Proposing SELinux support in strace
rmetrich at redhat.com
Mon Apr 5 15:58:20 UTC 2021
Thank you for your hard work here, it's perfect to me.
These new subdir.c entries are indeed nice.
Now that I'm more used to strace development, I hope to be able to
propose other enhancements in the future that will require less work
from your side.
On 4/4/21 2:53 AM, Dmitry V. Levin wrote:
> Hi Renaud,
> On Tue, Mar 30, 2021 at 04:47:59AM +0300, Dmitry V. Levin wrote:
>> On Mon, Mar 29, 2021 at 05:36:42PM +0200, Renaud Métrich wrote:
>>> Thanks, all fixed, PR updated accordingly.
>>> I introduced stripping of trailing newlines in the context (see
>>> selinux.c), after digging into a CI issue for a few hours:
>>> for some reason, on the CI, the context for processes (there are no file
>>> contexts at all) has a trailing "\n" (actually it's "unconfined\n")!
>>> I think it's safe to keep this stripping in the normal code, just in
>>> case, that would avoid unintended newlines in strace output.
>> I also think it's OK.
> I've prepared and pushed to branch ldv/secontext an edition that seems
> to be OK, at least it passes tests on many different systems.
> There are some cosmetic changes in non-tests area:
> - renamed USE_SELINUX to ENABLE_SECONTEXT;
> - renamed with_secontexts to enable_secontext;
> - renamed selinux.[ch] to secontext.[ch];
> - renamed SELINUX_OPT to SECONTEXT_OPT;
> - renamed GETOPT_SELINUX_CONTEXT to GETOPT_SECONTEXT.
> These changes shouldn't affect the generated code.
> There are some changes in tests, too:
> - moved fchmod-y test to a separate commit along with dirfd.c,
> replaced get_curdir_fd with get_fd_path;
> - added a commit introducing a pair of functions that is going to be used
> to make sure the current workdir of the tracee is different from the
> current workdir of the tracer, which is relevant with --secontext option;
> - replaced all tests/execve--secontext*.c files and their corresponding
> tests/Makefile.am data with gen_secontext.sh script that generated all
> these files and the tests/Makefile.am data from tests/gen_tests.in;
> - rewrote selinux.c into secontext.c and secontext.h.
> Looks like some of the tests are now expecting some of *at functions to work,
> such tests should no longer pass on systems where old *at syscalls are not
> supported by the kernel, but I don't see any such regressions anywhere
> I can run tests, so this is probably OK.
> Please have a look whether it's fine with you.
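The trailing-newline stripping discussed above, as an added example that is not strace's own secontext.c: a small C helper that reads a process's SELinux context from /proc/<pid>/attr/current (a file the kernel exposes for any LSM that labels processes, so libselinux is not needed) and normalises away any trailing "\n" such as the "unconfined\n" seen on the CI. The function names and the path-based approach are this example's own; strace's actual implementation goes through libselinux.

```c
/* Added example, not code from strace. Fetch a process's security context
 * from /proc/<pid>/attr/current and strip trailing newlines before use.
 * Uses only libc. On a kernel without an LSM exposing attr/current, or when
 * /proc is mounted with hidepid, the read fails and get_pid_context()
 * returns NULL with errno set. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Remove every trailing '\n' from a NUL-terminated context string, in place.
 * Returns the resulting length. "unconfined\n" becomes "unconfined". */
size_t strip_trailing_newlines(char *ctx)
{
    size_t len = strlen(ctx);
    while (len > 0 && ctx[len - 1] == '\n')
        ctx[--len] = '\0';
    return len;
}

/* Read /proc/<pid>/attr/current into a freshly malloc'ed string.
 * Some LSMs terminate the value with '\n' and some do not, so the result is
 * always passed through strip_trailing_newlines(). The caller frees it. */
char *get_pid_context(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%ld/attr/current", (long) pid);

    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return NULL;

    char buf[4096];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    int saved_errno = errno;
    close(fd);
    if (n < 0) {
        errno = saved_errno;
        return NULL;
    }
    buf[n] = '\0';
    strip_trailing_newlines(buf);
    return strdup(buf);
}

/* Render a context as the "[ctx]" prefix that --secontext-style output
 * would print; a NULL context is shown as "[?]" rather than dropped, so a
 * missing label stays visible in the trace. Returns bytes written. */
int format_context_prefix(const char *ctx, char *out, size_t outsz)
{
    return snprintf(out, outsz, "[%s]", ctx ? ctx : "?");
}

int main(void)
{
    char prefix[4200];
    char *ctx = get_pid_context(getpid());
    format_context_prefix(ctx, prefix, sizeof(prefix));
    if (ctx)
        printf("%s current context of pid %ld\n", prefix, (long) getpid());
    else
        printf("%s no process context readable: %s\n", prefix, strerror(errno));
    free(ctx);
    return 0;
}
```

Build with `cc -o secontext_demo secontext_demo.c` and run it; on an SELinux host it prints something like `[unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]`, on an AppArmor host `[unconfined]`, and on a kernel without a labelling LSM the `[?]` fallback with the errno text, with no stray newline in any case.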