| Message ID | 20230511142535.732324-1-cgzones@googlemail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:6358:3046:b0:115:7a1d:dabb with SMTP id p6csp4478812rwl;
Thu, 11 May 2023 07:28:22 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ4kW2TDbCevbxy/wcp9XTG/BpoaDloJVv6T8+OrMUsRCSRDYc92E0gNVw9tw+GasssJf/0d
X-Received: by 2002:a17:902:ea0f:b0:1a6:846f:90cb with SMTP id
s15-20020a170902ea0f00b001a6846f90cbmr34238168plg.11.1683815301794;
Thu, 11 May 2023 07:28:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683815301; cv=none;
d=google.com; s=arc-20160816;
b=yk5e5rHIjTlxWLBcDC3yfVegPqqwiJ/p22jcNwKJjmKsdnde3A1nfyCbjLIBXQ4+rS
/iuUR0KtrNa5ZcIq7TPBh3oae+SOX2QmCSlTEYCdrW6PQbLbzVK4nZ5nkCfp3rKzB8Yr
tPDGJuE0nCMk5YUY1APHKc23Q+TWt0Ico5LD3tkWIzaEKpOkVQz3EsHZVUSiW2ABhJzt
vorYpJsxDnxps5KsmSKr4SvtIFE3VhlAiV9mu7EoG/QCmsbJOy/sBvsxrwBewWdw6w8v
GPyP4yRZf0tQGkHGGEw+d4rQgjOQPQkNrYL0p9sCjlMOCImY4C6y6SVr7g90gmrqV770
nxug==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=FfHvJaE373FwPkBo+MbvKKH9vrJm6j2m01pppMLR2Fs=;
b=ghvaoPeV0ZHwMo02ddShHH0BqjpHpzxrb4dGjgaKK5JM9orTCSsHGoVTNn80aVr8Yf
ANVPvt15G5jy7ejn9bLtCpTUmHV03gzPI3ejHPrQ+0QH/7OCBDtJ5LaYBqL83yUr7NUY
fK3BZ+OhNMy8x5eqp0vmLoJGotLytpMHNIUokPEOiRaymIJcQMly1kBulOil0Bd1Z4Hy
0Lgki1g7mGZWQfjMpCTTTb1MOHYPTiGly6dAVeUMchjNGfF6dKywTRqrAwrs2bKY6J8D
XcJqLs8+Q2PwGMR0d68hZAUHUqQuroGKZbSN3SYugq8UBxh+TUZXXfvVwWyS+crvpX+7
J7yQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@googlemail.com header.s=20221208 header.b=n9Y7Em7S;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE)
header.from=googlemail.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k7-20020a635607000000b0052cb36e0bfdsi6640583pgb.429.2023.05.11.07.28.07;
Thu, 11 May 2023 07:28:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@googlemail.com header.s=20221208 header.b=n9Y7Em7S;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE)
header.from=googlemail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S238415AbjEKO06 (ORCPT <rfc822;peekingduck44@gmail.com>
+ 99 others); Thu, 11 May 2023 10:26:58 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46574 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S238459AbjEKO0n (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 11 May 2023 10:26:43 -0400
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com
[IPv6:2a00:1450:4864:20::52e])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D8CF11600;
Thu, 11 May 2023 07:26:32 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id
4fb4d7f45d1cf-50b383222f7so12957097a12.3;
Thu, 11 May 2023 07:26:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlemail.com; s=20221208; t=1683815191; x=1686407191;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=FfHvJaE373FwPkBo+MbvKKH9vrJm6j2m01pppMLR2Fs=;
b=n9Y7Em7SkB9orYrAbcCUvQXxkKi727MiQdFajf4HlIYSHX2PG9dMO34uyKqJrZ5cit
