Add script for testing sandbox.

infra/base-images/base-runner/Dockerfile

@@ -18,7 +18,7 @@ FROM gcr.io/oss-fuzz-base/base-image
 MAINTAINER mike.aizatsky@gmail.com
 RUN apt-get install -y zip file libunwind8 binutils libblocksruntime0
 COPY bad_build_check llvm-cov llvm-profdata llvm-symbolizer reproduce \
-    run_fuzzer sancov test_all test_report /usr/local/bin/
+    run_fuzzer sancov test_all test_report minijail0 run_minijail /usr/local/bin/
 
 # Default environment options for various sanitizers.
 # Note that these match the settings used in ClusterFuzz and

infra/base-images/base-runner/run_minijail

@@ -0,0 +1,46 @@
+#!/bin/bash -eu
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+rm -rf /tmp/chroot
+mkdir /tmp/chroot
+
+mkdir /tmp/chroot/lib
+mkdir /tmp/chroot/lib64
+
+mkdir /tmp/chroot/usr
+mkdir /tmp/chroot/usr/lib
+
+mkdir /tmp/chroot/dev
+mknod -m 666 /tmp/chroot/dev/null c 1 3
+mknod -m 666 /tmp/chroot/dev/urandom c 1 9
+
+mkdir /tmp/chroot/proc
+mkdir /tmp/chroot/tmp
+
+mkdir /tmp/chroot/bin
+cp /bin/sh /tmp/chroot/bin/sh
+cp $(which llvm-symbolizer) /tmp/chroot/bin/llvm-symbolizer
+
+EXE_DIR=$(dirname $(readlink -f $1))
+mkdir -p /tmp/chroot/$EXE_DIR
+
+minijail0 -U -m "0 $UID 1" -T static \
+  -c 0 -n -e -v -p -l -I \
+  -k proc,/proc,proc,1 -P /tmp/chroot \
+  -b /lib,/lib,0 -b /lib64,/lib64,0 -b /usr/lib,/usr/lib,0 \
+  -b /tmp,/tmp,1 \
+  -b $EXE_DIR,$EXE_DIR,0 $@

infra/helper.py

@@ -214,7 +214,7 @@ def _build_image(image_name, no_cache=False, pull=False):
 
 def docker_run(run_args, print_output=True):
   """Call `docker run`."""
-  command = ['docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE']
+  command = ['docker', 'run', '--rm', '-i', '--privileged']
   command.extend(run_args)
 
   print('Running:', _get_command_string(command))
@@ -462,10 +462,17 @@ def shell(args):
   if args.e:
     env += args.e
 
+  if _is_base_image(args.project_name):
+    image_project = 'oss-fuzz-base'
+    out_dir = os.path.join(BUILD_DIR, 'out');
+  else:
+    image_project = 'oss-fuzz'
+    out_dir = os.path.join(BUILD_DIR, 'out', args.project_name)
+
   run_args = sum([['-e', v] for v in env], []) + [
-      '-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', args.project_name),
+      '-v', '%s:/out' % out_dir,
       '-v', '%s:/work' % os.path.join(BUILD_DIR, 'work', args.project_name),
-      '-t', 'gcr.io/oss-fuzz/%s' % args.project_name,
+      '-t', 'gcr.io/%s/%s' % (image_project, args.project_name),
       '/bin/bash'
   ]