github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/gvisor/README.md

# gVisor

[gVisor](https://github.com/google/gvisor) is a user-space kernel, written in
Go, that implements a substantial portion of the Linux system surface.

Fuzzing gVisor uses the `linux` OS target together with the special `gvisor`
VM type; there is nothing else special about it. For the `gvisor` VM type,
`image` is the path to the `runsc` binary and `runsc_args` are passed to it.
Here is an example manager config:

```
{
	"name": "gvisor",
	"target": "linux/amd64",
	"http": ":12345",
	"workdir": "/workdir",
	"image": "/usr/local/bin/runsc",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"cover": false,
	"procs": 8,
	"type": "gvisor",
	"vm": {
		"count": 5,
		"runsc_args": "-platform=kvm"
	}
}
```

## Reproducing crashes

`syz-execprog` can be used inside gVisor to (hopefully) reproduce crashes.

To run a single program inside a minimal gVisor sandbox, do the following.

1. Build all of the syzkaller tools:

   ```bash
   $ cd $SYZKALLER_DIR
   $ make
   ```

2. Build runsc:

   ```bash
   $ cd $GVISOR_DIR
   $ bazel build //runsc
   ```

3. Create a `bundle/` directory with a config like the one below (see
   `config.json`). Be sure to update the paths to the `linux_amd64` directory
   and to the input log/program file.

   ```bash
   $ mkdir bundle
   $ $EDITOR bundle/config.json
   ```

4. Run gVisor:

   ```bash
   $ sudo bazel-bin/runsc/linux_amd64_pure_stripped/runsc \
       -platform=ptrace \
       -file-access=shared \
       -network=host \
       run \
       -bundle /PATH/TO/bundle/ \
       syzkaller
   ```

5. Remove the container:

   ```bash
   $ sudo bazel-bin/runsc/linux_amd64_pure_stripped/runsc delete -force syzkaller
   ```

Note that you'll want to adjust the `runsc` args to match the config in which
the crash was discovered. You may also want to add `-debug -strace` for more
debugging information.

You can also adjust the args to `syz-execprog` in `config.json`.
For example, add `-repeat` to repeat the program.

