From 56098c7902aebf5f33f117d8763125dbd51666e1 Mon Sep 17 00:00:00 2001
From: Josh Stone
Date: Wed, 19 Jun 2013 18:23:24 -0700
Subject: [PATCH] PR15656: Check allow_execmod for stapdyn attach
We already check for deny_ptrace and allow_execstack before stapdyn can proceed, but it turns out that allow_execmod is also important for Dyninst to attach to processes (e.g. stapdyn -x PID).
* stapdyn/dynutil.cxx (check_dyninst_sebools): If we're going to be attaching to a process, check allow_execmod too.
* stapdyn/stapdyn.cxx (main): Indicate whether we're attaching.
---
 stapdyn/dynutil.cxx | 10 +++++++++-
 stapdyn/dynutil.h | 2 +-
 stapdyn/stapdyn.cxx | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/stapdyn/dynutil.cxx b/stapdyn/dynutil.cxx
index 3675ec808..9af9bfd92 100644
--- a/stapdyn/dynutil.cxx
+++ b/stapdyn/dynutil.cxx
@@ -94,7 +94,7 @@ check_dyninst_rt(void)
 // Check that SELinux settings are ok for Dyninst operation.
 bool
-check_dyninst_sebools(void)
+check_dyninst_sebools(bool attach)
 {
 #ifdef HAVE_SELINUX
 // For all these checks, we could examine errno on failure to act differently
@@ -116,6 +116,14 @@ check_dyninst_sebools(void)
 warnx("SELinux boolean 'allow_execstack' is disabled, which blocks Dyninst");
 return false;
 }
+
+ // In process-attach mode, SELinux will trigger "avc: denied { execmod }"
+ // on ld.so, when the mutator is injecting the dlopen for libdyninstAPI_RT.so.
+ if (attach && security_get_boolean_active("allow_execmod") == 0)
+ {
+ warnx("SELinux boolean 'allow_execmod' is disabled, which blocks Dyninst");
+ return false;
+ }
 #endif
 return true;
diff --git a/stapdyn/dynutil.h b/stapdyn/dynutil.h
index c5eac9d46..914ddcce2 100644
--- a/stapdyn/dynutil.h
+++ b/stapdyn/dynutil.h
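Review bot: The new warning in the second hunk of stapdyn/dynutil.cxx reuses the generic wording "which blocks Dyninst", so a user who hits it cannot tell that allow_execmod is only needed on the attach path and not when stapdyn launches the target itself. Because that boolean relaxes the execmod restriction for more than stapdyn, the message should scope the requirement, e.g. `warnx("SELinux boolean 'allow_execmod' is disabled, which blocks Dyninst from attaching to a running process");`. Separately, `security_get_boolean_active()` returns -1 when the lookup fails, and `== 0` treats that as permitted; the comment at the top of the function appears to accept this for the existing checks, but it means the attach can still fail later with no diagnostic from here. The body of check_dyninst_sebools starts and ends outside this hunk.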
@@ -20,7 +20,7 @@ bool check_dyninst_rt(void);
 // Check that SELinux settings are ok for Dyninst operation.
-bool check_dyninst_sebools(void);
+bool check_dyninst_sebools(bool attach=false);
 // Check whether a process exited cleanly
 bool check_dyninst_exit(BPatch_process *process);
diff --git a/stapdyn/stapdyn.cxx b/stapdyn/stapdyn.cxx
index 8052033ac..a2c070d9f 100644
--- a/stapdyn/stapdyn.cxx
+++ b/stapdyn/stapdyn.cxx
@@ -119,7 +119,7 @@ main(int argc, char * const argv[])
 // Make sure that environment variables and selinux are set ok.
 if (!check_dyninst_rt()) return 1;
- if (!check_dyninst_sebools())
+ if (!check_dyninst_sebools(pid != 0))
 return 1;
 auto_ptr session(new mutator(module, modoptions));
--
2.43.5
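Review bot: The default `attach=false` in the stapdyn/dynutil.h declaration means any caller that omits the argument silently skips the allow_execmod check, which is the less strict behaviour. The only call site visible in this commit (`main` in stapdyn.cxx) passes `pid != 0` explicitly, so unless other callers exist outside this diff I would drop the default and declare `bool check_dyninst_sebools(bool attach);`, forcing each caller to state whether it attaches. The comment above the declaration should also describe the parameter, e.g. `// If attach is true, also require allow_execmod (needed to attach to a running process).`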