Report generation date: 2024-07-27

Project overview: selinux

High level conclusions

Fuzzers reach 81.08% of cyclomatic complexity.

The runtime code coverage of checkpolicy-fuzzer covers 5.688% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

1769 / 2248

Cyclomatic complexity statically reachable by fuzzers

13691 / 16885

Runtime code coverage of functions

1528 / 2248

Fuzzers overview

Fuzzer	Fuzzer filename	Functions Reached	Functions unreached	Fuzzer depth	Files reached	Basic blocks reached	Cyclomatic complexity	Details
checkpolicy-fuzzer	checkpolicy/fuzz/checkpolicy-fuzzer.c	879	329	12	37	20971	7548	checkpolicy-fuzzer.c
binpolicy-fuzzer	libsepol/fuzz/binpolicy-fuzzer.c	652	166	11	30	16506	5909	binpolicy-fuzzer.c
secilc-fuzzer	libsepol/fuzz/secilc-fuzzer.c	1145	648	19	43	18179	7260	secilc-fuzzer.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer details

Fuzzer: checkpolicy-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 4185 97.8%

gold [1:9] 1 0.02%

yellow [10:29] 0 0.0%

greenyellow [30:49] 60 1.40%

lawngreen 50+ 32 0.74%

All colors 4278 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	4185	97.8%
gold	[1:9]	1	0.02%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	60	1.40%
lawngreen	50+	32	0.74%
All colors	4278	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
25	25	2 : View List ['cond_node_destroy', 'free']	25	25	cond_list_destroy	call site: 00014	/src/selinux/libsepol/src/conditional.c:502
2	2	2 : View List ['calloc', 'free']	2	2	hashtab_check_resize	call site: 00065	/src/selinux/libsepol/src/hashtab.c:73
2	2	1 : View List ['reallocarray']	2	2	add_i_to_a	call site: 00072	/src/selinux/libsepol/src/util.c:54
0	4	1 : View List ['ebitmap_destroy']	0	4	scope_index_destroy	call site: 00051	/src/selinux/libsepol/src/avrule_block.c:86
0	4	2 : View List ['ebitmap_destroy', 'free']	0	4	policydb_destroy	call site: 04275	/src/selinux/libsepol/src/policydb.c:1582
0	0	None	11	11	avrule_list_destroy	call site: 00017	/src/selinux/libsepol/src/policydb.c:751
0	0	None	4	4	full_write	call site: 00094	/src/selinux/checkpolicy/fuzz/checkpolicy-fuzzer.c:45
0	0	None	2	66	roles_init	call site: 00061	/src/selinux/libsepol/src/policydb.c:775
0	0	None	0	257	policydb_destroy	call site: 04247	/src/selinux/libsepol/src/policydb.c:1497
0	0	None	0	235	policydb_destroy	call site: 04250	/src/selinux/libsepol/src/policydb.c:1507
0	0	None	0	235	policydb_destroy	call site: 04250	/src/selinux/libsepol/src/policydb.c:1511
0	0	None	0	235	policydb_destroy	call site: 04250	/src/selinux/libsepol/src/policydb.c:1513

