gdb/gdb-attach-fail-reasons-5of5.patch
Richard Biener 355c8053f0 - Use patchlist.pl to merge with gdb-7.9-10.fc22, a rebase to FSF GDB 7.9.
The GDB 7.8 features are:
  * Python Scripting
   - You can now access frame registers from Python scripts.
   - New attribute 'producer' for gdb.Symtab objects.
  * New Python-based convenience functions:
   - $_caller_is(name [, number_of_frames])
   - $_caller_matches(regexp [, number_of_frames])
   - $_any_caller_is(name [, number_of_frames])
   - $_any_caller_matches(regexp [, number_of_frames])
  * New commands
   - queue-signal signal-name-or-number
     Queue a signal to be delivered to the thread when it is resumed.
  * On resume, GDB now always passes the signal the program had stopped
    for to the thread the signal was sent to, even if the user changed
    threads before resuming.  Previously GDB would often (but not
    always) deliver the signal to the thread that happens to be current
    at resume time.
  * Conversely, the "signal" command now consistently delivers the
    requested signal to the current thread.  GDB now asks for
    confirmation if the program had stopped for a signal and the user
    switched threads meanwhile.
  * "breakpoint always-inserted" modes "off" and "auto" merged.
    Now, when 'breakpoint always-inserted mode' is set to "off", GDB
    won't remove breakpoints from the target until all threads stop,
    even in non-stop mode.  The "auto" mode has been removed, and "off"
    is now the default mode.
  * MI changes
   - The -list-thread-groups command outputs an exit-code field for
     inferiors that have exited.

OBS-URL: https://build.opensuse.org/package/show/devel:gcc/gdb?expand=0&rev=115
2015-02-25 13:45:10 +00:00

427 lines
14 KiB
Diff

http://sourceware.org/ml/gdb-patches/2012-03/msg00171.html
Subject: [patch 3/3] attach-fail-reasons: SELinux deny_ptrace
Hi,
and here is the last bit for new SELinux 'deny_ptrace':
https://bugzilla.redhat.com/show_bug.cgi?id=786878
As even PTRACE_TRACEME fails in such case it needs to install hook for even
that event.
Thanks,
Jan
gdb/
2012-03-06 Jan Kratochvil <jan.kratochvil@redhat.com>
* common/linux-ptrace.c [HAVE_SELINUX_SELINUX_H]: include
selinux/selinux.h.
(linux_ptrace_attach_warnings): Call linux_ptrace_create_warnings.
(linux_ptrace_create_warnings): New.
* common/linux-ptrace.h (linux_ptrace_create_warnings): New declaration.
* config.in: Regenerate.
* configure: Regenerate.
* configure.ac: Check selinux/selinux.h and the selinux library.
* inf-ptrace.c (inf_ptrace_me): Check the ptrace result.
* linux-nat.c (linux_nat_create_inferior): New variable ex. Wrap
to_create_inferior into TRY_CATCH, call linux_ptrace_create_warnings.
gdb/gdbserver/
* config.in: Regenerate.
* configure: Regenerate.
* configure.ac: Check selinux/selinux.h and the selinux library.
* linux-low.c (linux_traceme): New function.
(linux_create_inferior, linux_tracefork_child): Call it instead of
direct ptrace.
