Skip to content
Permalink
Browse files

Android: Fix sandbox implementation

My test harness for this code performed some steps that are not
performed when syz-executor is invoked directy.

Specifcally, we need to operate from a directory under /data/data,
and have the correct UID/GID set as the owner of the directory.

My test harness now correctly sets these, all sandbox operations
succeed, and loop() is invoked.
  • Loading branch information...
zachriggle authored and dvyukov committed Oct 11, 2018
1 parent 6e32776 commit 751b7baf9499cf287eaaa58e0978e377fa651015
Showing with 20 additions and 6 deletions.
  1. +6 −2 executor/common.h
  2. +4 −1 executor/common_linux.h
  3. +10 −3 pkg/csource/generated.go
@@ -151,14 +151,18 @@ static uint64 current_time_ms(void)
}
#endif

#if SYZ_EXECUTOR || SYZ_USE_TMP_DIR
#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP || SYZ_USE_TMP_DIR
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static void use_temporary_dir(void)
{
#if SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
char tmpdir_template[] = "/data/data/syzkaller/syzkaller.XXXXXX";
#else
char tmpdir_template[] = "./syzkaller.XXXXXX";
#endif
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
@@ -665,7 +669,7 @@ int main(void)
for (procid = 0; procid < [[PROCS]]; procid++) {
if (fork() == 0) {
#endif
#if SYZ_USE_TMP_DIR
#if SYZ_USE_TMP_DIR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
use_temporary_dir();
#endif
[[SANDBOX_FUNC]]
@@ -1867,7 +1867,7 @@ static void syz_setfilecon(const char* path, const char* context)
if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0)
fail("setfilecon: setxattr failed");

if (syz_getfilecon(path, new_context, sizeof(new_context)) != 0)
if (syz_getfilecon(path, new_context, sizeof(new_context)) <= 0)
fail("setfilecon: getfilecon failed");

if (strcmp(context, new_context) != 0)
@@ -1880,6 +1880,9 @@ static int do_sandbox_android_untrusted_app(void)
setup_common();
sandbox_common();

if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
fail("chmod failed");

if (setgroups(UNTRUSTED_APP_NUM_GROUPS, UNTRUSTED_APP_GROUPS) != 0)
fail("setgroups failed");

@@ -136,14 +136,18 @@ static uint64 current_time_ms(void)
}
#endif
#if SYZ_EXECUTOR || SYZ_USE_TMP_DIR
#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP || SYZ_USE_TMP_DIR
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static void use_temporary_dir(void)
{
#if SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
char tmpdir_template[] = "/data/data/syzkaller/syzkaller.XXXXXX";
#else
char tmpdir_template[] = "./syzkaller.XXXXXX";
#endif
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
@@ -3336,7 +3340,7 @@ static void syz_setfilecon(const char* path, const char* context)
if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0)
fail("setfilecon: setxattr failed");
if (syz_getfilecon(path, new_context, sizeof(new_context)) != 0)
if (syz_getfilecon(path, new_context, sizeof(new_context)) <= 0)
fail("setfilecon: getfilecon failed");
if (strcmp(context, new_context) != 0)
@@ -3349,6 +3353,9 @@ static int do_sandbox_android_untrusted_app(void)
setup_common();
sandbox_common();
if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
fail("chmod failed");
if (setgroups(UNTRUSTED_APP_NUM_GROUPS, UNTRUSTED_APP_GROUPS) != 0)
fail("setgroups failed");
@@ -4147,7 +4154,7 @@ int main(void)
for (procid = 0; procid < [[PROCS]]; procid++) {
if (fork() == 0) {
#endif
#if SYZ_USE_TMP_DIR
#if SYZ_USE_TMP_DIR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
use_temporary_dir();
#endif
[[SANDBOX_FUNC]]

0 comments on commit 751b7ba

Please sign in to comment.
You can’t perform that action at this time.