Docs: CF supports only harmless workloads.
Document that ClusterFuzz should only be used for harmless workloads,
until we have VM-isolated job types.
Change-Id: I58646d0936bb176667ff6b8d7b643c132ae18ace
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3562180
Reviewed-by: Jonathan Metzman <[email protected]>
Commit-Queue: Adrian Taylor <[email protected]>
Cr-Commit-Position: refs/heads/main@{#987319}
diff --git a/docs/security/clusterfuzz-for-sheriffs.md b/docs/security/clusterfuzz-for-sheriffs.md
index 7f1c81a..961ce23 100644
--- a/docs/security/clusterfuzz-for-sheriffs.md
+++ b/docs/security/clusterfuzz-for-sheriffs.md
@@ -16,6 +16,9 @@
Please *do* specify the crbug number when uploading the test case. This will allow
ClusterFuzz to keep the crbug updated with progress.
+Please *don't* upload test cases unless they're obviously harmless. Currently
+ClusterFuzz does not support untrusted workloads.
+
## Useful jobs
You should chose the right job type depending on the format of file you want to
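Review bot: The added sentence "Please *don't* upload test cases unless they're obviously harmless" gives the sheriff no criterion for "obviously harmless" and no alternative when a test case fails that bar. The commit message gives the reason (no VM-isolated job types yet), but the doc text does not. Consider stating that reason in the paragraph and linking to the reproduction tips in sheriff.md, which already tell the reader to use a disposable virtual machine when they do not fully understand a test case. Minor, since this hunk is already touching the area: the context line "You should chose the right job type" should read "choose".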
diff --git a/docs/security/sheriff.md b/docs/security/sheriff.md
index 190de2a..1b04c76 100644
--- a/docs/security/sheriff.md
+++ b/docs/security/sheriff.md
@@ -227,15 +227,16 @@
Tips for reproducing bugs:
-* For any sort of a crash, CHECK/DCHECK or memory safety problem
- [use ClusterFuzz](clusterfuzz-for-sheriffs.md). As well as reproducing bugs,
- ClusterFuzz will help you with lots of subsequent bisection and labelling
- tasks.
* Assume that test cases may be malicious. You should only reproduce bugs
on your local machine if you're completely certain that you understand
100% of the test case. If not, use a disposable virtual machine. If you're
inside Google, a good way to do this is using
[Redshell](https://goto.google.com/redshell-for-chrome-sheriffs).
+* For any sort of a crash, CHECK/DCHECK or memory safety problem
+ [use ClusterFuzz](clusterfuzz-for-sheriffs.md). As well as reproducing bugs,
+ ClusterFuzz will help you with lots of subsequent bisection and labelling
+ tasks. Currently ClusterFuzz cannot guard against malicious test cases,
+ so be just as paranoid as if you were running a test case locally.
* [Instructions for using an Android emulator can be found
here](/docs/android_emulator.md). If you're inside Google, we have a
[guide for testing using Google infrastructure](https://goto.google.com/android-for-chrome-sheriffs).
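Review bot: The moved ClusterFuzz bullet ends with "be just as paranoid as if you were running a test case locally", which leaves the actual rule implicit and does not match the wording added to clusterfuzz-for-sheriffs.md. The bullet above sets the local bar at being "completely certain that you understand 100% of the test case", while the other file says "obviously harmless", so a reader sees two different thresholds for the same decision. Suggest stating the rule directly in this bullet (only upload test cases that meet the local bar, otherwise use a disposable virtual machine as the previous bullet describes) and using the same phrase in both documents. Placing the "assume test cases may be malicious" bullet before the ClusterFuzz one is a good ordering.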