[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240315113828.258005-10-cgzones@googlemail.com>
Date: Fri, 15 Mar 2024 12:37:31 +0100
From: Christian Göttsche <cgzones@...glemail.com>
To: linux-security-module@...r.kernel.org
Cc: Serge Hallyn <serge@...lyn.com>,
Julia Lawall <Julia.Lawall@...ia.fr>,
Nicolas Palix <nicolas.palix@...g.fr>,
linux-kernel@...r.kernel.org,
cocci@...ia.fr,
bpf@...r.kernel.org
Subject: [PATCH 10/10] coccinelle: add script for capable_any()
Add a script to find and replace chained capable() calls with
capable_any().
Also find and replace capable_any() calls where CAP_SYS_ADMIN was passed
as first argument.
Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
---
v5:
add patch
---
MAINTAINERS | 1 +
scripts/coccinelle/api/capable_any.cocci | 164 +++++++++++++++++++++++
2 files changed, 165 insertions(+)
create mode 100644 scripts/coccinelle/api/capable_any.cocci
diff --git a/MAINTAINERS b/MAINTAINERS
index f4d7f7cb7577..32349e4c5f56 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4731,6 +4731,7 @@ S: Supported
F: include/linux/capability.h
F: include/uapi/linux/capability.h
F: kernel/capability.c
+F: scripts/coccinelle/api/capable_any.cocci
F: security/commoncap.c
CAPELLA MICROSYSTEMS LIGHT SENSOR DRIVER
diff --git a/scripts/coccinelle/api/capable_any.cocci b/scripts/coccinelle/api/capable_any.cocci
new file mode 100644
index 000000000000..83aedd3bf81d
--- /dev/null
+++ b/scripts/coccinelle/api/capable_any.cocci
@@ -0,0 +1,164 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/// Use capable_any rather than chaining capable and order CAP_SYS_ADMIN last
+///
+// Confidence: High
+// Copyright: (C) 2024 Christian Göttsche.
+// URL: https://coccinelle.gitlabpages.inria.fr/website
+// Options: --no-includes --include-headers
+// Keywords: capable, capable_any, ns_capable, ns_capable_any, sockopt_ns_capable, sockopt_ns_capable_any
+
+virtual patch
+virtual context
+virtual org
+virtual report
+
+//----------------------------------------------------------
+// For patch mode
+//----------------------------------------------------------
+
+@ depends on patch@
+binary operator op;
+expression cap1,cap2,E;
+expression ns;
+@@
+
+(
+- capable(cap1) || capable(cap2)
++ capable_any(cap1, cap2)
+|
+- E op capable(cap1) || capable(cap2)
++ E op capable_any(cap1, cap2)
+|
+- !capable(cap1) && !capable(cap2)
++ !capable_any(cap1, cap2)
+|
+- E op !capable(cap1) && !capable(cap2)
++ E op !capable_any(cap1, cap2)
+|
+- ns_capable(ns, cap1) || ns_capable(ns, cap2)
++ ns_capable_any(ns, cap1, cap2)
+|
+- E op ns_capable(ns, cap1) || ns_capable(ns, cap2)
++ E op ns_capable_any(ns, cap1, cap2)
+|
+- !ns_capable(ns, cap1) && !ns_capable(ns, cap2)
++ !ns_capable_any(ns, cap1, cap2)
+|
+- E op !ns_capable(ns, cap1) && !ns_capable(ns, cap2)
++ E op !ns_capable_any(ns, cap1, cap2)
+|
+- sockopt_ns_capable(ns, cap1) || sockopt_ns_capable(ns, cap2)
++ sockopt_ns_capable_any(ns, cap1, cap2)
+|
+- E op sockopt_ns_capable(ns, cap1) || sockopt_ns_capable(ns, cap2)
++ E op sockopt_ns_capable_any(ns, cap1, cap2)
+|
+- !sockopt_ns_capable(ns, cap1) && !sockopt_ns_capable(ns, cap2)
++ !sockopt_ns_capable_any(ns, cap1, cap2)
+|
+- E op !sockopt_ns_capable(ns, cap1) && !sockopt_ns_capable(ns, cap2)
++ E op !sockopt_ns_capable_any(ns, cap1, cap2)
+)
+
+@ depends on patch@
+identifier func = { capable_any, ns_capable_any, sockopt_ns_capable_any };
+expression cap;
+expression ns;
+@@
+
+(
+- func(CAP_SYS_ADMIN, cap)
++ func(cap, CAP_SYS_ADMIN)
+|
+- func(ns, CAP_SYS_ADMIN, cap)
++ func(ns, cap, CAP_SYS_ADMIN)
+)
+
+//----------------------------------------------------------
+// For context mode
+//----------------------------------------------------------
+
+@r1 depends on !patch exists@
+binary operator op;
+expression cap1,cap2,E;
+expression ns;
+position p1,p2;
+@@
+
+(
+* capable@p1(cap1) || capable@p2(cap2)
+|
+* E op capable@p1(cap1) || capable@p2(cap2)
+|
+* !capable@p1(cap1) && !capable@p2(cap2)
+|
+* E op !capable@p1(cap1) && !capable@p2(cap2)
+|
+* ns_capable@p1(ns, cap1) || ns_capable@p2(ns, cap2)
+|
+* E op ns_capable@p1(ns, cap1) || ns_capable@p2(ns, cap2)
+|
+* !ns_capable@p1(ns, cap1) && !ns_capable@p2(ns, cap2)
+|
+* E op !ns_capable@p1(ns, cap1) && !ns_capable@p2(ns, cap2)
+|
+* sockopt_ns_capable@p1(ns, cap1) || sockopt_ns_capable@p2(ns, cap2)
+|
+* E op sockopt_ns_capable@p1(ns, cap1) || sockopt_ns_capable@p2(ns, cap2)
+|
+* !sockopt_ns_capable@p1(ns, cap1) && !sockopt_ns_capable@p2(ns, cap2)
+|
+* E op !sockopt_ns_capable@p1(ns, cap1) && !sockopt_ns_capable@p2(ns, cap2)
+)
+
+@r2 depends on !patch exists@
+identifier func = { capable_any, ns_capable_any, sockopt_ns_capable_any };
+expression cap;
+expression ns;
+position p;
+@@
+
+(
+* func@p(CAP_SYS_ADMIN, cap)
+|
+* func@p(ns, CAP_SYS_ADMIN, cap)
+)
+
+//----------------------------------------------------------
+// For org mode
+//----------------------------------------------------------
+
+@...ipt:python depends on org@
+p1 << r1.p1;
+p2 << r1.p2;
+@@
+
+cocci.print_main("WARNING opportunity for capable_any",p1)
+cocci.print_secs("chained capable",p2)
+
+@...ipt:python depends on org@
+p << r2.p;
+f << r2.func;
+@@
+
+cocci.print_main("WARNING " + f + " arguments should be reordered",p)
+
+//----------------------------------------------------------
+// For report mode
+//----------------------------------------------------------
+
+@...ipt:python depends on report@
+p1 << r1.p1;
+p2 << r1.p2;
+@@
+
+msg = "WARNING opportunity for capable_any (chained capable line %s)" % (p2[0].line)
+coccilib.report.print_report(p1[0], msg)
+
+@...ipt:python depends on report@
+p << r2.p;
+f << r2.func;
+@@
+
+msg = "WARNING %s arguments should be reordered" % (f)
+coccilib.report.print_report(p[0], msg)
--
2.43.0
Powered by blists - more mailing lists