Runtime coverage analysis

Covered functions

52

Functions that are reachable but not covered

829

Reachable functions

879

Percentage of reachable functions covered

5.69%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
checkpolicy/fuzz/checkpolicy-fuzzer.c	4
libsepol/src/debug.c	1
libsepol/src/policydb.c	59
libsepol/src/symtab.c	3
libsepol/src/hashtab.c	6
libsepol/src/avrule_block.c	9
libsepol/src/conditional.c	22
libsepol/src/ebitmap.c	12
libsepol/src/mls.c	8
DESTDIR/usr/include/sepol/policydb/ebitmap.h	2
libsepol/src/avtab.c	11
libsepol/src/util.c	4
checkpolicy/policy_scan.l	4
checkpolicy/queue.c	6
checkpolicy/lex.yy.c	18
checkpolicy/policy_define.c	100
checkpolicy/y.tab.c	2
checkpolicy/module_compiler.c	37
libsepol/src/policydb_validate.c	70
libsepol/src/expand.c	58
DESTDIR/usr/include/sepol/policydb/mls_types.h	9
DESTDIR/usr/include/sepol/policydb/context.h	6
libsepol/src/constraint.c	2
libsepol/src/context.c	2
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
libsepol/src/polcaps.c	2
libsepol/src/link.c	35
libsepol/src/hierarchy.c	27
libsepol/src/assertion.c	16
libsepol/src/sidtab.c	3
libsepol/src/optimize.c	16
libsepol/src/kernel_to_common.c	28
libsepol/src/write.c	38
libsepol/src/services.c	1
libsepol/src/kernel_to_conf.c	74
libsepol/src/kernel_to_cil.c	75
libsepol/src/module_to_cil.c	72

Fuzzer: binpolicy-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 899 33.3%

gold [1:9] 112 4.15%

yellow [10:29] 63 2.33%

greenyellow [30:49] 60 2.22%

lawngreen 50+ 1564 57.9%

All colors 2698 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	899	33.3%
gold	[1:9]	112	4.15%
yellow	[10:29]	63	2.33%
greenyellow	[30:49]	60	2.22%
lawngreen	50+	1564	57.9%
All colors	2698	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
662	1132	8 : View List ['cond_node_map_bools', 'cond_avrule_list_copy', 'cond_normalize_expr', 'cond_node_search', 'cond_node_create', 'cond_node_copy', 'free', 'cond_node_destroy']	662	1132	cond_node_copy	call site: 02576	/src/selinux/libsepol/src/expand.c:2051
250	250	5 : View List ['qsort', 'free', 'calloc', 'cond_expr_to_str.1919', 'write_cond_av_list_to_conf']	250	250	write_cond_nodes_to_conf	call site: 01500	/src/selinux/libsepol/src/kernel_to_conf.c:2123
121	123	2 : View List ['expand_avtab', 'avtab_init']	127	277	avtab_write	call site: 00986	/src/selinux/libsepol/src/write.c:290
17	17	1 : View List ['validate_mls_semantic_cat']	17	17	validate_mls_semantic_level	call site: 00618	/src/selinux/libsepol/src/policydb_validate.c:639
3	77	3 : View List ['avtab_reset_merged', 'put_entry', 'avtab_write_item']	3	84	avtab_write	call site: 01006	/src/selinux/libsepol/src/write.c:323
2	2	1 : View List ['strdup']	14	2379	expand_module	call site: 02313	/src/selinux/libsepol/src/expand.c:2994
2	2	1 : View List ['strdup']	4	50	copy_neverallow	call site: 02537	/src/selinux/libsepol/src/expand.c:2662
2	2	1 : View List ['strdup']	2	39	policydb_filetrans_insert	call site: 00204	/src/selinux/libsepol/src/policydb.c:2609
2	2	2 : View List ['calloc', 'free']	2	26	copy_neverallow	call site: 02542	/src/selinux/libsepol/src/expand.c:2698
2	2	1 : View List ['calloc']	2	23	scope_write	call site: 01134	/src/selinux/libsepol/src/write.c:2139
2	2	1 : View List ['reallocarray']	2	2	strs_add_at_index	call site: 01272	/src/selinux/libsepol/src/kernel_to_common.c:173
2	2	1 : View List ['reallocarray']	2	2	type_vec_append	call site: 00762	/src/selinux/libsepol/src/optimize.c:61

