3ce82c330b
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/gdb.git#ed8730b4d9720b8c71cb7de29ce2165f730955cc
357 lines
10 KiB
Diff
357 lines
10 KiB
Diff
From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
|
|
From: Fedora GDB patches <invalid@email.com>
|
|
Date: Fri, 27 Oct 2017 21:07:50 +0200
|
|
Subject: gdb-attach-fail-reasons-5of5.patch
|
|
|
|
;; Print reasons for failed attach/spawn incl. SELinux deny_ptrace (BZ 786878).
|
|
;;=push+jan
|
|
|
|
http://sourceware.org/ml/gdb-patches/2012-03/msg00171.html
|
|
|
|
Hi,
|
|
|
|
and here is the last bit for new SELinux 'deny_ptrace':
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=786878
|
|
|
|
As even PTRACE_TRACEME fails in such case it needs to install hook for even
|
|
that event.
|
|
|
|
Thanks,
|
|
Jan
|
|
|
|
gdb/
|
|
2012-03-06 Jan Kratochvil <jan.kratochvil@redhat.com>
|
|
|
|
* common/linux-ptrace.c [HAVE_SELINUX_SELINUX_H]: include
|
|
selinux/selinux.h.
|
|
(linux_ptrace_attach_warnings): Call linux_ptrace_create_warnings.
|
|
(linux_ptrace_create_warnings): New.
|
|
* common/linux-ptrace.h (linux_ptrace_create_warnings): New declaration.
|
|
* config.in: Regenerate.
|
|
* configure: Regenerate.
|
|
* configure.ac: Check selinux/selinux.h and the selinux library.
|
|
* inf-ptrace.c (inf_ptrace_me): Check the ptrace result.
|
|
* linux-nat.c (linux_nat_create_inferior): New variable ex. Wrap
|
|
to_create_inferior into TRY_CATCH, call linux_ptrace_create_warnings.
|
|
|
|
gdb/gdbserver/
|
|
* config.in: Regenerate.
|
|
* configure: Regenerate.
|
|
* configure.ac: Check selinux/selinux.h and the selinux library.
|
|
* linux-low.c (linux_traceme): New function.
|
|
(linux_create_inferior, linux_tracefork_child): Call it instead of
|
|
direct ptrace.
|
|
|
|
diff --git a/gdb/config.in b/gdb/config.in
|
|
--- a/gdb/config.in
|
|
+++ b/gdb/config.in
|
|
@@ -253,6 +253,9 @@
|
|
/* Define if librpm library is being used. */
|
|
#undef HAVE_LIBRPM
|
|
|
|
+/* Define to 1 if you have the `selinux' library (-lselinux). */
|
|
+#undef HAVE_LIBSELINUX
|
|
+
|
|
/* Define to 1 if you have the <libunwind-ia64.h> header file. */
|
|
#undef HAVE_LIBUNWIND_IA64_H
|
|
|
|
@@ -388,6 +391,9 @@
|
|
/* Define to 1 if you have the `scm_new_smob' function. */
|
|
#undef HAVE_SCM_NEW_SMOB
|
|
|
|
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
|
|
+#undef HAVE_SELINUX_SELINUX_H
|
|
+
|
|
/* Define to 1 if you have the `setlocale' function. */
|
|
#undef HAVE_SETLOCALE
|
|
|
|
diff --git a/gdb/configure b/gdb/configure
|
|
--- a/gdb/configure
|
|
+++ b/gdb/configure
|
|
@@ -16861,6 +16861,64 @@ cat >>confdefs.h <<_ACEOF
|
|
_ACEOF
|
|
|
|
|
|
+for ac_header in selinux/selinux.h
|
|
+do :
|
|
+ ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"
|
|
+if test "x$ac_cv_header_selinux_selinux_h" = x""yes; then :
|
|
+ cat >>confdefs.h <<_ACEOF
|
|
+#define HAVE_SELINUX_SELINUX_H 1
|
|
+_ACEOF
|
|
+
|
|
+fi
|
|
+
|
|
+done
|
|
+
|
|
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_get_boolean_active in -lselinux" >&5
|
|
+$as_echo_n "checking for security_get_boolean_active in -lselinux... " >&6; }
|
|
+if test "${ac_cv_lib_selinux_security_get_boolean_active+set}" = set; then :
|
|
+ $as_echo_n "(cached) " >&6
|
|
+else
|
|
+ ac_check_lib_save_LIBS=$LIBS
|
|
+LIBS="-lselinux $LIBS"
|
|
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
|
+/* end confdefs.h. */
|
|
+
|
|
+/* Override any GCC internal prototype to avoid an error.
