[apparmor] [PATCH] apparmor: audit_cap dedup based on subj_cred instead of profile

Ryan Lee ryan.lee at canonical.com
Wed Sep 25 18:30:11 UTC 2024


The previous audit_cap cache deduping was based on the profile that was
being audited. This could cause confusion due to the deduplication then
occurring across multiple processes, which could happen if multiple
instances of binaries matched the same profile attachment (and thus ran
under the same profile) or a profile was attached to a container and its
processes.

Instead, perform audit_cap deduping over ad->subj_cred, which ensures the
deduping only occurs across a single process, instead of across all
processes that match the current one's profile.

Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
 security/apparmor/capability.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 61d7ab4255b0..3729c7fc86f9 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -32,7 +32,7 @@ struct aa_sfs_entry aa_sfs_entry_caps[] = {
 };
 
 struct audit_cache {
-	struct aa_profile *profile;
+	const struct cred *ad_subj_cred;
 	/* Capabilities go from 0 to CAP_LAST_CAP */
 	u64 ktime_ns_expiration[CAP_LAST_CAP+1];
 };
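Review bot: the new member name `ad_subj_cred` carries the caller's variable name (`ad->subj_cred`) into the struct; `subj_cred` or simply `cred` would read better and match the naming of the surrounding code. Since the per-CPU entry now pins a `struct cred` (and everything it references, such as the user namespace and group info) until it is replaced, instead of a profile, a one-line comment stating that the field holds a counted reference that serves only as the dedup key would help the next reader, and the existing `/* Capabilities go from 0 to CAP_LAST_CAP */` comment shows the struct already takes such notes.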
@@ -95,14 +95,14 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
 	/* Do simple duplicate message elimination */
 	ent = &get_cpu_var(audit_cache);
 	/* If the capability was never raised the timestamp check would also catch that */
-	if (profile == ent->profile && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {
+	if (ad->subj_cred == ent->ad_subj_cred && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {
 		put_cpu_var(audit_cache);
 		if (COMPLAIN_MODE(profile))
 			return complain_error(error);
 		return error;
 	} else {
-		aa_put_profile(ent->profile);
-		ent->profile = aa_get_profile(profile);
+		put_cred(ent->ad_subj_cred);
+		ent->ad_subj_cred = get_cred(ad->subj_cred);
 		ent->ktime_ns_expiration[cap] = ktime_get_ns() + AUDIT_CACHE_TIMEOUT_NS;
 	}
 	put_cpu_var(audit_cache);
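Review bot: the pointer-equality test in `if (ad->subj_cred == ent->ad_subj_cred && ktime_get_ns() <= ...)` is only sound because the `else` branch takes a reference with `get_cred(ad->subj_cred)`, which stops the cached cred from being freed and its address reused for an unrelated cred while it sits in the cache; that is worth spelling out in the "simple duplicate message elimination" comment, since a reader may otherwise assume a raw pointer compare on a cred is enough. Two smaller points: the first use on each CPU runs `put_cred(ent->ad_subj_cred)` on the zero-initialised entry, which is fine only because `put_cred()` tolerates NULL, and a cred is shared by the threads of a process and replaced by `commit_creds()` on exec, setuid and similar, so the dedup window is one thread group until it changes credentials rather than literally "a single process" as the commit message puts it; stating that in the message would make the new semantics precise.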
-- 
2.43.0
The patch, as currently presented, depends on the patch "apparmor: add a
cache entr expiration time aging out capability audit cache"
(https://lists.ubuntu.com/archives/apparmor/2024-September/013368.html)
being applied first, but I can produce a version of this patch that applies
without that one if necessary.
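To make the behaviour change concrete, the following is an added user-space model of the per-CPU dedup cache described above; it is not AppArmor or kernel code. It replaces ktime_get_ns() with a fake clock, uses plain pointers where the kernel holds counted references, and the profile name, process ids, capability number and 1 s timeout are constructed values. It runs the same two-process scenario from the commit message under both keyings: keyed on the profile, the second process's denial is silently dropped; keyed on the cred, both are emitted, while repeated denials from one process are still collapsed within the window.

```c
/*
 * Model of a per-CPU capability audit dedup cache, keyed either by profile
 * (old behaviour) or by subject cred (new behaviour). Constructed example
 * for illustration only; not the kernel implementation.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_LAST_CAP 40
#define AUDIT_CACHE_TIMEOUT_NS (1000ULL * 1000 * 1000) /* 1 s, assumed */

struct profile { const char *name; };
struct cred    { int pid; const struct profile *profile; };

enum dedup_key { KEY_PROFILE, KEY_CRED };

struct audit_cache {
    const void *key;                         /* profile or cred, per mode */
    uint64_t ktime_ns_expiration[CAP_LAST_CAP + 1];
};

static uint64_t fake_now_ns;                 /* stands in for ktime_get_ns() */

/* Returns true if an audit record would be emitted, false if deduplicated. */
static bool audit_cap(struct audit_cache *ent, enum dedup_key mode,
                      const struct cred *subj, int cap)
{
    const void *key = (mode == KEY_PROFILE) ? (const void *)subj->profile
                                            : (const void *)subj;

    /* Same key and this cap's window still open: suppress the message. */
    if (key == ent->key && fake_now_ns <= ent->ktime_ns_expiration[cap])
        return false;

    /* Otherwise (re)arm the entry; the kernel also moves the reference here. */
    ent->key = key;
    ent->ktime_ns_expiration[cap] = fake_now_ns + AUDIT_CACHE_TIMEOUT_NS;
    return true;
}

/* Two distinct processes confined by the same profile trip the same cap
 * back-to-back on one CPU. Returns how many audit records survive. */
static int emitted_for_two_procs(enum dedup_key mode)
{
    struct profile p = { "usr.bin.foo" };    /* constructed */
    struct cred a = { 1001, &p }, b = { 1002, &p };
    struct audit_cache ent = { 0 };
    int cap = 12;                            /* constructed cap number */
    int n = 0;

    fake_now_ns = 1;
    n += audit_cap(&ent, mode, &a, cap);
    fake_now_ns += 1000;                     /* well inside the window */
    n += audit_cap(&ent, mode, &b, cap);
    return n;
}

/* One process: twice inside the window, then once after it has expired. */
static int emitted_for_one_proc(enum dedup_key mode)
{
    struct profile p = { "usr.bin.foo" };
    struct cred a = { 1001, &p };
    struct audit_cache ent = { 0 };
    int cap = 12;
    int n = 0;

    fake_now_ns = 1;
    n += audit_cap(&ent, mode, &a, cap);
    fake_now_ns += 1000;
    n += audit_cap(&ent, mode, &a, cap);     /* deduplicated */
    fake_now_ns += AUDIT_CACHE_TIMEOUT_NS;   /* past the expiration */
    n += audit_cap(&ent, mode, &a, cap);
    return n;
}

int main(void)
{
    printf("two procs, keyed on profile: %d emitted\n",
           emitted_for_two_procs(KEY_PROFILE));
    printf("two procs, keyed on cred:    %d emitted\n",
           emitted_for_two_procs(KEY_CRED));
    printf("one proc,  keyed on profile: %d emitted\n",
           emitted_for_one_proc(KEY_PROFILE));
    printf("one proc,  keyed on cred:    %d emitted\n",
           emitted_for_one_proc(KEY_CRED));
    return 0;
}
```

The model keeps the kernel's structure of one key per entry plus a per-capability expiration, so it also shows that the dedup key is only compared against the most recent subject on that CPU: interleaving two subjects defeats the cache entirely under either keying, which is why the kernel code accepts some duplicates rather than tracking every subject.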