@winrares winrares commented Sep 23, 2025

Objective: fuzzing syscalls under specific security contexts that are more focused. For example, if the program contains socket syscalls, we can try to attach a context that is focused on socket manipulation or we can attach a security context that we know will not allow the syscalls to be executed.

Adjacent to this feature, we can implement a security context generator that can scan the syscalls in a program and then decide which security context is appropriate for that program.

This would also allow us to add another functionality for SELinux policy enforcement testing: audit log collection for the programs. This would be used with syz-verifier once it's refactored and merged.

@a-nogikh (Collaborator)

Hi @winrares!
Please add some more context to the PR (and the commit description): what's the problem it solves, is it the first and final PR or are there more to come, etc.

@winrares (Author)

Hi @a-nogikh,

I updated the description of the PR and the commit descriptions. I am also working on a third commit that will add the audit log collection.

I did not test this with Android yet, but will do it ASAP. Tested it with the image created by create_image.sh. For now, the default Debian security policy does not allow dynamic transitions to user_u:user_r:user_t:s0 context from the system context, that is why the policy must be permissive for testing.

Added one experimental field that allows the user to add a list of
security contexts that can be used during fuzzing. The security context
is attached to the program as the first "syscall" and it will be set
using `setcon`. The objective is to allow syzkaller to fuzz syscalls
under specific security contexts that match the SELinux policy that
is loaded on target.

Signed-off-by: Rares Constantin <[email protected]>

Added the security context generator in the fuzzer package which will
contain the implementation for loading a binary security policy, parse
it and then generate an appropriate security context based on the
syscalls that are fuzzed in a program.

For now, it will use the first security context provided in the
`seccontexts` list if any is available.

Signed-off-by: Rares Constantin <[email protected]>

Implemented the audit log extraction per program. This is available for
VMs that run only one proc and add `audit` in the experimental config.
The messages are appended to the output of the program and are printed
during result processing.
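As an added illustration of the two ideas in this PR (attaching a security context as the program's first pseudo-syscall, and picking a context from the syscalls a program contains), here is a small Go sketch that is not part of syzkaller or of this PR. The policy table and its per-domain syscall sets are constructed stand-ins for a parsed binary policy, the `setcon(...)` pseudo-syscall entry name is an assumption, and `SetCon` takes the attribute path as a parameter so the write can be exercised against an ordinary file on a host without SELinux; libselinux's setcon(3) performs the same write to /proc/self/attr/current.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// SecContext pairs an SELinux context label with the syscalls the loaded
// policy is assumed to allow for that domain. The allow sets are constructed
// for this example; a real generator would derive them from the parsed policy.
type SecContext struct {
	Label   string
	Allowed map[string]bool
}

func syscallSet(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

// policyTable is a constructed stand-in for a parsed binary policy.
var policyTable = []SecContext{
	{Label: "user_u:user_r:user_t:s0", Allowed: syscallSet("read", "write", "openat", "close")},
	{Label: "system_u:system_r:net_t:s0", Allowed: syscallSet("read", "write", "close", "socket", "bind", "connect", "sendto")},
}

// deniedCount returns how many of the program's syscalls the context does not allow.
func deniedCount(prog []string, c SecContext) int {
	n := 0
	for _, sc := range prog {
		if !c.Allowed[sc] {
			n++
		}
	}
	return n
}

// FocusedContext returns the first context that allows every syscall in prog,
// i.e. a context under which the program can exercise its whole syscall surface.
func FocusedContext(prog []string, table []SecContext) (string, bool) {
	for _, c := range table {
		if deniedCount(prog, c) == 0 {
			return c.Label, true
		}
	}
	return "", false
}

// DenyingContext returns the context that blocks the most syscalls in prog,
// useful for checking that the loaded policy really refuses them.
func DenyingContext(prog []string, table []SecContext) (string, int) {
	best, bestDenied := "", -1
	for _, c := range table {
		if d := deniedCount(prog, c); d > bestDenied {
			best, bestDenied = c.Label, d
		}
	}
	return best, bestDenied
}

// AttachContext prepends the context switch as the program's first
// pseudo-syscall. The "setcon(...)" entry name is an assumption of this example.
func AttachContext(prog []string, label string) []string {
	return append([]string{"setcon(" + label + ")"}, prog...)
}

// SetCon writes label to attrPath, mirroring what setcon(3) does with
// /proc/self/attr/current. Empty labels and embedded NULs are rejected.
func SetCon(attrPath, label string) error {
	if label == "" || strings.ContainsRune(label, 0) {
		return errors.New("invalid security context label")
	}
	return os.WriteFile(attrPath, []byte(label), 0o600)
}

// ReadCon reads the label back, trimming a trailing NUL or newline that the
// kernel attribute file may carry.
func ReadCon(attrPath string) (string, error) {
	b, err := os.ReadFile(attrPath)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(b), "\x00\n"), nil
}

func main() {
	prog := []string{"socket", "bind", "sendto", "close"} // constructed sample program
	if label, ok := FocusedContext(prog, policyTable); ok {
		fmt.Println("focused:", AttachContext(prog, label))
	}
	label, denied := DenyingContext(prog, policyTable)
	fmt.Printf("denying: %s blocks %d/%d syscalls\n", label, denied, len(prog))
}
```

The two selectors correspond to the two uses named in the PR description: a covering context to fuzz the program's syscalls in focus, and a denying one to confirm the policy refuses them (which is where per-program audit log collection becomes useful).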