[v4] security: add trace event for cap_capable

Message ID	20241030013314.2188163-1-linux@jordanrome.com (mailing list archive)
State	Handled Elsewhere
Headers	show Received: from mout.perfora.net (mout.perfora.net [74.208.4.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E40DBE46; Wed, 30 Oct 2024 01:34:02 +0000 (UTC) From: Jordan Rome <linux@jordanrome.com> To: linux-security-module@vger.kernel.org Cc: linux-trace-kernel@vger.kernel.org, Andrii Nakryiko <andrii@kernel.org>, Kernel Team <kernel-team@fb.com>, Serge Hallyn <serge@hallyn.com>, Yonghong Song <yonghong.song@linux.dev> Subject: [v4] security: add trace event for cap_capable Date: Tue, 29 Oct 2024 18:33:14 -0700 Message-ID: <20241030013314.2188163-1-linux@jordanrome.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable UI-OutboundReport: notjunk:1;M01:P0:aTxEpAd42b8=;v84bSkeqsgygOMOBKAVi3lLmrb6 YECwjj9bURukzABB2xk4ZUYwytlGjH0ks+UhwfNtTZQctQz99BcSNjdd018/xBbFiXgKo5yKt gORnI5vPpFNrlp37Tt5Okn5c+//qfFhxkhqT94GFdZutASPTTM+UTFhDdvEo4JNxtuJcGrOkR hQOt8KzNl7HkqWI3PdXbXTshd/YDRO1/v87Rd1uUn+oLKhwizVSPzu+xTCeG9Xciyp5Y9akle rIQyEV4O0IAgJfwZqFjTsoJ3EiD7XlF1hNIxttbhYbND7VgqX9FnEqTvYRB+I7wg38LgFgkIS iamjz/vdEVaCc+PbzMv6aEiPklBpHK/GqITRNqKLMlfWE2ECTkCedyUBT5xtnAvOgceUIINLW u0O5LzmH3jAY4yrzy5jebphb+X0v8+jdOJqLgCpmUSAWrgd5ZE5zX3lg9RJyEKx0/aUhBMU8T GyaaMGX/GUl4xKlzNhGXv9ozjTvY+PkXfkimx1seWk2wkKq3uF0UCEhI/0YqfdTygCtb+kiYg 8v+A1txlOyi5UNCRLL/rxTGc+oJ9PJB3XCnjjeVD6G8EpBL75g/E1Vu33TPN+voLG1CPe65J7 UayletCDt1sQG9g7TzEerQ6UncCm3Oy/F07oa96J3+qWLHW/TCxKfnXN1Gol8DIVlj5qNxd8U QDhpHf/9TVrQfAboxQRaVGrMpm5oQW3T6ZOfdWnZ2RGhZbvECG0jQ0EwOF3an2wvlsO7UIGCd iNT4bSTwLltlwQvkAnvtfUR1qmquL6sHA==
Series	[v4] security: add trace event for cap_capable \| expand [v4] security: add trace event for cap_capable

Message ID

20241030013314.2188163-1-linux@jordanrome.com (mailing list archive)

