From: Josh Stone Date: Thu, 20 Jun 2013 01:23:24 +0000 (-0700) Subject: PR15656: Check allow_execmod for stapdyn attach X-Git-Tag: release-2.3~126 X-Git-Url: https://sourceware.org/git/?a=commitdiff_plain;h=56098c79;p=systemtap.git PR15656: Check allow_execmod for stapdyn attach We already check for deny_ptrace and allow_execstack before stapdyn can proceed, but it turns out that allow_execmod is also important for Dyninst to attach to processes (e.g. stapdyn -x PID). * stapdyn/dynutil.cxx (check_dyninst_sebools): If we're going to be attaching to a process, check allow_execmod too. * stapdyn/stapdyn.cxx (main): Indicate whether we're attaching.
---
diff --git a/stapdyn/dynutil.cxx b/stapdyn/dynutil.cxx
index 3675ec808..9af9bfd92 100644
--- a/stapdyn/dynutil.cxx
+++ b/stapdyn/dynutil.cxx
@@ -94,7 +94,7 @@ check_dyninst_rt(void)
 // Check that SELinux settings are ok for Dyninst operation.
 bool
-check_dyninst_sebools(void)
+check_dyninst_sebools(bool attach)
 {
 #ifdef HAVE_SELINUX
 // For all these checks, we could examine errno on failure to act differently
@@ -116,6 +116,14 @@ check_dyninst_sebools(void)
 warnx("SELinux boolean 'allow_execstack' is disabled, which blocks Dyninst");
 return false;
 }
+
+ // In process-attach mode, SELinux will trigger "avc: denied { execmod }"
+ // on ld.so, when the mutator is injecting the dlopen for libdyninstAPI_RT.so.
+ if (attach && security_get_boolean_active("allow_execmod") == 0)
+ {
+ warnx("SELinux boolean 'allow_execmod' is disabled, which blocks Dyninst");
+ return false;
+ }
 #endif
 return true;
diff --git a/stapdyn/dynutil.h b/stapdyn/dynutil.h
index c5eac9d46..914ddcce2 100644
--- a/stapdyn/dynutil.h
+++ b/stapdyn/dynutil.h
@@ -20,7 +20,7 @@ bool check_dyninst_rt(void);
 // Check that SELinux settings are ok for Dyninst operation.
-bool check_dyninst_sebools(void);
+bool check_dyninst_sebools(bool attach=false);
 // Check whether a process exited cleanly
 bool check_dyninst_exit(BPatch_process *process);
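Review bot: The new test `security_get_boolean_active("allow_execmod") == 0` treats the library's error return (-1, with errno set) the same as "boolean enabled", so a policy that does not define that boolean, or any failure to query it, silently passes the pre-flight and the user only meets the `avc: denied { execmod }` later, at attach time. This mirrors the `allow_execstack` check visible just above it, and the comment at the top of the function concedes that errno is not examined, but the attach path is exactly where a renamed or absent boolean would go unnoticed, so at least say so: `int execmod = attach ? security_get_boolean_active("allow_execmod") : 1;`, then `if (execmod < 0) warnx("unable to query SELinux boolean 'allow_execmod'; continuing");`, and keep the existing block under `if (execmod == 0)`. Because this is a usability pre-check and not the enforcement point (SELinux decides regardless of what is returned here), a query error should warn rather than hard-fail. The earlier checks of check_dyninst_sebools lie between the two hunks and are not visible here.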
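Review bot: The comment above the changed prototype still reads as if `check_dyninst_sebools` takes no arguments, so a caller cannot learn what `attach` selects without opening dynutil.cxx. Add a line under the existing comment such as `// With attach=true (stapdyn -x PID) the allow_execmod boolean is also required, since Dyninst injects code into a running process.` It is also worth stating that the `attach=false` default keeps existing call sites on the previous set of checks.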
diff --git a/stapdyn/stapdyn.cxx b/stapdyn/stapdyn.cxx
index 8052033ac..a2c070d9f 100644
--- a/stapdyn/stapdyn.cxx
+++ b/stapdyn/stapdyn.cxx
@@ -119,7 +119,7 @@ main(int argc, char * const argv[])
 // Make sure that environment variables and selinux are set ok.
 if (!check_dyninst_rt())
 return 1;
- if (!check_dyninst_sebools())
+ if (!check_dyninst_sebools(pid != 0))
 return 1;
 auto_ptr session(new mutator(module, modoptions));
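Review bot: `check_dyninst_sebools(pid != 0)` encodes the attach-mode decision as a bare comparison, and the reader has to already know that pid is presumably non-zero only when -x was given; pid's declaration and parsing, and the rest of main, are outside this hunk. A named value makes the intent explicit and gives one place to change if attach mode is ever selected differently: `const bool attaching = (pid != 0); // -x PID: Dyninst will inject into a running process` followed by `if (!check_dyninst_sebools(attaching))`. The surrounding comment "Make sure that environment variables and selinux are set ok" now covers a mode-dependent check; a few words noting that this early return exists to give a clear message up front, while SELinux enforces regardless, would stop anyone reading it as the security control itself.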