In cases where we want a stable way to observe/trace
cap_capable (e.g. protection from inlining and API updates)
add a tracepoint that passes:
- The credentials used
- The user namespace of the resource being accessed
- The user namespace in which the credential provides the
capability to access the targeted resource
- The capability to check for
- Bitmask of options defined in include/linux/security.h
- The return value of the check
Signed-off-by: Jordan Rome <li...@jordanrome.com>
---
MAINTAINERS | 1 +
include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
security/commoncap.c | 30 +++++++++++-----
3 files changed, 83 insertions(+), 8 deletions(-)
create mode 100644 include/trace/events/capability.h
diff --git a/MAINTAINERS b/MAINTAINERS
index cc40a9d9b8cd..210e9076c858 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4994,6 +4994,7 @@ M: Serge Hallyn <se...@hallyn.com>
L: linux-security-mod...@vger.kernel.org
S: Supported
F: include/linux/capability.h
+F: include/trace/events/capability.h
F: include/uapi/linux/capability.h
F: kernel/capability.c
F: security/commoncap.c
diff --git a/include/trace/events/capability.h
b/include/trace/events/capability.h
new file mode 100644
index 000000000000..e706ce690c38
--- /dev/null
+++ b/include/trace/events/capability.h
@@ -0,0 +1,60 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM capability
+
+#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_CAPABILITY_H
+
+#include <linux/cred.h>
+#include <linux/tracepoint.h>
+#include <linux/user_namespace.h>
+
+/**
+ * cap_capable - called after it's determined if a task has a particular
+ * effective capability
+ *
+ * @cred: The credentials used
+ * @targ_ns: The user namespace of the resource being accessed
+ * @capable_ns: The user namespace in which the credential provides the
+ * capability to access the targeted resource.
+ * This will be NULL if ret is not 0.
+ * @cap: The capability to check for
+ * @opts: Bitmask of options defined in include/linux/security.h
+ * @ret: The return value of the check: 0 if it does, -ve if it does not
+ *
+ * Allows to trace calls to cap_capable in commoncap.c
+ */
+TRACE_EVENT(cap_capable,
+
+ TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
+ struct user_namespace *capable_ns, int cap, unsigned int opts,
int ret),
+
+ TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
+
+ TP_STRUCT__entry(
+ __field(const struct cred *, cred)
+ __field(struct user_namespace *, targ_ns)
+ __field(struct user_namespace *, capable_ns)
+ __field(int, cap)
+ __field(unsigned int, opts)
+ __field(int, ret)
+ ),
+
+ TP_fast_assign(
+ __entry->cred = cred;
+ __entry->targ_ns = targ_ns;
+ __entry->capable_ns = capable_ns;
+ __entry->cap = cap;
+ __entry->opts = opts;
+ __entry->ret = ret;
+ ),
+
+ TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
+ __entry->cred, __entry->targ_ns, __entry->capable_ns,
__entry->cap,
+ __entry->opts, __entry->ret)
+);
+
+#endif /* _TRACE_CAPABILITY_H */
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
diff --git a/security/commoncap.c b/security/commoncap.c
index 162d96b3a676..7a74eb27eebf 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,6 +27,9 @@
#include <linux/mnt_idmapping.h>
#include <uapi/linux/lsm.h>
+#define CREATE_TRACE_POINTS
+#include <trace/events/capability.h>
+
/*
* If a non-root user executes a setuid-root binary in
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
@@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
/**
* cap_capable - Determine whether a task has a particular effective capability
* @cred: The credentials to use
- * @targ_ns: The user namespace in which we need the capability
+ * @targ_ns: The user namespace of the resource being accessed
* @cap: The capability to check for
* @opts: Bitmask of options defined in include/linux/security.h
*
@@ -67,7 +70,9 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
int cap, unsigned int opts)
{
- struct user_namespace *ns = targ_ns;
+ int ret = -EPERM;
+ struct user_namespace *capable_ns = NULL,
+ *ns = targ_ns;
/* See if cred has the capability in the target user namespace
* by examining the target user namespace and all of the target
@@ -75,22 +80,30 @@ int cap_capable(const struct cred *cred, struct
user_namespace *targ_ns,
*/
for (;;) {
/* Do we have the necessary capabilities? */
- if (ns == cred->user_ns)
- return cap_raised(cred->cap_effective, cap) ? 0 :
-EPERM;
+ if (ns == cred->user_ns) {
+ if (cap_raised(cred->cap_effective, cap)) {
+ capable_ns = ns;
+ ret = 0;
+ }
+ break;
+ }
/*
* If we're already at a lower level than we're looking for,
* we're done searching.
*/
if (ns->level <= cred->user_ns->level)
- return -EPERM;
+ break;
/*
* The owner of the user namespace in the parent of the
* user namespace has all caps.
*/
- if ((ns->parent == cred->user_ns) && uid_eq(ns->owner,
cred->euid))
- return 0;
+ if ((ns->parent == cred->user_ns) && uid_eq(ns->owner,
cred->euid)) {
+ capable_ns = ns->parent;
+ ret = 0;
+ break;
+ }
/*
* If you have a capability in a parent user ns, then you have
@@ -99,7 +112,8 @@ int cap_capable(const struct cred *cred, struct
user_namespace *targ_ns,
ns = ns->parent;
}
- /* We never get here */
+ trace_cap_capable(cred, targ_ns, capable_ns, cap, opts, ret);
+ return ret;
}
/**
--
2.43.5
