From FEDORA_PATCHES Mon Sep 17 00:00:00 2001

From: Fedora GDB patches <invalid@email.com>

Date: Fri, 27 Oct 2017 21:07:50 +0200

Subject: gdb-attach-fail-reasons-5of5.patch

;; Print reasons for failed attach/spawn incl. SELinux deny_ptrace (BZ 786878).

;;=push+jan

http://sourceware.org/ml/gdb-patches/2012-03/msg00171.html

Hi,

and here is the last bit for new SELinux 'deny_ptrace':

	https://bugzilla.redhat.com/show_bug.cgi?id=786878

As even PTRACE_TRACEME fails in such case it needs to install hook for even

that event.

Thanks,

Jan

gdb/

2012-03-06  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* common/linux-ptrace.c [HAVE_SELINUX_SELINUX_H]: include

	selinux/selinux.h.

	(linux_ptrace_attach_warnings): Call linux_ptrace_create_warnings.

	(linux_ptrace_create_warnings): New.

	* common/linux-ptrace.h (linux_ptrace_create_warnings): New declaration.

	* config.in: Regenerate.

	* configure: Regenerate.

	* configure.ac: Check selinux/selinux.h and the selinux library.

	* inf-ptrace.c (inf_ptrace_me): Check the ptrace result.

	* linux-nat.c (linux_nat_create_inferior): New variable ex.  Wrap

	to_create_inferior into TRY_CATCH, call linux_ptrace_create_warnings.

gdb/gdbserver/

	* config.in: Regenerate.

	* configure: Regenerate.

	* configure.ac: Check selinux/selinux.h and the selinux library.

	* linux-low.c (linux_traceme): New function.

	(linux_create_inferior, linux_tracefork_child): Call it instead of

	direct ptrace.

diff --git a/gdb/config.in b/gdb/config.in

--- a/gdb/config.in

+++ b/gdb/config.in

@@ -253,6 +253,9 @@

 /* Define if librpm library is being used. */

 #undef HAVE_LIBRPM

+/* Define to 1 if you have the `selinux' library (-lselinux). */

+#undef HAVE_LIBSELINUX

+

 /* Define to 1 if you have the <libunwind-ia64.h> header file. */

 #undef HAVE_LIBUNWIND_IA64_H

@@ -388,6 +391,9 @@

 /* Define to 1 if you have the `scm_new_smob' function. */

 #undef HAVE_SCM_NEW_SMOB

+/* Define to 1 if you have the <selinux/selinux.h> header file. */

+#undef HAVE_SELINUX_SELINUX_H

+

 /* Define to 1 if you have the `setlocale' function. */

 #undef HAVE_SETLOCALE

diff --git a/gdb/configure b/gdb/configure

--- a/gdb/configure

+++ b/gdb/configure

@@ -16861,6 +16861,64 @@ cat >>confdefs.h <<_ACEOF

 _ACEOF

+for ac_header in selinux/selinux.h

+do :

+  ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"

+if test "x$ac_cv_header_selinux_selinux_h" = x""yes; then :

+  cat >>confdefs.h <<_ACEOF

+#define HAVE_SELINUX_SELINUX_H 1

+_ACEOF

+

+fi

+

+done

+

+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_get_boolean_active in -lselinux" >&5

+$as_echo_n "checking for security_get_boolean_active in -lselinux... " >&6; }

+if test "${ac_cv_lib_selinux_security_get_boolean_active+set}" = set; then :

+  $as_echo_n "(cached) " >&6

+else

+  ac_check_lib_save_LIBS=$LIBS

+LIBS="-lselinux  $LIBS"

+cat confdefs.h - <<_ACEOF >conftest.$ac_ext

+/* end confdefs.h.  */

+

+/* Override any GCC internal prototype to avoid an error.

+   Use char because int might match the return type of a GCC

+   builtin and then its argument prototype would still apply.  */

+#ifdef __cplusplus

+extern "C"

+#endif

+char security_get_boolean_active ();

+int

+main ()

+{

+return security_get_boolean_active ();

+  ;

+  return 0;

+}

+_ACEOF

+if ac_fn_c_try_link "$LINENO"; then :

+  ac_cv_lib_selinux_security_get_boolean_active=yes

+else

+  ac_cv_lib_selinux_security_get_boolean_active=no

+fi

+rm -f core conftest.err conftest.$ac_objext \

+    conftest$ac_exeext conftest.$ac_ext

+LIBS=$ac_check_lib_save_LIBS

+fi

+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_security_get_boolean_active" >&5

