authorRyan Lee <ryan.lee@canonical.com>2024-09-25 20:30:11 +0200
committerJohn Johansen <john.johansen@canonical.com>2024-11-27 04:21:06 +0100
commit74a96bbe1294b0a118e173ce20f60f5838aabaed (patch)
tree3bf914b8ff35d29f957f3c57fb4f35380b8a8306 /security
parentapparmor: add a cache entry expiration time aging out capability audit cache (diff)
apparmor: audit_cap dedup based on subj_cred instead of profile
The previous audit_cap cache deduping was based on the profile that was being audited. This could cause confusion due to the deduplication then occurring across multiple processes, which could happen if multiple instances of binaries matched the same profile attachment (and thus ran under the same profile) or a profile was attached to a container and its processes. Instead, perform audit_cap deduping over ad->subj_cred, which ensures the deduping only occurs across a single process, instead of across all processes that match the current one's profile. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/capability.c10
1 files changed, 4 insertions, 6 deletions
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index bbdc092f8c35..7ca489ee1054 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -31,7 +31,7 @@ struct aa_sfs_entry aa_sfs_entry_caps[] = {
};
struct audit_cache {
- struct aa_profile *profile;
+ const struct cred *ad_subj_cred;
/* Capabilities go from 0 to CAP_LAST_CAP */
u64 ktime_ns_expiration[CAP_LAST_CAP+1];
};
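Review bot: The new `ad_subj_cred` member holds a counted reference — audit_caps() refreshes it with get_cred()/put_cred() — but nothing at the declaration says so, so a reader of the struct alone cannot tell whether the pointer is owned or merely borrowed for comparison. A comment such as `/* counted ref taken with get_cred(); released with put_cred() when the entry is refreshed */` above the field would record that, ideally together with the expectation that the per-cpu entry starts out NULL (so the first put_cred() is presumably a no-op — confirm).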
@@ -94,16 +94,14 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
/* Do simple duplicate message elimination */
ent = &get_cpu_var(audit_cache);
/* If the capability was never raised the timestamp check would also catch that */
- if (profile == ent->profile && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {
+ if (ad->subj_cred == ent->ad_subj_cred && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {
put_cpu_var(audit_cache);
if (COMPLAIN_MODE(profile))
return complain_error(error);
return error;
} else {
- aa_put_profile(ent->profile);
- if (profile != ent->profile)
- cap_clear(ent->caps);
- ent->profile = aa_get_profile(profile);
+ put_cred(ent->ad_subj_cred);
+ ent->ad_subj_cred = get_cred(ad->subj_cred);
ent->ktime_ns_expiration[cap] = ktime_get_ns() + AUDIT_CACHE_TIMEOUT_NS;
}
put_cpu_var(audit_cache);
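Review bot: When the cached cred differs from ad->subj_cred, the else branch at the `put_cred`/`get_cred` lines swaps the owner but leaves every other slot of ent->ktime_ns_expiration[] as the previous cred left it, whereas the removed code cleared the cap set whenever the profile changed. A capability the new owner has never raised can then match a not-yet-expired timestamp inherited from an unrelated process on the same CPU, and that audit message is silently dropped — the cross-process deduplication this commit sets out to remove. Clearing the timestamps on an owner change keeps suppression strictly per cred: `if (ad->subj_cred != ent->ad_subj_cred)` / `memset(ent->ktime_ns_expiration, 0, sizeof(ent->ktime_ns_expiration));` placed before the get_cred() assignment. The same branch also relies on put_cred() tolerating the NULL the entry presumably starts with; a one-line comment there would make that dependency explicit. audit_caps() begins before this hunk and continues past it.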