[WIP] fuzzer: attach security labels to programs

Signed-off-by: Rares Constantin <rarescon@google.com>

Author: winrares

executor/common.h

@@ -34,6 +34,7 @@ typedef signed int ssize_t;
 #else
 #include <endian.h> // for htobe*.
 #endif
+#include <fstream>
 #include <stdint.h>
 #include <stdio.h> // for fmt arguments
 #include <stdlib.h>
@@ -601,6 +602,15 @@ static void execute_one(void);
 #define WAIT_FLAGS 0
 #endif
 
+void enforce_policy(bool enforce)
+{
+	std::ofstream outFile("/sys/fs/selinux/enforce");
+	if (outFile.is_open()) {
+		outFile << (enforce ? "1" : "0");
+		outFile.close();
+	}
+}
+
 #if SYZ_EXECUTOR_USES_FORK_SERVER
 #include <signal.h>
 #include <sys/types.h>
@@ -636,6 +646,7 @@ static void loop(void)
 		if (!flag_snapshot)
 			receive_execute();
 #endif
+		enforce_policy(flag_enforce_policy);
 		int pid = fork();
 		if (pid < 0)
 			fail("clone failed");
@@ -737,6 +748,7 @@ static void loop(void)
 			errno = 0;
 			fail("child failed");
 		}
+		enforce_policy(false);
 		reply_execute(0);
 #endif
 #if SYZ_EXECUTOR || SYZ_USE_TMP_DIR

executor/common_linux.h

@@ -4455,7 +4455,7 @@ static void getcon(char* context, size_t context_size)
 // - Uses fail() instead of returning an error code
 static void setcon(const char* context)
 {
-	char new_context[512];
+	char new_context[512] = {0};
 
 	// Attempt to write the new context
 	int fd = open(SELINUX_CONTEXT_FILE, O_WRONLY);
@@ -4470,7 +4470,7 @@ static void setcon(const char* context)
 	close(fd);
 
 	if (bytes_written != (ssize_t)strlen(context))
-		failmsg("setcon: could not write entire context", "wrote=%zi, expected=%zu", bytes_written, strlen(context));
+		failmsg("setcon: could not write entire context", "context: %s, wrote=%zi, expected=%zu", context, bytes_written, strlen(context));
 
 	// Validate the transition by checking the context
 	getcon(new_context, sizeof(new_context));

executor/executor.cc

@@ -273,6 +273,7 @@ static bool flag_nic_vf;
 static bool flag_vhci_injection;
 static bool flag_wifi;
 static bool flag_delay_kcov_mmap;
+static bool flag_enforce_policy;
 
 static bool flag_collect_cover;
 static bool flag_collect_signal;
@@ -306,6 +307,7 @@ const uint64 instr_eof = -1;
 const uint64 instr_copyin = -2;
 const uint64 instr_copyout = -3;
 const uint64 instr_setprops = -4;
+const uint64 instr_seclabel = -5;
 
 const uint64 arg_const = 0;
 const uint64 arg_addr32 = 1;
@@ -847,6 +849,7 @@ void parse_handshake(const handshake_req& req)
 	flag_wifi = (bool)(req.flags & rpc::ExecEnv::EnableWifi);
 	flag_delay_kcov_mmap = (bool)(req.flags & rpc::ExecEnv::DelayKcovMmap);
 	flag_nic_vf = (bool)(req.flags & rpc::ExecEnv::EnableNicVF);
+	flag_enforce_policy = (bool)(req.flags & rpc::ExecEnv::EnforcePolicy);
 }
 
 void receive_execute()
@@ -970,10 +973,25 @@ void execute_one()
 	memset(&call_props, 0, sizeof(call_props));
 
