[v8] security: add trace event for cap_capable
Paul Moore
paul at paul-moore.com
Sat Nov 30 02:57:54 UTC 2024
On Thu, Nov 28, 2024 at 5:49 PM Jordan Rome <linux at jordanrome.com> wrote:
>
> In cases where we want a stable way to observe/trace
> cap_capable (e.g. protection from inlining and API updates)
> add a tracepoint that passes:
> - The credentials used
> - The user namespace of the resource being accessed
> - The user namespace in which the credential provides the
> capability to access the targeted resource
> - The capability to check for
> - The return value of the check
>
> Signed-off-by: Jordan Rome <linux at jordanrome.com>
> ---
> MAINTAINERS | 1 +
> include/trace/events/capability.h | 57 +++++++++++++++++++++++++++++++
> security/commoncap.c | 57 +++++++++++++++++++++----------
> 3 files changed, 97 insertions(+), 18 deletions(-)
> create mode 100644 include/trace/events/capability.h
I'm personally not a fan of the helper-based approach here; it adds
unnecessary complexity in my opinion, but I understand that was an
edict handed to you. Otherwise, and within the other constraints, I
think this looks okay.
Reviewed-by: Paul Moore <paul at paul-moore.com>
--
paul-moore.com