[WIP] fuzzer: attach security contexts to programs

Added two new experimental flags that allow the fuzzer to attach
simple security contexts to each program that will be executed on the
target. The objective is to allow syzkaller to fuzz syscalls under
specific security contexts that match the SELinux policy that is loaded
on target.

The `enforce_policy` flag may be used to enforce the policy before the
executor forks and calls the `execute_one()` function. The default
Debian security policy does not allow the dynamic transition to
`user_u:user_r:user_t:s0` through `setcon()`.

Signed-off-by: Rares Constantin <[email protected]>

Author: winrares

executor/common.h

@@ -34,6 +34,7 @@ typedef signed int ssize_t;
 #else
 #include <endian.h> // for htobe*.
 #endif
+#include <fstream>
 #include <stdint.h>
 #include <stdio.h> // for fmt arguments
 #include <stdlib.h>
@@ -601,6 +602,15 @@ static void execute_one(void);
 #define WAIT_FLAGS 0
 #endif
 
+void enforce_policy(bool enforce)
+{
+	std::ofstream outFile("/sys/fs/selinux/enforce");
+	if (outFile.is_open()) {
+		outFile << (enforce ? "1" : "0");
+		outFile.close();
+	}
+}
+
 #if SYZ_EXECUTOR_USES_FORK_SERVER
 #include <signal.h>
 #include <sys/types.h>
@@ -636,6 +646,7 @@ static void loop(void)
 		if (!flag_snapshot)
 			receive_execute();
 #endif
+		enforce_policy(flag_enforce_policy);
 		int pid = fork();
 		if (pid < 0)
 			fail("clone failed");
@@ -737,6 +748,7 @@ static void loop(void)
 			errno = 0;
 			fail("child failed");
 		}
+		enforce_policy(false);
 		reply_execute(0);
 #endif
 #if SYZ_EXECUTOR || SYZ_USE_TMP_DIR

executor/common_linux.h

@@ -4455,7 +4455,7 @@ static void getcon(char* context, size_t context_size)
 // - Uses fail() instead of returning an error code
 static void setcon(const char* context)
 {
-	char new_context[512];
+	char new_context[512] = {0};
 
 	// Attempt to write the new context
 	int fd = open(SELINUX_CONTEXT_FILE, O_WRONLY);
@@ -4470,7 +4470,7 @@ static void setcon(const char* context)
 	close(fd);
 
 	if (bytes_written != (ssize_t)strlen(context))
-		failmsg("setcon: could not write entire context", "wrote=%zi, expected=%zu", bytes_written, strlen(context));
+		failmsg("setcon: could not write entire context", "context: %s, wrote=%zi, expected=%zu", context, bytes_written, strlen(context));
 
 	// Validate the transition by checking the context
 	getcon(new_context, sizeof(new_context));

executor/executor.cc

@@ -273,6 +273,7 @@ static bool flag_nic_vf;
 static bool flag_vhci_injection;
 static bool flag_wifi;
 static bool flag_delay_kcov_mmap;
+static bool flag_enforce_policy;
 
 static bool flag_collect_cover;
 static bool flag_collect_signal;
@@ -306,6 +307,7 @@ const uint64 instr_eof = -1;
 const uint64 instr_copyin = -2;
 const uint64 instr_copyout = -3;
 const uint64 instr_setprops = -4;
+const uint64 instr_seccontext = -5;
 
 const uint64 arg_const = 0;
 const uint64 arg_addr32 = 1;
@@ -847,6 +849,7 @@ void parse_handshake(const handshake_req& req)
 	flag_wifi = (bool)(req.flags & rpc::ExecEnv::EnableWifi);
 	flag_delay_kcov_mmap = (bool)(req.flags & rpc::ExecEnv::DelayKcovMmap);
 	flag_nic_vf = (bool)(req.flags & rpc::ExecEnv::EnableNicVF);
+	flag_enforce_policy = (bool)(req.flags & rpc::ExecEnv::EnforcePolicy);
 }
 
 void receive_execute()
@@ -970,10 +973,25 @@ void execute_one()
 	memset(&call_props, 0, sizeof(call_props));
 
