From 4782c2b8e6d9cf4c75612c444760060d0a103da3 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Fri, 1 Jul 2016 22:20:47 +0200
Subject: executor: revive setuid sandbox

The new namespace-based sanboxing is good, but it's not always what one wants (and also requires special kernel configs). Change dropprivs config value to sandbox, which can have different values (currently: none, setuid, namespace). Setuid mode uses setuid(nobody) before fuzzing as before. In future we can add more sandboxing modes or, say, extend -sandbox=setuid to -sandbox=setuid:johndoe to impersonolate into given user.
---
 tools/syz-execprog/execprog.go | 5 ++++-
 tools/syz-stress/stress.go | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
(limited to 'tools')

diff --git a/tools/syz-execprog/execprog.go b/tools/syz-execprog/execprog.go
index fdba0f258..5b7610754 100644
--- a/tools/syz-execprog/execprog.go
+++ b/tools/syz-execprog/execprog.go
@@ -55,7 +55,10 @@ func main() {
 return
 }

- flags, timeout := ipc.DefaultFlags()
+ flags, timeout, err := ipc.DefaultFlags()
+ if err != nil {
+ log.Fatalf("%v", err)
+ }
 if *flagCoverFile != "" {
 flags |= ipc.FlagCover
 flags &= ^ipc.FlagDedupCover
diff --git a/tools/syz-stress/stress.go b/tools/syz-stress/stress.go
index de5f8ddf8..bb2352f76 100644
--- a/tools/syz-stress/stress.go
+++ b/tools/syz-stress/stress.go
@@ -47,7 +47,10 @@ func main() {
 prios := prog.CalculatePriorities(corpus)
 ct := prog.BuildChoiceTable(prios, calls)

- flags, timeout := ipc.DefaultFlags()
+ flags, timeout, err := ipc.DefaultFlags()
+ if err != nil {
+ failf("%v", err)
+ }
 gate = ipc.NewGate(2**flagProcs, nil)
 for pid := 0; pid < *flagProcs; pid++ {
 pid := pid
--
cgit mrf-deployment
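Review bot: `log.Fatalf("%v", err)` in tools/syz-execprog/execprog.go reports the error from `ipc.DefaultFlags()` with no indication of where it came from, so an operator who mistyped a flag sees only the raw message. Going by the commit description, the new error path presumably covers an unrecognised sandbox value; stopping before any program is executed is the right fail-closed behaviour, but the message should name the source, e.g. `log.Fatalf("ipc.DefaultFlags: %v", err)`. The same bare `%v` is passed to `failf` in the tools/syz-stress/stress.go hunk. main's body starts and ends outside the hunk.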
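Review bot: Whether the new check in tools/syz-stress/stress.go fails closed depends on `failf`, which is defined outside this hunk. If it only prints and returns, the `for pid := 0; ...` loop below would still start executors with whatever `flags` a failed `ipc.DefaultFlags()` returned, which, if the sandbox mode is carried in those flags as the description suggests, could mean running without the requested sandbox. Confirm that `failf` terminates the process, and consider a comment above the call such as `// never start executors if the ipc flags (including the sandbox mode) did not parse`. main's body continues outside the hunk.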