On Thu, Oct 24, 2024 at 3:40 AM Jordan Rome <[email protected]> wrote: > > In cases where we want a stable way to observe/trace > cap_capable (e.g. protection from inlining and API updates) > add a tracepoint that passes: > - The credentials used > - The user namespace which needs the capability > - The user namespace that actually has the capability (if one exists) > - The capability to check for > - Bitmask of options defined in include/linux/security.h > - The return value of the check > > Signed-off-by: Jordan Rome <[email protected]> > --- > MAINTAINERS | 1 + > include/trace/events/capability.h | 58 +++++++++++++++++++++++++++++++ > security/commoncap.c | 21 +++++++---- > 3 files changed, 74 insertions(+), 6 deletions(-) > create mode 100644 include/trace/events/capability.h > > diff --git a/MAINTAINERS b/MAINTAINERS > index cc40a9d9b8cd..210e9076c858 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -4994,6 +4994,7 @@ M: Serge Hallyn <[email protected]> > L: [email protected] > S: Supported > F: include/linux/capability.h > +F: include/trace/events/capability.h > F: include/uapi/linux/capability.h > F: kernel/capability.c > F: security/commoncap.c > diff --git a/include/trace/events/capability.h > b/include/trace/events/capability.h > new file mode 100644 > index 000000000000..092b8e77063a > --- /dev/null > +++ b/include/trace/events/capability.h > @@ -0,0 +1,58 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +#undef TRACE_SYSTEM > +#define TRACE_SYSTEM capability > + > +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ) > +#define _TRACE_CAPABILITY_H > + > +#include <linux/cred.h> > +#include <linux/tracepoint.h> > +#include <linux/user_namespace.h> > + > +/** > + * capable - called after it's determined if a task has a particular > + * effective capability > + * > + * @cred: The credentials used > + * @targ_ns: The user namespace which needs the capability > + * @capable_ns: The user namespace that actually has the capability > + * if ret is 0 otherwise this will be NULL > + * @cap: The capability to check for > + * @opts: Bitmask of options defined in include/linux/security.h > + * @ret: The return value of the check: 0 if it does, -ve if it does not > + * > + * Allows to trace calls to cap_capable in commoncap.c > + */ > +TRACE_EVENT(capable, > + > + TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns, > + struct user_namespace *capable_ns, int cap, unsigned int > opts, int ret), > + > + TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret), > + > + TP_STRUCT__entry( > + __field(const struct cred *, cred) > + __field(struct user_namespace *, targ_ns) > + __field(struct user_namespace *, capable_ns) > + __field(int, cap) > + __field(unsigned int, opts) > + __field(int, ret) > + ), > + > + TP_fast_assign( > + __entry->cred = cred; > + __entry->targ_ns = targ_ns; > + __entry->capable_ns = capable_ns; > + __entry->cap = cap; > + __entry->opts = opts; > + __entry->ret = ret; > + ), > + > + TP_printk("cap %d, opts %u, ret %d", > + __entry->cap, __entry->opts, __entry->ret) > +); > + > +#endif /* _TRACE_CAPABILITY_H */ > + > +/* This part must be outside protection */ > +#include <trace/define_trace.h> > diff --git a/security/commoncap.c b/security/commoncap.c > index 162d96b3a676..675d40fbaa77 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -27,6 +27,9 @@ > #include <linux/mnt_idmapping.h> > #include <uapi/linux/lsm.h> > > +#define CREATE_TRACE_POINTS > +#include <trace/events/capability.h> > + > /* > * If a non-root user executes a setuid-root binary in > * !secure(SECURE_NOROOT) mode, then we raise capabilities. > @@ -68,6 +71,7 @@ int cap_capable(const struct cred *cred, struct > user_namespace *targ_ns, > int cap, unsigned int opts) > { > struct user_namespace *ns = targ_ns; > + int ret = 0; > > /* See if cred has the capability in the target user namespace > * by examining the target user namespace and all of the target > @@ -75,22 +79,26 @@ int cap_capable(const struct cred *cred, struct > user_namespace *targ_ns, > */ > for (;;) { > /* Do we have the necessary capabilities? */ > - if (ns == cred->user_ns) > - return cap_raised(cred->cap_effective, cap) ? 0 : > -EPERM; > + if (ns == cred->user_ns) { > + ret = cap_raised(cred->cap_effective, cap) ? 0 : > -EPERM; > + break; > + } > > /* > * If we're already at a lower level than we're looking for, > * we're done searching. > */ > - if (ns->level <= cred->user_ns->level) > - return -EPERM; > + if (ns->level <= cred->user_ns->level) {
I'd do ns = NULL; here > + ret = -EPERM; > + break; > + } > > /* > * The owner of the user namespace in the parent of the > * user namespace has all caps. > */ > if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, > cred->euid)) and this needs `ns = ns->parent;` (because that's the namespace that grants capability, is that right?) > - return 0; > + break; > > /* > * If you have a capability in a parent user ns, then you have > @@ -99,7 +107,8 @@ int cap_capable(const struct cred *cred, struct > user_namespace *targ_ns, > ns = ns->parent; > } > > - /* We never get here */ > + trace_capable(cred, targ_ns, ret == 0 ? ns : NULL, cap, opts, ret); with the above changes just pass ns directly, no need for `ret == 0` check (and it seems it's wrong for one of the case due to ns->parent use) > + return ret; > } > > /** > -- > 2.43.5 >
