The process SELinux contexts can be added to the output using the -Z option. Using the -z option will show the process and socket contexts (see the man page for details). For netlink sockets: if valid process show process context, if pid = 0 show kernel initial context, if unknown show "not available". Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> --- configure | 16 +++ man/man8/ss.8 | 34 ++++++ misc/Makefile | 12 ++ misc/ss.c | 375 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- 4 files changed, 387 insertions(+), 50 deletions(-) diff --git a/configure b/configure index da01c19..854837e 100755 --- a/configure +++ b/configure @@ -231,6 +231,19 @@ EOF rm -f $TMPDIR/ipsettest.c $TMPDIR/ipsettest } +check_selinux() +# SELinux is a compile time option in the ss utility +{ + SELINUX_LIB=$(${PKG_CONFIG} --silence-errors libselinux --libs) + if [ -n "$SELINUX_LIB" ] + then + echo "HAVE_SELINUX:=y" >>Config + echo "yes" + else + echo "no" + fi +} + echo "# Generated config based on" $INCLUDE >Config check_toolchain @@ -253,3 +266,6 @@ check_ipt_lib_dir echo -n "libc has setns: " check_setns + +echo -n "SELinux support: " +check_selinux diff --git a/man/man8/ss.8 b/man/man8/ss.8 index 807d9dc..d6e43ba 100644 --- a/man/man8/ss.8 +++ b/man/man8/ss.8 @@ -53,6 +53,37 @@ Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful. .TP +.B \-Z, \-\-context +As the +.B \-p +option but also shows process security context. +.sp +For +.BR netlink (7) +sockets the initiating process context is displayed as follows: +.RS +.RS +.IP "1." 4 +If valid pid show the process context. +.IP "2." 4 +If destination is kernel (pid = 0) show kernel initial context. +.IP "3." 4 +If a unique identifier has been allocated by the kernel or netlink user, +show context as "not available". This will generally indicate that a +process has more than one netlink socket active. +.RE +.RE +.TP +.B \-z, \-\-contexts +As the +.B \-Z +option but also shows the socket context. The socket context is +taken from the associated inode and is not the actual socket +context held by the kernel. Sockets are typically labeled with the +context of the creating process, however the context shown will reflect +any policy role, type and/or range transition rules applied, +and is therefore a useful reference. +.TP .B \-b, \-\-bpf Show socket BPF filters (only administrators are allowed to get these information). .TP @@ -103,6 +134,9 @@ Please take a look at the official documentation (Debian package iproute-doc) fo .B ss -t -a Display all TCP sockets. .TP +.B ss -t -a -Z +Display all TCP sockets with process SELinux security contexts. +.TP .B ss -u -a Display all UDP sockets. .TP diff --git a/misc/Makefile b/misc/Makefile index a59ff87..a946a85 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -8,6 +8,18 @@ include ../Config all: $(TARGETS) ss: $(SSOBJ) +ifeq ($(HAVE_SELINUX),y) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SSOBJ) $(LDLIBS) -lselinux +else + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SSOBJ) $(LDLIBS) +endif + +ss.o: ss.c +ifeq ($(HAVE_SELINUX),y) + $(CC) $(CFLAGS) -DHAVE_SELINUX -c $+ +else + $(CC) $(CFLAGS) -c $+ +endif nstat: nstat.c $(CC) $(CFLAGS) $(LDFLAGS) -o nstat nstat.c -lm diff --git a/misc/ss.c b/misc/ss.c index 764ffe2..e14c645 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -40,6 +40,9 @@ #include <linux/filter.h> #include <linux/packet_diag.h> #include <linux/netlink_diag.h> +#if HAVE_SELINUX +#include <selinux/selinux.h> +#endif int resolve_hosts = 0; int resolve_services = 1; @@ -50,6 +53,12 @@ int show_users = 0; int show_mem = 0; int show_tcpinfo = 0; int show_bpf = 0; +#if HAVE_SELINUX +int show_proc_ctx = 0; +int show_sock_ctx = 0; +/* If show_users & show_proc_ctx only do user_ent_hash_build() once */ +int user_ent_hash_build_init = 0; +#endif