 	read_input(&input_pos); // total number of calls
-	for (;;) {
+	for (int index = 0;; index++) {
 		uint64 call_num = read_input(&input_pos);
 		if (call_num == instr_eof)
 			break;
+#if GOOS_linux
+		if (call_num == instr_seccontext) {
+			if (index) {
+				fail("seclabel instruction is not the first call\n");
+			}
+			uint64 size = read_input(&input_pos);
+			char seclabel[64]{};
+			memcpy(seclabel, input_pos, size);
+			setcon(seclabel);
+			input_pos += size;
+
+			debug_verbose("applied security label: %s\n", seclabel);
+			continue;
+		}
+#endif
 		if (call_num == instr_copyin) {
 			char* addr = (char*)(read_input(&input_pos) + SYZ_DATA_OFFSET);
 			uint64 typ = read_input(&input_pos);

pkg/flatrpc/flatrpc.fbs

@@ -142,6 +142,7 @@ enum ExecEnv : uint64 (bit_flags) {
 	SandboxSetuid,		// impersonate nobody user
 	SandboxNamespace,	// use namespaces for sandboxing
 	SandboxAndroid,		// use Android sandboxing for the untrusted_app domain
+	EnforcePolicy,		// enforce the loaded SELinux policy
 	ExtraCover,		// collect extra coverage
 	EnableTun,		// setup and use /dev/tun for packet injection
 	EnableNetDev,		// setup more network devices for testing

pkg/flatrpc/flatrpc.go

@@ -566,23 +566,24 @@ enum class ExecEnv : uint64_t {
   SandboxSetuid = 32ULL,
   SandboxNamespace = 64ULL,
   SandboxAndroid = 128ULL,
-  ExtraCover = 256ULL,
-  EnableTun = 512ULL,
-  EnableNetDev = 1024ULL,
-  EnableNetReset = 2048ULL,
-  EnableCgroups = 4096ULL,
-  EnableCloseFds = 8192ULL,
-  EnableDevlinkPCI = 16384ULL,
-  EnableVhciInjection = 32768ULL,
-  EnableWifi = 65536ULL,
-  DelayKcovMmap = 131072ULL,
-  EnableNicVF = 262144ULL,
+  EnforcePolicy = 256ULL,
+  ExtraCover = 512ULL,
+  EnableTun = 1024ULL,
+  EnableNetDev = 2048ULL,
+  EnableNetReset = 4096ULL,
+  EnableCgroups = 8192ULL,
+  EnableCloseFds = 16384ULL,
+  EnableDevlinkPCI = 32768ULL,
+  EnableVhciInjection = 65536ULL,
+  EnableWifi = 131072ULL,
+  DelayKcovMmap = 262144ULL,
+  EnableNicVF = 524288ULL,
   NONE = 0,
-  ANY = 524287ULL
+  ANY = 1048575ULL
 };
 FLATBUFFERS_DEFINE_BITMASK_OPERATORS(ExecEnv, uint64_t)
 
-inline const ExecEnv (&EnumValuesExecEnv())[19] {
+inline const ExecEnv (&EnumValuesExecEnv())[20] {
   static const ExecEnv values[] = {
     ExecEnv::Debug,
     ExecEnv::Signal,
@@ -592,6 +593,7 @@ inline const ExecEnv (&EnumValuesExecEnv())[19] {
     ExecEnv::SandboxSetuid,
     ExecEnv::SandboxNamespace,
     ExecEnv::SandboxAndroid,
+    ExecEnv::EnforcePolicy,
     ExecEnv::ExtraCover,
     ExecEnv::EnableTun,
     ExecEnv::EnableNetDev,
@@ -617,6 +619,7 @@ inline const char *EnumNameExecEnv(ExecEnv e) {
     case ExecEnv::SandboxSetuid: return "SandboxSetuid";
     case ExecEnv::SandboxNamespace: return "SandboxNamespace";
     case ExecEnv::SandboxAndroid: return "SandboxAndroid";
+    case ExecEnv::EnforcePolicy: return "EnforcePolicy";
     case ExecEnv::ExtraCover: return "ExtraCover";
     case ExecEnv::EnableTun: return "EnableTun";
     case ExecEnv::EnableNetDev: return "EnableNetDev";

pkg/flatrpc/flatrpc.h

@@ -208,20 +208,23 @@ func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags
 }
 
