On 9/13/24 16:21, Ryan Lee wrote:
Instead of hardcoding the Apparmor capability audit cache timeout, expose
it as a sysctl. This uses the helper introduced in the previous patch of
this series.

Signed-off-by: Ryan Lee <ryan....@canonical.com>

NAK. At least atm the audit cache for capabilities is a temporary solution.
There is a larger rework coming that will bring caching to complain mode
which is generic enough that it should replace the caps cache, so I don't
want to expose the caps cache to userspace.

---
  security/apparmor/capability.c         | 6 ++++--
  security/apparmor/include/capability.h | 2 ++
  security/apparmor/lsm.c                | 7 +++++++
  3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 64005b3d0fcc..764b5dd93366 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -25,6 +25,8 @@
   */
  #include "capability_names.h"
+unsigned int audit_cap_cache_timeout_us = 100;
+
  struct aa_sfs_entry aa_sfs_entry_caps[] = {
        AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
        AA_SFS_FILE_BOOLEAN("extended", 1),
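Review bot: The new global `audit_cap_cache_timeout_us` at line 26 has no comment and no `aa_` prefix, unlike the other symbols this file and capability.h export (`aa_sfs_entry_caps`, `aa_profile_capget`); the same applies to the `extern` added in the capability.h hunk. The only hint at its meaning is the `_us` suffix, so a comment above the definition would help, e.g. `/* Window in which repeated audit messages for the same capability are deduplicated, in microseconds; writable through the apparmor_audit_capability_dedup_timeout_us sysctl. */`. The initial value `100` matches the removed `100*1000 /* 100 us */` constant, which is worth stating in that comment so the default is recognisably unchanged. Renaming it to `aa_audit_cap_cache_timeout_us` in all three files would keep the exported namespace consistent.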
@@ -68,12 +70,12 @@ static void audit_cb(struct audit_buffer *ab, void *va)
  static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile 
*profile,
                      int cap, int error)
  {
-       const u64 AUDIT_CACHE_TIMEOUT_NS = 100*1000; /* 100 us */
        u64 audit_cache_expiration;
        struct aa_ruleset *rules = list_first_entry(&profile->rules,
                                                    typeof(*rules), list);
        struct audit_cache *ent;
        int type = AUDIT_APPARMOR_AUTO;
+       u64 audit_cap_cache_timeout_ns = 1000*(u64) audit_cap_cache_timeout_us;
ad->error = error;
@@ -95,7 +97,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
 /* Do simple duplicate message elimination */
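Review bot: The load of `audit_cap_cache_timeout_us` at line 42 is a plain read of a global that a concurrent sysctl write can change, so it should be taken as a `READ_ONCE()` snapshot; computing the nanosecond value once per call, as the patch does, is the right shape, only the load needs marking. In kernel style the line would read `u64 audit_cap_cache_timeout_ns = 1000 * (u64)READ_ONCE(audit_cap_cache_timeout_us);`. The removed line carried the unit inline (`/* 100 us */`); after the change the unit lives only in the `_us`/`_ns` suffixes, so a short comment such as `/* sysctl value is in microseconds */` on the multiplication would keep that explicit. audit_caps() continues past the end of this hunk.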
        ent = &get_cpu_var(audit_cache);
-       audit_cache_expiration = ent->ktime_ns_last_audited[cap] + 
AUDIT_CACHE_TIMEOUT_NS;
+       audit_cache_expiration = ent->ktime_ns_last_audited[cap] + 
audit_cap_cache_timeout_ns;
        if (profile == ent->profile && cap_raised(ent->caps, cap)
                        && ktime_get_ns() <= audit_cache_expiration) {
                put_cpu_var(audit_cache);
diff --git a/security/apparmor/include/capability.h 
b/security/apparmor/include/capability.h
index 1ddcec2d1160..c38488b3fe00 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -34,6 +34,8 @@ struct aa_caps {
        kernel_cap_t extended;
  };
+extern unsigned int audit_cap_cache_timeout_us;
+
  extern struct aa_sfs_entry aa_sfs_entry_caps[];
kernel_cap_t aa_profile_capget(struct aa_profile *profile);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b9a92e500242..4af50bd3628a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2480,6 +2480,13 @@ static struct ctl_table apparmor_sysctl_table[] = {
                .mode           = 0600,
                .proc_handler   = apparmor_dointvec,
        },
+       {
+               .procname       = "apparmor_audit_capability_dedup_timeout_us",
+               .data           = &audit_cap_cache_timeout_us,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = apparmor_can_read_douintvec,
+       },
        { }
  };
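Review bot: The new ctl_table entry sets no `.extra1`/`.extra2` bounds, so any value up to UINT_MAX is accepted; through the `1000 * (u64)` conversion in capability.c that is roughly 4.3e12 ns (about 71 minutes) during which repeated events for the same capability on a CPU are treated as duplicates by the existing dedup check, which is a large loss of audit visibility for a 0644 knob to allow. If `apparmor_can_read_douintvec` (from the earlier patch in the series, not visible here) does not honour min/max, a bounded handler or an explicit upper limit in the handler, with `.extra1`/`.extra2` set to a documented range, would be safer. The sysctl name says `dedup_timeout` while the variable says `cache_timeout`; using one term for both would help readers match the two. The new knob should also be described wherever the existing `apparmor_*` sysctls in this table are documented.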

