[apparmor] [RFC, PATCH 3/3] apparmor: Make the audit cap cache timeout a sysctl

Ryan Lee ryan.lee at canonical.com
Fri Sep 13 23:21:00 UTC 2024


Instead of hardcoding the Apparmor capability audit cache timeout, expose
it as a sysctl. This uses the helper introduced in the previous patch of
this series.

Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
 security/apparmor/capability.c         | 6 ++++--
 security/apparmor/include/capability.h | 2 ++
 security/apparmor/lsm.c                | 7 +++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 64005b3d0fcc..764b5dd93366 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -25,6 +25,8 @@
  */
 #include "capability_names.h"
 
+unsigned int audit_cap_cache_timeout_us = 100;
+
 struct aa_sfs_entry aa_sfs_entry_caps[] = {
 	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
 	AA_SFS_FILE_BOOLEAN("extended", 1),
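Review bot: The new global `audit_cap_cache_timeout_us` at the top of this hunk carries no comment, and the `/* 100 us */` explanation that sat on the removed constant is gone with it, so the unit and the fact that the value is now changed at runtime from the sysctl table in lsm.c are only implied by the name. A one-line header such as `/* Window (in microseconds) during which repeated capability audit records for the same profile/cap on a CPU are suppressed; tunable through the apparmor sysctl table in lsm.c. Default 100 us. */` would make the contract explicit. Since the variable is read on every `audit_caps()` call but written only via the sysctl, marking it `__read_mostly` is probably appropriate, though that depends on how the rest of this file treats its tunables. The `extern` added in the capability.h hunk has the same documentation gap and could carry the same sentence.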
@@ -68,12 +70,12 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,
 		      int cap, int error)
 {
-	const u64 AUDIT_CACHE_TIMEOUT_NS = 100*1000; /* 100 us */
 	u64 audit_cache_expiration;
 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
 						    typeof(*rules), list);
 	struct audit_cache *ent;
 	int type = AUDIT_APPARMOR_AUTO;
+	u64 audit_cap_cache_timeout_ns = 1000*(u64) audit_cap_cache_timeout_us;
 
 	ad->error = error;
 
@@ -95,7 +97,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
 
 	/* Do simple duplicate message elimination */
 	ent = &get_cpu_var(audit_cache);
-	audit_cache_expiration = ent->ktime_ns_last_audited[cap] + AUDIT_CACHE_TIMEOUT_NS;
+	audit_cache_expiration = ent->ktime_ns_last_audited[cap] + audit_cap_cache_timeout_ns;
 	if (profile == ent->profile && cap_raised(ent->caps, cap)
 			&& ktime_get_ns() <= audit_cache_expiration) {
 		put_cpu_var(audit_cache);
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 1ddcec2d1160..c38488b3fe00 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -34,6 +34,8 @@ struct aa_caps {
 	kernel_cap_t extended;
 };
 
+extern unsigned int audit_cap_cache_timeout_us;
+
 extern struct aa_sfs_entry aa_sfs_entry_caps[];
 
 kernel_cap_t aa_profile_capget(struct aa_profile *profile);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b9a92e500242..4af50bd3628a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2480,6 +2480,13 @@ static struct ctl_table apparmor_sysctl_table[] = {
 		.mode           = 0600,
 		.proc_handler   = apparmor_dointvec,
 	},
+	{
+		.procname       = "apparmor_audit_capability_dedup_timeout_us",
+		.data           = &audit_cap_cache_timeout_us,
+		.maxlen         = sizeof(unsigned int),
+		.mode           = 0644,
+		.proc_handler   = apparmor_can_read_douintvec,
+	},
 	{ }
 };
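Review bot: The new table entry accepts any `unsigned int`, so a write of a value near UINT_MAX stretches the dedup window to roughly 71 minutes, during which repeated denials of the same capability for the same profile on a CPU produce no audit record at all; for a knob that governs audit coverage, an explicit upper bound via `.extra1`/`.extra2` pointing at file-scope `static unsigned int` limits (values to be chosen) and a `proc_douintvec_minmax`-style handler would keep the tunable from becoming an audit-suppression switch. The entry also uses `.mode = 0644` while the preceding entry visible in the context uses `0600`; whether that is intended presumably depends on how `apparmor_can_read_douintvec` (introduced in the previous patch, not visible here) gates reads, and a short comment on the entry stating that intent would help. The units suffix in the procname is good; the RFC notes say the semantic type should be `u64`, and bounding the accepted range also makes the later `*1000` conversion in capability.c provably safe regardless of the storage type chosen.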
 
-- 
Major items I'm seeking input on (reason for RFC designation):
- Whether to hardcode the expiration offset or whether to expose it as a sysctl

Items to bikeshed before merging:
- Name for the sysctl
- Name for the static variable that the sysctl writes to
- Type for the sysctl variable
(I used unsigned int to match the int type for the other sysctls, but semantically this should be a u64)



