From 9a518853aaea13e0a60411b7be7d3ff1f05962de Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Wed, 30 Jul 2025 10:44:47 +0200
Subject: pkg/flatrpc, pkg/vminfo, executor: introduce readonly coverage
Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the coverage buffer on the kernel side. This, in turn, allows us to map the coverage buffer read-only, which will prevent all sorts of userspace-generated corruptions at a cost of an extra syscall per program execution. The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on read-only coverage in the executor. It is enabled by default if FeatureKcovResetIoctl is on.
---
 executor/executor.cc | 2 ++
 1 file changed, 2 insertions(+) (limited to 'executor/executor.cc')
diff --git a/executor/executor.cc b/executor/executor.cc
index a262bff83..25fba22e7 100644
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -257,6 +257,7 @@ static uint64 start_time_ms = 0;
 static bool flag_debug;
 static bool flag_snapshot;
 static bool flag_coverage;
+static bool flag_read_only_coverage;
 static bool flag_sandbox_none;
 static bool flag_sandbox_setuid;
 static bool flag_sandbox_namespace;
@@ -777,6 +778,7 @@ void parse_handshake(const handshake_req& req)
 slowdown_scale = req.slowdown_scale;
 flag_debug = (bool)(req.flags & rpc::ExecEnv::Debug);
 flag_coverage = (bool)(req.flags & rpc::ExecEnv::Signal);
+ flag_read_only_coverage = (bool)(req.flags & rpc::ExecEnv::ReadOnlyCoverage);
 flag_sandbox_none = (bool)(req.flags & rpc::ExecEnv::SandboxNone);
 flag_sandbox_setuid = (bool)(req.flags & rpc::ExecEnv::SandboxSetuid);
 flag_sandbox_namespace = (bool)(req.flags & rpc::ExecEnv::SandboxNamespace);
-- 
cgit mrf-deployment
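Review bot: The new `flag_read_only_coverage` global in the first hunk is declared without a comment, and its name alone does not tell a reader how it differs from `flag_coverage` or what it requires. Going by the commit message, it depends on the kernel supporting `ioctl(KCOV_RESET_TRACE)` and changes who is allowed to clear the buffer, so I would add `// Map the kcov buffer read-only; it is then reset via ioctl(KCOV_RESET_TRACE) instead of a userspace write.` above the declaration. The block of flag declarations continues outside the hunk.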
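Review bot: In the `parse_handshake` hunk, `flag_read_only_coverage` is taken straight from `req.flags` with no check against `flag_coverage` and no check on the executor side that the running kernel has the reset ioctl. The commit message says the flag is only enabled when FeatureKcovResetIoctl is on, but the code that reads the flag is not part of this file's diff. It is worth confirming there that a failed reset ioctl is a hard failure, not a silent continue with a read-only buffer that was never cleared, since that would presumably mix coverage from one program into the next. A short comment on the new line, such as `// Set only when the kernel supports KCOV_RESET_TRACE (FeatureKcovResetIoctl).`, would record the assumption. `parse_handshake`'s body starts and ends outside the hunk.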