Runtime coverage analysis

Covered functions

549

Functions that are reachable but not covered

144

Reachable functions

652

Percentage of reachable functions covered

77.91%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
libsepol/fuzz/binpolicy-fuzzer.c	2
libsepol/src/debug.c	1
libsepol/src/policydb.c	85
libsepol/src/symtab.c	3
libsepol/src/hashtab.c	6
libsepol/src/avrule_block.c	8
libsepol/src/conditional.c	25
libsepol/src/ebitmap.c	13
libsepol/src/mls.c	7
DESTDIR/usr/include/sepol/policydb/ebitmap.h	3
libsepol/src/avtab.c	13
libsepol/src/util.c	4
libsepol/src/services.c	3
libsepol/src/./private.h	1
libsepol/src/policydb_validate.c	70
libsepol/src/expand.c	59
DESTDIR/usr/include/sepol/policydb/mls_types.h	9
libsepol/src/context.c	2
DESTDIR/usr/include/sepol/policydb/context.h	5
libsepol/src/polcaps.c	1
libsepol/src/sidtab.c	3
libsepol/src/optimize.c	16
libsepol/src/assertion.c	16
libsepol/src/hierarchy.c	27
libsepol/src/write.c	38
libsepol/src/kernel_to_conf.c	74
libsepol/src/kernel_to_common.c	28
libsepol/src/kernel_to_cil.c	75
libsepol/src/link.c	35
libsepol/src/constraint.c	2

Fuzzer: secilc-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 690 15.0%

gold [1:9] 317 6.92%

yellow [10:29] 131 2.86%

greenyellow [30:49] 40 0.87%

lawngreen 50+ 3397 74.2%

All colors 4575 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	690	15.0%
gold	[1:9]	317	6.92%
yellow	[10:29]	131	2.86%
greenyellow	[30:49]	40	0.87%
lawngreen	50+	3397	74.2%
All colors	4575	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
520	520	5 : View List ['cil_ioportcon_to_policydb', 'cil_devicetreecon_to_policydb', 'cil_iomemcon_to_policydb', 'cil_pcidevicecon_to_policydb', 'cil_pirqcon_to_policydb']	520	520	__cil_contexts_to_policydb	call site: 03917	/src/selinux/libsepol/src/../cil/src/cil_binary.c:4149
362	375	3 : View List ['hashtab_map', 'avrule_block_write', 'put_entry']	362	616	policydb_write	call site: 04326	/src/selinux/libsepol/src/write.c:2362
137	137	4 : View List ['mls_semantic_range_expand', 'mls_level_destroy.3275', 'mls_range_destroy.3271', 'mls_semantic_level_expand']	137	137	policydb_user_cache	call site: 04193	/src/selinux/libsepol/src/policydb.c:976
127	127	1 : View List ['check_assertion_extended_permissions']	127	127	check_assertion_avtab_match	call site: 03990	/src/selinux/libsepol/src/assertion.c:606
121	123	2 : View List ['expand_avtab', 'avtab_init']	127	277	avtab_write	call site: 04327	/src/selinux/libsepol/src/write.c:290
100	102	2 : View List ['expand_cond_av_list', 'avtab_init']	100	186	cond_write_av_list	call site: 04367	/src/selinux/libsepol/src/write.c:772
96	96	1 : View List ['avrule_write_list']	96	103	cond_write_node	call site: 04366	/src/selinux/libsepol/src/write.c:843
39	39	1 : View List ['avtab_search_node_next']	39	46	avtab_write_item	call site: 04347	/src/selinux/libsepol/src/write.c:119
32	53	2 : View List ['map_ebitmap', 'ebitmap_union']	32	139	role_set_expand	call site: 04197	/src/selinux/libsepol/src/expand.c:2472
27	27	1 : View List ['ocontext_xen_free']	27	96	policydb_destroy	call site: 04246	/src/selinux/libsepol/src/policydb.c:1531
18	18	1 : View List ['role_set_write']	47	97	user_write	call site: 00000	/src/selinux/libsepol/src/write.c:1314
11	11	1 : View List ['cil_list_error']	11	11	cil_list_append	call site: 00444	/src/selinux/libsepol/src/../cil/src/cil_list.c:103

