pkg/vcs: don't sandbox syzkaller repo

Currently we sandbox all repos b/c we assumed that all builds are also sandboxes. But this causes havoc for bisection/patch testing b/c syzkaller build is not actually sandboxed anywhere. Build creates root-owned files and then git can't do anything with them but don't report errors either: $ git checkout 8eda0b9 && echo OK error: unable to unlink old 'sys/linux/gen/386.go': Permission denied error: unable to unlink old 'sys/linux/gen/ppc64le.go': Permission denied ... HEAD is now at 8eda0b9 OK We trust own sources and we don't test syzkaller patches, so don't sandbox syzkaller repos.
google · Jul 12, 2020 · 1ad470c · 1ad470c
1 parent 7ba05d2
commit 1ad470c
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/pkg/vcs/git.go b/pkg/vcs/git.go
@@ -23,12 +23,14 @@ import (
 
 type git struct {
 	dir      string
+	sandbox  bool
 	ignoreCC map[string]bool
 }
 
 func newGit(dir string, ignoreCC map[string]bool) *git {
 	return &git{
 		dir:      dir,
+		sandbox:  true,
 		ignoreCC: ignoreCC,
 	}
 }
@@ -161,8 +163,10 @@ func (git *git) initRepo(reason error) error {
 	if err := osutil.MkdirAll(git.dir); err != nil {
 		return fmt.Errorf("failed to create repo dir: %v", err)
 	}
-	if err := osutil.SandboxChown(git.dir); err != nil {
-		return err
+	if git.sandbox {
+		if err := osutil.SandboxChown(git.dir); err != nil {
+			return err
+		}
 	}
 	if _, err := git.git("init"); err != nil {
 		return err
@@ -325,8 +329,10 @@ func (git *git) fetchCommits(since, base, user, domain string, greps []string, f
 	cmd := exec.Command("git", args...)
 	cmd.Dir = git.dir
 	cmd.Env = filterEnv()
-	if err := osutil.Sandbox(cmd, true, false); err != nil {
-		return nil, err
+	if git.sandbox {
+		if err := osutil.Sandbox(cmd, true, false); err != nil {
+			return nil, err
+		}
 	}
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
@@ -369,7 +375,15 @@ func (git *git) fetchCommits(since, base, user, domain string, greps []string, f
 }
 
 func (git *git) git(args ...string) ([]byte, error) {
-	return runSandboxedEnv(git.dir, "git", filterEnv(), args...)
+	cmd := osutil.Command("git", args...)
+	cmd.Dir = git.dir
+	cmd.Env = filterEnv()
+	if git.sandbox {
+		if err := osutil.Sandbox(cmd, true, false); err != nil {
+			return nil, err
+		}
+	}
+	return osutil.Run(time.Hour, cmd)
 }
 
 func splitEmail(email string) (user, domain string, err error) {

diff --git a/pkg/vcs/vcs.go b/pkg/vcs/vcs.go
@@ -118,7 +118,9 @@ func NewRepo(os, vm, dir string) (Repo, error) {
 }
 
 func NewSyzkallerRepo(dir string) Repo {
-	return newGit(dir, nil)
+	git := newGit(dir, nil)
+	git.sandbox = false
+	return git
 }
 
 func Patch(dir string, patch []byte) error {
@@ -171,13 +173,8 @@ func CheckCommitHash(hash string) bool {
 }
 
 func runSandboxed(dir, command string, args ...string) ([]byte, error) {
-	return runSandboxedEnv(dir, command, nil, args...)
-}
-
-func runSandboxedEnv(dir, command string, env []string, args ...string) ([]byte, error) {
 	cmd := osutil.Command(command, args...)
 	cmd.Dir = dir
-	cmd.Env = env
 	if err := osutil.Sandbox(cmd, true, false); err != nil {
 		return nil, err
 	}