int netid_width; int state_width; @@ -207,7 +216,11 @@ struct user_ent { unsigned int ino; int pid; int fd; - char process[0]; + char *process; +#if HAVE_SELINUX + security_context_t process_ctx; + security_context_t socket_ctx; +#endif }; #define USER_ENT_HASH_SIZE 256 @@ -220,26 +233,58 @@ static int user_ent_hashfn(unsigned int ino) return val & (USER_ENT_HASH_SIZE - 1); } -static void user_ent_add(unsigned int ino, const char *process, int pid, int fd) +#if HAVE_SELINUX +static void user_ent_add(unsigned int ino, char *process, + int pid, int fd, + security_context_t proc_ctx, + security_context_t sock_ctx) +#else +static void user_ent_add(unsigned int ino, char *process, int pid, int fd) +#endif { struct user_ent *p, **pp; - int str_len; - str_len = strlen(process) + 1; - p = malloc(sizeof(struct user_ent) + str_len); - if (!p) + p = malloc(sizeof(struct user_ent)); + if (!p) { + fprintf(stderr, "ss: failed to malloc buffer\n"); abort(); + } p->next = NULL; p->ino = ino; p->pid = pid; p->fd = fd; - strcpy(p->process, process); + p->process = strdup(process); +#if HAVE_SELINUX + p->process_ctx = strdup(proc_ctx); + p->socket_ctx = strdup(sock_ctx); +#endif pp = &user_ent_hash[user_ent_hashfn(ino)]; p->next = *pp; *pp = p; } +static void user_ent_destroy(void) +{ + struct user_ent *p, *p_next; + int cnt = 0; + + while (cnt != USER_ENT_HASH_SIZE) { + p = user_ent_hash[cnt]; + while (p) { + free(p->process); +#if HAVE_SELINUX + freecon(p->process_ctx); + freecon(p->socket_ctx); +#endif + p_next = p->next; + free(p); + p = p_next; + } + cnt++; + } +} + static void user_ent_hash_build(void) { const char *root = getenv("PROC_ROOT") ? : "/proc/"; @@ -247,6 +292,17 @@ static void user_ent_hash_build(void) char name[1024]; int nameoff; DIR *dir; +#if HAVE_SELINUX + security_context_t pid_context; + security_context_t sock_context; + security_context_t no_ctx = "not available"; + + /* If show_users and show_proc_ctx set only do this once */ + if (user_ent_hash_build_init != 0) + return; + + user_ent_hash_build_init = 1; +#endif strcpy(name, root); if (strlen(name) == 0 || name[strlen(name)-1] != '/') @@ -261,19 +317,24 @@ static void user_ent_hash_build(void) while ((d = readdir(dir)) != NULL) { struct dirent *d1; char process[16]; + char *p; int pid, pos; DIR *dir1; char crap; if (sscanf(d->d_name, "%d%c", &pid, &crap) != 1) continue; - +#if HAVE_SELINUX + if (getpidcon(pid, &pid_context) != 0) + pid_context = strdup(no_ctx); +#endif sprintf(name + nameoff, "%d/fd/", pid); pos = strlen(name); if ((dir1 = opendir(name)) == NULL) continue; process[0] = '\0'; + p = process; while ((d1 = readdir(dir1)) != NULL) { const char *pattern = "socket:["; @@ -281,6 +342,7 @@ static void user_ent_hash_build(void) char lnk[64]; int fd; ssize_t link_len; + char tmp[1024]; if (sscanf(d1->d_name, "%d%c", &fd, &crap) != 1) continue; @@ -296,56 +358,122 @@ static void user_ent_hash_build(void) continue; sscanf(lnk, "socket:[%u]", &ino); - - if (process[0] == '\0') { - char tmp[1024]; +#if HAVE_SELINUX + snprintf(tmp, sizeof(tmp), "%s/%d/fd/%s", + root, pid, d1->d_name); + + if (getfilecon(tmp, &sock_context) < 0) + sock_context = strdup(no_ctx); +#endif + if (*p == '\0') { FILE *fp; - snprintf(tmp, sizeof(tmp), "%s/%d/stat", root, pid); + snprintf(tmp, sizeof(tmp), "%s/%d/stat", + root, pid); if ((fp = fopen(tmp, "r")) != NULL) { - fscanf(fp, "%*d (%[^)])", process); + fscanf(fp, "%*d (%[^)])", p); fclose(fp); } } - - user_ent_add(ino, process, pid, fd); +#if HAVE_SELINUX + user_ent_add(ino, p, pid, fd, + pid_context, sock_context); + freecon(sock_context); + } + freecon(pid_context); + closedir(dir1); +#else + user_ent_add(ino, p, pid, fd); } closedir(dir1); +#endif } closedir(dir); } -static int find_users(unsigned ino, char *buf, int buflen) +#if HAVE_SELINUX +enum