* [v9] security: add trace event for cap_capable
@ 2024-12-04 15:59 Jordan Rome
2024-12-05 3:04 ` Serge E. Hallyn
0 siblings, 1 reply; 2+ messages in thread
From: Jordan Rome @ 2024-12-04 15:59 UTC (permalink / raw)
To: linux-security-module
Cc: linux-trace-kernel, Andrii Nakryiko, Kernel Team, Serge Hallyn,
Yonghong Song, Linus Torvalds
In cases where we want a stable way to observe/trace
cap_capable (e.g. protection from inlining and API updates)
add a tracepoint that passes:
- The credentials used
- The user namespace of the resource being accessed
- The user namespace in which the credential provides the
capability to access the targeted resource
- The capability to check for
- The return value of the check
Signed-off-by: Jordan Rome <linux@jordanrome.com>
---
MAINTAINERS | 1 +
include/trace/events/capability.h | 57 +++++++++++++++++++++++++++++++
security/commoncap.c | 54 ++++++++++++++++++++++-------
3 files changed, 99 insertions(+), 13 deletions(-)
create mode 100644 include/trace/events/capability.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 1e930c7a58b1..33fde7f660d0 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5147,6 +5147,7 @@ M: Serge Hallyn <serge@hallyn.com>
L: linux-security-module@vger.kernel.org
S: Supported
F: include/linux/capability.h
+F: include/trace/events/capability.h
F: include/uapi/linux/capability.h
F: kernel/capability.c
F: security/commoncap.c
diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
new file mode 100644
index 000000000000..17340257946c
--- /dev/null
+++ b/include/trace/events/capability.h
@@ -0,0 +1,57 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM capability
+
+#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_CAPABILITY_H
+
+#include <linux/cred.h>
+#include <linux/tracepoint.h>
+#include <linux/user_namespace.h>
+
+/**
+ * cap_capable - called after it's determined if a task has a particular
+ * effective capability
+ *
+ * @cred: The credentials used
+ * @target_ns: The user namespace of the resource being accessed
+ * @capable_ns: The user namespace in which the credential provides the
+ * capability to access the targeted resource.
+ * This will be NULL if ret is not 0.
+ * @cap: The capability to check for
+ * @ret: The return value of the check: 0 if it does, -ve if it does not
+ *
+ * Allows to trace calls to cap_capable in commoncap.c
+ */
+TRACE_EVENT(cap_capable,
+
+ TP_PROTO(const struct cred *cred, struct user_namespace *target_ns,
+ const struct user_namespace *capable_ns, int cap, int ret),
+
+ TP_ARGS(cred, target_ns, capable_ns, cap, ret),
+
+ TP_STRUCT__entry(
+ __field(const struct cred *, cred)
+ __field(struct user_namespace *, target_ns)
+ __field(const struct user_namespace *, capable_ns)
+ __field(int, cap)
+ __field(int, ret)
+ ),
+
+ TP_fast_assign(
+ __entry->cred = cred;
+ __entry->target_ns = target_ns;
+ __entry->capable_ns = ret == 0 ? capable_ns : NULL;
+ __entry->cap = cap;
+ __entry->ret = ret;
+ ),
+
+ TP_printk("cred %p, target_ns %p, capable_ns %p, cap %d, ret %d",
+ __entry->cred, __entry->target_ns, __entry->capable_ns, __entry->cap,
+ __entry->ret)
+);
+
+#endif /* _TRACE_CAPABILITY_H */
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
diff --git a/security/commoncap.c b/security/commoncap.c
index cefad323a0b1..7b6984b27127 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,6 +27,9 @@
#include <linux/mnt_idmapping.h>
#include <uapi/linux/lsm.h>
+#define CREATE_TRACE_POINTS
+#include <trace/events/capability.h>
+
/*
* If a non-root user executes a setuid-root binary in
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
@@ -50,24 +53,24 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
}
/**
- * cap_capable - Determine whether a task has a particular effective capability
+ * cap_capable_helper - Determine whether a task has a particular effective
+ * capability.
* @cred: The credentials to use
- * @targ_ns: The user namespace in which we need the capability
+ * @target_ns: The user namespace of the resource being accessed
+ * @cred_ns: The user namespace of the credentials
* @cap: The capability to check for
- * @opts: Bitmask of options defined in include/linux/security.h
*
* Determine whether the nominated task has the specified capability amongst
* its effective set, returning 0 if it does, -ve if it does not.
*
- * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
- * and has_capability() functions. That is, it has the reverse semantics:
- * cap_has_capability() returns 0 when a task has a capability, but the
- * kernel's capable() and has_capability() returns 1 for this case.
+ * See cap_capable for more details.
