| Message ID | 20240315113828.258005-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | [01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY | expand |
Add the interfaces `capable_any()` and `ns_capable_any()` as an
alternative to multiple `capable()`/`ns_capable()` calls, like
`capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of
`capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`.
`capable_any()`/`ns_capable_any()` will in particular generate exactly
one audit message, either for the left most capability in effect or, if
the task has none, the first one.
This is especially helpful with regard to SELinux, where each audit
message about a not allowed capability request will create a denial
message. Using this new wrapper with the least invasive capability as
left most argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables
policy writers to only grant the least invasive one for the particular
subject instead of both.
v4 discussion:
https://lore.kernel.org/all/20230511142535.732324-10-cgzones@googlemail.com/
v3 discussion:
https://patchwork.kernel.org/project/selinux/patch/20220615152623.311223-8-cgzones@googlemail.com/
v5:
- rename flag to CAP_OPT_NOAUDIT_ONDENY and internal helper to
ns_capable_noauditondeny()
- add check for identical capabilities passed to simplify bpf call sites
- make use in bpf code
- add coccinelle script
v4:
- add CAP_OPT_NODENYAUDIT capable flag
Christian Göttsche (10):
capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY
capability: add any wrappers to test for multiple caps with exactly
one audit message
capability: use new capable_any functionality
block: use new capable_any functionality
drivers: use new capable_any functionality
fs: use new capable_any functionality
kernel: use new capable_any functionality
net: use new capable_any functionality
bpf: use new capable_any functionality
coccinelle: add script for capable_any()
MAINTAINERS | 1 +
block/ioprio.c | 9 +-
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +-
drivers/net/caif/caif_serial.c | 2 +-
drivers/s390/block/dasd_eckd.c | 2 +-
fs/pipe.c | 2 +-
include/linux/bpf.h | 2 +-
include/linux/capability.h | 17 ++-
include/linux/security.h | 2 +
include/net/sock.h | 1 +
kernel/bpf/syscall.c | 2 +-
kernel/bpf/token.c | 2 +-
kernel/capability.c | 73 ++++++++++
kernel/fork.c | 2 +-
net/caif/caif_socket.c | 2 +-
net/core/sock.c | 15 ++-
net/ieee802154/socket.c | 6 +-
net/ipv4/ip_sockglue.c | 5 +-
net/ipv6/ipv6_sockglue.c | 3 +-
net/unix/af_unix.c | 2 +-
scripts/coccinelle/api/capable_any.cocci | 164 +++++++++++++++++++++++
security/apparmor/capability.c | 8 +-
security/selinux/hooks.c | 14 +-
23 files changed, 293 insertions(+), 46 deletions(-)
create mode 100644 scripts/coccinelle/api/capable_any.cocci
On Fri, Mar 15, 2024 at 12:37:22PM +0100, Christian Göttsche wrote: > Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate > an audit event if the requested capability is not granted. This will be > used in a new capable_any() functionality to reduce the number of > necessary capable calls. > > Handle the flag accordingly in AppArmor and SELinux. > > CC: linux-block@vger.kernel.org > Suggested-by: Paul Moore <paul@paul-moore.com> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Thanks. Reviewed-by: Serge Hallyn <serge@hallyn.com> > --- > v5: > rename flag to CAP_OPT_NOAUDIT_ONDENY, suggested by Serge: > https://lore.kernel.org/all/20230606190013.GA640488@mail.hallyn.com/ > --- > include/linux/security.h | 2 ++ > security/apparmor/capability.c | 8 +++++--- > security/selinux/hooks.c | 14 ++++++++------ > 3 files changed, 15 insertions(+), 9 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 41a8f667bdfa..c60cae78ff8b 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -70,6 +70,8 @@ struct lsm_ctx; > #define CAP_OPT_NOAUDIT BIT(1) > /* If capable is being called by a setid function */ > #define CAP_OPT_INSETID BIT(2) > +/* If capable should audit the security request for authorized requests only */ > +#define CAP_OPT_NOAUDIT_ONDENY BIT(3) > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > #define SECURITY_LSM_NATIVE_LABELS 1 > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > index 9934df16c843..08c9c9a0fc19 100644 > --- a/security/apparmor/capability.c > +++ b/security/apparmor/capability.c > @@ -108,7 +108,8 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile > * profile_capable - test if profile allows use of capability @cap > * @profile: profile being enforced (NOT NULL, NOT unconfined) > * @cap: capability to test if allowed > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NOAUDIT_ONDENY bit determines whether audit > + * record is generated > * @ad: audit data (MAY BE NULL indicating no auditing) > * > * Returns: 0 if allowed else -EPERM > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > else > error = -EPERM; > > - if (opts & CAP_OPT_NOAUDIT) { > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NOAUDIT_ONDENY) && error)) { > if (!COMPLAIN_MODE(profile)) > return error; > /* audit the cap request in complain mode but note that it > @@ -143,7 +144,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > * @subj_cred: cred we are testing capability against > * @label: label being tested for capability (NOT NULL) > * @cap: capability to be tested > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NOAUDIT_ONDENY bit determines whether audit > + * record is generated > * > * Look up capability in profile capability set. > * > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3448454c82d0..1a2c7c1a89be 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1624,7 +1624,7 @@ static int cred_has_capability(const struct cred *cred, > u16 sclass; > u32 sid = cred_sid(cred); > u32 av = CAP_TO_MASK(cap); > - int rc; > + int rc, rc2; > > ad.type = LSM_AUDIT_DATA_CAP; > ad.u.cap = cap; > @@ -1643,11 +1643,13 @@ static int cred_has_capability(const struct cred *cred, > } > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > - if (!(opts & CAP_OPT_NOAUDIT)) { > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > - if (rc2) > - return rc2; > - } > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NOAUDIT_ONDENY) && rc)) > + return rc; > + > + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > + if (rc2) > + return rc2; > + > return rc; > } > > -- > 2.43.0 > >
diff --git a/include/linux/security.h b/include/linux/security.h index 41a8f667bdfa..c60cae78ff8b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -70,6 +70,8 @@ struct lsm_ctx; #define CAP_OPT_NOAUDIT BIT(1) /* If capable is being called by a setid function */ #define CAP_OPT_INSETID BIT(2) +/* If capable should audit the security request for authorized requests only */ +#define CAP_OPT_NOAUDIT_ONDENY BIT(3) /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ #define SECURITY_LSM_NATIVE_LABELS 1 diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index 9934df16c843..08c9c9a0fc19 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c @@ -108,7 +108,8 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile * profile_capable - test if profile allows use of capability @cap * @profile: profile being enforced (NOT NULL, NOT unconfined) * @cap: capability to test if allowed - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NOAUDIT_ONDENY bit determines whether audit + * record is generated * @ad: audit data (MAY BE NULL indicating no auditing) * * Returns: 0 if allowed else -EPERM @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, else error = -EPERM; - if (opts & CAP_OPT_NOAUDIT) { + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NOAUDIT_ONDENY) && error)) { if (!COMPLAIN_MODE(profile)) return error; /* audit the cap request in complain mode but note that it @@ -143,7 +144,8 @@ static int profile_capable(struct aa_profile *profile, int cap, * @subj_cred: cred we are testing capability against * @label: label being tested for capability (NOT NULL) * @cap: capability to be tested - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NOAUDIT_ONDENY bit determines whether audit + * record is generated * * Look up capability in profile capability set. * diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3448454c82d0..1a2c7c1a89be 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1624,7 +1624,7 @@ static int cred_has_capability(const struct cred *cred, u16 sclass; u32 sid = cred_sid(cred); u32 av = CAP_TO_MASK(cap); - int rc; + int rc, rc2; ad.type = LSM_AUDIT_DATA_CAP; ad.u.cap = cap; @@ -1643,11 +1643,13 @@ static int cred_has_capability(const struct cred *cred, } rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); - if (!(opts & CAP_OPT_NOAUDIT)) { - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); - if (rc2) - return rc2; - } + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NOAUDIT_ONDENY) && rc)) + return rc; + + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); + if (rc2) + return rc2; + return rc; }
Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate an audit event if the requested capability is not granted. This will be used in a new capable_any() functionality to reduce the number of necessary capable calls. Handle the flag accordingly in AppArmor and SELinux. CC: linux-block@vger.kernel.org Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v5: rename flag to CAP_OPT_NOAUDIT_ONDENY, suggested by Serge: https://lore.kernel.org/all/20230606190013.GA640488@mail.hallyn.com/ --- include/linux/security.h | 2 ++ security/apparmor/capability.c | 8 +++++--- security/selinux/hooks.c | 14 ++++++++------ 3 files changed, 15 insertions(+), 9 deletions(-)