[apparmor] [RFC, PATCH 3/3] apparmor: Make the audit cap cache timeout a sysctl

John Johansen john.johansen at canonical.com
Sat Nov 9 20:25:53 UTC 2024


On 9/13/24 16:21, Ryan Lee wrote:
> Instead of hardcoding the AppArmor capability audit cache timeout, expose
> it as a sysctl. This uses the helper introduced in the previous patch of
> this series.
> 
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>

NAK. At least at the moment, the audit cache for capabilities is a temporary solution.
There is a larger rework coming that will bring caching to complain mode;
it is generic enough that it should replace the caps cache, so I don't
want to expose the caps cache to userspace.

> ---
>   security/apparmor/capability.c         | 6 ++++--
>   security/apparmor/include/capability.h | 2 ++
>   security/apparmor/lsm.c                | 7 +++++++
>   3 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
> index 64005b3d0fcc..764b5dd93366 100644
> --- a/security/apparmor/capability.c
> +++ b/security/apparmor/capability.c
> @@ -25,6 +25,8 @@
>    */
>   #include "capability_names.h"
>   
> +unsigned int audit_cap_cache_timeout_us = 100;
> +
>   struct aa_sfs_entry aa_sfs_entry_caps[] = {
>   	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
>   	AA_SFS_FILE_BOOLEAN("extended", 1),
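Review bot: The new global on the `+unsigned int audit_cap_cache_timeout_us = 100;` line has no comment giving its unit, its default, or the fact that it is written from the sysctl table in lsm.c, so a reader of capability.c alone cannot see that it is externally tunable at runtime. Suggest `/* Dedup window for repeated capability audit messages, in microseconds. Written only through the apparmor sysctl table in lsm.c. */` directly above the definition. Stating that the sysctl handler is the only writer also documents why the reader in audit_caps() needs no lock.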
> @@ -68,12 +70,12 @@ static void audit_cb(struct audit_buffer *ab, void *va)
>   static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,
>   		      int cap, int error)
>   {
> -	const u64 AUDIT_CACHE_TIMEOUT_NS = 100*1000; /* 100 us */
>   	u64 audit_cache_expiration;
>   	struct aa_ruleset *rules = list_first_entry(&profile->rules,
>   						    typeof(*rules), list);
>   	struct audit_cache *ent;
>   	int type = AUDIT_APPARMOR_AUTO;
> +	u64 audit_cap_cache_timeout_ns = 1000*(u64) audit_cap_cache_timeout_us;
>   
>   	ad->error = error;
>   
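Review bot: The load of `audit_cap_cache_timeout_us` on the added `u64 audit_cap_cache_timeout_ns = ...` line can race with a concurrent sysctl write, so it should be a single annotated read, `u64 audit_cap_cache_timeout_ns = 1000 * (u64)READ_ONCE(audit_cap_cache_timeout_us);`, which both documents the lock-free access and guarantees one consistent value for the rest of the call. The `(u64)` cast keeps the multiply free of overflow for any `unsigned int`, but nothing in this function bounds the result: a large value stretches the per-CPU suppression window for repeated capability denials to over an hour, and 0 effectively disables dedup. If both extremes are intended, a comment at this line should say so; otherwise the range limit belongs in the sysctl entry. audit_caps()'s body continues outside the hunk.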
> @@ -95,7 +97,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
>   
>   	/* Do simple duplicate message elimination */
>   	ent = &get_cpu_var(audit_cache);
> -	audit_cache_expiration = ent->ktime_ns_last_audited[cap] + AUDIT_CACHE_TIMEOUT_NS;
> +	audit_cache_expiration = ent->ktime_ns_last_audited[cap] + audit_cap_cache_timeout_ns;
>   	if (profile == ent->profile && cap_raised(ent->caps, cap)
>   			&& ktime_get_ns() <= audit_cache_expiration) {
>   		put_cpu_var(audit_cache);
> diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
> index 1ddcec2d1160..c38488b3fe00 100644
> --- a/security/apparmor/include/capability.h
> +++ b/security/apparmor/include/capability.h
> @@ -34,6 +34,8 @@ struct aa_caps {
>   	kernel_cap_t extended;
>   };
>   
> +extern unsigned int audit_cap_cache_timeout_us;
> +
>   extern struct aa_sfs_entry aa_sfs_entry_caps[];
>   
>   kernel_cap_t aa_profile_capget(struct aa_profile *profile);
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index b9a92e500242..4af50bd3628a 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -2480,6 +2480,13 @@ static struct ctl_table apparmor_sysctl_table[] = {
>   		.mode           = 0600,
>   		.proc_handler   = apparmor_dointvec,
>   	},
> +	{
> +		.procname       = "apparmor_audit_capability_dedup_timeout_us",
> +		.data           = &audit_cap_cache_timeout_us,
> +		.maxlen         = sizeof(unsigned int),
> +		.mode           = 0644,
> +		.proc_handler   = apparmor_can_read_douintvec,
> +	},
>   	{ }
>   };
>   
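Review bot: The new `apparmor_audit_capability_dedup_timeout_us` entry carries no `.extra1`/`.extra2` bounds, so any `unsigned int` is accepted and the dedup window can be set to roughly 71 minutes, silencing repeated capability audit events for that long on each CPU. A range-checked handler in the style of `proc_douintvec_minmax` with a sensible upper bound would prevent that, though whether `apparmor_can_read_douintvec` from the previous patch already enforces a range is not visible here. The entry's `.mode = 0644` also differs from the sibling entry's `0600` just above it; if world-readability is deliberate because the handler itself gates writes, a comment next to `.mode` saying so would keep the table consistent for the next reader.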



