From 0eca949a6c271b879d582e01c3d1d79dc704172c Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Mon, 17 Sep 2018 04:33:11 -0500
Subject: RFC: android: Add support for untrusted_app sandboxing (#697)

executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts syz-executor to the privileges which are available to third-party applications, e.g. those installed from the Google Play store. In particular, this uses the UID space reserved for applications (instead of the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534) as well as a set of groups which the Android-specific kernels are aware of, and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few functions that are needed to change the context of the current process, and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
---
 pkg/host/host.go | 18 ++++++++++--------
 pkg/host/host_linux.go | 8 ++++++++
 2 files changed, 18 insertions(+), 8 deletions(-)
(limited to 'pkg/host')
diff --git a/pkg/host/host.go b/pkg/host/host.go
index d048b2ade..b23dd9ab2 100644
--- a/pkg/host/host.go
+++ b/pkg/host/host.go
@@ -47,6 +47,7 @@ const (
 FeatureComparisons
 FeatureSandboxSetuid
 FeatureSandboxNamespace
+ FeatureSandboxAndroidUntrustedApp
 FeatureFaultInjection
 FeatureLeakChecking
 FeatureNetworkInjection
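Review bot: FeatureSandboxAndroidUntrustedApp is inserted in the middle of what appears to be an iota-numbered const block, so every feature after it (FeatureFaultInjection, FeatureLeakChecking, FeatureNetworkInjection and the rest) silently takes a new numeric value. That is harmless if the values are only used as in-process indices, but if they are serialized, handed to syz-executor, or compared across syzkaller builds, the renumbering breaks the encoding; the hunk alone does not show which is the case. Appending the new constant after the last existing feature, or a comment on the block stating that the order is not part of any wire format, would settle it.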
@@ -74,14 +75,15 @@ func unconditionallyEnabled() string { return "" }
 func Check(target *prog.Target) (*Features, error) {
 const unsupported = "support is not implemented in syzkaller"
 res := &Features{
- FeatureCoverage: {Name: "code coverage", Reason: unsupported},
- FeatureComparisons: {Name: "comparison tracing", Reason: unsupported},
- FeatureSandboxSetuid: {Name: "setuid sandbox", Reason: unsupported},
- FeatureSandboxNamespace: {Name: "namespace sandbox", Reason: unsupported},
- FeatureFaultInjection: {Name: "fault injection", Reason: unsupported},
- FeatureLeakChecking: {Name: "leak checking", Reason: unsupported},
- FeatureNetworkInjection: {Name: "net packed injection", Reason: unsupported},
- FeatureNetworkDevices: {Name: "net device setup", Reason: unsupported},
+ FeatureCoverage: {Name: "code coverage", Reason: unsupported},
+ FeatureComparisons: {Name: "comparison tracing", Reason: unsupported},
+ FeatureSandboxSetuid: {Name: "setuid sandbox", Reason: unsupported},
+ FeatureSandboxNamespace: {Name: "namespace sandbox", Reason: unsupported},
+ FeatureSandboxAndroidUntrustedApp: {Name: "Android sandbox", Reason: unsupported},
+ FeatureFaultInjection: {Name: "fault injection", Reason: unsupported},
+ FeatureLeakChecking: {Name: "leak checking", Reason: unsupported},
+ FeatureNetworkInjection: {Name: "net packed injection", Reason: unsupported},
+ FeatureNetworkDevices: {Name: "net device setup", Reason: unsupported},
 }
 if target.OS == "akaros" || target.OS == "test" {
 return res, nil
diff --git a/pkg/host/host_linux.go b/pkg/host/host_linux.go
index 3386113ee..8214b35af 100644
--- a/pkg/host/host_linux.go
+++ b/pkg/host/host_linux.go
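Review bot: The display name `"Android sandbox"` on the new FeatureSandboxAndroidUntrustedApp entry breaks the pattern of its neighbours, which name the sandbox the way it is spelled in the config (`"setuid sandbox"`, `"namespace sandbox"`). This string is what an operator sees when the feature check reports a reason, so `Name: "android_untrusted_app sandbox"` would make it easier to connect the message to the `sandbox` config value the commit introduces. Check's body continues outside the hunk.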
@@ -325,6 +325,7 @@ func init() {
 checkFeature[FeatureComparisons] = checkComparisons
 checkFeature[FeatureSandboxSetuid] = unconditionallyEnabled
 checkFeature[FeatureSandboxNamespace] = checkSandboxNamespace
+ checkFeature[FeatureSandboxAndroidUntrustedApp] = checkSandboxAndroidUntrustedApp
 checkFeature[FeatureFaultInjection] = checkFaultInjection
 setupFeature[FeatureFaultInjection] = setupFaultInjection
 checkFeature[FeatureLeakChecking] = checkLeakChecking
@@ -566,6 +567,13 @@ func checkSandboxNamespace() string {
 return ""
 }
 
+func checkSandboxAndroidUntrustedApp() string {
+ if err := osutil.IsAccessible("/sys/fs/selinux/policy"); err != nil {
+ return err.Error()
+ }
+ return ""
+ }
+
 func checkNetworkInjection() string {
 if err := osutil.IsAccessible("/dev/net/tun"); err != nil {
 return err.Error()
-- 
cgit mrf-deployment
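Review bot: checkSandboxAndroidUntrustedApp treats a readable `/sys/fs/selinux/policy` as proof that the android_untrusted_app sandbox can work, but that only shows selinuxfs is mounted; it says nothing about whether the kernel is an Android one with the application UID/GID ranges the commit message relies on, so a generic SELinux-enabled Linux host would pass this check and then fail later when the executor tries to drop to the app identity and switch context. Consider also probing whatever Android-specific marker the executor side actually depends on (not visible in this diff), so the feature is reported as unsupported early with a clear reason rather than as a runtime failure. Whatever the probe ends up being, a doc comment stating its limits would help, e.g. `// checkSandboxAndroidUntrustedApp only verifies that the SELinux policy is readable; it does not confirm an Android UID/GID layout.`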