[PATCH 00/10] Introduce capable_any()

Christian Göttsche cgzones at googlemail.com
Fri Mar 15 11:37:32 UTC 2024


Add the interfaces `capable_any()` and `ns_capable_any()` as an
alternative to multiple `capable()`/`ns_capable()` calls, like
`capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of
`capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`.

`capable_any()`/`ns_capable_any()` will in particular generate exactly
one audit message, either for the left most capability in effect or, if
the task has none, the first one.

This is especially helpful with regard to SELinux, where each audit
message about a not allowed capability request will create a denial
message.  Using this new wrapper with the least invasive capability as
left most argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables
policy writers to only grant the least invasive one for the particular
subject instead of both.

v4 discussion:
https://lore.kernel.org/all/20230511142535.732324-10-cgzones@googlemail.com/

v3 discussion:
https://patchwork.kernel.org/project/selinux/patch/20220615152623.311223-8-cgzones@googlemail.com/

v5:
  - rename flag to CAP_OPT_NOAUDIT_ONDENY and internal helper to
    ns_capable_noauditondeny()
  - add check for identical capabilities passed to simplify bpf call sites
  - make use in bpf code
  - add coccinelle script
v4:
  - add CAP_OPT_NODENYAUDIT capable flag

Christian Göttsche (10):
  capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY
  capability: add any wrappers to test for multiple caps with exactly
    one audit message
  capability: use new capable_any functionality
  block: use new capable_any functionality
  drivers: use new capable_any functionality
  fs: use new capable_any functionality
  kernel: use new capable_any functionality
  net: use new capable_any functionality
  bpf: use new capable_any functionality
  coccinelle: add script for capable_any()

 MAINTAINERS                              |   1 +
 block/ioprio.c                           |   9 +-
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |   3 +-
 drivers/net/caif/caif_serial.c           |   2 +-
 drivers/s390/block/dasd_eckd.c           |   2 +-
 fs/pipe.c                                |   2 +-
 include/linux/bpf.h                      |   2 +-
 include/linux/capability.h               |  17 ++-
 include/linux/security.h                 |   2 +
 include/net/sock.h                       |   1 +
 kernel/bpf/syscall.c                     |   2 +-
 kernel/bpf/token.c                       |   2 +-
 kernel/capability.c                      |  73 ++++++++++
 kernel/fork.c                            |   2 +-
 net/caif/caif_socket.c                   |   2 +-
 net/core/sock.c                          |  15 ++-
 net/ieee802154/socket.c                  |   6 +-
 net/ipv4/ip_sockglue.c                   |   5 +-
 net/ipv6/ipv6_sockglue.c                 |   3 +-
 net/unix/af_unix.c                       |   2 +-
 scripts/coccinelle/api/capable_any.cocci | 164 +++++++++++++++++++++++
 security/apparmor/capability.c           |   8 +-
 security/selinux/hooks.c                 |  14 +-
 23 files changed, 293 insertions(+), 46 deletions(-)
 create mode 100644 scripts/coccinelle/api/capable_any.cocci

-- 
2.43.0




More information about the Linux-security-module-archive mailing list