|
|
+ Use char because int might match the return type of a GCC
|
|
+ builtin and then its argument prototype would still apply. */
|
|
+#ifdef __cplusplus
|
|
+extern "C"
|
|
+#endif
|
|
+char security_get_boolean_active ();
|
|
+int
|
|
+main ()
|
|
+{
|
|
+return security_get_boolean_active ();
|
|
+ ;
|
|
+ return 0;
|
|
+}
|
|
+_ACEOF
|
|
+if ac_fn_c_try_link "$LINENO"; then :
|
|
+ ac_cv_lib_selinux_security_get_boolean_active=yes
|
|
+else
|
|
+ ac_cv_lib_selinux_security_get_boolean_active=no
|
|
+fi
|
|
+rm -f core conftest.err conftest.$ac_objext \
|
|
+ conftest$ac_exeext conftest.$ac_ext
|
|
+LIBS=$ac_check_lib_save_LIBS
|
|
+fi
|
|
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_security_get_boolean_active" >&5
|
|
+$as_echo "$ac_cv_lib_selinux_security_get_boolean_active" >&6; }
|
|
+if test "x$ac_cv_lib_selinux_security_get_boolean_active" = x""yes; then :
|
|
+ cat >>confdefs.h <<_ACEOF
|
|
+#define HAVE_LIBSELINUX 1
|
|
+_ACEOF
|
|
+
|
|
+ LIBS="-lselinux $LIBS"
|
|
+
|
|
+fi
|
|
+
|
|
+
|
|
|
|
# Support for --with-sysroot is a copy of GDB_AC_WITH_DIR,
|
|
# except that the argument to --with-sysroot is optional.
|
|
diff --git a/gdb/configure.ac b/gdb/configure.ac
|
|
--- a/gdb/configure.ac
|
|
+++ b/gdb/configure.ac
|
|
@@ -1900,6 +1900,10 @@ case $host_os in
|
|
esac
|
|
AC_DEFINE_UNQUOTED(GDBINIT,"$gdbinit",[The .gdbinit filename.])
|
|
|
|
+dnl Check security_get_boolean_active availability.
|
|
+AC_CHECK_HEADERS(selinux/selinux.h)
|
|
+AC_CHECK_LIB(selinux, security_get_boolean_active)
|
|
+
|
|
dnl Handle optional features that can be enabled.
|
|
|
|
# Support for --with-sysroot is a copy of GDB_AC_WITH_DIR,
|
|
diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c
|
|
--- a/gdb/linux-nat.c
|
|
+++ b/gdb/linux-nat.c
|
|
@@ -1103,7 +1103,16 @@ linux_nat_target::create_inferior (const char *exec_file,
|
|
/* Make sure we report all signals during startup. */
|
|
pass_signals ({});
|
|
|
|
- inf_ptrace_target::create_inferior (exec_file, allargs, env, from_tty);
|
|
+ try
|
|
+ {
|
|
+ inf_ptrace_target::create_inferior (exec_file, allargs, env, from_tty);
|
|
+ }
|
|
+ catch (const gdb_exception_error &ex)
|
|
+ {
|
|
+ std::string result = linux_ptrace_create_warnings ();
|
|
+
|
|
+ throw_error (ex.error, "%s%s", result.c_str (), ex.message->c_str ());
|
|
+ }
|
|
}
|
|
|
|
/* Callback for linux_proc_attach_tgid_threads. Attach to PTID if not
|
|
diff --git a/gdb/nat/linux-ptrace.c b/gdb/nat/linux-ptrace.c
|
|
--- a/gdb/nat/linux-ptrace.c
|
|
+++ b/gdb/nat/linux-ptrace.c
|
|
@@ -25,6 +25,10 @@
|
|
#include <sys/procfs.h>
|
|
#endif
|
|
|
|
+#ifdef HAVE_SELINUX_SELINUX_H
|
|
+# include <selinux/selinux.h>
|
|
+#endif /* HAVE_SELINUX_SELINUX_H */
|
|
+
|
|
/* Stores the ptrace options supported by the running kernel.