State

Handled Elsewhere

Headers

From: Jordan Rome <linux@jordanrome.com>
To: linux-security-module@vger.kernel.org
Cc: linux-trace-kernel@vger.kernel.org,
	Andrii Nakryiko <andrii@kernel.org>,
	Kernel Team <kernel-team@fb.com>,
	Serge Hallyn <serge@hallyn.com>,
	Yonghong Song <yonghong.song@linux.dev>
Subject: [v4] security: add trace event for cap_capable
Date: Tue, 29 Oct 2024 18:33:14 -0700
Message-ID: <20241030013314.2188163-1-linux@jordanrome.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
UI-OutboundReport: notjunk:1;M01:P0:aTxEpAd42b8=;v84bSkeqsgygOMOBKAVi3lLmrb6
 YECwjj9bURukzABB2xk4ZUYwytlGjH0ks+UhwfNtTZQctQz99BcSNjdd018/xBbFiXgKo5yKt
 gORnI5vPpFNrlp37Tt5Okn5c+//qfFhxkhqT94GFdZutASPTTM+UTFhDdvEo4JNxtuJcGrOkR
 hQOt8KzNl7HkqWI3PdXbXTshd/YDRO1/v87Rd1uUn+oLKhwizVSPzu+xTCeG9Xciyp5Y9akle
 rIQyEV4O0IAgJfwZqFjTsoJ3EiD7XlF1hNIxttbhYbND7VgqX9FnEqTvYRB+I7wg38LgFgkIS
 iamjz/vdEVaCc+PbzMv6aEiPklBpHK/GqITRNqKLMlfWE2ECTkCedyUBT5xtnAvOgceUIINLW
 u0O5LzmH3jAY4yrzy5jebphb+X0v8+jdOJqLgCpmUSAWrgd5ZE5zX3lg9RJyEKx0/aUhBMU8T
 GyaaMGX/GUl4xKlzNhGXv9ozjTvY+PkXfkimx1seWk2wkKq3uF0UCEhI/0YqfdTygCtb+kiYg
 8v+A1txlOyi5UNCRLL/rxTGc+oJ9PJB3XCnjjeVD6G8EpBL75g/E1Vu33TPN+voLG1CPe65J7
 UayletCDt1sQG9g7TzEerQ6UncCm3Oy/F07oa96J3+qWLHW/TCxKfnXN1Gol8DIVlj5qNxd8U
 QDhpHf/9TVrQfAboxQRaVGrMpm5oQW3T6ZOfdWnZ2RGhZbvECG0jQ0EwOF3an2wvlsO7UIGCd
 iNT4bSTwLltlwQvkAnvtfUR1qmquL6sHA==

Series

[v4] security: add trace event for cap_capable | expand

Commit Message

Jordan Rome Oct. 30, 2024, 1:33 a.m. UTC

In cases where we want a stable way to observe/trace
cap_capable (e.g. protection from inlining and API updates)
add a tracepoint that passes:
- The credentials used
- The user namespace of the resource being accessed
- The user namespace in which the credential provides the
capability to access the targeted resource
- The capability to check for
- Bitmask of options defined in include/linux/security.h
- The return value of the check

Signed-off-by: Jordan Rome <linux@jordanrome.com>
---
 MAINTAINERS                       |  1 +
 include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
 security/commoncap.c              | 30 +++++++++++-----
 3 files changed, 83 insertions(+), 8 deletions(-)
 create mode 100644 include/trace/events/capability.h

--
2.43.5

Comments

Serge E. Hallyn Oct. 30, 2024, 3:18 a.m. UTC | #1

On Tue, Oct 29, 2024 at 06:33:14PM -0700, Jordan Rome wrote:
> In cases where we want a stable way to observe/trace
> cap_capable (e.g. protection from inlining and API updates)
> add a tracepoint that passes:
> - The credentials used
> - The user namespace of the resource being accessed
> - The user namespace in which the credential provides the
> capability to access the targeted resource
> - The capability to check for
> - Bitmask of options defined in include/linux/security.h
> - The return value of the check
> 
> Signed-off-by: Jordan Rome <linux@jordanrome.com>

Thanks.  I'll pull this into the capability tree tomorrow so it can be
tested in linux-next  (and Andrii's ack unless he objects).

