Skip to content

syz-agent: add git cookie authdaemon #7034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
a-nogikh wants to merge 1 commit into
base: master
Choose a base branch
from
Open

syz-agent: add git cookie authdaemon #7034

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion syz-agent/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,11 @@ ADD https://storage.googleapis.com/syzkaller/images/buildroot-amd64-2025.05.gz /
RUN gzip -d /disk-images/buildroot_amd64.gz
ADD https://raw.githubusercontent.com/google/syzkaller/refs/heads/master/dashboard/config/linux/upstream-apparmor-kasan.config /kernel-configs/upstream-apparmor-kasan.config

COPY --from=syz-agent-builder /syzkaller/tools/git-cookie-authdaemon /app/git-cookie-authdaemon
COPY --from=syz-agent-builder /syzkaller/syz-agent/run.sh /app/run.sh
RUN chmod +x /app/git-cookie-authdaemon /app/run.sh
COPY --from=syz-agent-builder /syzkaller/bin/syz-agent /app/syz-agent
COPY --from=syz-agent-builder /syzkaller/bin/ /syzkaller/bin/
COPY --from=syz-agent-builder /syzkaller/sys/ /syzkaller/sys/

ENTRYPOINT ["/app/syz-agent", "-syzkaller=/syzkaller"]
ENTRYPOINT ["/app/run.sh"]
4 changes: 3 additions & 1 deletion syz-agent/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ include ../tools/version.mk

IMAGE_NAME ?= local/syz-agent
IMAGE_TAG ?= latest
GIT_COOKIE_DAEMON ?= 0

.PHONY: container k8s-minikube k8s-prod

Expand All @@ -23,4 +24,5 @@ k8s-minikube:
k8s-prod:
@kubectl kustomize ./k8s/overlays/prod/ | sed \
-e "s~\$${IMAGE_NAME}~$(IMAGE_NAME)~g" \
-e "s~\$${IMAGE_TAG}~$(IMAGE_TAG)~g"
-e "s~\$${IMAGE_TAG}~$(IMAGE_TAG)~g" \
-e "s~\$${GIT_COOKIE_DAEMON}~$(GIT_COOKIE_DAEMON)~g"
1 change: 0 additions & 1 deletion syz-agent/k8s/common/syz-agent.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ spec:
containers:
- name: syz-agent
image: gcr.io/syzkaller/syz-agent:latest # Replace with your image.
command: ["/app/syz-agent"]
args:
- "-name=$(POD_NAME)"
- "-config=/etc/syz-agent/config.json"
Expand Down
5 changes: 5 additions & 0 deletions syz-agent/k8s/overlays/prod/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,8 @@ patches:
operator: "Equal"
value: "nested-vm"
effect: "NoSchedule"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: GIT_COOKIE_DAEMON
value: "${GIT_COOKIE_DAEMON}"
14 changes: 14 additions & 0 deletions syz-agent/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
#!/bin/bash
# Copyright 2026 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.


if [ "$GIT_COOKIE_DAEMON" = "1" ]; then
# Start git-cookie-authdaemon in the background as syzkaller user.
# It will update cookies in /home/syzkaller/.git-credential-cache/cookie
# We use sudo -u syzkaller and set HOME explicitly.
sudo -u syzkaller HOME=/home/syzkaller /app/git-cookie-authdaemon --nofork &
fi

# Start syz-agent as the foreground process.
exec /app/syz-agent "$@"
Copy link
Copy Markdown
Member

@ramosian-glider ramosian-glider Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You used to pass -syzkaller=/syzkaller to syz-agent in the ENTRYPOINT above, don't you need it anymore?

206 changes: 206 additions & 0 deletions tools/git-cookie-authdaemon
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,206 @@
#!/usr/bin/python
# Copyright (C) 2012 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""
Background daemon to refresh OAuth access tokens.
Tokens are written to ~/.git-credential-cache/cookie
Git config variable http.cookiefile is updated.

Runs only on Google Compute Engine (GCE). On GCE Windows '--nofork' option
is needed. '--debug' option is available.
"""

from __future__ import print_function

import atexit
import contextlib
import json
import os
import platform
import subprocess
import sys
import time

if sys.version_info[0] > 2:
# Python 3 imports
from urllib.request import urlopen, Request
from urllib.error import URLError
from urllib.error import HTTPError
import http.cookiejar as cookielib
else:
# Python 2 imports
from urllib2 import urlopen, Request, HTTPError, URLError
import cookielib

REFRESH = 25 # seconds remaining when starting refresh
RETRY_INTERVAL = 5 # seconds between retrying a failed refresh

