reset || flag_sandbox_setuid)
 		return;
 #endif
 	checkpoint_ebtables();
@@ -4609,9 +4607,7 @@ static void checkpoint_net_namespace(void)
 static void reset_net_namespace(void)
 {
 #if SYZ_EXECUTOR
-	if (!flag_net_reset)
-		return;
-	if (flag_sandbox == sandbox_setuid)
+	if (!flag_net_reset || flag_sandbox_setuid)
 		return;
 #endif
 	reset_ebtables();
@@ -5139,8 +5135,8 @@ static void syz_setfilecon(const char* path, const char* context)
 		fail("setfilecon: could not set context to %s, currently %s", context, new_context);
 }
 
-#define SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP 1
-static int do_sandbox_android_untrusted_app(void)
+#define SYZ_HAVE_SANDBOX_ANDROID 1
+static int do_sandbox_android(void)
 {
 	setup_common();
 	sandbox_common();
diff --git a/pkg/csource/options.go b/pkg/csource/options.go
index 57e9fc9dc..8e78d44e9 100644
--- a/pkg/csource/options.go
+++ b/pkg/csource/options.go
@@ -54,7 +54,7 @@ type Options struct {
 // Invalid combinations must not be passed to Write.
 func (opts Options) Check(OS string) error {
 	switch opts.Sandbox {
-	case "", sandboxNone, sandboxNamespace, sandboxSetuid, sandboxAndroidUntrustedApp:
+	case "", sandboxNone, sandboxNamespace, sandboxSetuid, sandboxAndroid:
 	default:
 		return fmt.Errorf("unknown sandbox %v", opts.Sandbox)
 	}
@@ -133,7 +133,7 @@ func (opts Options) checkLinuxOnly(OS string) error {
 	}
 	if opts.Sandbox == sandboxNamespace ||
 		(opts.Sandbox == sandboxSetuid && !(OS == openbsd || OS == freebsd || OS == netbsd)) ||
-		opts.Sandbox == sandboxAndroidUntrustedApp {
+		opts.Sandbox == sandboxAndroid {
 		return fmt.Errorf("option Sandbox=%v is not supported on %v", opts.Sandbox, OS)
 	}
 	if opts.Fault {
diff --git a/pkg/csource/options_test.go b/pkg/csource/options_test.go
index 8a38553fc..1834803ff 100644
--- a/pkg/csource/options_test.go
+++ b/pkg/csource/options_test.go
@@ -49,7 +49,7 @@ func TestParseOptionsCanned(t *testing.T) {
 			HandleSegv:       true,
 			Repro:            true,
 		},
-		`{"threaded":true,"collide":true,"repeat":true,"procs":10,"sandbox":"android_untrusted_app",
+		`{"threaded":true,"collide":true,"repeat":true,"procs":10,"sandbox":"android",
 		"fault":true,"fault_call":1,"fault_nth":2,"tun":true,"tmpdir":true,"cgroups":true,
 		"netdev":true,"resetnet":true,
 		"segv":true,"waitrepeat":true,"debug":true,"repro":true}`: {
@@ -57,7 +57,7 @@ func TestParseOptionsCanned(t *testing.T) {
 			Collide:          true,
 			Repeat:           true,
 			Procs:            10,
-			Sandbox:          "android_untrusted_app",
+			Sandbox:          "android",
 			Fault:            true,
 			FaultCall:        1,
 			FaultNth:         2,
@@ -170,7 +170,7 @@ func enumerateField(OS string, opt Options, field int) []Options {
 	fldName := s.Type().Field(field).Name
 	fld := s.Field(field)
 	if fldName == "Sandbox" {
-		for _, sandbox := range []string{"", "none", "setuid", "namespace", "android_untrusted_app"} {
+		for _, sandbox := range []string{"", "none", "setuid", "namespace", "android"} {
 			fld.SetString(sandbox)
 			opts = append(opts, opt)
 		}
diff --git a/pkg/host/features.go b/pkg/host/features.go
index 8c3945a98..53af77241 100644
--- a/pkg/host/features.go
+++ b/pkg/host/features.go
@@ -18,7 +18,7 @@ const (
 	FeatureExtraCoverage
 	FeatureSandboxSetuid
 	FeatureSandboxNamespace
-	FeatureSandboxAndroidUntrustedApp
+	FeatureSandboxAndroid
 	FeatureFaultInjection
 	FeatureLeakChecking
 	FeatureNetworkInjection
@@ -46,18 +46,18 @@ func unconditionallyEnabled() string { return "" }
 func Check(target *prog.Target) (*Features, error) {
 	const unsupported = "support is not implemented in syzkaller"
 	res := &Features{
-		FeatureCoverage:                   {Name: "code coverage", Reason: unsupported},
-		FeatureComparisons:                {Name: "comparison tracing", Reason: unsupported},
-		FeatureExtraCoverage:              {Name: "extra coverage", Reason: unsupported},
-		FeatureSandboxSetuid:              {Name: "setuid sandbox", Reason: unsupported},
-		FeatureSandboxNamespace:           {Name: "namespace sandbox", Reason: unsupported},
-		FeatureSandboxAndroidUntrustedApp: {Name: "Android sandbox", Reason: unsupported},
-		FeatureFaultInjection:             {Name: "fault injection", Reason: unsupported},
-		FeatureLeakChecking:               {Name: "leak checking", Reason: unsupported},
-		FeatureNetworkInjection:           {Name: "net packet injection", Reason: unsupported},
-		FeatureNetworkDevices:             {Name: "net device setup", Reason: unsupported},
-		FeatureKCSAN:                      {Name: "concurrency sanitizer", Reason: unsupported},
-		FeatureDevlinkPCI:                 {Name: "devlink PCI setup", Reason: unsupported},
+		FeatureCoverage:         {Name: "code coverage", Reason: unsupported},
+		FeatureComparisons:      {Name: "comparison tracing", Reason: unsupported},
+		FeatureExtraCoverage:    {Name: "extra coverage", Reason: unsupported},
+		FeatureSandboxSetuid:    {Name: "setuid sandbox", Reason: unsupported},
+		FeatureSandboxNamespace: {Name: "namespace sandbox", Reason: unsupported},
+		FeatureSandboxAndroid:   {Name: "Android sandbox", Reason: unsupported},
+		FeatureFaultInjection:   {Name: "fault injection", Reason: unsupported},
+		FeatureLeakChecking:     {Name: "leak checking", Reason: unsupported},
+		FeatureNetworkInjection: {Name: "net packet injection", Reason: unsupported},
+		FeatureNetworkDevices:   {Name: "net device setup", Reason: unsupported},
+		FeatureKCSAN:            {Name: "concurrency sanitizer", Reason: unsupported},
+		FeatureDevlinkPCI:       {Name: "devlink PCI setup", Reason: unsupported},
 	}
 	if targets.Get(target.OS, target.Arch).HostFuzzer {
 		return res, nil
diff --git a/pkg/host/features_linux.go b/pkg/host/features_linux.go
index 780c938a1..a1586e8ac 100644
--- a/pkg/host/features_linux.go
+++ b/pkg/host/features_linux.go
@@ -20,7 +20,7 @@ func init() {
 	checkFeature[FeatureExtraCoverage] = checkExtraCoverage
 	checkFeature[FeatureSandboxSetuid] = unconditionallyEnabled
 	checkFeature[FeatureSandboxNamespace] = checkSandboxNamespace
-	checkFeature[FeatureSandboxAndroidUntrustedApp] = checkSandboxAndroidUntrustedApp
+	checkFeature[FeatureSandboxAndroid] = checkSandboxAndroid
 	checkFeature[FeatureFaultInjection] = checkFaultInjection
 	checkFeature[FeatureLeakChecking] = checkLeakChecking
 	checkFeature[FeatureNetworkInjection] = checkNetworkInjection
@@ -169,7 +169,7 @@ func checkSandboxNamespace() string {
 	return ""
 }
 