*/
-int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
- int cap, unsigned int opts)
+static inline int cap_capable_helper(const struct cred *cred,
+ struct user_namespace *target_ns,
+ const struct user_namespace *cred_ns,
+ int cap)
{
- struct user_namespace *ns = targ_ns;
+ struct user_namespace *ns = target_ns;
/* See if cred has the capability in the target user namespace
* by examining the target user namespace and all of the target
@@ -75,21 +78,21 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
*/
for (;;) {
/* Do we have the necessary capabilities? */
- if (ns == cred->user_ns)
+ if (likely(ns == cred_ns))
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
/*
* If we're already at a lower level than we're looking for,
* we're done searching.
*/
- if (ns->level <= cred->user_ns->level)
+ if (ns->level <= cred_ns->level)
return -EPERM;
/*
* The owner of the user namespace in the parent of the
* user namespace has all caps.
*/
- if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
+ if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
return 0;
/*
@@ -102,6 +105,31 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
/* We never get here */
}
+/**
+ * cap_capable - Determine whether a task has a particular effective capability
+ * @cred: The credentials to use
+ * @target_ns: The user namespace of the resource being accessed
+ * @cap: The capability to check for
+ * @opts: Bitmask of options defined in include/linux/security.h (unused)
+ *
+ * Determine whether the nominated task has the specified capability amongst
+ * its effective set, returning 0 if it does, -ve if it does not.
+ *
+ * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
+ * and has_capability() functions. That is, it has the reverse semantics:
+ * cap_has_capability() returns 0 when a task has a capability, but the
+ * kernel's capable() and has_capability() returns 1 for this case.
+ */
+int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
+ int cap, unsigned int opts)
+{
+ const struct user_namespace *cred_ns = cred->user_ns;
+ int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
+
+ trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
+ return ret;
+}
+
/**
* cap_settime - Determine whether the current process may set the system clock
* @ts: The time to set
--
2.43.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [v9] security: add trace event for cap_capable
2024-12-04 15:59 [v9] security: add trace event for cap_capable Jordan Rome
@ 2024-12-05 3:04 ` Serge E. Hallyn
0 siblings, 0 replies; 2+ messages in thread
From: Serge E. Hallyn @ 2024-12-05 3:04 UTC (permalink / raw)
To: Jordan Rome
Cc: linux-security-module, linux-trace-kernel, Andrii Nakryiko,
Kernel Team, Serge Hallyn, Yonghong Song, Linus Torvalds
On Wed, Dec 04, 2024 at 07:59:11AM -0800, Jordan Rome wrote:
> In cases where we want a stable way to observe/trace
> cap_capable (e.g. protection from inlining and API updates)
> add a tracepoint that passes:
> - The credentials used
> - The user namespace of the resource being accessed
> - The user namespace in which the credential provides the
> capability to access the targeted resource
> - The capability to check for
> - The return value of the check
>
> Signed-off-by: Jordan Rome <linux@jordanrome.com>
Thanks, applied to caps-next.
> ---
> MAINTAINERS | 1 +
> include/trace/events/capability.h | 57 +++++++++++++++++++++++++++++++
> security/commoncap.c | 54 ++++++++++++++++++++++-------
> 3 files changed, 99 insertions(+), 13 deletions(-)
> create mode 100644 include/trace/events/capability.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 1e930c7a58b1..33fde7f660d0 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -5147,6 +5147,7 @@ M: Serge Hallyn <serge@hallyn.com>
> L: linux-security-module@vger.kernel.org
> S: Supported
> F: include/linux/capability.h
> +F: include/trace/events/capability.h
> F: include/uapi/linux/capability.h
> F: kernel/capability.c
> F: security/commoncap.c
> diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
> new file mode 100644
> index 000000000000..17340257946c
> --- /dev/null
> +++ b/include/trace/events/capability.h
> @@ -0,0 +1,57 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#undef TRACE_SYSTEM
> +#define TRACE_SYSTEM capability
> +
> +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
> +#define _TRACE_CAPABILITY_H
> +
> +#include <linux/cred.h>
> +#include <linux/tracepoint.h>
> +#include <linux/user_namespace.h>
> +
> +/**
> + * cap_capable - called after it's determined if a task has a particular
> + * effective capability
> + *
> + * @cred: The credentials used
> + * @target_ns: The user namespace of the resource being accessed
> + * @capable_ns: The user namespace in which the credential provides the
> + * capability to access the targeted resource.
> + * This will be NULL if ret is not 0.