i4+wO58Ror05WSxbokgiqseHvrBbqqie2cxX7KTFU071x1BQhSh+2dEnOHgunVWzaPOO
IQvNEKYfRGf05i3DNDX88Njr55+onoL6F2nnpPjanz16zRSjfQdZj6yyRVqiQrzImILd
Z/OWXk2gkmISUByuBUlZnuNGfbmO4N9WHTkesGj3dEgnTkcJmbXkIqjAHdpjSzgn8YLm
wTv3jqTgBm+oKURueLWtI94wjqxO2TmC1YXk9er+4EojpU1xst3Cr6Jg+XEtf2oScBgM
odyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1683815191; x=1686407191;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=FfHvJaE373FwPkBo+MbvKKH9vrJm6j2m01pppMLR2Fs=;
b=l9eaLf5Zu+DvpscGeB6yQrBViffhtwaRVI2YX+Izny+pezvhT7zBj7pmBFtBYB70Wv
ylUFhwVfCbdk9rX7V04m/N8747AoAPf56lfzUXxh7YHY4pCZHz1crkyu0G00CxbjlFDJ
emgTYKddD4GXNssnFQbvfxw/OJWi5kLEjK6PGVdhtMdL403gvIWPgtJKZrFHmWRJx/j8
k8F3NoCB7lraMg6c3mT3+LXw3Sm6LS9Leeu1Pyt2nBsOtLLAYZiUgYWpFUrp7Bs3OLZJ
Ml1PlDcLplxvu8hq3lNEzdtcYa74mpebOf3G+Pf/HyHDCJDqQeWiNSfR961IPz/V5+tW
+hQw==
X-Gm-Message-State: AC+VfDwOa1LydRGbHSNmP9YW/CWzf+wGyU4ycosvmVHI5oGQk6vEvnS9
JnN2bmQgW63dq797dKEos36qjCx6TMY9og==
X-Received: by 2002:a17:907:a46:b0:94f:2b80:f3b4 with SMTP id
be6-20020a1709070a4600b0094f2b80f3b4mr17315061ejc.69.1683815190662;
Thu, 11 May 2023 07:26:30 -0700 (PDT)
Received: from debianHome.localdomain
(dynamic-077-008-180-228.77.8.pool.telefonica.de. [77.8.180.228])
by smtp.gmail.com with ESMTPSA id
hf15-20020a1709072c4f00b0094f58a85bc5sm4056647ejc.180.2023.05.11.07.26.28
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 11 May 2023 07:26:29 -0700 (PDT)
From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
John Johansen <john.johansen@canonical.com>,
James Morris <jmorris@namei.org>, "Serge E. Hallyn" <serge@hallyn.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>, Christian Brauner <brauner@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>, Dave Chinner <dchinner@redhat.com>,
Nathan Lynch <nathanl@linux.ibm.com>, Al Viro <viro@zeniv.linux.org.uk>,
Roberto Sassu <roberto.sassu@huawei.com>,
Micah Morton <mortonm@chromium.org>, Frederick Lawler <fred@cloudflare.com>,
=?utf-8?q?G=C3=BCnther_Noack?= <gnoack3000@gmail.com>,
linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com,
linux-security-module@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH v4 1/9] capability: introduce new capable flag NODENYAUDIT
Date: Thu, 11 May 2023 16:25:24 +0200
Message-Id: <20230511142535.732324-1-cgzones@googlemail.com>
X-Mailer: git-send-email 2.40.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1765608313788879084?=
X-GMAIL-MSGID: =?utf-8?q?1765608313788879084?=
|
| Series |
[v4,1/9] capability: introduce new capable flag NODENYAUDIT
|
|
Commit Message
Christian Göttsche
May 11, 2023, 2:25 p.m. UTC
Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate
an audit event if the requested capability is not granted. This will be
used in a new capable_any() functionality to reduce the number of
necessary capable calls.
Handle the flag accordingly in AppArmor and SELinux.
