[apparmor] [PATCH] apparmor: audit_cap dedup based on subj_cred instead of profile
John Johansen
john.johansen at canonical.com
Sat Nov 9 20:32:17 UTC 2024
On 9/25/24 11:30, Ryan Lee wrote:
> The previous audit_cap cache deduping was based on the profile that was
> being audited. This could cause confusion due to the deduplication then
> occurring across multiple processes, which could happen if multiple
> instances of binaries matched the same profile attachment (and thus ran
> under the same profile) or a profile was attached to a container and its
> processes.
>
> Instead, perform audit_cap deduping over ad->subj_cred, which ensures the
> deduping only occurs across a single process, instead of across all
> processes that match the current one's profile.
>
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
Acked-by: John Johansen <john.johansen at canoical.com>
I have pulled this into my tree
> ---
> security/apparmor/capability.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
> index 61d7ab4255b0..3729c7fc86f9 100644
> --- a/security/apparmor/capability.c
> +++ b/security/apparmor/capability.c
> @@ -32,7 +32,7 @@ struct aa_sfs_entry aa_sfs_entry_caps[] = {
> };
>
> struct audit_cache {
> - struct aa_profile *profile;
> + const struct cred *ad_subj_cred;
> /* Capabilities go from 0 to CAP_LAST_CAP */
> u64 ktime_ns_expiration[CAP_LAST_CAP+1];
> };
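Review bot: the new field name `ad_subj_cred` drags the name of the local `ad` argument from audit_caps() into a struct that knows nothing about it; `subj_cred` matches the member it mirrors (`ad->subj_cred`) and reads naturally as `ent->subj_cred` at the use sites. A one-line comment that the pointer is a counted reference (taken with get_cred() when the entry is filled, released when it is replaced) would also help, since a reader of the struct alone cannot tell whether the cred is borrowed or owned, and that distinction is what makes keying on the pointer sound: while the cache holds the reference the cred cannot be freed and its address reused by another process.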
> @@ -95,14 +95,14 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
> /* Do simple duplicate message elimination */
> ent = &get_cpu_var(audit_cache);
> /* If the capability was never raised the timestamp check would also catch that */
> - if (profile == ent->profile && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {
> + if (ad->subj_cred == ent->ad_subj_cred && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {
> put_cpu_var(audit_cache);
> if (COMPLAIN_MODE(profile))
> return complain_error(error);
> return error;
> } else {
> - aa_put_profile(ent->profile);
> - ent->profile = aa_get_profile(profile);
> + put_cred(ent->ad_subj_cred);
> + ent->ad_subj_cred = get_cred(ad->subj_cred);
> ent->ktime_ns_expiration[cap] = ktime_get_ns() + AUDIT_CACHE_TIMEOUT_NS;
> }
> put_cpu_var(audit_cache);
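Review bot: the else branch at the end of the hunk replaces `ent->ad_subj_cred` but keeps the expiration table that was filled while a different cred was cached, so once the key flips to the new subject the check `ktime_get_ns() <= ent->ktime_ns_expiration[cap]` can still succeed for a capability the new subject has never been audited for, and its first message is dropped on the strength of another process's timestamp, which is the cross-process suppression this patch sets out to remove. Clear the table when the key changes, e.g. `if (ad->subj_cred != ent->ad_subj_cred) memset(ent->ktime_ns_expiration, 0, sizeof(ent->ktime_ns_expiration));` before `ent->ad_subj_cred = get_cred(ad->subj_cred);`; the comment above the check ("If the capability was never raised the timestamp check would also catch that") only holds once that is done. A smaller point: `put_cred(ent->ad_subj_cred);` runs before `get_cred(ad->subj_cred)`, so when the expired entry is for the same cred the cache momentarily holds no reference and relies on the caller's cred staying alive; taking the new reference first makes the swap safe on its own.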
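The dedup behaviour described in the commit message, and the consequence of the expiration table surviving a change of key, modelled as an added user-space C program. This is not the kernel's code or the patch author's: `struct cred`, `struct aa_profile`, `struct subject`, the `DEDUP_BY_*` modes and the `clear_on_switch` flag are stand-ins introduced for the model, the 1 s value of `AUDIT_CACHE_TIMEOUT_NS` and the capability numbers are assumed, and the two nginx workers sharing one profile are a constructed scenario.

```c
/*
 * Added user-space model of the audit_caps() dedup cache. Not kernel code:
 * struct cred / aa_profile are stand-ins that only matter by address, and the
 * 1 s timeout is an assumed value for AUDIT_CACHE_TIMEOUT_NS.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_LAST_CAP 40                       /* assumed; only sizes the table */
#define AUDIT_CACHE_TIMEOUT_NS 1000000000ULL  /* assumed 1 s dedup window */
#define CAP_NET_ADMIN 12                      /* assumed numbering */
#define CAP_SYS_ADMIN 21

struct aa_profile { const char *name; };
struct cred { unsigned int uid; };

/* one subject: the profile it is confined by and the cred object it runs with */
struct subject {
	const char *comm;
	const struct aa_profile *profile;
	const struct cred *cred;
};

enum dedup_key { DEDUP_BY_PROFILE, DEDUP_BY_CRED };

struct audit_cache {
	const void *key;                      /* profile or cred, compared by address */
	uint64_t ktime_ns_expiration[CAP_LAST_CAP + 1];
};

/*
 * Mirror of the dedup decision: true when the message is emitted, false when
 * it is dropped as a duplicate. clear_on_switch models resetting the
 * expiration table whenever the cached key changes.
 */
static bool audit_cap_emits(struct audit_cache *ent, enum dedup_key mode,
			    bool clear_on_switch, const struct subject *s,
			    int cap, uint64_t now_ns)
{
	const void *key = (mode == DEDUP_BY_PROFILE) ? (const void *)s->profile
						     : (const void *)s->cred;

	if (key == ent->key && now_ns <= ent->ktime_ns_expiration[cap])
		return false;

	if (clear_on_switch && key != ent->key)
		memset(ent->ktime_ns_expiration, 0, sizeof(ent->ktime_ns_expiration));
	ent->key = key;
	ent->ktime_ns_expiration[cap] = now_ns + AUDIT_CACHE_TIMEOUT_NS;
	return true;
}

/* Constructed scenario: two worker processes confined by the same profile. */
static const struct aa_profile nginx_profile = { "nginx" };
static const struct cred worker_a_cred = { 33 };
static const struct cred worker_b_cred = { 33 };
static const struct subject worker_a = { "nginx-a", &nginx_profile, &worker_a_cred };
static const struct subject worker_b = { "nginx-b", &nginx_profile, &worker_b_cred };

/*
 * Scenario 1: A is denied CAP_NET_ADMIN at t=0, B is denied the same cap
 * 100 ms later. Returns whether B's denial reaches the log.
 */
static bool second_process_logged(enum dedup_key mode)
{
	struct audit_cache ent = { 0 };

	audit_cap_emits(&ent, mode, false, &worker_a, CAP_NET_ADMIN, 0);
	return audit_cap_emits(&ent, mode, false, &worker_b, CAP_NET_ADMIN, 100000000ULL);
}

/*
 * Scenario 2 (cred keyed): A is denied CAP_NET_ADMIN at t=0; B is denied
 * CAP_SYS_ADMIN at t=100 ms, which makes B's cred the cached key; B is then
 * denied CAP_NET_ADMIN at t=200 ms. Without clearing on key change, A's stale
 * expiration for CAP_NET_ADMIN suppresses B's first denial of that cap.
 */
static bool stale_entry_logged(bool clear_on_switch)
{
	struct audit_cache ent = { 0 };

	audit_cap_emits(&ent, DEDUP_BY_CRED, clear_on_switch, &worker_a, CAP_NET_ADMIN, 0);
	audit_cap_emits(&ent, DEDUP_BY_CRED, clear_on_switch, &worker_b, CAP_SYS_ADMIN, 100000000ULL);
	return audit_cap_emits(&ent, DEDUP_BY_CRED, clear_on_switch, &worker_b, CAP_NET_ADMIN, 200000000ULL);
}

int main(void)
{
	printf("profile-keyed: second process logged = %s\n",
	       second_process_logged(DEDUP_BY_PROFILE) ? "yes" : "no");
	printf("cred-keyed:    second process logged = %s\n",
	       second_process_logged(DEDUP_BY_CRED) ? "yes" : "no");
	printf("cred-keyed, stale table kept:    logged = %s\n",
	       stale_entry_logged(false) ? "yes" : "no");
	printf("cred-keyed, table cleared on key change: logged = %s\n",
	       stale_entry_logged(true) ? "yes" : "no");
	return 0;
}
```

The first scenario is the one the patch fixes: keyed on the profile, the second nginx worker's denial is swallowed because the first worker's timestamp is still fresh; keyed on the cred it is logged. The second scenario shows why a key change should also reset the table: a cred-keyed cache that keeps the old subject's expirations still drops the new subject's first message for any capability the old one was recently audited for.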