Hi.
First, I hope you are fine and the same for your relatives.
Capabilities are used to check if a thread has the right to perform a given
action [1].
For example, a thread with CAP_BPF set can use the bpf() syscall.
Capabilities are used in the container world.
In terms of code, several projects related to container maintain code where the
capabilities are written alike include/uapi/linux/capability.h [2][3][4][5].
For these projects, their codebase should be updated when a new capability is
added to the kernel.
Some other projects rely on <sys/capability.h> [6].
In this case, this header file should reflect the capabilities offered by the
kernel.
So, in this series, I added a new file to sysfs:
/sys/kernel/security/capabilities.
The goal of this file is to be used by "container world" software to know kernel
capabilities at run time instead of compile time.
The "file" is read-only and its content is the capability number associated with
the capability name:
root@vm-amd64:~# cat /sys/kernel/security/capabilities
0 CAP_CHOWN
1 CAP_DAC_OVERRIDE
...
40 CAP_CHECKPOINT_RESTORE
The kernel already exposes the last capability number under:
/proc/sys/kernel/cap_last_cap
So, I think there should not be any issue exposing all the capabilities it
offers.
If there is any, please share it as I do not want to introduce issue with this
series.
Also, if you see any way to improve this series please share it as it would
increase this contribution quality.
Change since v2:
* Use a char * for cap_string instead of an array, each line of this char *
contains the capability number and its name.
* Move the file under /sys/kernel/security instead of /sys/kernel.
Francis Laniel (2):
capability: Add cap_string.
security/inode.c: Add capabilities file.
include/uapi/linux/capability.h | 1 +
kernel/capability.c | 45 +++++++++++++++++++++++++++++++++
security/inode.c | 16 ++++++++++++
3 files changed, 62 insertions(+)
Best regards and thank you in advance for your reviews.
---
[1] man capabilities
[2] https://github.com/containerd/containerd/blob/1a078e6893d07fec10a4940a5664fab21d6f7d1e/pkg/cap/cap_linux.go#L135
[3] https://github.com/moby/moby/commit/485cf38d48e7111b3d1f584d5e9eab46a902aabc#diff-2e04625b209932e74c617de96682ed72fbd1bb0d0cb9fb7c709cf47a86b6f9c1
moby relies on containerd code.
[4] https://github.com/syndtr/gocapability/blob/42c35b4376354fd554efc7ad35e0b7f94e3a0ffb/capability/enum.go#L47
[5] https://github.com/opencontainers/runc/blob/00f56786bb220b55b41748231880ba0e6380519a/libcontainer/capabilities/capabilities.go#L12
runc relies on syndtr package.
[6] https://github.com/containers/crun/blob/fafb556f09e6ffd4690c452ff51856b880c089f1/src/libcrun/linux.c#L35
--
2.30.2
This new read-only file prints the capabilities values with their names:
cat /sys/kernel/security/capabilities
0 CAP_CHOWN
1 CAP_DAC_OVERRIDE
...
40 CAP_CHECKPOINT_RESTORE
Signed-off-by: Francis Laniel <[email protected]>
---
security/inode.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/security/inode.c b/security/inode.c
index 6c326939750d..cef78b497bab 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -21,6 +21,7 @@
#include <linux/security.h>
#include <linux/lsm_hooks.h>
#include <linux/magic.h>
+#include <linux/capability.h>
static struct vfsmount *mount;
static int mount_count;
@@ -328,6 +329,19 @@ static const struct file_operations lsm_ops = {
};
#endif
+static struct dentry *capabilities_dentry;
+static ssize_t capabilities_read(struct file *unused, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ return simple_read_from_buffer(buf, count, ppos, cap_string,
+ strlen(cap_string));
+}
+
+static const struct file_operations capabilities_ops = {
+ .read = capabilities_read,
+ .llseek = generic_file_llseek,
+};
+
static int __init securityfs_init(void)
{
int retval;
@@ -345,6 +359,8 @@ static int __init securityfs_init(void)
lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
&lsm_ops);
#endif
+ capabilities_dentry = securityfs("capabilities", 0444, NULL, NULL,
+ capabilities_ops);
return 0;
}
core_initcall(securityfs_init);
--
2.30.2
Hi.
Le jeudi 20 janvier 2022, 19:01:16 CET Francis Laniel a ?crit :
> This new read-only file prints the capabilities values with their names:
> cat /sys/kernel/security/capabilities
> 0 CAP_CHOWN
> 1 CAP_DAC_OVERRIDE
> ...
> 40 CAP_CHECKPOINT_RESTORE
>
> Signed-off-by: Francis Laniel <[email protected]>
> ---
> security/inode.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/security/inode.c b/security/inode.c
> index 6c326939750d..cef78b497bab 100644
> --- a/security/inode.c
> +++ b/security/inode.c
> @@ -21,6 +21,7 @@
> #include <linux/security.h>
> #include <linux/lsm_hooks.h>
> #include <linux/magic.h>
> +#include <linux/capability.h>
>
> static struct vfsmount *mount;
> static int mount_count;
> @@ -328,6 +329,19 @@ static const struct file_operations lsm_ops = {
> };
> #endif
>
> +static struct dentry *capabilities_dentry;
> +static ssize_t capabilities_read(struct file *unused, char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + return simple_read_from_buffer(buf, count, ppos, cap_string,
> + strlen(cap_string));
> +}
> +
> +static const struct file_operations capabilities_ops = {
> + .read = capabilities_read,
> + .llseek = generic_file_llseek,
> +};
> +
> static int __init securityfs_init(void)
> {
> int retval;
> @@ -345,6 +359,8 @@ static int __init securityfs_init(void)
> lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
> &lsm_ops);
> #endif
> + capabilities_dentry = securityfs("capabilities", 0444, NULL, NULL,
> + capabilities_ops);
Sorry, I sent the old version of the patch and did not fixup this...
Kernel robot kindly show me this error.
I swear the output in the cover letter was done on the compiled kernel within
a VM.
I will send a v4 correcting this but I will wait to get some reviews on v3 to
not send to not generate too much traffic here.
> return 0;
> }
> core_initcall(securityfs_init);
Best regards.