[rsbac] appending rsbac data to /proc/$pid/status
Javier Juan Martínez Cabezón
tazok at rsbac.org
Tue Mar 13 23:20:36 CET 2018
Hi Amon, I think it would be useful to append rsbac data to
/proc/$pid/status or to provide something like it under /proc/rsbac-info. It
would help userspace development tools a lot.
For example rc_role of this process, rc_type of proc, w or x enabled or
not, if jailed etc, the kind of data that we could retrieve from
attr_get_process.
Yesterday I started on (it's only a prototype, I haven't even
tested it xD) an enhanced, RSBAC-enabled ps that parses /proc as other
tools do. The problem is that I have to make use of popen calls, and I
think that is too costly.
Below you can find the function that does the hard work; the next step is to
print with colors and check the terminal size, et voilà (Jens, initially I
made it under bash, don't get angry with me, I started correcting my
mistake xD).
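def scanproc():
    """Get procs and inner files of procs, plus their RSBAC attributes.

    Walks the numeric directories under /proc, reads Name, State, Pid, PPid
    and Uid from each ``status`` file, then asks ``attr_get_process`` for
    the RC role, RC type, allow_write_exec, jail_id and cap_ld_env values
    of that pid.

    Returns:
        A list with one tuple per process:
        (pid, name, state, ppid, uid, rc_role, rc_type, worx, jailed,
        cap_ld_env, "\\n"). Status fields are the stripped text after the
        colon (so Uid holds all the ids on that line). An attribute is None
        when attr_get_process exited non-zero for it.

    Raises:
        ImportError: os.scandir is not available.
        RuntimeError: attr_get_process could not be started.
        OSError: /proc or a status file failed for a reason other than the
            process being inaccessible or already gone (e.g. EMFILE).

    Notes for callers:
        * The Name field is chosen by the process itself; filter control
          characters out of it before writing it to a terminal.
        * The status read and the attribute queries are separate steps, so
          a pid can exit (or be reused) in between and a row may then mix
          data; treat the rows as a best-effort snapshot.
        * attr_get_process is looked up through PATH. If this runs with
          elevated rights, a fixed absolute path is the safer choice.
    """
    try:
        from os import scandir
    except ImportError:
        raise ImportError('scandir not available in module os, change to '
                          'python 3.5 or install it at hand :-)')
    import sys
    from errno import EACCES, ENOENT, ESRCH
    from subprocess import Popen, PIPE

    path = "/proc"
    wanted = ("Name", "State", "Pid", "PPid", "Uid")
    # Value-to-label tables as given by the prototype. Values outside the
    # tables are passed through unchanged.
    worx_names = {"0": "forbidden", "1": "allowed", "3": "rel"}
    # NOTE(review): jail_id looks like an identifier, so other non-zero
    # values probably also mean "jailed" -- confirm before relying on this.
    jail_names = {"0": "no", "1": "yes"}
    ld_env_names = {"0": "forbidden"}

    def query(module, pid, attribute):
        """Run attr_get_process for one attribute; return its text or None."""
        # Argument list with shell=False: pid never passes through a shell.
        cmd = ['attr_get_process', module, pid, attribute]
        try:
            proc = Popen(cmd, stdout=PIPE, shell=False)
            output = proc.communicate()[0]
        except OSError as err:
            raise RuntimeError('something went wrong with popen') from err
        if proc.returncode != 0:
            print("something went wrong with attr_get_process %s %s %s"
                  % (module, pid, attribute), file=sys.stderr)
            # Report failure explicitly instead of handing back partial
            # output that could be mistaken for an attribute value.
            return None
        # Assumes the tool prints the bare value -- TODO confirm its format.
        return output.decode(errors="replace").strip()

    data_collected = []
    for entry in scandir(path):
        if not entry.is_dir(follow_symlinks=False):
            continue
        if not entry.name.isdigit():
            continue

        try:
            # errors="replace": Name may hold bytes that are not valid text.
            with open(path + "/" + entry.name + "/status",
                      errors="replace") as statfile:
                lines = statfile.readlines()
        except OSError as why:
            # EACCES: not ours to read. ENOENT/ESRCH: the process exited
            # after scandir listed it. Neither should abort the scan.
            if why.errno in (EACCES, ENOENT, ESRCH):
                continue
            raise

        # Fresh dict per process so no field leaks from the previous one.
        fields = dict.fromkeys(wanted)
        for line in lines:
            # partition, not split: the value itself may contain ':'.
            key, sep, value = line.partition(':')
            if sep and key in fields:
                fields[key] = value.strip()

        pid = fields["Pid"]
        if pid is None or not pid.isdigit():
            pid = entry.name

        rc_role_nr = query('RC', pid, 'rc_role')
        rc_type_nr = query('RC', pid, 'rc_type')
        worx = query('GEN', pid, 'allow_write_exec')
        worx = worx_names.get(worx, worx)
        jailed = query('JAIL', pid, 'jail_id')
        jailed = jail_names.get(jailed, jailed)
        cap_ld_env = query('CAP', pid, 'cap_ld_env')
        cap_ld_env = ld_env_names.get(cap_ld_env, cap_ld_env)

        data_collected.append((pid, fields["Name"], fields["State"],
                               fields["PPid"], fields["Uid"], rc_role_nr,
                               rc_type_nr, worx, jailed, cap_ld_env, "\n"))
    return data_collected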
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.rsbac.org/pipermail/rsbac/attachments/20180313/0bcd81cd/attachment.sig>