[PATCH] --secontext: Implement displaying of expected context upon mismatch
Renaud Métrich
rmetrich at redhat.com
Mon Dec 6 19:40:29 UTC 2021
Thanks for the suggestion; actually, "short" is not needed at all:
"full" and "mismatch" are sufficient (these are orthogonal flags).
What do you mean by "use qualify_tokens"? Would you prefer to have a new
-e secontext=qualifiers with qualifiers in "full", "mismatch" set and
stop having "--secontext=full" possibility but just the "--secontext"
flag to print SEcontexts?
Renaud.
On 12/6/21 09:08, Eugene Syromiatnikov wrote:
> On Fri, Dec 03, 2021 at 03:36:52PM +0100, Renaud Métrich wrote:
>> +void
>> +selinux_set_format(const char *optarg)
>> +{
>> + uint8_t selected[SFORMAT_MAX] = { 0 };
>> +
>> + if (!optarg)
>> + return;
>> +
>> + const char *prev = optarg;
>> +
>> + for (;;) {
>> + bool found = false;
>> + const char *pos = strchr(prev, ',');
>> + size_t len = pos ? (size_t) (pos - prev) : strlen(prev);
>> +
>> + for (size_t i = 0; i < ARRAY_SIZE(format_aliases); i++) {
>> + if (strncmp(format_aliases[i].name, prev, len) ||
>> + format_aliases[i].name[len])
>> + continue;
>> + if (selected[format_aliases[i].index]++)
>> + error_msg_and_help("secontext format has been "
>> + "provided more than once: "
>> + "'%s'",
>> + format_aliases[i].name);
>> + found = true;
>> + break; /* for i */
>> + }
>> + if (!found)
>> + error_msg_and_help("unknown secontext format: '%.*s'",
>> + (int) MIN(len, INT_MAX), prev);
>> +
>> + if (!pos)
>> + break;
>> +
>> + prev = pos + 1;
>> + }
>> +
>> + if (selected[SFORMAT_SHORT] && selected[SFORMAT_FULL])
>> + error_msg_and_die("secontext format '%s' and '%s' cannot be "
>> + "provided simultaneously", "short", "full");
>> +
>> + if (selected[SFORMAT_FULL])
>> + selinux_context_full = true;
>> + if (selected[SFORMAT_MISMATCH])
>> + selinux_context_mismatch = true;
>> }
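Review bot: the "short"/"full" conflict check at the end of selinux_set_format() exits through error_msg_and_die, while the duplicate-format and unknown-format errors earlier in the same function use error_msg_and_help; all three are command-line usage errors, so they should go through the same helper. Separately, an empty token (an empty argument, or a leading, trailing or doubled comma) gives len == 0, so strncmp() compares nothing and the match is rejected only by format_aliases[i].name[len] being non-zero, which ends in "unknown secontext format: ''"; an explicit len == 0 check with its own message would make that case deliberate rather than incidental. Finally, selected[SFORMAT_SHORT] is read only for the conflict check and sets no flag, so a one-line comment stating that "short" is the default output would save the next reader from looking for a missing assignment.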
> What do you think about renaming "short" to "type", and using qualify_tokens
> for parsing, with "full" bit implying "type"?
>