[v1] security: add trace event for cap_capable

Steven Rostedt rostedt at goodmis.org
Fri Oct 25 00:23:07 UTC 2024


On Thu, 24 Oct 2024 10:48:55 -0700
Andrii Nakryiko <andrii.nakryiko at gmail.com> wrote:

> > You record cred, targ_ns and capable_ns but don't use it in TP_printk?
> >
> > It's fine to print pointers there. Is there a reason you do not?  
> 
> Are those pointers really useful for anything? Maybe it's better to
> print ns->ns.inum instead? At least that's something that is usable
> from user space side, no?

Pointers are actually useful from user space. It allows you to add
eprobes to get data from the structure. Yes, you can do this from BPF
but sometimes a shell script is nicer to use.

  $ gdb vmlinux
  (gdb) print &(((struct user_namespace *)0)->ns.inum)
  $2 = (unsigned int *) 0xe8

  # cd /sys/kernel/tracing
  # echo 'e:cap capability/capable num=+0xe8($capable_ns)' > dynamic_events
  # echo 1 > events/eprobes/cap/enable
  # cat trace

Thus pointers give a nice way of getting info dynamically, and having
the pointer printed out in the TP_printk also helps to know you can do
this.

I realize that eprobes is not documented well (or at all) which needs
to be fixed.

-- Steve
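
The steps in the message above as a script, added here as an example and not part of the original email: it reads the member offset from gdb's output, checks the field name, and builds a typed eprobe definition. The helper names, the `:u32` type suffix and appending with `>>` are choices made for this example; the event and field names are the ones used in the thread and assume the tracepoint from the patch under discussion.

```shell
#!/bin/sh
# Added example. Usage (as root): sh cap_eprobe.sh install /path/to/vmlinux
# The script name is hypothetical.

# Extract the hex offset from a gdb result line such as
#   $2 = (unsigned int *) 0xe8
parse_gdb_offset() {
    off=$(printf '%s\n' "$1" |
        sed -n 's/^\$[0-9][0-9]* = (.*) \(0x[0-9a-fA-F][0-9a-fA-F]*\)$/\1/p')
    [ -n "$off" ] || return 1
    printf '%s\n' "$off"
}

# Build one dynamic_events line:
#   e:NAME SYSTEM/EVENT ARG=+OFFSET($FIELD):TYPE
# Arguments: name system/event argname offset field type
eprobe_def() {
    # The offset must be hex as printed by gdb.
    case "$4" in 0x?*) ;; *) return 1 ;; esac
    # $FIELD names a field of the parent event, so it must be a C identifier.
    case "$5" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    printf 'e:%s %s %s=+%s($%s):%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Look up the offset in the given vmlinux, then register and enable the eprobe.
install_eprobe() {
    tracefs=/sys/kernel/tracing
    line=$(gdb -batch \
        -ex 'print &(((struct user_namespace *)0)->ns.inum)' "$1" | tail -n 1)
    off=$(parse_gdb_offset "$line") || return 1
    # ns.inum is an unsigned int, so fetch it as u32.
    def=$(eprobe_def cap capability/capable num "$off" capable_ns u32) || return 1
    # Append: opening dynamic_events with '>' clears existing dynamic events.
    echo "$def" >> "$tracefs/dynamic_events" &&
        echo 1 > "$tracefs/events/eprobes/cap/enable"
}

if [ "${1:-}" = "install" ]; then
    install_eprobe "${2:?path to vmlinux}"
fi
```

The offset depends on the kernel build, so it has to come from the vmlinux that matches the running kernel.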


