authorDmitry Vyukov <dvyukov@google.com>2021-02-07 16:44:01 +0100
committerDmitry Vyukov <dvyukov@google.com>2021-02-08 21:15:26 +0100
commit31a5cb08390f7ae45c40c79345c4ce5d17ac66bf (patch)
tree31bce1afc75eb9d54ca4f591e0ed585b851617a3
parentbd8ccb52edfe3e1beee2fb9c3c5cc83a56d2800b (diff)
vm/qemu: restrict network access
Restrict access to the external network from within the VM, and restrict access to the VM's SSH port to the local interface only. Fixes #332
-rwxr-xr-xvm/isolated/isolated.go7
-rw-r--r--vm/qemu/qemu.go68
-rw-r--r--vm/vmimpl/util.go14
3 files changed, 47 insertions, 42 deletions
diff --git a/vm/isolated/isolated.go b/vm/isolated/isolated.go
index e62548e54..3d69683e9 100755
--- a/vm/isolated/isolated.go
+++ b/vm/isolated/isolated.go
@@ -368,12 +368,7 @@ func (inst *instance) Run(timeout time.Duration, stop <-chan bool, command strin
return nil, nil, err
}
- args = vmimpl.SSHArgs(inst.debug, inst.sshKey, inst.targetPort)
- // Forward target port as part of the ssh connection (reverse proxy)
- if inst.forwardPort != 0 {
- proxy := fmt.Sprintf("%v:127.0.0.1:%v", inst.forwardPort, inst.forwardPort)
- args = append(args, "-R", proxy)
- }
+ args = vmimpl.SSHArgsForward(inst.debug, inst.sshKey, inst.targetPort, inst.forwardPort)
if inst.cfg.Pstore {
args = append(args, "-o", "ServerAliveInterval=6")
args = append(args, "-o", "ServerAliveCountMax=5")
diff --git a/vm/qemu/qemu.go b/vm/qemu/qemu.go
index 9c4c2f525..cf36990fc 100644
--- a/vm/qemu/qemu.go
+++ b/vm/qemu/qemu.go
@@ -23,10 +23,6 @@ import (
"github.com/google/syzkaller/vm/vmimpl"
)
-const (
- hostAddr = "10.0.2.10"
-)
-
func init() {
vmimpl.Register("qemu", ctor, true)
}
@@ -69,28 +65,29 @@ type Pool struct {
}
type instance struct {
- index int
- cfg *Config
- target *targets.Target
- archConfig *archConfig
- image string
- debug bool
- os string
- workdir string
- sshkey string
- sshuser string
- timeouts targets.Timeouts
- port int
- monport int
- mon net.Conn
- monEnc *json.Encoder
- monDec *json.Decoder
- rpipe io.ReadCloser
- wpipe io.WriteCloser
- qemu *exec.Cmd
- merger *vmimpl.OutputMerger
- files map[string]string
- diagnose chan bool
+ index int
+ cfg *Config
+ target *targets.Target
+ archConfig *archConfig
+ image string
+ debug bool
+ os string
+ workdir string
+ sshkey string
+ sshuser string
+ timeouts targets.Timeouts
+ port int
+ monport int
+ forwardPort int
+ mon net.Conn
+ monEnc *json.Encoder
+ monDec *json.Decoder
+ rpipe io.ReadCloser
+ wpipe io.WriteCloser
+ qemu *exec.Cmd
+ merger *vmimpl.OutputMerger
+ files map[string]string
+ diagnose chan bool
}
type archConfig struct {
@@ -407,7 +404,7 @@ func (inst *instance) boot() error {
args = append(args, splitArgs(inst.cfg.QemuArgs, templateDir, inst.index)...)
args = append(args,
"-device", inst.cfg.NetDev+",netdev=net0",
- "-netdev", fmt.Sprintf("user,id=net0,host=%v,hostfwd=tcp::%v-:22", hostAddr, inst.port))
+ "-netdev", fmt.Sprintf("user,id=net0,restrict=on,hostfwd=tcp:127.0.0.1:%v-:22", inst.port))
if inst.image == "9p" {
args = append(args,
"-fsdev", "local,id=fsdev0,path=/,security_model=none,readonly",
@@ -518,11 +515,16 @@ func splitArgs(str, templateDir string, index int) (args []string) {
}
func (inst *instance) Forward(port int) (string, error) {
- addr := hostAddr
- if inst.target.HostFuzzer {
- addr = "127.0.0.1"
+ if port == 0 {
+ return "", fmt.Errorf("vm/qemu: forward port is zero")
+ }
+ if !inst.target.HostFuzzer {
+ if inst.forwardPort != 0 {
+ return "", fmt.Errorf("vm/qemu: forward port already set")
+ }
+ inst.forwardPort = port
}
- return fmt.Sprintf("%v:%v", addr, port), nil
+ return fmt.Sprintf("localhost:%v", port), nil
}
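Review bot: Forward now only records inst.forwardPort (line `inst.forwardPort = port`), and the reverse tunnel itself is created by the ssh invocation in Run via vmimpl.SSHArgsForward, so the returned `localhost:port` address is reachable from the guest only for ssh sessions started after Forward was called; I cannot see the callers here, so if a Run may already be in flight that ordering is a silent failure rather than an error. The method has no doc comment stating this contract; suggest `// Forward registers port to be reverse-forwarded from the guest to the host loopback by the ssh session that Run starts; it must be called before Run. With restrict=on the guest cannot reach the host directly, so this tunnel is the only path back to the host.` Relatedly, the netdev line in the boot hunk above would benefit from a one-line why-comment, e.g. `// restrict=on isolates the guest from the host and external network; hostfwd binds the guest's sshd to the host loopback only.`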
func (inst *instance) targetDir() string {
@@ -568,11 +570,11 @@ func (inst *instance) Run(timeout time.Duration, stop <-chan bool, command strin
}
inst.merger.Add("ssh", rpipe)
- sshArgs := vmimpl.SSHArgs(inst.debug, inst.sshkey, inst.port)
+ sshArgs := vmimpl.SSHArgsForward(inst.debug, inst.sshkey, inst.port, inst.forwardPort)
args := strings.Split(command, " ")
if bin := filepath.Base(args[0]); inst.target.HostFuzzer &&
(bin == "syz-fuzzer" || bin == "syz-execprog") {
- // Weird mode for akaros.
+ // Weird mode for fuchsia and akaros.
// Fuzzer and execprog are on host (we did not copy them), so we will run them as is,
// but we will also wrap executor with ssh invocation.
for i, arg := range args {
diff --git a/vm/vmimpl/util.go b/vm/vmimpl/util.go
index 47340ccde..9a007b386 100644
--- a/vm/vmimpl/util.go
+++ b/vm/vmimpl/util.go
@@ -56,14 +56,18 @@ func WaitForSSH(debug bool, timeout time.Duration, addr, sshKey, sshUser, OS str
}
func SSHArgs(debug bool, sshKey string, port int) []string {
- return sshArgs(debug, sshKey, "-p", port)
+ return sshArgs(debug, sshKey, "-p", port, 0)
+}
+
+func SSHArgsForward(debug bool, sshKey string, port, forwardPort int) []string {
+ return sshArgs(debug, sshKey, "-p", port, forwardPort)
}
func SCPArgs(debug bool, sshKey string, port int) []string {
- return sshArgs(debug, sshKey, "-P", port)
+ return sshArgs(debug, sshKey, "-P", port, 0)
}
-func sshArgs(debug bool, sshKey, portArg string, port int) []string {
+func sshArgs(debug bool, sshKey, portArg string, port, forwardPort int) []string {
args := []string{
portArg, fmt.Sprint(port),
"-F", "/dev/null",
@@ -76,6 +80,10 @@ func sshArgs(debug bool, sshKey, portArg string, port int) []string {
if sshKey != "" {
args = append(args, "-i", sshKey)
}
+ if forwardPort != 0 {
+ // Forward target port as part of the ssh connection (reverse proxy).
+ args = append(args, "-R", fmt.Sprintf("%v:127.0.0.1:%v", forwardPort, forwardPort))
+ }
if debug {
args = append(args, "-v")
}
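Review bot: SSHArgsForward is exported but has no doc comment, and the meaning of forwardPort == 0 (no tunnel) is only discoverable by reading sshArgs; suggest `// SSHArgsForward returns the same ssh arguments as SSHArgs and additionally asks the remote sshd to reverse-forward forwardPort to the same port on the host loopback; forwardPort == 0 disables the tunnel.` On the `-R %v:127.0.0.1:%v` line, the guest-side listener has no bind address, so which guest interfaces it listens on is decided by the guest sshd's GatewayPorts setting (loopback only by default); the comment on that line could say so, e.g. `// Forward target port as part of the ssh connection (reverse proxy); the guest-side listener binds per sshd's GatewayPorts (loopback by default).` The enclosing sshArgs function starts outside this hunk.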