Add checkpolicy-fuzzer

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

checkpolicy/.gitignore

@@ -3,3 +3,7 @@ checkpolicy
 lex.yy.c
 y.tab.c
 y.tab.h
+checkmodule-fuzzer
+checkpolicy-fuzzer
+corpus_dir/
+fuzz-*.log

checkpolicy/Makefile

@@ -50,6 +50,18 @@ y.tab.c: policy_parse.y
 lex.yy.c: policy_scan.l y.tab.c
 	$(LEX) policy_scan.l
 
+checkpolicy-fuzzer: checkpolicy-fuzzer.o $(CHECKOBJS) $(LIBSEPOLA)
+	$(CC) -fsanitize=fuzzer $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+
+checkpolicy-fuzzer.o: checkpolicy-fuzzer.c
+	$(CC) -fsanitize=fuzzer $(CFLAGS) -o $@ -c $<
+
+checkmodule-fuzzer: checkmodule-fuzzer.o $(CHECKOBJS) $(LIBSEPOLA)
+	$(CC) -fsanitize=fuzzer $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+
+checkmodule-fuzzer.o: checkmodule-fuzzer.c
+	$(CC) -fsanitize=fuzzer $(CFLAGS) -o $@ -c $<
+
 install: all
 	-mkdir -p $(DESTDIR)$(BINDIR)
 	-mkdir -p $(DESTDIR)$(MANDIR)/man8

checkpolicy/checkmodule-fuzzer.c

@@ -0,0 +1,153 @@
+#define _GNU_SOURCE
+
+#include <unistd.h>
+#include <sys/mman.h>
+
+#include <sepol/debug.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/link.h>
+
+#include "queue.h"
+
+extern void yyerror(const char *msg);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+extern int mlspol;
+extern int werror;
+extern policydb_t *policydbp;
+extern queue_t id_queue;
+extern unsigned int policydb_errors;
+
+unsigned int policy_type = POLICY_BASE;
+unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
+
+extern FILE *yyin;
+extern void init_parser(int);
+extern int yyparse(void);
+extern void yyrestart(FILE *);
+extern void set_source_file(const char *name);
+
+void yyerror(const char *msg __attribute__((unused)))
+{
+	policydb_errors++;
+}
+
+static int read_source_policy(policydb_t * p, const uint8_t *data, size_t size)
+{
+	int fd;
+	ssize_t wr;
+
+	fd = memfd_create("fuzz-input", MFD_CLOEXEC);
+	if (fd < 0)
+		return -1;
+
+	wr = write(fd, data, size);
+	if (wr < 0 || (size_t)wr != size)
+		return -1;
+
+
+	yyin = fdopen(fd, "r");
+	if (!yyin)
+		return -1;
+
+	set_source_file("fuzz-input");
+
+	if ((id_queue = queue_create()) == NULL)
+		goto exit;
+
+	policydbp = p;
+	mlspol = p->mls;
+
+	init_parser(1);
+
+	if (yyparse() || policydb_errors)
+		goto exit;
+
+	rewind(yyin);
+	init_parser(2);
+	set_source_file("fuzz-input");
+	yyrestart(yyin);
+
+	if (yyparse() || policydb_errors)
+		goto exit;
+
+exit:
+	queue_destroy(id_queue);
+	fclose(yyin);
+
+	return 0;
+}
+
+/*static int write_binary_policy(policydb_t * p, FILE *outfp)
+{
+	struct policy_file pf;
+
+	p->policy_type = policy_type;
+	p->policyvers = policyvers;
+	p->handle_unknown = SEPOL_DENY_UNKNOWN;
+
+	policy_file_init(&pf);
+	pf.type = PF_USE_STDIO;
+	pf.fp = outfp;
+	return policydb_write(p, &pf);
+}*/
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	sidtab_t sidtab;
+	policydb_t modpolicydb;
+	policydb_t kernpolicydb;
+	FILE *devnull = NULL;
+
+	werror = 1;
+	sepol_debug(0);
+	sepol_set_policydb(&modpolicydb);
+	sepol_set_sidtab(&sidtab);
+
+	if (policydb_init(&modpolicydb))
+		goto exit;
+
+	modpolicydb.policy_type = POLICY_BASE;
+	modpolicydb.mls = 1;
+	modpolicydb.handle_unknown = DENY_UNKNOWN;
+
+	if (read_source_policy(&modpolicydb, data, size))
+		goto exit;
+
+	if (hierarchy_check_constraints(NULL, &modpolicydb))
+		goto exit;
+
+	if (policydb_init(&kernpolicydb))
+		goto exit;
+
+	if (link_modules(NULL, &modpolicydb, NULL, 0, 0))
+		goto exit;
+
+	if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1))
+		goto exit;
+
+	if (policydb_load_isids(&modpolicydb, &sidtab))
+		goto exit;
+
+	sepol_sidtab_destroy(&sidtab);
+
+	/*devnull = fopen("/dev/null", "w");
+	if (devnull == NULL)
+		goto exit;
+
+
+	if (write_binary_policy(&modpolicydb, devnull))
+		goto exit;*/
+
+exit:
+	if (devnull != NULL)
+		fclose(devnull);
+
+	policydb_destroy(&kernpolicydb);
+	policydb_destroy(&modpolicydb);
+
+	return 0;
+}