+$as_echo "$ac_cv_lib_selinux_security_get_boolean_active" >&6; }

+if test "x$ac_cv_lib_selinux_security_get_boolean_active" = x""yes; then :

+  cat >>confdefs.h <<_ACEOF

+#define HAVE_LIBSELINUX 1

+_ACEOF

+

+  LIBS="-lselinux $LIBS"

+

+fi

+

+

 # Support for --with-sysroot is a copy of GDB_AC_WITH_DIR,

 # except that the argument to --with-sysroot is optional.

diff --git a/gdb/configure.ac b/gdb/configure.ac

--- a/gdb/configure.ac

+++ b/gdb/configure.ac

@@ -1900,6 +1900,10 @@ case $host_os in

 esac

 AC_DEFINE_UNQUOTED(GDBINIT,"$gdbinit",[The .gdbinit filename.])

+dnl Check security_get_boolean_active availability.

+AC_CHECK_HEADERS(selinux/selinux.h)

+AC_CHECK_LIB(selinux, security_get_boolean_active)

+

 dnl Handle optional features that can be enabled.

 # Support for --with-sysroot is a copy of GDB_AC_WITH_DIR,

diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c

--- a/gdb/linux-nat.c

+++ b/gdb/linux-nat.c

@@ -1103,7 +1103,16 @@ linux_nat_target::create_inferior (const char *exec_file,

   /* Make sure we report all signals during startup.  */

   pass_signals ({});

-  inf_ptrace_target::create_inferior (exec_file, allargs, env, from_tty);

+  try

+    {

+      inf_ptrace_target::create_inferior (exec_file, allargs, env, from_tty);

+    }

+  catch (const gdb_exception_error &ex)

+    {

+      std::string result =  linux_ptrace_create_warnings ();

+

+      throw_error (ex.error, "%s%s", result.c_str (), ex.message->c_str ());

+    }

 }

 /* Callback for linux_proc_attach_tgid_threads.  Attach to PTID if not

diff --git a/gdb/nat/linux-ptrace.c b/gdb/nat/linux-ptrace.c

--- a/gdb/nat/linux-ptrace.c

+++ b/gdb/nat/linux-ptrace.c

@@ -25,6 +25,10 @@

 #include <sys/procfs.h>

 #endif

+#ifdef HAVE_SELINUX_SELINUX_H

+# include <selinux/selinux.h>

+#endif /* HAVE_SELINUX_SELINUX_H */

+

 /* Stores the ptrace options supported by the running kernel.

    A value of -1 means we did not check for features yet.  A value

    of 0 means there are no supported features.  */

@@ -50,6 +54,8 @@ linux_ptrace_attach_fail_reason (pid_t pid)

 		      "terminated"),

 		    (int) pid);

+  result += linux_ptrace_create_warnings ();

+

   return result;

 }

@@ -586,6 +592,25 @@ linux_ptrace_init_warnings (void)

   linux_ptrace_test_ret_to_nx ();

 }

+/* Print all possible reasons we could fail to create a traced process.  */

+

+std::string

+linux_ptrace_create_warnings ()

+{

+  std::string result;

+

+#ifdef HAVE_LIBSELINUX

+  /* -1 is returned for errors, 0 if it has no effect, 1 if PTRACE_ATTACH is

+     forbidden.  */

+  if (security_get_boolean_active ("deny_ptrace") == 1)

+    string_appendf (result,

+		    _("the SELinux boolean 'deny_ptrace' is enabled, "

+		      "you can disable this process attach protection by: "

+		      "(gdb) shell sudo setsebool deny_ptrace=0\n"));

+#endif /* HAVE_LIBSELINUX */

+  return result;

+}

+

 /* Extract extended ptrace event from wait status.  */

 int

diff --git a/gdb/nat/linux-ptrace.h b/gdb/nat/linux-ptrace.h

--- a/gdb/nat/linux-ptrace.h

+++ b/gdb/nat/linux-ptrace.h

@@ -184,6 +184,7 @@ extern std::string linux_ptrace_attach_fail_reason (pid_t pid);

 extern std::string linux_ptrace_attach_fail_reason_string (ptid_t ptid, int err);

 extern void linux_ptrace_init_warnings (void);

