From: Casey Schaufler <casey@schaufler-ca.com>
To: cgzones@googlemail.com
Cc: Serge Hallyn <serge@hallyn.com>, Jan Kara <jack@suse.com>,
Julia Lawall <Julia.Lawall@inria.fr>,
Nicolas Palix <nicolas.palix@imag.fr>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, cocci@inria.fr,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v2 01/11] coccinelle: Add script to reorder capable() calls
Date: Sun, 2 Mar 2025 08:53:41 -0800 [thread overview]
Message-ID: <6f74f18f-ba64-4372-8307-efba97c03bf2@schaufler-ca.com> (raw)
In-Reply-To: <20250302160657.127253-11-cgoettsche@seltendoof.de>
On 3/2/2025 8:06 AM, Christian Göttsche wrote:
> From: Christian Göttsche <cgzones@googlemail.com>
>
> capable() calls refer to enabled LSMs whether to permit or deny the
> request. This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
> 1. A denial message is generated, even in case the operation was an
> unprivileged one and thus the syscall succeeded, creating noise.
> 2. To avoid the noise from 1. the policy writer adds a rule to ignore
> those denial messages, hiding future syscalls, where the task
> performs an actual privileged operation, leading to hidden limited
> functionality of that task.
> 3. To avoid the noise from 1. the policy writer adds a rule to permit
> the task the requested capability, while it does not need it,
> violating the principle of least privilege.
What steps are you taking to ensure that these changes do not
negatively impact LSMs other than SELinux? At a glance, I don't
see that there is likely to be a problem. I do see a possibility
that changes in error returns could break test suites and, more
importantly, applications that are careful about using privileged
operations.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> ---
> MAINTAINERS | 1 +
> scripts/coccinelle/api/capable_order.cocci | 98 ++++++++++++++++++++++
> 2 files changed, 99 insertions(+)
> create mode 100644 scripts/coccinelle/api/capable_order.cocci
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 8e0736dc2ee0..b1d1c801765b 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -5196,6 +5196,7 @@ F: include/linux/capability.h
> F: include/trace/events/capability.h
> F: include/uapi/linux/capability.h
> F: kernel/capability.c
> +F: scripts/coccinelle/api/capable_order.cocci
> F: security/commoncap.c
>
> CAPELLA MICROSYSTEMS LIGHT SENSOR DRIVER
> diff --git a/scripts/coccinelle/api/capable_order.cocci b/scripts/coccinelle/api/capable_order.cocci
> new file mode 100644
> index 000000000000..4150d91b0f33
> --- /dev/null
> +++ b/scripts/coccinelle/api/capable_order.cocci
> @@ -0,0 +1,98 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +///
> +/// Checks for capable() calls of the left side of a binary expression.
> +/// Reordering might avoid needless checks, LSM log messages, and more
> +/// restrictive LSM security policies (e.g. SELinux).
> +/// Can report false positives if the righthand side contains a nested
> +/// capability check or has side effects.
> +///
> +// Confidence: Moderate
> +// Copyright: (C) 2024 Christian Göttsche.
> +// Options: --no-includes --include-headers
> +// Keywords: capable, ns_capable, sockopt_ns_capable
> +//
> +
> +virtual patch
> +virtual context
> +virtual org
> +virtual report
> +
> +//----------------------------------------------------------
> +// Pattern to ignore
> +//----------------------------------------------------------
> +
> +@ignore@
> +identifier F1 = { capable, ns_capable, sockopt_ns_capable };
> +identifier F2 = { capable, ns_capable, sockopt_ns_capable };
> +binary operator op,op1,op2;
> +expression E;
> +position p;
> +@@
> +
> +(
> +F1@p(...) op F2(...)
> +|
> +E op1 F1@p(...) op2 F2(...)
> +)
> +
> +
> +//----------------------------------------------------------
> +// For patch mode
> +//----------------------------------------------------------
> +
> +@ depends on patch@
> +identifier F = { capable, ns_capable, sockopt_ns_capable };
> +binary operator op,op1,op2;
> +expression E,E1,E2;
> +expression list EL;
> +position p != ignore.p;
> +@@
> +
> +(
> +- F@p(EL) op E
> ++ E op F(EL)
> +|
> +- E1 op1 F@p(EL) op2 E2
> ++ E1 op1 E2 op2 F(EL)
> +)
> +
> +
> +//----------------------------------------------------------
> +// For context mode
> +//----------------------------------------------------------
> +
> +@r1 depends on !patch exists@
> +identifier F = { capable, ns_capable, sockopt_ns_capable };
> +binary operator op,op1,op2;
> +expression E, E1, E2;
> +position p != ignore.p;
> +@@
> +
> +(
> +* F@p(...) op E
> +|
> +* E1 op1 F@p(...) op2 E2
> +)
> +
> +
> +//----------------------------------------------------------
> +// For org mode
> +//----------------------------------------------------------
> +
> +@script:python depends on org@
> +p << r1.p;
> +@@
> +
> +cocci.print_main("WARNING opportunity for capable reordering",p)
> +
> +
> +//----------------------------------------------------------
> +// For report mode
> +//----------------------------------------------------------
> +
> +@script:python depends on report@
> +p << r1.p;
> +@@
> +
> +msg = "WARNING opportunity for capable reordering"
> +coccilib.report.print_report(p[0], msg)
next prev parent reply other threads:[~2025-03-02 17:03 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-02 16:06 [PATCH v2 02/11] quota: reorder capability check last Christian Göttsche
2025-03-02 16:06 ` [PATCH v2 03/11] ext4: " Christian Göttsche
2025-03-04 10:51 ` Jan Kara
2025-03-02 16:06 ` [PATCH v2 04/11] hugetlbfs: " Christian Göttsche
2025-03-02 16:06 ` [PATCH v2 05/11] genwqe: " Christian Göttsche
2025-03-02 16:06 ` [PATCH v2 06/11] ubifs: " Christian Göttsche
2025-03-03 13:49 ` Zhihao Cheng
2025-03-02 16:06 ` [PATCH v2 07/11] drm/panthor: " Christian Göttsche
2025-03-02 16:06 ` [PATCH v2 08/11] ipv4: " Christian Göttsche
2025-03-02 18:24 ` Eric Dumazet
2025-03-02 16:06 ` [PATCH v2 09/11] fs: " Christian Göttsche
2025-03-02 16:06 ` [PATCH v2 10/11] skbuff: " Christian Göttsche
2025-03-04 14:06 ` Willem de Bruijn
2025-03-02 16:06 ` [PATCH v2 11/11] infiniband: " Christian Göttsche
2025-03-03 19:04 ` Leon Romanovsky
2025-03-02 16:06 ` [PATCH v2 01/11] coccinelle: Add script to reorder capable() calls Christian Göttsche
2025-03-02 16:53 ` Casey Schaufler [this message]
2025-03-02 18:35 ` Christian Göttsche
2025-03-18 3:41 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6f74f18f-ba64-4372-8307-efba97c03bf2@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=Julia.Lawall@inria.fr \
--cc=cgzones@googlemail.com \
--cc=cocci@inria.fr \
--cc=jack@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nicolas.palix@imag.fr \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox