Proposing SELinux support in strace
Renaud Métrich
rmetrich at redhat.com
Mon Apr 5 15:58:20 UTC 2021
Hi Dmitry,
Thank you for your hard work here, it's perfect for me.
These new subdir.c entries are indeed nice.
Now that I'm more used to strace development, I hope to be able to
propose other enhancements in the future that will require less work
from your side.
Best regards,
Renaud.
On 4/4/21 2:53 AM, Dmitry V. Levin wrote:
> Hi Renaud,
>
> On Tue, Mar 30, 2021 at 04:47:59AM +0300, Dmitry V. Levin wrote:
>> On Mon, Mar 29, 2021 at 05:36:42PM +0200, Renaud Métrich wrote:
>>> Thanks, all fixed, PR updated accordingly.
>>>
>>> I introduced stripping of trailing newlines in the context (see
>>> selinux.c), after digging into a CI issue for a few hours:
>>>
>>> for some reason, on the CI, the context for processes (there are no file
>>> contexts at all) has a trailing "\n" (actually it's "unconfined\n")!
>>>
>>> I think it's safe to keep this stripping in the normal code, just in
>>> case, that would avoid unintended newlines in strace output.
>> I also think it's OK.
> I've prepared and pushed to branch ldv/secontext an edition that seems
> to be OK, at least it passes tests on many different systems.
>
> There are some cosmetic changes in non-tests area:
> - renamed USE_SELINUX to ENABLE_SECONTEXT;
> - renamed with_secontexts to enable_secontext;
> - renamed selinux.[ch] to secontext.[ch];
> - renamed SELINUX_OPT to SECONTEXT_OPT;
> - renamed GETOPT_SELINUX_CONTEXT to GETOPT_SECONTEXT.
> These changes shouldn't affect the generated code.
>
> There are some changes in tests, too:
> - moved fchmod-y test to a separate commit along with dirfd.c,
> replaced get_curdir_fd with get_fd_path;
> - added a commit introducing a pair of functions that is going to be used
> to make sure the current workdir of the tracee is different from the
> current workdir of the tracer, which is relevant with --secontext option;
> - replaced all tests/execve--secontext*.c files and their corresponding
> tests/Makefile.am data with gen_secontext.sh script that generated all
> these files and the tests/Makefile.am data from tests/gen_tests.in;
> - rewrote selinux.c into secontext.c and secontext.h.
>
> Looks like some of the tests are now expecting some of the *at functions to work,
> such tests should no longer pass on systems where old *at syscalls are not
> supported by the kernel, but I don't see any such regressions anywhere
> I can run tests, so this is probably OK.
>
> Please have a look whether it's fine with you.
>
>
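The trailing-newline issue discussed above (a process context read back as "unconfined\n" on the CI) is worth seeing in code. The following is an added example, not code from strace or from this thread: it reads a process's security context straight from /proc/PID/attr/current instead of going through libselinux, strips any trailing newlines before use, and treats an absent or empty context (no SELinux or other LSM providing one) as a normal failure rather than an error to abort on. The function names strip_trailing_newlines and get_pid_secontext are this example's own, and the 4096-byte buffer is an assumed upper bound on a context string, not something the kernel guarantees.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Remove every trailing '\n' from s in place and return the new length.
 * Contexts are printed inside strace output, so a stray newline would
 * break the one-line-per-syscall format; normalizing here is cheap.
 */
size_t
strip_trailing_newlines(char *s)
{
	size_t len = strlen(s);

	while (len > 0 && s[len - 1] == '\n')
		s[--len] = '\0';
	return len;
}

/*
 * Read the security context of PID from /proc/PID/attr/current without
 * linking against libselinux.  Returns a malloc'ed, newline-stripped copy,
 * or NULL with errno set when the kernel provides no context for the
 * process (e.g. no LSM that exports one, or an unreadable /proc entry).
 * Callers free() the result.
 */
char *
get_pid_secontext(pid_t pid)
{
	char path[64];
	char buf[4096];	/* assumed upper bound on a context string */
	ssize_t n;
	int fd, saved_errno;

	snprintf(path, sizeof(path), "/proc/%ld/attr/current", (long) pid);
	fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return NULL;

	n = read(fd, buf, sizeof(buf) - 1);
	saved_errno = errno;
	close(fd);
	if (n <= 0) {
		/* read() fails with EINVAL when no LSM serves this file. */
		errno = n < 0 ? saved_errno : ENODATA;
		return NULL;
	}
	buf[n] = '\0';

	/* Some LSMs append a newline to the value; drop it either way. */
	if (strip_trailing_newlines(buf) == 0) {
		errno = ENODATA;
		return NULL;
	}
	return strdup(buf);
}

int
main(void)
{
	char *ctx = get_pid_secontext(getpid());

	if (!ctx) {
		perror("get_pid_secontext");
		return 1;
	}
	/* Brackets make an unexpected trailing newline visible. */
	printf("[%s]\n", ctx);
	free(ctx);
	return 0;
}
```

On a system without an LSM the program reports the errno from /proc instead of printing an empty pair of brackets, which is the failure mode a tracer wants: no context is a fact about the tracee, not a reason to stop tracing.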