On powerpc, the "stat" syscall is implemented by the "sys_newstat" entry point.
This causes a test failure as we can't find "sys_stat" in kallsyms.
Add "stat" -> "newstat" to the kallsyms rename map to work around this.
Closes: #1083 ("pkg/host: TestSupportedSyscalls fails on ppc64le")
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Most probably limited to input validation for now. In the future, it
could be extended to provide a bootable kernel during vm create (/bsd)
and turn vmid into a proper resource.
The OpenBSD VMs on GCE do support vmm(4).
This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow communicating
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
pkg/host/host_linux.go: Add "arm" to kallsyms support test.
pkg/host/host_test.go: TestKallsymsParse(): Add entry to test arm kallsyms parsing support.
Add a regex for syscall symbol extraction on ppc64le. ppc64le doesn't have
any special arch prefix.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Right now syz-fuzzer does a search through /proc/kallsyms for each syscall
to check whether it's supported. Do one search instead and save the results
to a map. This speeds up syscall detection ~60 times when testing arm64 kernel
on x86. Also add another search pattern for arm64 and add some logging.
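The single-pass kallsyms scan described in this commit, together with the per-arch symbol prefixes and the "stat" -> "newstat" rename from the earlier commits, as an added example (not syzkaller's own code); the prefix table, the regex shape and the kallsyms excerpt are assumptions constructed for illustration:

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed /proc/kallsyms excerpt mixing several arch naming schemes.
const sampleKallsyms = `ffffffff81000000 T __x64_sys_read
ffffffff81000010 T __ia32_sys_open
ffffffff81000020 T __arm64_sys_write
c000000000000030 T sys_newstat
c000000000000040 t some_local_helper
`

// Assumed syscall symbol prefixes per arch; ppc64le has no special prefix.
var archPrefixes = map[string]string{
	"amd64":   `__x64_`,
	"386":     `__ia32_`,
	"arm64":   `__arm64_`,
	"ppc64le": ``,
}

// Syscalls whose kernel entry point carries a different name.
var kallsymsRenameMap = map[string]string{"stat": "newstat"}

// parseKallsyms walks the symbol table once and records every syscall that
// has an entry point, so later per-syscall checks are plain map lookups.
func parseKallsyms(arch, kallsyms string) map[string]bool {
	prefix, ok := archPrefixes[arch]
	if !ok {
		return nil
	}
	re := regexp.MustCompile(`^[0-9a-f]+ [Tt] ` + prefix + `sys_([a-z0-9_]+)$`)
	supported := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(kallsyms))
	for sc.Scan() {
		if m := re.FindStringSubmatch(sc.Text()); m != nil {
			supported[m[1]] = true
		}
	}
	return supported
}

// isSupported applies the rename map before consulting the parsed set.
func isSupported(supported map[string]bool, name string) bool {
	if renamed, ok := kallsymsRenameMap[name]; ok {
		name = renamed
	}
	return supported[name]
}

func main() {
	s := parseKallsyms("ppc64le", sampleKallsyms)
	fmt.Println("stat on ppc64le:", isSupported(s, "stat"))
}
```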
* Revert "Revert "executor: add setuid sandbox for openbsd""
The problem is the low file descriptor limit.
This reverts commit 4093e33b13.
* executor/executor make sure the file descriptor limit is sufficient
EBUSY is returned when KMEMLEAK is in fact turned off,
not when scanning is already turned off.
That can't be recovered.
So instead check that we can write to the file in the check
function and give useful diagnostics.
Rewind kmemleak fd before reading it second time,
otherwise we will read truncated reports.
Auto-learn what leak reports we've already seen
and ignore them in future. This is required because
there are some false positives and some fire too frequently.
So now we will hit each leak only once per manager run,
but we still will try to reproduce them.
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
We have fallback coverage implementation for freebsd.
1. It's broken after some recent changes.
2. We need it for fuchsia, windows, akaros, linux too.
3. It's painful to work with C code.
Move fallback coverage to ipc package,
fix it and provide for all OSes.
Currently host feature detection/setup code is spread
across platform-independent fuzzer code, pkg/host, pkg/ipc
and executor.
Move this all into pkg/host and show readable info
about features on manager start.
Fixes #46