> ---
>  MAINTAINERS                       |  1 +
>  include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
>  security/commoncap.c              | 30 +++++++++++-----
>  3 files changed, 83 insertions(+), 8 deletions(-)
>  create mode 100644 include/trace/events/capability.h
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index cc40a9d9b8cd..210e9076c858 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -4994,6 +4994,7 @@ M:	Serge Hallyn <serge@hallyn.com>
>  L:	linux-security-module@vger.kernel.org
>  S:	Supported
>  F:	include/linux/capability.h
> +F:	include/trace/events/capability.h
>  F:	include/uapi/linux/capability.h
>  F:	kernel/capability.c
>  F:	security/commoncap.c
> diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
> new file mode 100644
> index 000000000000..e706ce690c38
> --- /dev/null
> +++ b/include/trace/events/capability.h
> @@ -0,0 +1,60 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#undef TRACE_SYSTEM
> +#define TRACE_SYSTEM capability
> +
> +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
> +#define _TRACE_CAPABILITY_H
> +
> +#include <linux/cred.h>
> +#include <linux/tracepoint.h>
> +#include <linux/user_namespace.h>
> +
> +/**
> + * cap_capable - called after it's determined if a task has a particular
> + * effective capability
> + *
> + * @cred: The credentials used
> + * @targ_ns: The user namespace of the resource being accessed
> + * @capable_ns: The user namespace in which the credential provides the
> + *              capability to access the targeted resource.
> + *              This will be NULL if ret is not 0.
> + * @cap: The capability to check for
> + * @opts: Bitmask of options defined in include/linux/security.h
> + * @ret: The return value of the check: 0 if it does, -ve if it does not
> + *
> + * Allows to trace calls to cap_capable in commoncap.c
> + */
> +TRACE_EVENT(cap_capable,
> +
> +	TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
> +		struct user_namespace *capable_ns, int cap, unsigned int opts, int ret),
> +
> +	TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
> +
> +	TP_STRUCT__entry(
> +		__field(const struct cred *, cred)
> +		__field(struct user_namespace *, targ_ns)
> +		__field(struct user_namespace *, capable_ns)
> +		__field(int, cap)
> +		__field(unsigned int, opts)
> +		__field(int, ret)
> +	),
> +
> +	TP_fast_assign(
> +		__entry->cred       = cred;
> +		__entry->targ_ns    = targ_ns;
> +		__entry->capable_ns = capable_ns;
> +		__entry->cap        = cap;
> +		__entry->opts       = opts;
> +		__entry->ret        = ret;
> +	),
> +
> +	TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
> +		__entry->cred, __entry->targ_ns, __entry->capable_ns, __entry->cap,
> +		__entry->opts, __entry->ret)
> +);
> +
> +#endif /* _TRACE_CAPABILITY_H */
> +
> +/* This part must be outside protection */
> +#include <trace/define_trace.h>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 162d96b3a676..7a74eb27eebf 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -27,6 +27,9 @@
>  #include <linux/mnt_idmapping.h>
>  #include <uapi/linux/lsm.h>
> 
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/capability.h>
> +
>  /*
>   * If a non-root user executes a setuid-root binary in
>   * !secure(SECURE_NOROOT) mode, then we raise capabilities.
> @@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
>  /**
>   * cap_capable - Determine whether a task has a particular effective capability
>   * @cred: The credentials to use
> - * @targ_ns:  The user namespace in which we need the capability
> + * @targ_ns:  The user namespace of the resource being accessed
>   * @cap: The capability to check for
>   * @opts: Bitmask of options defined in include/linux/security.h
>   *
> @@ -67,7 +70,9 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
>  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  		int cap, unsigned int opts)
>  {
> -	struct user_namespace *ns = targ_ns;
> +	int ret = -EPERM;
> +	struct user_namespace *capable_ns = NULL,
> +		*ns = targ_ns;
> 
>  	/* See if cred has the capability in the target user namespace
>  	 * by examining the target user namespace and all of the target
> @@ -75,22 +80,30 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  	 */
>  	for (;;) {
>  		/* Do we have the necessary capabilities? */
> -		if (ns == cred->user_ns)
> -			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> +		if (ns == cred->user_ns) {
> +			if (cap_raised(cred->cap_effective, cap)) {
> +				capable_ns = ns;
> +				ret = 0;
> +			}
> +			break;
> +		}
> 
>  		/*
>  		 * If we're already at a lower level than we're looking for,
>  		 * we're done searching.
>  		 */
>  		if (ns->level <= cred->user_ns->level)
> -			return -EPERM;
> +			break;
> 
>  		/*
>  		 * The owner of the user namespace in the parent of the
>  		 * user namespace has all caps.
>  		 */
> -		if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
> -			return 0;
> +		if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) {
> +			capable_ns = ns->parent;
> +			ret = 0;
> +			break;
> +		}
> 
>  		/*
>  		 * If you have a capability in a parent user ns, then you have
> @@ -99,7 +112,8 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  		ns = ns->parent;
>  	}
> 
> -	/* We never get here */
> +	trace_cap_capable(cred, targ_ns, capable_ns, cap, opts, ret);
> +	return ret;
>  }
> 
>  /**
> --
> 2.43.5

