From 856815515a7a8d05b7ee511c95ca189e41927b4d Mon Sep 17 00:00:00 2001
From: Nick Biryulin
Date: Wed, 22 Jan 2025 22:23:44 +0300
Subject: executor: mount /syz-inputs dir to fuzzing sandbox

Syzkaller allows user to specify filepath arguments in syscalls via globs. However, on linux, you are effectivly limited to some /sys and /dev paths due to sandboxing. With this change, user can supply their custom fuzzing artifacts to /syz-inputs to use those in globs. They are mounted read-only to increase reproducibility.
---
 executor/common_linux.h | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'executor')

diff --git a/executor/common_linux.h b/executor/common_linux.h
index 635fc25ad..3cf9b87af 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3953,6 +3953,16 @@ static void sandbox_common_mount_tmpfs(void)
 fail("mount(smackfs) failed");
 if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
 fail("mount(binfmt_misc) failed");
+
+ // If user wants to supply custom inputs, those can be placed to /syz-inputs
+ // That folder will be mounted to fuzzer sandbox
+ // https://groups.google.com/g/syzkaller/c/U-DISFjKLzg
+ if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
+ fail("mkdir(/syz-inputs) failed");
+
+ if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
+ fail("mount(syz-inputs) failed");
+
 #if SYZ_EXECUTOR || SYZ_CGROUPS
 initialize_cgroups();
 #endif
--
cgit mrf-deployment
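Review bot: The `MS_RDONLY` added to the bind mount of `/syz-inputs` most likely has no effect, so the directory is not actually read-only inside the sandbox as the commit message promises. Per mount(2), when `MS_BIND` is set the other mount flags except `MS_REC` are ignored on the initial call, and `bind_mount_flags` (defined outside this hunk) presumably carries `MS_BIND`; fuzzed programs could then modify the host-side inputs. Making a bind mount read-only needs a second call with `MS_REMOUNT | MS_BIND | MS_RDONLY`, run only when the first mount succeeded, as sketched below. Note that the remount covers only the top mount, so anything mounted beneath `/syz-inputs` would keep its own flags if the bind is recursive. `sandbox_common_mount_tmpfs` starts and ends outside the hunk.

```c
	// … unchanged: mkdir("./syz-tmp/newroot/syz-inputs", 0700) and its fail() …

	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags, NULL)) {
		// A missing /syz-inputs on the host is fine: the feature is optional.
		if (errno != ENOENT)
			fail("mount(syz-inputs) failed");
	} else if (mount(NULL, "./syz-tmp/newroot/syz-inputs", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL)) {
		// MS_RDONLY is ignored on the initial bind; it takes effect only on a bind remount.
		fail("remount(syz-inputs, read-only) failed");
	}
```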