|
|
A value of -1 means we did not check for features yet. A value
|
|
of 0 means there are no supported features. */
|
|
@@ -50,6 +54,8 @@ linux_ptrace_attach_fail_reason (pid_t pid)
|
|
"terminated"),
|
|
(int) pid);
|
|
|
|
+ result += linux_ptrace_create_warnings ();
|
|
+
|
|
return result;
|
|
}
|
|
|
|
@@ -586,6 +592,25 @@ linux_ptrace_init_warnings (void)
|
|
linux_ptrace_test_ret_to_nx ();
|
|
}
|
|
|
|
+/* Print all possible reasons we could fail to create a traced process. */
|
|
+
|
|
+std::string
|
|
+linux_ptrace_create_warnings ()
|
|
+{
|
|
+ std::string result;
|
|
+
|
|
+#ifdef HAVE_LIBSELINUX
|
|
+ /* -1 is returned for errors, 0 if it has no effect, 1 if PTRACE_ATTACH is
|
|
+ forbidden. */
|
|
+ if (security_get_boolean_active ("deny_ptrace") == 1)
|
|
+ string_appendf (result,
|
|
+ _("the SELinux boolean 'deny_ptrace' is enabled, "
|
|
+ "you can disable this process attach protection by: "
|
|
+ "(gdb) shell sudo setsebool deny_ptrace=0\n"));
|
|
+#endif /* HAVE_LIBSELINUX */
|
|
+ return result;
|
|
+}
|
|
+
|
|
/* Extract extended ptrace event from wait status. */
|
|
|
|
int
|
|
diff --git a/gdb/nat/linux-ptrace.h b/gdb/nat/linux-ptrace.h
|
|
--- a/gdb/nat/linux-ptrace.h
|
|
+++ b/gdb/nat/linux-ptrace.h
|
|
@@ -184,6 +184,7 @@ extern std::string linux_ptrace_attach_fail_reason (pid_t pid);
|
|
extern std::string linux_ptrace_attach_fail_reason_string (ptid_t ptid, int err);
|
|
|
|
extern void linux_ptrace_init_warnings (void);
|
|
+extern std::string linux_ptrace_create_warnings ();
|
|
extern void linux_check_ptrace_features (void);
|
|
extern void linux_enable_event_reporting (pid_t pid, int attached);
|
|
extern void linux_disable_event_reporting (pid_t pid);
|
|
diff --git a/gdbserver/config.in b/gdbserver/config.in
|
|
--- a/gdbserver/config.in
|
|
+++ b/gdbserver/config.in
|
|
@@ -143,6 +143,9 @@
|
|
/* Define if you have the ipt library. */
|
|
#undef HAVE_LIBIPT
|
|
|
|
+/* Define to 1 if you have the `selinux' library (-lselinux). */
|
|
+#undef HAVE_LIBSELINUX
|
|
+
|
|
/* Define if the target supports branch tracing. */
|
|
#undef HAVE_LINUX_BTRACE
|
|
|
|
@@ -249,6 +252,9 @@
|
|
/* Define to 1 if you have the `sbrk' function. */
|
|
#undef HAVE_SBRK
|
|
|
|
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
|
|
+#undef HAVE_SELINUX_SELINUX_H
|
|
+
|
|
/* Define to 1 if you have the `setns' function. */
|
|
#undef HAVE_SETNS
|
|
|
|
diff --git a/gdbserver/configure b/gdbserver/configure
|
|
--- a/gdbserver/configure
|
|
+++ b/gdbserver/configure
|
|
@@ -10683,6 +10683,64 @@ if $want_ipa ; then
|
|
fi
|
|
fi
|
|
|
|
+for ac_header in selinux/selinux.h
|
|
+do :
|
|
+ ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"
|
|
+if test "x$ac_cv_header_selinux_selinux_h" = x""yes; then :
|
|
+ cat >>confdefs.h <<_ACEOF
|
|
+#define HAVE_SELINUX_SELINUX_H 1
|
|
+_ACEOF
|
|
+
|
|
+fi
|
|
+
|
|
+done
|
|
+
|
|
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_get_boolean_active in -lselinux" >&5
|
|
+$as_echo_n "checking for security_get_boolean_active in -lselinux... " >&6; }
|
|
+if test "${ac_cv_lib_selinux_security_get_boolean_active+set}" = set; then :
|
|
+ $as_echo_n "(cached) " >&6
|
|
+else
|
|
+ ac_check_lib_save_LIBS=$LIBS
|
|
+LIBS="-lselinux $LIBS"
|
|
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
|
+/* end confdefs.h. */
|
|
+
|
|
+/* Override any GCC internal prototype to avoid an error.