Index: gdb-7.8.90.20150125/gdb/nat/linux-ptrace.c
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/nat/linux-ptrace.c 2015-01-25 08:36:55.710884511 +0100
+++ gdb-7.8.90.20150125/gdb/nat/linux-ptrace.c 2015-01-25 08:38:43.157347627 +0100
@@ -25,6 +25,10 @@
#include <stdint.h>
+#ifdef HAVE_SELINUX_SELINUX_H
+# include <selinux/selinux.h>
+#endif /* HAVE_SELINUX_SELINUX_H */
+
/* Stores the currently supported ptrace options. A value of
-1 means we did not check for features yet. A value of 0 means
there are no supported features. */
@@ -53,6 +57,8 @@ linux_ptrace_attach_fail_reason (pid_t p
buffer_xml_printf (buffer, _("process %d is a zombie "
"- the process has already terminated"),
(int) pid);
+
+ linux_ptrace_create_warnings (buffer);
}
/* See linux-ptrace.h. */
@@ -595,6 +601,22 @@ linux_ptrace_init_warnings (void)
linux_ptrace_test_ret_to_nx ();
}
+/* Print all possible reasons we could fail to create a traced process. */
+
+void
+linux_ptrace_create_warnings (struct buffer *buffer)
+{
+#ifdef HAVE_LIBSELINUX
+ /* -1 is returned for errors, 0 if it has no effect, 1 if PTRACE_ATTACH is
+ forbidden. */
+ if (security_get_boolean_active ("deny_ptrace") == 1)
+ buffer_xml_printf (buffer,
+ _("the SELinux boolean 'deny_ptrace' is enabled, "
+ "you can disable this process attach protection by: "
+ "(gdb) shell sudo setsebool deny_ptrace=0"));
+#endif /* HAVE_LIBSELINUX */
+}
+
/* Set additional ptrace flags to use. Some such flags may be checked
by the implementation above. This function must be called before
any other function in this file; otherwise the flags may not take
Index: gdb-7.8.90.20150125/gdb/nat/linux-ptrace.h
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/nat/linux-ptrace.h 2015-01-25 08:37:02.800915071 +0100
+++ gdb-7.8.90.20150125/gdb/nat/linux-ptrace.h 2015-01-25 08:38:16.565233009 +0100
@@ -98,6 +98,7 @@ extern void linux_ptrace_attach_fail_rea
extern char *linux_ptrace_attach_fail_reason_string (ptid_t ptid, int err);
extern void linux_ptrace_init_warnings (void);
+extern void linux_ptrace_create_warnings (struct buffer *buffer);
extern void linux_enable_event_reporting (pid_t pid, int attached);
extern void linux_disable_event_reporting (pid_t pid);
extern int linux_supports_tracefork (void);
Index: gdb-7.8.90.20150125/gdb/configure.ac
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/configure.ac 2015-01-25 08:36:55.712884520 +0100
+++ gdb-7.8.90.20150125/gdb/configure.ac 2015-01-25 08:37:02.801915075 +0100
@@ -2117,6 +2117,10 @@ case $host_os in
esac
AC_DEFINE_UNQUOTED(GDBINIT,"$gdbinit",[The .gdbinit filename.])
+dnl Check security_get_boolean_active availability.
+AC_CHECK_HEADERS(selinux/selinux.h)
+AC_CHECK_LIB(selinux, security_get_boolean_active)
+
dnl Handle optional features that can be enabled.
# Support for --with-sysroot is a copy of GDB_AC_WITH_DIR,
Index: gdb-7.8.90.20150125/gdb/gdbserver/configure.ac
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/gdbserver/configure.ac 2015-01-25 08:36:55.712884520 +0100
+++ gdb-7.8.90.20150125/gdb/gdbserver/configure.ac 2015-01-25 08:37:02.801915075 +0100
@@ -461,6 +461,10 @@ if $want_ipa ; then
fi
fi
+dnl Check security_get_boolean_active availability.
+AC_CHECK_HEADERS(selinux/selinux.h)
+AC_CHECK_LIB(selinux, security_get_boolean_active)
+
AC_SUBST(GDBSERVER_DEPFILES)
AC_SUBST(GDBSERVER_LIBS)
AC_SUBST(srv_xmlbuiltin)
Index: gdb-7.8.90.20150125/gdb/gdbserver/linux-low.c
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/gdbserver/linux-low.c 2015-01-25 08:36:55.714884529 +0100
+++ gdb-7.8.90.20150125/gdb/gdbserver/linux-low.c 2015-01-25 08:37:02.803915084 +0100
@@ -591,6 +591,29 @@ add_lwp (ptid_t ptid)
return lwp;
}
+/* Execute PTRACE_TRACEME with error checking. */
+
+static void
+linux_traceme (const char *program)
+{
+ int save_errno;
+ struct buffer buffer;
+
+ errno = 0;
+ if (ptrace (PTRACE_TRACEME, 0,
+ (PTRACE_TYPE_ARG3) 0, (PTRACE_TYPE_ARG4) 0) == 0)
+ return;
+
+ save_errno = errno;
+ buffer_init (&buffer);
+ linux_ptrace_create_warnings (&buffer);
+ buffer_grow_str0 (&buffer, "");
+ fprintf (stderr, _("%sCannot trace created process %s: %s.\n"),
+ buffer_finish (&buffer), program, strerror (save_errno));
+ fflush (stderr);
+ _exit (0177);
+}
+
/* Start an inferior process and returns its pid.