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
include/linux/security.h | 2 ++
security/apparmor/capability.c | 8 +++++---
security/selinux/hooks.c | 14 ++++++++------
3 files changed, 15 insertions(+), 9 deletions(-)
Comments
On Thu, May 11, 2023 at 04:25:24PM +0200, Christian Göttsche wrote: > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > an audit event if the requested capability is not granted. This will be > used in a new capable_any() functionality to reduce the number of > necessary capable calls. > > Handle the flag accordingly in AppArmor and SELinux. > > Suggested-by: Paul Moore <paul@paul-moore.com> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> > --- > include/linux/security.h | 2 ++ > security/apparmor/capability.c | 8 +++++--- > security/selinux/hooks.c | 14 ++++++++------ > 3 files changed, 15 insertions(+), 9 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index e2734e9e44d5..629c775ec297 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -67,6 +67,8 @@ struct watch_notification; > #define CAP_OPT_NOAUDIT BIT(1) > /* If capable is being called by a setid function */ > #define CAP_OPT_INSETID BIT(2) > +/* If capable should audit the security request for authorized requests only */ > +#define CAP_OPT_NODENYAUDIT BIT(3) > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > #define SECURITY_LSM_NATIVE_LABELS 1 > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > index 326a51838ef2..98120dd62ca7 100644 > --- a/security/apparmor/capability.c > +++ b/security/apparmor/capability.c > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, > * profile_capable - test if profile allows use of capability @cap > * @profile: profile being enforced (NOT NULL, NOT unconfined) > * @cap: capability to test if allowed > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > + * record is generated > * @sa: audit data (MAY BE NULL indicating no auditing) > * > * Returns: 0 if allowed else -EPERM > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > else > error = -EPERM; > > - if (opts & CAP_OPT_NOAUDIT) { > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { > if (!COMPLAIN_MODE(profile)) > return error; > /* audit the cap request in complain mode but note that it > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > * aa_capable - test permission to use capability > * @label: label being tested for capability (NOT NULL) > * @cap: capability to be tested > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > + * record is generated > * > * Look up capability in profile capability set. > * > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 79b4890e9936..0730edf2f5f1 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, > u16 sclass; > u32 sid = cred_sid(cred); > u32 av = CAP_TO_MASK(cap); > - int rc; > + int rc, rc2; > > ad.type = LSM_AUDIT_DATA_CAP; > ad.u.cap = cap; > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, > } > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > - if (!(opts & CAP_OPT_NOAUDIT)) { > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > - if (rc2) > - return rc2; > - } > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) > + return rc; Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc == 0, then you will audit the allow. Is that what you want, or did you want, or did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > + > + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > + if (rc2) > + return rc2; > + > return rc; > } > > -- > 2.40.1
On Wed, May 31, 2023 at 09:07:34AM -0500, Serge E. Hallyn wrote: > On Thu, May 11, 2023 at 04:25:24PM +0200, Christian Göttsche wrote: > > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > > an audit event if the requested capability is not granted. This will be > > used in a new capable_any() functionality to reduce the number of > > necessary capable calls. > > > > Handle the flag accordingly in AppArmor and SELinux. > > > > Suggested-by: Paul Moore <paul@paul-moore.com> > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Reviewed-by: Serge Hallyn <serge@hallyn.com> Sorry, obviously I should have removed this, until the comment below was answered :) > > --- > > include/linux/security.h | 2 ++ > > security/apparmor/capability.c | 8 +++++--- > > security/selinux/hooks.c | 14 ++++++++------ > > 3 files changed, 15 insertions(+), 9 deletions(-) > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > index e2734e9e44d5..629c775ec297 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h > > @@ -67,6 +67,8 @@ struct watch_notification; > > #define CAP_OPT_NOAUDIT BIT(1) > > /* If capable is being called by a setid function */ > > #define CAP_OPT_INSETID BIT(2) > > +/* If capable should audit the security request for authorized requests only */ > > +#define CAP_OPT_NODENYAUDIT BIT(3) > > > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > > #define SECURITY_LSM_NATIVE_LABELS 1 > > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > > index 326a51838ef2..98120dd62ca7 100644 > > --- a/security/apparmor/capability.c > > +++ b/security/apparmor/capability.c > > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, > > * profile_capable - test if profile allows use of capability @cap > > * @profile: profile being enforced (NOT NULL, NOT unconfined) > > * @cap: capability to test if allowed > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > + * record is generated > > * @sa: audit data (MAY BE NULL indicating no auditing) > > * > > * Returns: 0 if allowed else -EPERM > > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > > else > > error = -EPERM; > > > > - if (opts & CAP_OPT_NOAUDIT) { > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { > > if (!COMPLAIN_MODE(profile)) > > return error; > > /* audit the cap request in complain mode but note that it > > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > > * aa_capable - test permission to use capability > > * @label: label being tested for capability (NOT NULL) > > * @cap: capability to be tested > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > + * record is generated > > * > > * Look up capability in profile capability set. > > * > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index 79b4890e9936..0730edf2f5f1 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, > > u16 sclass; > > u32 sid = cred_sid(cred); > > u32 av = CAP_TO_MASK(cap); > > - int rc; > > + int rc, rc2; > > > > ad.type = LSM_AUDIT_DATA_CAP; > > ad.u.cap = cap; > > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, > > } > > > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > > - if (!