|
|
+ Use char because int might match the return type of a GCC
|
|
+ builtin and then its argument prototype would still apply. */
|
|
+#ifdef __cplusplus
|
|
+extern "C"
|
|
+#endif
|
|
+char security_get_boolean_active ();
|
|
+int
|
|
+main ()
|
|
+{
|
|
+return security_get_boolean_active ();
|
|
+ ;
|
|
+ return 0;
|
|
+}
|
|
+_ACEOF
|
|
+if ac_fn_c_try_link "$LINENO"; then :
|
|
+ ac_cv_lib_selinux_security_get_boolean_active=yes
|
|
+else
|
|
+ ac_cv_lib_selinux_security_get_boolean_active=no
|
|
+fi
|
|
+rm -f core conftest.err conftest.$ac_objext \
|
|
+ conftest$ac_exeext conftest.$ac_ext
|
|
+LIBS=$ac_check_lib_save_LIBS
|
|
+fi
|
|
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_security_get_boolean_active" >&5
|
|
+$as_echo "$ac_cv_lib_selinux_security_get_boolean_active" >&6; }
|
|
+if test "x$ac_cv_lib_selinux_security_get_boolean_active" = x""yes; then :
|
|
+ cat >>confdefs.h <<_ACEOF
|
|
+#define HAVE_LIBSELINUX 1
|
|
+_ACEOF
|
|
+
|
|
+ LIBS="-lselinux $LIBS"
|
|
+
|
|
+fi
|
|
+
|
|
+
|
|
|
|
|
|
|
|
diff --git a/gdbserver/configure.ac b/gdbserver/configure.ac
|
|
--- a/gdbserver/configure.ac
|
|
+++ b/gdbserver/configure.ac
|
|
@@ -401,6 +401,10 @@ if $want_ipa ; then
|
|
fi
|
|
fi
|
|
|
|
+dnl Check security_get_boolean_active availability.
|
|
+AC_CHECK_HEADERS(selinux/selinux.h)
|
|
+AC_CHECK_LIB(selinux, security_get_boolean_active)
|
|
+
|
|
AC_SUBST(GDBSERVER_DEPFILES)
|
|
AC_SUBST(GDBSERVER_LIBS)
|
|
AC_SUBST(srv_xmlbuiltin)
|
|
diff --git a/gdbserver/linux-low.cc b/gdbserver/linux-low.cc
|
|
--- a/gdbserver/linux-low.cc
|
|
+++ b/gdbserver/linux-low.cc
|
|
@@ -932,7 +932,16 @@ linux_ptrace_fun ()
|
|
{
|
|
if (ptrace (PTRACE_TRACEME, 0, (PTRACE_TYPE_ARG3) 0,
|
|
(PTRACE_TYPE_ARG4) 0) < 0)
|
|
- trace_start_error_with_name ("ptrace");
|
|
+ {
|
|
+ int save_errno = errno;
|
|
+
|
|
+ std::string msg (linux_ptrace_create_warnings ());
|
|
+
|
|
+ msg += _("Cannot trace created process");
|
|
+
|
|
+ errno = save_errno;
|
|
+ trace_start_error_with_name (msg.c_str ());
|
|
+ }
|
|
|
|
if (setpgid (0, 0) < 0)
|
|
trace_start_error_with_name ("setpgid");
|