ALLARGS is a vector of program-name and args. */
@@ -632,7 +655,7 @@ linux_create_inferior (char *program, ch
if (pid == 0)
{
close_most_fds ();
- ptrace (PTRACE_TRACEME, 0, (PTRACE_TYPE_ARG3) 0, (PTRACE_TYPE_ARG4) 0);
+ linux_traceme (program);
#ifndef __ANDROID__ /* Bionic doesn't use SIGRTMIN the way glibc does. */
signal (__SIGRTMIN + 1, SIG_DFL);
Index: gdb-7.8.90.20150125/gdb/inf-ptrace.c
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/inf-ptrace.c 2015-01-25 08:36:55.715884533 +0100
+++ gdb-7.8.90.20150125/gdb/inf-ptrace.c 2015-01-25 08:37:02.803915084 +0100
@@ -67,7 +67,15 @@ static void
inf_ptrace_me (void)
{
/* "Trace me, Dr. Memory!" */
+ errno = 0;
ptrace (PT_TRACE_ME, 0, (PTRACE_TYPE_ARG3)0, 0);
+ if (errno != 0)
+ {
+ fprintf_unfiltered (gdb_stderr, _("Cannot create process: %s\n"),
+ safe_strerror (errno));
+ gdb_flush (gdb_stderr);
+ _exit (0177);
+ }
}
/* Start a new inferior Unix child process. EXEC_FILE is the file to
Index: gdb-7.8.90.20150125/gdb/linux-nat.c
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/linux-nat.c 2015-01-25 08:36:55.717884541 +0100
+++ gdb-7.8.90.20150125/gdb/linux-nat.c 2015-01-25 08:37:52.054127362 +0100
@@ -1109,6 +1109,7 @@ linux_nat_create_inferior (struct target
#ifdef HAVE_PERSONALITY
int personality_orig = 0, personality_set = 0;
#endif /* HAVE_PERSONALITY */
+ volatile struct gdb_exception ex;
/* The fork_child mechanism is synchronous and calls target_wait, so
we have to mask the async mode. */
@@ -1133,7 +1134,10 @@ linux_nat_create_inferior (struct target
/* Make sure we report all signals during startup. */
linux_nat_pass_signals (ops, 0, NULL);
- linux_ops->to_create_inferior (ops, exec_file, allargs, env, from_tty);
+ TRY_CATCH (ex, RETURN_MASK_ERROR)
+ {
+ linux_ops->to_create_inferior (ops, exec_file, allargs, env, from_tty);
+ }
#ifdef HAVE_PERSONALITY
if (personality_set)
@@ -1145,6 +1149,24 @@ linux_nat_create_inferior (struct target
safe_strerror (errno));
}
#endif /* HAVE_PERSONALITY */
+
+ if (ex.reason < 0)
+ {
+ struct buffer buffer;
+ char *message, *buffer_s;
+
+ message = xstrdup (ex.message);
+ make_cleanup (xfree, message);
+
+ buffer_init (&buffer);
+ linux_ptrace_create_warnings (&buffer);
+
+ buffer_grow_str0 (&buffer, "");
+ buffer_s = buffer_finish (&buffer);
+ make_cleanup (xfree, buffer_s);
+
+ throw_error (ex.error, "%s%s", buffer_s, message);
+ }
}
/* Callback for linux_proc_attach_tgid_threads. Attach to PTID if not
Index: gdb-7.8.90.20150125/gdb/config.in
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/config.in 2015-01-25 08:36:55.718884546 +0100
+++ gdb-7.8.90.20150125/gdb/config.in 2015-01-25 08:37:02.805915092 +0100
@@ -213,6 +213,9 @@
/* Define if librpm library is being used. */
#undef HAVE_LIBRPM
+/* Define to 1 if you have the `selinux' library (-lselinux). */
+#undef HAVE_LIBSELINUX
+
/* Define to 1 if you have the <libunwind-ia64.h> header file. */
#undef HAVE_LIBUNWIND_IA64_H
@@ -342,6 +345,9 @@
/* Define to 1 if you have the `scm_new_smob' function. */
#undef HAVE_SCM_NEW_SMOB
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
/* Define to 1 if you have the `setlocale' function. */
#undef HAVE_SETLOCALE
Index: gdb-7.8.90.20150125/gdb/configure
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/configure 2015-01-25 08:36:55.722884563 +0100
+++ gdb-7.8.90.20150125/gdb/configure 2015-01-25 08:37:02.809915110 +0100
@@ -13270,6 +13270,64 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