### config.json

```json
{
  "root": {
    "path": "/PATH/TO/syzkaller/bin/linux_amd64",
    "readonly": true
  },
  "mounts": [
    {
      "destination": "/input",
      "source": "/PATH/TO/INPUT/LOG",
      "type": "bind",
      "options": ["ro"]
    }
  ],
  "process": {
    "args": ["/syz-execprog", "-executor=/syz-executor", "-cover=false", "-sandbox=none", "/input"],
    "cwd": "/tmp",
    "capabilities": {
      "bounding": [
        "CAP_CHOWN",
        "CAP_DAC_OVERRIDE",
        "CAP_DAC_READ_SEARCH",
        "CAP_FOWNER",
        "CAP_FSETID",
        "CAP_KILL",
        "CAP_SETGID",
        "CAP_SETUID",
        "CAP_SETPCAP",
        "CAP_LINUX_IMMUTABLE",
        "CAP_NET_BIND_SERVICE",
        "CAP_NET_BROADCAST",
        "CAP_NET_ADMIN",
        "CAP_NET_RAW",
        "CAP_IPC_LOCK",
        "CAP_IPC_OWNER",
        "CAP_SYS_MODULE",
        "CAP_SYS_RAWIO",
        "CAP_SYS_CHROOT",
        "CAP_SYS_PTRACE",
        "CAP_SYS_PACCT",
        "CAP_SYS_ADMIN",
        "CAP_SYS_BOOT",
        "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE",
        "CAP_SYS_TIME",
        "CAP_SYS_TTY_CONFIG",
        "CAP_MKNOD",
        "CAP_LEASE",
        "CAP_AUDIT_WRITE",
        "CAP_AUDIT_CONTROL",
        "CAP_SETFCAP",
        "CAP_MAC_OVERRIDE",
        "CAP_MAC_ADMIN",
        "CAP_SYSLOG",
        "CAP_WAKE_ALARM",
        "CAP_BLOCK_SUSPEND",
        "CAP_AUDIT_READ"
      ],
      "effective": [
        "CAP_CHOWN",
        "CAP_DAC_OVERRIDE",
        "CAP_DAC_READ_SEARCH",
        "CAP_FOWNER",
        "CAP_FSETID",
        "CAP_KILL",
        "CAP_SETGID",
        "CAP_SETUID",
        "CAP_SETPCAP",
        "CAP_LINUX_IMMUTABLE",
        "CAP_NET_BIND_SERVICE",
        "CAP_NET_BROADCAST",
        "CAP_NET_ADMIN",
        "CAP_NET_RAW",
        "CAP_IPC_LOCK",
        "CAP_IPC_OWNER",
        "CAP_SYS_MODULE",
        "CAP_SYS_RAWIO",
        "CAP_SYS_CHROOT",
        "CAP_SYS_PTRACE",
        "CAP_SYS_PACCT",
        "CAP_SYS_ADMIN",
        "CAP_SYS_BOOT",
        "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE",
        "CAP_SYS_TIME",
        "CAP_SYS_TTY_CONFIG",
        "CAP_MKNOD",
        "CAP_LEASE",
        "CAP_AUDIT_WRITE",
        "CAP_AUDIT_CONTROL",
        "CAP_SETFCAP",
        "CAP_MAC_OVERRIDE",
        "CAP_MAC_ADMIN",
        "CAP_SYSLOG",
        "CAP_WAKE_ALARM",
        "CAP_BLOCK_SUSPEND",
        "CAP_AUDIT_READ"
      ],
      "inheritable": [
        "CAP_CHOWN",
        "CAP_DAC_OVERRIDE",
        "CAP_DAC_READ_SEARCH",
        "CAP_FOWNER",
        "CAP_FSETID",
        "CAP_KILL",
        "CAP_SETGID",
        "CAP_SETUID",
        "CAP_SETPCAP",
        "CAP_LINUX_IMMUTABLE",
        "CAP_NET_BIND_SERVICE",
        "CAP_NET_BROADCAST",
        "CAP_NET_ADMIN",
        "CAP_NET_RAW",
        "CAP_IPC_LOCK",
        "CAP_IPC_OWNER",
        "CAP_SYS_MODULE",
        "CAP_SYS_RAWIO",
        "CAP_SYS_CHROOT",
        "CAP_SYS_PTRACE",
        "CAP_SYS_PACCT",
        "CAP_SYS_ADMIN",
        "CAP_SYS_BOOT",
        "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE",
        "CAP_SYS_TIME",
        "CAP_SYS_TTY_CONFIG",
        "CAP_MKNOD",
        "CAP_LEASE",
        "CAP_AUDIT_WRITE",
        "CAP_AUDIT_CONTROL",
        "CAP_SETFCAP",
        "CAP_MAC_OVERRIDE",
        "CAP_MAC_ADMIN",
        "CAP_SYSLOG",
        "CAP_WAKE_ALARM",
        "CAP_BLOCK_SUSPEND",
        "CAP_AUDIT_READ"
      ],
      "permitted": [
        "CAP_CHOWN",
        "CAP_DAC_OVERRIDE",
        "CAP_DAC_READ_SEARCH",
        "CAP_FOWNER",
        "CAP_FSETID",
        "CAP_KILL",
        "CAP_SETGID",
        "CAP_SETUID",
        "CAP_SETPCAP",
        "CAP_LINUX_IMMUTABLE",
        "CAP_NET_BIND_SERVICE",
        "CAP_NET_BROADCAST",
        "CAP_NET_ADMIN",
        "CAP_NET_RAW",
        "CAP_IPC_LOCK",
        "CAP_IPC_OWNER",
        "CAP_SYS_MODULE",
        "CAP_SYS_RAWIO",
        "CAP_SYS_CHROOT",
        "CAP_SYS_PTRACE",
        "CAP_SYS_PACCT",
        "CAP_SYS_ADMIN",
        "CAP_SYS_BOOT",
        "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE",
        "CAP_SYS_TIME",
        "CAP_SYS_TTY_CONFIG",
        "CAP_MKNOD",
        "CAP_LEASE",
        "CAP_AUDIT_WRITE",
        "CAP_AUDIT_CONTROL",
        "CAP_SETFCAP",
        "CAP_MAC_OVERRIDE",
        "CAP_MAC_ADMIN",
        "CAP_SYSLOG",
        "CAP_WAKE_ALARM",
        "CAP_BLOCK_SUSPEND",
        "CAP_AUDIT_READ"
      ],
      "ambient": [
        "CAP_CHOWN",
        "CAP_DAC_OVERRIDE",
        "CAP_DAC_READ_SEARCH",
        "CAP_FOWNER",
        "CAP_FSETID",
        "CAP_KILL",
        "CAP_SETGID",
        "CAP_SETUID",
        "CAP_SETPCAP",
        "CAP_LINUX_IMMUTABLE",
        "CAP_NET_BIND_SERVICE",
        "CAP_NET_BROADCAST",
        "CAP_NET_ADMIN",
        "CAP_NET_RAW",
        "CAP_IPC_LOCK",
        "CAP_IPC_OWNER",
        "CAP_SYS_MODULE",
        "CAP_SYS_RAWIO",
        "CAP_SYS_CHROOT",
        "CAP_SYS_PTRACE",
        "CAP_SYS_PACCT",
        "CAP_SYS_ADMIN",
        "CAP_SYS_BOOT",
        "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE",
        "CAP_SYS_TIME",
        "CAP_SYS_TTY_CONFIG",
        "CAP_MKNOD",
        "CAP_LEASE",
        "CAP_AUDIT_WRITE",
        "CAP_AUDIT_CONTROL",
        "CAP_SETFCAP",
        "CAP_MAC_OVERRIDE",
        "CAP_MAC_ADMIN",
        "CAP_SYSLOG",
        "CAP_WAKE_ALARM",
        "CAP_BLOCK_SUSPEND",
        "CAP_AUDIT_READ"
      ]
    }
  }
}
```

## Building gVisor the way syzkaller does

To check out the specific gVisor version:

```
git clone https://github.com/google/gvisor
cd gvisor
git checkout be6ffa78e4df78df13d004a17f2a8833305285c4
```

To build runsc with coverage instrumentation (the filter instruments
`//pkg/...` but excludes the platform, ring0 and coverage packages themselves):

```
bazel build --verbose_failures --collect_code_coverage --instrumentation_filter=//pkg/...,-//pkg/sentry/platform,-//pkg/ring0,-//pkg/coverage:coverage //runsc:runsc
```

To find the runsc binary and dump its coverage symbols (the `bazel-out` path
below is what `aquery` printed for one particular build; yours will differ):

```
bazel aquery --collect_code_coverage --instrumentation_filter=//pkg/...,-//pkg/sentry/platform,-//pkg/ring0,-//pkg/coverage:coverage 'mnemonic("GoLink", //runsc:runsc)'
./bazel-out/k8-fastbuild-ST-a2b97ed4b8d6/bin/runsc/runsc_/runsc symbolize -all > symbolize_all_gvisor_be6ffa78e4df78df13d004a17f2a8833305285c4.txt
```