[RFC PATCH v2 0/2] Add capabilities file to sysfs

[RFC PATCH v2 0/2] Add capabilities file to sysfs

[Francis Laniel]

Hi.


First, I hope you are fine and the same for your relatives.

Capabilities are used to check if a thread has the right to perform a given
action [1].
For example, a thread with CAP_BPF set can use the bpf() syscall.

Capabilities are used in the container world.
In terms of code, several projects related to container maintain code where the
capabilities are written alike include/uapi/linux/capability.h [2][3][4][5].
For these projects, their codebase should be updated when a new capability is
added to the kernel.
Some other projects rely on <sys/capability.h> [6].
In this case, this header file should reflect the capabilities offered by the
kernel.

So, in this series, I added a new file to sysfs: /sys/kernel/capabilities.
The goal of this file is to be used by "container world" software to know kernel
capabilities at run time instead of compile time.

The underlying kernel attribute is read-only and its content is the capability
number associated with the capability name:
root@vm-amd64:~# cat /sys/kernel/capabilities
0       CAP_CHOWN
1       CAP_DAC_OVERRIDE
...
39      CAP_BPF

The kernel already exposes the last capability number under:
/proc/sys/kernel/cap_last_cap
So, I think there should not be any issue exposing all the capabilities it
offers.
If there is any, please share it as I do not want to introduce issue with this
series.

Also, if you see any way to improve this series please share it as it would
increase this contribution quality.

Change since v1:
* Use quotes for cap_strings values instead of __stringify().

Francis Laniel (2):
  capability: Add cap_strings.
  kernel/ksysfs.c: Add capabilities attribute.

 include/uapi/linux/capability.h |  1 +
 kernel/capability.c             | 44 +++++++++++++++++++++++++++++++++
 kernel/ksysfs.c                 | 18 ++++++++++++++
 3 files changed, 63 insertions(+)


Best regards and thank you in advance for your reviews.
---
[1] man capabilities
[2] https://github.com/containerd/containerd/blob/1a078e6893d07fec10a4940a5664fab21d6f7d1e/pkg/cap/cap_linux.go#L135
[3] https://github.com/moby/moby/commit/485cf38d48e7111b3d1f584d5e9eab46a902aabc#diff-2e04625b209932e74c617de96682ed72fbd1bb0d0cb9fb7c709cf47a86b6f9c1
moby relies on containerd code.
[4] https://github.com/syndtr/gocapability/blob/42c35b4376354fd554efc7ad35e0b7f94e3a0ffb/capability/enum.go#L47
[5] https://github.com/opencontainers/runc/blob/00f56786bb220b55b41748231880ba0e6380519a/libcontainer/capabilities/capabilities.go#L12
runc relies on syndtr package.
[6] https://github.com/containers/crun/blob/fafb556f09e6ffd4690c452ff51856b880c089f1/src/libcrun/linux.c#L35
-- 
2.30.2

[RFC PATCH v2 1/2] capability: Add cap_strings.

[Francis Laniel]

This array contains the capability names for the given capabilitiy.
For example, index CAP_BPF contains "CAP_BPF".

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
---
 include/uapi/linux/capability.h |  1 +
 kernel/capability.c             | 44 +++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 463d1ba2232a..9646654d5111 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -428,5 +428,6 @@ struct vfs_ns_cap_data {
 #define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
 #define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
 
+extern const char *cap_strings[];
 
 #endif /* _UAPI_LINUX_CAPABILITY_H */
diff --git a/kernel/capability.c b/kernel/capability.c
index 46a361dde042..cd386419f2b7 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -27,6 +27,50 @@
 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
 EXPORT_SYMBOL(__cap_empty_set);
 