-func checkSandboxAndroidUntrustedApp() string {
+func checkSandboxAndroid() string {
 	if err := osutil.IsAccessible("/sys/fs/selinux/policy"); err != nil {
 		return err.Error()
 	}
diff --git a/pkg/ipc/ipc.go b/pkg/ipc/ipc.go
index cd3d6b02e..9fdb63241 100644
--- a/pkg/ipc/ipc.go
+++ b/pkg/ipc/ipc.go
@@ -27,18 +27,18 @@ type EnvFlags uint64
 
 // Note: New / changed flags should be added to parse_env_flags in executor.cc
 const (
-	FlagDebug                      EnvFlags = 1 << iota // debug output from executor
-	FlagSignal                                          // collect feedback signals (coverage)
-	FlagSandboxSetuid                                   // impersonate nobody user
-	FlagSandboxNamespace                                // use namespaces for sandboxing
-	FlagSandboxAndroidUntrustedApp                      // use Android sandboxing for the untrusted_app domain
-	FlagExtraCover                                      // collect extra coverage
-	FlagEnableTun                                       // setup and use /dev/tun for packet injection
-	FlagEnableNetDev                                    // setup more network devices for testing
-	FlagEnableNetReset                                  // reset network namespace between programs
-	FlagEnableCgroups                                   // setup cgroups for testing
-	FlagEnableCloseFds                                  // close fds after each program
-	FlagEnableDevlinkPCI                                // setup devlink PCI device
+	FlagDebug            EnvFlags = 1 << iota // debug output from executor
+	FlagSignal                                // collect feedback signals (coverage)
+	FlagSandboxSetuid                         // impersonate nobody user
+	FlagSandboxNamespace                      // use namespaces for sandboxing
+	FlagSandboxAndroid                        // use Android sandboxing for the untrusted_app domain
+	FlagExtraCover                            // collect extra coverage
+	FlagEnableTun                             // setup and use /dev/tun for packet injection
+	FlagEnableNetDev                          // setup more network devices for testing
+	FlagEnableNetReset                        // reset network namespace between programs
+	FlagEnableCgroups                         // setup cgroups for testing
+	FlagEnableCloseFds                        // close fds after each program
+	FlagEnableDevlinkPCI                      // setup devlink PCI device
 	// Executor does not know about these:
 	FlagUseShmem      // use shared memory instead of pipes for communication
 	FlagUseForkServer // use extended protocol with handshake
@@ -134,10 +134,10 @@ func SandboxToFlags(sandbox string) (EnvFlags, error) {
 		return FlagSandboxSetuid, nil
 	case "namespace":
 		return FlagSandboxNamespace, nil
-	case "android_untrusted_app":
-		return FlagSandboxAndroidUntrustedApp, nil
+	case "android":
+		return FlagSandboxAndroid, nil
 	default:
-		return 0, fmt.Errorf("sandbox must contain one of none/setuid/namespace/android_untrusted_app")
+		return 0, fmt.Errorf("sandbox must contain one of none/setuid/namespace/android")
 	}
 }
 
