Thread (3 messages) 3 messages, 3 authors, 2024-10-29

Re: [v3] security: add trace event for cap_capable

From: "Serge E. Hallyn" <serge@hallyn.com>
Date: 2024-10-29 20:20:25
Also in: linux-security-module 

On Tue, Oct 29, 2024 at 10:03:29AM -0700, Andrii Nakryiko wrote:
On Tue, Oct 29, 2024 at 4:21 AM Jordan Rome [off-list ref] wrote:
quoted
In cases where we want a stable way to observe/trace
cap_capable (e.g. protection from inlining and API updates)
add a tracepoint that passes:
- The credentials used
- The user namespace of the resource being accessed
- The user namespace in which the credential provides the
capability to access the targeted resource
- The capability to check for
- Bitmask of options defined in include/linux/security.h
- The return value of the check

Signed-off-by: Jordan Rome <redacted>
---
 MAINTAINERS                       |  1 +
 include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
 security/commoncap.c              | 32 ++++++++++++-----
 3 files changed, 85 insertions(+), 8 deletions(-)
 create mode 100644 include/trace/events/capability.h

diff --git a/MAINTAINERS b/MAINTAINERS
index cc40a9d9b8cd..210e9076c858 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4994,6 +4994,7 @@ M:        Serge Hallyn <serge@hallyn.com>
 L:     linux-security-module@vger.kernel.org
 S:     Supported
 F:     include/linux/capability.h
+F:     include/trace/events/capability.h
 F:     include/uapi/linux/capability.h
 F:     kernel/capability.c
 F:     security/commoncap.c
diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
new file mode 100644
index 000000000000..e706ce690c38
--- /dev/null
+++ b/include/trace/events/capability.h
@@ -0,0 +1,60 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM capability
+
+#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_CAPABILITY_H
+
+#include <linux/cred.h>
+#include <linux/tracepoint.h>
+#include <linux/user_namespace.h>
+
+/**
+ * cap_capable - called after it's determined if a task has a particular
+ * effective capability
+ *
+ * @cred: The credentials used
+ * @targ_ns: The user namespace of the resource being accessed
+ * @capable_ns: The user namespace in which the credential provides the
+ *              capability to access the targeted resource.
+ *              This will be NULL if ret is not 0.
+ * @cap: The capability to check for
+ * @opts: Bitmask of options defined in include/linux/security.h
+ * @ret: The return value of the check: 0 if it does, -ve if it does not
+ *
+ * Allows to trace calls to cap_capable in commoncap.c
+ */
+TRACE_EVENT(cap_capable,
+
+       TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
+               struct user_namespace *capable_ns, int cap, unsigned int opts, int ret),
+
+       TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
+
+       TP_STRUCT__entry(
+               __field(const struct cred *, cred)
+               __field(struct user_namespace *, targ_ns)
+               __field(struct user_namespace *, capable_ns)
+               __field(int, cap)
+               __field(unsigned int, opts)
+               __field(int, ret)
+       ),
+
+       TP_fast_assign(
+               __entry->cred       = cred;
+               __entry->targ_ns    = targ_ns;
+               __entry->capable_ns = capable_ns;
+               __entry->cap        = cap;
+               __entry->opts       = opts;
+               __entry->ret        = ret;
+       ),
+
+       TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
+               __entry->cred, __entry->targ_ns, __entry->capable_ns, __entry->cap,
+               __entry->opts, __entry->ret)
+);
+
+#endif /* _TRACE_CAPABILITY_H */
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
diff --git a/security/commoncap.c b/security/commoncap.c
index 162d96b3a676..7287feee0683 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,6 +27,9 @@
 #include <linux/mnt_idmapping.h>
 #include <uapi/linux/lsm.h>

+#define CREATE_TRACE_POINTS
+#include <trace/events/capability.h>
+
 /*
  * If a non-root user executes a setuid-root binary in
  * !secure(SECURE_NOROOT) mode, then we raise capabilities.
@@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
 /**
  * cap_capable - Determine whether a task has a particular effective capability
  * @cred: The credentials to use
- * @targ_ns:  The user namespace in which we need the capability
+ * @targ_ns:  The user namespace of the resource being accessed
  * @cap: The capability to check for
  * @opts: Bitmask of options defined in include/linux/security.h
  *
@@ -67,7 +70,11 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
 int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
                int cap, unsigned int opts)
 {
-       struct user_namespace *ns = targ_ns;
+       int ret = -EPERM;
+       struct user_namespace *capable_ns, *ns;
+
+       capable_ns = NULL;
+       ns = targ_ns;
nit:

struct user_namespace *capable_ns = NULL, *ns = targ_ns;
int ret = -EPERM;

would be more succinct.

But regardless:

Acked-by: Andrii Nakryiko <andrii@kernel.org>
Agreed, that would look nicer.  Maybe even

	int ret = -EPERM;
	struct user_namespace *capable_ns = NULL,
			      *ns = targ_ns;

Reviewed-by: Serge Hallyn <serge@hallyn.com>

-serge
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help