apparmor: audit_cap dedup based on subj_cred instead of profile

The previous audit_cap cache deduping was based on the profile that was
being audited. This could cause confusion due to the deduplica

apparmor: audit_cap dedup based on subj_cred instead of profile

The previous audit_cap cache deduping was based on the profile that was
being audited. This could cause confusion due to the deduplication then
occurring across multiple processes, which could happen if multiple
instances of binaries matched the same profile attachment (and thus ran
under the same profile) or a profile was attached to a container and its
processes.

Instead, perform audit_cap deduping over ad->subj_cred, which ensures the
deduping only occurs across a single process, instead of across all
processes that match the current one's profile.

Signed-off-by: Ryan Lee <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: add a cache entry expiration time aging out capability audit cache

When auditing capabilities, AppArmor uses a per-CPU, per-profile cache
such that the same capability for the same profile

apparmor: add a cache entry expiration time aging out capability audit cache

When auditing capabilities, AppArmor uses a per-CPU, per-profile cache
such that the same capability for the same profile doesn't get repeatedly
audited, with the original goal of reducing audit logspam. However, this
cache does not have an expiration time, resulting in confusion when a
profile is shared across binaries (for example) and an expected DENIED
audit entry doesn't appear, despite the cache entry having been populated
much longer ago. This confusion was exacerbated by the per-CPU nature of
the cache resulting in the expected entries sporadically appearing when
the later denial+audit occurred on a different CPU.

To resolve this, record the last time a capability was audited for a
profile and add a timestamp expiration check before doing the audit.

v1 -> v2:
- Hardcode a longer timeout and drop the patches making it a sysctl,
after discussion with John Johansen.
- Cache the expiration time instead of the last-audited time. This value
can never be zero, which lets us drop the kernel_cap_t caps field from
the cache struct.

Signed-off-by: Ryan Lee <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: document capability.c:profile_capable ad ptr not being NULL

The profile_capabile function takes a struct apparmor_audit_data *ad,
which is documented as possibly being NULL. However, the s

apparmor: document capability.c:profile_capable ad ptr not being NULL

The profile_capabile function takes a struct apparmor_audit_data *ad,
which is documented as possibly being NULL. However, the single place that
calls this function never passes it a NULL ad. If we were ever to call
profile_capable with a NULL ad elsewhere, we would need to rework the
function, as its very first use of ad is to dereference ad->class without
checking if ad is NULL.

Thus, document profile_capable's ad parameter as not accepting NULL.

Signed-off-by: Ryan Lee <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: fix 'Do simple duplicate message elimination'

Multiple profiles shared 'ent->caps', so some logs missed.

Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
Signed-off-by: cha

apparmor: fix 'Do simple duplicate message elimination'

Multiple profiles shared 'ent->caps', so some logs missed.

Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
Signed-off-by: chao liu <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Fix some kernel-doc comments

Fix some kernel-doc comments to silence the warnings:
security/apparmor/capability.c:66: warning: Function parameter or member 'ad' not described in 'audit_cap

apparmor: Fix some kernel-doc comments

Fix some kernel-doc comments to silence the warnings:
security/apparmor/capability.c:66: warning: Function parameter or member 'ad' not described in 'audit_caps'
security/apparmor/capability.c:66: warning: Excess function parameter 'as' description in 'audit_caps'
security/apparmor/capability.c:154: warning: Function parameter or member 'subj_cred' not described in 'aa_capable'
security/apparmor/capability.c:154: warning: Excess function parameter 'subj_cread' description in 'aa_capable'

Reported-by: Abaci Robot <[email protected]>
Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7035
Signed-off-by: Yang Li <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: pass cred through to audit info.

The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmo

apparmor: pass cred through to audit info.

The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.

Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: combine common_audit_data and apparmor_audit_data

Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
ev

apparmor: combine common_audit_data and apparmor_audit_data

Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Fix kernel-doc warnings in apparmor/capability.c

Fix kernel-doc warnings:

security/apparmor/capability.c:45: warning: Function parameter
or member 'ab' not described in 'audit_cb'
securit

apparmor: Fix kernel-doc warnings in apparmor/capability.c

Fix kernel-doc warnings:

security/apparmor/capability.c:45: warning: Function parameter
or member 'ab' not described in 'audit_cb'
security/apparmor/capability.c:45: warning: Function parameter
or member 'va' not described in 'audit_cb'

Signed-off-by: Gaosheng Cui <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: rework profile->rules to be a list

Convert profile->rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item.

apparmor: rework profile->rules to be a list

Convert profile->rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item. The logic for iterating the list will come as a
separate step.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: refactor profile rules and attachments

In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile refactor

apparmor: refactor profile rules and attachments

In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile refactor attachment information and ruleset info into their
own structures.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: add mediation class information to auditing

Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer

apparmor: add mediation class information to auditing

Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediatin class to the messages.

Signed-off-by: John Johansen <[email protected]>

show more ...

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of th

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation version 2 of the license

extracted by the scancode license scanner the SPDX license identifier

GPL-2.0-only

has been chosen to replace the boilerplate/reference in 315 file(s).

Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Allison Randal <[email protected]>
Reviewed-by: Armijn Hemel <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

show more ...

LSM: generalize flag passing to security_capable

This patch provides a general mechanism for passing flags to the
security_capable LSM hook. It replaces the specific 'audit' flag that is
used to tel

LSM: generalize flag passing to security_capable

This patch provides a general mechanism for passing flags to the
security_capable LSM hook. It replaces the specific 'audit' flag that is
used to tell security_capable whether it should log an audit message for
the given capability check. The reason for generalizing this flag
passing is so we can add an additional flag that signifies whether
security_capable is being called by a setid syscall (which is needed by
the proposed SafeSetID LSM).

Signed-off-by: Micah Morton <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>

show more ...

apparmor: move context.h to cred.h

Now that file contexts have been moved into file, and task context
fns() and data have been split from the context, only the cred context
remains in context.h so r

apparmor: move context.h to cred.h

Now that file contexts have been moved into file, and task context
fns() and data have been split from the context, only the cred context
remains in context.h so rename to cred.h to better reflect what it
deals with.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: move capability checks to using labels

Signed-off-by: John Johansen <[email protected]>

apparmor: rename apparmor file fns and data to indicate use

prefixes are used for fns/data that are not static to apparmorfs.c
with the prefixes being
aafs - special magic apparmorfs for policy

apparmor: rename apparmor file fns and data to indicate use

prefixes are used for fns/data that are not static to apparmorfs.c
with the prefixes being
aafs - special magic apparmorfs for policy namespace data
aa_sfs - for fns/data that go into securityfs
aa_fs - for fns/data that may be used in the either of aafs or
securityfs

Signed-off-by: John Johansen <[email protected]>
Reviewed-by: Seth Arnold <[email protected]>
Reviewed-by: Kees Cook <[email protected]>

show more ...

apparmor: update cap audit to check SECURITY_CAP_NOAUDIT

apparmor should be checking the SECURITY_CAP_NOAUDIT constant. Also
in complain mode make it so apparmor can elect to log a message,
informin

apparmor: update cap audit to check SECURITY_CAP_NOAUDIT

apparmor should be checking the SECURITY_CAP_NOAUDIT constant. Also
in complain mode make it so apparmor can elect to log a message,
informing of the check.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: change aad apparmor_audit_data macro to a fn macro

The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.

Also at the

apparmor: change aad apparmor_audit_data macro to a fn macro

The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.

Also at the same time cleanup audit_data initialization by putting
common boiler plate behind a macro, and dropping the gfp_t parameter
which will become useless.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: fix capability to not use the current task, during reporting

Mediation is based off of the cred but auditing includes the current
task which may not be related to the actual request.

Sign

apparmor: fix capability to not use the current task, during reporting

Mediation is based off of the cred but auditing includes the current
task which may not be related to the actual request.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: export set of capabilities supported by the apparmor module

Signed-off-by: John Johansen <[email protected]>
Acked-by: Seth Arnold <[email protected]>

LSM: do not initialize common_audit_data to 0

It isn't needed. If you don't set the type of the data associated with
that type it is a pretty obvious programming bug. So why waste the cycles?

Sig

LSM: do not initialize common_audit_data to 0

It isn't needed. If you don't set the type of the data associated with
that type it is a pretty obvious programming bug. So why waste the cycles?

Signed-off-by: Eric Paris <[email protected]>

show more ...

apparmor: move task from common_audit_data to apparmor_audit_data

apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa u

apparmor: move task from common_audit_data to apparmor_audit_data

apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.

Signed-off-by: Eric Paris <[email protected]>

show more ...

LSM: remove the COMMON_AUDIT_DATA_INIT type expansion

Just open code it so grep on the source code works better.

Signed-off-by: Eric Paris <[email protected]>

LSM: shrink sizeof LSM specific portion of common_audit_data

Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. Th

LSM: shrink sizeof LSM specific portion of common_audit_data

Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.

Signed-off-by: Eric Paris <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

show more ...

AppArmor: mediation of non file objects

ipc:
AppArmor ipc is currently limited to mediation done by file mediation
and basic ptrace tests. Improved mediation is a wip.

rlimits:
AppArmor provides b

AppArmor: mediation of non file objects

ipc:
AppArmor ipc is currently limited to mediation done by file mediation
and basic ptrace tests. Improved mediation is a wip.

rlimits:
AppArmor provides basic abilities to set and control rlimits at
a per profile level. Only resources specified in a profile are controled
or set. AppArmor rules set the hard limit to a value <= to the current
hard limit (ie. they can not currently raise hard limits), and if
necessary will lower the soft limit to the new hard limit value.

AppArmor does not track resource limits to reset them when a profile
is left so that children processes inherit the limits set by the
parent even if they are not confined by the same profile.

Capabilities: AppArmor provides a per profile mask of capabilities,
that will further restrict.

Signed-off-by: John Johansen <[email protected]>
Signed-off-by: James Morris <[email protected]>

show more ...