linux.git/security/apparmor/capability.c, branch v6.18.21 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git apparmor: transition from a list of rules to a vector of rules 2025-07-20T09:31:06+00:00 John Johansen john.johansen@canonical.com 2025-02-17T09:46:37+00:00 9afdc6abb007d5a86f54e9f10870ac1468155ca5 The set of rules on a profile is not dynamically extended, instead if a new ruleset is needed a new version of the profile is created. This allows us to use a vector of rules instead of a list, slightly reducing memory usage and simplifying the code. Signed-off-by: John Johansen <john.johansen@canonical.com> 
The set of rules on a profile is not dynamically extended, instead
if a new ruleset is needed a new version of the profile is created.
This allows us to use a vector of rules instead of a list, slightly
reducing memory usage and simplifying the code.

Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: add ability to mediate caps with policy state machine 2025-01-18T14:47:12+00:00 John Johansen john.johansen@canonical.com 2024-01-04T17:00:49+00:00 ce9e3b3fa25a239f5c80989a1d05719bb2793fd4 Currently the caps encoding is very limited and can't be used with conditionals. Allow capabilities to be mediated by the state machine. This will allow us to add conditionals to capabilities that aren't possible with the current encoding. This patch only adds support for using the state machine and retains the old encoding lookup as part of the runtime mediation code to support older policy abis. A follow on patch will move backwards compatibility to a mapping function done at policy load time. Signed-off-by: John Johansen <john.johansen@canonical.com> 
Currently the caps encoding is very limited and can't be used with
conditionals. Allow capabilities to be mediated by the state
machine. This will allow us to add conditionals to capabilities that
aren't possible with the current encoding.

This patch only adds support for using the state machine and retains
the old encoding lookup as part of the runtime mediation code to
support older policy abis. A follow on patch will move backwards
compatibility to a mapping function done at policy load time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: audit_cap dedup based on subj_cred instead of profile 2024-11-27T03:21:06+00:00 Ryan Lee ryan.lee@canonical.com 2024-09-25T18:30:11+00:00 74a96bbe1294b0a118e173ce20f60f5838aabaed The previous audit_cap cache deduping was based on the profile that was being audited. This could cause confusion due to the deduplication then occurring across multiple processes, which could happen if multiple instances of binaries matched the same profile attachment (and thus ran under the same profile) or a profile was attached to a container and its processes. Instead, perform audit_cap deduping over ad->subj_cred, which ensures the deduping only occurs across a single process, instead of across all processes that match the current one's profile. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
The previous audit_cap cache deduping was based on the profile that was
being audited. This could cause confusion due to the deduplication then
occurring across multiple processes, which could happen if multiple
instances of binaries matched the same profile attachment (and thus ran
under the same profile) or a profile was attached to a container and its
processes.

Instead, perform audit_cap deduping over ad->subj_cred, which ensures the
deduping only occurs across a single process, instead of across all
processes that match the current one's profile.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: add a cache entry expiration time aging out capability audit cache 2024-11-27T03:21:06+00:00 Ryan Lee ryan.lee@canonical.com 2024-09-20T19:53:15+00:00 fee7a2340f18f48713a4ac7dd5e42b77d963062f When auditing capabilities, AppArmor uses a per-CPU, per-profile cache such that the same capability for the same profile doesn't get repeatedly audited, with the original goal of reducing audit logspam. However, this cache does not have an expiration time, resulting in confusion when a profile is shared across binaries (for example) and an expected DENIED audit entry doesn't appear, despite the cache entry having been populated much longer ago. This confusion was exacerbated by the per-CPU nature of the cache resulting in the expected entries sporadically appearing when the later denial+audit occurred on a different CPU. To resolve this, record the last time a capability was audited for a profile and add a timestamp expiration check before doing the audit. v1 -> v2: - Hardcode a longer timeout and drop the patches making it a sysctl, after discussion with John Johansen. - Cache the expiration time instead of the last-audited time. This value can never be zero, which lets us drop the kernel_cap_t caps field from the cache struct. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
When auditing capabilities, AppArmor uses a per-CPU, per-profile cache
such that the same capability for the same profile doesn't get repeatedly
audited, with the original goal of reducing audit logspam. However, this
cache does not have an expiration time, resulting in confusion when a
profile is shared across binaries (for example) and an expected DENIED
audit entry doesn't appear, despite the cache entry having been populated
much longer ago. This confusion was exacerbated by the per-CPU nature of
the cache resulting in the expected entries sporadically appearing when
the later denial+audit occurred on a different CPU.

