From patchwork Thu Oct 24 10:40:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Rome X-Patchwork-Id: 13848767 Received: from mout.perfora.net (mout.perfora.net [74.208.4.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 437C414831C; Thu, 24 Oct 2024 10:54:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.208.4.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729767259; cv=none; b=rdAzDXI1IfDm6HldyHol3amaNy0jkVkiRhRQ7hnpCIpDEiVQ5svyTOE6etBqQAroRldir/Oop9PCtEihxvTYbC1AUgJOQQvwqGaQmKwhFO0qmI6h0t5lViujEDKK4oVwTiNdHap9II6zBmAPQ3NSD+9qGjo89wq6udmCKYL2L+E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729767259; c=relaxed/simple; bh=yGIhl8mYevvDwyWw0FFi2f+T/poFxSeXxHfTIzF4olA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=DNgRv93/NRRkI2N3qPMpG8wPdJqaGwuscz343Y/f2wYfY4gijofdsv9Urq4pX00MKY7b4uymB1OBZb7E1gPQkJ5zjtn556GWetoMMThnnMYi/HQpnfjUdkhqxxeQUeiN/ppSc6ullyohM4mjQA+0Z3Brb31x+O9VJKuxB0aOzrc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=jordanrome.com; spf=pass smtp.mailfrom=jordanrome.com; dkim=pass (2048-bit key) header.d=jordanrome.com header.i=linux@jordanrome.com header.b=yVPt70Ay; arc=none smtp.client-ip=74.208.4.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=jordanrome.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=jordanrome.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=jordanrome.com header.i=linux@jordanrome.com header.b="yVPt70Ay" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jordanrome.com; s=s1-ionos; t=1729767255; x=1730372055; i=linux@jordanrome.com; bh=oJqlOpA89ifM9UfzkwxEnEOmCn8Ap7GuPAMpz+Oz/kk=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:Message-ID: MIME-Version:Content-Transfer-Encoding:cc: content-transfer-encoding:content-type:date:from:message-id: mime-version:reply-to:subject:to; b=yVPt70AyWB5HYKSf/5Xr3eF7oS5J1Yh/LZ85KvlmGJcizowMLvHfUMNMR/dImE/w c7Fmwpiv+l25dhBuIBrbdzGw5KqkFYPLv0Y1JNBh/eFYIuPNZs4M3lsO2U1XAu4It KEFOG1kk31EgzxgrRVWBR2fHoTy3hKyjZofLNyu0JGgqX6ITncBtHAS+4jhIgbOuK aeLGUwRJqB35cJtHhqbBbH30j7fkCHOibRUzcU4fGnxmGnOIQ1OPLVlirOyt/nmKl ClOiDFNHwf0mxGHqD2iaSdVb5eB6DYx6QaspyO+suA5KqbG5BEayY0f0ZBp9t4+ZU Pv2V2ap8/nN/BH9q3Q== X-UI-Sender-Class: 55c96926-9e95-11ee-ae09-1f7a4046a0f6 Received: from localhost ([69.171.251.3]) by mrelay.perfora.net (mreueus003 [74.208.5.2]) with ESMTPSA (Nemesis) id 0MgdCj-1tI2263BkV-00QPIJ; Thu, 24 Oct 2024 12:40:29 +0200 From: Jordan Rome To: linux-security-module@vger.kernel.org Cc: linux-trace-kernel@vger.kernel.org, Andrii Nakryiko , Kernel Team , Serge Hallyn , Yonghong Song Subject: [v1] security: add trace event for cap_capable Date: Thu, 24 Oct 2024 03:40:12 -0700 Message-ID: <20241024104012.1815022-1-linux@jordanrome.com> X-Mailer: git-send-email 2.43.5 Precedence: bulk X-Mailing-List: linux-trace-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Provags-ID: V03:K1:TVLmjv9MGLQr2eBCQ37lyn4wW2quWy1IpY9KEsq7D1rmN4JXD0N vVc8FcYlq5By0D2QXlZetNCFrJVTSUI+qx73ky1b1JhUewG9xqzS7QgvCJwVUo/LajQWVuh rSSx6rgZpnN2PyIcOo7VvfMn1Cbm7NdJT8AV7zZ8DwHJjb6u5u440p5nqHYob6dpVUEdZZd qPHv99tjWF322v5FRvNtg== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:8uJ27nw4f44=;aKSKps/DGaGxF+uMKLQPLJTFIlH +BRb3dGAi4khsG1Xg0td5apFwTEjXfZBFYIdaUevRcmwwJgN07hqVWaMr6E943Uh8QsGpuIqn 6AA1yYi+Pd6qB+2hBlEq5TUA/YBE4jnYIiOowCCELWpf6E20ZDGtnRjMYzaGMnc9NY5XlXPu2 svwIfu38SBNXeZPy1hSlG+R/g7vJAEc0vHlwYnAxFUpkutZ2DDOP/jyt97PHoIyU2ocsn+h4T ol5Zfk+uySBOlwL0lvexcauC9y2gSIHvforw7BQO0rJh6pROFu36rPgeGko5nxXLzKqlUYbjj 3ypmzbwI6WKiwrwejRsaj8MeW4cWUN24/xd7zw8B6r4+GvjFsjGTrCBFfXNIdr1rT0tpsYWoG 5G8hu1HO99fau+AHwKYTakUIMAH93YIddSeDQnGZQS2Bh7u9oO8kH9H2OBIkkCKhCtZMO1MjB up5zWtpjDOUS2FP6ciLFR3cQMrMIhpvvuZ0evsJbsoSSCpj0UR2OP47/v36erztZwSg/VggCa 6OTyzTMcyTinPJv+he4imqvQbqqtXtRymiYE4/NpnO7MbCNe5OusGs5Ce88tPrR86WgP+8PEq PS0Wzi+TKd7Z7UJmgofRPPE5SNzOioi+1aobUAFkssWv8srIhoXwwYJg1LdpbJW/I00BxL5OY KlCzjuGSSqfkbiInvIRmfEhPc5zEdeT0zNc+F/Ii14iPfZzLeLTCADOFRN9CZjbNWIPglE+2h T5BdrHK342ND0b8hyrsncMyXWV+wK3EYg== In cases where we want a stable way to observe/trace cap_capable (e.g. protection from inlining and API updates) add a tracepoint that passes: - The credentials used - The user namespace which needs the capability - The