How to use the onlySandboxNone function of the host package

Best Syzkaller code snippet using host.onlySandboxNone

syscalls_linux.go

Source:syscalls_linux.go Github


// ... (the listing starts inside a switch of a function whose signature and
// earlier cases are not shown)
		// Unfortunately this only works with sandbox none at the moment.
		// The problem is that setns of a network namespace requires CAP_SYS_ADMIN
		// in the target namespace, and we've lost all privs in the init namespace
		// during creation of a user namespace.
		if ok, reason := onlySandboxNone(sandbox); !ok {
			return false, reason
		}
		return isSupportedSocket(c)
	case "syz_genetlink_get_family_id":
		// Probe by opening (and immediately closing) a generic netlink socket.
		fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_GENERIC)
		if fd == -1 {
			return false, fmt.Sprintf("socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed: %v", err)
		}
		syscall.Close(fd)
		return true, ""
	case "syz_mount_image":
		// The root/sandbox gate is evaluated before the filesystem lookup.
		if ok, reason := onlySandboxNone(sandbox); !ok {
			return ok, reason
		}
		fstype, ok := extractStringConst(c.Args[0].Type)
		if !ok {
			panic("syz_mount_image arg is not string")
		}
		return isSupportedFilesystem(fstype)
	case "syz_read_part_table":
		return onlySandboxNone(sandbox)
	case "syz_execute_func":
		return true, ""
	}
	// Every pseudo-syscall must have an explicit case above; an unlisted name
	// aborts the process instead of being silently allowed or denied.
	panic("unknown syzkall: " + c.Name)
}

// isSupportedSyzOpenDev reports whether a syz_open_dev variant is usable on
// this machine, returning (false, reason) when it is not.
//
// A constant first argument is accepted outright. Otherwise the first argument
// must be a string constant containing '#' placeholders (the function panics
// if it is not). The device path must then exist for at least one digit
// substitution, and the caller must pass onlySandboxNoneOrNamespace.
func isSupportedSyzOpenDev(sandbox string, c *prog.Syscall) (bool, string) {
	if _, ok := c.Args[0].Type.(*prog.ConstType); ok {
		// This is for syz_open_dev$char/block.
		return true, ""
	}
	fname, ok := extractStringConst(c.Args[0].Type)
	if !ok {
		panic("first open arg is not a pointer to string const")
	}
	if !strings.Contains(fname, "#") {
		panic(fmt.Sprintf("%v does not contain # in the file name (should be openat)", c.Name))
	}
	// NOTE(review): presumably an empty string from checkUSBEmulation means
	// "USB emulation is available" — confirm against its definition.
	if checkUSBEmulation() == "" {
		// These entries might not be available at boot time,
		// but will be created by connected USB devices.
		USBDevicePrefixes := []string{
			"/dev/hidraw", "/dev/usb/hiddev", "/dev/input/",
		}
		for _, prefix := range USBDevicePrefixes {
			if strings.HasPrefix(fname, prefix) {
				// This early return skips both the existence check and the
				// root/sandbox gate at the end of the function.
				return true, ""
			}
		}
	}
	// check replaces the first '#' with each digit 0-9 in turn and recurses
	// until no '#' is left, then tests that concrete path. It stops at the
	// first path that exists.
	var check func(dev string) bool
	check = func(dev string) bool {
		if !strings.Contains(dev, "#") {
			// Note: don't try to open them all, some can hang (e.g. /dev/snd/pcmC#D#p).
			return osutil.IsExist(dev)
		}
		for i := 0; i < 10; i++ {
			if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {
				return true
			}
		}
		return false
	}
	if !check(fname) {
		return false, fmt.Sprintf("file %v does not exist", fname)
	}
	return onlySandboxNoneOrNamespace(sandbox)
}

// isSupportedLSM returns a non-empty reason when the syscall name mentions an
// LSM (selinux, apparmor, smack) that /sys/kernel/security/lsm does not list,
// or when reading that file failed for a reason other than "does not exist".
// An empty string means no objection was found.
func isSupportedLSM(c *prog.Syscall) string {
	// The file is read at most once per process; the outcome is kept in the
	// package-level lsmError / lsmDisabled variables.
	lsmOnce.Do(func() {
		data, err := ioutil.ReadFile("/sys/kernel/security/lsm")
		if err != nil {
			// securityfs may not be mounted, but it does not mean
			// that no LSMs are enabled.
			if !os.IsNotExist(err) {
				lsmError = err
			}
			// On a missing file lsmDisabled is not populated here, so the
			// loop below reports nothing as disabled.
			return
		}
		lsmDisabled = make(map[string]bool)
		for _, lsm := range []string{"selinux", "apparmor", "smack"} {
			// Plain substring match against the file contents.
			if !strings.Contains(string(data), lsm) {
				lsmDisabled[lsm] = true
			}
		}
	})
	if lsmError != nil {
		return lsmError.Error()
	}
	for lsm := range lsmDisabled {
		// Also a substring match: any call whose lower-cased name contains
		// the LSM name is attributed to that LSM.
		if strings.Contains(strings.ToLower(c.Name), lsm) {
			return fmt.Sprintf("LSM %v is not enabled", lsm)
		}
	}
	return ""
}

