On Thu, Nov 28, 2024 at 11:34 AM Serge E. Hallyn <se...@hallyn.com> wrote:
>
> On Thu, Nov 28, 2024 at 07:37:33AM -0800, Jordan Rome wrote:
> > In cases where we want a stable way to observe/trace
> > cap_capable (e.g. protection from inlining and API updates)
> > add a tracepoint that passes:
> > - The credentials used
> > - The user namespace of the resource being accessed
> > - The user namespace in which the credential provides the
> > capability to access the targeted resource
> > - The capability to check for
> > - Bitmask of options defined in include/linux/security.h
> > - The return value of the check
> >
> > Signed-off-by: Jordan Rome <li...@jordanrome.com>
> > ---
> > MAINTAINERS | 1 +
> > include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
> > security/commoncap.c | 57 +++++++++++++++++++----------
> > 3 files changed, 100 insertions(+), 18 deletions(-)
> > create mode 100644 include/trace/events/capability.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index f870842fad9c..b90df58f6030 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -5103,6 +5103,7 @@ M: Serge Hallyn <se...@hallyn.com>
> > L: linux-security-mod...@vger.kernel.org
> > S: Supported
> > F: include/linux/capability.h
> > +F: include/trace/events/capability.h
> > F: include/uapi/linux/capability.h
> > F: kernel/capability.c
> > F: security/commoncap.c
> > diff --git a/include/trace/events/capability.h
> > b/include/trace/events/capability.h
> > new file mode 100644
> > index 000000000000..65311c2652f7
> > --- /dev/null
> > +++ b/include/trace/events/capability.h
> > @@ -0,0 +1,60 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +#undef TRACE_SYSTEM
> > +#define TRACE_SYSTEM capability
> > +
> > +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
> > +#define _TRACE_CAPABILITY_H
> > +
> > +#include <linux/cred.h>
> > +#include <linux/tracepoint.h>
> > +#include <linux/user_namespace.h>
> > +
> > +/**
> > + * cap_capable - called after it's determined if a task has a particular
> > + * effective capability
> > + *
> > + * @cred: The credentials used
> > + * @target_ns: The user namespace of the resource being accessed
> > + * @capable_ns: The user namespace in which the credential provides the
> > + * capability to access the targeted resource.
> > + * This will be NULL if ret is not 0.
> > + * @cap: The capability to check for
> > + * @opts: Bitmask of options defined in include/linux/security.h
> > + * @ret: The return value of the check: 0 if it does, -ve if it does not
> > + *
> > + * Allows to trace calls to cap_capable in commoncap.c
> > + */
> > +TRACE_EVENT(cap_capable,
> > +
> > + TP_PROTO(const struct cred *cred, struct user_namespace *target_ns,
> > + const struct user_namespace *capable_ns, int cap, unsigned
> > int opts, int ret),
>
> Hi,
>
> you're still sending opts in here. Will that really be helpful for
> your use case, given that cap_capable() ignores it as Linus pointed
> out?
>
Ah, my bad. I'll remove.
> > +
> > + TP_ARGS(cred, target_ns, capable_ns, cap, opts, ret),
> > +
> > + TP_STRUCT__entry(
> > + __field(const struct cred *, cred)
> > + __field(struct user_namespace *, target_ns)
> > + __field(const struct user_namespace *, capable_ns)
> > + __field(int, cap)
> > + __field(unsigned int, opts)
> > + __field(int, ret)
> > + ),
> > +
> > + TP_fast_assign(
> > + __entry->cred = cred;
> > + __entry->target_ns = target_ns;
> > + __entry->capable_ns = ret == 0 ? capable_ns : NULL;
> > + __entry->cap = cap;
> > + __entry->opts = opts;
> > + __entry->ret = ret;
> > + ),
> > +
> > + TP_printk("cred %p, target_ns %p, capable_ns %p, cap %d, opts %u, ret
> > %d",
> > + __entry->cred, __entry->target_ns, __entry->capable_ns,
> > __entry->cap,
> > + __entry->opts, __entry->ret)
> > +);
> > +
> > +#endif /* _TRACE_CAPABILITY_H */
> > +
> > +/* This part must be outside protection */
> > +#include <trace/define_trace.h>
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index cefad323a0b1..9fa9aba3961d 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -27,6 +27,9 @@
> > #include <linux/mnt_idmapping.h>
> > #include <uapi/linux/lsm.h>
> >
> > +#define CREATE_TRACE_POINTS
> > +#include <trace/events/capability.h>
> > +
> > /*
> > * If a non-root user executes a setuid-root binary in
> > * !secure(SECURE_NOROOT) mode, then we raise capabilities.
