platform_external_selinux/scripts/oss-fuzz.sh

#!/bin/bash

# The script is used to build the fuzz targets run on ClusterFuzz. It has to be
# compatible with the "build.sh" script described at
# https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh
# More precisely, it should use environment variables like OUT, LIB_FUZZING_ENGINE
# and so on (https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh-script-environment),
# and the fuzz targets have to be linked with $CXX even though the project is written
# in C: https://google.github.io/oss-fuzz/getting-started/new-project-guide/#Requirements

# To make it easier to build the fuzz targets locally, the script can also work in "local"
# mode. To run secilc-fuzzer against a test case (named, say, CRASH) triggering an issue
# the following commands should be run
#
# $ ./scripts/oss-fuzz.sh
# $ ./out/secilc-fuzzer CRASH

# To run the fuzzer against the corpus OSS-Fuzz has accumulated so far it should be
# downloaded, unpacked and passed to the fuzzer:
#
# $ wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip
# $ unzip -d CORPUS public.zip
# $ ./out/secilc-fuzzer CORPUS/

set -eux

cd "$(dirname -- "$0")/.."

export DESTDIR=${DESTDIR:-$(pwd)/DESTDIR}

SANITIZER=${SANITIZER:-address}
flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"

export CC=${CC:-clang}
export CFLAGS="${CFLAGS:-$flags} -I$DESTDIR/usr/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"

export CXX=${CXX:-clang++}
export CXXFLAGS=${CXXFLAGS:-$flags}

export OUT=${OUT:-$(pwd)/out}
mkdir -p "$OUT"

export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}

rm -rf "$DESTDIR"
make -C libsepol clean
# LIBSO and LIBMAP shouldn't be expanded here because their values are unknown until Makefile
# has been read by make
# shellcheck disable=SC2016
make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" install

## secilc fuzzer ##

# CFLAGS, CXXFLAGS and LIB_FUZZING_ENGINE have to be split to be accepted by
# the compiler/linker so they shouldn't be quoted
# shellcheck disable=SC2086
$CC $CFLAGS -c -o secilc-fuzzer.o libsepol/fuzz/secilc-fuzzer.c
# shellcheck disable=SC2086
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE secilc-fuzzer.o "$DESTDIR/usr/lib/libsepol.a" -o "$OUT/secilc-fuzzer"

zip -r "$OUT/secilc-fuzzer_seed_corpus.zip" secilc/test

## binary policy fuzzer ##

# CFLAGS, CXXFLAGS and LIB_FUZZING_ENGINE have to be split to be accepted by
# the compiler/linker so they shouldn't be quoted
# shellcheck disable=SC2086
$CC $CFLAGS -c -o binpolicy-fuzzer.o libsepol/fuzz/binpolicy-fuzzer.c
# shellcheck disable=SC2086
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE binpolicy-fuzzer.o "$DESTDIR/usr/lib/libsepol.a" -o "$OUT/binpolicy-fuzzer"

zip -j "$OUT/binpolicy-fuzzer_seed_corpus.zip" libsepol/fuzz/policy.bin
libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 08:11:35 +02:00			`#!/bin/bash`

			`# The script is used to build the fuzz targets run on ClusterFuzz. It has to be`
			`# compatible with the "build.sh" script described at`
			`# https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh`
			`# More precisely, it should use environment variables like OUT, LIB_FUZZING_ENGINE`
			`# and so on (https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh-script-environment),`
			`# and the fuzz targets have to be linked with $CXX even though the project is written`
			`# in C: https://google.github.io/oss-fuzz/getting-started/new-project-guide/#Requirements`

			`# To make it easier to build the fuzz targets locally, the script can also work in "local"`
			`# mode. To run secilc-fuzzer against a test case (named, say, CRASH) triggering an issue`
			`# the following commands should be run`
			`#`
			`# $ ./scripts/oss-fuzz.sh`
			`# $ ./out/secilc-fuzzer CRASH`

			`# To run the fuzzer against the corpus OSS-Fuzz has accumulated so far it should be`
			`# downloaded, unpacked and passed to the fuzzer:`
			`#`
			`# $ wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip`
			`# $ unzip -d CORPUS public.zip`
			`# $ ./out/secilc-fuzzer CORPUS/`