+extern std::string linux_ptrace_create_warnings ();

 extern void linux_check_ptrace_features (void);

 extern void linux_enable_event_reporting (pid_t pid, int attached);

 extern void linux_disable_event_reporting (pid_t pid);

diff --git a/gdbserver/config.in b/gdbserver/config.in

--- a/gdbserver/config.in

+++ b/gdbserver/config.in

@@ -143,6 +143,9 @@

 /* Define if you have the ipt library. */

 #undef HAVE_LIBIPT

+/* Define to 1 if you have the `selinux' library (-lselinux). */

+#undef HAVE_LIBSELINUX

+

 /* Define if the target supports branch tracing. */

 #undef HAVE_LINUX_BTRACE

@@ -249,6 +252,9 @@

 /* Define to 1 if you have the `sbrk' function. */

 #undef HAVE_SBRK

+/* Define to 1 if you have the <selinux/selinux.h> header file. */

+#undef HAVE_SELINUX_SELINUX_H

+

 /* Define to 1 if you have the `setns' function. */

 #undef HAVE_SETNS

diff --git a/gdbserver/configure b/gdbserver/configure

--- a/gdbserver/configure

+++ b/gdbserver/configure

@@ -10683,6 +10683,64 @@ if $want_ipa ; then

    fi

 fi

+for ac_header in selinux/selinux.h

+do :

+  ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"

+if test "x$ac_cv_header_selinux_selinux_h" = x""yes; then :

+  cat >>confdefs.h <<_ACEOF

+#define HAVE_SELINUX_SELINUX_H 1

+_ACEOF

+

+fi

+

+done

+

+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_get_boolean_active in -lselinux" >&5

+$as_echo_n "checking for security_get_boolean_active in -lselinux... " >&6; }

+if test "${ac_cv_lib_selinux_security_get_boolean_active+set}" = set; then :

+  $as_echo_n "(cached) " >&6

+else

+  ac_check_lib_save_LIBS=$LIBS

+LIBS="-lselinux  $LIBS"

+cat confdefs.h - <<_ACEOF >conftest.$ac_ext

+/* end confdefs.h.  */

+

+/* Override any GCC internal prototype to avoid an error.

+   Use char because int might match the return type of a GCC

+   builtin and then its argument prototype would still apply.  */

+#ifdef __cplusplus

+extern "C"

+#endif

+char security_get_boolean_active ();

+int

+main ()

+{

+return security_get_boolean_active ();

+  ;

+  return 0;

+}

+_ACEOF

+if ac_fn_c_try_link "$LINENO"; then :

+  ac_cv_lib_selinux_security_get_boolean_active=yes

+else

+  ac_cv_lib_selinux_security_get_boolean_active=no

+fi

+rm -f core conftest.err conftest.$ac_objext \

+    conftest$ac_exeext conftest.$ac_ext

+LIBS=$ac_check_lib_save_LIBS

+fi

+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_security_get_boolean_active" >&5

+$as_echo "$ac_cv_lib_selinux_security_get_boolean_active" >&6; }

+if test "x$ac_cv_lib_selinux_security_get_boolean_active" = x""yes; then :

+  cat >>confdefs.h <<_ACEOF

+#define HAVE_LIBSELINUX 1

+_ACEOF

+

+  LIBS="-lselinux $LIBS"

+

+fi

+

+

diff --git a/gdbserver/configure.ac b/gdbserver/configure.ac

--- a/gdbserver/configure.ac

+++ b/gdbserver/configure.ac

@@ -401,6 +401,10 @@ if $want_ipa ; then

    fi

 fi

+dnl Check security_get_boolean_active availability.

+AC_CHECK_HEADERS(selinux/selinux.h)

+AC_CHECK_LIB(selinux, security_get_boolean_active)

+

 AC_SUBST(GDBSERVER_DEPFILES)

 AC_SUBST(GDBSERVER_LIBS)

 AC_SUBST(srv_xmlbuiltin)

diff --git a/gdbserver/linux-low.cc b/gdbserver/linux-low.cc

--- a/gdbserver/linux-low.cc

+++ b/gdbserver/linux-low.cc

@@ -932,7 +932,16 @@ linux_ptrace_fun ()

 {

   if (ptrace (PTRACE_TRACEME, 0, (PTRACE_TYPE_ARG3) 0,

 	      (PTRACE_TYPE_ARG4) 0) < 0)

-    trace_start_error_with_name ("ptrace");

+    {

+      int save_errno = errno;

+

+      std::string msg (linux_ptrace_create_warnings ());

+

+      msg += _("Cannot trace created process");

+

+      errno = save_errno;

+      trace_start_error_with_name (msg.c_str ());

+    }

   if (setpgid (0, 0) < 0)

     trace_start_error_with_name ("setpgid");