[WIP] fuzzer: add security context generator

winrares · winrares · commit 4d3462767dc8 · 2025-09-25T10:19:35.000Z
Added the security context generator in the fuzzer package which will
contain the implementation for loading a binary security policy, parse
it and then generate an appropiate security context based on the
syscalls that are fuzzed in a program.

Signed-off-by: Rares Constantin &lt;rarescon@google.com&gt;
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
@@ -24,8 +24,9 @@ import (
 
 type Fuzzer struct {
 	Stats
-	Config *Config
-	Cover  *Cover
+	Config        *Config
+	Cover         *Cover
+	SecContextGen *SecContextGenerator
 
 	ctx          context.Context
 	mu           sync.Mutex
@@ -43,16 +44,17 @@ type Fuzzer struct {
 }
 
 func NewFuzzer(ctx context.Context, cfg *Config, rnd *rand.Rand,
-	target *prog.Target) *Fuzzer {
+	target *prog.Target, seclabelgen *SecContextGenerator) *Fuzzer {
 	if cfg.NewInputFilter == nil {
 		cfg.NewInputFilter = func(call string) bool {
 			return true
 		}
 	}
 	f := &Fuzzer{
-		Stats:  newStats(target),
-		Config: cfg,
-		Cover:  newCover(),
+		Stats:         newStats(target),
+		Config:        cfg,
+		Cover:         newCover(),
+		SecContextGen: seclabelgen,
 
 		ctx:         ctx,
 		rnd:         rnd,
@@ -219,8 +221,6 @@ type Config struct {
 	EnabledCalls     map[*prog.Syscall]bool
 	NoMutateCalls    map[int]bool
 	FetchRawCover    bool
-	Sandbox          string
-	SandboxArg       int64
 	AttachSecContext bool
 	NewInputFilter   func(call string) bool
 	PatchTest        bool
@@ -374,16 +374,8 @@ func (fuzzer *Fuzzer) AddCandidates(candidates []Candidate) {
 			Stat:      fuzzer.statExecCandidate,
 			Important: true,
 		}
-		req.Prog.SecContext = ""
-		if fuzzer.Config.AttachSecContext {
-			req.Prog.SecContext = "user_u:user_r:user_t:s0"
-			if fuzzer.Config.Sandbox == "android" {
-				if fuzzer.Config.SandboxArg == 0 {
-					req.Prog.SecContext = "u:r:untrusted_app:s0:c512,c768"
-				} else {
-					req.Prog.SecContext = ""
-				}
-			}
+		if fuzzer.SecContextGen != nil {
+			req.Prog.SecContext = fuzzer.SecContextGen.getSecLabel()
 		}
 		fuzzer.enqueue(fuzzer.candidateQueue, req, candidate.Flags|progCandidate, 0)
 	}
diff --git a/pkg/fuzzer/fuzzer_test.go b/pkg/fuzzer/fuzzer_test.go
@@ -59,7 +59,7 @@ func TestFuzz(t *testing.T) {
 		EnabledCalls: map[*prog.Syscall]bool{
 			target.SyscallMap["syz_test_fuzzer1"]: true,
 		},
-	}, rand.New(testutil.RandSource(t)), target)
+	}, rand.New(testutil.RandSource(t)), target, nil)
 
 	go func() {
 		for {
@@ -108,7 +108,7 @@ func BenchmarkFuzzer(b *testing.B) {
 		Corpus:       corpus.NewCorpus(ctx),
 		Coverage:     true,
 		EnabledCalls: calls,
-	}, rand.New(rand.NewSource(time.Now().UnixNano())), target)
+	}, rand.New(rand.NewSource(time.Now().UnixNano())), target, nil)
 
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go
@@ -45,17 +45,7 @@ func genProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request {
 	p := fuzzer.target.Generate(rnd,
 		fuzzer.RecommendedCalls(),
 		fuzzer.ChoiceTable())
-	p.SecContext = ""
-	if fuzzer.Config.AttachSecContext {
-		p.SecContext = "user_u:user_r:user_t:s0"
-		if fuzzer.Config.Sandbox == "android" {
-			if fuzzer.Config.SandboxArg == 0 {
-				p.SecContext = "u:r:untrusted_app:s0:c512,c768"
-			} else {
-				p.SecContext = ""
-			}
-		}
-	}
+	p.SecContext = fuzzer.SecContextGen.getSecLabel()
 	return &queue.Request{
 		Prog:     p,
 		ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),
diff --git a/pkg/fuzzer/seccontextgen.go b/pkg/fuzzer/seccontextgen.go
@@ -0,0 +1,25 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package fuzzer
+
+type SecContextGenerator struct {	
+	Sandbox         string
+	SandboxArg      int64
+	AttachSecLabels bool
+}
+
+func (secContextGenerator *SecContextGenerator) getSecLabel() string {
+	var secContext string = ""
+	if secContextGenerator.AttachSecLabels {
+		secContext = "user_u:user_r:user_t:s0"
+		if secContextGenerator.Sandbox == "android" {
+			if secContextGenerator.SandboxArg == 0 {
+				secContext = "u:r:untrusted_app:s0:c512,c768"
+			} else {
+				secContext = ""
+			}
+		}
+	}
+	return secContext
+}
diff --git a/pkg/kfuzztest-manager/manager.go b/pkg/kfuzztest-manager/manager.go
@@ -114,7 +114,7 @@ func NewKFuzzTestManager(ctx context.Context, cfg Config) (*kFuzzTestManager, er
 			// Don't filter anything.
 			return true
 		},
-	}, rnd, target)
+	}, rnd, target, nil)
 
 	// TODO: Sufficient for startup, but not ideal that we are passing a
 	// manager config here. Would require changes to pkg/fuzzer if we wanted to
diff --git a/pkg/manager/diff.go b/pkg/manager/diff.go
@@ -571,7 +571,7 @@ func (kc *kernelContext) setupFuzzer(features flatrpc.Feature, syscalls map[*pro
 			}
 			log.Logf(level, msg, args...)
 		},
-	}, rnd, kc.cfg.Target)
+	}, rnd, kc.cfg.Target, nil)
 
 	if kc.http != nil {
 		kc.http.Fuzzer.Store(fuzzerObj)
diff --git a/syz-manager/manager.go b/syz-manager/manager.go
@@ -1176,8 +1176,6 @@ func (mgr *Manager) MachineChecked(features flatrpc.Feature,
 			NoMutateCalls:    mgr.cfg.NoMutateCalls,
 			FetchRawCover:    mgr.cfg.RawCover,
 			AttachSecContext: mgr.cfg.Experimental.AttachSecContexts,
-			Sandbox:          mgr.cfg.Sandbox,
-			SandboxArg:       mgr.cfg.SandboxArg,
 			Logf: func(level int, msg string, args ...interface{}) {
 				if level != 0 {
 					return
@@ -1190,7 +1188,7 @@ func (mgr *Manager) MachineChecked(features flatrpc.Feature,
 				return !mgr.saturatedCalls[call]
 			},
 			ModeKFuzzTest: mgr.cfg.Experimental.EnableKFuzzTest,
-		}, rnd, mgr.target)
+		}, rnd, mgr.target, &fuzzer.SecContextGenerator{ Sandbox: mgr.cfg.Sandbox, SandboxArg: mgr.cfg.SandboxArg, AttachSecLabels: mgr.cfg.Experimental.AttachSecContexts })
 		fuzzerObj.AddCandidates(candidates)
 		mgr.fuzzer.Store(fuzzerObj)
 		mgr.http.Fuzzer.Store(fuzzerObj)

Original file line number	Diff line number	Diff line change
`@@ -571,7 +571,7 @@ func (kc kernelContext) setupFuzzer(features flatrpc.Feature, syscalls map[pro`
`571`	`571`	`}`
`572`	`572`	`log.Logf(level, msg, args...)`
`573`	`573`	`},`
`574`		`- }, rnd, kc.cfg.Target)`
	`574`	`+ }, rnd, kc.cfg.Target, nil)`
`575`	`575`
`576`	`576`	`if kc.http != nil {`
`577`	`577`	`kc.http.Fuzzer.Store(fuzzerObj)`