// onlySandboxNone reports whether the process runs with UID 0 and the
// configured sandbox is exactly "none"; otherwise it returns false with a
// reason string.
//
// The gate looks only at the UID and the sandbox name. It does not inspect
// capabilities, so UID 0 with a reduced capability set still passes.
func onlySandboxNone(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox != "none" {
		return false, "only supported under root with sandbox=none"
	}
	return true, ""
}

// onlySandboxNoneOrNamespace reports whether the process runs with UID 0 and
// the configured sandbox is not "setuid".
//
// The test is a denylist: any sandbox string other than "setuid" passes, not
// only the "none" and "namespace" values named in the reason text.
func onlySandboxNoneOrNamespace(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox == "setuid" {
		return false, "only supported under root with sandbox=none/namespace"
	}
	return true, ""
}

// isSupportedSocket probes whether the socket described by c can be created,
// by actually calling socket(2) and closing the result.
//
// The first argument must be a constant address family (panics otherwise).
func isSupportedSocket(c *prog.Syscall) (bool, string) {
	af, ok := c.Args[0].Type.(*prog.ConstType)
	if !ok {
		panic("socket family is not const")
	}
	// First probe: family only, type and protocol 0. Only ENOSYS and
	// EAFNOSUPPORT are treated as "unsupported"; any other error falls through.
	fd, err := syscall.Socket(int(af.Val), 0, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	if err == syscall.ENOSYS {
		return false, "socket syscall returns ENOSYS"
	}
	if err == syscall.EAFNOSUPPORT {
		return false, "socket family is not supported (EAFNOSUPPORT)"
	}
	// Without a constant protocol there is nothing more specific to probe.
	proto, ok := c.Args[2].Type.(*prog.ConstType)
	if !ok {
		return true, ""
	}
	var typ uint64
	if arg, ok := c.Args[1].Type.(*prog.ConstType); ok {
		typ = arg.Val
	} else if arg, ok := c.Args[1].Type.(*prog.FlagsType); ok {
		// Uses the first flag value only; assumes Vals is non-empty — TODO confirm.
		typ = arg.Vals[0]
	} else {
		return true, ""
	}
	// Second probe: the exact family/type/protocol triple.
	fd, err = syscall.Socket(int(af.Val), int(typ), int(proto.Val))
	if fd != -1 {
		syscall.Close(fd)
		return true, ""
	}
	return false, err.Error()
}

// isSupportedOpenAt probes whether the constant, absolute file name used by an
// openat description can be opened on this machine.
//
// Descriptions whose file name is not a string constant, is empty, or does not
// start with '/' are reported as supported without any probe.
func isSupportedOpenAt(c *prog.Syscall) (bool, string) {
	var fd int
	var err error
	fname, ok := extractStringConst(c.Args[1].Type)
	if !ok || len(fname) == 0 || fname[0] != '/' {
		return true, ""
	}
	modes := []int{syscall.O_RDONLY, syscall.O_WRONLY, syscall.O_RDWR}
	// Attempt to extract flags from the syscall description
	// NOTE(review): a constant flags value is passed to open(2) verbatim and
	// the probe runs against the real path — confirm the descriptions never
	// carry flags with side effects on the file.
	if mode, ok := c.Args[2].Type.(*prog.ConstType); ok {
		modes = []int{int(mode.Val)}
	}
	for _, mode := range modes {
		fd, err = syscall.Open(fname, mode, 0)
		if fd != -1 {
			syscall.Close(fd)
		}
		// One successful mode is enough.
		if err == nil {
			return true, ""
		}
	}
	// err holds the failure from the last mode tried.
	return false, fmt.Sprintf("open(%v) failed: %v", fname, err)
}

// isSupportedMount decides whether a mount description is usable: the
// filesystem type (third argument, must be a string constant) has to be listed
// by isSupportedFilesystem, and the sandbox gate depends on the type.
func isSupportedMount(c *prog.Syscall, sandbox string) (bool, string) {
	fstype, ok := extractStringConst(c.Args[2].Type)
	if !ok {
		panic(fmt.Sprintf("%v: filesystem is not string const", c.Name))
	}
	if ok, reason := isSupportedFilesystem(fstype); !ok {
		return ok, reason
	}
	switch fstype {
	case "fuse", "fuseblk":
		// FUSE additionally needs /dev/fuse and is allowed under the wider
		// none/namespace gate.
		if err := osutil.IsAccessible("/dev/fuse"); err != nil {
			return false, err.Error()
		}
		return onlySandboxNoneOrNamespace(sandbox)
	default:
		// Every other filesystem type requires root with sandbox=none.
		return onlySandboxNone(sandbox)
	}
}

