2012-03-13

Kernel capability usage statistics

(Update: 2012-07-16: I wrote a related article for this blog post, "CAP_SYS_ADMIN: the new root" that was published on LWN.net on 2012-03-14.)

The idea of capabilities is to break the power of root (user ID 0) into independently assigned pieces governing specific privileged operations. Implicit in that model is that the set of privileged operations governed by each capability should be small (otherwise, why break the power of root into pieces at all?). However, that implication hasn't turned out to be true in practice.

Table 1 shows some statistics on the use of the 36 currently existing capabilities in the C files of the Linux 3.2 kernel source code. The "#uses" column is the number of uses of the capability across all source files; the "#files" column is the number of distinct source files where the capability is used.

Table 1: Breakdown of Linux capability uses in Linux 3.2
Capability#uses#files
CAP_AUDIT_CONTROL22
CAP_AUDIT_WRITE11
CAP_CHOWN42
CAP_DAC_OVERRIDE21
CAP_DAC_READ_SEARCH42
CAP_FOWNER98
CAP_FSETID86
CAP_IPC_LOCK138
CAP_IPC_OWNER11
CAP_KILL22
CAP_LEASE11
CAP_LINUX_IMMUTABLE1313
CAP_MAC_ADMIN255
CAP_MAC_OVERRIDE62
CAP_MKNOD33
CAP_NET_ADMIN395182
CAP_NET_BIND_SERVICE1310
CAP_NET_BROADCAST00
CAP_NET_RAW1811
CAP_SETFCAP32
CAP_SETGID106
CAP_SETPCAP22
CAP_SETUID84
CAP_SYS_ADMIN451229
CAP_SYS_BOOT22
CAP_SYS_CHROOT11
CAP_SYSLOG22
CAP_SYS_MODULE43
CAP_SYS_NICE148
CAP_SYS_PACCT11
CAP_SYS_PTRACE116
CAP_SYS_RAWIO6742
CAP_SYS_RESOURCE3624
CAP_SYS_TIME2213
CAP_SYS_TTY_CONFIG114
CAP_WAKE_ALARM21
Total1167610

What is of course notable is the extremely heavy use of  two capabilities: CAP_SYS_ADMIN and CAP_NET_ADMIN. Together, these two capabilities account for more than 70% of all uses of capabilities! The uses of CAP_NET_ADMIN are limited to the drivers/ (mainly drivers/net/) and net/ directories. On the other hand, the uses of CAP_SYS_ADMIN, which accounts for nearly 39% of all capability uses, are spread widely across the kernel source tree.

One might wonder whether either of these two capabilities is overrepresented because of duplications in the drivers/ or the arch/ trees. (In particular, CAP_SYS_ADMIN is used for similar administrative functions on a lot of device drivers.) However, even if we strip drivers/ and architectures other than x86 from the measurements, the overall picture doesn't change greatly, as shown in Table 2.

Table 2: Breakdown of Linux capability uses in Linux 3.2, excluding drivers and architectures other than x86
Capability#uses#files
CAP_AUDIT_CONTROL22
CAP_AUDIT_WRITE11
CAP_CHOWN42
CAP_DAC_OVERRIDE21
CAP_DAC_READ_SEARCH42
CAP_FOWNER98
CAP_FSETID86
CAP_IPC_LOCK116
CAP_IPC_OWNER11
CAP_KILL11
CAP_LEASE11
CAP_LINUX_IMMUTABLE1313
CAP_MAC_ADMIN255
CAP_MAC_OVERRIDE62
CAP_MKNOD33
CAP_NET_ADMIN16773
CAP_NET_BIND_SERVICE129
CAP_NET_BROADCAST00
CAP_NET_RAW1811
CAP_SETFCAP32
CAP_SETGID95
CAP_SETPCAP22
CAP_SETUID84
CAP_SYS_ADMIN16780
CAP_SYS_BOOT22
CAP_SYS_CHROOT11
CAP_SYSLOG22
CAP_SYS_MODULE43
CAP_SYS_NICE126
CAP_SYS_PACCT11
CAP_SYS_PTRACE105
CAP_SYS_RAWIO109
CAP_SYS_RESOURCE2618
CAP_SYS_TIME42
CAP_SYS_TTY_CONFIG11
CAP_WAKE_ALARM21
Total552291

CAP_SYS_ADMIN still accounts for 167 of 552 uses of capabilities--about 30%, and, by chance, usage of CAP_NET_ADMIN is the same.

