Proposing SELinux support in strace

Renaud Métrich rmetrich at redhat.com
Thu Mar 18 22:41:29 UTC 2021


If you agree with merging this with the existing PR, attached is the 
proposed patch.

It introduces a "nocheck" modifier to --secontext option 
(--secontext=nocheck or --secontext=full,nocheck).

On 3/18/21 4:55 PM, Renaud Métrich wrote:
> Hello, I've just realized that the limitation on the mount namespace 
> is a real blocker in the real world:
>
> it appears that on systemd systems, all systemd services making use of 
> PrivateTmp get their own namespace (due to having their own /var/tmp), 
> which prevents the --secontext option from working for all files.
>
> I just experienced this with a customer strace ...
>
> I would hence like to add a new option (similar to "full", e.g. 
> "nocheck") that would ignore the mount namespace check and resolve 
> paths in the strace mount namespace.
>
> This will potentially return invalid context information, but is 
> definitely better than returning nothing at all.
>
> This will at least make it possible to strace normal services that just 
> have PrivateTmp set: most paths, except for stuff in /var/tmp, will be correct.
>
> Would you agree with this or would you prefer a new PR to come with this?
>
> Sorry for the late heads up...
>
> Renaud.
>
> On 3/18/21 12:31 PM, Renaud Métrich wrote:
>> See line. Updated patch attached.
>>
>> On 3/18/21 3:49 AM, Dmitry V. Levin wrote:
>>> diff --git a/doc/strace.1.in b/doc/strace.1.in
>>>> index 05c32d902..e310e0877 100644
>>>> --- a/doc/strace.1.in
>>>> +++ b/doc/strace.1.in
>>>> @@ -53,6 +53,7 @@ strace \- trace system calls and signals
>>>>   .OM \-P path
>>>>   .OM \-p pid
>>>>   .OP \-\-seccomp\-bpf
>>>> +.if '@USE_SELINUX_FALSE@'#' .OP \-\-secontext[=full]
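Review bot: this synopsis line only documents `[=full]`, while the cover message adds a `nocheck` modifier that can be combined with it (`--secontext=nocheck`, `--secontext=full,nocheck`); update the `.OP` entry to list both, e.g. `.OP \-\-secontext[=full[,nocheck]]` (with whatever bold/roman treatment is agreed for the bracketed part), and document `nocheck` in the option's description too, noting that contexts are then resolved in strace's own mount namespace and may not match what a tracee in another mount namespace (e.g. a PrivateTmp service) actually sees.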
>>> [=full] should not be bold, consider changing the line to
>>> .if '@USE_SELINUX_FALSE@'#' .OP \-\-secontext\fR[=\fIfull\fR]
>>
>> Actually "full" is a keyword here and not a variable, hence I think 
>> it's better to have it not underlined at all.
>>
>> [<BOLD>--secontext</BOLD>[=full]]
>>
>>>
>>> I think this should go to the end of "Output format:" section rather
>>> "Miscellaneous:".
>> OK, moved the option in the man page also.
>>>> @@ -46,6 +48,7 @@ check_e '-t and --absolute-timestamps cannot be 
>>>> provided simultaneously' -t --ti
>>>>   check_e '-t and --absolute-timestamps cannot be provided 
>>>> simultaneously' --absolute-timestamps -ttt -p $$
>>>>   check_e '-t and --absolute-timestamps cannot be provided 
>>>> simultaneously' -t --timestamps=ns -t -p $$
>>>>   check_e '-t and --absolute-timestamps cannot be provided 
>>>> simultaneously' --timestamps=ns -t --absolute-timestamps=unix -p $$
>>>> +[ -n "$compiled_with_secontext" ] && check_h "invalid --secontext 
>>>> argument: 'ss'" --secontext=ss
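Review bot: `[ -n "$compiled_with_secontext" ] && check_h ...` yields a non-zero exit status whenever the variable is empty, so on a build without SELinux support this line reads as a failed command (and would fail the script if it were its last command); the `[ -z "$compiled_with_secontext" ] || check_h ...` form exits 0 in that case and expresses the intent as a skip. Since the cover message introduces `nocheck` and `full,nocheck` as accepted values, consider adding checks alongside this one that those spellings are accepted and that an unknown word combined with a valid one is still rejected.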
>>> We prefer writing it this way:
>>>
>>> [ -z "$compiled_with_secontext" ] ||
>>>     check_h "invalid --secontext argument: 'ss'" --secontext=ss
>> OK, that's what I had written intially, then thought some people 
>> don't like that.
>
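The mount-namespace check discussed above and the parsing of the --secontext modifiers, as an added Python illustration (not strace's code): it compares the tracee's and tracer's /proc/<pid>/ns/mnt links and, with "nocheck", skips that comparison and reads the file's security.selinux attribute from the tracer's view of the path. The modifier names come from the thread; "full" showing the whole context versus the type field only is an assumption about strace's default.

```python
import os

# Modifier keywords from the thread; "full" shows the whole context,
# otherwise only its type field (assumed to mirror strace's behaviour).
SECONTEXT_MODIFIERS = {"full", "nocheck"}


def parse_secontext_arg(arg: str) -> set:
    """Parse the value given to --secontext=... ("" for a bare --secontext).

    Unknown words are rejected with the message the quoted test looks for."""
    mods = set()
    for word in filter(None, arg.split(",")):
        if word not in SECONTEXT_MODIFIERS:
            raise ValueError(f"invalid --secontext argument: '{arg}'")
        mods.add(word)
    return mods


def same_mount_namespace(pid: int) -> bool:
    """True if `pid` shares the tracer's mount namespace.

    /proc/<pid>/ns/mnt is a symlink to "mnt:[<inode>]"; equal targets mean
    paths resolve identically for both processes. Unreadable (process gone,
    no /proc) counts as "different", the conservative answer."""
    try:
        return os.readlink(f"/proc/{pid}/ns/mnt") == os.readlink("/proc/self/ns/mnt")
    except OSError:
        return False


def file_secontext(pid: int, path: str, mods: set):
    """SELinux context of `path` as the tracer sees it, or None.

    Without "nocheck" the lookup is refused when the tracee is in another
    mount namespace (the limitation PrivateTmp services hit). With "nocheck"
    the path is resolved in the tracer's namespace anyway, so the result can
    describe a different file than the one the tracee opened (e.g. /var/tmp)."""
    if "nocheck" not in mods and not same_mount_namespace(pid):
        return None
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # missing path, no label, or non-Linux
        return None
    ctx = raw.rstrip(b"\0").decode()
    if "full" in mods:
        return ctx
    fields = ctx.split(":")
    return fields[2] if len(fields) >= 3 else ctx
```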
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Implement-secontext-nocheck-modifier.patch
Type: text/x-patch
Size: 21326 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20210318/df22ceae/attachment.bin>