Runtime coverage analysis

Covered functions

1137

Functions that are reachable but not covered

116

Reachable functions

1145

Percentage of reachable functions covered

89.87%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
libsepol/fuzz/secilc-fuzzer.c	2
libsepol/src/../cil/src/cil_log.c	5
libsepol/src/../cil/src/cil.c	108
libsepol/src/../cil/src/cil_mem.c	5
libsepol/src/../cil/src/cil_strpool.c	5
libsepol/src/hashtab.c	7
libsepol/src/../cil/src/cil_tree.c	13
libsepol/src/../cil/src/cil_symtab.c	12
libsepol/src/symtab.c	2
libsepol/src/../cil/src/cil_list.c	11
libsepol/src/../cil/src/cil_parser.c	7
libsepol/src/../cil/src/cil_stack.c	7
libsepol/src/../cil/src/cil_lexer.l	3
libsepol/src/../cil/src/cil_lexer.c	20
libsepol/src/../cil/src/cil_build_ast.c	196
libsepol/src/../cil/src/cil_verify.c	55
libsepol/src/ebitmap.c	16
libsepol/src/../cil/src/cil_copy_ast.c	3
libsepol/src/../cil/src/cil_resolve_ast.c	94
libsepol/src/../cil/src/cil_reset_ast.c	57
libsepol/src/../cil/src/cil_fqn.c	3
libsepol/src/../cil/src/cil_post.c	44
DESTDIR/usr/include/sepol/policydb/ebitmap.h	2
libsepol/src/../cil/src/cil_deny.c	41
libsepol/src/../cil/src/cil_find.c	16
libsepol/src/polcaps.c	1
libsepol/src/../cil/src/cil_binary.c	132
libsepol/src/policydb_public.c	7
libsepol/src/policydb.c	41
libsepol/src/avrule_block.c	6
libsepol/src/conditional.c	16
libsepol/src/mls.c	5
libsepol/src/avtab.c	11
libsepol/src/util.c	1
DESTDIR/usr/include/sepol/policydb/mls_types.h	8
libsepol/src/constraint.c	2
DESTDIR/usr/include/sepol/policydb/context.h	3
libsepol/src/assertion.c	9
libsepol/src/hierarchy.c	19
libsepol/src/expand.c	11
libsepol/src/optimize.c	16
libsepol/src/write.c	38
libsepol/src/services.c	1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	instr count	bb count	cyclomatic complexity	Reachable functions	total cyclomatic complexity	Unreached complexity
`cil_write_policy_conf`	/src/selinux/libsepol/src/../cil/src/cil.c	2	['N/A', 'N/A']	16	21	3	2	201	889	371
`cil_write_post_ast`	/src/selinux/libsepol/src/../cil/src/cil.c	2	['N/A', 'N/A']	19	126	16	8	769	4770	285
`sepol_get_user_sids`	/src/selinux/libsepol/src/services.c	4	['int', 'N/A', 'N/A', 'N/A']	8	357	46	18	50	362	211
`sepol_check_context`	/src/selinux/libsepol/src/context.c	1	['N/A']	9	19	3	2	53	328	153
`sepol_ppfile_to_module_package`	/src/selinux/libsepol/src/module_to_cil.c	2	['N/A', 'N/A']	11	264	38	13	260	2147	147
`sepol_module_package_to_cil`	/src/selinux/libsepol/src/module_to_cil.c	2	['N/A', 'N/A']	10	136	21	9	117	705	126
`sepol_load_policy`	/src/selinux/libsepol/src/services.c	2	['N/A', 'size_t']	10	157	18	7	263	2128	106

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

1944 / 2248

Cyclomatic complexity statically reachable by fuzzers

15080 / 16885

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

checkpolicy/fuzz/checkpolicy-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['role_datum_destroy', 'read_source_policy', 'avrule_decl_destroy', 'policydb_init', 'type_set_destroy']

libsepol/fuzz/binpolicy-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['prepare_base', 'check_assertion', 'sepol_kernel_policydb_to_conf', 'cond_write_list', 'write_cond_nodes_to_cil', 'user_datum_destroy', 'copy_and_expand_avrule_block', 'is_id_enabled', 'policydb_write']