(opts & CAP_OPT_NOAUDIT)) { > > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > - if (rc2) > > - return rc2; > > - } > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) > > + return rc; > > Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc == 0, then > you will audit the allow. Is that what you want, or did you want, or > did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > > > + > > + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > + if (rc2) > > + return rc2; > > + > > return rc; > > } > > > > -- > > 2.40.1
On Wed, 31 May 2023 at 16:08, Serge E. Hallyn <serge@hallyn.com> wrote: > > On Wed, May 31, 2023 at 09:07:34AM -0500, Serge E. Hallyn wrote: > > On Thu, May 11, 2023 at 04:25:24PM +0200, Christian Göttsche wrote: > > > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > > > an audit event if the requested capability is not granted. This will be > > > used in a new capable_any() functionality to reduce the number of > > > necessary capable calls. > > > > > > Handle the flag accordingly in AppArmor and SELinux. > > > > > > Suggested-by: Paul Moore <paul@paul-moore.com> > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > > > Reviewed-by: Serge Hallyn <serge@hallyn.com> > > Sorry, obviously I should have removed this, until the comment below was > answered :) > > > > --- > > > include/linux/security.h | 2 ++ > > > security/apparmor/capability.c | 8 +++++--- > > > security/selinux/hooks.c | 14 ++++++++------ > > > 3 files changed, 15 insertions(+), 9 deletions(-) > > > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > > index e2734e9e44d5..629c775ec297 100644 > > > --- a/include/linux/security.h > > > +++ b/include/linux/security.h > > > @@ -67,6 +67,8 @@ struct watch_notification; > > > #define CAP_OPT_NOAUDIT BIT(1) > > > /* If capable is being called by a setid function */ > > > #define CAP_OPT_INSETID BIT(2) > > > +/* If capable should audit the security request for authorized requests only */ > > > +#define CAP_OPT_NODENYAUDIT BIT(3) > > > > > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > > > #define SECURITY_LSM_NATIVE_LABELS 1 > > > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > > > index 326a51838ef2..98120dd62ca7 100644 > > > --- a/security/apparmor/capability.c > > > +++ b/security/apparmor/capability.c > > > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, > > > * profile_capable - test if profile allows use of capability @cap > > > * @profile: profile being enforced (NOT NULL, NOT unconfined) > > > * @cap: capability to test if allowed > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > > + * record is generated > > > * @sa: audit data (MAY BE NULL indicating no auditing) > > > * > > > * Returns: 0 if allowed else -EPERM > > > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > > > else > > > error = -EPERM; > > > > > > - if (opts & CAP_OPT_NOAUDIT) { > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { > > > if (!COMPLAIN_MODE(profile)) > > > return error; > > > /* audit the cap request in complain mode but note that it > > > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > > > * aa_capable - test permission to use capability > > > * @label: label being tested for capability (NOT NULL) > > > * @cap: capability to be tested > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > > + * record is generated > > > * > > > * Look up capability in profile capability set. > > > * > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > index 79b4890e9936..0730edf2f5f1 100644 > > > --- a/security/selinux/hooks.c > > > +++ b/security/selinux/hooks.c > > > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, > > > u16 sclass; > > > u32 sid = cred_sid(cred); > > > u32 av = CAP_TO_MASK(cap); > > > - int rc; > > > + int rc, rc2; > > > > > > ad.type = LSM_AUDIT_DATA_CAP; > > > ad.u.cap = cap; > > > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, > > > } > > > > > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > > > - if (!(opts & CAP_OPT_NOAUDIT)) { > > > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > > - if (rc2) > > > - return rc2; > > > - } > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) > > > + return rc; > > > > Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc == 0, then > > you will audit the allow. Is that what you want, or did you want, or > > did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > > The new option should cause to issue an audit event if (and only if) the requested capability is in effect for the current task. If the task does not have the capability no audit event should be issued. The new option should not imply CAP_OPT_NOAUDIT since we want an audit event in the case the capability is in effect. I admit the naming is a bit confusing as CAP_OPT_NODENYAUDIT as well as the commit description contains a double negation (while the inline comment for the macro definition does not). Do you prefer naming the constant CAP_OPT_ALLOWAUDIT or CAP_OPT_AUDIT_ON_ALLOW? > > > + > > > + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > > + if (rc2) > > > + return rc2; > > > + > > > return rc; > > > } > > > > > > -- > > > 2.40.1
