Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1015587rwd; Wed, 31 May 2023 08:22:16 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7xc0RtLaDZ7dASs3VcjbLCFlJt36lnL9yQtrLbHJYUFnOOLbJGXUg1CfzXjbTNtCnTescL X-Received: by 2002:a05:6a21:3388:b0:10c:2fe0:b3d with SMTP id yy8-20020a056a21338800b0010c2fe00b3dmr5675352pzb.33.1685546536174; Wed, 31 May 2023 08:22:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685546536; cv=none; d=google.com; s=arc-20160816; b=OxuO2pUJoj9VH5bp42iWINm8q9xxu0bV0teI7kWYUsf8tFR8v78Eg/srbt0l5j7IE8 NnK17PdWbKRpKig01ckIOAV7o3+d1S0y7NXi+nRSw9fulP4/Wz5hBw/qpWmleSAaP4bT AikGXhCOp4Itn5srSgenqpMFoVe+0CjdjiEc0xA23B1JvuKT3iP6hBAE+Io4yrnFRDLN C95ce4oWJUQJis57LH6OcH7k713yQCs5kEOWYziv7USeyJPqMO+IM5VZXz1hZoxlb4KP 5dAM6Uc/1sPJoorRSyTzhp4QVWZRwWFl8SmS8Xvsiz3LQGIUg8+Gb4ZnE9YoBSLyTqCr Cw2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=dCzzImE15F8VxXcGqbZFFlzXpyAkmBmCx/X4lxIadIY=; b=jxuMOD06MSt8NczL2VLczl0jfI5/r7qjsM3iceTuh3rNIYX7zeRnV/uopWnIvECB9X ViVPKM3sFlYPhn1E3eBXcw20CUt0uEqJ2MHTY04QJ6mm1I3zSz5vXsJda9Y58skeLLJn Q1QhLmYo9UK7+rnk+pCxtxFsnXMYO7A7tL++fAkU1/aL7g5/DbPsAW8mh3di5SzJ2pXW ll1zI2rlfO3jCKR3QNZNf6kx+FjfM6BtKPJb6SGE3W7tY6y5AHDSFlIW5A48CqPZIBcI OU0eT8ZDcJlBwjDjfv3y86JZ4bNb1I3t/s7v/WeAoRyvWcWvN1i5nqMTkBLSq2CyykrF 8OXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t127-20020a637885000000b0053f66c75b98si1135112pgc.703.2023.05.31.08.22.02; Wed, 31 May 2023 08:22:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233886AbjEaPHt (ORCPT + 99 others); Wed, 31 May 2023 11:07:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38600 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231215AbjEaPHo (ORCPT ); Wed, 31 May 2023 11:07:44 -0400 Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4BDF3185; Wed, 31 May 2023 08:07:22 -0700 (PDT) Received: by mail.hallyn.com (Postfix, from userid 1001) id 1C6E2EC5; Wed, 31 May 2023 09:07:34 -0500 (CDT) Date: Wed, 31 May 2023 09:07:34 -0500 From: "Serge E. Hallyn" To: Christian =?iso-8859-1?Q?G=F6ttsche?= Cc: selinux@vger.kernel.org, Paul Moore , John Johansen , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Christian Brauner , Casey Schaufler , Dave Chinner , Nathan Lynch , Al Viro , Roberto Sassu , Micah Morton , Frederick Lawler , =?iso-8859-1?Q?G=FCnther?= Noack , linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, bpf@vger.kernel.org Subject: Re: [PATCH v4 1/9] capability: introduce new capable flag NODENYAUDIT Message-ID: <20230531140734.GA515872@mail.hallyn.com> References: <20230511142535.732324-1-cgzones@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20230511142535.732324-1-cgzones@googlemail.com> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 11, 2023 at 04:25:24PM +0200, Christian G?ttsche wrote: > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > an audit event if the requested capability is not granted. This will be > used in a new capable_any() functionality to reduce the number of > necessary capable calls. > > Handle the flag accordingly in AppArmor and SELinux. > > Suggested-by: Paul Moore > Signed-off-by: Christian G?ttsche Reviewed-by: Serge Hallyn > --- > include/linux/security.h | 2 ++ > security/apparmor/capability.c | 8 +++++--- > security/selinux/hooks.c | 14 ++++++++------ > 3 files changed, 15 insertions(+), 9 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index e2734e9e44d5..629c775ec297 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -67,6 +67,8 @@ struct watch_notification; > #define CAP_OPT_NOAUDIT BIT(1) > /* If capable is being called by a setid function */ > #define CAP_OPT_INSETID BIT(2) > +/* If capable should audit the security request for authorized requests only */ > +#define CAP_OPT_NODENYAUDIT BIT(3) > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > #define SECURITY_LSM_NATIVE_LABELS 1 > diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c > index 326a51838ef2..98120dd62ca7 100644 > --- a/security/apparmor/capability.c > +++ b/security/apparmor/capability.c > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, > * profile_capable - test if profile allows use of capability @cap > * @profile: profile being enforced (NOT NULL, NOT unconfined) > * @cap: capability to test if allowed > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > + * record is generated > * @sa: audit data (MAY BE NULL indicating no auditing) > * > * Returns: 0 if allowed else -EPERM > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap, > else > error = -EPERM; > > - if (opts & CAP_OPT_NOAUDIT) { > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) { > if (!COMPLAIN_MODE(profile)) > return error; > /* audit the cap request in complain mode but note that it > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap, > * aa_capable - test permission to use capability > * @label: label being tested for capability (NOT NULL) > * @cap: capability to be tested > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit > + * record is generated > * > * Look up capability in profile capability set. > * > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 79b4890e9936..0730edf2f5f1 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred, > u16 sclass; > u32 sid = cred_sid(cred); > u32 av = CAP_TO_MASK(cap); > - int rc; > + int rc, rc2; > > ad.type = LSM_AUDIT_DATA_CAP; > ad.u.cap = cap; > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred, > } > > rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > - if (!(opts & CAP_OPT_NOAUDIT)) { > - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > - if (rc2) > - return rc2; > - } > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc)) > + return rc; Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc == 0, then you will audit the allow. Is that what you want, or did you want, or did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > + > + rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > + if (rc2) > + return rc2; > + > return rc; > } > > -- > 2.40.1