executor/linux: unshare mount namespace #2047
Conversation
With commit 598f493 ("executor/linux: dump more information when failed to open kcov file"), we got an unexpected result. (1) sysfs was already detached from /sys/ . (2) procfs was still mounted on /proc/ even when /proc/mounts could not be opened. (3) Mounting another procfs on /proc/ failed on some reports and did not fail on other reports. (4) Only / and several /proc/ are shown by /proc/mounts . Since "umount -l /" cannot explain (2) and (3), I don't know what is happening. But we might be able to mitigate this problem by always unsharing mount namespace and changing mount propagation type to 'private'.
It seems that unshare() fails with EPERM in some callers.
|
We already do unshare(CLONE_NEWNS) in sandbox_common() so all test processes are in separate mount namespace. I am also nervous merging this. I am not sure it will work on e.g. Android, I am not sure we mount back all filesystems we possibly need for fuzzing, e.g. #2017 uses files from /. This may also lead to difference with C reproduces as C reproducers don't include os_init logic. And we already do this during sandboxing, if anything the sandboxing code need to be changed. Sandboxing code is also part of C reproducers. |
Well, unshare(CLONE_NEWNS) might not be sufficient. If a system is controlled by systemd, systemd issues "mount --make-rshared /" request. #define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sched.h>
int main(int argc, char *argv[])
{
char c;
const int fd = open("/proc/mounts", O_RDONLY);
if (fd < 0)
return 1;
if (unshare(CLONE_NEWNS))
return 1;
if (argc > 1)
if (mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL))
return 1;
if (mount("/mnt", "/mnt", "tmpfs", 0, NULL))
return 1;
while (read(fd, &c, 1) == 1 && write(1, &c, 1) == 1);
return 0;
}And we can find reports like https://syzkaller.appspot.com/text?tag=CrashLog&x=172b47be900000 that contains |
Then, can we try "retry open("/sys/kernel/debug/kcov") after mounting /sys/ and /sys/kernel/debug/ when open("/sys/kernel/debug/kcov") failed" (though there is no guarantee that mounting only these is sufficient) ? An alternative approach (though Linux 5.2+ kernels only) might be to use fsopen()/fsconfig()/fsmount()/openat() instead of relying on readiness of mount point. Below example reads /sys/kernel/debug/memcg_slabinfo without accessing mount point. #include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/mount.h>
#include <sys/syscall.h>
static inline int fsopen(const char *fsname, unsigned int flags)
{
return syscall(__NR_fsopen, fsname, flags);
}
static inline int fsconfig(int fs_fd, enum fsconfig_command cmd, const char *key,
const void *value, int aux)
{
return syscall(__NR_fsconfig, fs_fd, cmd, key, value, aux);
}
static inline int fsmount(int fd, unsigned int flags, unsigned int mount_attrs)
{
return syscall(__NR_fsmount, fd, flags, mount_attrs);
}
int main(int argc, char *argv[])
{
int sfd = fsopen("debugfs", FSOPEN_CLOEXEC);
int mfd;
int fd;
char c;
if (fsconfig(sfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0))
return 1;
mfd = fsmount(sfd, FSMOUNT_CLOEXEC, MOUNT_ATTR_NODEV);
close(sfd);
fd = openat(mfd, "memcg_slabinfo", O_RDONLY);
close(mfd);
while (read(fd, &c, 1) == 1 && write(1, &c, 1) == 1);
close(fd);
return 0;
} |
|
Superseded by #2051. |
With commit 598f493 ("executor/linux: dump more information when failed to open kcov file"), we got an unexpected result.
(1) sysfs was already detached from /sys/ .
(2) procfs was still mounted on /proc/ even when /proc/mounts could not be opened.
(3) Mounting another procfs on /proc/ failed on some reports and did not fail on other reports.
(4) Only / and several /proc/ are shown by /proc/mounts .
Since "umount -l /" cannot explain (2) and (3), I don't know what is happening.
But we might be able to mitigate this problem by always unsharing mount namespace and changing mount propagation type to 'private'.