Proposing SELinux support in strace
Dmitry V. Levin
ldv at altlinux.org
Sun Apr 4 00:53:55 UTC 2021
On Tue, Mar 30, 2021 at 04:47:59AM +0300, Dmitry V. Levin wrote:
> On Mon, Mar 29, 2021 at 05:36:42PM +0200, Renaud Métrich wrote:
> > Thanks, all fixed, PR updated accordingly.
> > I introduced stripping of trailing newlines in the context (see
> > selinux.c), after digging into a CI issue for a few hours:
> > for some reason, on the CI, the context for processes (there are no file
> > contexts at all) have a trailing "\n" (actually it's "unconfined\n")!
> > I think it's safe to keep this stripping in the normal code, just in
> > case, that would avoid unintended newlines in strace output.
> I also think it's OK.
I've prepared and pushed to branch ldv/secontext an edition that seems
to be OK, at least it passes tests on many different systems.
There are some cosmetic changes in non-tests area:
- renamed USE_SELINUX to ENABLE_SECONTEXT;
- renamed with_secontexts to enable_secontext;
- renamed selinux.[ch] to secontext.[ch];
- renamed SELINUX_OPT to SECONTEXT_OPT;
- renamed GETOPT_SELINUX_CONTEXT to GETOPT_SECONTEXT.
These changes shouldn't affect the generated code.
There are some changes in tests, too:
- moved fchmod-y test to a separate commit along with dirfd.c,
replaced get_curdir_fd with get_fd_path;
- added a commit introducing a pair of functions that is going to be used
to make sure the current workdir of the tracee is different from the
current workdir of the tracer, which is relevant with --secontext option;
- replaced all tests/execve--secontext*.c files and their corresponding
tests/Makefile.am data with gen_secontext.sh script that generated all
these files and the tests/Makefile.am data from tests/gen_tests.in;
- rewrote selinux.c into secontext.c and secontext.h.
Looks like some of the tests are now expecting some of *at functions to work,
such tests should no longer pass on systems where old *at syscalls are not
supported by the kernel, but I don't see any such regressions anywhere
I can run tests, so this is probably OK.
Please have a look whether it's fine with you.