tools: add option --cgroupmap to capable.py

Documentation (man page and example text) updated.
Ha-Dj · Mar 9, 2020 · 15e998d · 15e998d
1 parent 2162516
commit 15e998d
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 8 deletions.
diff --git a/man/man8/capable.8 b/man/man8/capable.8
@@ -1,8 +1,8 @@
-.TH capable 8 "2016-09-13" "USER COMMANDS"
+.TH capable 8 "2020-03-06" "USER COMMANDS"
 .SH NAME
 capable \- Trace security capability checks (cap_capable()).
 .SH SYNOPSIS
-.B capable [\-h] [\-v] [\-p PID] [\-K] [\-U]
+.B capable [\-h] [\-v] [\-p PID] [\-K] [\-U] [\-x] [\-\-cgroupmap MAPPATH]
 .SH DESCRIPTION
 This traces security capability checks in the kernel, and prints details for
 each call. This can be useful for general debugging, and also security
@@ -28,6 +28,9 @@ Include user-space stack traces to the output.
 .TP
 \-x
 Show extra fields in TID and INSETID columns.
+.TP
+\-\-cgroupmap MAPPATH
+Trace cgroups in this BPF map only (filtered in-kernel).
 .SH EXAMPLES
 .TP
 Trace all capability checks system-wide:
@@ -37,6 +40,11 @@ Trace all capability checks system-wide:
 Trace capability checks for PID 181:
 #
 .B capable \-p 181
+.TP
+Trace capability checks in a set of cgroups only (see filtering_by_cgroups.md
+from bcc sources for more details):
+#
+.B capable \-\-cgroupmap /sys/fs/bpf/test01
 .SH FIELDS
 .TP
 TIME(s)

diff --git a/tools/capable.py b/tools/capable.py
@@ -27,6 +27,7 @@
  ./capable -K # add kernel stacks to trace
  ./capable -U # add user-space stacks to trace
  ./capable -x # extra fields: show TID and INSETID columns
+ ./capable --cgroupmap ./mappath # only trace cgroups in this BPF map
 """
 parser = argparse.ArgumentParser(
  description="Trace security capability checks",
@@ -42,6 +43,8 @@
  help="output user stack trace")
 parser.add_argument("-x", "--extra", action="store_true",
  help="show extra fields in TID and INSETID columns")
+parser.add_argument("--cgroupmap",
+ help="trace cgroups in this BPF map only")
 args = parser.parse_args()
 debug = 0
 
@@ -122,6 +125,10 @@ def __getattr__(self, name):
 
 BPF_PERF_OUTPUT(events);
 
+#if CGROUPSET
+BPF_TABLE_PINNED("hash", u64, u64, cgroupset, 1024, "CGROUPPATH");
+#endif
+
 #if defined(USER_STACKS) || defined(KERNEL_STACKS)
 BPF_STACK_TRACE(stacks, 2048);
 #endif
@@ -146,6 +153,12 @@ def __getattr__(self, name):
  FILTER1
  FILTER2
  FILTER3
+#if CGROUPSET
+ u64 cgroupid = bpf_get_current_cgroup_id();
+ if (cgroupset.lookup(&cgroupid) == NULL) {
+ return 0;
+ }
+#endif
 
  u32 uid = bpf_get_current_uid_gid();
  struct data_t data = {.tgid = tgid, .pid = pid, .uid = uid, .cap = cap, .audit = audit, .insetid = insetid};
@@ -174,6 +187,11 @@ def __getattr__(self, name):
 bpf_text = bpf_text.replace('FILTER2', '')
 bpf_text = bpf_text.replace('FILTER3',
  'if (pid == %s) { return 0; }' % getpid())
+if args.cgroupmap:
+ bpf_text = bpf_text.replace('CGROUPSET', '1')
+ bpf_text = bpf_text.replace('CGROUPPATH', args.cgroupmap)
+else:
+ bpf_text = bpf_text.replace('CGROUPSET', '0')
 if debug:
  print(bpf_text)
 

diff --git a/tools/capable_example.txt b/tools/capable_example.txt
@@ -88,23 +88,36 @@ TIME UID PID COMM CAP NAME AUDIT
 Similarly, it is possible to include user-space stack with -U (or they can be
 used both at the same time to include user and kernel stack).
 
+The --cgroupmap option filters based on a cgroup set. It is meant to be used
+with an externally created map.
+
+# ./capable.py --cgroupmap /sys/fs/bpf/test01
+
+For more details, see docs/filtering_by_cgroups.md
+
+
 USAGE:
 
 # ./capable.py -h
-usage: capable.py [-h] [-v] [-p PID] [-K] [-U]
+usage: capable.py [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap CGROUPMAP]
 
 Trace security capability checks
 
 optional arguments:
- -h, --help show this help message and exit
- -v, --verbose include non-audit checks
- -p PID, --pid PID trace this PID only
- -K, --kernel-stack output kernel stack trace
- -U, --user-stack output user stack trace
+ -h, --help show this help message and exit
+ -v, --verbose include non-audit checks
+ -p PID, --pid PID trace this PID only
+ -K, --kernel-stack output kernel stack trace
+ -U, --user-stack output user stack trace
+ -x, --extra show extra fields in TID and INSETID columns
+ --cgroupmap CGROUPMAP
+ trace cgroups in this BPF map only
 
 examples:
  ./capable # trace capability checks
  ./capable -v # verbose: include non-audit checks
  ./capable -p 181 # only trace PID 181
  ./capable -K # add kernel stacks to trace
  ./capable -U # add user-space stacks to trace
+ ./capable -x # extra fields: show TID and INSETID columns
+ ./capable --cgroupmap ./mappath # only trace cgroups in this BPF map