
[PATCH 1/1] Track (in /proc/<pid>/status) which capabilities are hit during execution.

From: Andrew G. Morgan <morgan_at_nospam>
Date: Mon Oct 27 2008 - 04:21:02 GMT
To: "Serge E. Hallyn" <serue@us.ibm.com>


This is a simple mechanism for tracking which capabilities are actually used by a running application.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
 fs/proc/array.c | 1 +
 include/linux/init_task.h | 1 +
 include/linux/sched.h | 1 +
 kernel/capability.c | 1 +
 security/commoncap.c | 1 +
 5 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/fs/proc/array.c b/fs/proc/array.c
index bb9f4b0..08a6811 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -297,6 +297,7 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
 render_cap_t(m, "CapPrm:\t", &p->cap_permitted);
 render_cap_t(m, "CapEff:\t", &p->cap_effective);
 render_cap_t(m, "CapBnd:\t", &p->cap_bset);
+ render_cap_t(m, "CapHit:\t", &p->cap_hits);
 }
 
 static inline void task_context_switch_counts(struct seq_file *m,
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 23fd890..38f7487 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -152,6 +152,7 @@ extern struct group_info init_groups;
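Review bot: The new `CapHit:` line is a new /proc ABI field, and the diffstat lists no change to Documentation/filesystems/proc.txt, where the existing Cap* lines of /proc/<pid>/status are described; it should be documented there alongside CapPrm/CapEff/CapBnd, stating that it reports the capabilities for which capable() succeeded since the task's last exec. Because /proc/<pid>/status is typically readable by other users, this also discloses which privileged operations a process has actually exercised, which is finer-grained than the existing masks, so that exposure deserves a deliberate decision and a sentence in the documentation. task_cap() starts before the hunk.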
.cap_inheritable = CAP_INIT_INH_SET, \
.cap_permitted = CAP_FULL_SET, \
.cap_bset = CAP_INIT_BSET, \
+ .cap_hits = CAP_EMPTY_SET, \
.securebits = SECUREBITS_DEFAULT, \
.user = INIT_USER, \
.comm = "swapper", \
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 8478f33..dce9e37 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1183,6 +1183,7 @@ struct task_struct {
 gid_t gid,egid,sgid,fsgid;
 struct group_info *group_info;
 kernel_cap_t cap_effective, cap_inheritable, cap_permitted, cap_bset;
+ kernel_cap_t cap_hits;
 struct user_struct *user;
 unsigned securebits;
 #ifdef CONFIG_KEYS
diff --git a/kernel/capability.c b/kernel/capability.c
index 33e51e7..eb49e8f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -499,6 +499,7 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
 int capable(int cap)
 {
 if (has_capability(current, cap)) {
+ cap_raise(current->cap_hits, cap);
 current->flags |= PF_SUPERPRIV;
 return 1;
 }
diff --git a/security/commoncap.c b/security/commoncap.c
index 399bfdb..84dbe6d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -396,6 +396,7 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 /* AUD: Audit candidate if current->cap_effective is set */
 
 current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
+ cap_clear(current->cap_hits);
 }
 
 int cap_bprm_secureexec (struct linux_binprm *bprm)
-- 
1.6.0.1
-- 
To unsubscribe from this list: send the line "unsubscribe linux-security-module"
in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
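Review bot: The new `cap_hits` member is added to task_struct without a comment, while what it means, who sets it and when it is reset are defined in two other files of this series; add one next to the field such as `/* capabilities for which capable() succeeded since the last exec; shown as CapHit in /proc/<pid>/status */`. struct task_struct starts before and ends after the hunk.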
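Review bot: `cap_raise(current->cap_hits, cap)` sits only on the success path of capable(), so a task probing for capabilities it does not hold leaves no trace, and checks that call has_capability() directly on some task (the helper this function itself calls) bypass the bookkeeping entirely; if "capabilities actually used by this task" is the intended meaning, say so on the new line, e.g. `/* record that this task has actually exercised cap (CapHit in /proc) */`, and decide explicitly whether denied checks should be recorded too. The update is an unlocked read-modify-write on current, which is sound as long as current is the only writer of its own cap_hits, but a concurrent reader of /proc/<pid>/status may see a torn two-word kernel_cap_t; the fs/proc/array.c hunk renders the field the same way as the existing Cap* masks, so this appears to be the accepted model, but it is worth a comment. capable() continues past the hunk.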
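Review bot: The set is cleared only here, inside an LSM hook, while the bits are set in core code in kernel/capability.c, and the diffstat shows no change to kernel/fork.c; a forked child therefore presumably inherits the parent's cap_hits along with the rest of task_struct and reports capabilities it never exercised itself until it execs. Either clear the field in copy_process() as well, or document in the commit message and in proc.txt that CapHit is inherited across fork and reset on exec. Resetting it in the core exec path rather than in cap_bprm_apply_creds() would also keep the tracking independent of which LSM ends up handling the bprm hooks, though the stacking arrangement in effect is not visible here. cap_bprm_apply_creds() starts before the hunk.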