mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-29 09:12:07 +00:00
security: add trace event for cap_capable
In cases where we want a stable way to observe/trace cap_capable (e.g. protection from inlining and API updates) add a tracepoint that passes: - The credentials used - The user namespace of the resource being accessed - The user namespace in which the credential provides the capability to access the targeted resource - The capability to check for - The return value of the check Signed-off-by: Jordan Rome <linux@jordanrome.com> Acked-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Link: https://lore.kernel.org/r/20241204155911.1817092-1-linux@jordanrome.com Signed-off-by: Serge Hallyn <sergeh@kernel.org>
This commit is contained in:
parent
3f4f1f8a1a
commit
d48da4d5ed
@ -5147,6 +5147,7 @@ M: Serge Hallyn <serge@hallyn.com>
|
|||||||
L: linux-security-module@vger.kernel.org
|
L: linux-security-module@vger.kernel.org
|
||||||
S: Supported
|
S: Supported
|
||||||
F: include/linux/capability.h
|
F: include/linux/capability.h
|
||||||
|
F: include/trace/events/capability.h
|
||||||
F: include/uapi/linux/capability.h
|
F: include/uapi/linux/capability.h
|
||||||
F: kernel/capability.c
|
F: kernel/capability.c
|
||||||
F: security/commoncap.c
|
F: security/commoncap.c
|
||||||
|
57
include/trace/events/capability.h
Normal file
57
include/trace/events/capability.h
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
/* SPDX-License-Identifier: GPL-2.0 */
|
||||||
|
#undef TRACE_SYSTEM
|
||||||
|
#define TRACE_SYSTEM capability
|
||||||
|
|
||||||
|
#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
|
||||||
|
#define _TRACE_CAPABILITY_H
|
||||||
|
|
||||||
|
#include <linux/cred.h>
|
||||||
|
#include <linux/tracepoint.h>
|
||||||
|
#include <linux/user_namespace.h>
|
||||||
|
|
||||||
|
/**
|
||||||
|
* cap_capable - called after it's determined if a task has a particular
|
||||||
|
* effective capability
|
||||||
|
*
|
||||||
|
* @cred: The credentials used
|
||||||
|
* @target_ns: The user namespace of the resource being accessed
|
||||||
|
* @capable_ns: The user namespace in which the credential provides the
|
||||||
|
* capability to access the targeted resource.
|
||||||
|
* This will be NULL if ret is not 0.
|
||||||
|
* @cap: The capability to check for
|
||||||
|
* @ret: The return value of the check: 0 if it does, -ve if it does not
|
||||||
|
*
|
||||||
|
* Allows to trace calls to cap_capable in commoncap.c
|
||||||
|
*/
|
||||||
|
TRACE_EVENT(cap_capable,
|
||||||
|
|
||||||
|
TP_PROTO(const struct cred *cred, struct user_namespace *target_ns,
|
||||||
|
const struct user_namespace *capable_ns, int cap, int ret),
|
||||||
|
|
||||||
|
TP_ARGS(cred, target_ns, capable_ns, cap, ret),
|
||||||
|
|
||||||
|
TP_STRUCT__entry(
|
||||||
|
__field(const struct cred *, cred)
|
||||||
|
__field(struct user_namespace *, target_ns)
|
||||||
|
__field(const struct user_namespace *, capable_ns)
|
||||||
|
__field(int, cap)
|
||||||
|
__field(int, ret)
|
||||||
|
),
|
||||||
|
|
||||||
|
TP_fast_assign(
|
||||||
|
__entry->cred = cred;
|
||||||
|
__entry->target_ns = target_ns;
|
||||||
|
__entry->capable_ns = ret == 0 ? capable_ns : NULL;
|
||||||
|
__entry->cap = cap;
|
||||||
|
__entry->ret = ret;
|
||||||
|
),
|
||||||
|
|
||||||
|
TP_printk("cred %p, target_ns %p, capable_ns %p, cap %d, ret %d",
|
||||||
|
__entry->cred, __entry->target_ns, __entry->capable_ns, __entry->cap,
|
||||||
|
__entry->ret)
|
||||||
|
);
|
||||||
|
|
||||||
|
#endif /* _TRACE_CAPABILITY_H */
|
||||||
|
|
||||||
|
/* This part must be outside protection */
|
||||||
|
#include <trace/define_trace.h>
|
@ -27,6 +27,9 @@
|
|||||||
#include <linux/mnt_idmapping.h>
|
#include <linux/mnt_idmapping.h>
|
||||||
#include <uapi/linux/lsm.h>
|
#include <uapi/linux/lsm.h>
|
||||||
|
|
||||||
|
#define CREATE_TRACE_POINTS
|
||||||
|
#include <trace/events/capability.h>
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If a non-root user executes a setuid-root binary in
|
* If a non-root user executes a setuid-root binary in
|
||||||
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
|
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
|
||||||
@ -50,24 +53,24 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cap_capable - Determine whether a task has a particular effective capability
|
* cap_capable_helper - Determine whether a task has a particular effective
|
||||||
|
* capability.
