author | Renaud Métrich <rmetrich@redhat.com> | 2020-01-29 15:22:47 +0100 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2021-04-04 12:04:24 +0000 |
commit | e921913eecd5025dae688fdf9c365023fe3b8a0c (patch) | |
tree | b0ba2a6ba4ef974badff858496d0df13474de545 /tests/fchmodat.c | |
parent | b19eaf8aa02f95b7e0e395d74e0c6af0600b5fac (diff) | |
Implement --secontext[=full] option to display SELinux contexts [ldv/secontext]
This is very useful when debugging SELinux issues, in particular, when
a process runs in an unexpected context or didn't transition properly,
or typically when a file being opened does not have the proper context.
When --secontext=full is specified, strace will print the complete
context (user, role, type and category) instead of just the type which
is printed for the --secontext option, as shown in the examples below:
Without any "--secontext" options:
-----------------------------------------------------------------------
118104 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416>
119820 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> <0.000399>
-----------------------------------------------------------------------
With "--secontext=full" option:
-----------------------------------------------------------------------
118104 [system_u:system_r:sshd_t:s0-s0:c0.c1023] 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416>
119820 [system_u:system_r:sshd_t:s0-s0:c0.c1023] 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys" [system_u:object_r:nfs_t:s0], O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> [system_u:object_r:nfs_t:s0] <0.000399>
-----------------------------------------------------------------------
With "--secontext" option:
-----------------------------------------------------------------------
118104 [sshd_t] 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416>
119820 [sshd_t] 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys" [nfs_t], O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> [nfs_t] <0.000399>
-----------------------------------------------------------------------
To implement this, a new "--with-libselinux" configure option has been
introduced. It defaults to "check", which means automatic support on
SELinux aware systems.
Co-authored-by: Dmitry V. Levin <ldv@strace.io>
Diffstat (limited to 'tests/fchmodat.c')
-rw-r--r-- | tests/fchmodat.c | 67 |
1 files changed, 62 insertions, 5 deletions
diff --git a/tests/fchmodat.c b/tests/fchmodat.c
index 37dc6b563..2c69f4624 100644
--- a/tests/fchmodat.c
+++ b/tests/fchmodat.c
@@ -17,6 +17,8 @@
 # include <stdio.h>
 # include <unistd.h>
+# include "secontext.h"
+
 int
 main(void)
 {
@@ -26,26 +28,81 @@ main(void)
 	 */
 	create_and_enter_subdir("fchmodat_subdir");
-	static const char sample[] = "fchmodat_sample";
+	char *my_secontext = SECONTEXT_PID_MY();
+	static const char sample[] = "fchmodat_sample_file";
 	if (open(sample, O_RDONLY | O_CREAT, 0400) < 0)
 		perror_msg_and_fail("open");
+	char *sample_secontext = SECONTEXT_FILE(sample);
+
+	/*
+	 * Tests with AT_FDCWD.
+	 */
+
 	long rc = syscall(__NR_fchmodat, -100, sample, 0600);
-	printf("fchmodat(AT_FDCWD, \"%s\", 0600) = %s\n",
-	       sample, sprintrc(rc));
+	printf("%s%s(AT_FDCWD, \"%s\"%s, 0600) = %s\n",
+	       my_secontext, "fchmodat",
+	       sample, sample_secontext,
+	       sprintrc(rc));
 	if (unlink(sample))
 		perror_msg_and_fail("unlink");
 	rc = syscall(__NR_fchmodat, -100, sample, 051);
-	printf("fchmodat(AT_FDCWD, \"%s\", 051) = %s\n",
+	printf("%s%s(AT_FDCWD, \"%s\", 051) = %s\n",
+	       my_secontext, "fchmodat",
 	       sample, sprintrc(rc));
 	rc = syscall(__NR_fchmodat, -100, sample, 004);
-	printf("fchmodat(AT_FDCWD, \"%s\", 004) = %s\n",
+	printf("%s%s(AT_FDCWD, \"%s\", 004) = %s\n",
+	       my_secontext, "fchmodat",
 	       sample, sprintrc(rc));
+	/*
+	 * Tests with dirfd.
+	 */
+
+	int cwd_fd = get_dir_fd(".");
+	char *cwd = get_fd_path(cwd_fd);
+	char *cwd_secontext = SECONTEXT_FILE(".");
+	char *sample_realpath = xasprintf("%s/%s", cwd, sample);
+
+	/* no file */
+	rc = syscall(__NR_fchmodat, cwd_fd, sample, 0400);
+	printf("%s%s(%d%s, \"%s\", 0400) = %s\n",
+	       my_secontext, "fchmodat",
+	       cwd_fd, cwd_secontext,
+	       sample,
+	       sprintrc(rc));
+
+	if (open(sample, O_RDONLY | O_CREAT, 0400) < 0)
+		perror_msg_and_fail("open");
+
+	rc = syscall(__NR_fchmodat, cwd_fd, sample, 0400);
+	printf("%s%s(%d%s, \"%s\"%s, 0400) = %s\n",
+	       my_secontext, "fchmodat",
+	       cwd_fd, cwd_secontext,
+	       sample, sample_secontext,
+	       sprintrc(rc));
+
+	/* cwd_fd ignored when path is absolute */
+	if (chdir("../.."))
+		perror_msg_and_fail("chdir");
+
+	rc = syscall(__NR_fchmodat, cwd_fd, sample_realpath, 0400);
+	printf("%s%s(%d%s, \"%s\"%s, 0400) = %s\n",
+	       my_secontext, "fchmodat",
+	       cwd_fd, cwd_secontext,
+	       sample_realpath, sample_secontext,
+	       sprintrc(rc));
+
+	if (fchdir(cwd_fd))
+		perror_msg_and_fail("fchdir");
+
+	if (unlink(sample))
+		perror_msg_and_fail("unlink");
+
 	leave_and_remove_subdir();
 	puts("+++ exited with 0 +++");
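Review bot: Every `%s` conversion in the new printf calls is fed a pointer obtained from SECONTEXT_PID_MY() or SECONTEXT_FILE() (`my_secontext`, `sample_secontext`, `cwd_secontext`), and passing a null pointer to `%s` is undefined behaviour; secontext.h is not part of this diff, so if those helpers can return NULL (for instance when libselinux is unavailable or the context cannot be read) the test would rely on UB instead of failing cleanly. The contract is worth stating at the first use, e.g. `/* SECONTEXT_* helpers are expected to return "" rather than NULL when no context is available */`, or checking once with `if (!my_secontext || !sample_secontext || !cwd_secontext) perror_msg_and_fail("secontext");`. Separately, `sample_realpath` is built from `get_fd_path(cwd_fd)` and printed verbatim inside `\"%s\"`, so a build directory whose path contains characters that strace escapes in its own output would make the expected-output comparison fail; probably acceptable for a test, but a one-line comment noting the assumption would help the next reader. The memory behind `cwd`, `sample_realpath` and the three context strings, as well as `cwd_fd`, is never released, which is harmless here only because the process exits immediately after `leave_and_remove_subdir()`.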