@@ -146,8 +146,8 @@ func FlagsToSandbox(flags EnvFlags) string {
 		return "setuid"
 	} else if flags&FlagSandboxNamespace != 0 {
 		return "namespace"
-	} else if flags&FlagSandboxAndroidUntrustedApp != 0 {
-		return "android_untrusted_app"
+	} else if flags&FlagSandboxAndroid != 0 {
+		return "android"
 	}
 	return "none"
 }
@@ -542,7 +542,7 @@ func makeCommand(pid int, bin []string, config *Config, inFile, outFile *os.File
 		}
 	}()
 
-	if config.Flags&(FlagSandboxSetuid|FlagSandboxNamespace|FlagSandboxAndroidUntrustedApp) != 0 {
+	if config.Flags&(FlagSandboxSetuid|FlagSandboxNamespace|FlagSandboxAndroid) != 0 {
 		if err := os.Chmod(dir, 0777); err != nil {
 			return nil, fmt.Errorf("failed to chmod temp dir: %v", err)
 		}
diff --git a/pkg/ipc/ipcconfig/ipcconfig.go b/pkg/ipc/ipcconfig/ipcconfig.go
index f2bd2028e..55e29fae4 100644
--- a/pkg/ipc/ipcconfig/ipcconfig.go
+++ b/pkg/ipc/ipcconfig/ipcconfig.go
@@ -16,7 +16,7 @@ var (
 	flagThreaded = flag.Bool("threaded", true, "use threaded mode in executor")
 	flagCollide  = flag.Bool("collide", true, "collide syscalls to provoke data races")
 	flagSignal   = flag.Bool("cover", false, "collect feedback signals (coverage)")
-	flagSandbox  = flag.String("sandbox", "none", "sandbox for fuzzing (none/setuid/namespace/android_untrusted_app)")
+	flagSandbox  = flag.String("sandbox", "none", "sandbox for fuzzing (none/setuid/namespace/android)")
 	flagDebug    = flag.Bool("debug", false, "debug output from executor")
 	flagTimeout  = flag.Duration("timeout", 0, "execution timeout")
 )
diff --git a/pkg/mgrconfig/config.go b/pkg/mgrconfig/config.go
index ea03c429e..07df5d0c7 100644
--- a/pkg/mgrconfig/config.go
+++ b/pkg/mgrconfig/config.go
@@ -63,7 +63,7 @@ type Config struct {
 	// "namespace": create a new namespace for fuzzer using CLONE_NEWNS/CLONE_NEWNET/CLONE_NEWPID/etc,
 	//	requires building kernel with CONFIG_NAMESPACES, CONFIG_UTS_NS, CONFIG_USER_NS,
 	//	CONFIG_PID_NS and CONFIG_NET_NS. Supported only for some OSes.
-	// "android_untrusted_app": (Android) Emulate permissions of an untrusted app.
+	// "android": (Android) Emulate permissions of an untrusted app.
 	Sandbox string `json:"sandbox"`
 
 	// Use KCOV coverage (default: true).
diff --git a/pkg/mgrconfig/load.go b/pkg/mgrconfig/load.go
index f02f3c59c..0733a9c2a 100644
--- a/pkg/mgrconfig/load.go
+++ b/pkg/mgrconfig/load.go
@@ -98,9 +98,9 @@ func Complete(cfg *Config) error {
 		return fmt.Errorf("bad config param procs: '%v', want [1, 32]", cfg.Procs)
 	}
 	switch cfg.Sandbox {
-	case "none", "setuid", "namespace", "android_untrusted_app":
+	case "none", "setuid", "namespace", "android":
 	default:
-		return fmt.Errorf("config param sandbox must contain one of none/setuid/namespace/android_untrusted_app")
+		return fmt.Errorf("config param sandbox must contain one of none/setuid/namespace/android")
 	}
 	if err := checkSSHParams(cfg); err != nil {
 		return err