On Wed, May 31, 2023 at 2:34 PM Christian Göttsche <cgzones@googlemail.com> wrote: > On Wed, 31 May 2023 at 16:08, Serge E. Hallyn <serge@hallyn.com> wrote: > > > > On Wed, May 31, 2023 at 09:07:34AM -0500, Serge E. Hallyn wrote: > > > On Thu, May 11, 2023 at 04:25:24PM +0200, Christian Göttsche wrote: > > > > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > > > > an audit event if the requested capability is not granted. This will be > > > > used in a new capable_any() functionality to reduce the number of > > > > necessary capable calls. > > > > > > > > Handle the flag accordingly in AppArmor and SELinux. > > > > > > > > Suggested-by: Paul Moore <paul@paul-moore.com> > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > > > > > Reviewed-by: Serge Hallyn <serge@hallyn.com> > > > > Sorry, obviously I should have removed this, until the comment below was > > answered :) > > > > > > --- > > > > include/linux/security.h | 2 ++ > > > > security/apparmor/capability.c | 8 +++++--- > > > > security/selinux/hooks.c | 14 ++++++++------ > > > > 3 files changed, 15 insertions(+), 9 deletions(-) > > > > > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > > > index e2734e9e44d5..629c775ec297 100644 > > > > --- a/include/linux/security.h > > > > +++ b/include/linux/security.h > > > > @@ -67,6 +67,8 @@ struct watch_notification; > > > > #define CAP_OPT_NOAUDIT BIT(1) > > > > /* If capable is being called by a setid function */ > > > > #define CAP_OPT_INSETID BIT(2) > > > > +/* If capable should audit the security request for authorized requests only */ > > > > +#define CAP_OPT_NODENYAUDIT BIT(3) > > > > > > > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > > > > #define SECURITY_LSM_NATIVE_LABELS 1 > > > > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > > > > index 326a51838ef2..98120dd62ca7 100644 > > > > --- a/security/apparmor/capability.c > > > > +++ b/security/apparmor/capability.c > > > > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, > > > > * profile_capable - test if profile allows use of capability @cap > > > > * @profile: profile being enforced (NOT NULL, NOT unconfined) > > > > * @cap: capability to test if allowed > > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > > > + * record is generated > > > > * @sa: audit data (MAY BE NULL indicating no auditing) > > > > * > > > > * Returns: 0 if allowed else -EPERM > > > > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > > > > else > > > > error = -EPERM; > > > > > > > > - if (opts & CAP_OPT_NOAUDIT) { > > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { > > > > if (!COMPLAIN_MODE(profile)) > > > > return error; > > > > /* audit the cap request in complain mode but note that it > > > > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > > > > * aa_capable - test permission to use capability > > > > * @label: label being tested for capability (NOT NULL) > > > > * @cap: capability to be tested > > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > > > + * record is generated > > > > * > > > > * Look up capability in profile capability set. > > > > * > > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > > index 79b4890e9936..0730edf2f5f1 100644 > > > > --- a/security/selinux/hooks.c > > > > +++ b/security/selinux/hooks.c > > > > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, > > > > u16 sclass; > > > > u32 sid = cred_sid(cred); > > > > u32 av = CAP_TO_MASK(cap); > > > > - int rc; > > > > + int rc, rc2; > > > > > > > > ad.type = LSM_AUDIT_DATA_CAP; > > > > ad.u.cap = cap; > > > > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, > > > > } > > > > > > > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > > > > - if (!(opts & CAP_OPT_NOAUDIT)) { > > > > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > > > - if (rc2) > > > > - return rc2; > > > > - } > > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) > > > > + return rc; > > > > > > Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc == 0, then > > > you will audit the allow. Is that what you want, or did you want, or > > > did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > > > > > The new option should cause to issue an audit event if (and only if) > the requested capability is in effect for the current task. If the > task does not have the capability no audit event should be issued. > > The new option should not imply CAP_OPT_NOAUDIT since we want an audit > event in the case the capability is in effect. > > I admit the naming is a bit confusing as CAP_OPT_NODENYAUDIT as well > as the commit description contains a double negation (while the inline > comment for the macro definition does not). > > Do you prefer naming the constant CAP_OPT_ALLOWAUDIT or CAP_OPT_AUDIT_ON_ALLOW? I think we need a different name, although I'm struggling to think of something ... I don't think ALLOWAUDIT is right, as I believe it implies that it is needed to "allow" auditing to take place for the operation. AUDIT_ON_ALLOW is better, but it still seems like it would be required if you wanted to generate audit records on a successful operation, which isn't correct. I think we need to focus on the idea that the flag blocks auditing for denials. CAP_OPT_NOAUDITDENY is pretty much what you have, but in my mind the NOAUDITDENY shares enough with the existing NOAUDIT flag that it makes a bit more sense. I honestly don't know. However, whatever you pick, make sure you update patch 2/X so that the name of ns_capable_nodenyaudit() is kept close to the flag's name.
