From 22968d01cc9189de5506bf05739b8715c4edae3f Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Wed, 31 Dec 2025 10:26:06 +0100
Subject: sys/linux: enable some disabled syscalls in snapshot mode

Enable some previously disabled syscalls in snapshot mode that look safe for snapshot mode. In snapshot mode we don't rely on the actual networking, and should be able to survive runner process kills, and disk shutdown.
---
sys/linux/bpf_trace.txt | 6 ++++--
sys/linux/dev_snapshot.txt | 6 +++---
sys/linux/fs_ioctl_ext4.txt | 4 ++--
sys/linux/fs_ioctl_f2fs.txt | 2 +-
sys/linux/sys.txt | 8 ++++----
sys/linux/sys.txt.const | 1 +
6 files changed, 15 insertions(+), 12 deletions(-)
(limited to 'sys/linux')

diff --git a/sys/linux/bpf_trace.txt b/sys/linux/bpf_trace.txt
index 9ee5334af..d358ca181 100644
--- a/sys/linux/bpf_trace.txt
+++ b/sys/linux/bpf_trace.txt
@@ -15,8 +15,10 @@ syz_btf_id_by_name$bpf_lsm(name ptr[in, string[bpf_lsm_func_names]]) bpf_lsm_btf
 bpf$BPF_PROG_WITH_BTFID_LOAD(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog_with_btfid], size len[arg]) fd_bpf_prog_with_btfid (timeout[500])
 bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog_raw_tracepoint], size len[arg]) fd_bpf_prog_raw_tracepoint (timeout[500])
-bpf$BPF_RAW_TRACEPOINT_OPEN_UNNAMED(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint_unnamed], size len[arg]) fd_perf_base (timeout[500])
-bpf$BPF_RAW_TRACEPOINT_OPEN(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint], size len[arg]) fd_perf_base (timeout[500])
+# BPF programs attached to random tracepoints can kill any process (including the executor runner process),
+# leading to false "lost connection" crashes. So we enable them only in snapshot mode.
+bpf$BPF_RAW_TRACEPOINT_OPEN_UNNAMED(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint_unnamed], size len[arg]) fd_perf_base (snapshot, timeout[500])
+bpf$BPF_RAW_TRACEPOINT_OPEN(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint], size len[arg]) fd_perf_base (snapshot, timeout[500])
 bpf_prog_with_btfid [
 bpf_lsm bpf_lsm_prog
diff --git a/sys/linux/dev_snapshot.txt b/sys/linux/dev_snapshot.txt
index 0d06459c4..435727192 100644
--- a/sys/linux/dev_snapshot.txt
+++ b/sys/linux/dev_snapshot.txt
@@ -11,9 +11,9 @@ openat$snapshot(fd const[AT_FDCWD], file ptr[in, string["/dev/snapshot"]], flags
 write$snapshot(fd fd_snapshot, buffer ptr[in, array[int8]], len bytesize[buffer])
 read$snapshot(fd fd_snapshot, buffer ptr[out, array[int8]], len bytesize[buffer])
-# These are disabled because they can easily kill the machine.
-ioctl$SNAPSHOT_FREEZE(fd fd_snapshot, cmd const[SNAPSHOT_FREEZE]) (disabled)
-ioctl$SNAPSHOT_POWER_OFF(fd fd_snapshot, cmd const[SNAPSHOT_POWER_OFF]) (disabled)
+# These are enabled only in snapshot mode because they can easily kill the machine.
+ioctl$SNAPSHOT_FREEZE(fd fd_snapshot, cmd const[SNAPSHOT_FREEZE]) (snapshot)
+ioctl$SNAPSHOT_POWER_OFF(fd fd_snapshot, cmd const[SNAPSHOT_POWER_OFF]) (snapshot)
 ioctl$SNAPSHOT_UNFREEZE(fd fd_snapshot, cmd const[SNAPSHOT_UNFREEZE])
 ioctl$SNAPSHOT_CREATE_IMAGE(fd fd_snapshot, cmd const[SNAPSHOT_CREATE_IMAGE], arg ptr[out, int32])
diff --git a/sys/linux/fs_ioctl_ext4.txt b/sys/linux/fs_ioctl_ext4.txt
index 7993d7cf7..c883ce8fb 100644
--- a/sys/linux/fs_ioctl_ext4.txt
+++ b/sys/linux/fs_ioctl_ext4.txt
@@ -24,13 +24,13 @@ ext4_checkpoint_flags = EXT4_IOC_CHECKPOINT_FLAG_DISCARD, EXT4_IOC_CHECKPOINT_FL
 # EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
 # Fortunately, the value does not conflict with any other ioctl commands for now.
-ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN]) (disabled)
+ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN]) (snapshot)
 # EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size)
 # and then creation of new temp dirs for tests will fail.
 # TODO: not necessary for sandbox=namespace as it tests in a tmpfs
 # and/or if we mount tmpfs for sandbox=none (#971).
-ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS]) (disabled)
+ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS]) (snapshot)
 ext4_new_group_input {
 group int32
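Review bot: The comments kept above `ioctl$EXT4_IOC_SHUTDOWN` and `ioctl$EXT4_IOC_RESIZE_FS` still describe only the hazard and say nothing about the `(snapshot)` attribute that now replaces `(disabled)`, while the dev_snapshot.txt and sys.txt hunks of this commit rewrote their comments to state "enabled only in snapshot mode". A reader of this file alone cannot tell why a call documented as bringing the machine down is enabled at all. Suggest ending the first comment with `# EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways, so it's enabled only in snapshot mode.` and closing the RESIZE_FS block with `# Enabled only in snapshot mode.` after the existing TODO. The same applies to the F2FS_IOC_SHUTDOWN hunk in fs_ioctl_f2fs.txt, whose unchanged comment has the same wording.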
diff --git a/sys/linux/fs_ioctl_f2fs.txt b/sys/linux/fs_ioctl_f2fs.txt
index c89496eff..10dfbbb39 100644
--- a/sys/linux/fs_ioctl_f2fs.txt
+++ b/sys/linux/fs_ioctl_f2fs.txt
@@ -33,7 +33,7 @@ ioctl$F2FS_IOC_COMPRESS_FILE(fd fd, cmd const[F2FS_IOC_COMPRESS_FILE], arg const
 # F2FS_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
 # Fortunately, the value does not conflict with any other ioctl commands for now.
-ioctl$F2FS_IOC_SHUTDOWN(fd fd, cmd const[F2FS_IOC_SHUTDOWN], args ptr[in, flags[f2fs_shutdown_flag, int32]]) (disabled)
+ioctl$F2FS_IOC_SHUTDOWN(fd fd, cmd const[F2FS_IOC_SHUTDOWN], args ptr[in, flags[f2fs_shutdown_flag, int32]]) (snapshot)
 f2fs_gc_range {
 sync bool32
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 947be41ab..7f7db60a1 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -262,8 +262,8 @@ ioctl$FIOCLEX(fd fd, cmd const[FIOCLEX])
 ioctl$FIONCLEX(fd fd, cmd const[FIONCLEX])
 ioctl$FITHAW(fd fd, cmd const[FITHAW])
-# FIFREEZE is disabled because it can easily kill the machine.
-ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (disabled)
+# FIFREEZE is enabled in sandbox mode only because it can easily kill the machine.
+ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (snapshot)
 fcntl$dupfd(fd fd, cmd flags[fcntl_dupfd], arg fd) fd
 fcntl$getflags(fd fd, cmd flags[fcntl_getflags])
@@ -544,8 +544,8 @@ waitid(which flags[waitid_which], pid pid, infop ptr[out, siginfo, opt], options
 waitid$P_PIDFD(which const[P_PIDFD], pidfd fd_pidfd, infop ptr[out, siginfo, opt], options flags[wait_options], ru ptr[out, rusage, opt])
 wait4(pid pid, status ptr[out, int32, opt], options flags[wait_options], ru ptr[out, rusage, opt])
 times(buf ptr[out, tms])
-# Can send signals to all processes (pid=-1).
-#kill(pid pid, sig signalno)
+# Can send signals to all processes (pid=-1) so it's enabled only in snapshot mode.
+kill(pid pid, sig signalno) (snapshot)
 set_thread_area(info ptr[in, user_desc])
 get_thread_area(info ptr[in, user_desc])
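Review bot: The rewritten comment above `ioctl$FIFREEZE` says "enabled in sandbox mode only", but the attribute added on the very next line is `(snapshot)`, and every other comment in this commit (dev_snapshot.txt, bpf_trace.txt, the `kill` hunk below) says "snapshot mode". "sandbox" names a different syzkaller setting — the `sandbox=namespace` / `sandbox=none` option referenced in the fs_ioctl_ext4.txt comments — so a reader could conclude FIFREEZE is gated by the sandbox setting rather than by snapshot mode. Suggest `# FIFREEZE is enabled in snapshot mode only because it can easily kill the machine.`.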
diff --git a/sys/linux/sys.txt.const b/sys/linux/sys.txt.const
index ba024ae99..0fd1acc76 100644
--- a/sys/linux/sys.txt.const
+++ b/sys/linux/sys.txt.const
@@ -700,6 +700,7 @@ __NR_ioprio_get = 31, 386:290, amd64:252, arm:315, mips64le:5274, ppc64le:274, s
 __NR_ioprio_set = 30, 386:289, amd64:251, arm:314, mips64le:5273, ppc64le:273, s390x:282
 __NR_kcmp = 272, 386:349, amd64:312, arm:378, mips64le:5306, ppc64le:354, s390x:343
 __NR_kexec_load = 104, 386:283, amd64:246, arm:347, mips64le:5270, ppc64le:268, s390x:277
+__NR_kill = 37, amd64:62, arm64:riscv64:129, mips64le:5060
 __NR_lchown = 16, amd64:94, arm64:riscv64:???, mips64le:5092, s390x:198
 __NR_link = 9, amd64:86, arm64:riscv64:???, mips64le:5084
 __NR_linkat = 37, 386:303, amd64:265, arm:330, mips64le:5255, ppc64le:294, s390x:296
--
cgit mrf-deployment