From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: Evgeny Vereshchagin <evvers@ya.ru>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH v2] libsepol/cil: move the fuzz target and build script to the selinux repository
Date: Mon, 16 Aug 2021 11:16:13 +0200 [thread overview]
Message-ID: <CAJfZ7=mDwifrEnFpcJxznSHTDbPwYhkzo1MyZ+-pvsUyiCTBWA@mail.gmail.com> (raw)
In-Reply-To: <20210715061135.2756-1-evvers@ya.ru>
On Thu, Jul 15, 2021 at 8:11 AM Evgeny Vereshchagin <evvers@ya.ru> wrote:
>
> It should make it easier to reproduce bugs found by OSS-Fuzz locally
> without docker. The fuzz target can be built and run with the corpus
> OSS-Fuzz has accumulated so far by running the following commands:
> ```
> ./scripts/oss-fuzz.sh
> wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip
> unzip -d CORPUS public.zip
> ./out/secilc-fuzzer CORPUS/
> ```
>
> It was tested in https://github.com/google/oss-fuzz/pull/6026
> by pointing OSS-Fuzz to the branch containing the patch and
> running all the tests with all the sanitizers and fuzzing engines
> there: https://github.com/google/oss-fuzz/actions/runs/1024673143
>
> [v2]
> [1] oss-fuzz: make shellcheck happy
>
> [2] oss-fuzz: build libsepol only
>
> The fuzz target covers libsepol so it's unnecessary to build everything
> else. Apart from that, the "LDFLAGS" kludge was removed since libsepol
> is compatible with the sanitizers flags passed via CFLAGS only. It
> should be brought back one way or another eventually though to fix
> build failures like
> ```
> clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile
> /usr/bin/ld: sefcontext_compile.o: in function `usage':
> /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8'
> /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return'
> /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor':
> ```
>
> [3] oss-fuzz: make it possible to run the script more than once
> by removing various build artifacts
>
> [4] oss-fuzz: make it possible to run the script from any directory
>
> [5] oss-fuzz: be a little bit more specific about what the script does
>
> [6] oss-fuzz: stop overwriting all the Makefiles
>
> Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
Sorry for the delay. I have now been able to review and test your
script and it seems to work perfectly. Thanks!
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Thanks,
Nicolas
> ---
> libsepol/fuzz/secilc-fuzzer.c | 69 +++++++++++++++++++++++++++++++++++
> scripts/oss-fuzz.sh | 59 ++++++++++++++++++++++++++++++
> 2 files changed, 128 insertions(+)
> create mode 100644 libsepol/fuzz/secilc-fuzzer.c
> create mode 100755 scripts/oss-fuzz.sh
>
> diff --git a/libsepol/fuzz/secilc-fuzzer.c b/libsepol/fuzz/secilc-fuzzer.c
> new file mode 100644
> index 00000000..255b3241
> --- /dev/null
> +++ b/libsepol/fuzz/secilc-fuzzer.c
> @@ -0,0 +1,69 @@
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <string.h>
> +#include <getopt.h>
> +#include <sys/stat.h>
> +
> +#include <sepol/cil/cil.h>
> +#include <sepol/policydb.h>
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> + enum cil_log_level log_level = CIL_ERR;
> + struct sepol_policy_file *pf = NULL;
> + FILE *dev_null = NULL;
> + int target = SEPOL_TARGET_SELINUX;
> + int disable_dontaudit = 0;
> + int multiple_decls = 0;
> + int disable_neverallow = 0;
> + int preserve_tunables = 0;
> + int policyvers = POLICYDB_VERSION_MAX;
> + int mls = -1;
> + int attrs_expand_generated = 0;
> + struct cil_db *db = NULL;
> + sepol_policydb_t *pdb = NULL;
> +
> + cil_set_log_level(log_level);
> +
> + cil_db_init(&db);
> + cil_set_disable_dontaudit(db, disable_dontaudit);
> + cil_set_multiple_decls(db, multiple_decls);
> + cil_set_disable_neverallow(db, disable_neverallow);
> + cil_set_preserve_tunables(db, preserve_tunables);
> + cil_set_mls(db, mls);
> + cil_set_target_platform(db, target);
> + cil_set_policy_version(db, policyvers);
> + cil_set_attrs_expand_generated(db, attrs_expand_generated);