Jordan Rome Oct. 30, 2024, 10:16 a.m. UTC | #2

On Tue, Oct 29, 2024 at 11:18 PM Serge E. Hallyn <serge@hallyn.com> wrote:
>
> On Tue, Oct 29, 2024 at 06:33:14PM -0700, Jordan Rome wrote:
> > In cases where we want a stable way to observe/trace
> > cap_capable (e.g. protection from inlining and API updates)
> > add a tracepoint that passes:
> > - The credentials used
> > - The user namespace of the resource being accessed
> > - The user namespace in which the credential provides the
> > capability to access the targeted resource
> > - The capability to check for
> > - Bitmask of options defined in include/linux/security.h
> > - The return value of the check
> >
> > Signed-off-by: Jordan Rome <linux@jordanrome.com>
>
> Thanks.  I'll pull this into the capability tree tomorrow so it can be
> tested in linux-next  (and Andrii's ack unless he objects).
>

Awesome. Thanks for the review, Serge!

> > ---
> >  MAINTAINERS                       |  1 +
> >  include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
> >  security/commoncap.c              | 30 +++++++++++-----
> >  3 files changed, 83 insertions(+), 8 deletions(-)
> >  create mode 100644 include/trace/events/capability.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index cc40a9d9b8cd..210e9076c858 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -4994,6 +4994,7 @@ M:      Serge Hallyn <serge@hallyn.com>
> >  L:   linux-security-module@vger.kernel.org
> >  S:   Supported
> >  F:   include/linux/capability.h
> > +F:   include/trace/events/capability.h
> >  F:   include/uapi/linux/capability.h
> >  F:   kernel/capability.c
> >  F:   security/commoncap.c
> > diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
> > new file mode 100644
> > index 000000000000..e706ce690c38
> > --- /dev/null
> > +++ b/include/trace/events/capability.h
> > @@ -0,0 +1,60 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +#undef TRACE_SYSTEM
> > +#define TRACE_SYSTEM capability
> > +
> > +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
> > +#define _TRACE_CAPABILITY_H
> > +
> > +#include <linux/cred.h>
> > +#include <linux/tracepoint.h>
> > +#include <linux/user_namespace.h>
> > +
> > +/**
> > + * cap_capable - called after it's determined if a task has a particular
> > + * effective capability
> > + *
> > + * @cred: The credentials used
> > + * @targ_ns: The user namespace of the resource being accessed
> > + * @capable_ns: The user namespace in which the credential provides the
> > + *              capability to access the targeted resource.
> > + *              This will be NULL if ret is not 0.
> > + * @cap: The capability to check for
> > + * @opts: Bitmask of options defined in include/linux/security.h
> > + * @ret: The return value of the check: 0 if it does, -ve if it does not
> > + *
> > + * Allows to trace calls to cap_capable in commoncap.c
> > + */
> > +TRACE_EVENT(cap_capable,
> > +
> > +     TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
> > +             struct user_namespace *capable_ns, int cap, unsigned int opts, int ret),
> > +
> > +     TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
> > +
> > +     TP_STRUCT__entry(
> > +             __field(const struct cred *, cred)
> > +             __field(struct user_namespace *, targ_ns)
> > +             __field(struct user_namespace *, capable_ns)
> > +             __field(int, cap)
> > +             __field(unsigned int, opts)
> > +             __field(int, ret)
> > +     ),
> > +
> > +     TP_fast_assign(
> > +             __entry->cred       = cred;
> > +             __entry->targ_ns    = targ_ns;
> > +             __entry->capable_ns = capable_ns;
