| Brendan Gregg | 1298998 | 2016-09-14 08:15:09 -0700 | [diff] [blame] | 1 | #!/usr/bin/python |
| 2 | # @lint-avoid-python-3-compatibility-imports |
| 3 | # |
| 4 | # capable Trace security capabilitiy checks (cap_capable()). |
| 5 | # For Linux, uses BCC, eBPF. Embedded C. |
| 6 | # |
| 7 | # USAGE: capable [-h] [-v] [-p PID] |
| 8 | # |
| 9 | # ToDo: add -s for kernel stacks. |
| 10 | # |
| 11 | # Copyright 2016 Netflix, Inc. |
| 12 | # Licensed under the Apache License, Version 2.0 (the "License") |
| 13 | # |
| 14 | # 13-Sep-2016 Brendan Gregg Created this. |
| 15 | |
| 16 | from __future__ import print_function |
| 17 | from bcc import BPF |
| 18 | import argparse |
| 19 | from time import strftime |
| 20 | import ctypes as ct |
| 21 | |
| 22 | # arguments |
| 23 | examples = """examples: |
| 24 | ./capable # trace capability checks |
| 25 | ./capable -v # verbose: include non-audit checks |
| 26 | ./capable -p 181 # only trace PID 181 |
| 27 | """ |
| 28 | parser = argparse.ArgumentParser( |
| 29 | description="Trace security capability checks", |
| 30 | formatter_class=argparse.RawDescriptionHelpFormatter, |
| 31 | epilog=examples) |
| 32 | parser.add_argument("-v", "--verbose", action="store_true", |
| 33 | help="include non-audit checks") |
| 34 | parser.add_argument("-p", "--pid", |
| 35 | help="trace this PID only") |
| 36 | args = parser.parse_args() |
| 37 | debug = 0 |
| 38 | |
| 39 | # capabilities to names, generated from (and will need updating): |
| 40 | # awk '/^#define.CAP_.*[0-9]$/ { print " " $3 ": \"" $2 "\"," }' \ |
| 41 | # include/uapi/linux/capability.h |
| 42 | capabilities = { |
| 43 | 0: "CAP_CHOWN", |
| 44 | 1: "CAP_DAC_OVERRIDE", |
| 45 | 2: "CAP_DAC_READ_SEARCH", |
| 46 | 3: "CAP_FOWNER", |
| 47 | 4: "CAP_FSETID", |
| 48 | 5: "CAP_KILL", |
| 49 | 6: "CAP_SETGID", |
| 50 | 7: "CAP_SETUID", |
| 51 | 8: "CAP_SETPCAP", |
| 52 | 9: "CAP_LINUX_IMMUTABLE", |
| 53 | 10: "CAP_NET_BIND_SERVICE", |
| 54 | 11: "CAP_NET_BROADCAST", |
| 55 | 12: "CAP_NET_ADMIN", |
| 56 | 13: "CAP_NET_RAW", |
| 57 | 14: "CAP_IPC_LOCK", |
| 58 | 15: "CAP_IPC_OWNER", |
| 59 | 16: "CAP_SYS_MODULE", |
| 60 | 17: "CAP_SYS_RAWIO", |
| 61 | 18: "CAP_SYS_CHROOT", |
| 62 | 19: "CAP_SYS_PTRACE", |
| 63 | 20: "CAP_SYS_PACCT", |
| 64 | 21: "CAP_SYS_ADMIN", |
| 65 | 22: "CAP_SYS_BOOT", |
| 66 | 23: "CAP_SYS_NICE", |
| 67 | 24: "CAP_SYS_RESOURCE", |
| 68 | 25: "CAP_SYS_TIME", |
| 69 | 26: "CAP_SYS_TTY_CONFIG", |
| 70 | 27: "CAP_MKNOD", |
| 71 | 28: "CAP_LEASE", |
| 72 | 29: "CAP_AUDIT_WRITE", |
| 73 | 30: "CAP_AUDIT_CONTROL", |
| 74 | 31: "CAP_SETFCAP", |
| 75 | 32: "CAP_MAC_OVERRIDE", |
| 76 | 33: "CAP_MAC_ADMIN", |
| 77 | 34: "CAP_SYSLOG", |
| 78 | 35: "CAP_WAKE_ALARM", |
| 79 | 36: "CAP_BLOCK_SUSPEND", |
