[PATCH] --secontext: Implement displaying of expected context upon mismatch

Dmitry V. Levin ldv at altlinux.org
Wed Dec 29 09:47:57 UTC 2021


On Wed, Dec 29, 2021 at 09:52:28AM +0100, Renaud Métrich wrote:
[...]
> >> +	/*
> >> +	 * We need to fully resolve the path, because selabel_lookup() isn't
> >> +	 * smart enough to automatically resolve
> >> +	 */
> >> +
> >> +	char *resolved = realpath(path, NULL);
> >> +	if (!resolved)
> >> +		return -1;
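Review bot: `realpath(path, NULL)` returns heap memory, and the lines shown do not release `resolved`; make sure every exit after this point, including the early returns of the selabel_lookup() call that follows, frees it, or the function leaks one allocation per lookup.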
> > realpath looks like overkill, it may issue quite a few syscalls while
> > a simple readlink should be enough to resolve the symlink in /proc/.
> 
> Unfortunately readlink() is not working here because readlink() doesn't
> resolve fully but selabel_lookup() really requires knowing the path,
> because it just checks in its database for the corresponding regex.
> 
> Example:
> 
> $ cd /tmp
> $ ln -s /home/rmetrich symlinkdir
> $ touch /home/rmetrich/bar
> $ ln -s /tmp/symlinkdir/bar
> $ matchpathcon $(readlink bar)
> /tmp/symlinkdir/bar	<<none>>
> 
> ---> WRONG
> 
> $ matchpathcon $(realpath bar)
> /home/rmetrich/bar	unconfined_u:object_r:user_home_t:s0

When the function is called by selinux_getfdcon, the symlink in question
is /proc/%u/fd/%u and it shouldn't need an extra canonicalization effort.
Maybe in the case of selinux_getfilecon you need this awful realpath, though.


-- 
ldv
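The two cases argued above, as an added example that is not part of the thread and not strace's code. It rebuilds the layout from Renaud's shell session under a fresh mkdtemp() directory (a constructed sample, not the real /home/rmetrich tree) and shows both sides: `compare_readlink_realpath()` demonstrates why a plain readlink() on a user-supplied path leaves the `symlinkdir` component unresolved while realpath() walks it, and `proc_fd_readlink_matches_realpath()` demonstrates Dmitry's point that a /proc/self/fd/N magic link already comes back canonical from the kernel, so one readlink() is enough there. The function names and the `/tmp/secontext-demo-XXXXXX` template are this example's own; the second function assumes a Linux /proc and reports 2 where it is absent.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Constructed sample layout mirroring the one in the thread, created under
 * a fresh mkdtemp() directory:
 *   <base>/real/bar          regular file
 *   <base>/symlinkdir  ->  <base>/real
 *   <base>/bar         ->  <base>/symlinkdir/bar
 * Writes the base directory and the path of <base>/bar; base[0] stays '\0'
 * if mkdtemp() itself failed.
 */
static int build_layout(char *base, size_t bsz, char *link, size_t lsz)
{
	char tmpl[] = "/tmp/secontext-demo-XXXXXX";
	char real_dir[PATH_MAX], file[PATH_MAX], symlinkdir[PATH_MAX], target[PATH_MAX];

	base[0] = '\0';
	if (!mkdtemp(tmpl))
		return -1;
	snprintf(base, bsz, "%s", tmpl);
	snprintf(real_dir, sizeof real_dir, "%s/real", base);
	snprintf(file, sizeof file, "%s/real/bar", base);
	snprintf(symlinkdir, sizeof symlinkdir, "%s/symlinkdir", base);
	snprintf(target, sizeof target, "%s/symlinkdir/bar", base);
	snprintf(link, lsz, "%s/bar", base);

	if (mkdir(real_dir, 0700) != 0)
		return -1;
	FILE *f = fopen(file, "w");
	if (!f)
		return -1;
	fclose(f);
	/* two levels of indirection: bar -> symlinkdir/bar, symlinkdir -> real */
	if (symlink(real_dir, symlinkdir) != 0 || symlink(target, link) != 0)
		return -1;
	return 0;
}

static void remove_layout(const char *base)
{
	char p[PATH_MAX];
	if (!base[0])
		return;
	snprintf(p, sizeof p, "%s/bar", base);        unlink(p);
	snprintf(p, sizeof p, "%s/symlinkdir", base); unlink(p);
	snprintf(p, sizeof p, "%s/real/bar", base);   unlink(p);
	snprintf(p, sizeof p, "%s/real", base);       rmdir(p);
	rmdir(base);
}

/*
 * The selinux_getfilecon case: resolve <base>/bar once with readlink() and
 * once with realpath(). readlink() only returns the link's own target text,
 * so "symlinkdir" survives and selabel_lookup() would match the wrong regex;
 * realpath() walks every component. Returns 1 when the two answers differ,
 * 0 when they agree, -1 on error.
 */
int compare_readlink_realpath(char *via_readlink, size_t rl_sz,
			      char *via_realpath, size_t rp_sz)
{
	char base[PATH_MAX], link[PATH_MAX];
	ssize_t n = -1;
	char *rp = NULL;

	if (build_layout(base, sizeof base, link, sizeof link) == 0) {
		n = readlink(link, via_readlink, rl_sz - 1);
		rp = realpath(link, NULL);
	}
	remove_layout(base);
	if (n < 0 || !rp) {
		free(rp);
		return -1;
	}
	via_readlink[n] = '\0';
	snprintf(via_realpath, rp_sz, "%s", rp);
	free(rp);	/* realpath(path, NULL) hands back heap memory */
	return strcmp(via_readlink, via_realpath) != 0;
}

/*
 * The selinux_getfdcon case: open the file through the symlink chain, then
 * readlink() the /proc/self/fd/<n> magic link. The kernel fills that link
 * with the canonical path of the open file, so one readlink() already agrees
 * with realpath(). Returns 1 if they agree, 0 if not, 2 if /proc is not
 * available (non-Linux), -1 on error.
 */
int proc_fd_readlink_matches_realpath(void)
{
	char base[PATH_MAX], link[PATH_MAX], proc_link[64], via_proc[PATH_MAX];
	int rc = -1, fd = -1;
	ssize_t n;
	char *rp;

	if (build_layout(base, sizeof base, link, sizeof link) != 0)
		goto out;
	fd = open(link, O_RDONLY);
	if (fd < 0)
		goto out;
	snprintf(proc_link, sizeof proc_link, "/proc/self/fd/%d", fd);
	n = readlink(proc_link, via_proc, sizeof via_proc - 1);
	if (n < 0) {
		rc = access("/proc/self", F_OK) == 0 ? -1 : 2;
		goto out;
	}
	via_proc[n] = '\0';
	rp = realpath(link, NULL);
	if (!rp)
		goto out;
	rc = strcmp(via_proc, rp) == 0;
	free(rp);
out:
	if (fd >= 0)
		close(fd);
	remove_layout(base);
	return rc;
}
```

Run on a Linux box, the first function returns 1 with `via_readlink` ending in `/symlinkdir/bar` and `via_realpath` ending in `/real/bar`, while the second returns 1, which is the asymmetry the thread turns on: the caller's own path needs canonicalization before selabel_lookup(), the /proc fd link does not.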