> > +             __entry->cap        = cap;
> > +             __entry->opts       = opts;
> > +             __entry->ret        = ret;
> > +     ),
> > +
> > +     TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
> > +             __entry->cred, __entry->targ_ns, __entry->capable_ns, __entry->cap,
> > +             __entry->opts, __entry->ret)
> > +);
> > +
> > +#endif /* _TRACE_CAPABILITY_H */
> > +
> > +/* This part must be outside protection */
> > +#include <trace/define_trace.h>
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 162d96b3a676..7a74eb27eebf 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -27,6 +27,9 @@
> >  #include <linux/mnt_idmapping.h>
> >  #include <uapi/linux/lsm.h>
> >
> > +#define CREATE_TRACE_POINTS
> > +#include <trace/events/capability.h>
> > +
> >  /*
> >   * If a non-root user executes a setuid-root binary in
> >   * !secure(SECURE_NOROOT) mode, then we raise capabilities.
> > @@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
> >  /**
> >   * cap_capable - Determine whether a task has a particular effective capability
> >   * @cred: The credentials to use
> > - * @targ_ns:  The user namespace in which we need the capability
> > + * @targ_ns:  The user namespace of the resource being accessed
> >   * @cap: The capability to check for
> >   * @opts: Bitmask of options defined in include/linux/security.h
> >   *
> > @@ -67,7 +70,9 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
> >  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> >               int cap, unsigned int opts)
> >  {
> > -     struct user_namespace *ns = targ_ns;
> > +     int ret = -EPERM;
> > +     struct user_namespace *capable_ns = NULL,
> > +             *ns = targ_ns;
> >
> >       /* See if cred has the capability in the target user namespace
> >        * by examining the target user namespace and all of the target
> > @@ -75,22 +80,30 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> >        */
> >       for (;;) {
> >               /* Do we have the necessary capabilities? */
> > -             if (ns == cred->user_ns)
> > -                     return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> > +             if (ns == cred->user_ns) {
> > +                     if (cap_raised(cred->cap_effective, cap)) {
> > +                             capable_ns = ns;
> > +                             ret = 0;
> > +                     }
> > +                     break;
> > +             }
> >
> >               /*
> >                * If we're already at a lower level than we're looking for,
> >                * we're done searching.
> >                */
> >               if (ns->level <= cred->user_ns->level)
> > -                     return -EPERM;
> > +                     break;
> >
> >               /*
> >                * The owner of the user namespace in the parent of the
> >                * user namespace has all caps.
> >                */
> > -             if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
> > -                     return 0;
> > +             if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) {
> > +                     capable_ns = ns->parent;
> > +                     ret = 0;
> > +                     break;
> > +             }
> >
> >               /*
> >                * If you have a capability in a parent user ns, then you have
> > @@ -99,7 +112,8 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> >               ns = ns->parent;
> >       }
> >
> > -     /* We never get here */
> > +     trace_cap_capable(cred, targ_ns, capable_ns, cap, opts, ret);
> > +     return ret;
> >  }
> >
> >  /**
> > --
> > 2.43.5

