capabilities patches for 6.14-rc1
This branch contains basically the same two patches as last time:
1. A patch by Paul Moore to remove the cap_mmap_file() hook, as it simply
returned the default return value and so doesn't need to exist.
2. A patch by Jordan Rome to add a trace event for cap_capable(), updated
to address your feedback during the last cycle.
Both patches have been sitting in linux-next since 6.13-rc1 with no
issues.
Signed-off-by: Serge E. Hallyn <serge@hallyn.com>
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmeOxO0ACgkQNXDaFycK
ziSbqwf9FmQbCG9zpgHhAaODz8GXPn1EYm0TfabbfuG+hRvTQLt/7eVuLB6Tt69l
lx7zM8HUjZLQW8qsDc1nmdnrvvLK6z8e97yGBBMG4uzFyzsCgNQowyDRz69IOG+l
eTCUMXOQXYtO4OYm7pECBeUos8yCOpW7vdZzyyKInw0A8JXy98K880HlYoiYc7wI
9xXtKWTmqry156llwIYU/opo/Pag480Y2hzP9x5EqvTNqJ/iMEUb2Dswhf+53dOY
HePwerTu1BYYupSC2gl3ujl/m6R2BroLBmOMApLiAhNtRZCm+J6rkhmMW9cFqyxZ
Nyw8nAuc08cAKoobAdggD+cgFy9e6g==
=WKYe
-----END PGP SIGNATURE-----
Merge tag 'caps-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux
Pull capabilities updates from Serge Hallyn:
- remove the cap_mmap_file() hook, as it simply returned the default
return value and so doesn't need to exist (Paul Moore)
- add a trace event for cap_capable() (Jordan Rome)
* tag 'caps-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux:
security: add trace event for cap_capable
capabilities: remove cap_mmap_file()
This commit is contained in:
Linus Torvalds
commit
754916d4a2
3 changed files with 99 additions and 20 deletions
|
|
@ -5182,6 +5182,7 @@ M: Serge Hallyn <serge@hallyn.com>
|
|||
L: linux-security-module@vger.kernel.org
|
||||
S: Supported
|
||||
F: include/linux/capability.h
|
||||
F: include/trace/events/capability.h
|
||||
F: include/uapi/linux/capability.h
|
||||
F: kernel/capability.c
|
||||
F: security/commoncap.c
|
||||
|
|
|
|||
57
include/trace/events/capability.h
Normal file
57
include/trace/events/capability.h
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
#undef TRACE_SYSTEM
|
||||
#define TRACE_SYSTEM capability
|
||||
|
||||
#if !defined(_TRACE_CAPABILITY_H) || defined(TRACE_HEADER_MULTI_READ)
|
||||
#define _TRACE_CAPABILITY_H
|
||||
|
||||
#include <linux/cred.h>
|
||||
#include <linux/tracepoint.h>
|
||||
#include <linux/user_namespace.h>
|
||||
|
||||
/**
|
||||
* cap_capable - called after it's determined if a task has a particular
|
||||
* effective capability
|
||||
*
|
||||
* @cred: The credentials used
|
||||
* @target_ns: The user namespace of the resource being accessed
|
||||
* @capable_ns: The user namespace in which the credential provides the
|
||||
* capability to access the targeted resource.
|
||||
* This will be NULL if ret is not 0.
|
||||
* @cap: The capability to check for
|
||||
* @ret: The return value of the check: 0 if it does, -ve if it does not
|
||||
*
|
||||
* Allows to trace calls to cap_capable in commoncap.c
|
||||
*/
|
||||
TRACE_EVENT(cap_capable,
|
||||
|
||||
TP_PROTO(const struct cred *cred, struct user_namespace *target_ns,
|
||||
const struct user_namespace *capable_ns, int cap, int ret),
|
||||
|
||||
TP_ARGS(cred, target_ns, capable_ns, cap, ret),
|
||||
|
||||
TP_STRUCT__entry(
|
||||
__field(const struct cred *, cred)
|
||||
__field(struct user_namespace *, target_ns)
|
||||
__field(const struct user_namespace *, capable_ns)
|
||||
__field(int, cap)
|
||||
__field(int, ret)
|
||||
),
|
||||
|
||||
TP_fast_assign(
|
||||
__entry->cred = cred;
|
||||
__entry->target_ns = target_ns;
|
||||
__entry->capable_ns = ret == 0 ? capable_ns : NULL;
|
||||
__entry->cap = cap;
|
||||
__entry->ret = ret;
|
||||
),
|
||||
|
||||
TP_printk("cred %p, target_ns %p, capable_ns %p, cap %d, ret %d",
|
||||
__entry->cred, __entry->target_ns, __entry->capable_ns, __entry->cap,
|
||||
__entry->ret)
|
||||
);
|
||||
|
||||
#endif /* _TRACE_CAPABILITY_H */
|
||||
|
||||
/* This part must be outside protection */
|
||||
#include <trace/define_trace.h>
|
||||
|
|
@ -27,6 +27,9 @@
|
|||
#include <linux/mnt_idmapping.h>
|
||||
#include <uapi/linux/lsm.h>
|
||||
|
||||
#define CREATE_TRACE_POINTS
|
||||
#include <trace/events/capability.h>
|
||||
|
||||
/*
|
||||
* If a non-root user executes a setuid-root binary in
|
||||
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
|
||||
|
|
@ -50,24 +53,24 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
|
|||
}
|
||||
|
||||
/**
|
||||
* cap_capable - Determine whether a task has a particular effective capability
|
||||
* cap_capable_helper - Determine whether a task has a particular effective
|
||||
* capability.
