[WIP] fuzzer: attach security labels to programs

Signed-off-by: Rares Constantin <[email protected]>

Author: winrares

executor/common.h

@@ -34,6 +34,7 @@ typedef signed int ssize_t;
 #else
 #include <endian.h> // for htobe*.
 #endif
+#include <fstream>
 #include <stdint.h>
 #include <stdio.h> // for fmt arguments
 #include <stdlib.h>
@@ -601,6 +602,15 @@ static void execute_one(void);
 #define WAIT_FLAGS 0
 #endif
 
+void enforce_policy(bool enforce)
+{
+	std::ofstream outFile("/sys/fs/selinux/enforce");
+	if (outFile.is_open()) {
+		outFile << (enforce ? "1" : "0");
+		outFile.close();
+	}
+}
+
 #if SYZ_EXECUTOR_USES_FORK_SERVER
 #include <signal.h>
 #include <sys/types.h>
@@ -636,6 +646,7 @@ static void loop(void)
 		if (!flag_snapshot)
 			receive_execute();
 #endif
+		enforce_policy(flag_enforce_policy);
 		int pid = fork();
 		if (pid < 0)
 			fail("clone failed");
@@ -737,6 +748,7 @@ static void loop(void)
 			errno = 0;
 			fail("child failed");
 		}
+		enforce_policy(false);
 		reply_execute(0);
 #endif
 #if SYZ_EXECUTOR || SYZ_USE_TMP_DIR

executor/common_linux.h

@@ -4455,7 +4455,7 @@ static void getcon(char* context, size_t context_size)
 // - Uses fail() instead of returning an error code
 static void setcon(const char* context)
 {
-	char new_context[512];
+	char new_context[512] = {0};
 
 	// Attempt to write the new context
 	int fd = open(SELINUX_CONTEXT_FILE, O_WRONLY);
@@ -4470,7 +4470,7 @@ static void setcon(const char* context)
 	close(fd);
 
 	if (bytes_written != (ssize_t)strlen(context))
-		failmsg("setcon: could not write entire context", "wrote=%zi, expected=%zu", bytes_written, strlen(context));
+		failmsg("setcon: could not write entire context", "context: %s, wrote=%zi, expected=%zu", context, bytes_written, strlen(context));
 
 	// Validate the transition by checking the context
 	getcon(new_context, sizeof(new_context));

executor/executor.cc

@@ -273,6 +273,7 @@ static bool flag_nic_vf;
 static bool flag_vhci_injection;
 static bool flag_wifi;
 static bool flag_delay_kcov_mmap;
+static bool flag_enforce_policy;
 
 static bool flag_collect_cover;
 static bool flag_collect_signal;
@@ -296,6 +297,8 @@ static uint64 slowdown_scale;
 // or we already execute programs.
 static bool in_execute_one = false;
 
+static bool flag_apply_seclabel = false;
+
 #define SYZ_EXECUTOR 1
 #include "common.h"
 
@@ -306,6 +309,7 @@ const uint64 instr_eof = -1;
 const uint64 instr_copyin = -2;
 const uint64 instr_copyout = -3;
 const uint64 instr_setprops = -4;
+const uint64 instr_seclabel = -5;
 
 const uint64 arg_const = 0;
 const uint64 arg_addr32 = 1;
@@ -847,6 +851,7 @@ void parse_handshake(const handshake_req& req)
 	flag_wifi = (bool)(req.flags & rpc::ExecEnv::EnableWifi);
 	flag_delay_kcov_mmap = (bool)(req.flags & rpc::ExecEnv::DelayKcovMmap);
 	flag_nic_vf = (bool)(req.flags & rpc::ExecEnv::EnableNicVF);
+	flag_enforce_policy = (bool)(req.flags & rpc::ExecEnv::EnforcePolicy);
 }
 
 void receive_execute()
@@ -869,13 +874,14 @@ void parse_execute(const execute_req& req)
 	flag_dedup_cover = req.exec_flags & (uint64)rpc::ExecFlag::DedupCover;
 	flag_comparisons = req.exec_flags & (uint64)rpc::ExecFlag::CollectComps;
 	flag_threaded = req.exec_flags & (uint64)rpc::ExecFlag::Threaded;
+	flag_apply_seclabel = req.exec_flags & (uint64)rpc::ExecFlag::SetDynamicSecLabel;
 	all_call_signal = req.all_call_signal;
 	all_extra_signal = req.all_extra_signal;
 