Serge E. Hallyn Oct. 30, 2024, 3:30 p.m. UTC | #3

On Tue, Oct 29, 2024 at 06:33:14PM -0700, Jordan Rome wrote:
> In cases where we want a stable way to observe/trace
> cap_capable (e.g. protection from inlining and API updates)
> add a tracepoint that passes:
> - The credentials used
> - The user namespace of the resource being accessed
> - The user namespace in which the credential provides the
> capability to access the targeted resource
> - The capability to check for
> - Bitmask of options defined in include/linux/security.h
> - The return value of the check
> 
> Signed-off-by: Jordan Rome <linux@jordanrome.com>

Reviewed-by: Serge Hallyn <serge@hallyn.com>

(To see if b4 will pick this up automagically)

> ---
>  MAINTAINERS                       |  1 +
>  include/trace/events/capability.h | 60 +++++++++++++++++++++++++++++++
>  security/commoncap.c              | 30 +++++++++++-----
>  3 files changed, 83 insertions(+), 8 deletions(-)
>  create mode 100644 include/trace/events/capability.h
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index cc40a9d9b8cd..210e9076c858 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -4994,6 +4994,7 @@ M:	Serge Hallyn <serge@hallyn.com>
>  L:	linux-security-module@vger.kernel.org
>  S:	Supported
>  F:	include/linux/capability.h
> +F:	include/trace/events/capability.h
>  F:	include/uapi/linux/capability.h
>  F:	kernel/capability.c
>  F:	security/commoncap.c
> diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
> new file mode 100644
> index 000000000000..e706ce690c38
> --- /dev/null
> +++ b/include/trace/events/capability.h
> @@ -0,0 +1,60 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#undef TRACE_SYSTEM
> +#define TRACE_SYSTEM capability
> +
> +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
> +#define _TRACE_CAPABILITY_H
> +
> +#include <linux/cred.h>
> +#include <linux/tracepoint.h>
> +#include <linux/user_namespace.h>
> +
> +/**
> + * cap_capable - called after it's determined if a task has a particular
> + * effective capability
> + *
> + * @cred: The credentials used
> + * @targ_ns: The user namespace of the resource being accessed
> + * @capable_ns: The user namespace in which the credential provides the
> + *              capability to access the targeted resource.
> + *              This will be NULL if ret is not 0.
> + * @cap: The capability to check for
> + * @opts: Bitmask of options defined in include/linux/security.h
> + * @ret: The return value of the check: 0 if it does, -ve if it does not
> + *
> + * Allows to trace calls to cap_capable in commoncap.c
> + */
> +TRACE_EVENT(cap_capable,
> +
> +	TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
> +		struct user_namespace *capable_ns, int cap, unsigned int opts, int ret),
> +
> +	TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
> +
> +	TP_STRUCT__entry(
> +		__field(const struct cred *, cred)
> +		__field(struct user_namespace *, targ_ns)
> +		__field(struct user_namespace *, capable_ns)
> +		__field(int, cap)
> +		__field(unsigned int, opts)
> +		__field(int, ret)
