-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test(test): Adding fuzzer for ContainerPolicy #1797
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: prady0t <[email protected]>
Already found an issue with this. I ran the fuzzer for a while and It failed for this input : {
"0000": "00000000000000",
"oBjeCt": {
"metAdAtA": {
"nAme": "0"
}
}
} Which is totally understandable. To fix this we can also have a condition in fuzzer to check for status as
Marking this as a draft for now. |
I've added a check for If you think it's testing something useful, we can go ahead and merge it. Once we have this inside KubeArmor codebase, we can try writing config files so that we can integrate it with oss-fuzz. Running it locally won't give much fruitful results. Running our fuzzers with oss fuzz will help us improve it even better. We may also find some crucial bugs. This could be a starting point for how we can add more fuzzer. @daemon1024 @DelusionalOptimist Do let me know what you guys think of this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the PR
I think this PR and the resultant image could be uses as input for OSS-Fuzz. How long did you test it on your local system? @prady0t |
For about an hour. Do you want me to run it overnight? It might help us find any early bug or any problems with the fuzzer. |
Signed-off-by: Pradyot Ranjan <[email protected]>
Signed-off-by: Pradyot Ranjan <[email protected]>
Running it in current state won't result in anything since the primary function is stubbed out. |
Signed-off-by: Rahul Jadhav <[email protected]>
The primary updates I made using the last commit is:
This is already showing up some issues during fuzz ... We need to check if those are genuine issues or need stubbing. |
Thanks a Lot for these changes! This makes much more sense now. Let me try to run these locally |
Sorry for the late reply. Fuzzer is failing for this input :
@nyrahul did you find similar results locally? JSON format : {
"oBjeCt": {
"metAdAtA": {
"nAme": "0"
},
"speC": {
"seleCtor": {
"mAtChLABels": {
"": ""
}
}
}
}
}
|
Signed-off-by: prady0t <[email protected]>
The fuzzer is now running. Would like your reviews @nyrahul @daemon1024 @DelusionalOptimist |
initialData := &pb.Policy{ | ||
Policy: []byte(` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's use varied kinds of policy including file, network as seed values. https://github.com/kubearmor/KubeArmor/tree/main/tests/k8s_env/ksp/multiubuntu
if(endpointIdx != -1){ | ||
dm.EndPoints[endpointIdx] = newPoint | ||
dm.Logger.UpdateSecurityPolicies("DELETED", newPoint) | ||
dm.RuntimeEnforcer.UpdateSecurityPolicies(newPoint) | ||
// delete endpoint if no containers or policies |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already found a bug and fixed it, Nice 🔥
Signed-off-by: prady0t <[email protected]>
Purpose of PR?:
This is a fuzzer for
ContainerPolicy
KubeArmor/KubeArmor/policy/policy.go
Line 24 in a5f584c
For seed corpus I referred to this policy and removed
Metadata.Name
from it.With this we are testing if invalid policy results in
PolicyStatus_Invalid
or not.To run the fuzz test,
Addresses #1367
Does this PR introduce a breaking change?
NO