libsepol/fuzz/secilc-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['filename_write_one', 'check_assertion_self_match', 'cil_avrulex_to_hashtable', '__cil_print_classperm', 'role_set_expand', 'policydb_write', 'ocontext_write_selinux', 'cil_ibendportcon_to_policydb', 'cond_write_node', 'cil_parser']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
read_source_policy	60	24	40.0%	['checkpolicy-fuzzer']
policydb_init	51	28	54.90%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
symtab_insert	74	29	39.18%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
roles_init	32	16	50.0%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
type_set_expand	83	44	53.01%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
expand_module	174	88	50.57%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_rule_helper	40	7	17.5%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
copy_role_allows	53	11	20.75%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
copy_role_trans	77	11	14.28%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_filename_trans	42	10	23.80%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_range_trans	41	20	48.78%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
copy_neverallow	79	31	39.24%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
cond_node_copy	46	5	10.86%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
discard_tunables	66	17	25.75%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
attr_convert_callback	31	13	41.93%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
role_copy_callback	67	17	25.37%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
sens_copy_callback	42	7	16.66%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
cats_copy_callback	31	7	22.58%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
user_copy_callback	95	13	13.68%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
role_fix_callback	47	13	27.65%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
ocontext_copy_selinux	88	9	10.22%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
genfs_copy	47	20	42.55%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
sepol_kernel_policydb_to_cil	217	117	53.91%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
constraint_expr_to_str	133	64	48.12%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_cond_nodes_to_cil	64	21	32.81%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_genfscon_rules_to_cil	67	21	31.34%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_port_rules_to_cil	45	14	31.11%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_node_rules_to_cil	31	11	35.48%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_ioport_rules_to_cil	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_iomem_rules_to_cil	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
sepol_kernel_policydb_to_conf	222	120	54.05%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_cond_nodes_to_conf	61	11	18.03%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_genfscon_rules_to_conf	67	21	31.34%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_port_rules_to_conf	45	14	31.11%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_node_rules_to_conf	31	11	35.48%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_iomem_rules_to_conf	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_ioport_rules_to_conf	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
link_modules	90	31	34.44%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
is_decl_requires_met	64	16	25.0%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_role_attributes	33	12	36.36%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
avtab_write	56	26	46.42%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
avtab_write_item	136	39	28.67%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
avrule_write	77	26	33.76%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
role_trans_rule_write	37	14	37.83%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
filename_trans_rule_write	42	12	28.57%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
ocontext_write_xen	104	15	14.42%	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
cil_avrulex_to_hashtable	131	25	19.08%	['secilc-fuzzer']
__cil_contexts_to_policydb	56	25	44.64%	['secilc-fuzzer']
cil_check_neverallow	81	43	53.08%	['secilc-fuzzer']
yy_get_next_buffer	89	18	20.22%	['checkpolicy-fuzzer', 'secilc-fuzzer']
__cil_verify_booleanif_helper	50	20	40.0%	['secilc-fuzzer']
__cil_verify_user_pre_eval	33	15	45.45%	['secilc-fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/selinux/libsepol/src/services.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/checkpolicy/policy_define.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_build_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/policydb_convert.c	[]	[]
/src/selinux/DESTDIR/usr/include/sepol/policydb/context.h	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/checkpolicy/module_compiler.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/./private.h	['binpolicy-fuzzer']	[]
/src/selinux/libsepol/src/policydb_public.c	['secilc-fuzzer']	['secilc-fuzzer']
/src/selinux/libsepol/src/write.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/context.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/kernel_to_conf.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_resolve_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_copy_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/optimize.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/checkpolicy/y.tab.c	['checkpolicy-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_binary.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_deny.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_post.c	['secilc-fuzzer']	[]
/usr/include/x86_64-linux-gnu/bits/byteswap.h	['checkpolicy-fuzzer']	[]
/src/selinux/libsepol/src/avtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/policydb.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/DESTDIR/usr/include/sepol/policydb/ebitmap.h	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/avrule_block.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/hierarchy.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_tree.c	['secilc-fuzzer']	[]
/src/selinux/DESTDIR/usr/include/sepol/policydb/mls_types.h	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_lexer.l	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/module.c	[]	[]
/src/selinux/libsepol/src/../cil/src/cil_verify.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_symtab.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/fuzz/secilc-fuzzer.c	['secilc-fuzzer']	['secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_parser.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/ebitmap.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/kernel_to_cil.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/hashtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/debug.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
/src/selinux/libsepol/src/symtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/checkpolicy/policy_scan.l	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_policy.c	[]	[]
/src/selinux/libsepol/fuzz/binpolicy-fuzzer.c	['binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/conditional.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_strpool.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_write_ast.c	[]	[]
/src/selinux/libsepol/src/expand.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_log.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/constraint.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/checkpolicy/fuzz/checkpolicy-fuzzer.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/policydb_validate.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/util.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_find.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/mls.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/kernel_to_common.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_lexer.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_reset_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/sidtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_stack.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/polcaps.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_list.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_mem.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_fqn.c	['secilc-fuzzer']	[]
/src/selinux/checkpolicy/lex.yy.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/module_to_cil.c	['checkpolicy-fuzzer']	[]
/src/selinux/libsepol/src/assertion.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/context_record.c	[]	[]
/src/selinux/checkpolicy/queue.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/link.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/checkpolicy/parse_util.c	[]	[]