On Wed, May 31, 2023 at 06:13:55PM -0400, Paul Moore wrote: > On Wed, May 31, 2023 at 2:34 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > On Wed, 31 May 2023 at 16:08, Serge E. Hallyn <serge@hallyn.com> wrote: > > > > > > On Wed, May 31, 2023 at 09:07:34AM -0500, Serge E. Hallyn wrote: > > > > On Thu, May 11, 2023 at 04:25:24PM +0200, Christian Göttsche wrote: > > > > > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > > > > > an audit event if the requested capability is not granted. This will be > > > > > used in a new capable_any() functionality to reduce the number of > > > > > necessary capable calls. > > > > > > > > > > Handle the flag accordingly in AppArmor and SELinux. > > > > > > > > > > Suggested-by: Paul Moore <paul@paul-moore.com> > > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > > > > > > > Reviewed-by: Serge Hallyn <serge@hallyn.com> > > > > > > Sorry, obviously I should have removed this, until the comment below was > > > answered :) > > > > > > > > --- > > > > > include/linux/security.h | 2 ++ > > > > > security/apparmor/capability.c | 8 +++++--- > > > > > security/selinux/hooks.c | 14 ++++++++------ > > > > > 3 files changed, 15 insertions(+), 9 deletions(-) > > > > > > > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > > > > index e2734e9e44d5..629c775ec297 100644 > > > > > --- a/include/linux/security.h > > > > > +++ b/include/linux/security.h > > > > > @@ -67,6 +67,8 @@ struct watch_notification; > > > > > #define CAP_OPT_NOAUDIT BIT(1) > > > > > /* If capable is being called by a setid function */ > > > > > #define CAP_OPT_INSETID BIT(2) > > > > > +/* If capable should audit the security request for authorized requests only */ > > > > > +#define CAP_OPT_NODENYAUDIT BIT(3) > > > > > > > > > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > > > > > #define SECURITY_LSM_NATIVE_LABELS 1 > > > > > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > > > > > index 326a51838ef2..98120dd62ca7 100644 > > > > > --- a/security/apparmor/capability.c > > > > > +++ b/security/apparmor/capability.c > > > > > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, > > > > > * profile_capable - test if profile allows use of capability @cap > > > > > * @profile: profile being enforced (NOT NULL, NOT unconfined) > > > > > * @cap: capability to test if allowed > > > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > > > > + * record is generated > > > > > * @sa: audit data (MAY BE NULL indicating no auditing) > > > > > * > > > > > * Returns: 0 if allowed else -EPERM > > > > > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > > > > > else > > > > > error = -EPERM; > > > > > > > > > > - if (opts & CAP_OPT_NOAUDIT) { > > > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { > > > > > if (!COMPLAIN_MODE(profile)) > > > > > return error; > > > > > /* audit the cap request in complain mode but note that it > > > > > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > > > > > * aa_capable - test permission to use capability > > > > > * @label: label being tested for capability (NOT NULL) > > > > > * @cap: capability to be tested > > > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > > > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > > > > > + * record is generated > > > > > * > > > > > * Look up capability in profile capability set. > > > > > * > > > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > > > index 79b4890e9936..0730edf2f5f1 100644 > > > > > --- a/security/selinux/hooks.c > > > > > +++ b/security/selinux/hooks.c > > > > > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, > > > > > u16 sclass; > > > > > u32 sid = cred_sid(cred); > > > > > u32 av = CAP_TO_MASK(cap); > > > > > - int rc; > > > > > + int rc, rc2; > > > > > > > > > > ad.type = LSM_AUDIT_DATA_CAP; > > > > > ad.u.cap = cap; > > > > > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, > > > > > } > > > > > > > > > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > > > > > - if (!