It turns out that the overall picture hasn't changed that much since capabilities were first introduced with Linux 2.2 (Jan 1999). Then, there were 27 capabilities, broken down as shown in Table 3.

Table 3: Breakdown of Linux capability uses in Linux 2.2
Capability#uses#files
CAP_CHOWN21
CAP_DAC_OVERRIDE55
CAP_DAC_READ_SEARCH44
CAP_FOWNER75
CAP_FSETID32
CAP_IPC_LOCK42
CAP_IPC_OWNER11
CAP_KILL00
CAP_LINUX_IMMUTABLE22
CAP_NET_ADMIN7532
CAP_NET_BIND_SERVICE33
CAP_NET_BROADCAST00
CAP_NET_RAW86
CAP_SETGID72
CAP_SETPCAP22
CAP_SETUID73
CAP_SYS_ADMIN12769
CAP_SYS_BOOT11
CAP_SYS_CHROOT11
CAP_SYS_MODULE42
CAP_SYS_NICE52
CAP_SYS_PACCT11
CAP_SYS_PTRACE99
CAP_SYS_RAWIO21
CAP_SYS_RESOURCE108
CAP_SYS_TIME74
CAP_SYS_TTY_CONFIG11
Total298169

In Linux 2.2, CAP_SYS_ADMIN accounted for 42% of the uses of capabilities, and CAP_NET_ADMIN accounted for 25%.

Table 4 repeats the earlier exercise of excluding drivers/ and architectures other than i386 (as the Intel arch/ directory was then named) from the Linux 2.2 data. In this case, an interesting difference emerges.

Table 4: Breakdown of Linux capability uses in Linux 2.2, excluding drivers and architectures other than i386
Capability#uses#files
CAP_CHOWN21
CAP_DAC_OVERRIDE55
CAP_DAC_READ_SEARCH44
CAP_FOWNER75
CAP_FSETID32
CAP_IPC_LOCK42
CAP_IPC_OWNER11
CAP_KILL00
CAP_LINUX_IMMUTABLE22
CAP_NET_ADMIN4423
CAP_NET_BIND_SERVICE33
CAP_NET_BROADCAST00
CAP_NET_RAW86
CAP_SETGID72
CAP_SETPCAP22
CAP_SETUID73
CAP_SYS_ADMIN2317
CAP_SYS_BOOT11
CAP_SYS_CHROOT11
CAP_SYS_MODULE42
CAP_SYS_NICE52
CAP_SYS_PACCT11
CAP_SYS_PTRACE22
CAP_SYS_RAWIO21
CAP_SYS_RESOURCE54
CAP_SYS_TIME31
CAP_SYS_TTY_CONFIG11
Total14794

The overall picture differs in a way that I suspect is significant: just under 16% (23/147) of the uses of capabilities are CAP_SYS_ADMIN. (As we saw in Table 2, by Linux 3.2, this figure had grown to 30% (167/552).) This difference suggests to me that as a series of kernel developers was faced with the question: "What capability should I use to govern my new privileged kernel feature?", the answer was often something like "I don't know; maybe CAP_SYS_ADMIN?". (That certainly fits with a few anecdotal cases I've encountered while discussing things with kernel developers as I wrote man pages for new kernel features.)

The script (count_kernel_cap_uses.sh) used to generate the data for these statistics can be found here. The first and third tables above are based on analysis of the "p2" output files produced by the script. The second and fourth tables are based on analysis of the "p4" output files.