Directories in report

Directory

/src/selinux/DESTDIR/usr/include/sepol/policydb/
/src/selinux/checkpolicy/
/src/selinux/libsepol/src/../cil/src/
/src/selinux/libsepol/src/./
/src/selinux/libsepol/src/
/src/selinux/libsepol/fuzz/
/src/selinux/checkpolicy/fuzz/
/usr/include/x86_64-linux-gnu/bits/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file

checkpolicy-fuzzer fuzzerLogFile-0-GtSEpLOrF1.data fuzzerLogFile-0-GtSEpLOrF1.data.yaml checkpolicy-fuzzer.covreport

binpolicy-fuzzer fuzzerLogFile-0-Y3X0KTuLcr.data fuzzerLogFile-0-Y3X0KTuLcr.data.yaml binpolicy-fuzzer.covreport

secilc-fuzzer fuzzerLogFile-0-MEfB8GdwYs.data fuzzerLogFile-0-MEfB8GdwYs.data.yaml secilc-fuzzer.covreport

Fuzzer	Calltree file	Program data file	Coverage file
checkpolicy-fuzzer	fuzzerLogFile-0-GtSEpLOrF1.data	fuzzerLogFile-0-GtSEpLOrF1.data.yaml	checkpolicy-fuzzer.covreport
binpolicy-fuzzer	fuzzerLogFile-0-Y3X0KTuLcr.data	fuzzerLogFile-0-Y3X0KTuLcr.data.yaml	binpolicy-fuzzer.covreport
secilc-fuzzer	fuzzerLogFile-0-MEfB8GdwYs.data	fuzzerLogFile-0-MEfB8GdwYs.data.yaml	secilc-fuzzer.covreport

Table of contents

Project overview: selinux

High level conclusions

Reachability and coverage overview

Fuzzers overview

Project functions overview

Fuzzer details

Fuzzer: checkpolicy-fuzzer

Call tree

Fuzz blockers

Runtime coverage analysis

Files reached

Fuzzer: binpolicy-fuzzer

Call tree

Fuzz blockers

Runtime coverage analysis

Files reached

Fuzzer: secilc-fuzzer

Call tree

Fuzz blockers

Runtime coverage analysis

Files reached

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

All functions overview

Fuzz engine guidance

checkpolicy/fuzz/checkpolicy-fuzzer.c

Dictionary

Fuzzer function priority

libsepol/fuzz/binpolicy-fuzzer.c

Dictionary

Fuzzer function priority

libsepol/fuzz/secilc-fuzzer.c

Dictionary

Fuzzer function priority

Runtime coverage analysis

Complex functions with low coverage

Files and Directories in report

Files in report

Directories in report

Metadata section