Implement --secontext[=full] option to display SELinux contextsldv/secontext

This is very useful when debugging SELinux issues, in particular, when a process runs in an unexpected context or didn't transition properly, or typically when a file being opened does not have the proper context. When --secontext=full is specified, strace will print the complete context (user, role, type and category) instead of just the type which is printed for --secontext option, as shown in the examples below: Without any "--secontext" options: ----------------------------------------------------------------------- 118104 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416> 119820 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> <0.000399> ----------------------------------------------------------------------- With "--secontext=full" option: ----------------------------------------------------------------------- 118104 [system_u:system_r:sshd_t:s0-s0:c0.c1023] 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416> 119820 [system_u:system_r:sshd_t:s0-s0:c0.c1023] 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys" [system_u:object_r:nfs_t:s0], O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> [system_u:object_r:nfs_t:s0] <0.000399> ----------------------------------------------------------------------- With "--secontext" option: ----------------------------------------------------------------------- 118104 [sshd_t] 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416> 119820 [sshd_t] 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys" [nfs_t], O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> [nfs_t] <0.000399> ----------------------------------------------------------------------- To implement this, a new "--with-libselinux" configure option has been introduced. It defaults to "check", which means automatic support on SELinux aware systems. Co-authored-by: Dmitry V. Levin <ldv@strace.io>
author: Renaud Métrich <rmetrich@redhat.com> 2020-01-29 15:22:47 +0100
committer: Dmitry V. Levin <ldv@strace.io> 2021-04-04 12:04:24 +0000
commit: e921913eecd5025dae688fdf9c365023fe3b8a0c (patch)
tree: b0ba2a6ba4ef974badff858496d0df13474de545 /tests/fchmodat.c
parent: b19eaf8aa02f95b7e0e395d74e0c6af0600b5fac (diff)
download: strace-e921913eecd5025dae688fdf9c365023fe3b8a0c.tar.gz
1 files changed, 62 insertions, 5 deletions
diff --git a/tests/fchmodat.c b/tests/fchmodat.c
index 37dc6b563..2c69f4624 100644
--- a/tests/fchmodat.c
+++ b/tests/fchmodat.c
@@ -17,6 +17,8 @@
 # include <stdio.h>
 # include <unistd.h>
 
+# include "secontext.h"
+
 int
 main(void)
 {
@@ -26,26 +28,81 @@ main(void)
 	 */
 	create_and_enter_subdir("fchmodat_subdir");
 
-	static const char sample[] = "fchmodat_sample";
+	char *my_secontext = SECONTEXT_PID_MY();
 
+	static const char sample[] = "fchmodat_sample_file";
 	if (open(sample, O_RDONLY | O_CREAT, 0400) < 0)
 		perror_msg_and_fail("open");
 
+	char *sample_secontext = SECONTEXT_FILE(sample);
+
+	/*
+	 * Tests with AT_FDCWD.
+	 */
+
 	long rc = syscall(__NR_fchmodat, -100, sample, 0600);
-	printf("fchmodat(AT_FDCWD, \"%s\", 0600) = %s\n",
-	       sample, sprintrc(rc));
+	printf("%s%s(AT_FDCWD, \"%s\"%s, 0600) = %s\n",
+	       my_secontext, "fchmodat",
+	       sample, sample_secontext,
+	       sprintrc(rc));
 
 	if (unlink(sample))
 		perror_msg_and_fail("unlink");
 
 	rc = syscall(__NR_fchmodat, -100, sample, 051);
-	printf("fchmodat(AT_FDCWD, \"%s\", 051) = %s\n",
+	printf("%s%s(AT_FDCWD, \"%s\", 051) = %s\n",
+	       my_secontext, "fchmodat",
 	       sample, sprintrc(rc));
 
 	rc = syscall(__NR_fchmodat, -100, sample, 004);
-	printf("fchmodat(AT_FDCWD, \"%s\", 004) = %s\n",
+	printf("%s%s(AT_FDCWD, \"%s\", 004) = %s\n",
+	       my_secontext, "fchmodat",
 	       sample, sprintrc(rc));
 
+	/*
+	 * Tests with dirfd.
+	 */
+
+	int cwd_fd = get_dir_fd(".");
+	char *cwd = get_fd_path(cwd_fd);
+	char *cwd_secontext = SECONTEXT_FILE(".");
+	char *sample_realpath = xasprintf("%s/%s", cwd, sample);
+
+	/* no file */
+	rc = syscall(__NR_fchmodat, cwd_fd, sample, 0400);
+	printf("%s%s(%d%s, \"%s\", 0400) = %s\n",
+	       my_secontext, "fchmodat",
+	       cwd_fd, cwd_secontext,
+	       sample,
+	       sprintrc(rc));
+
+	if (open(sample, O_RDONLY | O_CREAT, 0400) < 0)
+		perror_msg_and_fail("open");
+
+	rc = syscall(__NR_fchmodat, cwd_fd, sample, 0400);
+	printf("%s%s(%d%s, \"%s\"%s, 0400) = %s\n",
+	       my_secontext, "fchmodat",
+	       cwd_fd, cwd_secontext,
+	       sample, sample_secontext,
+	       sprintrc(rc));
+
+	/* cwd_fd ignored when path is absolute */
+	if (chdir("../.."))
+		perror_msg_and_fail("chdir");
+
+	rc = syscall(__NR_fchmodat, cwd_fd, sample_realpath, 0400);
+	printf("%s%s(%d%s, \"%s\"%s, 0400) = %s\n",
+	       my_secontext, "fchmodat",
+	       cwd_fd, cwd_secontext,
+	       sample_realpath, sample_secontext,
+	       sprintrc(rc));
+
+	if (fchdir(cwd_fd))
+		perror_msg_and_fail("fchdir");
+
+	if (unlink(sample))
+		perror_msg_and_fail("unlink");
+
 	leave_and_remove_subdir();
 
 	puts("+++ exited with 0 +++");
author	Renaud Métrich <rmetrich@redhat.com>	2020-01-29 15:22:47 +0100
committer	Dmitry V. Levin <ldv@strace.io>	2021-04-04 12:04:24 +0000
commit	e921913eecd5025dae688fdf9c365023fe3b8a0c (patch)
tree	b0ba2a6ba4ef974badff858496d0df13474de545 /tests/fchmodat.c
parent	b19eaf8aa02f95b7e0e395d74e0c6af0600b5fac (diff)
download	strace-e921913eecd5025dae688fdf9c365023fe3b8a0c.tar.gz