> +
> + if (cil_add_file(db, "fuzz", (const char *)data, size) != SEPOL_OK)
> + goto exit;
> +
> + if (cil_compile(db) != SEPOL_OK)
> + goto exit;
> +
> + if (cil_build_policydb(db, &pdb) != SEPOL_OK)
> + goto exit;
> +
> + if (sepol_policydb_optimize(pdb) != SEPOL_OK)
> + goto exit;
> +
> + dev_null = fopen("/dev/null", "w");
> + if (dev_null == NULL)
> + goto exit;
> +
> + if (sepol_policy_file_create(&pf) != 0)
> + goto exit;
> +
> + sepol_policy_file_set_fp(pf, dev_null);
> +
> + if (sepol_policydb_write(pdb, pf) != 0)
> + goto exit;
> +exit:
> + if (dev_null != NULL)
> + fclose(dev_null);
> +
> + cil_db_destroy(&db);
> + sepol_policydb_free(pdb);
> + sepol_policy_file_free(pf);
> + return 0;
> +}
> diff --git a/scripts/oss-fuzz.sh b/scripts/oss-fuzz.sh
> new file mode 100755
> index 00000000..16cc3c0a
> --- /dev/null
> +++ b/scripts/oss-fuzz.sh
> @@ -0,0 +1,59 @@
> +#!/bin/bash
> +
> +# The script is used to build the fuzz targets run on ClusterFuzz. It has to be
> +# compatible with the "build.sh" script described at
> +# https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh
> +# More precisely, it should use environment variables like OUT, LIB_FUZZING_ENGINE
> +# and so on (https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh-script-environment),
> +# and the fuzz targets have to be linked with $CXX even though the project is written
> +# in C: https://google.github.io/oss-fuzz/getting-started/new-project-guide/#Requirements
> +
> +# To make it easier to build the fuzz targets locally, the script can also work in "local"
> +# mode. To run secilc-fuzzer against a test case (named, say, CRASH) triggering an issue
> +# the following commands should be run
> +#
> +# $ ./scripts/oss-fuzz.sh
> +# $ ./out/secilc-fuzzer CRASH
> +
> +# To run the fuzzer against the corpus OSS-Fuzz has accumulated so far it should be
> +# downloaded, unpacked and passed to the fuzzer:
> +#
> +# $ wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip
> +# $ unzip -d CORPUS public.zip
> +# $ ./out/secilc-fuzzer CORPUS/
> +
> +set -eux
> +
> +cd "$(dirname -- "$0")/.."
> +
> +export DESTDIR=${DESTDIR:-$(pwd)/DESTDIR}
> +
> +SANITIZER=${SANITIZER:-address}
> +flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"
> +
> +export CC=${CC:-clang}
> +export CFLAGS=${CFLAGS:-$flags}
> +
> +export CXX=${CXX:-clang++}
> +export CXXFLAGS=${CXXFLAGS:-$flags}
> +
> +export OUT=${OUT:-$(pwd)/out}
> +mkdir -p "$OUT"
> +
> +export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}
> +
> +rm -rf "$DESTDIR"
> +make -C libsepol clean
> +# LIBSO and LIBMAP shouldn't be expanded here because their values are unknown until Makefile
> +# has been read by make
> +# shellcheck disable=SC2016
> +make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" install
> +
> +# CFLAGS, CXXFLAGS and LIB_FUZZING_ENGINE have to be split to be accepted by
> +# the compiler/linker so they shouldn't be quoted
> +# shellcheck disable=SC2086
> +$CC $CFLAGS -I"$DESTDIR/usr/include" -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -c -o secilc-fuzzer.o libsepol/fuzz/secilc-fuzzer.c
> +# shellcheck disable=SC2086
> +$CXX $CXXFLAGS $LIB_FUZZING_ENGINE secilc-fuzzer.o "$DESTDIR/usr/lib/libsepol.a" -o "$OUT/secilc-fuzzer"
> +
> +zip -r "$OUT/secilc-fuzzer_seed_corpus.zip" secilc/test
> --
> 2.31.1
>
next prev parent reply other threads:[~2021-08-16 9:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-13 0:04 [PATCH] libsepol/cil: move the fuzz target and build script to the selinux repository Evgeny Vereshchagin
2021-07-13 19:51 ` Nicolas Iooss
2021-07-15 6:11 ` [PATCH v2] " Evgeny Vereshchagin
2021-08-16 9:16 ` Nicolas Iooss [this message]
2021-08-17 18:42 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJfZ7=mDwifrEnFpcJxznSHTDbPwYhkzo1MyZ+-pvsUyiCTBWA@mail.gmail.com' \
--to=nicolas.iooss@m4x.org \
--cc=evvers@ya.ru \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).