[v3] security: add trace event for cap_capable

Serge E. Hallyn serge at hallyn.com
Tue Oct 29 20:20:18 UTC 2024 

On Tue, Oct 29, 2024 at 10:03:29AM -0700, Andrii Nakryiko wrote:
> On Tue, Oct 29, 2024 at 4:21 AM Jordan Rome <linux at jordanrome.com> wrote:
> >
> > In cases where we want a stable way to observe/trace
> > cap_capable (e.g. protection from inlining and API updates)
> > add a tracepoint that passes:
> > - The credentials used
> > - The user namespace of the resource being accessed
> > - The user namespace in which the credential provides the
> > capability to access the targeted resource
> > - The capability to check for
> > - Bitmask of options defined in include/linux/security.h
> > - The return value of the check
> >
> > Signed-off-by: Jordan Rome <linux at jordanrome.com>
> > ---
> >  MAINTAINERS                       |  1 +
> >  include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
> >  security/commoncap.c              | 32 ++++++++++++-----
> >  3 files changed, 85 insertions(+), 8 deletions(-)
> >  create mode 100644 include/trace/events/capability.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index cc40a9d9b8cd..210e9076c858 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -4994,6 +4994,7 @@ M:        Serge Hallyn <serge at hallyn.com>
> >  L:     linux-security-module at vger.kernel.org
> >  S:     Supported
> >  F:     include/linux/capability.h
> > +F:     include/trace/events/capability.h
> >  F:     include/uapi/linux/capability.h
> >  F:     kernel/capability.c
> >  F:     security/commoncap.c
> > diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
> > new file mode 100644
> > index 000000000000..e706ce690c38
> > --- /dev/null
> > +++ b/include/trace/events/capability.h
> > @@ -0,0 +1,60 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +#undef TRACE_SYSTEM
> > +#define TRACE_SYSTEM capability
> > +
> > +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
> > +#define _TRACE_CAPABILITY_H
> > +
> > +#include <linux/cred.h>
> > +#include <linux/tracepoint.h>
> > +#include <linux/user_namespace.h>
> > +
> > +/**
> > + * cap_capable - called after it's determined if a task has a particular
> > + * effective capability
> > + *
> > + * @cred: The credentials used
> > + * @targ_ns: The user namespace of the resource being accessed
> > + * @capable_ns: The user namespace in which the credential provides the
> > + *              capability to access the targeted resource.
> > + *              This will be NULL if ret is not 0.
> > + * @cap: The capability to check for
> > + * @opts: Bitmask of options defined in include/linux/security.h
> > + * @ret: The return value of the check: 0 if it does, -ve if it does not
> > + *
> > + * Allows to trace calls to cap_capable in commoncap.c
> > + */
> > +TRACE_EVENT(cap_capable,
> > +
> > +       TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
> > +               struct user_namespace *capable_ns, int cap, unsigned int opts, int ret),
> > +
> > +       TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
> > +
> > +       TP_STRUCT__entry(
> > +               __field(const struct cred *, cred)
> > +               __field(struct user_namespace *, targ_ns)
> > +               __field(struct user_namespace *, capable_ns)
> > +               __field(int, cap)
> > +               __field(unsigned int, opts)
> > +               __field(int, ret)
> > +       ),
> > +
> > +       TP_fast_assign(
> > +               __entry->cred       = cred;
> > +               __entry->targ_ns    = targ_ns;
> > +               __entry->capable_ns = capable_ns;
> > +               __entry->cap        = cap;
> > +               __entry->opts       = opts;
> > +               __entry->ret        = ret;
> > +       ),
> > +
> > +       TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
> > +               __entry->cred, __entry->targ_ns, __entry->capable_ns, __entry->cap,
> > +               __entry->opts, __entry->ret)
> > +);
> > +
> > +#endif /* _TRACE_CAPABILITY_H */
> > +
> > +/* This part must be outside protection */
> > +#include <trace/define_trace.h>
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 162d96b3a676..7287feee0683 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -27,6 +27,9 @@
> >  #include <linux/mnt_idmapping.h>
> >  #include <uapi/linux/lsm.h>
> >
> > +#define CREATE_TRACE_POINTS
> > +#include <trace/events/capability.h>
> > +
> >  /*
> >   * If a non-root user executes a setuid-root binary in
> >   * !secure(SECURE_NOROOT) mode, then we raise capabilities.
> > @@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
> >  /**
> >   * cap_capable - Determine whether a task has a particular effective capability
> >   * @cred: The credentials to use
> > - * @targ_ns:  The user namespace in which we need the capability
> > + * @targ_ns:  The user namespace of the resource being accessed
> >   * @cap: The capability to check for
> >   * @opts: Bitmask of options defined in include/linux/security.h
> >   *
> > @@ -67,7 +70,11 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
> >  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> >                 int cap, unsigned int opts)
> >  {
> > -       struct user_namespace *ns = targ_ns;
> > +       int ret = -EPERM;
> > +       struct user_namespace *capable_ns, *ns;
> > +
> > +       capable_ns = NULL;
> > +       ns = targ_ns;
> 
> nit:
> 
> struct user_namespace *capable_ns = NULL, *ns = targ_ns;
> int ret = -EPERM;
> 
> would be more succinct.
> 
> But regardless:
> 
> Acked-by: Andrii Nakryiko <andrii at kernel.org>

Agreed, that would look nicer.  Maybe even

	int ret = -EPERM;
	struct user_namespace *capable_ns = NULL,
			      *ns = targ_ns;

Reviewed-by: Serge Hallyn <serge at hallyn.com>

-serge

More information about the Linux-security-module-archive mailing list