diff mbox series

[10/10] coccinelle: add script for capable_any()

Message ID 20240315113828.258005-10-cgzones@googlemail.com (mailing list archive)
State Not Applicable
Headers show
Series [01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-VM_Test-35 success Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-42 success Logs for x86_64-llvm-18 / veristat
bpf/vmtest-bpf-next-VM_Test-9 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 fail Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-15 fail Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-21 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-25 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-26 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-27 success Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-30 success Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-31 success Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-33 success Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-37 success Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-38 success Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-41 success Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-13 success Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-22 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-32 success Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-36 success Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18 and -O2 optimization
bpf/vmtest-bpf-next-VM_Test-39 success Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-40 success Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18
bpf/vmtest-bpf-next-PR fail PR summary
bpf/vmtest-bpf-next-VM_Test-29 success Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17 and -O2 optimization
bpf/vmtest-bpf-next-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-next-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-7 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-8 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-4 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-11 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-12 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-17 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-18 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-19 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-28 success Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-34 success Logs for x86_64-llvm-17 / veristat
netdev/series_format warning Series does not have a cover letter
netdev/tree_selection success Guessed tree name to be net-next, async
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 954 this patch: 954
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 957 this patch: 957
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 969 this patch: 969
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 171 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Christian Göttsche March 15, 2024, 11:37 a.m. UTC 
Add a script to find and replace chained capable() calls with
capable_any().
Also find and replace capable_any() calls where CAP_SYS_ADMIN was passed
as first argument.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v5:
   add patch
---
 MAINTAINERS                              |   1 +
 scripts/coccinelle/api/capable_any.cocci | 164 +++++++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 scripts/coccinelle/api/capable_any.cocci
diff mbox series

Patch

diff --git a/MAINTAINERS b/MAINTAINERS
index f4d7f7cb7577..32349e4c5f56 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4731,6 +4731,7 @@  S:	Supported
 F:	include/linux/capability.h
 F:	include/uapi/linux/capability.h
 F:	kernel/capability.c
+F:	scripts/coccinelle/api/capable_any.cocci
 F:	security/commoncap.c
 