 	read_input(&input_pos); // total number of calls
-	for (;;) {
+	for (int index = 0;; index++) {
 		uint64 call_num = read_input(&input_pos);
 		if (call_num == instr_eof)
 			break;
+#if GOOS_linux
+		if (call_num == instr_seclabel) {
+			if (index) {
+				fail("seclabel instruction is not the first call\n");
+			}
+			uint64 size = read_input(&input_pos);
+			char seclabel[64]{};
+			memcpy(seclabel, input_pos, size);
+			setcon(seclabel);
+			input_pos += size;
+
+			debug("applied security label: %s\n", seclabel);
+			continue;
+		}
+#endif
 		if (call_num == instr_copyin) {
 			char* addr = (char*)(read_input(&input_pos) + SYZ_DATA_OFFSET);
 			uint64 typ = read_input(&input_pos);

pkg/flatrpc/flatrpc.fbs

@@ -142,6 +142,7 @@ enum ExecEnv : uint64 (bit_flags) {
 	SandboxSetuid,		// impersonate nobody user
 	SandboxNamespace,	// use namespaces for sandboxing
 	SandboxAndroid,		// use Android sandboxing for the untrusted_app domain
+	EnforcePolicy,		// enforce the loaded SELinux policy	
 	ExtraCover,		// collect extra coverage
 	EnableTun,		// setup and use /dev/tun for packet injection
 	EnableNetDev,		// setup more network devices for testing

pkg/flatrpc/flatrpc.go

@@ -566,23 +566,24 @@ enum class ExecEnv : uint64_t {
   SandboxSetuid = 32ULL,
   SandboxNamespace = 64ULL,
   SandboxAndroid = 128ULL,
-  ExtraCover = 256ULL,
-  EnableTun = 512ULL,
-  EnableNetDev = 1024ULL,
-  EnableNetReset = 2048ULL,
-  EnableCgroups = 4096ULL,
-  EnableCloseFds = 8192ULL,
-  EnableDevlinkPCI = 16384ULL,
-  EnableVhciInjection = 32768ULL,
-  EnableWifi = 65536ULL,
-  DelayKcovMmap = 131072ULL,
-  EnableNicVF = 262144ULL,
+  EnforcePolicy = 256ULL,
+  ExtraCover = 512ULL,
+  EnableTun = 1024ULL,
+  EnableNetDev = 2048ULL,
+  EnableNetReset = 4096ULL,
+  EnableCgroups = 8192ULL,
+  EnableCloseFds = 16384ULL,
+  EnableDevlinkPCI = 32768ULL,
+  EnableVhciInjection = 65536ULL,
+  EnableWifi = 131072ULL,
+  DelayKcovMmap = 262144ULL,
+  EnableNicVF = 524288ULL,
   NONE = 0,
-  ANY = 524287ULL
+  ANY = 1048575ULL
 };
 FLATBUFFERS_DEFINE_BITMASK_OPERATORS(ExecEnv, uint64_t)
 
-inline const ExecEnv (&EnumValuesExecEnv())[19] {
+inline const ExecEnv (&EnumValuesExecEnv())[20] {
   static const ExecEnv values[] = {
     ExecEnv::Debug,
     ExecEnv::Signal,
@@ -592,6 +593,7 @@ inline const ExecEnv (&EnumValuesExecEnv())[19] {
     ExecEnv::SandboxSetuid,
     ExecEnv::SandboxNamespace,
     ExecEnv::SandboxAndroid,
+    ExecEnv::EnforcePolicy,
     ExecEnv::ExtraCover,
     ExecEnv::EnableTun,
     ExecEnv::EnableNetDev,
@@ -617,6 +619,7 @@ inline const char *EnumNameExecEnv(ExecEnv e) {
     case ExecEnv::SandboxSetuid: return "SandboxSetuid";
     case ExecEnv::SandboxNamespace: return "SandboxNamespace";
     case ExecEnv::SandboxAndroid: return "SandboxAndroid";
+    case ExecEnv::EnforcePolicy: return "EnforcePolicy";
     case ExecEnv::ExtraCover: return "ExtraCover";
     case ExecEnv::EnableTun: return "EnableTun";
     case ExecEnv::EnableNetDev: return "EnableNetDev";

pkg/flatrpc/flatrpc.h

@@ -208,20 +208,22 @@ func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags
 }
 