| 80 | 37: "CAP_AUDIT_READ", |
| 81 | } |
| 82 | |
| 83 | # define BPF program |
| 84 | bpf_text = """ |
| 85 | #include <uapi/linux/ptrace.h> |
| 86 | #include <linux/sched.h> |
| 87 | |
| 88 | struct data_t { |
| 89 | // switch to u32s when supported |
| 90 | u64 pid; |
| 91 | u64 uid; |
| 92 | int cap; |
| 93 | int audit; |
| 94 | char comm[TASK_COMM_LEN]; |
| 95 | }; |
| 96 | |
| 97 | BPF_PERF_OUTPUT(events); |
| 98 | |
| 99 | int kprobe__cap_capable(struct pt_regs *ctx, const struct cred *cred, |
| 100 | struct user_namespace *targ_ns, int cap, int audit) |
| 101 | { |
| 102 | u32 pid = bpf_get_current_pid_tgid(); |
| 103 | FILTER1 |
| 104 | FILTER2 |
| 105 | |
| 106 | u32 uid = bpf_get_current_uid_gid(); |
| 107 | struct data_t data = {.pid = pid, .uid = uid, .cap = cap, .audit = audit}; |
| 108 | bpf_get_current_comm(&data.comm, sizeof(data.comm)); |
| 109 | events.perf_submit(ctx, &data, sizeof(data)); |
| 110 | |
| 111 | return 0; |
| 112 | }; |
| 113 | """ |
| 114 | if args.pid: |
| 115 | bpf_text = bpf_text.replace('FILTER1', |
| 116 | 'if (pid != %s) { return 0; }' % args.pid) |
| 117 | if not args.verbose: |
| 118 | bpf_text = bpf_text.replace('FILTER2', 'if (audit == 0) { return 0; }') |
| 119 | bpf_text = bpf_text.replace('FILTER1', '') |
| 120 | bpf_text = bpf_text.replace('FILTER2', '') |
| 121 | if debug: |
| 122 | print(bpf_text) |
| 123 | |
| 124 | # initialize BPF |
| 125 | b = BPF(text=bpf_text) |
| 126 | |
| 127 | TASK_COMM_LEN = 16 # linux/sched.h |
| 128 | |
| 129 | class Data(ct.Structure): |
| 130 | _fields_ = [ |
| 131 | ("pid", ct.c_ulonglong), |
| 132 | ("uid", ct.c_ulonglong), |
| 133 | ("cap", ct.c_int), |
| 134 | ("audit", ct.c_int), |
| 135 | ("comm", ct.c_char * TASK_COMM_LEN) |
| 136 | ] |
| 137 | |
| 138 | # header |
| 139 | print("%-9s %-6s %-6s %-16s %-4s %-20s %s" % ( |
| 140 | "TIME", "UID", "PID", "COMM", "CAP", "NAME", "AUDIT")) |
| 141 | |
| 142 | # process event |
| 143 | def print_event(cpu, data, size): |
| 144 | event = ct.cast(data, ct.POINTER(Data)).contents |
| 145 | |
| 146 | if event.cap in capabilities: |
| 147 | name = capabilities[event.cap] |
| 148 | else: |
| 149 | name = "?" |
| 150 | print("%-9s %-6d %-6d %-16s %-4d %-20s %d" % (strftime("%H:%M:%S"), |
| jeromemarchand | b96ebcd | 2018-10-10 01:58:15 +0200 | [diff] [blame] | 151 | event.uid, event.pid, event.comm.decode('utf-8', 'replace'), |
| 152 | event.cap, name, event.audit)) |
| Brendan Gregg | 1298998 | 2016-09-14 08:15:09 -0700 | [diff] [blame] | 153 | |
| 154 | # loop with callback to print_event |
| 155 | b["events"].open_perf_buffer(print_event) |
| 156 | while 1: |
| Teng Qin | dbf0029 | 2018-02-28 21:47:50 -0800 | [diff] [blame] | 157 | b.perf_buffer_poll() |