From 98f4a9612dd54429b3f92dccf631fdfa4f9018f3 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 17 Sep 2018 11:39:04 +0200
Subject: executor: make sandboxes more modular

Currently we have a global fixed set of sandboxes, which makes it hard to add new OS-specific ones (all OSes need to updated to say that they don't support this sandbox). Let it each OS say what sandboxes it supports instead.
---
 executor/common_akaros.h | 6 ------
 executor/common_bsd.h | 6 ------
 executor/common_fuchsia.h | 6 ------
 executor/common_linux.h | 3 +++
 executor/common_test.h | 6 ------
 executor/common_windows.h | 6 ------
 executor/executor.cc | 6 ++++++
 7 files changed, 9 insertions(+), 30 deletions(-)

(limited to 'executor')

diff --git a/executor/common_akaros.h b/executor/common_akaros.h
index 8d83749dc..ead67c36c 100644
--- a/executor/common_akaros.h
+++ b/executor/common_akaros.h
@@ -33,9 +33,3 @@ void child()
 doexit(0);
 }
 #endif
-
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
diff --git a/executor/common_bsd.h b/executor/common_bsd.h
index 49c6b36de..63ae6c1d1 100644
--- a/executor/common_bsd.h
+++ b/executor/common_bsd.h
@@ -14,12 +14,6 @@ static int do_sandbox_none(void)
 }
 #endif
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
-
 #if GOOS_openbsd
 #define __syscall syscall
diff --git a/executor/common_fuchsia.h b/executor/common_fuchsia.h
index fb08aa2a0..d232f2a14 100644
--- a/executor/common_fuchsia.h
+++ b/executor/common_fuchsia.h
@@ -241,12 +241,6 @@ static int do_sandbox_none(void)
 }
 #endif
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
-
 // Ugly way to work around gcc's "error: function called through a non-compatible type".
 // The macro is used in generated C code.
 #define CAST(f) ({void* p = (void*)f; p; })
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 5ae770800..02c1eb82e 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1561,6 +1561,7 @@ static int do_sandbox_none(void)
 #include
 #include
+#define SYZ_HAVE_SANDBOX_SETUID 1
 static int do_sandbox_setuid(void)
 {
 if (unshare(CLONE_NEWPID)) {
@@ -1722,6 +1723,7 @@ static int namespace_sandbox_proc(void* arg)
 doexit(1);
 }
+#define SYZ_HAVE_SANDBOX_NAMESPACE 1
 static int do_sandbox_namespace(void)
 {
 int pid;
@@ -1844,6 +1846,7 @@ static void syz_setfilecon(const char* path, const char* context)
 fail("setfilecon: could not set context to %s, currently %s", context, new_context);
 }
+#define SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP 1
 static int do_sandbox_android_untrusted_app(void)
 {
 setup_common();
diff --git a/executor/common_test.h b/executor/common_test.h
index dc162a833..51b135377 100644
--- a/executor/common_test.h
+++ b/executor/common_test.h
@@ -56,9 +56,3 @@ static int do_sandbox_none(void)
 doexit(0);
 }
 #endif
-
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
diff --git a/executor/common_windows.h b/executor/common_windows.h
index 2a89ea469..d6b786ac1 100644
--- a/executor/common_windows.h
+++ b/executor/common_windows.h
@@ -111,9 +111,3 @@ static int do_sandbox_none(void)
 doexit(0);
 }
 #endif
-
-#if SYZ_EXECUTOR
-#define do_sandbox_setuid() 0
-#define do_sandbox_namespace() 0
-#define do_sandbox_android_untrusted_app() 0
-#endif
diff --git a/executor/executor.cc b/executor/executor.cc
index 2244cc797..fca80e9be 100644
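Review bot: The new `SYZ_HAVE_SANDBOX_SETUID` define in executor/common_linux.h (hunk at -1561) carries no comment, and only the matching name ties it to the `#if` in executor.cc that compiles the `sandbox_setuid` case in; the same holds for `SYZ_HAVE_SANDBOX_NAMESPACE` (-1722) and `SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP` (-1844). I would add above each one a line such as `// Tells executor.cc that this OS implements do_sandbox_setuid(); without it the case is compiled out and the request fails.` Each define sits directly above its function, but the preprocessor guard around that function starts outside these hunks, so it is worth confirming that define and function are always compiled in or out together.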
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -364,15 +364,21 @@ int main(int argc, char** argv)
 case sandbox_none:
 status = do_sandbox_none();
 break;
+#if SYZ_HAVE_SANDBOX_SETUID
 case sandbox_setuid:
 status = do_sandbox_setuid();
 break;
+#endif
+#if SYZ_HAVE_SANDBOX_NAMESPACE
 case sandbox_namespace:
 status = do_sandbox_namespace();
 break;
+#endif
+#if SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP
 case sandbox_android_untrusted_app:
 status = do_sandbox_android_untrusted_app();
 break;
+#endif
 default:
 fail("unknown sandbox type");
 }
-- 
cgit mrf-deployment
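Review bot: The `default:` branch still says `unknown sandbox type`, yet with the new guards it is also where a known sandbox lands when the target OS does not define its `SYZ_HAVE_SANDBOX_*` macro. Failing there is the safer outcome, since the stubs this commit removes made an unsupported sandbox evaluate to 0 instead of stopping, but the message should name both cases, e.g. `fail("unknown or unsupported sandbox type");`, so a run that asked for isolation the OS cannot give is easy to tell apart from a corrupted flag. The guards also rely on `#if` treating an undefined macro as 0, which is valid but warns under `-Wundef`; `#ifdef SYZ_HAVE_SANDBOX_SETUID` would be quieter. The `switch` and `main` start and end outside the hunk.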