|
||||||
* @cred: The credentials to use
|
* @cred: The credentials to use
|
||||||
* @targ_ns: The user namespace in which we need the capability
|
* @target_ns: The user namespace of the resource being accessed
|
||||||
|
* @cred_ns: The user namespace of the credentials
|
||||||
* @cap: The capability to check for
|
* @cap: The capability to check for
|
||||||
* @opts: Bitmask of options defined in include/linux/security.h
|
|
||||||
*
|
*
|
||||||
* Determine whether the nominated task has the specified capability amongst
|
* Determine whether the nominated task has the specified capability amongst
|
||||||
* its effective set, returning 0 if it does, -ve if it does not.
|
* its effective set, returning 0 if it does, -ve if it does not.
|
||||||
*
|
*
|
||||||
* NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
|
* See cap_capable for more details.
|
||||||
* and has_capability() functions. That is, it has the reverse semantics:
|
|
||||||
* cap_has_capability() returns 0 when a task has a capability, but the
|
|
||||||
* kernel's capable() and has_capability() returns 1 for this case.
|
|
||||||
*/
|
*/
|
||||||
int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
static inline int cap_capable_helper(const struct cred *cred,
|
||||||
int cap, unsigned int opts)
|
struct user_namespace *target_ns,
|
||||||
|
const struct user_namespace *cred_ns,
|
||||||
|
int cap)
|
||||||
{
|
{
|
||||||
struct user_namespace *ns = targ_ns;
|
struct user_namespace *ns = target_ns;
|
||||||
|
|
||||||
/* See if cred has the capability in the target user namespace
|
/* See if cred has the capability in the target user namespace
|
||||||
* by examining the target user namespace and all of the target
|
* by examining the target user namespace and all of the target
|
||||||
@ -75,21 +78,21 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
|||||||
*/
|
*/
|
||||||
for (;;) {
|
for (;;) {
|
||||||
/* Do we have the necessary capabilities? */
|
/* Do we have the necessary capabilities? */
|
||||||
if (ns == cred->user_ns)
|
if (likely(ns == cred_ns))
|
||||||
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If we're already at a lower level than we're looking for,
|
* If we're already at a lower level than we're looking for,
|
||||||
* we're done searching.
|
* we're done searching.
|
||||||
*/
|
*/
|
||||||
if (ns->level <= cred->user_ns->level)
|
if (ns->level <= cred_ns->level)
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The owner of the user namespace in the parent of the
|
* The owner of the user namespace in the parent of the
|
||||||
* user namespace has all caps.
|
* user namespace has all caps.
|
||||||
*/
|
*/
|
||||||
if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
|
if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -102,6 +105,31 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
|||||||
/* We never get here */
|
/* We never get here */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* cap_capable - Determine whether a task has a particular effective capability
|
||||||
|
* @cred: The credentials to use
|
||||||
|
* @target_ns: The user namespace of the resource being accessed
|
||||||
|
* @cap: The capability to check for
|
||||||
|
* @opts: Bitmask of options defined in include/linux/security.h (unused)
|
||||||
|
*
|
||||||
|
* Determine whether the nominated task has the specified capability amongst
|
||||||
|
* its effective set, returning 0 if it does, -ve if it does not.
|
||||||
|
*
|
||||||
|
* NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
|
||||||
|
* and has_capability() functions. That is, it has the reverse semantics:
|
||||||
|
* cap_has_capability() returns 0 when a task has a capability, but the
|
||||||
|
* kernel's capable() and has_capability() returns 1 for this case.
|
||||||
|
*/
|
||||||
|
int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
|
||||||
|
int cap, unsigned int opts)
|
||||||
|
{
|
||||||
|
const struct user_namespace *cred_ns = cred->user_ns;
|
||||||
|
int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
|
||||||
|
|
||||||
|
trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cap_settime - Determine whether the current process may set the system clock
|
* cap_settime - Determine whether the current process may set the system clock
|
||||||
* @ts: The time to set
|
* @ts: The time to set
|
||||||
|
Loading…
Reference in New Issue
Block a user