From 21bd55b760f1a39998c1ea5091b4900dea468b9b Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Mon, 9 Nov 2020 15:10:50 -0800
Subject: [PATCH] Add more fuzzers
Test: Run fuzzers
Change-Id: Ia4e459821d9f5d20a238cb27f5a2589897b96e24
---
 libselinux/fuzzers/Android.bp | 28 ++++++++++++++++
 libselinux/fuzzers/lsetfilecon_fuzzer.cpp | 33 +++++++++++++++++++
 libselinux/fuzzers/lsetfilecon_fuzzer.dict | 15 +++++++++
 .../fuzzers/selinux_android_setcon_fuzzer.cpp | 32 ++++++++++++++++++
 .../selinux_android_setcon_fuzzer.dict | 5 +++
 libselinux/fuzzers/setfilecon_fuzzer.cpp | 33 +++++++++++++++++++
 libselinux/fuzzers/setfilecon_fuzzer.dict | 15 +++++++++
 .../string_to_security_class_fuzzer.cpp | 32 ++++++++++++++++++
 .../string_to_security_class_fuzzer.dict | 7 ++++
 9 files changed, 200 insertions(+)
 create mode 100644 libselinux/fuzzers/lsetfilecon_fuzzer.cpp
 create mode 100644 libselinux/fuzzers/lsetfilecon_fuzzer.dict
 create mode 100644 libselinux/fuzzers/selinux_android_setcon_fuzzer.cpp
 create mode 100644 libselinux/fuzzers/selinux_android_setcon_fuzzer.dict
 create mode 100644 libselinux/fuzzers/setfilecon_fuzzer.cpp
 create mode 100644 libselinux/fuzzers/setfilecon_fuzzer.dict
 create mode 100644 libselinux/fuzzers/string_to_security_class_fuzzer.cpp
 create mode 100644 libselinux/fuzzers/string_to_security_class_fuzzer.dict
diff --git a/libselinux/fuzzers/Android.bp b/libselinux/fuzzers/Android.bp
index 8b4e9608..1fd86e1d 100644
--- a/libselinux/fuzzers/Android.bp
+++ b/libselinux/fuzzers/Android.bp
@@ -58,3 +58,31 @@ cc_fuzz {
 srcs: ["selinux_android_restorecon_fuzzer.cpp"],
 dictionary: "selinux_android_restorecon_fuzzer.dict",
 }
+
+cc_fuzz {
+ name: "libselinux_selinux_android_setcon_fuzzer",
+ defaults: ["libselinux_fuzzer_defaults"],
+ srcs: ["selinux_android_setcon_fuzzer.cpp"],
+ dictionary: "selinux_android_setcon_fuzzer.dict",
+}
+
+cc_fuzz {
+ name: "libselinux_setfilecon_fuzzer",
+ defaults: ["libselinux_fuzzer_defaults"],
+ srcs: ["setfilecon_fuzzer.cpp"],
+ dictionary: "setfilecon_fuzzer.dict",
+}
+
+cc_fuzz {
+ name: "libselinux_lsetfilecon_fuzzer",
+ defaults: ["libselinux_fuzzer_defaults"],
+ srcs: ["lsetfilecon_fuzzer.cpp"],
+ dictionary: "lsetfilecon_fuzzer.dict",
+}
+
+cc_fuzz {
+ name: "libselinux_string_to_security_class_fuzzer",
+ defaults: ["libselinux_fuzzer_defaults"],
+ srcs: ["string_to_security_class_fuzzer.cpp"],
+ dictionary: "string_to_security_class_fuzzer.dict",
+}
diff --git a/libselinux/fuzzers/lsetfilecon_fuzzer.cpp b/libselinux/fuzzers/lsetfilecon_fuzzer.cpp
new file mode 100644
index 00000000..b5303e58
--- /dev/null
+++ b/libselinux/fuzzers/lsetfilecon_fuzzer.cpp
@@ -0,0 +1,33 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ */
+
+#include
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fdp(data, size);
+
+ std::string path = fdp.ConsumeRandomLengthString();
+ std::string con = fdp.ConsumeRemainingBytesAsString();
+
+ lsetfilecon(path.c_str(), con.c_str());
+
+ return 0;
+}
diff --git a/libselinux/fuzzers/lsetfilecon_fuzzer.dict b/libselinux/fuzzers/lsetfilecon_fuzzer.dict
new file mode 100644
index 00000000..778b557b
--- /dev/null
+++ b/libselinux/fuzzers/lsetfilecon_fuzzer.dict
@@ -0,0 +1,15 @@
+# A few paths from frameworks/native.
+
+path="/data/app/com.example/dir/dir/file"
+path="/data/user/0/com.example/secondary.dex"
+path="/dev/socket/pdx"
+path="/proc/net/xt_qtaguid/iface_stat_all"
+path="/sys/devices/system/cpu/cpufreq"
+path="/vendor/bin/hw/android.hardware.media.omx@1.0-service"
+
+# Random contexts from AOSP.
+
+con="u:r:system_server:s0"
+con="u:r:adbd:s0"
+con="u:r:shell:s0"
+con="u:r:adbd:s0"
diff --git a/libselinux/fuzzers/selinux_android_setcon_fuzzer.cpp b/libselinux/fuzzers/selinux_android_setcon_fuzzer.cpp
new file mode 100644
index 00000000..28d637f0
--- /dev/null
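Review bot: `lsetfilecon(path.c_str(), con.c_str())` is called on a path taken straight from fuzz input, and the dictionary seeds real locations such as `/dev/socket/pdx`, so when the fuzzer runs with enough privilege to write the SELinux label it can relabel files on the machine under test and carry that state into later iterations. Consider fuzzing only `con` against a scratch file the harness creates, or at least state the constraint above the call, e.g. `// Side effect: may relabel existing files; run unprivileged or on a disposable device.` The same applies to `setfilecon(...)` in setfilecon_fuzzer.cpp. Both strings are also cut at the first embedded NUL by `c_str()`, which is worth a one-line comment so nobody reads the full buffer length as the tested input.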
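Review bot: The `con=` entries in lsetfilecon_fuzzer.dict are all process domains (`u:r:...`) although this dictionary feeds a file-labelling call, and `con="u:r:adbd:s0"` appears twice. File labels in AOSP policy normally use the `object_r` role, so an entry of that shape (for example `con="u:object_r:system_file:s0"`) would probably be a more useful seed than the duplicate. setfilecon_fuzzer.dict is the same blob (778b557b) and selinux_android_setcon_fuzzer.dict repeats the `"u:r:adbd:s0"` line as well; pointing both setfilecon targets at one shared dictionary would avoid keeping two copies in sync.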
+++ b/libselinux/fuzzers/selinux_android_setcon_fuzzer.cpp
@@ -0,0 +1,32 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ */
+
+#include
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fdp(data, size);
+
+ std::string con = fdp.ConsumeRemainingBytesAsString();
+
+ selinux_android_setcon(con.c_str());
+
+ return 0;
+}
diff --git a/libselinux/fuzzers/selinux_android_setcon_fuzzer.dict b/libselinux/fuzzers/selinux_android_setcon_fuzzer.dict
new file mode 100644
index 00000000..1e286d67
--- /dev/null
+++ b/libselinux/fuzzers/selinux_android_setcon_fuzzer.dict
@@ -0,0 +1,5 @@
+# Random contexts from AOSP.
+"u:r:system_server:s0"
+"u:r:adbd:s0"
+"u:r:shell:s0"
+"u:r:adbd:s0"
diff --git a/libselinux/fuzzers/setfilecon_fuzzer.cpp b/libselinux/fuzzers/setfilecon_fuzzer.cpp
new file mode 100644
index 00000000..790bcf66
--- /dev/null
+++ b/libselinux/fuzzers/setfilecon_fuzzer.cpp
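Review bot: `selinux_android_setcon(con.c_str())` in selinux_android_setcon_fuzzer.cpp carries no comment saying that a successful call changes process-wide state. Judging by its name it switches the security context of the fuzzer process itself, so one accepted input (the dictionary offers `"u:r:shell:s0"` among others) would affect every later iteration and make a crash hard to reproduce from a single test case. I would add above the call something like `// NOTE: on success this changes the fuzzer's own context for the rest of the run.` and confirm the target only runs where that transition is denied or harmless. As a style point, `FuzzedDataProvider` is more than a single-string harness needs; `std::string con(reinterpret_cast<const char *>(data), size);` yields the same input.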
@@ -0,0 +1,33 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ */
+
+#include
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fdp(data, size);
+
+ std::string path = fdp.ConsumeRandomLengthString();
+ std::string con = fdp.ConsumeRemainingBytesAsString();
+
+ setfilecon(path.c_str(), con.c_str());
+
+ return 0;
+}
diff --git a/libselinux/fuzzers/setfilecon_fuzzer.dict b/libselinux/fuzzers/setfilecon_fuzzer.dict
new file mode 100644
index 00000000..778b557b
--- /dev/null
+++ b/libselinux/fuzzers/setfilecon_fuzzer.dict
@@ -0,0 +1,15 @@
+# A few paths from frameworks/native.
+
+path="/data/app/com.example/dir/dir/file"
+path="/data/user/0/com.example/secondary.dex"
+path="/dev/socket/pdx"
+path="/proc/net/xt_qtaguid/iface_stat_all"
+path="/sys/devices/system/cpu/cpufreq"
+path="/vendor/bin/hw/android.hardware.media.omx@1.0-service"
+
+# Random contexts from AOSP.
+
+con="u:r:system_server:s0"
+con="u:r:adbd:s0"
+con="u:r:shell:s0"
+con="u:r:adbd:s0"
diff --git a/libselinux/fuzzers/string_to_security_class_fuzzer.cpp b/libselinux/fuzzers/string_to_security_class_fuzzer.cpp
new file mode 100644
index 00000000..d264bf86
--- /dev/null
+++ b/libselinux/fuzzers/string_to_security_class_fuzzer.cpp
@@ -0,0 +1,32 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ */
+
+#include
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fdp(data, size);
+
+ std::string name = fdp.ConsumeRemainingBytesAsString();
+
+ string_to_security_class(name.c_str());
+
+ return 0;
+}
diff --git a/libselinux/fuzzers/string_to_security_class_fuzzer.dict b/libselinux/fuzzers/string_to_security_class_fuzzer.dict
new file mode 100644
index 00000000..86aeb763
--- /dev/null
+++ b/libselinux/fuzzers/string_to_security_class_fuzzer.dict
@@ -0,0 +1,7 @@
+"file"
+"dir"
+"chr_file"
+"blk_file"
+"fifo_file"
+"lnk_file"
+"sock_file"
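Review bot: Nothing in string_to_security_class_fuzzer.cpp documents what environment `string_to_security_class(name.c_str())` needs. As far as I know the lookup resolves class names against the running kernel's policy, so on a host without SELinux every input may take the same early failure path and the coverage figures would say little. Once confirmed, a comment such as `// Needs a device with SELinux enabled; host runs only exercise the error path.` above the call would help whoever triages this target. The input is also truncated at the first NUL by `c_str()`, as in the other three harnesses.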