+for ac_header in selinux/selinux.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"
+if test "x$ac_cv_header_selinux_selinux_h" = x""yes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_SELINUX_SELINUX_H 1
+_ACEOF
+
+fi
+
+done
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_get_boolean_active in -lselinux" >&5
+$as_echo_n "checking for security_get_boolean_active in -lselinux... " >&6; }
+if test "${ac_cv_lib_selinux_security_get_boolean_active+set}" = set; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lselinux $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char security_get_boolean_active ();
+int
+main ()
+{
+return security_get_boolean_active ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_selinux_security_get_boolean_active=yes
+else
+ ac_cv_lib_selinux_security_get_boolean_active=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_security_get_boolean_active" >&5
+$as_echo "$ac_cv_lib_selinux_security_get_boolean_active" >&6; }
+if test "x$ac_cv_lib_selinux_security_get_boolean_active" = x""yes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSELINUX 1
+_ACEOF
+
+ LIBS="-lselinux $LIBS"
+
+fi
+
+
# Support for --with-sysroot is a copy of GDB_AC_WITH_DIR,
# except that the argument to --with-sysroot is optional.
Index: gdb-7.8.90.20150125/gdb/gdbserver/config.in
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/gdbserver/config.in 2015-01-25 08:36:55.724884572 +0100
+++ gdb-7.8.90.20150125/gdb/gdbserver/config.in 2015-01-25 08:37:02.809915110 +0100
@@ -75,6 +75,9 @@
/* Define to 1 if you have the `mcheck' library (-lmcheck). */
#undef HAVE_LIBMCHECK
+/* Define to 1 if you have the `selinux' library (-lselinux). */
+#undef HAVE_LIBSELINUX
+
/* Define if the target supports branch tracing. */
#undef HAVE_LINUX_BTRACE
@@ -142,6 +145,9 @@
/* Define to 1 if you have the `pwrite' function. */
#undef HAVE_PWRITE
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
/* Define to 1 if you have the <sgtty.h> header file. */
#undef HAVE_SGTTY_H
Index: gdb-7.8.90.20150125/gdb/gdbserver/configure
===================================================================
--- gdb-7.8.90.20150125.orig/gdb/gdbserver/configure 2015-01-25 08:36:55.726884580 +0100
+++ gdb-7.8.90.20150125/gdb/gdbserver/configure 2015-01-25 08:37:02.811915118 +0100
@@ -6199,6 +6199,64 @@ if $want_ipa ; then
fi
fi
+for ac_header in selinux/selinux.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"
+if test "x$ac_cv_header_selinux_selinux_h" = x""yes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_SELINUX_SELINUX_H 1
+_ACEOF
+
+fi
+
+done
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for security_get_boolean_active in -lselinux" >&5
+$as_echo_n "checking for security_get_boolean_active in -lselinux... " >&6; }
+if test "${ac_cv_lib_selinux_security_get_boolean_active+set}" = set; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lselinux $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char security_get_boolean_active ();
+int
+main ()
+{
+return security_get_boolean_active ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_selinux_security_get_boolean_active=yes
+else
+ ac_cv_lib_selinux_security_get_boolean_active=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_security_get_boolean_active" >&5
+$as_echo "$ac_cv_lib_selinux_security_get_boolean_active" >&6; }
+if test "x$ac_cv_lib_selinux_security_get_boolean_active" = x""yes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSELINUX 1
+_ACEOF
+
+ LIBS="-lselinux $LIBS"
+
+fi
+
+