lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240315113828.258005-10-cgzones@googlemail.com>
Date: Fri, 15 Mar 2024 12:37:31 +0100
From: Christian Göttsche <cgzones@...glemail.com>
To: linux-security-module@...r.kernel.org
Cc: Serge Hallyn <serge@...lyn.com>,
	Julia Lawall <Julia.Lawall@...ia.fr>,
	Nicolas Palix <nicolas.palix@...g.fr>,
	linux-kernel@...r.kernel.org,
	cocci@...ia.fr,
	bpf@...r.kernel.org
Subject: [PATCH 10/10] coccinelle: add script for capable_any()

Add a script to find and replace chained capable() calls with
capable_any().
Also find and replace capable_any() calls where CAP_SYS_ADMIN was passed
as first argument.

Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
---
v5:
   add patch
---
 MAINTAINERS                              |   1 +
 scripts/coccinelle/api/capable_any.cocci | 164 +++++++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 scripts/coccinelle/api/capable_any.cocci

diff --git a/MAINTAINERS b/MAINTAINERS
index f4d7f7cb7577..32349e4c5f56 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4731,6 +4731,7 @@ S:	Supported
 F:	include/linux/capability.h
 F:	include/uapi/linux/capability.h
 F:	kernel/capability.c
+F:	scripts/coccinelle/api/capable_any.cocci
 F:	security/commoncap.c
 
 CAPELLA MICROSYSTEMS LIGHT SENSOR DRIVER
diff --git a/scripts/coccinelle/api/capable_any.cocci b/scripts/coccinelle/api/capable_any.cocci
new file mode 100644
index 000000000000..83aedd3bf81d
--- /dev/null
+++ b/scripts/coccinelle/api/capable_any.cocci
@@ -0,0 +1,164 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/// Use capable_any rather than chaining capable and order CAP_SYS_ADMIN last
+///
+// Confidence: High
+// Copyright: (C) 2024 Christian Göttsche.
+// URL: https://coccinelle.gitlabpages.inria.fr/website
+// Options: --no-includes --include-headers
+// Keywords: capable, capable_any, ns_capable, ns_capable_any, sockopt_ns_capable, sockopt_ns_capable_any
+
+virtual patch
+virtual context
+virtual org
+virtual report
+
+//----------------------------------------------------------
+//  For patch mode
+//----------------------------------------------------------
+
+@ depends on patch@
+binary operator op;
+expression cap1,cap2,E;
+expression ns;
+@@
+
+(
+-  capable(cap1) || capable(cap2)
++  capable_any(cap1, cap2)
+|
+-  E op capable(cap1) || capable(cap2)
++  E op capable_any(cap1, cap2)
+|
+-  !capable(cap1) && !capable(cap2)
++  !capable_any(cap1, cap2)
+|
+-  E op !capable(cap1) && !capable(cap2)
++  E op !capable_any(cap1, cap2)
+|
+-  ns_capable(ns, cap1) || ns_capable(ns, cap2)
++  ns_capable_any(ns, cap1, cap2)
+|
+-  E op ns_capable(ns, cap1) || ns_capable(ns, cap2)
++  E op ns_capable_any(ns, cap1, cap2)
+|
+-  !ns_capable(ns, cap1) && !ns_capable(ns, cap2)
++  !ns_capable_any(ns, cap1, cap2)
+|
+-  E op !ns_capable(ns, cap1) && !ns_capable(ns, cap2)
++  E op !ns_capable_any(ns, cap1, cap2)
+|
+-  sockopt_ns_capable(ns, cap1) || sockopt_ns_capable(ns, cap2)
++  sockopt_ns_capable_any(ns, cap1, cap2)
+|
+-  E op sockopt_ns_capable(ns, cap1) || sockopt_ns_capable(ns, cap2)
++  E op sockopt_ns_capable_any(ns, cap1, cap2)
+|
+-  !sockopt_ns_capable(ns, cap1) && !sockopt_ns_capable(ns, cap2)
++  !sockopt_ns_capable_any(ns, cap1, cap2)
+|
+-  E op !sockopt_ns_capable(ns, cap1) && !sockopt_ns_capable(ns, cap2)
++  E op !sockopt_ns_capable_any(ns, cap1, cap2)
+)
+
+@ depends on patch@
+identifier func = { capable_any, ns_capable_any, sockopt_ns_capable_any };
+expression cap;
+expression ns;
+@@
+
+(
+-  func(CAP_SYS_ADMIN, cap)
++  func(cap, CAP_SYS_ADMIN)
+|
+-  func(ns, CAP_SYS_ADMIN, cap)
++  func(ns, cap, CAP_SYS_ADMIN)
+)
+
+//----------------------------------------------------------
+//  For context mode
+//----------------------------------------------------------
+
+@r1 depends on !patch exists@
+binary operator op;
+expression cap1,cap2,E;
+expression ns;
+position p1,p2;
+@@
+
+(
+*  capable@p1(cap1) || capable@p2(cap2)
+|
+*  E op capable@p1(cap1) || capable@p2(cap2)
+|
+*  !capable@p1(cap1) && !capable@p2(cap2)
+|
+*  E op !capable@p1(cap1) && !capable@p2(cap2)
+|
+*  ns_capable@p1(ns, cap1) || ns_capable@p2(ns, cap2)
+|
+*  E op ns_capable@p1(ns, cap1) || ns_capable@p2(ns, cap2)
+|
+*  !ns_capable@p1(ns, cap1) && !ns_capable@p2(ns, cap2)
+|
+*  E op !ns_capable@p1(ns, cap1) && !ns_capable@p2(ns, cap2)
+|
+*  sockopt_ns_capable@p1(ns, cap1) || sockopt_ns_capable@p2(ns, cap2)
+|
+*  E op sockopt_ns_capable@p1(ns, cap1) || sockopt_ns_capable@p2(ns, cap2)
+|
+*  !sockopt_ns_capable@p1(ns, cap1) && !sockopt_ns_capable@p2(ns, cap2)
+|
+*  E op !sockopt_ns_capable@p1(ns, cap1) && !sockopt_ns_capable@p2(ns, cap2)
+)
+
+@r2 depends on !patch exists@
+identifier func = { capable_any, ns_capable_any, sockopt_ns_capable_any };
+expression cap;
+expression ns;
+position p;
+@@
+
+(
+*  func@p(CAP_SYS_ADMIN, cap)
+|
+*  func@p(ns, CAP_SYS_ADMIN, cap)
+)
+
+//----------------------------------------------------------
+//  For org mode
+//----------------------------------------------------------
+
+@...ipt:python depends on org@
+p1 << r1.p1;
+p2 << r1.p2;
+@@
+
+cocci.print_main("WARNING opportunity for capable_any",p1)
+cocci.print_secs("chained capable",p2)
+
+@...ipt:python depends on org@
+p << r2.p;
+f << r2.func;
+@@
+
+cocci.print_main("WARNING " + f + " arguments should be reordered",p)
+
+//----------------------------------------------------------
+//  For report mode
+//----------------------------------------------------------
+
+@...ipt:python depends on report@
+p1 << r1.p1;
+p2 << r1.p2;
+@@
+
+msg = "WARNING opportunity for capable_any (chained capable line %s)" % (p2[0].line)
+coccilib.report.print_report(p1[0], msg)
+
+@...ipt:python depends on report@
+p << r2.p;
+f << r2.func;
+@@
+
+msg = "WARNING %s arguments should be reordered" % (f)
+coccilib.report.print_report(p[0], msg)
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