 type Config struct {
-	Debug          bool
-	Corpus         *corpus.Corpus
-	Logf           func(level int, msg string, args ...interface{})
-	Snapshot       bool
-	Coverage       bool
-	FaultInjection bool
-	Comparisons    bool
-	Collide        bool
-	EnabledCalls   map[*prog.Syscall]bool
-	NoMutateCalls  map[int]bool
-	FetchRawCover  bool
-	NewInputFilter func(call string) bool
-	PatchTest      bool
-	ModeKFuzzTest  bool
+	Debug           bool
+	Corpus          *corpus.Corpus
+	Logf            func(level int, msg string, args ...interface{})
+	Snapshot        bool
+	Coverage        bool
+	FaultInjection  bool
+	Comparisons     bool
+	Collide         bool
+	EnabledCalls    map[*prog.Syscall]bool
+	NoMutateCalls   map[int]bool
+	FetchRawCover   bool
+	Sandbox         string
+	AttachSecLabels bool
+	NewInputFilter  func(call string) bool
+	PatchTest       bool
+	ModeKFuzzTest   bool
 }
 
 func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, triage *map[int]*triageCall) {
@@ -371,6 +373,13 @@ func (fuzzer *Fuzzer) AddCandidates(candidates []Candidate) {
 			Stat:      fuzzer.statExecCandidate,
 			Important: true,
 		}
+		req.Prog.SecLabel = ""
+		if fuzzer.Config.AttachSecLabels {
+			req.Prog.SecLabel = "user_u:user_r:user_t:s0"
+			if fuzzer.Config.Sandbox == "android" {
+				req.Prog.SecLabel = "u:r:untrusted_app:s0:c512,c768"
+			}
+		}
 		fuzzer.enqueue(fuzzer.candidateQueue, req, candidate.Flags|progCandidate, 0)
 	}
 }
@@ -472,6 +481,9 @@ func DefaultExecOpts(cfg *mgrconfig.Config, features flatrpc.Feature, debug bool
 	if cfg.Cover {
 		env |= flatrpc.ExecEnvSignal
 	}
+	if cfg.Experimental.EnforcePolicy {
+		env |= flatrpc.ExecEnvEnforcePolicy
+	}
 	sandbox, err := flatrpc.SandboxToFlags(cfg.Sandbox)
 	if err != nil {
 		panic(fmt.Sprintf("failed to parse sandbox: %v", err))

pkg/fuzzer/fuzzer.go

@@ -45,6 +45,13 @@ func genProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request {
 	p := fuzzer.target.Generate(rnd,
 		fuzzer.RecommendedCalls(),
 		fuzzer.ChoiceTable())
+	p.SecLabel = ""
+	if fuzzer.Config.AttachSecLabels {
+		p.SecLabel = "user_u:user_r:user_t:s0"
+		if fuzzer.Config.Sandbox == "android" {
+			p.SecLabel = "u:r:untrusted_app:s0:c512,c768"
+		}
+	}
 	return &queue.Request{
 		Prog:     p,
 		ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),

pkg/fuzzer/job.go

@@ -258,6 +258,12 @@ type Experimental struct {
 
 	// Enable dynamic discovery and fuzzing of KFuzzTest targets.
 	EnableKFuzzTest bool `json:"enable_kfuzztest"`
+
+	// Enables the policy enforcement for programs that request this before running syscalls.
+	EnforcePolicy bool `json:"enforce_policy"`
+
+	// Allows the fuzzer to attach a security label to each program.
+	AttachSecLabels bool `json:"attach_seclabels"`
 }
 
 type FocusArea struct {

pkg/mgrconfig/config.go

@@ -329,6 +329,7 @@ func (runner *Runner) sendRequest(req *queue.Request) error {
 			avoid |= uint64(1 << id.Proc)
 		}
 	}
+
 	msg := &flatrpc.HostMessage{
 		Msg: &flatrpc.HostMessages{
 			Type: flatrpc.HostMessagesRawExecRequest,