diff options
author | Renaud Métrich <rmetrich@redhat.com> | 2020-01-29 15:22:47 +0100 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2021-04-04 12:04:24 +0000 |
commit | e921913eecd5025dae688fdf9c365023fe3b8a0c (patch) | |
tree | b0ba2a6ba4ef974badff858496d0df13474de545 /tests/openat.c | |
parent | b19eaf8aa02f95b7e0e395d74e0c6af0600b5fac (diff) | |
download | strace-ldv/secontext.tar.gz |
Implement --secontext[=full] option to display SELinux contextsldv/secontext
This is very useful when debugging SELinux issues, in particular, when
a process runs in an unexpected context or didn't transition properly,
or typically when a file being opened does not have the proper context.
When --secontext=full is specified, strace will print the complete
context (user, role, type and category) instead of just the type which
is printed for --secontext option, as shown in the examples below:
Without any "--secontext" options:
-----------------------------------------------------------------------
118104 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416>
119820 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> <0.000399>
-----------------------------------------------------------------------
With "--secontext=full" option:
-----------------------------------------------------------------------
118104 [system_u:system_r:sshd_t:s0-s0:c0.c1023] 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416>
119820 [system_u:system_r:sshd_t:s0-s0:c0.c1023] 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys" [system_u:object_r:nfs_t:s0], O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> [system_u:object_r:nfs_t:s0] <0.000399>
-----------------------------------------------------------------------
With "--secontext" option:
-----------------------------------------------------------------------
118104 [sshd_t] 16:52:11.141122 select(9, [4<TCP:[0.0.0.0:22]> 6<TCPv6:[[::]:22]>], NULL, NULL, NULL) = 1 (in [4]) <1.845416>
119820 [sshd_t] 16:52:13.133319 openat(AT_FDCWD, "/home/rmetrich/.ssh/authorized_keys" [nfs_t], O_RDONLY|O_NONBLOCK) = 11</home/rmetrich/.ssh/authorized_keys> [nfs_t] <0.000399>
-----------------------------------------------------------------------
To implement this, a new "--with-libselinux" configure option has been
introduced. It defaults to "check", which means automatic support on
SELinux aware systems.
Co-authored-by: Dmitry V. Levin <ldv@strace.io>
Diffstat (limited to 'tests/openat.c')
-rw-r--r-- | tests/openat.c | 91 |
1 files changed, 74 insertions, 17 deletions
diff --git a/tests/openat.c b/tests/openat.c index 0c4bb3d10..b43055d3c 100644 --- a/tests/openat.c +++ b/tests/openat.c @@ -15,6 +15,8 @@ # include <stdio.h> # include <unistd.h> +# include "secontext.h" + # ifdef O_TMPFILE /* The kernel & C libraries often inline O_DIRECTORY. */ # define STRACE_O_TMPFILE (O_TMPFILE & ~O_DIRECTORY) @@ -26,10 +28,12 @@ static const char sample[] = "openat.sample"; static void test_mode_flag(unsigned int mode_val, const char *mode_str, - unsigned int flag_val, const char *flag_str) + unsigned int flag_val, const char *flag_str, + const char *my_secontext) { long rc = syscall(__NR_openat, -1, sample, mode_val | flag_val, 0); - printf("openat(-1, \"%s\", %s%s%s%s) = %s\n", + printf("%s%s(-1, \"%s\", %s%s%s%s) = %s\n", + my_secontext, "openat", sample, mode_str, flag_val ? "|" : "", flag_str, flag_val & (O_CREAT | STRACE_O_TMPFILE) ? ", 000" : "", @@ -45,20 +49,7 @@ main(void) */ create_and_enter_subdir("openat_subdir"); - long fd = syscall(__NR_openat, -100, sample, O_RDONLY|O_CREAT, 0400); - printf("openat(AT_FDCWD, \"%s\", O_RDONLY|O_CREAT, 0400) = %s\n", - sample, sprintrc(fd)); - - if (fd != -1) { - close(fd); - if (unlink(sample) == -1) - perror_msg_and_fail("unlink"); - - fd = syscall(__NR_openat, -100, sample, O_RDONLY); - printf("openat(AT_FDCWD, \"%s\", O_RDONLY) = %s\n", - sample, sprintrc(fd)); - } - + char *my_secontext = SECONTEXT_PID_MY(); struct { unsigned int val; const char *str; @@ -105,7 +96,73 @@ main(void) for (unsigned int m = 0; m < ARRAY_SIZE(modes); ++m) for (unsigned int f = 0; f < ARRAY_SIZE(flags); ++f) test_mode_flag(modes[m].val, modes[m].str, - flags[f].val, flags[f].str); + flags[f].val, flags[f].str, + my_secontext); + + /* + * Tests with AT_FDCWD. + */ + + (void) unlink(sample); + long fd = syscall(__NR_openat, -100, sample, O_RDONLY|O_CREAT, 0400); + + char *sample_secontext = SECONTEXT_FILE(sample); + + /* + * File context in openat() is not displayed because file doesn't exist + * yet, but is displayed in return value since the file got created. + */ + printf("%s%s(AT_FDCWD, \"%s\", O_RDONLY|O_CREAT, 0400) = %s%s\n", + my_secontext, "openat", + sample, + sprintrc(fd), sample_secontext); + + close(fd); + + fd = syscall(__NR_openat, -100, sample, O_RDONLY); + printf("%s%s(AT_FDCWD, \"%s\"%s, O_RDONLY) = %s%s\n", + my_secontext, "openat", + sample, sample_secontext, + sprintrc(fd), sample_secontext); + if (fd != -1) { + close(fd); + if (unlink(sample)) + perror_msg_and_fail("unlink"); + } + + /* + * Tests with dirfd. + */ + + int cwd_fd = get_dir_fd("."); + char *cwd_secontext = SECONTEXT_FILE("."); + + fd = syscall(__NR_openat, cwd_fd, sample, O_RDONLY|O_CREAT, 0400); + if (fd == -1) + perror_msg_and_fail("openat"); + close(fd); + + /* + * File context in openat() is not displayed because file doesn't exist + * yet, but is displayed in return value since the file got created. + */ + printf("%s%s(%d%s, \"%s\", O_RDONLY|O_CREAT, 0400) = %s%s\n", + my_secontext, "openat", + cwd_fd, cwd_secontext, + sample, + sprintrc(fd), sample_secontext); + + fd = syscall(__NR_openat, cwd_fd, sample, O_RDONLY); + printf("%s%s(%d%s, \"%s\"%s, O_RDONLY) = %s%s\n", + my_secontext, "openat", + cwd_fd, cwd_secontext, + sample, sample_secontext, + sprintrc(fd), sample_secontext); + if (fd != -1) { + close(fd); + if (unlink(sample)) + perror_msg_and_fail("unlink"); + } leave_and_remove_subdir(); |