(opts & CAP_OPT_NOAUDIT)) { > > > > > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > > > > - if (rc2) > > > > > - return rc2; > > > > > - } > > > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) > > > > > + return rc; > > > > > > > > Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc == 0, then > > > > you will audit the allow. Is that what you want, or did you want, or > > > > did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > > > > > > > > The new option should cause to issue an audit event if (and only if) > > the requested capability is in effect for the current task. If the > > task does not have the capability no audit event should be issued. > > > > The new option should not imply CAP_OPT_NOAUDIT since we want an audit > > event in the case the capability is in effect. > > > > I admit the naming is a bit confusing as CAP_OPT_NODENYAUDIT as well > > as the commit description contains a double negation (while the inline > > comment for the macro definition does not). > > > > Do you prefer naming the constant CAP_OPT_ALLOWAUDIT or CAP_OPT_AUDIT_ON_ALLOW? > > I think we need a different name, although I'm struggling to think of > something ... I don't think ALLOWAUDIT is right, as I believe it > implies that it is needed to "allow" auditing to take place for the > operation. AUDIT_ON_ALLOW is better, but it still seems like it would > be required if you wanted to generate audit records on a successful > operation, which isn't correct. I think we need to focus on the idea > that the flag blocks auditing for denials. > > CAP_OPT_NOAUDITDENY is pretty much what you have, but in my mind the > NOAUDITDENY shares enough with the existing NOAUDIT flag that it makes > a bit more sense. > > I honestly don't know. However, whatever you pick, make sure you > update patch 2/X so that the name of ns_capable_nodenyaudit() is kept > close to the flag's name. (Sorry for the late response. I still need to fix my filters) Is CAP_OPT_NOAUDIT_ONDENY or CAP_OPT_AUDIT_ONLY_ONALLOW too long? :) Anyway, Christian, I leave the final choice to you, then please feel free to add my Reviewed-by. thanks, -serge
diff --git a/include/linux/security.h b/include/linux/security.h index e2734e9e44d5..629c775ec297 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -67,6 +67,8 @@ struct watch_notification; #define CAP_OPT_NOAUDIT BIT(1) /* If capable is being called by a setid function */ #define CAP_OPT_INSETID BIT(2) +/* If capable should audit the security request for authorized requests only */ +#define CAP_OPT_NODENYAUDIT BIT(3) /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ #define SECURITY_LSM_NATIVE_LABELS 1 diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index 326a51838ef2..98120dd62ca7 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, * profile_capable - test if profile allows use of capability @cap * @profile: profile being enforced (NOT NULL, NOT unconfined) * @cap: capability to test if allowed - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit + * record is generated * @sa: audit data (MAY BE NULL indicating no auditing) * * Returns: 0 if allowed else -EPERM @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, else error = -EPERM; - if (opts & CAP_OPT_NOAUDIT) { + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { if (!COMPLAIN_MODE(profile)) return error; /* audit the cap request in complain mode but note that it @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, * aa_capable - test permission to use capability * @label: label being tested for capability (NOT NULL) * @cap: capability to be tested - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit + * record is generated * * Look up capability in profile capability set. * diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 79b4890e9936..0730edf2f5f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, u16 sclass; u32 sid = cred_sid(cred); u32 av = CAP_TO_MASK(cap); - int rc; + int rc, rc2; ad.type = LSM_AUDIT_DATA_CAP; ad.u.cap = cap; @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, } rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); - if (!(opts & CAP_OPT_NOAUDIT)) { - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); - if (rc2) - return rc2; - } + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) + return rc; + + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); + if (rc2) + return rc2; + return rc; }