Proposing SELinux support in strace

Dmitry V. Levin ldv at altlinux.org
Mon Mar 15 20:33:28 UTC 2021 

On Mon, Mar 15, 2021 at 06:09:34PM +0100, Renaud Métrich wrote:
[...]
> On 3/15/21 2:10 AM, Dmitry V. Levin wrote:

> > For example:
> >
> >                 AS_IF([test "x$with_secontexts$st_cv_mpers$st_cv_runtime" = xyesyesyes],
> >                       [AC_CACHE_CHECK([whether selinux runtime works with mpers_name personality],
> >                         [st_cv_selinux_runtime],
> >                         [saved_CPPFLAGS="$CPPFLAGS"
> >                          saved_LDFLAGS="$LDFLAGS"
> >                          saved_LIBS="$LIBS"
> >                          CPPFLAGS="$CPPFLAGS libselinux_CPPFLAGS"
> >                          LDFLAGS="$LDFLAGS libselinux_LDFLAGS"
> >                          LIBS="$LIBS libselinux_LIBS"

Oops, I've made a typo, of course it should be $libselinux_CPPFLAGS,
$libselinux_LDFLAGS, and $libselinux_LIBS.

[...]
> >> diff --git a/src/access.c b/src/access.c
> >> index 2936242f7..81b78889b 100644
> >> --- a/src/access.c
> >> +++ b/src/access.c
> >> @@ -34,8 +34,10 @@ decode_faccessat(struct tcb *tcp)
> >>   {
> >>   	/* dirfd */
> >>   	print_dirfd(tcp, tcp->u_arg[0]);
> >> +#ifdef USE_SELINUX
> >> +	tcp->dirfd = (int)(tcp->u_arg[0]);
> >> +#endif
> >>   	tprint_arg_next();
> >> -
> >>   	decode_access(tcp, 1);
> >>   }
> >> [...]
> >> You've added a lot of such tcp->dirfd assignments.  Apparently,
> >> they are added after every print_dirfd invocation except one (and that one
> >> seems to be omitted by mistake).  If you want to cache dirfd processed by
> >> print_dirfd, it would be much easier if you just moved this assignment
> >> inside print_dirfd.
> 
> Initially I had this idea as well but then thought it was ugly to have 
> this state saved in print_dirfd().
> 
> Additionally we need to really know when to set the dirfd: there may be 
> cases where print_dirfd() is called but the next arguments to the 
> syscall won't use that dirfd as "reference".
> 
> Hence it's safer to assign dirfd in the syscall handler itself.

I did "git grep -A1 'print_dirfd(' src/*.c" just to confirm that the only
place where print_dirfd invocation is not followed by "#ifdef USE_SELINUX"
is fsconfig where print_dirfd is used to print the last syscall argument.

[...]
> >> +	}
> >> +	xsprintf(pathtoresolve, "%s/%s", resolved, path);
> >> +	if (realpath(pathtoresolve, resolved) == NULL) {
> > Interesting.  Why realpath?  Would stat_file be enough?
> No, because the path to check needs to be absolute, or else cwd of 
> strace will be used for resolving the context, which is wrong.

realpath is very expensive because it performs canonicalization.
To check whether resolved/path is an absolute path, all we need is
to check whether resolved[0] == '/'.


-- 
ldv

More information about the Strace-devel mailing list