mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
synced 2026-04-18 03:23:53 -04:00
security: add trace event for cap_capable
In cases where we want a stable way to observe/trace cap_capable (e.g. protection from inlining and API updates) add a tracepoint that passes: - The credentials used - The user namespace of the resource being accessed - The user namespace in which the credential provides the capability to access the targeted resource - The capability to check for - The return value of the check Signed-off-by: Jordan Rome <linux@jordanrome.com> Acked-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Link: https://lore.kernel.org/r/20241204155911.1817092-1-linux@jordanrome.com Signed-off-by: Serge Hallyn <sergeh@kernel.org>
This commit is contained in:
Jordan Rome
committed by
Serge Hallyn
Serge Hallyn
parent
3f4f1f8a1a
commit
d48da4d5ed
@@ -27,6 +27,9 @@
|
||||
#include <linux/mnt_idmapping.h>
|
||||
#include <uapi/linux/lsm.h>
|
||||
|
||||
#define CREATE_TRACE_POINTS
|
||||
#include <trace/events/capability.h>
|
||||
|
||||
/*
|
||||
* If a non-root user executes a setuid-root binary in
|
||||
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
|
||||
@@ -50,24 +53,24 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_capable - Determine whether a task has a particular effective capability
|
||||
* cap_capable_helper - Determine whether a task has a particular effective
|
||||
* capability.
|
||||
* @cred: The credentials to use
|
||||
* @targ_ns: The user namespace in which we need the capability
|
||||
* @target_ns: The user namespace of the resource being accessed
|
||||
* @cred_ns: The user namespace of the credentials
|
||||
* @cap: The capability to check for
|
||||
* @opts: Bitmask of options defined in include/linux/security.h
|
||||
*
|
||||
* Determine whether the nominated task has the specified capability amongst
|
||||
* its effective set, returning 0 if it does, -ve if it does not.
|
||||
*
|
||||
* NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
|
||||
* and has_capability() functions. That is, it has the reverse semantics:
|
||||
* cap_has_capability() returns 0 when a task has a capability, but the
|
||||
* kernel's capable() and has_capability() returns 1 for this case.
|
||||
* See cap_capable for more details.
|
||||
*/
|
||||
int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
||||
int cap, unsigned int opts)
|
||||
static inline int cap_capable_helper(const struct cred *cred,
|
||||
struct user_namespace *target_ns,
|
||||
const struct user_namespace *cred_ns,
|
||||
int cap)
|
||||
{
|
||||
struct user_namespace *ns = targ_ns;
|
||||
struct user_namespace *ns = target_ns;
|
||||
|
||||
/* See if cred has the capability in the target user namespace
|
||||
* by examining the target user namespace and all of the target
|
||||
@@ -75,21 +78,21 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
||||
*/
|
||||
for (;;) {
|
||||
/* Do we have the necessary capabilities? */
|
||||
if (ns == cred->user_ns)
|
||||
if (likely(ns == cred_ns))
|
||||
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
||||
|
||||
/*
|
||||
* If we're already at a lower level than we're looking for,
|
||||
* we're done searching.
|
||||
*/
|
||||
if (ns->level <= cred->user_ns->level)
|
||||
if (ns->level <= cred_ns->level)
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
* The owner of the user namespace in the parent of the
|
||||
* user namespace has all caps.
|
||||
*/
|
||||
if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
|
||||
if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
@@ -102,6 +105,31 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
||||
/* We never get here */
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_capable - Determine whether a task has a particular effective capability
|
||||
* @cred: The credentials to use
|
||||
* @target_ns: The user namespace of the resource being accessed
|
||||
* @cap: The capability to check for
|
||||
* @opts: Bitmask of options defined in include/linux/security.h (unused)
|
||||
*
|
||||
* Determine whether the nominated task has the specified capability amongst
|
||||
* its effective set, returning 0 if it does, -ve if it does not.
|
||||
*
|
||||
* NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
|
||||
* and has_capability() functions. That is, it has the reverse semantics:
|
||||
* cap_has_capability() returns 0 when a task has a capability, but the
|
||||
* kernel's capable() and has_capability() returns 1 for this case.
|
||||
*/
|
||||
int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
|
||||
int cap, unsigned int opts)
|
||||
{
|
||||
const struct user_namespace *cred_ns = cred->user_ns;
|
||||
int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
|
||||
|
||||
trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_settime - Determine whether the current process may set the system clock
|
||||
* @ts: The time to set
|
||||
|
||||
Reference in New Issue
Block a user