libsepol/fuzz: more strict fuzzing of binary policies

Validate policy after optimizing. Run policy assertion check, ignoring any assertions. Abort on failures writing the parsed policy, as writing should not fail on validated policies. Set close-on-exec flag in case of any sibling thread. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
SELinuxProject · Jul 12, 2023 · 1d20735 · 1d20735
1 parent df666f7
commit 1d20735
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/libsepol/fuzz/binpolicy-fuzzer.c b/libsepol/fuzz/binpolicy-fuzzer.c
@@ -3,6 +3,8 @@
 #include <sepol/kernel_to_conf.h>
 #include <sepol/policydb/policydb.h>
 
+extern int policydb_validate(sepol_handle_t *handle, const policydb_t *p);
+
 extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
 
 static int write_binary_policy(policydb_t *p, FILE *outfp)
@@ -38,18 +40,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	if (policydb_load_isids(&policydb, &sidtab))
 		goto exit;
 
-	if (policydb.policy_type == POLICY_KERN)
+	if (policydb.policy_type == POLICY_KERN) {
 		(void) policydb_optimize(&policydb);
 
-	devnull = fopen("/dev/null", "w");
+		if (policydb_validate(NULL, &policydb) == -1)
+			abort();
+	}
+
+	(void) check_assertions(NULL, &policydb, policydb.global->branch_list->avrules);
+
+	devnull = fopen("/dev/null", "we");
 	if (!devnull)
 		goto exit;
 
-	(void) write_binary_policy(&policydb, devnull);
+	if (write_binary_policy(&policydb, devnull))
+		abort();
 
-	(void) sepol_kernel_policydb_to_conf(devnull, &policydb);
+	if (sepol_kernel_policydb_to_conf(devnull, &policydb))
+		abort();
 
-	(void) sepol_kernel_policydb_to_cil(devnull, &policydb);
+	if (sepol_kernel_policydb_to_cil(devnull, &policydb))
+		abort();
 
 exit:
 	if (devnull != NULL)