entry_types { + USERS, + PROC_CTX, + PROC_SOCK_CTX +}; +#else +enum entry_types { + USERS +}; +#endif + +#define ENTRY_BUF_SIZE 512 +static int find_entry(unsigned ino, char **buf, int type) { struct user_ent *p; int cnt = 0; char *ptr; + char **new_buf = buf; + int len, new_buf_len; + int buf_used = 0; + int buf_len = 0; if (!ino) return 0; p = user_ent_hash[user_ent_hashfn(ino)]; - ptr = buf; + ptr = *buf = NULL; while (p) { if (p->ino != ino) goto next; - if (ptr - buf >= buflen - 1) - break; + while (1) { + ptr = *buf + buf_used; + switch (type) { + case USERS: + len = snprintf(ptr, buf_len - buf_used, + "(\"%s\",pid=%d,fd=%d),", + p->process, p->pid, p->fd); + break; +#if HAVE_SELINUX + case PROC_CTX: + len = snprintf(ptr, buf_len - buf_used, + "(\"%s\",pid=%d,proc_ctx=%s,fd=%d),", + p->process, p->pid, + p->process_ctx, p->fd); + break; + case PROC_SOCK_CTX: + len = snprintf(ptr, buf_len - buf_used, + "(\"%s\",pid=%d,proc_ctx=%s,fd=%d,sock_ctx=%s),", + p->process, p->pid, + p->process_ctx, p->fd, + p->socket_ctx); + break; +#endif + default: + fprintf(stderr, "ss: invalid type: %d\n", type); + abort(); + } - snprintf(ptr, buflen - (ptr - buf), - "(\"%s\",%d,%d),", - p->process, p->pid, p->fd); - ptr += strlen(ptr); + if (len < 0 || len >= buf_len - buf_used) { + new_buf_len = buf_len + ENTRY_BUF_SIZE; + *new_buf = realloc(*buf, new_buf_len); + if (!new_buf) { + fprintf(stderr, "ss: failed to malloc buffer\n"); + abort(); + } + **buf = **new_buf; + buf_len = new_buf_len; + continue; + } else { + buf_used += len; + break; + } + } cnt++; - - next: +next: p = p->next; } - - if (ptr != buf) + if (buf_used) { + ptr = *buf + buf_used; ptr[-1] = '\0'; - + } return cnt; } @@ -1282,11 +1410,25 @@ static int tcp_show_line(char *line, const struct filter *f, int family) if (s.qack&1) printf(" bidir"); } + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(s.ino, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(s.ino, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(s.ino, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } + if (show_details) { if (s.uid) printf(" uid:%u", (unsigned)s.uid); @@ -1506,11 +1648,25 @@ static int inet_show_sock(struct nlmsghdr *nlh, struct filter *f) r->idiag_retrans); } } + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(r->idiag_inode, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(r->idiag_inode, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(r->idiag_inode, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } + if (show_details) { if (r->idiag_uid) printf(" uid:%u", (unsigned)r->idiag_uid); @@ -1995,10 +2151,23 @@ static int dgram_show_line(char *line, const struct filter *f, int family) formatted_print(&s.local, s.lport); formatted_print(&s.remote, s.rport); + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(s.ino, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(s.ino, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(s.ino, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } if (show_details) { @@ -2185,10 +2354,23 @@ static void unix_list_print(struct unixstat *list, struct filter *f) printf("%*s %-*d %*s %-*d", addr_width, s->name ? : "*", serv_width, s->ino, addr_width, peer, serv_width, s->peer); + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(s->ino, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(s->ino, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(s->ino, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } printf("\n"); } @@ -2250,10 +2432,23 @@ static int unix_show_sock(struct nlmsghdr *nlh, struct filter *f) addr_width, "*", /* FIXME */ serv_width, peer_ino); + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(r->udiag_ino, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(r->udiag_ino, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(r->udiag_ino, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } if (show_mem) { @@ -2511,11 +2706,25 @@ static int packet_show_sock(struct nlmsghdr *nlh, struct filter *f) printf("%*s*%-*s", addr_width, "", serv_width, ""); + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(r->pdiag_ino, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(r->pdiag_ino, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(r->pdiag_ino, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } + if (show_details) { __u32 uid = 0; @@ -2706,11 +2915,25 @@ static int packet_show(struct filter *f) printf("%*s*%-*s", addr_width, "", serv_width, ""); + char *buf = NULL; +#if HAVE_SELINUX + if (show_proc_ctx || show_sock_ctx) { + if (find_entry(ino, &buf, + (show_proc_ctx & show_sock_ctx) ? + PROC_SOCK_CTX : PROC_CTX) > 0) { + printf(" users:(%s)", buf); + free(buf); + } + } else if (show_users) { +#else if (show_users) { - char ubuf[4096]; - if (find_users(ino, ubuf, sizeof(ubuf)) > 0) - printf(" users:(%s)", ubuf); +#endif + if (find_entry(ino, &buf, USERS) > 0) { + printf(" users:(%s)", buf); + free(buf); + } } + if (show_details) { printf(" ino=%u uid=%u sk=%llx", ino, uid, sk); } @@ -2785,6 +3008,29 @@ static void netlink_show_one(struct filter *f, printf("%*s*%-*s", addr_width, "", serv_width, ""); } +#if HAVE_SELINUX + security_context_t pid_context = NULL; + + if (show_proc_ctx) { + /* The pid value will either be: + * 0 if destination kernel - show kernel initial context. + * A valid process pid - use getpidcon. + * A unique value allocated by the kernel or netlink user + * to the process - show context as "not available". + */ + if (!pid) + security_get_initial_context("kernel", &pid_context); + else if (pid > 0) + getpidcon(pid, &pid_context); + + if (pid_context != NULL) { + printf("proc_ctx=%-*s ", serv_width, pid_context); + freecon(pid_context); + } else { + printf("%-*s ", serv_width, "context not available"); + } + } +# endif if (show_details) { printf(" sk=%llx cb=%llx groups=0x%08x", sk, cb, groups); @@ -3060,6 +3306,8 @@ static void _usage(FILE *dest) " -i, --info show internal TCP information\n" " -s, --summary show socket usage summary\n" " -b, --bpf show bpf filter socket information\n" +" -Z, --context display process SELinux security contexts\n" +" -z, --contexts display process and socket SELinux security contexts\n" "\n" " -4, --ipv4 display only IP version 4 sockets\n" " -6, --ipv6 display only IP version 6 sockets\n" @@ -3149,6 +3397,8 @@ static const struct option long_opts[] = { { "filter", 1, 0, 'F' }, { "version", 0, 0, 'V' }, { "help", 0, 0, 'h' }, + { "context", 0, 0, 'Z' }, + { "contexts", 0, 0, 'z' }, { 0 } }; @@ -3167,7 +3417,7 @@ int main(int argc, char *argv[]) current_filter.states = default_filter.states; - while ((ch = getopt_long(argc, argv, "dhaletuwxnro460spbf:miA:D:F:vV", + while ((ch = getopt_long(argc, argv, "dhaletuwxnro460spbf:miA:D:F:vVzZ", long_opts, NULL)) != EOF) { switch(ch) { case 'n': @@ -3327,6 +3577,23 @@ int main(int argc, char *argv[]) case 'V': printf("ss utility, iproute2-ss%s\n", SNAPSHOT); exit(0); + case 'z': +#if HAVE_SELINUX + show_sock_ctx++; +#endif + case 'Z': +#if HAVE_SELINUX + if (is_selinux_enabled() <= 0) { + fprintf(stderr, "ss: SELinux is not enabled.\n"); + exit(1); + } + show_proc_ctx++; + user_ent_hash_build(); +#else + fprintf(stderr, "ss: version does not support SELinux.\n"); + exit(1); +#endif + break; case 'h': case '?': help(); @@ -3514,5 +3781,13 @@ int main(int argc, char *argv[]) tcp_show(¤t_filter, IPPROTO_TCP); if (current_filter.dbs & (1<<DCCP_DB)) tcp_show(¤t_filter, IPPROTO_DCCP); + +#if HAVE_SELINUX + if (show_users || show_proc_ctx || show_sock_ctx) +#else + if (show_users) +#endif + user_ent_destroy(); + return 0; } -- 1.8.5.3 _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.