authorDmitry Vyukov <dvyukov@google.com>2020-05-04 09:21:34 +0200
committerDmitry Vyukov <dvyukov@google.com>2020-05-04 20:56:20 +0200
commit71db69869e82cce9af00f8660c6e867936b19212 (patch)
treecf59b7d7d6173ea870e9197df2b9b0b8be1dfa26 /sys/linux
parenta4d38b39a8e23244bea7a53e9d7a759474f85dae (diff)
sys/linux: mark some ioctls as disabled
Mark ioctls we disable in init.go as disabled. Update #477 Update #502
Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/bpf_386.const2
-rw-r--r--sys/linux/bpf_amd64.const2
-rw-r--r--sys/linux/bpf_arm.const2
-rw-r--r--sys/linux/bpf_arm64.const2
-rw-r--r--sys/linux/bpf_mips64le.const2
-rw-r--r--sys/linux/bpf_ppc64le.const2
-rw-r--r--sys/linux/dev_ptmx.txt11
-rw-r--r--sys/linux/fs_ext4.txt11
-rw-r--r--sys/linux/init.go4
-rw-r--r--sys/linux/init_test.go4
-rw-r--r--sys/linux/prctl_386.const2
-rw-r--r--sys/linux/prctl_amd64.const2
-rw-r--r--sys/linux/prctl_arm.const2
-rw-r--r--sys/linux/prctl_arm64.const2
-rw-r--r--sys/linux/prctl_mips64le.const2
-rw-r--r--sys/linux/prctl_ppc64le.const2
-rw-r--r--sys/linux/sys.txt15
-rw-r--r--sys/linux/sys_386.const1
-rw-r--r--sys/linux/sys_amd64.const1
-rw-r--r--sys/linux/sys_arm.const1
-rw-r--r--sys/linux/sys_arm64.const1
-rw-r--r--sys/linux/sys_mips64le.const1
-rw-r--r--sys/linux/sys_ppc64le.const1
23 files changed, 43 insertions, 32 deletions
diff --git a/sys/linux/bpf_386.const b/sys/linux/bpf_386.const
index 00a92d0b8..13a70ca0e 100644
--- a/sys/linux/bpf_386.const
+++ b/sys/linux/bpf_386.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
BTF_MAGIC = 60319
BTF_VERSION = 1
MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
__MAX_BPF_REG = 11
__NR_bpf = 357
bpf_call_code = 133
diff --git a/sys/linux/bpf_amd64.const b/sys/linux/bpf_amd64.const
index b539fc0cb..1aac3b5d3 100644
--- a/sys/linux/bpf_amd64.const
+++ b/sys/linux/bpf_amd64.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
BTF_MAGIC = 60319
BTF_VERSION = 1
MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
__MAX_BPF_REG = 11
__NR_bpf = 321
bpf_call_code = 133
diff --git a/sys/linux/bpf_arm.const b/sys/linux/bpf_arm.const
index 1f1e1465a..aaeb5db2f 100644
--- a/sys/linux/bpf_arm.const
+++ b/sys/linux/bpf_arm.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
BTF_MAGIC = 60319
BTF_VERSION = 1
MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
__MAX_BPF_REG = 11
__NR_bpf = 386
bpf_call_code = 133
diff --git a/sys/linux/bpf_arm64.const b/sys/linux/bpf_arm64.const
index d3f42ac85..5b12719a4 100644
--- a/sys/linux/bpf_arm64.const
+++ b/sys/linux/bpf_arm64.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
BTF_MAGIC = 60319
BTF_VERSION = 1
MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
__MAX_BPF_REG = 11
__NR_bpf = 280
bpf_call_code = 133
diff --git a/sys/linux/bpf_mips64le.const b/sys/linux/bpf_mips64le.const
index b8f3a7c8a..95f68f9c2 100644
--- a/sys/linux/bpf_mips64le.const
+++ b/sys/linux/bpf_mips64le.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
BTF_MAGIC = 60319
BTF_VERSION = 1
MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
__MAX_BPF_REG = 11
__NR_bpf = 5315
bpf_call_code = 133
diff --git a/sys/linux/bpf_ppc64le.const b/sys/linux/bpf_ppc64le.const
index 1633606c4..f3a381788 100644
--- a/sys/linux/bpf_ppc64le.const
+++ b/sys/linux/bpf_ppc64le.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
BTF_MAGIC = 60319
BTF_VERSION = 1
MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
__MAX_BPF_REG = 11
__NR_bpf = 361
bpf_call_code = 133
diff --git a/sys/linux/dev_ptmx.txt b/sys/linux/dev_ptmx.txt
index 31277fe38..a03b24c58 100644
--- a/sys/linux/dev_ptmx.txt
+++ b/sys/linux/dev_ptmx.txt
@@ -136,8 +136,17 @@ ioctl$TIOCL_GETKMSGREDIRECT(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[T
ioctl$TIOCL_SCROLLCONSOLE(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, tioctl_scroll_console])
ioctl$TIOCL_BLANKSCREEN(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_BLANKSCREEN, int8]])
+# TIOCSSERIAL can do nasty things under root, like causing writes to random memory
+# pretty much like /dev/mem, but this is also working as intended.
+# For details see:
+# https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ
+# https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e
+# TODO: TIOCSSERIAL does some other things that are not dangerous
+# and would be nice to test, if/when we can neutralize based on sandbox value
+# we could prohibit it only under sandbox=none.
+ioctl$TIOCSSERIAL(fd fd, cmd const[TIOCSSERIAL], arg ptr[in, serial_struct]) (disabled)
+
ioctl$TIOCGSERIAL(fd fd_tty, cmd const[TIOCGSERIAL], arg ptr[out, serial_struct])
-ioctl$TIOCSSERIAL(fd fd_tty, cmd const[TIOCSSERIAL], arg ptr[in, serial_struct])
ioctl$TCGETS2(fd fd_tty, cmd const[TCGETS2], arg ptr[out, termios2])
ioctl$TCSETS2(fd fd_tty, cmd const[TCSETS2], arg ptr[in, termios2])
ioctl$TCSETSF2(fd fd_tty, cmd const[TCSETSF2], arg ptr[in, termios2])
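Review bot: Marking `ioctl$TIOCSSERIAL` as `(disabled)` only stops this named variant from being generated. The generic `ioctl(fd fd, cmd int32, arg buffer[in])` in sys.txt can still carry the TIOCSSERIAL command value, and the test entry that pinned the rewrite of `0x541f` to `0x541e` is deleted from init_test.go in this same commit. The init.go hunks shown here do not touch a TIOCSSERIAL case, so the rewrite presumably still exists and is now untested. I would keep that test entry with the call name changed from `ioctl$TIOCSSERIAL` to plain `ioctl` and the same arguments, assuming the test helper accepts the untyped call.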
diff --git a/sys/linux/fs_ext4.txt b/sys/linux/fs_ext4.txt
index 20dc4dbf2..56d702bb9 100644
--- a/sys/linux/fs_ext4.txt
+++ b/sys/linux/fs_ext4.txt
@@ -16,8 +16,15 @@ ioctl$EXT4_IOC_PRECACHE_EXTENTS(fd fd, cmd const[EXT4_IOC_PRECACHE_EXTENTS])
ext4_inode_flags = EXT4_SECRM_FL, EXT4_UNRM_FL, EXT4_COMPR_FL, EXT4_SYNC_FL, EXT4_IMMUTABLE_FL, EXT4_APPEND_FL, EXT4_NODUMP_FL, EXT4_NOATIME_FL, EXT4_PROJINHERIT_FL, EXT4_JOURNAL_DATA_FL, EXT4_NOTAIL_FL, EXT4_DIRSYNC_FL, EXT4_TOPDIR_FL, EXT4_EXTENTS_FL
-# See comments in init.go.
-_ = EXT4_IOC_SHUTDOWN, EXT4_IOC_RESIZE_FS
+# EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
+# Fortunately, the value does not conflict with any other ioctl commands for now.
+ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN]) (disabled)
+
+# EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size)
+# and then creation of new temp dirs for tests will fail.
+# TODO: not necessary for sandbox=namespace as it tests in a tmpfs
+# and/or if we mount tmpfs for sandbox=none (#971).
+ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS]) (disabled)
ext4_new_group_input {
group int32
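Review bot: The new comments drop the old pointer `# See comments in init.go.` and do not say that `(disabled)` covers only these named variants. `neutralizeIoctl` in init.go still has `case arch.EXT4_IOC_SHUTDOWN:` (visible in this commit's init.go hunk), which is what handles the command when it arrives through the generic `ioctl`; whether RESIZE_FS has a matching case is not visible here. I would add one line to each comment, for example `# The generic ioctl is still rewritten in init.go (neutralizeIoctl).`, so the copied rationale and the runtime check are not edited independently. The same applies to the FIFREEZE and SNAPSHOT_FREEZE comments added in sys.txt.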
diff --git a/sys/linux/init.go b/sys/linux/init.go
index 65faad183..f4f000cfa 100644
--- a/sys/linux/init.go
+++ b/sys/linux/init.go
@@ -24,7 +24,6 @@ func InitTarget(target *prog.Target) {
FIFREEZE: target.GetConst("FIFREEZE"),
FITHAW: target.GetConst("FITHAW"),
SNAPSHOT_FREEZE: target.GetConst("SNAPSHOT_FREEZE"),
- SNAPSHOT_UNFREEZE: target.GetConst("SNAPSHOT_UNFREEZE"),
EXT4_IOC_SHUTDOWN: target.GetConst("EXT4_IOC_SHUTDOWN"),
EXT4_IOC_RESIZE_FS: target.GetConst("EXT4_IOC_RESIZE_FS"),
EXT4_IOC_MIGRATE: target.GetConst("EXT4_IOC_MIGRATE"),
@@ -132,7 +131,6 @@ type arch struct {
FIFREEZE uint64
FITHAW uint64
SNAPSHOT_FREEZE uint64
- SNAPSHOT_UNFREEZE uint64
EXT4_IOC_SHUTDOWN uint64
EXT4_IOC_RESIZE_FS uint64
EXT4_IOC_MIGRATE uint64
@@ -252,7 +250,7 @@ func (arch *arch) neutralizeIoctl(c *prog.Call) {
cmd.Val = arch.FITHAW
case arch.SNAPSHOT_FREEZE:
// SNAPSHOT_FREEZE freezes all processes and leaves the machine dead.
- cmd.Val = arch.SNAPSHOT_UNFREEZE
+ cmd.Val = arch.FITHAW
case arch.EXT4_IOC_SHUTDOWN:
// EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
// Fortunately, the value does not conflict with any other ioctl commands for now.
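Review bot: The replacement value in `case arch.SNAPSHOT_FREEZE:` is now `arch.FITHAW`, and the comment above it does not say why a filesystem thaw command replaces a snapshot command. From the rest of the commit this looks like a stand-in for the removed `SNAPSHOT_UNFREEZE` constant, presumably chosen because it is harmless rather than because it reverses the freeze. A comment such as `// FITHAW is only a harmless stand-in here; it does not undo a snapshot freeze.` would stop a later reader from treating the line as a copy-paste from the FIFREEZE case above it. `neutralizeIoctl` starts and ends outside this hunk.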
diff --git a/sys/linux/init_test.go b/sys/linux/init_test.go
index ba6dd9462..df0622ba3 100644
--- a/sys/linux/init_test.go
+++ b/sys/linux/init_test.go
@@ -131,9 +131,5 @@ syz_open_dev$tty1(0xc, 0x4, 0x4)
syz_open_dev$tty1(0xc, 0x4, 0x1)
`,
},
- {
- In: `ioctl$TIOCSSERIAL(0x0, 0x541f, 0x0)`,
- Out: `ioctl$TIOCSSERIAL(0x0, 0x541e, 0x0)`,
- },
})
}
diff --git a/sys/linux/prctl_386.const b/sys/linux/prctl_386.const
index 0b9c3ab97..10f85c882 100644
--- a/sys/linux/prctl_386.const
+++ b/sys/linux/prctl_386.const
@@ -8,7 +8,7 @@ ARCH_MAP_VDSO_X32 = 8193
ARCH_SET_CPUID = 4114
ARCH_SET_FS = 4098
ARCH_SET_GS = 4097
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
PR_CAPBSET_DROP = 24
PR_CAPBSET_READ = 23
PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_amd64.const b/sys/linux/prctl_amd64.const
index d2c014e56..768de6c29 100644
--- a/sys/linux/prctl_amd64.const
+++ b/sys/linux/prctl_amd64.const
@@ -8,7 +8,7 @@ ARCH_MAP_VDSO_X32 = 8193
ARCH_SET_CPUID = 4114
ARCH_SET_FS = 4098
ARCH_SET_GS = 4097
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
PR_CAPBSET_DROP = 24
PR_CAPBSET_READ = 23
PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_arm.const b/sys/linux/prctl_arm.const
index 11f16c599..1b9433aa4 100644
--- a/sys/linux/prctl_arm.const
+++ b/sys/linux/prctl_arm.const
@@ -8,7 +8,7 @@
# ARCH_SET_CPUID is not set
# ARCH_SET_FS is not set
# ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
PR_CAPBSET_DROP = 24
PR_CAPBSET_READ = 23
PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_arm64.const b/sys/linux/prctl_arm64.const
index 4444c6eb7..ff36679fd 100644
--- a/sys/linux/prctl_arm64.const
+++ b/sys/linux/prctl_arm64.const
@@ -8,7 +8,7 @@
# ARCH_SET_CPUID is not set
# ARCH_SET_FS is not set
# ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
PR_CAPBSET_DROP = 24
PR_CAPBSET_READ = 23
PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_mips64le.const b/sys/linux/prctl_mips64le.const
index 2a4998828..6f837a503 100644
--- a/sys/linux/prctl_mips64le.const
+++ b/sys/linux/prctl_mips64le.const
@@ -8,7 +8,7 @@
# ARCH_SET_CPUID is not set
# ARCH_SET_FS is not set
# ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
PR_CAPBSET_DROP = 24
PR_CAPBSET_READ = 23
PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_ppc64le.const b/sys/linux/prctl_ppc64le.const
index 1ab70e56a..127d8e4aa 100644
--- a/sys/linux/prctl_ppc64le.const
+++ b/sys/linux/prctl_ppc64le.const
@@ -8,7 +8,7 @@
# ARCH_SET_CPUID is not set
# ARCH_SET_FS is not set
# ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
PR_CAPBSET_DROP = 24
PR_CAPBSET_READ = 23
PR_CAP_AMBIENT = 47
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index b4e470608..78604b717 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -182,10 +182,16 @@ restart_syscall()
# Almighty!
ioctl(fd fd, cmd int32, arg buffer[in])
-ioctl$void(fd fd, cmd flags[ioctl_void])
ioctl$int_in(fd fd, cmd flags[ioctl_int_in], v ptr[in, int64])
ioctl$int_out(fd fd, cmd flags[ioctl_int_out], v ptr[out, intptr])
+ioctl$FIOCLEX(fd fd, cmd const[FIOCLEX])
+ioctl$FIONCLEX(fd fd, cmd const[FIONCLEX])
+ioctl$FITHAW(fd fd, cmd const[FITHAW])
+
+# FIFREEZE is disabled because it can easily kill the machine.
+ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (disabled)
+
fcntl$dupfd(fd fd, cmd flags[fcntl_dupfd], arg fd) fd
fcntl$getflags(fd fd, cmd flags[fcntl_getflags])
fcntl$setflags(fd fd, cmd const[F_SETFD], flags flags[fcntl_flags])
@@ -534,7 +540,9 @@ openat$nvme_fabrics(fd const[AT_FDCWD], file ptr[in, string["/dev/nvme-fabrics"]
openat$bsg(fd const[AT_FDCWD], file ptr[in, string["/dev/bsg"]], flags flags[open_flags], mode const[0]) fd
openat$snapshot(fd const[AT_FDCWD], file ptr[in, string["/dev/snapshot"]], flags flags[open_flags], mode const[0]) fd
-_ = SNAPSHOT_FREEZE, SNAPSHOT_UNFREEZE
+
+# SNAPSHOT_FREEZE is disabled because it can easily kill the machine.
+ioctl$SNAPSHOT_FREEZE(fd fd, cmd const[SNAPSHOT_FREEZE]) (disabled)
pipefd {
rfd fd
@@ -957,7 +965,6 @@ flock_type = F_RDLCK, F_WRLCK, F_UNLCK
f_owner_type = F_OWNER_TID, F_OWNER_PID, F_OWNER_PGRP
fcntl_notify = DN_MULTISHOT, DN_ACCESS, DN_MODIFY, DN_CREATE, DN_DELETE, DN_RENAME, DN_ATTRIB
seal_types = F_SEAL_SEAL, F_SEAL_SHRINK, F_SEAL_GROW, F_SEAL_WRITE
-ioctl_void = FIOCLEX, FIONCLEX, FITHAW
ioctl_int_in = FIONBIO, FIOASYNC
ioctl_int_out = FIOQSIZE, FIGETBSZ
fcntl_rw_hint = RWF_WRITE_LIFE_NOT_SET, RWH_WRITE_LIFE_NONE, RWH_WRITE_LIFE_SHORT, RWH_WRITE_LIFE_MEDIUM, RWH_WRITE_LIFE_LONG, RWH_WRITE_LIFE_EXTREME
@@ -973,7 +980,7 @@ _ = STA_PLL, STA_PPSFREQ, STA_PPSTIME, STA_FLL, STA_INS, STA_DEL, STA_UNSYNC, ST
_ = ADJ_OFFSET, ADJ_FREQUENCY, ADJ_MAXERROR, ADJ_ESTERROR, ADJ_STATUS, ADJ_TIMECONST, ADJ_TAI, ADJ_SETOFFSET, ADJ_MICRO, ADJ_NANO, ADJ_TICK, ADJ_OFFSET_SINGLESHOT
# misc
-_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, FIFREEZE, PTRACE_TRACEME, SYSLOG_ACTION_CONSOLE_ON, SYSLOG_ACTION_CONSOLE_OFF, SYSLOG_ACTION_CONSOLE_LEVEL, SYSLOG_ACTION_CLEAR, __NR_mmap2
+_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, PTRACE_TRACEME, SYSLOG_ACTION_CONSOLE_ON, SYSLOG_ACTION_CONSOLE_OFF, SYSLOG_ACTION_CONSOLE_LEVEL, SYSLOG_ACTION_CLEAR, __NR_mmap2
# Hardcode KCOV_REMOTE_ENABLE value for amd64 until new kcov patches reach mainline.
define KCOV_REMOTE_ENABLE 1075340134
diff --git a/sys/linux/sys_386.const b/sys/linux/sys_386.const
index ccb7508c2..e0428f856 100644
--- a/sys/linux/sys_386.const
+++ b/sys/linux/sys_386.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
SIG_SETMASK = 2
SIG_UNBLOCK = 1
SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
SPLICE_F_GIFT = 8
SPLICE_F_MORE = 4
SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_amd64.const b/sys/linux/sys_amd64.const
index 3b43c4ecd..6951cfaf1 100644
--- a/sys/linux/sys_amd64.const
+++ b/sys/linux/sys_amd64.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
SIG_SETMASK = 2
SIG_UNBLOCK = 1
SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
SPLICE_F_GIFT = 8
SPLICE_F_MORE = 4
SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_arm.const b/sys/linux/sys_arm.const
index 531698582..dc2aaf204 100644
--- a/sys/linux/sys_arm.const
+++ b/sys/linux/sys_arm.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
SIG_SETMASK = 2
SIG_UNBLOCK = 1
SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
SPLICE_F_GIFT = 8
SPLICE_F_MORE = 4
SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_arm64.const b/sys/linux/sys_arm64.const
index 49a2f6928..5aff308b0 100644
--- a/sys/linux/sys_arm64.const
+++ b/sys/linux/sys_arm64.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
SIG_SETMASK = 2
SIG_UNBLOCK = 1
SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
SPLICE_F_GIFT = 8
SPLICE_F_MORE = 4
SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_mips64le.const b/sys/linux/sys_mips64le.const
index e4c37f7f7..2fc44fcff 100644
--- a/sys/linux/sys_mips64le.const
+++ b/sys/linux/sys_mips64le.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 1
SIG_SETMASK = 3
SIG_UNBLOCK = 2
SNAPSHOT_FREEZE = 536883969
-SNAPSHOT_UNFREEZE = 536883970
SPLICE_F_GIFT = 8
SPLICE_F_MORE = 4
SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_ppc64le.const b/sys/linux/sys_ppc64le.const
index efddafe61..bc2c1ec9e 100644
--- a/sys/linux/sys_ppc64le.const
+++ b/sys/linux/sys_ppc64le.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
SIG_SETMASK = 2
SIG_UNBLOCK = 1
SNAPSHOT_FREEZE = 536883969
-SNAPSHOT_UNFREEZE = 536883970
SPLICE_F_GIFT = 8
SPLICE_F_MORE = 4
SPLICE_F_MOVE = 1