Diffstat (limited to 'src/strace.c')
-rw-r--r--src/strace.c53
1 files changed, 52 insertions, 1 deletions
diff --git a/src/strace.c b/src/strace.c
index 950db7af1..61a598cb1 100644
--- a/src/strace.c
+++ b/src/strace.c
@@ -40,6 +40,7 @@
#include "xstring.h"
#include "delay.h"
#include "wait.h"
+#include "secontext.h"
/* In some libc, these aren't declared. Do it ourself: */
extern char **environ;
@@ -240,6 +241,9 @@ print_version(void)
" no-mx32-mpers"
# endif
#endif /* SUPPORTED_PERSONALITIES > 2 */
+#ifdef ENABLE_SECONTEXT
+ " secontext"
+#endif
"";
printf("%s -- version %s\n"
@@ -259,11 +263,17 @@ usage(void)
#else
# define K_OPT ""
#endif
+#ifdef ENABLE_SECONTEXT
+# define SECONTEXT_OPT "[--secontext[=full]]\n"
+#else
+# define SECONTEXT_OPT ""
+#endif
printf("\
Usage: strace [-ACdffhi" K_OPT "qqrtttTvVwxxyyzZ] [-I N] [-b execve] [-e EXPR]...\n\
[-a COLUMN] [-o FILE] [-s STRSIZE] [-X FORMAT] [-O OVERHEAD]\n\
- [-S SORTBY] [-P PATH]... [-p PID]... [-U COLUMNS] [--seccomp-bpf]\n\
+ [-S SORTBY] [-P PATH]... [-p PID]... [-U COLUMNS] [--seccomp-bpf]\n"\
+ SECONTEXT_OPT "\
{ -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }\n\
or: strace -c[dfwzZ] [-I N] [-b execve] [-e EXPR]... [-O OVERHEAD]\n\
[-S SORTBY] [-P PATH]... [-p PID]... [-U COLUMNS] [--seccomp-bpf]\n\
@@ -404,6 +414,14 @@ Output format:\n\
-yy, --decode-fds=all\n\
print all available information associated with file\n\
descriptors in addition to paths\n\
+"
+#ifdef ENABLE_SECONTEXT
+"\
+ --secontext[=full]\n\
+ print SELinux contexts (type only unless 'full' is specified)\n\
+"
+#endif
+"\
\n\
Statistics:\n\
-c, --summary-only\n\
@@ -783,6 +801,14 @@ printleader(struct tcb *tcp)
else if (nprocs > 1 && !outfname)
tprintf("[pid %5u] ", tcp->pid);
+#ifdef ENABLE_SECONTEXT
+ char *context;
+ if (!selinux_getpidcon(tcp, &context)) {
+ tprintf("[%s] ", context);
+ free(context);
+ }
+#endif
+
if (tflag_format) {
struct timespec ts;
clock_gettime(CLOCK_REALTIME, &ts);
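Review bot: `context` is declared without an initializer in the added block, so the `tprintf("[%s] ", context)` and `free(context)` calls are safe only if selinux_getpidcon() always sets the pointer when it returns 0; neither that contract nor the ownership of the buffer is visible in this hunk. I would write `char *context = NULL;` and put a comment above the call along the lines of `/* returns 0 and a heap-allocated label on success; caller frees */`, after confirming it against secontext.c. The block also does not test `selinux_context` itself, so unless the callee gates on that flag the label would be looked up and printed on every output line of an ENABLE_SECONTEXT build even without `--secontext`. printleader's body starts and ends outside the hunk.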
@@ -897,6 +923,9 @@ alloctcb(int pid)
#if SUPPORTED_PERSONALITIES > 1
tcp->currpers = current_personality;
#endif
+#ifdef ENABLE_SECONTEXT
+ tcp->last_dirfd = AT_FDCWD;
+#endif
nprocs++;
debug_msg("new tcb for pid %d, active tcbs:%d",
tcp->pid, nprocs);
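Review bot: The added `tcp->last_dirfd = AT_FDCWD;` has no comment explaining why the field needs an explicit start value. If the tcb is zero-filled on allocation, the field would otherwise read as descriptor 0, which is a valid fd and not a "none" marker. A one-line comment such as `/* no dirfd recorded yet: resolve relative paths against the tracee's cwd */` would make that clear, assuming that is how secontext.c uses the field. alloctcb's body starts and ends outside the hunk.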
@@ -2037,6 +2066,9 @@ init(int argc, char *argv[])
GETOPT_OUTPUT_SEPARATELY,
GETOPT_TS,
GETOPT_PIDNS_TRANSLATION,
+#ifdef ENABLE_SECONTEXT
+ GETOPT_SECONTEXT,
+#endif
GETOPT_QUAL_TRACE,
GETOPT_QUAL_ABBREV,
@@ -2093,6 +2125,9 @@ init(int argc, char *argv[])
{ "failed-only", no_argument, 0, 'Z' },
{ "failing-only", no_argument, 0, 'Z' },
{ "seccomp-bpf", no_argument, 0, GETOPT_SECCOMP },
+#ifdef ENABLE_SECONTEXT
+ { "secontext", optional_argument, 0, GETOPT_SECONTEXT },
+#endif
{ "trace", required_argument, 0, GETOPT_QUAL_TRACE },
{ "abbrev", required_argument, 0, GETOPT_QUAL_ABBREV },
@@ -2321,6 +2356,17 @@ init(int argc, char *argv[])
case GETOPT_SECCOMP:
seccomp_filtering = true;
break;
+#ifdef ENABLE_SECONTEXT
+ case GETOPT_SECONTEXT:
+ selinux_context = true;
+ if (optarg) {
+ if (!strcmp(optarg, "full"))
+ selinux_context_full = true;
+ else
+ error_opt_arg(c, lopt, optarg);
+ }
+ break;
+#endif
case GETOPT_QUAL_TRACE:
qualify_trace(optarg);
break;
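Review bot: Nothing in this case, or in the other hunks of the commit, tells the user when `--secontext` is accepted but no label can be read; printleader then simply omits the bracket, so a trace taken on a host with SELinux disabled looks the same as one where the option was never given. If secontext.c does not already report this, a one-time warning next to the other post-parse checks would help, for example `if (selinux_context && is_selinux_enabled() <= 0) error_msg("--secontext: SELinux is not enabled");` using libselinux's `is_selinux_enabled()`. That matters when the labels are collected as audit evidence, because a missing field should not be read as "unlabelled". init's body starts and ends outside the hunk.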
@@ -2503,6 +2549,11 @@ init(int argc, char *argv[])
if (!number_set_array_is_empty(decode_fd_set, 0))
error_msg("-y/--decode-fds has no effect "
"with -c/--summary-only");
+#ifdef ENABLE_SECONTEXT
+ if (selinux_context)
+ error_msg("--secontext has no effect with "
+ "-c/--summary-only");
+#endif
}
if (!outfname) {