Instead of hardcoding the AppArmor capability audit cache timeout, expose it as a sysctl. This uses the helper introduced in the previous patch of this series.
Signed-off-by: Ryan Lee <ryan....@canonical.com>
---
 security/apparmor/capability.c | 6 ++++--
 security/apparmor/include/capability.h | 2 ++
 security/apparmor/lsm.c | 7 +++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 64005b3d0fcc..764b5dd93366 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -25,6 +25,8 @@
 */
 #include "capability_names.h"
 
+unsigned int audit_cap_cache_timeout_us = 100;
+
 struct aa_sfs_entry aa_sfs_entry_caps[] = {
 AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
 AA_SFS_FILE_BOOLEAN("extended", 1),
@@ -68,12 +70,12 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,
 int cap, int error)
 {
- const u64 AUDIT_CACHE_TIMEOUT_NS = 100*1000; /* 100 us */
 u64 audit_cache_expiration;
 struct aa_ruleset *rules = list_first_entry(&profile->rules,
 typeof(*rules), list);
 struct audit_cache *ent;
 int type = AUDIT_APPARMOR_AUTO;
+ u64 audit_cap_cache_timeout_ns = 1000*(u64) audit_cap_cache_timeout_us;
 
 ad->error = error;
 
@@ -95,7 +97,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
 
 /* Do simple duplicate message elimination */
 ent = &get_cpu_var(audit_cache);
- audit_cache_expiration = ent->ktime_ns_last_audited[cap] + AUDIT_CACHE_TIMEOUT_NS;
+ audit_cache_expiration = ent->ktime_ns_last_audited[cap] + audit_cap_cache_timeout_ns;
 if (profile == ent->profile && cap_raised(ent->caps, cap) &&
 ktime_get_ns() <= audit_cache_expiration) {
 put_cpu_var(audit_cache);
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 1ddcec2d1160..c38488b3fe00 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
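Review bot: The new `audit_cap_cache_timeout_ns` initializer in the audit_caps() hunk reads `audit_cap_cache_timeout_us` with a plain load while the sysctl handler added in lsm.c can store to it concurrently; a tunable read from a hot path is normally fetched with `READ_ONCE()` so the compiler reads it exactly once, e.g. `u64 audit_cap_cache_timeout_ns = 1000 * (u64)READ_ONCE(audit_cap_cache_timeout_us);`. The cast before the multiply keeps the product in u64 so even UINT_MAX microseconds cannot overflow, which deserves a one-line comment because the bounding is not obvious at first read. The definition at the top of the file in the first hunk would also benefit from a comment giving the unit and the fact that it is runtime-tunable, e.g. `/* capability audit dedup window in microseconds; runtime-tunable via sysctl */`. audit_caps() continues past the end of the hunk.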
@@ -34,6 +34,8 @@ struct aa_caps {
 kernel_cap_t extended;
 };
 
+extern unsigned int audit_cap_cache_timeout_us;
+
 extern struct aa_sfs_entry aa_sfs_entry_caps[];
 
 kernel_cap_t aa_profile_capget(struct aa_profile *profile);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b9a92e500242..4af50bd3628a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2480,6 +2480,13 @@ static struct ctl_table apparmor_sysctl_table[] = {
 .mode = 0600,
 .proc_handler = apparmor_dointvec,
 },
+ {
+ .procname = "apparmor_audit_capability_dedup_timeout_us",
+ .data = &audit_cap_cache_timeout_us,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = apparmor_can_read_douintvec,
+ },
 { }
 };
 
-- 
Major items I'm seeking input on (reason for RFC designation):
- Whether to hardcode the expiration offset or whether to expose it as a sysctl
Items to bikeshed before merging:
- Name for the sysctl
- Name for the static variable that the sysctl writes to
- Type for the sysctl variable (I used unsigned int to match the int type for the other sysctls, but semantically this should be a u64)
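Review bot: The new ctl_table entry in the lsm.c hunk carries no `.extra1`/`.extra2` bounds, so unless `apparmor_can_read_douintvec` clamps the value itself (it comes from an earlier patch and is not visible here) a writer can set the dedup window to anything up to UINT_MAX microseconds, roughly 71 minutes, during which repeated capability denials for the same profile and capability on a CPU produce no audit record at all. Because this knob directly controls how much audit evidence is dropped, I would bound it, e.g. `.extra1 = SYSCTL_ZERO,` plus an `.extra2` pointing at a static upper limit with a minmax-style handler, and state the chosen limit in the sysctl documentation. The entry also uses `.mode = 0644` while the neighbouring apparmor sysctls are `0600`; if the helper's read gating is what justifies the wider mode, a short comment on the entry saying so would keep the next reader from flagging it.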