> + * @cap: The capability to check for
> + * @ret: The return value of the check: 0 if it does, -ve if it does not
> + *
> + * Allows to trace calls to cap_capable in commoncap.c
> + */
> +TRACE_EVENT(cap_capable,
> +
> + TP_PROTO(const struct cred *cred, struct user_namespace *target_ns,
> + const struct user_namespace *capable_ns, int cap, int ret),
> +
> + TP_ARGS(cred, target_ns, capable_ns, cap, ret),
> +
> + TP_STRUCT__entry(
> + __field(const struct cred *, cred)
> + __field(struct user_namespace *, target_ns)
> + __field(const struct user_namespace *, capable_ns)
> + __field(int, cap)
> + __field(int, ret)
> + ),
> +
> + TP_fast_assign(
> + __entry->cred = cred;
> + __entry->target_ns = target_ns;
> + __entry->capable_ns = ret == 0 ? capable_ns : NULL;
> + __entry->cap = cap;
> + __entry->ret = ret;
> + ),
> +
> + TP_printk("cred %p, target_ns %p, capable_ns %p, cap %d, ret %d",
> + __entry->cred, __entry->target_ns, __entry->capable_ns, __entry->cap,
> + __entry->ret)
> +);
> +
> +#endif /* _TRACE_CAPABILITY_H */
> +
> +/* This part must be outside protection */
> +#include <trace/define_trace.h>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index cefad323a0b1..7b6984b27127 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -27,6 +27,9 @@
> #include <linux/mnt_idmapping.h>
> #include <uapi/linux/lsm.h>
>
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/capability.h>
> +
> /*
> * If a non-root user executes a setuid-root binary in
> * !secure(SECURE_NOROOT) mode, then we raise capabilities.
> @@ -50,24 +53,24 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
> }
>
> /**
> - * cap_capable - Determine whether a task has a particular effective capability
> + * cap_capable_helper - Determine whether a task has a particular effective
> + * capability.
> * @cred: The credentials to use
> - * @targ_ns: The user namespace in which we need the capability
> + * @target_ns: The user namespace of the resource being accessed
> + * @cred_ns: The user namespace of the credentials
> * @cap: The capability to check for
> - * @opts: Bitmask of options defined in include/linux/security.h
> *
> * Determine whether the nominated task has the specified capability amongst
> * its effective set, returning 0 if it does, -ve if it does not.
> *
> - * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
> - * and has_capability() functions. That is, it has the reverse semantics:
> - * cap_has_capability() returns 0 when a task has a capability, but the
> - * kernel's capable() and has_capability() returns 1 for this case.
> + * See cap_capable for more details.
> */
> -int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> - int cap, unsigned int opts)
> +static inline int cap_capable_helper(const struct cred *cred,
> + struct user_namespace *target_ns,
> + const struct user_namespace *cred_ns,
> + int cap)
> {
> - struct user_namespace *ns = targ_ns;
> + struct user_namespace *ns = target_ns;
>
> /* See if cred has the capability in the target user namespace
> * by examining the target user namespace and all of the target
> @@ -75,21 +78,21 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> */
> for (;;) {
> /* Do we have the necessary capabilities? */
> - if (ns == cred->user_ns)
> + if (likely(ns == cred_ns))
> return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
>
> /*
> * If we're already at a lower level than we're looking for,
> * we're done searching.
> */
> - if (ns->level <= cred->user_ns->level)
> + if (ns->level <= cred_ns->level)
> return -EPERM;
>
> /*
> * The owner of the user namespace in the parent of the
> * user namespace has all caps.
> */
> - if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
> + if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
> return 0;
>
> /*
> @@ -102,6 +105,31 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> /* We never get here */
> }
>
> +/**
> + * cap_capable - Determine whether a task has a particular effective capability
> + * @cred: The credentials to use
> + * @target_ns: The user namespace of the resource being accessed
> + * @cap: The capability to check for
> + * @opts: Bitmask of options defined in include/linux/security.h (unused)
> + *
> + * Determine whether the nominated task has the specified capability amongst
> + * its effective set, returning 0 if it does, -ve if it does not.
> + *
> + * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
> + * and has_capability() functions. That is, it has the reverse semantics:
> + * cap_has_capability() returns 0 when a task has a capability, but the
> + * kernel's capable() and has_capability() returns 1 for this case.
> + */
> +int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
> + int cap, unsigned int opts)
> +{
> + const struct user_namespace *cred_ns = cred->user_ns;
> + int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
> +
> + trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
> + return ret;
> +}
> +
> /**
> * cap_settime - Determine whether the current process may set the system clock
> * @ts: The time to set
> --
> 2.43.5
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-12-05 3:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-12-04 15:59 [v9] security: add trace event for cap_capable Jordan Rome
2024-12-05 3:04 ` Serge E. Hallyn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).