tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

apparmor: audit_cap dedup based on subj_cred instead of profile

The previous audit_cap cache deduping was based on the profile that was
being audited. This could cause confusion due to the deduplication then
occurring across multiple processes, which could happen if multiple
instances of binaries matched the same profile attachment (and thus ran
under the same profile) or a profile was attached to a container and its
processes.

Instead, perform audit_cap deduping over ad->subj_cred, which ensures the
deduping only occurs across a single process, instead of across all
processes that match the current one's profile.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by

Ryan Lee and committed by
John Johansen 74a96bbe fee7a234

+4 -6
+4 -6
security/apparmor/capability.c
··· 31 31 }; 32 32 33 33 struct audit_cache { 34 - struct aa_profile *profile; 34 + const struct cred *ad_subj_cred; 35 35 /* Capabilities go from 0 to CAP_LAST_CAP */ 36 36 u64 ktime_ns_expiration[CAP_LAST_CAP+1]; 37 37 }; ··· 94 94 /* Do simple duplicate message elimination */ 95 95 ent = &get_cpu_var(audit_cache); 96 96 /* If the capability was never raised the timestamp check would also catch that */ 97 - if (profile == ent->profile && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) { 97 + if (ad->subj_cred == ent->ad_subj_cred && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) { 98 98 put_cpu_var(audit_cache); 99 99 if (COMPLAIN_MODE(profile)) 100 100 return complain_error(error); 101 101 return error; 102 102 } else { 103 - aa_put_profile(ent->profile); 104 - if (profile != ent->profile) 105 - cap_clear(ent->caps); 106 - ent->profile = aa_get_profile(profile); 103 + put_cred(ent->ad_subj_cred); 104 + ent->ad_subj_cred = get_cred(ad->subj_cred); 107 105 ent->ktime_ns_expiration[cap] = ktime_get_ns() + AUDIT_CACHE_TIMEOUT_NS; 108 106 } 109 107 put_cpu_var(audit_cache);