 type Config struct {
-	Debug          bool
-	Corpus         *corpus.Corpus
-	Logf           func(level int, msg string, args ...interface{})
-	Snapshot       bool
-	Coverage       bool
-	FaultInjection bool
-	Comparisons    bool
-	Collide        bool
-	EnabledCalls   map[*prog.Syscall]bool
-	NoMutateCalls  map[int]bool
-	FetchRawCover  bool
-	NewInputFilter func(call string) bool
-	PatchTest      bool
-	ModeKFuzzTest  bool
+	Debug            bool
+	Corpus           *corpus.Corpus
+	Logf             func(level int, msg string, args ...interface{})
+	Snapshot         bool
+	Coverage         bool
+	FaultInjection   bool
+	Comparisons      bool
+	Collide          bool
+	EnabledCalls     map[*prog.Syscall]bool
+	NoMutateCalls    map[int]bool
+	FetchRawCover    bool
+	Sandbox          string
+	SandboxArg       int64
+	AttachSecContext bool
+	NewInputFilter   func(call string) bool
+	PatchTest        bool
+	ModeKFuzzTest    bool
 }
 
 func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, triage *map[int]*triageCall) {
@@ -371,6 +374,17 @@ func (fuzzer *Fuzzer) AddCandidates(candidates []Candidate) {
 			Stat:      fuzzer.statExecCandidate,
 			Important: true,
 		}
+		req.Prog.SecContext = ""
+		if fuzzer.Config.AttachSecContext {
+			req.Prog.SecContext = "user_u:user_r:user_t:s0"
+			if fuzzer.Config.Sandbox == "android" {
+				if fuzzer.Config.SandboxArg == 0 {
+					req.Prog.SecContext = "u:r:untrusted_app:s0:c512,c768"
+				} else {
+					req.Prog.SecContext = ""
+				}
+			}
+		}
 		fuzzer.enqueue(fuzzer.candidateQueue, req, candidate.Flags|progCandidate, 0)
 	}
 }
@@ -472,6 +486,9 @@ func DefaultExecOpts(cfg *mgrconfig.Config, features flatrpc.Feature, debug bool
 	if cfg.Cover {
 		env |= flatrpc.ExecEnvSignal
 	}
+	if cfg.Experimental.EnforcePolicy {
+		env |= flatrpc.ExecEnvEnforcePolicy
+	}
 	sandbox, err := flatrpc.SandboxToFlags(cfg.Sandbox)
 	if err != nil {
 		panic(fmt.Sprintf("failed to parse sandbox: %v", err))

pkg/fuzzer/fuzzer.go

@@ -45,6 +45,17 @@ func genProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request {
 	p := fuzzer.target.Generate(rnd,
 		fuzzer.RecommendedCalls(),
 		fuzzer.ChoiceTable())
+	p.SecContext = ""
+	if fuzzer.Config.AttachSecContext {
+		p.SecContext = "user_u:user_r:user_t:s0"
+		if fuzzer.Config.Sandbox == "android" {
+			if fuzzer.Config.SandboxArg == 0 {
+				p.SecContext = "u:r:untrusted_app:s0:c512,c768"
+			} else {
+				p.SecContext = ""
+			}
+		}
+	}
 	return &queue.Request{
 		Prog:     p,
 		ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),

pkg/fuzzer/job.go

@@ -258,6 +258,12 @@ type Experimental struct {
 
 	// Enable dynamic discovery and fuzzing of KFuzzTest targets.
 	EnableKFuzzTest bool `json:"enable_kfuzztest"`
+
+	// Enables the policy enforcement for programs that request this before running syscalls.
+	EnforcePolicy bool `json:"enforce_policy"`
+
+	// Allows the fuzzer to attach a security label to each program.
+	AttachSecContexts bool `json:"attach_seccontexts"`
 }
 
 type FocusArea struct {

pkg/mgrconfig/config.go

@@ -329,6 +329,7 @@ func (runner *Runner) sendRequest(req *queue.Request) error {
 			avoid |= uint64(1 << id.Proc)
 		}
 	}
+
 	msg := &flatrpc.HostMessage{
 		Msg: &flatrpc.HostMessages{
 			Type: flatrpc.HostMessagesRawExecRequest,