> +	),
> +
> +	TP_fast_assign(
> +		__entry->cred       = cred;
> +		__entry->targ_ns    = targ_ns;
> +		__entry->capable_ns = capable_ns;
> +		__entry->cap        = cap;
> +		__entry->opts       = opts;
> +		__entry->ret        = ret;
> +	),
> +
> +	TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
> +		__entry->cred, __entry->targ_ns, __entry->capable_ns, __entry->cap,
> +		__entry->opts, __entry->ret)
> +);
> +
> +#endif /* _TRACE_CAPABILITY_H */
> +
> +/* This part must be outside protection */
> +#include <trace/define_trace.h>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 162d96b3a676..7a74eb27eebf 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -27,6 +27,9 @@
>  #include <linux/mnt_idmapping.h>
>  #include <uapi/linux/lsm.h>
> 
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/capability.h>
> +
>  /*
>   * If a non-root user executes a setuid-root binary in
>   * !secure(SECURE_NOROOT) mode, then we raise capabilities.
> @@ -52,7 +55,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
>  /**
>   * cap_capable - Determine whether a task has a particular effective capability
>   * @cred: The credentials to use
> - * @targ_ns:  The user namespace in which we need the capability
> + * @targ_ns:  The user namespace of the resource being accessed
>   * @cap: The capability to check for
>   * @opts: Bitmask of options defined in include/linux/security.h
>   *
> @@ -67,7 +70,9 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
>  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  		int cap, unsigned int opts)
>  {
> -	struct user_namespace *ns = targ_ns;
> +	int ret = -EPERM;
> +	struct user_namespace *capable_ns = NULL,
> +		*ns = targ_ns;
> 
>  	/* See if cred has the capability in the target user namespace
>  	 * by examining the target user namespace and all of the target
> @@ -75,22 +80,30 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  	 */
>  	for (;;) {
>  		/* Do we have the necessary capabilities? */
> -		if (ns == cred->user_ns)
> -			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> +		if (ns == cred->user_ns) {
> +			if (cap_raised(cred->cap_effective, cap)) {
> +				capable_ns = ns;
> +				ret = 0;
> +			}
> +			break;
> +		}
> 
>  		/*
>  		 * If we're already at a lower level than we're looking for,
>  		 * we're done searching.
>  		 */
>  		if (ns->level <= cred->user_ns->level)
> -			return -EPERM;
> +			break;
> 
>  		/*
>  		 * The owner of the user namespace in the parent of the
>  		 * user namespace has all caps.
>  		 */
> -		if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
> -			return 0;
> +		if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) {
> +			capable_ns = ns->parent;
> +			ret = 0;
> +			break;
> +		}
> 
>  		/*
>  		 * If you have a capability in a parent user ns, then you have
> @@ -99,7 +112,8 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  		ns = ns->parent;
>  	}
> 
> -	/* We never get here */
> +	trace_cap_capable(cred, targ_ns, capable_ns, cap, opts, ret);
> +	return ret;
>  }
> 
>  /**
> --
> 2.43.5