// isSupportedFilesystem reports whether fstype appears in /proc/filesystems.
//
// The file is read once per process. The read error is discarded, so a failed
// read is reported as "does not contain" for every filesystem type.
func isSupportedFilesystem(fstype string) (bool, string) {
	filesystemsOnce.Do(func() {
		filesystems, _ = ioutil.ReadFile("/proc/filesystems")
	})
	// Match the name as a whole field: preceded by a tab, followed by newline.
	if !bytes.Contains(filesystems, []byte("\t"+fstype+"\n")) {
		return false, fmt.Sprintf("/proc/filesystems does not contain %v", fstype)
	}
	return true, ""
}

func extractStringConst(typ prog.Type) (string, bool) {
	ptr, ok := typ.(*prog.PtrType)
	if !ok {
		// ... (the listing is truncated here)


host_linux.go

Source:host_linux.go Github


// ... (the listing starts inside a switch of a function whose signature and
// earlier cases are not shown)
		}
		if !check(fname) {
			return false, fmt.Sprintf("file %v does not exist", fname)
		}
		return onlySandboxNoneOrNamespace(sandbox)
	case "syz_open_procfs":
		return true, ""
	case "syz_open_pts":
		return true, ""
	case "syz_fuse_mount":
		if !osutil.IsExist("/dev/fuse") {
			return false, "/dev/fuse does not exist"
		}
		return onlySandboxNoneOrNamespace(sandbox)
	case "syz_fuseblk_mount":
		if !osutil.IsExist("/dev/fuse") {
			return false, "/dev/fuse does not exist"
		}
		return onlySandboxNoneOrNamespace(sandbox)
	case "syz_emit_ethernet", "syz_extract_tcp_res":
		// Probe by opening (and immediately closing) the TUN control device.
		fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 0)
		if err != nil {
			return false, fmt.Sprintf("open(/dev/net/tun) failed: %v", err)
		}
		syscall.Close(fd)
		return true, ""
	case "syz_kvm_setup_cpu":
		// Each variant is accepted only on the matching GOARCH; anything
		// else falls through to "unsupported arch".
		switch c.Name {
		case "syz_kvm_setup_cpu$x86":
			if runtime.GOARCH == "amd64" || runtime.GOARCH == "386" {
				return true, ""
			}
		case "syz_kvm_setup_cpu$arm64":
			if runtime.GOARCH == "arm64" {
				return true, ""
			}
		}
		return false, "unsupported arch"
	case "syz_init_net_socket":
		// Unfortunately this only works with sandbox none at the moment.
		// The problem is that setns of a network namespace requires CAP_SYS_ADMIN
		// in the target namespace, and we've lost all privs in the init namespace
		// during creation of a user namespace.
		if ok, reason := onlySandboxNone(sandbox); !ok {
			return false, reason
		}
		return isSupportedSocket(c)
	case "syz_genetlink_get_family_id":
		// Probe by opening (and immediately closing) a generic netlink socket.
		fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_GENERIC)
		if fd == -1 {
			return false, fmt.Sprintf("socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed: %v", err)
		}
		syscall.Close(fd)
		return true, ""
	case "syz_mount_image":
		return onlySandboxNone(sandbox)
	case "syz_read_part_table":
		return onlySandboxNone(sandbox)
	}
	// Every pseudo-syscall must have an explicit case above; an unlisted name
	// aborts the process instead of being silently allowed or denied.
	panic("unknown syzkall: " + c.Name)
}

// onlySandboxNone reports whether the process runs with UID 0 and the
// configured sandbox is exactly "none"; otherwise it returns false with a
// reason string.
//
// The gate looks only at the UID and the sandbox name. It does not inspect
// capabilities, so UID 0 with a reduced capability set still passes.
func onlySandboxNone(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox != "none" {
		return false, "only supported under root with sandbox=none"
	}
	return true, ""
}

// onlySandboxNoneOrNamespace reports whether the process runs with UID 0 and
// the configured sandbox is not "setuid".
//
// The test is a denylist: any sandbox string other than "setuid" passes, not
// only the "none" and "namespace" values named in the reason text.
func onlySandboxNoneOrNamespace(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox == "setuid" {
		return false, "only supported under root with sandbox=none/namespace"
	}
	return true, ""
}