META_URL = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/'
SUPPORTED_SCOPES = [
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/gerritcodereview',
'https://www.googleapis.com/auth/source.full_control',
'https://www.googleapis.com/auth/source.read_write',
'https://www.googleapis.com/auth/source.read_only',
]
COOKIE_JAR = None
IS_WINDOWS = platform.system() == 'Windows'

def read_meta(part):
r = Request(META_URL + part)
r.add_header('Metadata-Flavor', 'Google')
return contextlib.closing(urlopen(r))

def select_scope():
with read_meta('scopes') as d:
avail = set(map(lambda s: s.decode('utf-8'), d.read().split()))
scopes = [s for s in SUPPORTED_SCOPES if s in avail]
if scopes:
return next(iter(scopes))
sys.stderr.write('error: VM must have one of these scopes:\n\n')
for s in SUPPORTED_SCOPES:
sys.stderr.write(' %s\n' % (s))
sys.exit(1)

def configure_git():
global COOKIE_JAR

if IS_WINDOWS:
# Git for Windows reads %HOMEPATH%/.gitconfig in Command Prompt,
# but $HOME/.gitconfig in Cygwin. The two paths can be different.
# Cygwin sets env var $HOMEPATH accordingly to %HOMEPATH%.
# Set cookie file as %HOMEPATH%/.git-credential-cache/cookie,
# so it can be used in both cases.
if 'HOMEPATH' in os.environ:
homepath = os.path.join(os.environ.get('HOMEDRIVE'), os.environ['HOMEPATH'])
else:
# When launched as a scheduled task at machine startup
# HOMEPATH may not be set.
sys.stderr.write('HOMEPATH is not set.\n')
sys.exit(1)
else:
homepath = os.environ['HOME']
dir = os.path.join(homepath, '.git-credential-cache')

COOKIE_JAR = os.path.join(dir, 'cookie')
if '--debug' in sys.argv:
print('Cookie file: %s' % COOKIE_JAR)

if os.path.exists(dir):
os.chmod(dir, 0o700)
else:
os.mkdir(dir, 0o700)
subprocess.call([
'git', 'config', '--global',
'http.cookiefile', COOKIE_JAR
])

def acquire_token(scope, retry):
while True:
try:
with read_meta('token?scopes=' + scope) as d:
return json.load(d)
except URLError:
if not retry:
raise
time.sleep(RETRY_INTERVAL)

def update_cookie(scope, retry):
now = int(time.time())
token = acquire_token(scope, retry)
access_token = token['access_token']
expires = now + int(token['expires_in']) # Epoch in sec

tmp_jar = COOKIE_JAR + '.lock'
cj = cookielib.MozillaCookieJar(tmp_jar)

for d in ['source.developers.google.com', '.googlesource.com']:
cj.set_cookie(cookielib.Cookie(
version = 0,
name = 'o',
value = access_token,
port = None,
port_specified = False,
domain = d,
domain_specified = True,
domain_initial_dot = d.startswith('.'),
path = '/',
path_specified = True,
secure = True,
expires = expires,
discard = False,
comment = None,
comment_url = None,
rest = {}))

cj.save()
if '--debug' in sys.argv:
print('Updating %s.' % COOKIE_JAR)
print('Expires: %d, %s, in %d seconds'% (
expires, time.ctime(expires), expires - now))
sys.stdout.flush()
if IS_WINDOWS:
# os.rename() below on Windows will raise OSError when dst exists.
# See https://docs.python.org/2/library/os.html#os.rename
if os.path.isfile(COOKIE_JAR):
os.remove(COOKIE_JAR)
os.rename(tmp_jar, COOKIE_JAR)
return expires

def cleanup():
if COOKIE_JAR:
for p in [COOKIE_JAR, COOKIE_JAR + '.lock']:
if os.path.exists(p):
os.remove(p)

def refresh_loop(scope, expires):
atexit.register(cleanup)
expires = expires - REFRESH
while True:
now = time.time()
expires = max(expires, now + RETRY_INTERVAL)
while now < expires:
time.sleep(expires - now)
now = time.time()
expires = update_cookie(scope, retry=True) - REFRESH

def main():
scope = select_scope()
configure_git()

expires = update_cookie(scope, retry=False)

if '--nofork' not in sys.argv:
if IS_WINDOWS:
# os.fork() is not supported on Windows.
sys.stderr.write('Add \'--nofork\' on Windows\n')
sys.exit(1)

if os.fork() > 0:
sys.exit(0)

os.chdir('/')
os.setsid()
os.umask(0)

pid = os.fork()
if pid > 0:
print('git-cookie-authdaemon PID %d' % (pid))
sys.exit(0)

refresh_loop(scope, expires)

if __name__ == '__main__':
main()
Loading