| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Move the remaining sysctls from image creation scripts into executor.
We have the rest in executor now, and these are captured in reproducers
and are not duplicated.
It seems that ping_group_range was accidentially lost along the way,
re-add it.
|
| |
|
|
|
|
|
|
|
|
|
| |
* pkg/vcs: remove obsolete test script
Per Dmitry, this should have been removed as part of 8f58e4b
("pkg/bisect: switch to kconfig.Minimize").
* all: convert shebang lines to use /usr/bin/env
* Makefile: fix non-portable use of find(1)
|
| |
|
|
|
|
|
|
|
|
| |
to the $KERNEL src
current script hard-coded the basename for the path of kernel source
if the basename of the path for the kernel source code is not "linux",
this script will just abort.
Fix this by using the basename obtained by the basename utility.
|
| |
|
|
|
|
|
|
| |
riscv64 is not yet a released Debian port, so it's hosted by the
debian-ports repository. Add a special case to use debian-ports if the
architecture is riscv64.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When building an i386 image on an x86_64 host, we don't need to use qemu or
check for the presence of an appropriate qemu binfmt_misc configuration.
i386 binaries can run natively, so we also don't need to do debootstrap in
two stages.
Skip qemu checks and run debootstrap in one stage when building i386 on an
x86_64 host.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
| |
Add a mapping from qemu architecture x86_64 to Debian architecture amd64
which I forgot to add earlier.
(Also fix up the indentation to be consistent while we're here.)
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
create-image.sh assumes that the qemu name and the Debian name for the
target architecture are the same. This is not always true.
For comedy and/or historical reasons, Debian refers to 64-bit little
endian PowerPC as ppc64el, whereas qemu and most other things use ppc64le.
Debian refers to aarch64 as arm64, and 32-bit little endian arm as armel.
Add special cases to handle this.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
|
| | |
|
| |
|
|
|
|
| |
Also update sy-env to be able to build the root image inside.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
| |
Add a default udev rule file to the image creation process in
create-gce-image.sh and create-image.sh.
This change creates a default rule to make udev create a custom-named
symlink for the specific vim2m device.
|
| | |
|
| |
|
|
|
|
|
| |
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
|
| |
|
|
| |
It's quite useful for debugging network related stuff.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The usage of current create-image.sh:
```
./create-image.sh -d=stretch -f=minimal --add-perf
The options are in the following:
-d, --distribution Set on which debian distribution to create
-f, --feature Check what packages to install in the image, options are minimal, full
-s, --seek Image size (MB), default 2048 (2G)
-p, --add-perf Add perf support with this option enabled
The default image size may too small (2G) in some debugging scenarios, so change it to configurable.
|
| |
|
|
| |
allow user to provide ADD_PACKAGE and double check if KERNEL is set when perf is enabled
|
| |
|
|
|
| |
The list of packages to install is comma-separated, not space. This
fixes the "-f full" argument to actually install the expected packages.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The usage of current create-image.sh:
```
./create-image.sh -d=stretch -f=minimal --add-perf
The options are in the following:
-d, --distribution Set on which debian distribution to create
-f, --feature Check what packages to install in the image, options are minimal, full
-p, --add-perf Add perf support with this option enabled
The default image is stretch with minimal feature, without perf.
|
| | |
|
| |
|
|
|
|
|
| |
This updates the image creation tool to use Debian stretch (current stable)
instead of wheezy, which is very out of date. The only change needed here
was a hint to systemd to make the root filesystem read-write after booting.
Documentation has also been updated.
|
| |
|
|
|
|
|
| |
Upstream "selinux: fix mounting of cgroup2 under older policies"
commit fixes mounting of cgroup2 under wheezy selinux policy.
So don't disable selinux on start.
Create separate cmdline arguments that enable selinux and apparmor.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I had missed that once hardening is enabled, it automatically disables
any exposure of JITed addresses, therefore when crashes or warnings are
thrown we don't unwind beyond a helper function. For now disable hardening.
After merge window I'll see if it's possible to detangle the case where
kernel queries kallsyms internally to find function names whenever a WARN
or BUG is thrown. If that's not possible easily, we can potentially add a
harden mode 3 which does hardening but does not disable kallsyms exposure
and then set this here for tools like syzkaller.
Fixes: ac9b19d2e435 ("bpf: enable hardening mode 1 for jited images")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[dvyukov: also updated dashboard/config/upstream.sysctl]
|
| |
|
|
|
|
|
|
| |
This will harden non-root programs from kernel side, but not
root-only ones. Helps also to increase coverage a bit since
syzkaller generates programs for both cases.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
| |
|
|
|
|
|
| |
Helps syzkaller in particular for unwinding full stack in case
of warnings or crashes.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
| |
|
| |
watchdog_thresh is capped at 60, so 120 causes EINVAL.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
The comments were unintentionally committed in a previous commit.
|
| | |
|
| |
|
|
| |
Uncomment unintentionally commented out lines from a previous commit.
|
| |
|
|
| |
These packages are required to actually activate selinux during boot.
|
| |
|
|
|
| |
1G does not seem to be enough.
Create 2G images as we do in create-gce-image.sh.
|
| | |
|
| |
|
|
| |
Move few additional settings from create-gce-image.sh to create-image.sh.
|
| | |
|
| | |
|
| |
|
|
| |
+ raise console output level, otherwise stack traces may be dropped
|
| |
|
|
| |
Checkout necessary packages during debootstrap instead of a separate step.
|
| | |
|
| |
|
|
|
| |
bpf_jit_enable = 2 causes printing of all programs to console.
Produces lots of output and is not very useful. Disable it.
|
| |
|
|
| |
JIT should be more interesting to fuzz.
|
| |
|
|
|
|
|
|
|
|
|
| |
create-image.sh adds the string "V0:23:respawn:/sbin/getty 115200 hvc0" to inittab
of a virtual machine, but a fresh debian-wheezy doesn't have a hvc0 device.
So getty fails to start and respawns over and over again:
INIT: Id "V0" respawning too fast: disabled for 5 minutes
Let's fix create-image.sh to have a working VM terminal.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
|
| |
|
|
|
| |
An error in the multi-line string results in apt-get install not running in
create-image.sh, this fixes that.
|
| |
|
|
|
|
|
| |
When chroot'ing into the generated debian rootfs PATH is inherited from the host
and assumed to reference each of: /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin and /usr/local/sbin. Not all distros use all of these, so enforce
these in the chroot command.
|
| |
|