 	debug("[%llums] exec opts: reqid=%llu type=%llu procid=%llu threaded=%d cover=%d comps=%d dedup=%d signal=%d "
-	      " sandbox=%d/%d/%d/%d timeouts=%llu/%llu/%llu kernel_64_bit=%d\n",
+	      " seclabel=%d sandbox=%d/%d/%d/%d timeouts=%llu/%llu/%llu kernel_64_bit=%d\n",
 	      current_time_ms() - start_time_ms, request_id, (uint64)request_type, procid, flag_threaded, flag_collect_cover,
-	      flag_comparisons, flag_dedup_cover, flag_collect_signal, flag_sandbox_none, flag_sandbox_setuid,
+	      flag_comparisons, flag_dedup_cover, flag_collect_signal, flag_apply_seclabel, flag_sandbox_none, flag_sandbox_setuid,
 	      flag_sandbox_namespace, flag_sandbox_android, syscall_timeout_ms, program_timeout_ms, slowdown_scale,
 	      is_kernel_64_bit);
 	if (syscall_timeout_ms == 0 || program_timeout_ms <= syscall_timeout_ms || slowdown_scale == 0)
@@ -970,6 +976,22 @@ void execute_one()
 	memset(&call_props, 0, sizeof(call_props));
 
 	read_input(&input_pos); // total number of calls
+#if GOOS_linux
+	// The first call should be seclabel instruction if `flag_apply_seclabel` is true.
+	if (flag_apply_seclabel) {
+		uint64 call_num = read_input(&input_pos);
+		if (call_num != instr_seclabel) {
+			fail("the first call is not a seclabel instruction\n");
+		}
+		uint64 size = read_input(&input_pos);
+		char seclabel[64]{};
+		memcpy(seclabel, input_pos, size);
+		setcon(seclabel);
+		input_pos += size;
+
+		debug("applied security label: %s\n", seclabel);
+	}
+#endif
 	for (;;) {
 		uint64 call_num = read_input(&input_pos);
 		if (call_num == instr_eof)

pkg/flatrpc/flatrpc.fbs

@@ -142,6 +142,7 @@ enum ExecEnv : uint64 (bit_flags) {
 	SandboxSetuid,		// impersonate nobody user
 	SandboxNamespace,	// use namespaces for sandboxing
 	SandboxAndroid,		// use Android sandboxing for the untrusted_app domain
+	EnforcePolicy,		// enforce the loaded SELinux policy	
 	ExtraCover,		// collect extra coverage
 	EnableTun,		// setup and use /dev/tun for packet injection
 	EnableNetDev,		// setup more network devices for testing
@@ -161,6 +162,7 @@ enum ExecFlag : uint64 (bit_flags) {
 	DedupCover,		// deduplicate coverage in executor
 	CollectComps,		// collect KCOV comparisons
 	Threaded,		// use multiple threads to mitigate blocked syscalls
+	SetDynamicSecLabel,
 }
 
 struct ExecOptsRaw {

pkg/flatrpc/flatrpc.go

@@ -566,23 +566,24 @@ enum class ExecEnv : uint64_t {
   SandboxSetuid = 32ULL,
   SandboxNamespace = 64ULL,
   SandboxAndroid = 128ULL,
-  ExtraCover = 256ULL,
-  EnableTun = 512ULL,
-  EnableNetDev = 1024ULL,
-  EnableNetReset = 2048ULL,
-  EnableCgroups = 4096ULL,
-  EnableCloseFds = 8192ULL,
-  EnableDevlinkPCI = 16384ULL,
-  EnableVhciInjection = 32768ULL,
-  EnableWifi = 65536ULL,
-  DelayKcovMmap = 131072ULL,
-  EnableNicVF = 262144ULL,
+  EnforcePolicy = 256ULL,
+  ExtraCover = 512ULL,
+  EnableTun = 1024ULL,
+  EnableNetDev = 2048ULL,
+  EnableNetReset = 4096ULL,
+  EnableCgroups = 8192ULL,
+  EnableCloseFds = 16384ULL,
+  EnableDevlinkPCI = 32768ULL,
+  EnableVhciInjection = 65536ULL,
+  EnableWifi = 131072ULL,
+  DelayKcovMmap = 262144ULL,
+  EnableNicVF = 524288ULL,
   NONE = 0,
-  ANY = 524287ULL
+  ANY = 1048575ULL
 };
 FLATBUFFERS_DEFINE_BITMASK_OPERATORS(ExecEnv, uint64_t)
 
