[PATCH] --secontext: Implement displaying of expected context upon mismatch
Renaud Métrich
rmetrich at redhat.com
Mon Jan 3 09:43:25 UTC 2022
Attaching new patch. See inline as well.
On 1/3/22 01:47, Dmitry V. Levin wrote:
> On Sun, Jan 02, 2022 at 08:00:04PM +0100, Renaud Métrich wrote:
> [...]
>> + /*
>> + * We need to fully resolve the path, because selabel_lookup() doesn't
>> + * resolve anything. Using realpath() is the only solution here to make
>> + * sure the path is canonicalized.
>> + */
>> +
>> + char *resolved = realpath(fname, NULL);
>> + if (!resolved)
>> + return -1;
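Review bot: The buffer returned by realpath(fname, NULL) is heap-allocated, so every return path after this point has to free(resolved); the quoted lines stop at the failure check and do not show that, so please confirm the later exits release it. On the failure branch itself, a short comment stating what the caller prints when this function bails out would make the chosen return value reviewable. As a style point, the empty added line between the comment block and `char *resolved` detaches the comment from the statement it documents.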
> Is it correct to return -1 here, that is, to avoid printing context?
> For comparison, selinux_getfdcon returns 0 when readlink fails.
Right, should be 0 since context exists but expected context cannot be
resolved.
> [...]
>> char *
>> -secontext_full_file(const char *filename)
>> +secontext_full_file(const char *filename, bool mismatch)
>> {
>> - return FORMAT_SPACE_BEFORE(raw_secontext_full_file(filename));
>> + char *context = raw_secontext_full_file(filename);
>> + if (mismatch) {
>> + char *expected = raw_expected_secontext_full_file(filename);
>> + if (expected && strcmp(context, expected) != 0) {
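Review bot: In the new `if (expected && strcmp(context, expected) != 0)` only `expected` is checked before the comparison, so if raw_secontext_full_file() returns NULL the pointer goes straight into strcmp(). Guard `context` in the same condition, or return early when it is NULL. The added `bool mismatch` parameter also changes the function's contract and deserves a one-line comment describing what the caller gets back when it is set.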
> What if context == NULL here?
>
That's wrong indeed. But I have no test case that hits this.
Fixed as
@@ -192,8 +192,8 @@ secontext_full_file(const char *filename, bool mismatch)
char *context = raw_secontext_full_file(filename);
if (mismatch) {
char *expected =
raw_expected_secontext_full_file(filename);
- if (expected && strcmp(context, expected) != 0) {
- char *context_mismatch = xasprintf("%s!!%s",
context, expected);
+ if (expected && (!context || strcmp(context, expected))) {
+ char *context_mismatch = xasprintf("%s!!%s",
context ? context : "", expected);
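Review bot: In the `xasprintf("%s!!%s", ...)` call a missing context is rendered as an empty string, so the result starts directly with `!!`; a reader of the output cannot tell "no context could be read" from an empty context, so consider a distinct placeholder or at least a comment documenting that form. Since this branch has no test case hitting it, adding one with the fix would keep the NULL path from regressing. The rewritten condition also drops the explicit `!= 0` that the removed line used for strcmp(); keeping it would match the existing style.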
Same for secontext_short_file()
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Implement-displaying-of-expected-context-upon-mismat.patch
Type: text/x-patch
Size: 37441 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20220103/c998880a/attachment.bin>