vm/gvisor: always give vm all caps

runsc can crash on nil deref without any caps. So give all of them all the time.
2024-11-23 11:29:46 +00:00 · 2018-06-22 19:56:39 +02:00 · 2018-06-22 19:56:39 +02:00 · bf0a1af0cb
commit bf0a1af0cb
parent 67ce863533
1 changed files with 18 additions and 3 deletions
--- a/vm/gvisor/gvisor.go
+++ b/vm/gvisor/gvisor.go
@ -82,7 +82,15 @@ func (pool *Pool) Create(workdir string, index int) (vmimpl.Instance, error) {
 	osutil.MkdirAll(rootDir)
 	osutil.MkdirAll(bundleDir)
 	osutil.MkdirAll(imageDir)
-	vmConfig := fmt.Sprintf(configTempl, imageDir)
+
+	caps := ""
+	for _, c := range sandboxCaps {
+		if caps != "" {
+			caps += ", "
+		}
+		caps += "\"" + c + "\""
+	}
+	vmConfig := fmt.Sprintf(configTempl, imageDir, caps)
 	if err := osutil.WriteFile(filepath.Join(bundleDir, "config.json"), []byte(vmConfig)); err != nil {
 		return nil, err
 	}
@ -326,13 +334,20 @@ const initStartMsg = "SYZKALLER INIT STARTED\n"
 const configTempl = `
 {
 	"root": {
-		"path": "%v",
+		"path": "%[1]v",
 		"readonly": true
 	},
 	"process":{
                "args": ["/init"],
                "cwd": "/tmp",
-                "env": ["SYZ_GVISOR_PROXY=1"]
+                "env": ["SYZ_GVISOR_PROXY=1"],
+                "capabilities": {
+                	"bounding": [%[2]v],
+                	"effective": [%[2]v],
+                	"inheritable": [%[2]v],
+                	"permitted": [%[2]v],
+                	"ambient": [%[2]v]
+                }
 	}
 }
 `