RFC Fuzzing SE Linux interfaces

RFC Fuzzing SE Linux interfaces

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 309 bytes --]


A quick google search didn't yield much, neither did a grep of the selinux-testsuite, but is their currently any fuzzing work being done on the selinux interfaces?

Also, I noticed that the test suite has some ToDo's and I didn't see tests surrounding ioctlcmd there, are their some implemented?

Bill

[-- Attachment #2: Type: text/html, Size: 2175 bytes --]

Re: RFC Fuzzing SE Linux interfaces

[Paul Moore]

On Fri, Jul 15, 2016 at 4:18 PM, Roberts, William C
<william.c.roberts@intel.com> wrote:
> A quick google search didn’t yield much, neither did a grep of the
> selinux-testsuite, but is their currently any fuzzing work being done on the
> selinux interfaces?

I'm not aware of any.

> Also, I noticed that the test suite has some ToDo’s and I didn’t see tests
> surrounding ioctlcmd there, are their some implemented?

Not that I'm aware of at the moment, perhaps the SEAndroid folks have
some?  I think the initial problem was that the new ioctl xperms
didn't play well with modular policy, although I believe that has now
been fixed.  If you've got the time to write some tests, I'd love to
have them in the testsuite.

-- 
paul moore
www.paul-moore.com

Re: RFC Fuzzing SE Linux interfaces

[Stephen Smalley]

On 07/15/2016 04:18 PM, Roberts, William C wrote:
>  
> 
> A quick google search didn’t yield much, neither did a grep of the
> selinux-testsuite, but is their currently any fuzzing work being done on
> the selinux interfaces?

Not AFAIK.  There are general system call fuzzers for Linux such trinity
and syzkaller; if you want to do full fledged fuzzing, you probably want
to use one of those frameworks rather than rolling your own in
selinux-testsuite.  On the other hand, if you just want to write some
specific tests of the selinuxfs and /proc/pid/attr interfaces and add
them to selinux-testsuite, that's fine too.

> Also, I noticed that the test suite has some ToDo’s and I didn’t see
> tests surrounding ioctlcmd there, are their some implemented?

Not implemented yet, but they are mentioned in the ToDo list:
$ grep ioctl ToDo
ioctl: Test new ioctl whitelisting feature.

You'll need Fedora 24 or newer in order to have the corresponding
libsepol/checkpolicy support.

RE: RFC Fuzzing SE Linux interfaces

[Roberts, William C]

> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Monday, July 18, 2016 6:21 AM
> To: Roberts, William C <william.c.roberts@intel.com>; selinux@tycho.nsa.gov
> Subject: Re: RFC Fuzzing SE Linux interfaces
> 
> On 07/15/2016 04:18 PM, Roberts, William C wrote:
> >
> >
> > A quick google search didn’t yield much, neither did a grep of the
> > selinux-testsuite, but is their currently any fuzzing work being done
> > on the selinux interfaces?
> 
> Not AFAIK.  There are general system call fuzzers for Linux such trinity and
> syzkaller; if you want to do full fledged fuzzing, you probably want to use one of
> those frameworks rather than rolling your own in selinux-testsuite.  On the other

I planned on using one of the frameworks, not sure which yet. I didn't plan on adding
Any fuzzing tests into selinux-testsuite. However, if I find issues, I'll likely take the malformed
Input and create a test case on that one, that way we can at least detect regressions on
Known bad inputs.

> hand, if you just want to write some specific tests of the selinuxfs and
> /proc/pid/attr interfaces and add them to selinux-testsuite, that's fine too.
> 
> > Also, I noticed that the test suite has some ToDo’s and I didn’t see
> > tests surrounding ioctlcmd there, are their some implemented?
> 
> Not implemented yet, but they are mentioned in the ToDo list:
> $ grep ioctl ToDo
> ioctl: Test new ioctl whitelisting feature.

IMHO we should probably not take new features without a tests.

> 
> You'll need Fedora 24 or newer in order to have the corresponding
> libsepol/checkpolicy support.
> 

Re: RFC Fuzzing SE Linux interfaces

[Paul Moore]

On Mon, Jul 18, 2016 at 1:07 PM, Roberts, William C
<william.c.roberts@intel.com> wrote:
>> -----Original Message-----
>> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
>> Sent: Monday, July 18, 2016 6:21 AM
>> To: Roberts, William C <william.c.roberts@intel.com>; selinux@tycho.nsa.gov
>> Subject: Re: RFC Fuzzing SE Linux interfaces
>>
>> On 07/15/2016 04:18 PM, Roberts, William C wrote:
>> >
>> >
>> > A quick google search didn’t yield much, neither did a grep of the
>> > selinux-testsuite, but is their currently any fuzzing work being done
>> > on the selinux interfaces?
>>
>> Not AFAIK.  There are general system call fuzzers for Linux such trinity and
>> syzkaller; if you want to do full fledged fuzzing, you probably want to use one of
>> those frameworks rather than rolling your own in selinux-testsuite.  On the other
>
> I planned on using one of the frameworks, not sure which yet. I didn't plan on adding
> Any fuzzing tests into selinux-testsuite. However, if I find issues, I'll likely take the malformed
> Input and create a test case on that one, that way we can at least detect regressions on
> Known bad inputs.

Yes, fuzzing doesn't belong in selinux-testsuite; I want to keep that
as a relatively simple testsuite that is reasonably self-contained and
can be run easily and quickly.  Think regression testing.

>> hand, if you just want to write some specific tests of the selinuxfs and
>> /proc/pid/attr interfaces and add them to selinux-testsuite, that's fine too.
>>
>> > Also, I noticed that the test suite has some ToDo’s and I didn’t see
>> > tests surrounding ioctlcmd there, are their some implemented?
>>
>> Not implemented yet, but they are mentioned in the ToDo list:
>> $ grep ioctl ToDo
>> ioctl: Test new ioctl whitelisting feature.
>
> IMHO we should probably not take new features without a tests.

Yes, that is something I'm getting stricter about.

-- 
paul moore
www.paul-moore.com