Re: RFC - Display context information using iproute2 ss utility

[Ole Kliemann <ole@plastictree.net>]

[-- Attachment #1: Type: text/plain, Size: 7565 bytes --]

On Fri, Feb 07, 2014 at 04:22:37PM +0000, Richard Haines wrote:
> I've been patching the iproute2 "ss" utility to display the SELinux
> security contexts for process and sockets, however I'm not sure
> whether the socket contexts are correct (I expected most to show
> system_u:object_r:....). 
> 
> I'm taking the socket contexts from /proc/PID/fd as was mentioned in
> a previous email regarding socket contexts - is this correct ??

I was doing it that way and it seemed to work, I could even 
change the context using 'chcon /proc/PID/fd'.

But I have no idea whether it is supposed to be a reliable way or 
any other methods exist. The whole sockfs thing kept me rather 
wondering...

> 
> I've attached the patch that is built against:
> 
> git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
> 
> Also is it possible to obtain a sockets peer context from userspace
> using the /proc/PID/fd information as it would be useful to show this.
> 
> Richard

> From 7d61b9f9e5098a594305364e1380c492eef52091 Mon Sep 17 00:00:00 2001
> From: Richard Haines <richard_c_haines@btinternet.com>
> Date: Fri, 7 Feb 2014 15:02:53 +0000
> Subject: [PATCH] ss: Add support for retrieving SELinux contexts
> 
> The SELinux contexts can be added to the output using the -Z option.
> The process and socket contexts are retrieved but for netlink sockets:
> if valid process show process context, if pid = 0 show kernel initial
> context, if unknown show "not available".
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  configure     |  16 +++++
>  man/man8/ss.8 |  19 ++++++
>  misc/Makefile |  12 ++++
>  misc/ss.c     | 209 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
>  4 files changed, 235 insertions(+), 21 deletions(-)
> 
> diff --git a/configure b/configure
> index da01c19..854837e 100755
> --- a/configure
> +++ b/configure
> @@ -231,6 +231,19 @@ EOF
>      rm -f $TMPDIR/ipsettest.c $TMPDIR/ipsettest
>  }
>  
> +check_selinux()
> +# SELinux is a compile time option in the ss utility
> +{
> +	SELINUX_LIB=$(${PKG_CONFIG} --silence-errors libselinux --libs)
> +	if [ -n "$SELINUX_LIB" ]
> +	then
> +	echo "HAVE_SELINUX:=y" >>Config
> +	echo "yes"
> +    else
> +	echo "no"
> +	fi
> +}
> +
>  echo "# Generated config based on" $INCLUDE >Config
>  check_toolchain
>  
> @@ -253,3 +266,6 @@ check_ipt_lib_dir
>  
>  echo -n "libc has setns: "
>  check_setns
> +
> +echo -n "SELinux support: "
> +check_selinux
> diff --git a/man/man8/ss.8 b/man/man8/ss.8
> index 807d9dc..2fbed36 100644
> --- a/man/man8/ss.8
> +++ b/man/man8/ss.8
> @@ -53,6 +53,22 @@ Print summary statistics. This option does not parse socket lists obtaining
>  summary from various sources. It is useful when amount of sockets is so huge
>  that parsing /proc/net/tcp is painful.
>  .TP
> +.B \-Z, \-\-context
> +Show SELinux security contexts. Both the process and socket contexts will
> +be displayed (for those with socket file descriptors). For 
> +.BR netlink (7)
> +sockets, the context displayed is as follows:
> +.RS
> +.RS
> +.IP "1." 4
> +If a valid process show pid context.
> +.IP "2." 4
> +If destination is kernel (pid = 0) show kernel initial context.
> +.IP "3." 4
> +If allocated by the kernel or netlink user show context as "not available".
> +.RE
> +.RE
> +.TP
>  .B \-b, \-\-bpf
>  Show socket BPF filters (only administrators are allowed to get these information).
>  .TP
> @@ -103,6 +119,9 @@ Please take a look at the official documentation (Debian package iproute-doc) fo
>  .B ss -t -a
>  Display all TCP sockets.
>  .TP
> +.B ss -t -a -Z
