Skip to content
 编辑

gVisor

gVisor

gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface.

gVisor uses linux OS, but the special gvisor VM type. There is nothing special regarding gVisor besides that. Here is an example manager config:

{
	"name": "gvisor",
	"target": "linux/amd64",
	"http": ":12345",
	"workdir": "/workdir",
	"image": "/usr/local/bin/runsc",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"cover": false,
	"procs": 8,
	"type": "gvisor",
	"vm": {
		"count": 5,
		"runsc_args": "-platform=kvm"
	}
}

Reproducing crashes

syz-execprog can be used inside gVisor to (hopefully) reproduce crashes.

To run a single program inside a minimal gVisor sandbox, do the following.

  1. Build all of the syzkaller tools:
$ cd $SYZKALLER_DIR
$ make
  1. Build runsc:
$ cd $GVISOR_DIR
$ bazel build //runsc
  1. Create a bundle/ directory with a config like the one below. Be sure to update the paths to the linux_amd64 directory and input log/program file.
$ mkdir bundle
$ $EDITOR bundle/config.json
  1. Run gVisor:
$ sudo bazel-bin/runsc/linux_amd64_pure_stripped/runsc \
    -platform=ptrace \
    -file-access=shared \
    -network=host \
    run \
    -bundle /PATH/TO/bundle/ \
    syzkaller
  1. Remove container:
$ sudo bazel-bin/runsc/linux_amd64_pure_stripped/runsc delete -force syzkaller

Note that you’ll want to adjust the runsc args to match the config in which the crash was discovered. You may also want to add -debug -strace for more debugging information.

You can also adjust the args to syz-execprog in config.json. e.g., add -repeat to repeat the program.