-inline const ExecEnv (&EnumValuesExecEnv())[19] {
+inline const ExecEnv (&EnumValuesExecEnv())[20] {
   static const ExecEnv values[] = {
     ExecEnv::Debug,
     ExecEnv::Signal,
@@ -592,6 +593,7 @@ inline const ExecEnv (&EnumValuesExecEnv())[19] {
     ExecEnv::SandboxSetuid,
     ExecEnv::SandboxNamespace,
     ExecEnv::SandboxAndroid,
+    ExecEnv::EnforcePolicy,
     ExecEnv::ExtraCover,
     ExecEnv::EnableTun,
     ExecEnv::EnableNetDev,
@@ -617,6 +619,7 @@ inline const char *EnumNameExecEnv(ExecEnv e) {
     case ExecEnv::SandboxSetuid: return "SandboxSetuid";
     case ExecEnv::SandboxNamespace: return "SandboxNamespace";
     case ExecEnv::SandboxAndroid: return "SandboxAndroid";
+    case ExecEnv::EnforcePolicy: return "EnforcePolicy";
     case ExecEnv::ExtraCover: return "ExtraCover";
     case ExecEnv::EnableTun: return "EnableTun";
     case ExecEnv::EnableNetDev: return "EnableNetDev";
@@ -638,49 +641,34 @@ enum class ExecFlag : uint64_t {
   DedupCover = 4ULL,
   CollectComps = 8ULL,
   Threaded = 16ULL,
+  SetDynamicSecLabel = 32ULL,
   NONE = 0,
-  ANY = 31ULL
+  ANY = 63ULL
 };
 FLATBUFFERS_DEFINE_BITMASK_OPERATORS(ExecFlag, uint64_t)
 
-inline const ExecFlag (&EnumValuesExecFlag())[5] {
+inline const ExecFlag (&EnumValuesExecFlag())[6] {
   static const ExecFlag values[] = {
     ExecFlag::CollectSignal,
     ExecFlag::CollectCover,
     ExecFlag::DedupCover,
     ExecFlag::CollectComps,
-    ExecFlag::Threaded
+    ExecFlag::Threaded,
+    ExecFlag::SetDynamicSecLabel
   };
   return values;
 }
 
-inline const char * const *EnumNamesExecFlag() {
-  static const char * const names[17] = {
-    "CollectSignal",
-    "CollectCover",
-    "",
-    "DedupCover",
-    "",
-    "",
-    "",
-    "CollectComps",
-    "",
-    "",
-    "",
-    "",
-    "",
-    "",
-    "",
-    "Threaded",
-    nullptr
-  };
-  return names;
-}
-
 inline const char *EnumNameExecFlag(ExecFlag e) {
-  if (flatbuffers::IsOutRange(e, ExecFlag::CollectSignal, ExecFlag::Threaded)) return "";
-  const size_t index = static_cast<size_t>(e) - static_cast<size_t>(ExecFlag::CollectSignal);
-  return EnumNamesExecFlag()[index];
+  switch (e) {
+    case ExecFlag::CollectSignal: return "CollectSignal";
+    case ExecFlag::CollectCover: return "CollectCover";
+    case ExecFlag::DedupCover: return "DedupCover";
+    case ExecFlag::CollectComps: return "CollectComps";
+    case ExecFlag::Threaded: return "Threaded";
+    case ExecFlag::SetDynamicSecLabel: return "SetDynamicSecLabel";
+    default: return "";
+  }
 }
 
 enum class CallFlag : uint8_t {