			`set -eux`

			`cd "$(dirname -- "$0")/.."`

			`export DESTDIR=${DESTDIR:-$(pwd)/DESTDIR}`

			`SANITIZER=${SANITIZER:-address}`
			`flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"`

			`export CC=${CC:-clang}`
libsepol: add libfuzz based fuzzer for reading binary policies Introduce a libfuzz[1] based fuzzer testing the parsing of a binary policy. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 17:48:56 +01:00			`export CFLAGS="${CFLAGS:-$flags} -I$DESTDIR/usr/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"`
libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 08:11:35 +02:00
			`export CXX=${CXX:-clang++}`
			`export CXXFLAGS=${CXXFLAGS:-$flags}`

			`export OUT=${OUT:-$(pwd)/out}`
			`mkdir -p "$OUT"`

			`export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}`

			`rm -rf "$DESTDIR"`
			`make -C libsepol clean`
			`# LIBSO and LIBMAP shouldn't be expanded here because their values are unknown until Makefile`
			`# has been read by make`
			`# shellcheck disable=SC2016`
			`make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" install`

libsepol: add libfuzz based fuzzer for reading binary policies Introduce a libfuzz[1] based fuzzer testing the parsing of a binary policy. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 17:48:56 +01:00			`## secilc fuzzer ##`

libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 08:11:35 +02:00			`# CFLAGS, CXXFLAGS and LIB_FUZZING_ENGINE have to be split to be accepted by`
			`# the compiler/linker so they shouldn't be quoted`
			`# shellcheck disable=SC2086`
libsepol: add libfuzz based fuzzer for reading binary policies Introduce a libfuzz[1] based fuzzer testing the parsing of a binary policy. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 17:48:56 +01:00			`$CC $CFLAGS -c -o secilc-fuzzer.o libsepol/fuzz/secilc-fuzzer.c`
libsepol/cil: move the fuzz target and build script to the selinux repository It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands: ``` ./scripts/oss-fuzz.sh wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip unzip -d CORPUS public.zip ./out/secilc-fuzzer CORPUS/ ``` It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143 [v2] [1] oss-fuzz: make shellcheck happy [2] oss-fuzz: build libsepol only The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like ``` clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile /usr/bin/ld: sefcontext_compile.o: in function `usage': /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8' /usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return' /usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor': ``` [3] oss-fuzz: make it possible to run the script more than once by removing various build artifacts [4] oss-fuzz: make it possible to run the script from any directory [5] oss-fuzz: be a little bit more specific about what the script does [6] oss-fuzz: stop overwriting all the Makefiles Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2021-07-15 08:11:35 +02:00			`# shellcheck disable=SC2086`
			`$CXX $CXXFLAGS $LIB_FUZZING_ENGINE secilc-fuzzer.o "$DESTDIR/usr/lib/libsepol.a" -o "$OUT/secilc-fuzzer"`

			`zip -r "$OUT/secilc-fuzzer_seed_corpus.zip" secilc/test`
libsepol: add libfuzz based fuzzer for reading binary policies Introduce a libfuzz[1] based fuzzer testing the parsing of a binary policy. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 17:48:56 +01:00
			`## binary policy fuzzer ##`

			`# CFLAGS, CXXFLAGS and LIB_FUZZING_ENGINE have to be split to be accepted by`
			`# the compiler/linker so they shouldn't be quoted`
			`# shellcheck disable=SC2086`
			`$CC $CFLAGS -c -o binpolicy-fuzzer.o libsepol/fuzz/binpolicy-fuzzer.c`
			`# shellcheck disable=SC2086`
			`$CXX $CXXFLAGS $LIB_FUZZING_ENGINE binpolicy-fuzzer.o "$DESTDIR/usr/lib/libsepol.a" -o "$OUT/binpolicy-fuzzer"`

			`zip -j "$OUT/binpolicy-fuzzer_seed_corpus.zip" libsepol/fuzz/policy.bin`