selinux/libsepol/fuzz/secilc-fuzzer.c

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <getopt.h>
#include <sys/stat.h>

#include <sepol/cil/cil.h>
#include <sepol/policydb.h>

static void log_handler(__attribute__((unused)) int lvl, __attribute__((unused)) const char *msg) {
	/* be quiet */
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
	enum cil_log_level log_level = CIL_ERR;
	struct sepol_policy_file *pf = NULL;
	FILE *dev_null = NULL;
	int target = SEPOL_TARGET_SELINUX;
	int disable_dontaudit = 0;
	int multiple_decls = 0;
	int disable_neverallow = 0;
	int preserve_tunables = 0;
	int policyvers = POLICYDB_VERSION_MAX;
	int mls = -1;
	int attrs_expand_generated = 0;
	struct cil_db *db = NULL;
	sepol_policydb_t *pdb = NULL;

	cil_set_log_level(log_level);
	cil_set_log_handler(log_handler);

	cil_db_init(&db);
	cil_set_disable_dontaudit(db, disable_dontaudit);
	cil_set_multiple_decls(db, multiple_decls);
	cil_set_disable_neverallow(db, disable_neverallow);
	cil_set_preserve_tunables(db, preserve_tunables);
	cil_set_mls(db, mls);
	cil_set_target_platform(db, target);
	cil_set_policy_version(db, policyvers);
	cil_set_attrs_expand_generated(db, attrs_expand_generated);

	if (cil_add_file(db, "fuzz", (const char *)data, size) != SEPOL_OK)
		goto exit;

	if (cil_compile(db) != SEPOL_OK)
		goto exit;

	if (cil_build_policydb(db, &pdb) != SEPOL_OK)
		goto exit;

	if (sepol_policydb_optimize(pdb) != SEPOL_OK)
		goto exit;

	dev_null = fopen("/dev/null", "w");
	if (dev_null == NULL)
		goto exit;

	if (sepol_policy_file_create(&pf) != 0)
		goto exit;

	sepol_policy_file_set_fp(pf, dev_null);

	if (sepol_policydb_write(pdb, pf) != 0)
		goto exit;
exit:
	if (dev_null != NULL)
		fclose(dev_null);

	cil_db_destroy(&db);
	sepol_policydb_free(pdb);
	sepol_policy_file_free(pf);
	return 0;
}
libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 06:11:35 +00:00			`#include <stdlib.h>`
			`#include <stdio.h>`
			`#include <stdint.h>`
			`#include <string.h>`
			`#include <getopt.h>`
			`#include <sys/stat.h>`

			`#include <sepol/cil/cil.h>`
			`#include <sepol/policydb.h>`

libsepol/fuzz: silence secilc-fuzzer Do not output CIL log messages while fuzzing, since their amount are huge, e.g. for neverallow or typebounds violations. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 16:48:55 +00:00			`static void log_handler(__attribute__((unused)) int lvl, __attribute__((unused)) const char *msg) {`
			`/* be quiet */`
			`}`

libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 06:11:35 +00:00			`int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {`
			`enum cil_log_level log_level = CIL_ERR;`
			`struct sepol_policy_file *pf = NULL;`
			`FILE *dev_null = NULL;`
			`int target = SEPOL_TARGET_SELINUX;`
			`int disable_dontaudit = 0;`
			`int multiple_decls = 0;`
			`int disable_neverallow = 0;`
			`int preserve_tunables = 0;`
			`int policyvers = POLICYDB_VERSION_MAX;`
			`int mls = -1;`
			`int attrs_expand_generated = 0;`
			`struct cil_db *db = NULL;`
			`sepol_policydb_t *pdb = NULL;`

			`cil_set_log_level(log_level);`
libsepol/fuzz: silence secilc-fuzzer Do not output CIL log messages while fuzzing, since their amount are huge, e.g. for neverallow or typebounds violations. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 16:48:55 +00:00			`cil_set_log_handler(log_handler);`
libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 06:11:35 +00:00
			`cil_db_init(&db);`
			`cil_set_disable_dontaudit(db, disable_dontaudit);`
			`cil_set_multiple_decls(db, multiple_decls);`
			`cil_set_disable_neverallow(db, disable_neverallow);`
			`cil_set_preserve_tunables(db, preserve_tunables);`
			`cil_set_mls(db, mls);`
			`cil_set_target_platform(db, target);`
			`cil_set_policy_version(db, policyvers);`
			`cil_set_attrs_expand_generated(db, attrs_expand_generated);`

			`if (cil_add_file(db, "fuzz", (const char *)data, size) != SEPOL_OK)`
			`goto exit;`

			`if (cil_compile(db) != SEPOL_OK)`
			`goto exit;`

			`if (cil_build_policydb(db, &pdb) != SEPOL_OK)`
			`goto exit;`

			`if (sepol_policydb_optimize(pdb) != SEPOL_OK)`
			`goto exit;`

			`dev_null = fopen("/dev/null", "w");`
			`if (dev_null == NULL)`
			`goto exit;`

			`if (sepol_policy_file_create(&pf) != 0)`
			`goto exit;`

			`sepol_policy_file_set_fp(pf, dev_null);`

			`if (sepol_policydb_write(pdb, pf) != 0)`
			`goto exit;`
			`exit:`
			`if (dev_null != NULL)`
			`fclose(dev_null);`

			`cil_db_destroy(&db);`
			`sepol_policydb_free(pdb);`
			`sepol_policy_file_free(pf);`
			`return 0;`
			`}`