From 3ad490ea48468e50fe91f6f6b2ca4cbc74d924bf Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh
Date: Mon, 18 Dec 2023 11:58:39 +0100
Subject: executor: introduce syz_pidfd_open()

This kernel interface provides access to fds of other processes, which is readily abused by the fuzzer to mangle parent syz-executor fds. Pid=1 is the parent syz-executor process when PID namespace is created. Sanitize it in the new syz_pidfd_open() pseudo-syscall. We could not patch the argument in sys/linux/init.go because the first argument is a resource.
---
 executor/common_linux.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'executor/common_linux.h')

diff --git a/executor/common_linux.h b/executor/common_linux.h
index 2f10ae3d6..85f9b966a 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -5655,3 +5655,21 @@ static void setup_swap()
 }
 #endif
+
+#if SYZ_EXECUTOR || __NR_syz_pidfd_open
+#include 
+
+// TODO: long-term we should improve our sandboxing rules since there are also
+// many other opportunities for a fuzzer process to access what it shouldn't.
+// Here we only shut down one of the recently discovered ways.
+static long syz_pidfd_open(volatile long pid, volatile long flags)
+{
+	if (pid == 1) {
+		// Under a PID namespace, pid=1 is the parent process.
+		// We don't want a forked child to mangle parent syz-executor's fds.
+		pid = 0;
+	}
+	return syscall(__NR_pidfd_open, pid, flags);
+}
+
+#endif
--
cgit mrf-deployment
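Review bot: The guard `if (pid == 1)` silently depends on a PID namespace having been created; when the executor runs without one the parent has an ordinary pid and the rewrite never fires, which the comment should state, e.g. `// Only effective when the sandbox created a PID namespace; otherwise the parent has a regular pid.` It is also worth documenting why 0 is the replacement value: as far as I recall pidfd_open(2) rejects a non-positive pid with EINVAL, so the sanitized call fails outright instead of being redirected to some other process — a one-line comment next to `pid = 0;` would make that intent explicit. If the program-executing process is always a direct child of the parent syz-executor, comparing against `getppid()` in addition to the literal 1 would make the check independent of the namespace layout; confirm how the sandbox forks before relying on it. The `+#include ` line has lost its header name in this rendering, so verify that the real patch names the header that provides `syscall()` and `__NR_pidfd_open`.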