How to use onlySandboxNoneOrNamespace method of host Package

Best Syzkaller code snippet using host.onlySandboxNoneOrNamespace

syscalls_linux.go

Source:syscalls_linux.go Github


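// ... (listing starts at line 239 of syscalls_linux.go; the earlier part of
// the file is not shown on this page)

// isSyzFuseSupported reports whether syz_fuse_handle_req can be used: the
// "fuse" filesystem has to pass isSupportedFilesystem and the sandbox has to
// pass onlySandboxNoneOrNamespace. The second result is the reason when the
// answer is false.
func isSyzFuseSupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
	if ok, reason := isSupportedFilesystem("fuse"); !ok {
		return ok, reason
	}
	if ok, reason := onlySandboxNoneOrNamespace(sandbox); !ok {
		return false, reason
	}
	return true, ""
}

// isSyzUsbIPSupported reports whether syz_usbip_server_init can be used. The
// vhci_hcd attach file must pass osutil.IsWritable before the sandbox check
// is consulted; the error text from that check becomes the reason.
func isSyzUsbIPSupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
	if err := osutil.IsWritable("/sys/devices/platform/vhci_hcd.0/attach"); err != nil {
		return false, err.Error()
	}
	return onlySandboxNoneOrNamespace(sandbox)
}

// syzkallSupport maps the call name of each pseudo-syscall to the function
// that decides whether it is usable on this host with the given sandbox.
// isSupportedSyzkall panics for any call name that has no entry here.
var syzkallSupport = map[string]func(*prog.Syscall, *prog.Target, string) (bool, string){
	"syz_open_dev":                isSyzOpenDevSupported,
	"syz_open_procfs":             isSyzOpenProcfsSupported,
	"syz_open_pts":                alwaysSupported,
	"syz_execute_func":            alwaysSupported,
	"syz_emit_ethernet":           isNetInjectionSupported,
	"syz_extract_tcp_res":         isNetInjectionSupported,
	"syz_usb_connect":             isSyzUsbSupported,
	"syz_usb_connect_ath9k":       isSyzUsbSupported,
	"syz_usb_disconnect":          isSyzUsbSupported,
	"syz_usb_control_io":          isSyzUsbSupported,
	"syz_usb_ep_write":            isSyzUsbSupported,
	"syz_usb_ep_read":             isSyzUsbSupported,
	"syz_kvm_setup_cpu":           isSyzKvmSetupCPUSupported,
	"syz_emit_vhci":               isVhciInjectionSupported,
	"syz_init_net_socket":         isSyzInitNetSocketSupported,
	"syz_genetlink_get_family_id": isSyzGenetlinkGetFamilyIDSupported,
	"syz_mount_image":             isSyzMountImageSupported,
	"syz_read_part_table":         isSyzReadPartTableSupported,
	"syz_io_uring_submit":         isSyzIoUringSupported,
	"syz_io_uring_complete":       isSyzIoUringSupported,
	"syz_io_uring_setup":          isSyzIoUringSupported,
	// syz_memcpy_off is only used for io_uring descriptions, thus, enable it
	// only if io_uring syscalls are enabled.
	"syz_memcpy_off":         isSyzIoUringSupported,
	"syz_btf_id_by_name":     isBtfVmlinuxSupported,
	"syz_fuse_handle_req":    isSyzFuseSupported,
	"syz_80211_inject_frame": isWifiEmulationSupported,
	"syz_80211_join_ibss":    isWifiEmulationSupported,
	"syz_usbip_server_init":  isSyzUsbIPSupported,
}

// isSupportedSyzkall dispatches to the syzkallSupport entry for c.CallName.
// A call name without an entry is treated as a programming error and panics;
// note that the lookup key is c.CallName while the panic message prints c.Name.
func isSupportedSyzkall(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
	if isSupported, ok := syzkallSupport[c.CallName]; ok {
		return isSupported(c, target, sandbox)
	}
	panic("unknown syzkall: " + c.Name)
}

// isSupportedSyzOpenDev decides whether a syz_open_dev variant is usable by
// looking for the device file named in its first argument. A '#' in the name
// is a placeholder that is expanded to the digits 0-9.
func isSupportedSyzOpenDev(sandbox string, c *prog.Syscall) (bool, string) {
	if _, ok := c.Args[0].Type.(*prog.ConstType); ok {
		// This is for syz_open_dev$char/block.
		return true, ""
	}
	fname, ok := extractStringConst(c.Args[0].Type)
	if !ok {
		panic("first open arg is not a pointer to string const")
	}
	if strings.Contains(fname, "/dev/raw/raw#") {
		// For syz_open_dev$char_raw, these files don't exist initially.
		return true, ""
	}
	if !strings.Contains(fname, "#") {
		panic(fmt.Sprintf("%v does not contain # in the file name (should be openat)", c.Name))
	}
	// NOTE(review): an empty string from checkUSBEmulation presumably means
	// USB emulation is available; the helper is not shown here, so confirm.
	if checkUSBEmulation() == "" {
		// These entries might not be available at boot time,
		// but will be created by connected USB devices.
		USBDevicePrefixes := []string{
			"/dev/hidraw", "/dev/usb/hiddev", "/dev/input/",
		}
		for _, prefix := range USBDevicePrefixes {
			if strings.HasPrefix(fname, prefix) {
				return true, ""
			}
		}
	}
	// check replaces one '#' per recursion level, so a name with k
	// placeholders costs up to 10^k existence checks in the worst case.
	var check func(dev string) bool
	check = func(dev string) bool {
		if !strings.Contains(dev, "#") {
			// Note: don't try to open them all, some can hang (e.g. /dev/snd/pcmC#D#p).
			return osutil.IsExist(dev)
		}
		for i := 0; i < 10; i++ {
			if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {
				return true
			}
		}
		return false
	}
	if !check(fname) {
		return false, fmt.Sprintf("file %v does not exist", fname)
	}
	return onlySandboxNoneOrNamespace(sandbox)
}

// isSupportedLSM returns "" when the syscall is not tied to a disabled Linux
// Security Module, and a reason string otherwise. The LSM list is read from
// securityfs inside lsmOnce.Do; lsmOnce, lsmError and lsmDisabled are declared
// outside this listing.
func isSupportedLSM(c *prog.Syscall) string {
	lsmOnce.Do(func() {
		data, err := ioutil.ReadFile("/sys/kernel/security/lsm")
		if err != nil {
			// securityfs may not be mounted, but it does not mean
			// that no LSMs are enabled.
			if !os.IsNotExist(err) {
				lsmError = err
			}
			return
		}
		lsmDisabled = make(map[string]bool)
		for _, lsm := range []string{"selinux", "apparmor", "smack"} {
			if !strings.Contains(string(data), lsm) {
				lsmDisabled[lsm] = true
			}
		}
	})
	// A read error other than "not exist" is reported as the reason for
	// every syscall that reaches this check.
	if lsmError != nil {
		return lsmError.Error()
	}
	// The match is a substring test of the LSM name against the lowercased
	// syscall name.
	for lsm := range lsmDisabled {
		if strings.Contains(strings.ToLower(c.Name), lsm) {
			return fmt.Sprintf("LSM %v is not enabled", lsm)
		}
	}
	return ""
}

// onlySandboxNone accepts only a process whose uid is 0 running with the
// sandbox string exactly "none"; everything else is rejected with a reason.
func onlySandboxNone(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox != "none" {
		return false, "only supported under root with sandbox=none"
	}
	return true, ""
}

// onlySandboxNoneOrNamespace rejects a process whose uid is not 0 and rejects
// the "setuid" sandbox; every other sandbox string is accepted.
//
// NOTE(review): this is a denylist, not an allowlist. The reason string names
// sandbox=none/namespace, but any value other than "setuid" (including a
// misspelled one) passes. Confirm that every sandbox mode defined elsewhere
// keeps the privileges the gated calls need.
func onlySandboxNoneOrNamespace(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox == "setuid" {
		return false, "only supported under root with sandbox=none/namespace"
	}
	return true, ""
}

// isSupportedSocket probes the kernel by actually creating sockets for the
// family, type and protocol taken from the syscall description. Every
// descriptor that gets created is closed again before returning.
func isSupportedSocket(c *prog.Syscall) (bool, string) {
	af, ok := c.Args[0].Type.(*prog.ConstType)
	if !ok {
		panic("socket family is not const")
	}
	// First probe: family only. Just ENOSYS and EAFNOSUPPORT are treated
	// as conclusive; any other error falls through to the second probe.
	fd, err := syscall.Socket(int(af.Val), 0, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	if err == syscall.ENOSYS {
		return false, "socket syscall returns ENOSYS"
	}
	if err == syscall.EAFNOSUPPORT {
		return false, "socket family is not supported (EAFNOSUPPORT)"
	}
	// Without a constant protocol or a usable type there is nothing more
	// specific to probe, so the call is reported as supported.
	proto, ok := c.Args[2].Type.(*prog.ConstType)
	if !ok {
		return true, ""
	}
	var typ uint64
	if arg, ok := c.Args[1].Type.(*prog.ConstType); ok {
		typ = arg.Val
	} else if arg, ok := c.Args[1].Type.(*prog.FlagsType); ok {
		typ = arg.Vals[0]
	} else {
		return true, ""
	}
	// Second probe: the full family/type/protocol triple.
	fd, err = syscall.Socket(int(af.Val), int(typ), int(proto.Val))
	if fd != -1 {
		syscall.Close(fd)
		return true, ""
	}
	return false, err.Error()
}

// isSyzOpenProcfsSupported checks syz_open_procfs through isSupportedOpenFile
// with the file name taken from argument 1 and the default open modes.
func isSyzOpenProcfsSupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
	return isSupportedOpenFile(c, 1, nil)
}

// isSupportedOpenAt checks an openat description. When the flags argument is
// a constant it is the only mode probed; otherwise the defaults are used.
func isSupportedOpenAt(c *prog.Syscall) (bool, string) {
	// Attempt to extract flags from the syscall description.
	var modes []int
	if mode, ok := c.Args[2].Type.(*prog.ConstType); ok {
		modes = []int{int(mode.Val)}
	}
	return isSupportedOpenFile(c, 1, modes)
}

// isSupportedOpenFile reports whether the constant absolute path in argument
// filenameArg can be opened with at least one of modes. A name that is not a
// string constant, is empty, or is not absolute is reported as supported
// without probing. On failure the reason carries the error of the last mode
// tried.
//
// NOTE(review): the probe really opens the path, including for writing in the
// default mode set. No O_CREAT is passed, so nothing is created, but opening a
// device node can have effects of its own (isSupportedSyzOpenDev carries a
// note about opens that can hang) - confirm this is acceptable for every path
// that reaches here.
func isSupportedOpenFile(c *prog.Syscall, filenameArg int, modes []int) (bool, string) {
	fname, ok := extractStringConst(c.Args[filenameArg].Type)
	if !ok || fname == "" || fname[0] != '/' {
		return true, ""
	}
	if len(modes) == 0 {
		modes = []int{syscall.O_RDONLY, syscall.O_WRONLY, syscall.O_RDWR, syscall.O_RDONLY | syscall.O_NONBLOCK}
	}
	var err error
	for _, mode := range modes {
		var fd int
		fd, err = syscall.Open(fname, mode, 0)
		if fd != -1 {
			syscall.Close(fd)
		}
		if err == nil {
			return true, ""
		}
	}
	return false, fmt.Sprintf("open(%v) failed: %v", fname, err)
}

// isSupportedMount checks a mount description by its constant filesystem
// type. fuse and fuseblk additionally need /dev/fuse to pass
// osutil.IsAccessible and are allowed under the none/namespace check; every
// other filesystem type requires root with sandbox=none.
func isSupportedMount(c *prog.Syscall, sandbox string) (bool, string) {
	fstype, ok := extractStringConst(c.Args[2].Type)
	if !ok {
		panic(fmt.Sprintf("%v: filesystem is not string const", c.Name))
	}
	if ok, reason := isSupportedFilesystem(fstype); !ok {
		return ok, reason
	}
	switch fstype {
	case "fuse", "fuseblk":
		if err := osutil.IsAccessible("/dev/fuse"); err != nil {
			return false, err.Error()
		}
		return onlySandboxNoneOrNamespace(sandbox)
	default:
		return onlySandboxNone(sandbox)
	}
}

// isSupportedFilesystem reports whether fstype is listed in /proc/filesystems.
// The match is on "\t"+fstype+"\n", so it is a whole-name match ("fuse" does
// not match a "fuseblk" line).
//
// NOTE(review): the ReadFile error is discarded. If the read fails,
// filesystems stays empty and every filesystem is reported as missing with a
// reason that blames the file's content rather than the failed read.
func isSupportedFilesystem(fstype string) (bool, string) {
	filesystemsOnce.Do(func() {
		filesystems, _ = ioutil.ReadFile("/proc/filesystems")
	})
	if !bytes.Contains(filesystems, []byte("\t"+fstype+"\n")) {
		return false, fmt.Sprintf("/proc/filesystems does not contain %v", fstype)
	}
	return true, ""
}

// The listing is cut off inside the next function; its body is not shown on
// this page.
func extractStringConst(typ prog.Type) (string, bool) {...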


host_linux.go

Source:host_linux.go Github


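// ... (excerpt starts at line 87 of host_linux.go, inside a function whose
// beginning is not shown on this page; that fragment is reproduced as is)
		}
		if !check(fname) {
			return false, fmt.Sprintf("file %v does not exist", fname)
		}
		return onlySandboxNoneOrNamespace(sandbox)
	case "syz_open_procfs":
		return true, ""
	case "syz_open_pts":
		return true, ""
	case "syz_fuse_mount":
		if !osutil.IsExist("/dev/fuse") {
			return false, "/dev/fuse does not exist"
		}
		return onlySandboxNoneOrNamespace(sandbox)
	case "syz_fuseblk_mount":
		if !osutil.IsExist("/dev/fuse") {
			return false, "/dev/fuse does not exist"
		}
		return onlySandboxNoneOrNamespace(sandbox)
	case "syz_emit_ethernet", "syz_extract_tcp_res":
		fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 0)
		if err != nil {
			return false, fmt.Sprintf("open(/dev/net/tun) failed: %v", err)
		}
		syscall.Close(fd)
		return true, ""
	case "syz_kvm_setup_cpu":
		switch c.Name {
		case "syz_kvm_setup_cpu$x86":
			if runtime.GOARCH == "amd64" || runtime.GOARCH == "386" {
				return true, ""
			}
		case "syz_kvm_setup_cpu$arm64":
			if runtime.GOARCH == "arm64" {
				return true, ""
			}
		}
		return false, "unsupported arch"
	case "syz_init_net_socket":
		// Unfortunately this only works with sandbox none at the moment.
		// The problem is that setns of a network namespace requires CAP_SYS_ADMIN
		// in the target namespace, and we've lost all privs in the init namespace
		// during creation of a user namespace.
		if ok, reason := onlySandboxNone(sandbox); !ok {
			return false, reason
		}
		return isSupportedSocket(c)
	case "syz_genetlink_get_family_id":
		fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_GENERIC)
		if fd == -1 {
			return false, fmt.Sprintf("socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed: %v", err)
		}
		syscall.Close(fd)
		return true, ""
	case "syz_mount_image":
		return onlySandboxNone(sandbox)
	case "syz_read_part_table":
		return onlySandboxNone(sandbox)
	}
	panic("unknown syzkall: " + c.Name)
}

// onlySandboxNone accepts only a process whose uid is 0 running with the
// sandbox string exactly "none"; everything else is rejected with a reason.
func onlySandboxNone(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox != "none" {
		return false, "only supported under root with sandbox=none"
	}
	return true, ""
}

// onlySandboxNoneOrNamespace rejects a process whose uid is not 0 and rejects
// the "setuid" sandbox; every other sandbox string is accepted.
//
// NOTE(review): this is a denylist, not an allowlist. The reason string names
// sandbox=none/namespace, but any value other than "setuid" (including a
// misspelled one) passes. Confirm that every sandbox mode defined elsewhere
// keeps the privileges the gated calls need.
func onlySandboxNoneOrNamespace(sandbox string) (bool, string) {
	if syscall.Getuid() != 0 || sandbox == "setuid" {
		return false, "only supported under root with sandbox=none/namespace"
	}
	return true, ""
}

func isSupportedSocket(c *prog.Syscall) (bool, string) {
	af, ok := c.Args[0].(*prog.ConstType)
	if !ok {
		panic("socket family is not const")
	}
	fd, err := syscall.Socket(int(af.Val), 0, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	// ... (the listing is cut off here; the rest of isSupportedSocket is not
	// shown on this page)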


onlySandboxNoneOrNamespace

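Using AI Code Generation. The snippets under these headings are machine-generated and are not syzkaller code: none of them calls the package-level function onlySandboxNoneOrNamespace(sandbox string) (bool, string) shown in the listings above, and several are cut off mid-statement.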


1import (2func main() {3 var (4 spec := specs.Spec{5 Root: &specs.Root{6 },7 Process: &specs.Process{8 User: specs.User{9 AdditionalGids: []uint32{},10 },11 Args: []string{"sh"},12 Env: []string{"PATH=/bin"},13 Capabilities: &specs.LinuxCapabilities{14 Bounding: []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"},15 Effective: []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"},16 Inheritable: []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"},17 Permitted: []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"},18 Ambient: []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"},19 },20 Rlimits: []specs.POSIXRlimit{21 {22 Hard: uint64(1024),23 Soft: uint64(1024),24 },25 },26 },27 Mounts: []specs.Mount{28 {29 Options: []string{"nosuid", "noexec", "nodev"},30 },31 {32 Options: []string{"nosuid", "strict


onlySandboxNoneOrNamespace

Using AI Code Generation


1import (2func main() {3 cmd := exec.Command("sh")4 cmd.SysProcAttr = &syscall.SysProcAttr{5 }6 if err := cmd.Run(); err != nil {7 fmt.Println(err)8 }9}10import (11func main() {12 cmd := exec.Command("sh")13 cmd.SysProcAttr = &syscall.SysProcAttr{


onlySandboxNoneOrNamespace

Using AI Code Generation


1import (2func main() {3 fmt.Println("main")4}5import (6func main() {7 fmt.Println("main")8}9import (10func main() {11 fmt.Println("main")12}13import (14func main() {15 fmt.Println("main")16}17import (18func main() {19 fmt.Println("main")20}21import (22func main() {23 fmt.Println("main")24}25import (26func main() {27 fmt.Println("main")28}29import (30func main() {31 fmt.Println("main")32}33import (34func main() {35 fmt.Println("main")36}37import (38func main() {39 fmt.Println("main")40}41import (42func main() {43 fmt.Println("main")44}45import (46func main() {47 fmt.Println("main")48}49import (


onlySandboxNoneOrNamespace

Using AI Code Generation


1import (2func main() {3 hostConfig := &container.HostConfig{}4 parsed, err := parser.Parse([]string{"--userns=host"})5 if err != nil {6 fmt.Println("Error")7 }8 if err := opts.ParseHostConfig(hostConfig, parsed); err != nil {9 fmt.Println("Error")10 }11 sysInfo := &sysinfo.SysInfo{}12 sandbox := symlink.FollowSymlinkInScope(sysInfo.GetRemappedRoot(), "/proc/self/ns/user")13 if sandbox == "" {14 }15 if err := hostConfig.OnlySandboxNoneOrNamespace(sysInfo, sandbox); err != nil {16 fmt.Println("Error")17 }18 fmt.Println("Success")19}20import (21func main() {


onlySandboxNoneOrNamespace

Using AI Code Generation


1import (2func main() {3 sandbox, err := NewSandbox()4 if err != nil {5 fmt.Println("Error creating sandbox: ", err)6 os.Exit(1)7 }8 cmd := exec.Command("/bin/ls", "-l", "/")9 cmd.SysProcAttr = &syscall.SysProcAttr{10 }11 cmd.Env = []string{"PATH=/bin"}12 if err := cmd.Start(); err != nil {13 fmt.Println("Error starting command: ", err)14 os.Exit(1)15 }16 if err := cmd.Wait(); err != nil {17 fmt.Println("Error waiting for command: ", err)18 os.Exit(1)19 }20}


onlySandboxNoneOrNamespace

Using AI Code Generation


1import (2func main() {3 fmt.Println("Hello World")4 cmd := exec.Command("ls", "-l")5 cmd.Dir = filepath.Join(os.Getenv("HOME"), "Desktop")6 cmd.Run()7}


onlySandboxNoneOrNamespace

Using AI Code Generation


1func main() {2 h = host.Host{ID: 1, Sandbox: "none"}3 h.onlySandboxNoneOrNamespace()4}5func main() {6 h = host.Host{ID: 1, Sandbox: "namespace"}7 h.onlySandboxNoneOrNamespace()8}9func main() {10 h = host.Host{ID: 1, Sandbox: "other"}11 h.onlySandboxNoneOrNamespace()12}13func main() {14 h = host.Host{ID: 1, Sandbox: "other"}15 h.onlySandboxNoneOrNamespace()16}17func main() {18 h = host.Host{ID: 1, Sandbox: "none"}19 h.onlySandboxNoneOrNamespace()20}21func main() {22 h = host.Host{ID: 1, Sandbox: "namespace"}23 h.onlySandboxNoneOrNamespace()24}25func main() {26 h = host.Host{ID: 1, Sandbox: "other"}27 h.onlySandboxNoneOrNamespace()28}29func main() {30 h = host.Host{ID: 1, Sandbox: "other"}31 h.onlySandboxNoneOrNamespace()32}33func main() {34 h = host.Host{ID: 1, Sandbox: "none"}


onlySandboxNoneOrNamespace

Using AI Code Generation


1import "fmt"2func main() {3 h.OnlySandboxNoneOrNamespace()4 fmt.Println("Hello World")5}6import "fmt"7func main() {8 h.OnlySandboxNoneOrNamespace()9 fmt.Println("Hello World


onlySandboxNoneOrNamespace

Using AI Code Generation


1import (2func main() {3 fmt.Println("Hello, playground")4 host := syscall.SandboxHost{}5 fmt.Println("Hello, playground", host.OnlySandboxNoneOrNamespace)6}7import (8func main() {9 fmt.Println("Hello, playground")10 host := &syscall.SandboxHost{OnlySandboxNoneOrNamespace: syscall.SandboxHost_OnlySandboxNoneOrNamespace}11 fmt.Println("Hello, playground", host.OnlySandboxNoneOrNamespace)12}


onlySandboxNoneOrNamespace

Using AI Code Generation


1func main() {2 host := &host{}3 host.onlySandboxNoneOrNamespace()4}5func main() {6 host := &host{}7 host.OnlySandboxNoneOrNamespace()8}9func main() {10 host := &host{}11 host.OnlySandboxNoneOrNamespace()12}13func main() {14 host := &host{}15 host.OnlySandboxNoneOrNamespace()16}17func main() {18 host := &host{}19 host.OnlySandboxNoneOrNamespace()20}21func main() {22 host := &host{}23 host.OnlySandboxNoneOrNamespace()24}