user namespace that actually has the capability (if one exists) - The capability to check for - Bitmask of options defined in include/linux/security.h - The return value of the check Signed-off-by: Jordan Rome --- MAINTAINERS | 1 + include/trace/events/capability.h | 58 +++++++++++++++++++++++++++++++ security/commoncap.c | 21 +++++++---- 3 files changed, 74 insertions(+), 6 deletions(-) create mode 100644 include/trace/events/capability.h -- 2.43.5 diff --git a/MAINTAINERS b/MAINTAINERS index cc40a9d9b8cd..210e9076c858 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4994,6 +4994,7 @@ M: Serge Hallyn L: linux-security-module@vger.kernel.org S: Supported F: include/linux/capability.h +F: include/trace/events/capability.h F: include/uapi/linux/capability.h F: kernel/capability.c F: security/commoncap.c diff --git a/include/trace/events/capability.h b/include/trace/events/capability.h new file mode 100644 index 000000000000..092b8e77063a --- /dev/null +++ b/include/trace/events/capability.h @@ -0,0 +1,58 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM capability + +#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_CAPABILITY_H + +#include +#include +#include + +/** + * capable - called after it's determined if a task has a particular + * effective capability + * + * @cred: The credentials used + * @targ_ns: The user namespace which needs the capability + * @capable_ns: The user namespace that actually has the capability + * if ret is 0 otherwise this will be NULL + * @cap: The capability to check for + * @opts: Bitmask of options defined in include/linux/security.h + * @ret: The return value of the check: 0 if it does, -ve if it does not + * + * Allows to trace calls to cap_capable in commoncap.c + */ +TRACE_EVENT(capable, + + TP_PROTO(const struct cred *cred, struct user_namespace *targ_ns, + struct user_namespace *capable_ns, int cap, unsigned int opts, int ret), + + TP_ARGS(cred, targ_ns, capable_ns, cap, opts, ret), + + TP_STRUCT__entry( + __field(const struct cred *, cred) + __field(struct user_namespace *, targ_ns) + __field(struct user_namespace *, capable_ns) + __field(int, cap) + __field(unsigned int, opts) + __field(int, ret) + ), + + TP_fast_assign( + __entry->cred = cred; + __entry->targ_ns = targ_ns; + __entry->capable_ns = capable_ns; + __entry->cap = cap; + __entry->opts = opts; + __entry->ret = ret; + ), + + TP_printk("cap %d, opts %u, ret %d", + __entry->cap, __entry->opts, __entry->ret) +); + +#endif /* _TRACE_CAPABILITY_H */ + +/* This part must be outside protection */ +#include diff --git a/security/commoncap.c b/security/commoncap.c index 162d96b3a676..675d40fbaa77 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -27,6 +27,9 @@ #include #include +#define CREATE_TRACE_POINTS +#include + /* * If a non-root user executes a setuid-root binary in * !secure(SECURE_NOROOT) mode, then we raise capabilities. @@ -68,6 +71,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, int cap, unsigned int opts) { struct user_namespace *ns = targ_ns; + int ret = 0; /* See if cred has the capability in the target user namespace * by examining the target user namespace and all of the target @@ -75,22 +79,26 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, */ for (;;) { /* Do we have the necessary capabilities? */ - if (ns == cred->user_ns) - return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; + if (ns == cred->user_ns) { + ret = cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; + break; + } /* * If we're already at a lower level than we're looking for, * we're done searching. */ - if (ns->level <= cred->user_ns->level) - return -EPERM; + if (ns->level <= cred->user_ns->level) { + ret = -EPERM; + break; + } /* * The owner of the user namespace in the parent of the * user namespace has all caps. */ if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) - return 0; + break; /* * If you have a capability in a parent user ns, then you have @@ -99,7 +107,8 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, ns = ns->parent; } - /* We never get here */ + trace_capable(cred, targ_ns, ret == 0 ? ns : NULL, cap, opts, ret); + return ret; } /**