[v8] security: add trace event for cap_capable
Serge E. Hallyn
serge at hallyn.com
Sat Nov 30 20:07:05 UTC 2024
On Fri, Nov 29, 2024 at 09:57:54PM -0500, Paul Moore wrote:
> On Thu, Nov 28, 2024 at 5:49 PM Jordan Rome <linux at jordanrome.com> wrote:
> >
> > In cases where we want a stable way to observe/trace
> > cap_capable (e.g. protection from inlining and API updates)
> > add a tracepoint that passes:
> > - The credentials used
> > - The user namespace of the resource being accessed
> > - The user namespace in which the credential provides the
> > capability to access the targeted resource
> > - The capability to check for
> > - The return value of the check
> >
> > Signed-off-by: Jordan Rome <linux at jordanrome.com>
> > ---
> > MAINTAINERS | 1 +
> > include/trace/events/capability.h | 57 +++++++++++++++++++++++++++++++
> > security/commoncap.c | 57 +++++++++++++++++++++----------
> > 3 files changed, 97 insertions(+), 18 deletions(-)
> > create mode 100644 include/trace/events/capability.h
>
> I'm personally not a fan of the helper based approach here, it adds
> unnecessary complexity in my opinion, but I understand that was an
> edict handed to you. Otherwise, and within the other constraints, I
> think this looks okay.
>
> Reviewed-by: Paul Moore <paul at paul-moore.com>
Reviewed-by: Serge Hallyn <serge at hallyn.com>
Thanks, I'll add it to the caps-next tree so it can get some
testing until the next merge window.
>
> --
> paul-moore.com