We already check for deny_ptrace and allow_execstack before stapdyn can
proceed, but it turns out that allow_execmod is also important for
Dyninst to attach to processes (e.g. stapdyn -x PID).
* stapdyn/dynutil.cxx (check_dyninst_sebools): If we're going to be
attaching to a process, check allow_execmod too.
* stapdyn/stapdyn.cxx (main): Indicate whether we're attaching.
// Check that SELinux settings are ok for Dyninst operation.
bool
-check_dyninst_sebools(void)
+check_dyninst_sebools(bool attach)
{
#ifdef HAVE_SELINUX
// For all these checks, we could examine errno on failure to act differently
warnx("SELinux boolean 'allow_execstack' is disabled, which blocks Dyninst");
return false;
}
+
+ // In process-attach mode, SELinux will trigger "avc: denied { execmod }"
+ // on ld.so, when the mutator is injecting the dlopen for libdyninstAPI_RT.so.
+ if (attach && security_get_boolean_active("allow_execmod") == 0)
+ {
+ warnx("SELinux boolean 'allow_execmod' is disabled, which blocks Dyninst");
+ return false;
+ }
#endif
return true;
bool check_dyninst_rt(void);
// Check that SELinux settings are ok for Dyninst operation.
-bool check_dyninst_sebools(void);
+bool check_dyninst_sebools(bool attach=false);
// Check whether a process exited cleanly
bool check_dyninst_exit(BPatch_process *process);
// Make sure that environment variables and selinux are set ok.
if (!check_dyninst_rt())
return 1;
- if (!check_dyninst_sebools())
+ if (!check_dyninst_sebools(pid != 0))
return 1;
auto_ptr<mutator> session(new mutator(module, modoptions));
git://sourceware.org / systemtap.git / commitdiff