// isSupportedSocket probes whether the socket described by c can be created.
// The first argument must be a constant address family (panics otherwise).
func isSupportedSocket(c *prog.Syscall) (bool, string) {
	af, ok := c.Args[0].(*prog.ConstType)
	if !ok {
		panic("socket family is not const")
	}
	// First probe: family only, type and protocol 0; the descriptor is
	// closed straight away.
	fd, err := syscall.Socket(int(af.Val), 0, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	// ... (the listing is truncated here)


onlySandboxNone

Using AI Code Generation


// NOTE(review): this generated snippet never references onlySandboxNone. It
// creates and starts a container through a Docker client API instead. The
// import list is empty in the page extract, containerConfig and hostConfig are
// used without being defined, and the same program is printed three times, so
// it does not compile as shown.
import (
func main() {
	cli, err := client.NewEnvClient()
	if err != nil {
		panic(err)
	}
	container, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, nil, "")
	if err != nil {
		panic(err)
	}
	if err := cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
		panic(err)
	}
}
// Second copy of the same program.
import (
func main() {
	cli, err := client.NewEnvClient()
	if err != nil {
		panic(err)
	}
	container, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, nil, "")
	if err != nil {
		panic(err)
	}
	if err := cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
		panic(err)
	}
}
// Third copy of the same program.
import (
func main() {
	cli, err := client.NewEnvClient()
	if err != nil {
		panic(err)
	}
	container, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, nil, "")
	if err != nil {
		panic(err)
	}
	if err := cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
		panic(err)
	}
}


onlySandboxNone

Using AI Code Generation


// NOTE(review): this generated snippet never references onlySandboxNone. It
// creates a container through a Docker client API. The import list is empty in
// the page extract and the same program is printed three times, followed by a
// dangling "import (", so it does not compile as shown.
//
// The "seccomp=unconfined" security option asks Docker to run the container
// without its seccomp syscall filter. It is a container-hardening setting and
// is unrelated to the syzkaller sandbox argument that onlySandboxNone checks.
import (
func main() {
	cli, err := client.NewEnvClient()
	if err != nil {
		panic(err)
	}
	hostConfig := &types.HostConfig{
		// Removes the seccomp filter for this container; avoid copying
		// this into a real deployment without a specific reason.
		SecurityOpt: []string{"seccomp=unconfined"},
	}
	ctx := context.Background()
	_, err = cli.ContainerCreate(ctx, &container.Config{
		Cmd: []string{"echo", "hello world"},
	}, hostConfig, nil, "")
	if err != nil {
		panic(err)
	}
}
// Second copy of the same program.
import (
func main() {
	cli, err := client.NewEnvClient()
	if err != nil {
		panic(err)
	}
	hostConfig := &types.HostConfig{
		SecurityOpt: []string{"seccomp=unconfined"},
	}
	ctx := context.Background()
	_, err = cli.ContainerCreate(ctx, &container.Config{
		Cmd: []string{"echo", "hello world"},
	}, hostConfig, nil, "")
	if err != nil {
		panic(err)
	}
}
// Third copy of the same program.
import (
func main() {
	cli, err := client.NewEnvClient()
	if err != nil {
		panic(err)
	}
	hostConfig := &types.HostConfig{
		SecurityOpt: []string{"seccomp=unconfined"},
	}
	ctx := context.Background()
	_, err = cli.ContainerCreate(ctx, &container.Config{
		Cmd: []string{"echo", "hello world"},
	}, hostConfig, nil, "")
	if err != nil {
		panic(err)
	}
}
// The extract ends with an unfinished import clause.
import (


onlySandboxNone

Using AI Code Generation


1import (2type host struct {3}4func (h *host) onlySandboxNone() {5 fmt.Println("Only Sandbox None")6}7func main() {8 h := host{name: "host1", ip: "


onlySandboxNone

Using AI Code Generation


// NOTE(review): this generated snippet calls an exported method
// OnlySandboxNone on a Host value. Neither Host nor that method is defined
// here, and the syzkaller listings on this page show onlySandboxNone as an
// unexported package-level function taking the sandbox name. The import list
// is empty, host is assigned without being declared, and the same program is
// printed eight times, so it does not compile as shown.
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}
import (
func main() {
	host = Host{"Linux"}
	fmt.Println(host.OnlySandboxNone())
}


onlySandboxNone

Using AI Code Generation


// NOTE(review): this generated snippet defines its own host type with a
// parameterless onlySandboxNone method that only prints a value. It does not
// perform the UID and sandbox-name check done by the syzkaller function of the
// same name shown earlier on this page. The import list is empty, and hostObj
// and sandboxObj are used without being defined, so it does not compile as
// shown.
import (
func main() {
	hostObj.onlySandboxNone()
}
type host struct {
}
func (h *host) onlySandboxNone() {
	fmt.Println(sandboxObj.SandboxNone())
}