> > @@ -50,24 +53,17 @@ static void warn_setuid_and_fcaps_mixed(const char
> > *fname)
> > }
> >
> > /**
> > - * cap_capable - Determine whether a task has a particular effective
> > capability
> > - * @cred: The credentials to use
> > - * @targ_ns: The user namespace in which we need the capability
> > - * @cap: The capability to check for
> > - * @opts: Bitmask of options defined in include/linux/security.h
> > + * cap_capable_helper - Determine whether a task has a particular effective
> > + * capability.
> > *
> > - * Determine whether the nominated task has the specified capability
> > amongst
> > - * its effective set, returning 0 if it does, -ve if it does not.
> > - *
> > - * NOTE WELL: cap_has_capability() cannot be used like the kernel's
> > capable()
> > - * and has_capability() functions. That is, it has the reverse semantics:
> > - * cap_has_capability() returns 0 when a task has a capability, but the
> > - * kernel's capable() and has_capability() returns 1 for this case.
> > + * See cap_capable for more details.
> > */
> > -int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> > - int cap, unsigned int opts)
> > +static inline int cap_capable_helper(const struct cred *cred,
> > + struct user_namespace *target_ns,
> > + const struct user_namespace *cred_ns,
> > + int cap)
> > {
> > - struct user_namespace *ns = targ_ns;
> > + struct user_namespace *ns = target_ns;
> >
> > /* See if cred has the capability in the target user namespace
> > * by examining the target user namespace and all of the target
> > @@ -75,21 +71,21 @@ int cap_capable(const struct cred *cred, struct
> > user_namespace *targ_ns,
> > */
> > for (;;) {
> > /* Do we have the necessary capabilities? */
> > - if (ns == cred->user_ns)
> > + if (likely(ns == cred_ns))
> > return cap_raised(cred->cap_effective, cap) ? 0 :
> > -EPERM;
> >
> > /*
> > * If we're already at a lower level than we're looking for,
> > * we're done searching.
> > */
> > - if (ns->level <= cred->user_ns->level)
> > + if (ns->level <= cred_ns->level)
> > return -EPERM;
> >
> > /*
> > * The owner of the user namespace in the parent of the
> > * user namespace has all caps.
> > */
> > - if ((ns->parent == cred->user_ns) && uid_eq(ns->owner,
> > cred->euid))
> > + if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
> > return 0;
> >
> > /*
> > @@ -102,6 +98,31 @@ int cap_capable(const struct cred *cred, struct
> > user_namespace *targ_ns,
> > /* We never get here */
> > }
> >
> > +/**
> > + * cap_capable - Determine whether a task has a particular effective
> > capability
> > + * @cred: The credentials to use
> > + * @target_ns: The user namespace of the resource being accessed
> > + * @cap: The capability to check for
> > + * @opts: Bitmask of options defined in include/linux/security.h
> > + *
> > + * Determine whether the nominated task has the specified capability
> > amongst
> > + * its effective set, returning 0 if it does, -ve if it does not.
> > + *
> > + * NOTE WELL: cap_has_capability() cannot be used like the kernel's
> > capable()
> > + * and has_capability() functions. That is, it has the reverse semantics:
> > + * cap_has_capability() returns 0 when a task has a capability, but the
> > + * kernel's capable() and has_capability() returns 1 for this case.
> > + */
> > +int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
> > + int cap, unsigned int opts)
> > +{
> > + const struct user_namespace *cred_ns = cred->user_ns;
> > + int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
> > +
> > + trace_cap_capable(cred, target_ns, cred_ns, cap, opts, ret);
> > + return ret;
> > +}
> > +
> > /**
> > * cap_settime - Determine whether the current process may set the system
> > clock
> > * @ts: The time to set
> > --
> > 2.43.5
> >