config.json

{
	"root": {
		"path": "/PATH/TO/syzkaller/bin/linux_amd64",
		"readonly": true
	},
	"mounts": [
		{
			"destination": "/input",
			"source": "/PATH/TO/INPUT/LOG",
			"type": "bind",
			"options": ["ro"]
		}
	],
	"process":{
		"args": ["/syz-execprog", "-executor=/syz-executor", "-cover=false", "-sandbox=none", "/input"],
		"cwd": "/tmp",
		"capabilities": {
			"bounding": [
				"CAP_CHOWN",
				"CAP_DAC_OVERRIDE",
				"CAP_DAC_READ_SEARCH",
				"CAP_FOWNER",
				"CAP_FSETID",
				"CAP_KILL",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_SETPCAP",
				"CAP_LINUX_IMMUTABLE",
				"CAP_NET_BIND_SERVICE",
				"CAP_NET_BROADCAST",
				"CAP_NET_ADMIN",
				"CAP_NET_RAW",
				"CAP_IPC_LOCK",
				"CAP_IPC_OWNER",
				"CAP_SYS_MODULE",
				"CAP_SYS_RAWIO",
				"CAP_SYS_CHROOT",
				"CAP_SYS_PTRACE",
				"CAP_SYS_PACCT",
				"CAP_SYS_ADMIN",
				"CAP_SYS_BOOT",
				"CAP_SYS_NICE",
				"CAP_SYS_RESOURCE",
				"CAP_SYS_TIME",
				"CAP_SYS_TTY_CONFIG",
				"CAP_MKNOD",
				"CAP_LEASE",
				"CAP_AUDIT_WRITE",
				"CAP_AUDIT_CONTROL",
				"CAP_SETFCAP",
				"CAP_MAC_OVERRIDE",
				"CAP_MAC_ADMIN",
				"CAP_SYSLOG",
				"CAP_WAKE_ALARM",
				"CAP_BLOCK_SUSPEND",
				"CAP_AUDIT_READ"
			],
			"effective": [
				"CAP_CHOWN",
				"CAP_DAC_OVERRIDE",
				"CAP_DAC_READ_SEARCH",
				"CAP_FOWNER",
				"CAP_FSETID",
				"CAP_KILL",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_SETPCAP",
				"CAP_LINUX_IMMUTABLE",
				"CAP_NET_BIND_SERVICE",
				"CAP_NET_BROADCAST",
				"CAP_NET_ADMIN",
				"CAP_NET_RAW",
				"CAP_IPC_LOCK",
				"CAP_IPC_OWNER",
				"CAP_SYS_MODULE",
				"CAP_SYS_RAWIO",
				"CAP_SYS_CHROOT",
				"CAP_SYS_PTRACE",
				"CAP_SYS_PACCT",
				"CAP_SYS_ADMIN",
				"CAP_SYS_BOOT",
				"CAP_SYS_NICE",
				"CAP_SYS_RESOURCE",
				"CAP_SYS_TIME",
				"CAP_SYS_TTY_CONFIG",
				"CAP_MKNOD",
				"CAP_LEASE",
				"CAP_AUDIT_WRITE",
				"CAP_AUDIT_CONTROL",
				"CAP_SETFCAP",
				"CAP_MAC_OVERRIDE",
				"CAP_MAC_ADMIN",
				"CAP_SYSLOG",
				"CAP_WAKE_ALARM",
				"CAP_BLOCK_SUSPEND",
				"CAP_AUDIT_READ"
			],
			"inheritable": [
				"CAP_CHOWN",
				"CAP_DAC_OVERRIDE",
				"CAP_DAC_READ_SEARCH",
				"CAP_FOWNER",
				"CAP_FSETID",
				"CAP_KILL",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_SETPCAP",
				"CAP_LINUX_IMMUTABLE",
				"CAP_NET_BIND_SERVICE",
				"CAP_NET_BROADCAST",
				"CAP_NET_ADMIN",
				"CAP_NET_RAW",
				"CAP_IPC_LOCK",
				"CAP_IPC_OWNER",
				"CAP_SYS_MODULE",
				"CAP_SYS_RAWIO",
				"CAP_SYS_CHROOT",
				"CAP_SYS_PTRACE",
				"CAP_SYS_PACCT",
				"CAP_SYS_ADMIN",
				"CAP_SYS_BOOT",
				"CAP_SYS_NICE",
				"CAP_SYS_RESOURCE",
				"CAP_SYS_TIME",
				"CAP_SYS_TTY_CONFIG",
				"CAP_MKNOD",
				"CAP_LEASE",
				"CAP_AUDIT_WRITE",
				"CAP_AUDIT_CONTROL",
				"CAP_SETFCAP",
				"CAP_MAC_OVERRIDE",
				"CAP_MAC_ADMIN",
				"CAP_SYSLOG",
				"CAP_WAKE_ALARM",
				"CAP_BLOCK_SUSPEND",
				"CAP_AUDIT_READ"
			],
			"permitted": [
				"CAP_CHOWN",
				"CAP_DAC_OVERRIDE",
				"CAP_DAC_READ_SEARCH",
				"CAP_FOWNER",
				"CAP_FSETID",
				"CAP_KILL",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_SETPCAP",
				"CAP_LINUX_IMMUTABLE",
				"CAP_NET_BIND_SERVICE",
				"CAP_NET_BROADCAST",
				"CAP_NET_ADMIN",
				"CAP_NET_RAW",
				"CAP_IPC_LOCK",
				"CAP_IPC_OWNER",
				"CAP_SYS_MODULE",
				"CAP_SYS_RAWIO",
				"CAP_SYS_CHROOT",
				"CAP_SYS_PTRACE",
				"CAP_SYS_PACCT",
				"CAP_SYS_ADMIN",
				"CAP_SYS_BOOT",
				"CAP_SYS_NICE",
				"CAP_SYS_RESOURCE",
				"CAP_SYS_TIME",
				"CAP_SYS_TTY_CONFIG",
				"CAP_MKNOD",
				"CAP_LEASE",
				"CAP_AUDIT_WRITE",
				"CAP_AUDIT_CONTROL",
				"CAP_SETFCAP",
				"CAP_MAC_OVERRIDE",
				"CAP_MAC_ADMIN",
				"CAP_SYSLOG",
				"CAP_WAKE_ALARM",
				"CAP_BLOCK_SUSPEND",
				"CAP_AUDIT_READ"
			],
			"ambient": [
				"CAP_CHOWN",
				"CAP_DAC_OVERRIDE",
				"CAP_DAC_READ_SEARCH",
				"CAP_FOWNER",
				"CAP_FSETID",
				"CAP_KILL",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_SETPCAP",
				"CAP_LINUX_IMMUTABLE",
				"CAP_NET_BIND_SERVICE",
				"CAP_NET_BROADCAST",
				"CAP_NET_ADMIN",
				"CAP_NET_RAW",
				"CAP_IPC_LOCK",
				"CAP_IPC_OWNER",
				"CAP_SYS_MODULE",
				"CAP_SYS_RAWIO",
				"CAP_SYS_CHROOT",
				"CAP_SYS_PTRACE",
				"CAP_SYS_PACCT",
				"CAP_SYS_ADMIN",
				"CAP_SYS_BOOT",
				"CAP_SYS_NICE",
				"CAP_SYS_RESOURCE",
				"CAP_SYS_TIME",
				"CAP_SYS_TTY_CONFIG",
				"CAP_MKNOD",
				"CAP_LEASE",
				"CAP_AUDIT_WRITE",
				"CAP_AUDIT_CONTROL",
				"CAP_SETFCAP",
				"CAP_MAC_OVERRIDE",
				"CAP_MAC_ADMIN",
				"CAP_SYSLOG",
				"CAP_WAKE_ALARM",
				"CAP_BLOCK_SUSPEND",
				"CAP_AUDIT_READ"
			]
		}
	}
}

syzkaller way gVisor use

To build specific gVisor ver:

git clone https://github.com/google/gvisor
git checkout be6ffa78e4df78df13d004a17f2a8833305285c4

To build runsc:

bazel build --verbose_failures --collect_code_coverage --instrumentation_filter=//pkg/...,-//pkg/sentry/platform,-//pkg/ring0,-//pkg/coverage:coverage //runsc:runsc

To find runsc binary and get symbols

bazel aquery --collect_code_coverage --instrumentation_filter=//pkg/...,-//pkg/sentry/platform,-//pkg/ring0,-//pkg/coverage:coverage 'mnemonic("GoLink", //runsc:runsc)'
./bazel-out/k8-fastbuild-ST-a2b97ed4b8d6/bin/runsc/runsc_/runsc symbolize -all > symbolize_all_gvisor_be6ffa78e4df78df13d004a17f2a8833305285c4.txt