Serge E. Hallyn Oct. 30, 2024, 8:59 p.m. UTC | #4

On Tue, Oct 29, 2024 at 06:33:14PM -0700, Jordan Rome wrote:
> In cases where we want a stable way to observe/trace
> cap_capable (e.g. protection from inlining and API updates)
> add a tracepoint that passes:
> - The credentials used
> - The user namespace of the resource being accessed
> - The user namespace in which the credential provides the
> capability to access the targeted resource
> - The capability to check for
> - Bitmask of options defined in include/linux/security.h
> - The return value of the check
> 
> Signed-off-by: Jordan Rome <linux@jordanrome.com>

Thanks, applied to https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/log/?h=v6.12-rc1%2bcaps

diff --git a/MAINTAINERS b/MAINTAINERS
index cc40a9d9b8cd..210e9076c858 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4994,6 +4994,7 @@  M:	Serge Hallyn <serge@hallyn.com>
 L:	linux-security-module@vger.kernel.org
 S:	Supported
 F:	include/linux/capability.h
+F:	include/trace/events/capability.h
 F:	include/uapi/linux/capability.h
 F:	kernel/capability.c
 F:	security/commoncap.c
diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h
new file mode 100644
index 000000000000..e706ce690c38
--- /dev/null
+++ b/include/trace/events/capability.h
@@ -0,0 +1,60 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM capability
+
+#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_CAPABILITY_H
+
+#include <linux/cred.h>
+#include <linux/tracepoint.h>
+#include <linux/user_namespace.h>
+
+/**
+ * cap_capable - called after it's determined if a task has a particular
+ * effective capability
+ *
+ * @cred: The credentials used
+ * @targ_ns: The user namespace of the resource being accessed
+ * @capable_ns: The user namespace in which the credential provides the
+ *              capability to access the targeted resource.
+ *              This will be NULL if ret is not 0.
+ * @cap: The capability to check for
+ * @opts: Bitmask of options defined in include/linux/security.h
+ * @ret: The return value of the check: 0 if it does, -ve if it does not
+ *
+ * Allows to trace calls to cap_capable in commoncap.c
+ */
+TRACE_EVENT(cap_capable,
+
+	TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns,
+		struct user_namespace *capable_ns, int cap, unsigned int opts, int ret),
+
+	TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret),
+
+	TP_STRUCT__entry(
+		__field(const struct cred *, cred)
+		__field(struct user_namespace *, targ_ns)
+		__field(struct user_namespace *, capable_ns)
+		__field(int, cap)
+		__field(unsigned int, opts)
+		__field(int, ret)
+	),
+
+	TP_fast_assign(
+		__entry->cred       = cred;
+		__entry->targ_ns    = targ_ns;
+		__entry->capable_ns = capable_ns;
+		__entry->cap        = cap;
+		__entry->opts       = opts;
+		__entry->ret        = ret;
+	),
+
+	TP_printk("cred %p, targ_ns %p, capable_ns %p, cap %d, opts %u, ret %d",
+		__entry->cred, __entry->targ_ns, __entry->capable_ns, __entry->cap,
+		__entry->opts, __entry->ret)
+);
+
+#endif /* _TRACE_CAPABILITY_H */
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
diff --git a/security/commoncap.c b/security/commoncap.c
index 162d96b3a676..7a74eb27eebf 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,6 +27,9 @@ 
 #include <linux/mnt_idmapping.h>
 #include <uapi/linux/lsm.h>

+#define CREATE_TRACE_POINTS
+#include <trace/events/capability.h>
+
 /*
  * If a non-root user executes a setuid-root binary in
  * !secure(SECURE_NOROOT) mode, then we raise capabilities.
@@ -52,7 +55,7 @@  static void warn_setuid_and_fcaps_mixed(const char *fname)
 /**
  * cap_capable - Determine whether a task has a particular effective capability
  * @cred: The credentials to use
- * @targ_ns:  The user namespace in which we need the capability
+ * @targ_ns:  The user namespace of the resource being accessed
  * @cap: The capability to check for
  * @opts: Bitmask of options defined in include/linux/security.h
  *
@@ -67,7 +70,9 @@  static void warn_setuid_and_fcaps_mixed(const char *fname)
 int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 		int cap, unsigned int opts)
 {
-	struct user_namespace *ns = targ_ns;
+	int ret = -EPERM;
+	struct user_namespace *capable_ns = NULL,
+		*ns = targ_ns;

 	/* See if cred has the capability in the target user namespace
 	 * by examining the target user namespace and all of the target
@@ -75,22 +80,30 @@  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 	 */
 	for (;;) {
 		/* Do we have the necessary capabilities? */
-		if (ns == cred->user_ns)
-			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
+		if (ns == cred->user_ns) {
+			if (cap_raised(cred->cap_effective, cap)) {
+				capable_ns = ns;
+				ret = 0;
+			}
+			break;
+		}

 		/*
 		 * If we're already at a lower level than we're looking for,
 		 * we're done searching.
 		 */
 		if (ns->level <= cred->user_ns->level)
-			return -EPERM;
+			break;

 		/*
 		 * The owner of the user namespace in the parent of the
 		 * user namespace has all caps.
 		 */
-		if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
-			return 0;
+		if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) {
+			capable_ns = ns->parent;
+			ret = 0;
+			break;
+		}

 		/*
 		 * If you have a capability in a parent user ns, then you have
@@ -99,7 +112,8 @@  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 		ns = ns->parent;
 	}

-	/* We never get here */
+	trace_cap_capable(cred, targ_ns, capable_ns, cap, opts, ret);
+	return ret;
 }

 /**

[v4] security: add trace event for cap_capable

Commit Message

Comments

Patch