chore(fuzzing): extend syscall whitelist in sandbox fuzzers (dfinity#3659)

venkkatesh-sekar · web-flow · commit cfdddeec51f9 · 2025-01-30T15:19:52.000Z
In the sandbox monitor function, the parent thread calls
`std::thread::sleep(std::time::Duration::from_secs(1))` to allow the
sandbox to spawn all its threads before tracing begins.

However, this approach is unreliable—the sleep duration is arbitrary,
and attachment can occur at any point in execution. This led to
`getrandom` failures in CI.

This PR removes the sleep timer and instead continuously fetches `tid`s
as threads spawn, attaching to them dynamically. The trade-off is that
it requires knowing the number of sandbox threads in advance.
diff --git a/rs/execution_environment/fuzz/src/lib.rs b/rs/execution_environment/fuzz/src/lib.rs
@@ -10,8 +10,8 @@ use std::os::raw::c_char;
 #[cfg(target_os = "linux")]
 use {
     nix::{
-        sys::ptrace, sys::ptrace::Options, sys::wait::waitpid, sys::wait::WaitStatus, unistd::fork,
-        unistd::ForkResult, unistd::Pid,
+        sys::ptrace, sys::ptrace::Options, sys::wait::waitpid, sys::wait::WaitPidFlag,
+        sys::wait::WaitStatus, unistd::fork, unistd::ForkResult, unistd::Pid,
     },
     procfs::process::Process,
     std::collections::BTreeSet,
@@ -90,8 +90,16 @@ where
             sandbox();
         }
         Ok(ForkResult::Parent { child }) => {
-            std::thread::sleep(std::time::Duration::from_secs(1));
             let allowed_syscalls: BTreeSet<Sysno> = BTreeSet::from([
+                // Init
+                Sysno::gettid,
+                Sysno::rt_sigprocmask,
+                Sysno::clone,
+                Sysno::sched_yield,
+                Sysno::sched_getaffinity,
+                Sysno::prctl,
+                Sysno::getrandom, // probably due to hashbrown dependency
+                // Execution
                 Sysno::mmap,
                 Sysno::mprotect,
                 Sysno::munmap,
@@ -102,20 +110,29 @@ where
                 Sysno::close,
                 Sysno::restart_syscall,
             ]);
-            let children = get_children(child.into());
-            let threads: Vec<_> = children
-                .iter()
-                .map(|child| {
-                    std::thread::spawn({
+
+            let mut threads: Vec<_> = vec![];
+            let mut visited = BTreeSet::new();
+            while let Ok(WaitStatus::StillAlive) = waitpid(child, Some(WaitPidFlag::WNOHANG)) {
+                let children = get_children(child.into());
+
+                for pid in children {
+                    if visited.contains(&pid) {
+                        continue;
+                    }
+
+                    visited.insert(pid);
+
+                    threads.push(std::thread::spawn({
                         let allowed_syscalls = allowed_syscalls.clone();
-                        let child = *child;
+                        let child = pid;
                         let name = name.to_string();
                         move || {
                             trace(name, Pid::from_raw(child), allowed_syscalls);
                         }
-                    })
-                })
-                .collect();
+                    }));
+                }
+            }
 
             for handle in threads {
                 handle.join().unwrap();