To resolve this, record the last time a capability was audited for a
profile and add a timestamp expiration check before doing the audit.

v1 -> v2:
 - Hardcode a longer timeout and drop the patches making it a sysctl,
   after discussion with John Johansen.
 - Cache the expiration time instead of the last-audited time. This value
   can never be zero, which lets us drop the kernel_cap_t caps field from
   the cache struct.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: document capability.c:profile_capable ad ptr not being NULL 2024-11-27T03:21:06+00:00 Ryan Lee ryan.lee@canonical.com 2024-09-25T00:56:05+00:00 8532503eac69c65182939d2aefc6d01c9f421a46 The profile_capabile function takes a struct apparmor_audit_data *ad, which is documented as possibly being NULL. However, the single place that calls this function never passes it a NULL ad. If we were ever to call profile_capable with a NULL ad elsewhere, we would need to rework the function, as its very first use of ad is to dereference ad->class without checking if ad is NULL. Thus, document profile_capable's ad parameter as not accepting NULL. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
The profile_capabile function takes a struct apparmor_audit_data *ad,
which is documented as possibly being NULL. However, the single place that
calls this function never passes it a NULL ad. If we were ever to call
profile_capable with a NULL ad elsewhere, we would need to rework the
function, as its very first use of ad is to dereference ad->class without
checking if ad is NULL.

Thus, document profile_capable's ad parameter as not accepting NULL.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix 'Do simple duplicate message elimination' 2024-11-27T03:21:05+00:00 chao liu liuzgyid@outlook.com 2023-06-27T02:03:16+00:00 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a Multiple profiles shared 'ent->caps', so some logs missed. Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects") Signed-off-by: chao liu <liuzgyid@outlook.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
Multiple profiles shared 'ent->caps', so some logs missed.

Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
Signed-off-by: chao liu <liuzgyid@outlook.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: Fix some kernel-doc comments 2023-10-23T07:25:49+00:00 Yang Li yang.lee@linux.alibaba.com 2023-10-23T00:55:17+00:00 6a81051398bc3fa84199fc701b94aadc37da1684 Fix some kernel-doc comments to silence the warnings: security/apparmor/capability.c:66: warning: Function parameter or member 'ad' not described in 'audit_caps' security/apparmor/capability.c:66: warning: Excess function parameter 'as' description in 'audit_caps' security/apparmor/capability.c:154: warning: Function parameter or member 'subj_cred' not described in 'aa_capable' security/apparmor/capability.c:154: warning: Excess function parameter 'subj_cread' description in 'aa_capable' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7035 Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
Fix some kernel-doc comments to silence the warnings:
security/apparmor/capability.c:66: warning: Function parameter or member 'ad' not described in 'audit_caps'
security/apparmor/capability.c:66: warning: Excess function parameter 'as' description in 'audit_caps'
security/apparmor/capability.c:154: warning: Function parameter or member 'subj_cred' not described in 'aa_capable'
security/apparmor/capability.c:154: warning: Excess function parameter 'subj_cread' description in 'aa_capable'

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7035
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: pass cred through to audit info. 2023-10-18T22:30:38+00:00 John Johansen john.johansen@canonical.com 2022-09-20T03:48:48+00:00 90c436a64a6e20482a9a613c47eb4af2e8a5328e The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: combine common_audit_data and apparmor_audit_data 2023-10-18T22:30:29+00:00 John Johansen john.johansen@canonical.com 2022-09-14T07:20:12+00:00 bd7bd201ca46c211c3ab251ca9854787d1331a2f Everywhere where common_audit_data is used apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: Fix kernel-doc warnings in apparmor/capability.c 2023-07-10T08:05:41+00:00 Gaosheng Cui cuigaosheng1@huawei.com 2023-06-25T01:13:40+00:00 c98c8972feb3bdf2e197e63403305176217c78a7 Fix kernel-doc warnings: security/apparmor/capability.c:45: warning: Function parameter or member 'ab' not described in 'audit_cb' security/apparmor/capability.c:45: warning: Function parameter or member 'va' not described in 'audit_cb' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
Fix kernel-doc warnings:

security/apparmor/capability.c:45: warning: Function parameter
or member 'ab' not described in 'audit_cb'
security/apparmor/capability.c:45: warning: Function parameter
or member 'va' not described in 'audit_cb'

Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>