On Tue, Oct 29, 2024 at 11:18 PM Serge E. Hallyn <[email protected]> wrote: > > On Tue, Oct 29, 2024 at 06:33:14PM -0700, Jordan Rome wrote: > > In cases where we want a stable way to observe/trace > > cap_capable (e.g. protection from inlining and API updates) > > add a tracepoint that passes: > > - The credentials used > > - The user namespace of the resource being accessed > > - The user namespace in which the credential provides the > > capability to access the targeted resource > > - The capability to check for > > - Bitmask of options defined in include/linux/security.h > > - The return value of the check > > > > Signed-off-by: Jordan Rome <[email protected]> > > Thanks. I'll pull this into the capability tree tomorrow so it can be > tested in linux-next (and Andrii's ack unless he objects). >
Awesome. Thanks for the review, Serge! > > --- > > MAINTAINERS | 1 + > > include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++ > > security/commoncap.c | 30 +++++++++++----- > > 3 files changed, 83 insertions(+), 8 deletions(-) > > create mode 100644 include/trace/events/capability.h > > > > diff --git a/MAINTAINERS b/MAINTAINERS > > index cc40a9d9b8cd..210e9076c858 100644 > > --- a/MAINTAINERS > > +++ b/MAINTAINERS > > @@ -4994,6 +4994,7 @@ M: Serge Hallyn <[email protected]> > > L: [email protected] > > S: Supported > > F: include/linux/capability.h > > +F: include/trace/events/capability.h > > F: include/uapi/linux/capability.h > > F: kernel/capability.c > > F: security/commoncap.c > > diff --git a/include/trace/events/capability.h > > b/include/trace/events/capability.h > > new file mode 100644 > > index 000000000000..e706ce690c38 > > --- /dev/null > > +++ b/include/trace/events/capability.h > > @@ -0,0 +1,60 @@ > > +/* SPDX-License-Identifier: GPL-2.0 */ > > +#undef TRACE_SYSTEM > > +#define TRACE_SYSTEM capability > > + > > +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ) > > +#define _TRACE_CAPABILITY_H > > + > > +#include <linux/cred.h> > > +#include <linux/tracepoint.h> > > +#include <linux/user_namespace.h> > > + > > +/** > > + * cap_capable - called after it's determined if a task has a particular > > + * effective capability > > + * > > + * @cred: The credentials used > > + * @targ_ns: The user namespace of the resource being accessed > > + * @capable_ns: The user namespace in which the credential provides the > > + * capability to access the targeted resource. > > + * This will be NULL if ret is not 0. > > + * @cap: The capability to check for > > + * @opts: Bitmask of options defined in include/linux/security.h > > + * @ret: The return value of the check: 0 if it does, -ve if it does not > > + * > > + * Allows to trace calls to cap_capable in commoncap.c > > + */ > > +TRACE_EVENT(cap_capable, > > + > > + TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns, > > + struct user_namespace *capable_ns, int cap, unsigned int > > opts, int ret), > > + > > + TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret), > > + > > + TP_STRUCT__entry( > > + __field(const struct cred *, cred) > > + __field(struct user_namespace *, targ_ns) > > + __field(struct user_namespace *, capable_ns) > > + __field(int, cap) > > + __field(unsigned int, opts) > > + __field(int, ret) > > + ), > > + > > + TP_fast_assign( > > + __entry->cred = cred; > > + __entry->targ_ns = targ_ns; > > + __entry->capable_ns = capable_ns; > > + __entry->cap = cap; > > + __entry->opts = opts; > > + __entry->ret = ret; > > + ), > > + > > + TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret > > %d", > > + __entry->cred, __entry->targ_ns, __entry->capable_ns, > > __entry->cap, > > + __entry->opts, __entry->ret) > > +); > > + > > +#endif /* _TRACE_CAPABILITY_H */ > > + > > +/* This part must be outside protection */ > > +#include <trace/define_trace.h> > > diff --git a/security/commoncap.c b/security/commoncap.c > > index 162d96b3a676..7a74eb27eebf 100644 > > --- a/security/commoncap.c > > +++ b/security/commoncap.c > > @@ -27,6 +27,9 @@ > > #include <linux/mnt_idmapping.h> > > #include <uapi/linux/lsm.h> > > > > +#define CREATE_TRACE_POINTS > > +#include <trace/events/capability.h> > > + > > /* > > * If a non-root user executes a setuid-root binary in > > * !secure(SECURE_NOROOT) mode, then we raise capabilities. > > @@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) > > /** > > * cap_capable - Determine whether a task has a particular effective > > capability > > * @cred: The credentials to use > > - * @targ_ns: The user namespace in which we need the capability > > + * @targ_ns: The user namespace of the resource being accessed > > * @cap: The capability to check for > > * @opts: Bitmask of options defined in include/linux/security.h > > * > > @@ -67,7 +70,9 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) > > int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, > > int cap, unsigned int opts) > > { > > - struct user_namespace *ns = targ_ns; > > + int ret = -EPERM; > > + struct user_namespace *capable_ns = NULL, > > + *ns = targ_ns; > > > > /* See if cred has the capability in the target user namespace > > * by examining the target user namespace and all of the target > > @@ -75,22 +80,30 @@ int cap_capable(const struct cred *cred, struct > > user_namespace *targ_ns, > > */ > > for (;;) { > > /* Do we have the necessary capabilities? */ > > - if (ns == cred->user_ns) > > - return cap_raised(cred->cap_effective, cap) ? 0 : > > -EPERM; > > + if (ns == cred->user_ns) { > > + if (cap_raised(cred->cap_effective, cap)) { > > + capable_ns = ns; > > + ret = 0; > > + } > > + break; > > + } > > > > /* > > * If we're already at a lower level than we're looking for, > > * we're done searching. > > */ > > if (ns->level <= cred->user_ns->level) > > - return -EPERM; > > + break; > > > > /* > > * The owner of the user namespace in the parent of the > > * user namespace has all caps. > > */ > > - if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, > > cred->euid)) > > - return 0; > > + if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, > > cred->euid)) { > > + capable_ns = ns->parent; > > + ret = 0; > > + break; > > + } > > > > /* > > * If you have a capability in a parent user ns, then you have > > @@ -99,7 +112,8 @@ int cap_capable(const struct cred *cred, struct > > user_namespace *targ_ns, > > ns = ns->parent; > > } > > > > - /* We never get here */ > > + trace_cap_capable(cred, targ_ns, capable_ns, cap, opts, ret); > > + return ret; > > } > > > > /** > > -- > > 2.43.5