+const char *cap_strings[] = {
+	[CAP_CHOWN] = "CAP_CHOWN",
+	[CAP_DAC_OVERRIDE] = "CAP_DAC_OVERRIDE",
+	[CAP_DAC_READ_SEARCH] = "CAP_DAC_READ_SEARCH",
+	[CAP_FOWNER] = "CAP_FOWNER",
+	[CAP_FSETID] = "CAP_FSETID",
+	[CAP_KILL] = "CAP_KILL",
+	[CAP_SETGID] = "CAP_SETGID",
+	[CAP_SETUID] = "CAP_SETUID",
+	[CAP_SETPCAP] = "CAP_SETPCAP",
+	[CAP_LINUX_IMMUTABLE] = "CAP_LINUX_IMMUTABLE",
+	[CAP_NET_BIND_SERVICE] = "CAP_NET_BIND_SERVICE",
+	[CAP_NET_BROADCAST] = "CAP_NET_BROADCAST",
+	[CAP_NET_ADMIN] = "CAP_NET_ADMIN",
+	[CAP_NET_RAW] = "CAP_NET_RAW",
+	[CAP_IPC_LOCK] = "CAP_IPC_LOCK",
+	[CAP_IPC_OWNER] = "CAP_IPC_OWNER",
+	[CAP_SYS_MODULE] = "CAP_SYS_MODULE",
+	[CAP_SYS_RAWIO] = "CAP_SYS_RAWIO",
+	[CAP_SYS_CHROOT] = "CAP_SYS_CHROOT",
+	[CAP_SYS_PTRACE] = "CAP_SYS_PTRACE",
+	[CAP_SYS_PACCT] = "CAP_SYS_PACCT",
+	[CAP_SYS_ADMIN] = "CAP_SYS_ADMIN",
+	[CAP_SYS_BOOT] = "CAP_SYS_BOOT",
+	[CAP_SYS_NICE] = "CAP_SYS_NICE",
+	[CAP_SYS_RESOURCE] = "CAP_SYS_RESOURCE",
+	[CAP_SYS_TIME] = "CAP_SYS_TIME",
+	[CAP_SYS_TTY_CONFIG] = "CAP_SYS_TTY_CONFIG",
+	[CAP_MKNOD] = "CAP_MKNOD",
+	[CAP_LEASE] = "CAP_LEASE",
+	[CAP_AUDIT_WRITE] = "CAP_AUDIT_WRITE",
+	[CAP_AUDIT_CONTROL] = "CAP_AUDIT_CONTROL",
+	[CAP_SETFCAP] = "CAP_SETFCAP",
+	[CAP_MAC_OVERRIDE] = "CAP_MAC_OVERRIDE",
+	[CAP_MAC_ADMIN] = "CAP_MAC_ADMIN",
+	[CAP_SYSLOG] = "CAP_SYSLOG",
+	[CAP_WAKE_ALARM] = "CAP_WAKE_ALARM",
+	[CAP_BLOCK_SUSPEND] = "CAP_BLOCK_SUSPEND",
+	[CAP_AUDIT_READ] = "CAP_AUDIT_READ",
+	[CAP_PERFMON] = "CAP_PERFMON",
+	[CAP_BPF] = "CAP_BPF",
+	[CAP_CHECKPOINT_RESTORE] = "CAP_CHECKPOINT_RESTORE",
+};
+
 int file_caps_enabled = 1;
 
 static int __init file_caps_disable(char *str)
-- 
2.30.2

[RFC PATCH v2 2/2] kernel/ksysfs.c: Add capabilities attribute.

[Francis Laniel]

This new read-only attribute prints the capabilities values with their names:
0       CAP_CHOWN
1       CAP_DAC_OVERRIDE
...
39      CAP_BPF

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
---
 kernel/ksysfs.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
index 35859da8bd4f..7d39794a55bc 100644
--- a/kernel/ksysfs.c
+++ b/kernel/ksysfs.c
@@ -182,6 +182,23 @@ static ssize_t rcu_normal_store(struct kobject *kobj,
 KERNEL_ATTR_RW(rcu_normal);
 #endif /* #ifndef CONFIG_TINY_RCU */
 
+static ssize_t capabilities_show(struct kobject *unused0,
+				struct kobj_attribute *unused1, char *buf)
+{
+	int at = 0;
+	int i;
+
+	for (i = 0; i < CAP_LAST_CAP; i++) {
+		if (at >= PAGE_SIZE)
+			return at;
+
+		at += sysfs_emit_at(buf, at, "%d\t%s\n", i, cap_strings[i]);
+	}
+
+	return at;
+}
+KERNEL_ATTR_RO(capabilities);
+
 /*
  * Make /sys/kernel/notes give the raw contents of our kernel .notes section.
  */
@@ -229,6 +246,7 @@ static struct attribute * kernel_attrs[] = {
 	&rcu_expedited_attr.attr,
 	&rcu_normal_attr.attr,
 #endif
+	&capabilities_attr.attr,
 	NULL
 };
 
-- 
2.30.2