|
||||
* @cred: The credentials to use
|
||||
* @targ_ns: The user namespace in which we need the capability
|
||||
* @target_ns: The user namespace of the resource being accessed
|
||||
* @cred_ns: The user namespace of the credentials
|
||||
* @cap: The capability to check for
|
||||
* @opts: Bitmask of options defined in include/linux/security.h
|
||||
*
|
||||
* Determine whether the nominated task has the specified capability amongst
|
||||
* its effective set, returning 0 if it does, -ve if it does not.
|
||||
*
|
||||
* NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
|
||||
* and has_capability() functions. That is, it has the reverse semantics:
|
||||
* cap_has_capability() returns 0 when a task has a capability, but the
|
||||
* kernel's capable() and has_capability() returns 1 for this case.
|
||||
* See cap_capable for more details.
|
||||
*/
|
||||
int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
||||
int cap, unsigned int opts)
|
||||
static inline int cap_capable_helper(const struct cred *cred,
|
||||
struct user_namespace *target_ns,
|
||||
const struct user_namespace *cred_ns,
|
||||
int cap)
|
||||
{
|
||||
struct user_namespace *ns = targ_ns;
|
||||
struct user_namespace *ns = target_ns;
|
||||
|
||||
/* See if cred has the capability in the target user namespace
|
||||
* by examining the target user namespace and all of the target
|
||||
|
|
@ -75,21 +78,21 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
|||
*/
|
||||
for (;;) {
|
||||
/* Do we have the necessary capabilities? */
|
||||
if (ns == cred->user_ns)
|
||||
if (likely(ns == cred_ns))
|
||||
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
||||
|
||||
/*
|
||||
* If we're already at a lower level than we're looking for,
|
||||
* we're done searching.
|
||||
*/
|
||||
if (ns->level <= cred->user_ns->level)
|
||||
if (ns->level <= cred_ns->level)
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
* The owner of the user namespace in the parent of the
|
||||
* user namespace has all caps.
|
||||
*/
|
||||
if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
|
||||
if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
|
|
@ -102,6 +105,31 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
|||
/* We never get here */
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_capable - Determine whether a task has a particular effective capability
|
||||
* @cred: The credentials to use
|
||||
* @target_ns: The user namespace of the resource being accessed
|
||||
* @cap: The capability to check for
|
||||
* @opts: Bitmask of options defined in include/linux/security.h (unused)
|
||||
*
|
||||
* Determine whether the nominated task has the specified capability amongst
|
||||
* its effective set, returning 0 if it does, -ve if it does not.
|
||||
*
|
||||
* NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
|
||||
* and has_capability() functions. That is, it has the reverse semantics:
|
||||
* cap_has_capability() returns 0 when a task has a capability, but the
|
||||
* kernel's capable() and has_capability() returns 1 for this case.
|
||||
*/
|
||||
int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
|
||||
int cap, unsigned int opts)
|
||||
{
|
||||
const struct user_namespace *cred_ns = cred->user_ns;
|
||||
int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
|
||||
|
||||
trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_settime - Determine whether the current process may set the system clock
|
||||
* @ts: The time to set
|
||||
|
|
@ -1445,12 +1473,6 @@ int cap_mmap_addr(unsigned long addr)
|
|||
return ret;
|
||||
}
|
||||
|
||||
int cap_mmap_file(struct file *file, unsigned long reqprot,
|
||||
unsigned long prot, unsigned long flags)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_SECURITY
|
||||
|
||||
static const struct lsm_id capability_lsmid = {
|
||||
|
|
@ -1470,7 +1492,6 @@ static struct security_hook_list capability_hooks[] __ro_after_init = {
|
|||
LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
|
||||
LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
|
||||
LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
|
||||
LSM_HOOK_INIT(mmap_file, cap_mmap_file),
|
||||
LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
|
||||
LSM_HOOK_INIT(task_prctl, cap_task_prctl),
|
||||
LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue