libselinux: add getpidprevcon

Add the public interfaces getpidprevcon(3) and getpidprevcon_raw(3), and
the utility getpidprevcon to gather the previous context before the last
exec of a given process.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>

libselinux/include/selinux/selinux.h

@@ -54,6 +54,11 @@ extern int getpidcon_raw(pid_t pid, char ** con);
 extern int getprevcon(char ** con);
 extern int getprevcon_raw(char ** con);
 
+/* Get previous context (prior to last exec) of process identified by pid, and
+   set *con to refer to it.  Caller must free via freecon. */
+extern int getpidprevcon(pid_t pid, char ** con);
+extern int getpidprevcon_raw(pid_t pid, char ** con);
+
 /* Get exec context, and set *con to refer to it.
    Sets *con to NULL if no exec context has been set, i.e. using default.
    If non-NULL, caller must free via freecon. */

libselinux/man/man3/getcon.3

@@ -23,6 +23,10 @@ setcon \- set current security context of a process
 .sp
 .BI "int getpidcon_raw(pid_t " pid ", char **" context );
 .sp
+.BI "int getpidprevcon(pid_t " pid ", char **" context );
+.sp
+.BI "int getpidprevcon_raw(pid_t " pid ", char **" context );
+.sp
 .BI "int getpeercon(int " fd ", char **" context );
 .sp
 .BI "int getpeercon_raw(int " fd ", char **" context );
@@ -50,6 +54,11 @@ same as getcon but gets the context before the last exec.
 returns the process context for the specified PID, which must be free'd with
 .BR freecon ().
 
+.TP
+.BR getpidprevcon ()
+returns the process context before the last exec for the specified PID, which must be free'd with
+.BR freecon ().
+
 .TP
 .BR getpeercon ()
 retrieves the context of the peer socket, which must be free'd with
@@ -125,6 +134,7 @@ will fail if it is not allowed by policy.
 .BR getcon_raw (),
 .BR getprevcon_raw (),
 .BR getpidcon_raw (),
+.BR getpidprevcon_raw (),
 .BR getpeercon_raw ()
 and
 .BR setcon_raw ()

libselinux/man/man3/getpidprevcon.3

@@ -0,0 +1 @@
+.so man3/getcon.3

libselinux/man/man3/getpidprevcon_raw.3

@@ -0,0 +1 @@
+.so man3/getcon.3

libselinux/src/libselinux.map

@@ -246,3 +246,9 @@ LIBSELINUX_3.4 {
     selinux_restorecon_get_skipped_errors;
     selinux_restorecon_parallel;
 } LIBSELINUX_1.0;
+
+LIBSELINUX_3.5 {
+  global:
+    getpidprevcon;
+    getpidprevcon_raw;
+} LIBSELINUX_3.4;

libselinux/src/procattr.c

@@ -300,3 +300,21 @@ int getpidcon(pid_t pid, char **c)
 	}
 	return getprocattrcon(c, pid, "current", NULL);
 }
+
+int getpidprevcon_raw(pid_t pid, char **c)
+{
+        if (pid <= 0) {
+                errno = EINVAL;
+                return -1;
+        }
+        return getprocattrcon_raw(c, pid, "prev", NULL);
+}
+
+int getpidprevcon(pid_t pid, char **c)
+{
+        if (pid <= 0) {
+                errno = EINVAL;
+                return -1;
+        }
+        return getprocattrcon(c, pid, "prev", NULL);
+}

libselinux/utils/.gitignore

@@ -9,6 +9,7 @@ getdefaultcon
 getenforce
 getfilecon
 getpidcon
+getpidprevcon
 getsebool
 getseuser
 matchpathcon

libselinux/utils/getpidprevcon.c

@@ -0,0 +1,33 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+	pid_t pid;
+	char *buf;
+	int rc;
+
+	if (argc != 2) {
+		fprintf(stderr, "usage:  %s pid\n", argv[0]);
+		exit(1);
+	}
+
+	if (sscanf(argv[1], "%d", &pid) != 1) {
+		fprintf(stderr, "%s:  invalid pid %s\n", argv[0], argv[1]);
+		exit(2);
+	}
+
+	rc = getpidprevcon(pid, &buf);
+	if (rc < 0) {
+		fprintf(stderr, "%s:  getpidprevcon() failed:  %s\n", argv[0], strerror(errno));
+		exit(3);
+	}
+
+	printf("%s\n", buf);
+	freecon(buf);
+	exit(EXIT_SUCCESS);
+}