 CAPELLA MICROSYSTEMS LIGHT SENSOR DRIVER
diff --git a/scripts/coccinelle/api/capable_any.cocci b/scripts/coccinelle/api/capable_any.cocci
new file mode 100644
index 000000000000..83aedd3bf81d
--- /dev/null
+++ b/scripts/coccinelle/api/capable_any.cocci
@@ -0,0 +1,164 @@ 
+// SPDX-License-Identifier: GPL-2.0-only
+/// Use capable_any rather than chaining capable and order CAP_SYS_ADMIN last
+///
+// Confidence: High
+// Copyright: (C) 2024 Christian Göttsche.
+// URL: https://coccinelle.gitlabpages.inria.fr/website
+// Options: --no-includes --include-headers
+// Keywords: capable, capable_any, ns_capable, ns_capable_any, sockopt_ns_capable, sockopt_ns_capable_any
+
+virtual patch
+virtual context
+virtual org
+virtual report
+
+//----------------------------------------------------------
+//  For patch mode
+//----------------------------------------------------------
+
+@ depends on patch@
+binary operator op;
+expression cap1,cap2,E;
+expression ns;
+@@
+
+(
+-  capable(cap1) || capable(cap2)
++  capable_any(cap1, cap2)
+|
+-  E op capable(cap1) || capable(cap2)
++  E op capable_any(cap1, cap2)
+|
+-  !capable(cap1) && !capable(cap2)
++  !capable_any(cap1, cap2)
+|
+-  E op !capable(cap1) && !capable(cap2)
++  E op !capable_any(cap1, cap2)
+|
+-  ns_capable(ns, cap1) || ns_capable(ns, cap2)
++  ns_capable_any(ns, cap1, cap2)
+|
+-  E op ns_capable(ns, cap1) || ns_capable(ns, cap2)
++  E op ns_capable_any(ns, cap1, cap2)
+|
+-  !ns_capable(ns, cap1) && !ns_capable(ns, cap2)
++  !ns_capable_any(ns, cap1, cap2)
+|
+-  E op !ns_capable(ns, cap1) && !ns_capable(ns, cap2)
++  E op !ns_capable_any(ns, cap1, cap2)
+|
+-  sockopt_ns_capable(ns, cap1) || sockopt_ns_capable(ns, cap2)
++  sockopt_ns_capable_any(ns, cap1, cap2)
+|
+-  E op sockopt_ns_capable(ns, cap1) || sockopt_ns_capable(ns, cap2)
++  E op sockopt_ns_capable_any(ns, cap1, cap2)
+|
+-  !sockopt_ns_capable(ns, cap1) && !sockopt_ns_capable(ns, cap2)
++  !sockopt_ns_capable_any(ns, cap1, cap2)
+|
+-  E op !sockopt_ns_capable(ns, cap1) && !sockopt_ns_capable(ns, cap2)
++  E op !sockopt_ns_capable_any(ns, cap1, cap2)
+)
+
+@ depends on patch@
+identifier func = { capable_any, ns_capable_any, sockopt_ns_capable_any };
+expression cap;
+expression ns;
+@@
+
+(
+-  func(CAP_SYS_ADMIN, cap)
++  func(cap, CAP_SYS_ADMIN)
+|
+-  func(ns, CAP_SYS_ADMIN, cap)
++  func(ns, cap, CAP_SYS_ADMIN)
+)
+
+//----------------------------------------------------------
+//  For context mode
+//----------------------------------------------------------
+
+@r1 depends on !patch exists@
+binary operator op;
+expression cap1,cap2,E;
+expression ns;
+position p1,p2;
+@@
+
+(
+*  capable@p1(cap1) || capable@p2(cap2)
+|
+*  E op capable@p1(cap1) || capable@p2(cap2)
+|
+*  !capable@p1(cap1) && !capable@p2(cap2)
+|
+*  E op !capable@p1(cap1) && !capable@p2(cap2)
+|
+*  ns_capable@p1(ns, cap1) || ns_capable@p2(ns, cap2)
+|
+*  E op ns_capable@p1(ns, cap1) || ns_capable@p2(ns, cap2)
+|
+*  !ns_capable@p1(ns, cap1) && !ns_capable@p2(ns, cap2)
+|
+*  E op !ns_capable@p1(ns, cap1) && !ns_capable@p2(ns, cap2)
+|
+*  sockopt_ns_capable@p1(ns, cap1) || sockopt_ns_capable@p2(ns, cap2)
+|
+*  E op sockopt_ns_capable@p1(ns, cap1) || sockopt_ns_capable@p2(ns, cap2)
+|
+*  !sockopt_ns_capable@p1(ns, cap1) && !sockopt_ns_capable@p2(ns, cap2)
+|
+*  E op !sockopt_ns_capable@p1(ns, cap1) && !sockopt_ns_capable@p2(ns, cap2)
+)
+
+@r2 depends on !patch exists@
+identifier func = { capable_any, ns_capable_any, sockopt_ns_capable_any };
+expression cap;
+expression ns;
+position p;
+@@
+
+(
+*  func@p(CAP_SYS_ADMIN, cap)
+|
+*  func@p(ns, CAP_SYS_ADMIN, cap)
+)
+
+//----------------------------------------------------------
+//  For org mode
+//----------------------------------------------------------
+
+@script:python depends on org@
+p1 << r1.p1;
+p2 << r1.p2;
+@@
+
+cocci.print_main("WARNING opportunity for capable_any",p1)
+cocci.print_secs("chained capable",p2)
+
+@script:python depends on org@
+p << r2.p;
+f << r2.func;
+@@
+
+cocci.print_main("WARNING " + f + " arguments should be reordered",p)
+
+//----------------------------------------------------------
+//  For report mode
+//----------------------------------------------------------
+
+@script:python depends on report@
+p1 << r1.p1;
+p2 << r1.p2;
+@@
+
+msg = "WARNING opportunity for capable_any (chained capable line %s)" % (p2[0].line)
+coccilib.report.print_report(p1[0], msg)
+
+@script:python depends on report@
+p << r2.p;
+f << r2.func;
+@@
+
+msg = "WARNING %s arguments should be reordered" % (f)
+coccilib.report.print_report(p[0], msg)