> +Display all TCP sockets with process and socket SELinux security contexts.
> +.TP
>  .B ss -u -a
>  Display all UDP sockets.
>  .TP
> diff --git a/misc/Makefile b/misc/Makefile
> index a59ff87..a946a85 100644
> --- a/misc/Makefile
> +++ b/misc/Makefile
> @@ -8,6 +8,18 @@ include ../Config
>  all: $(TARGETS)
>  
>  ss: $(SSOBJ)
> +ifeq ($(HAVE_SELINUX),y)
> +	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SSOBJ) $(LDLIBS) -lselinux
> +else
> +	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SSOBJ) $(LDLIBS)
> +endif
> +
> +ss.o: ss.c
> +ifeq ($(HAVE_SELINUX),y)
> +	$(CC) $(CFLAGS) -DHAVE_SELINUX -c $+
> +else
> +	$(CC) $(CFLAGS) -c $+
> +endif
>  
>  nstat: nstat.c
>  	$(CC) $(CFLAGS) $(LDFLAGS) -o nstat nstat.c -lm
> diff --git a/misc/ss.c b/misc/ss.c
> index 764ffe2..1e1d3fb 100644
> --- a/misc/ss.c
> +++ b/misc/ss.c
> @@ -40,6 +40,9 @@
>  #include <linux/filter.h>
>  #include <linux/packet_diag.h>
>  #include <linux/netlink_diag.h>
> +#if HAVE_SELINUX
> +#include <selinux/selinux.h>
> +#endif
>  
>  int resolve_hosts = 0;
>  int resolve_services = 1;
> @@ -50,6 +53,11 @@ int show_users = 0;
>  int show_mem = 0;
>  int show_tcpinfo = 0;
>  int show_bpf = 0;
> +#if HAVE_SELINUX
> +int show_context = 0;
> +/* If show_users & show_context only do user_ent_hash_build() once */
> +int user_ent_hash_build_init = 0;
> +#endif
>  
>  int netid_width;
>  int state_width;
> @@ -207,7 +215,11 @@ struct user_ent {
>  	unsigned int	ino;
>  	int		pid;
>  	int		fd;
> -	char		process[0];
> +	char	*process;
> +#if HAVE_SELINUX
> +	security_context_t	process_ctx;
> +	security_context_t	socket_ctx;
> +#endif
>  };
>  
>  #define USER_ENT_HASH_SIZE	256
> @@ -220,20 +232,29 @@ static int user_ent_hashfn(unsigned int ino)
>  	return val & (USER_ENT_HASH_SIZE - 1);
>  }
>  
> -static void user_ent_add(unsigned int ino, const char *process, int pid, int fd)
> +#if HAVE_SELINUX
> +static void user_ent_add(unsigned int ino, char *process,
> +							int pid, int fd,
> +							security_context_t proc_ctx,
> +							security_context_t sock_ctx)
> +#else
> +static void user_ent_add(unsigned int ino, char *process, int pid, int fd)
> +#endif
>  {
>  	struct user_ent *p, **pp;
> -	int str_len;
>  
> -	str_len = strlen(process) + 1;
> -	p = malloc(sizeof(struct user_ent) + str_len);
> +	p = malloc(sizeof(struct user_ent));
>  	if (!p)
>  		abort();
>  	p->next = NULL;
>  	p->ino = ino;
>  	p->pid = pid;
>  	p->fd = fd;
> -	strcpy(p->process, process);
> +	p->process = strdup(process);
> +#if HAVE_SELINUX
> +	p->process_ctx = strdup(proc_ctx);
> +	p->socket_ctx = strdup(sock_ctx);
> +#endif
>  
>  	pp = &user_ent_hash[user_ent_hashfn(ino)];
>  	p->next = *pp;
> @@ -247,6 +268,17 @@ static void user_ent_hash_build(void)
>  	char name[1024];
>  	int nameoff;
>  	DIR *dir;
> +#if HAVE_SELINUX
> +    security_context_t pid_context;
> +    security_context_t sock_context;
> +	security_context_t no_ctx = "not available";
> +
> +	/* If show_users & show_context only do this once */
> +	if (user_ent_hash_build_init != 0)
> +		return;
> +
> +	user_ent_hash_build_init = 1;
> +#endif
>  
>  	strcpy(name, root);
>  	if (strlen(name) == 0 || name[strlen(name)-1] != '/')
> @@ -261,19 +293,24 @@ static void user_ent_hash_build(void)
>  	while ((d = readdir(dir)) != NULL) {
>  		struct dirent *d1;
>  		char process[16];
> +		char *p;
>  		int pid, pos;
>  		DIR *dir1;
>  		char crap;
>  
>  		if (sscanf(d->d_name, "%d%c", &pid, &crap) != 1)
>  			continue;
> -
> +#if HAVE_SELINUX
> +		if (getpidcon(pid, &pid_context) != 0)
> +			pid_context = strdup(no_ctx);
> +#endif
>  		sprintf(name + nameoff, "%d/fd/", pid);
>  		pos = strlen(name);
>  		if ((dir1 = opendir(name)) == NULL)
>  			continue;
>  
>  		process[0] = '