Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1319288rwd; Wed, 31 May 2023 12:11:34 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5lDL7f/mCq9Hgd8wAhQBcVVQyNuT2jNq/u7VyFGtTpj7E122FAez9eqXaDjQB4NqTiHxzx X-Received: by 2002:a17:90b:11d8:b0:256:ae6e:993d with SMTP id gv24-20020a17090b11d800b00256ae6e993dmr7798145pjb.1.1685560294394; Wed, 31 May 2023 12:11:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685560294; cv=none; d=google.com; s=arc-20160816; b=M2unsZhS1JUlR/oFfWKxvwvxkH2/vM7evWNUv5/+Ejq+K8wONmCfCgYWjyZ5mKZDBa OC96jsJwpj68MUFe542RIhgcbyxO6xu8O+iATW60TaJRRbgLv/5+gGgGglRcCNREewY1 3mQai6hk6/5zuca5UNZOBKJKpIYeYEOCkq6u3LLybWBeDTC2C3XHphkKcsMDAHIs6s+M KtX3w5NtNM/S4kfn0hzhyrZAphOnlmbEXuw8yB5/MAcUDQdnr8k7LbasRT3jAtpcGK5v c5dRFPJItBc2UAnGL3Xu7dOEcfvsocZMfQOF7I3lwyqR2qRsiXz7sr1LrKd0C5r9B19U LS0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=33aBmP8iR+QR8+u9TV+rf6CnvGlRTn2mBObMMEn9tYI=; b=iXrEhlifrMcx60mRuhUq9p5nKFh+dMMZQ/bdf98jFIV5KJaiyalI6VdNnaGmAxu2gC VttydvYJDOJGYbRj5TjFpwAZkvkIbJ5tHzNV4iKWf9fi8WsGZ+I7Yi2OjeepG+2VKAmb Y30I44RJtiEaLIV+SKE+p3Dj3azgN4kKoJrHWIxgjivj2SM0ATB+LZeAgDKfLQzTCKev IUj5VNyel1EZpdQ2H4PogGrzKX1qjWRgCKcUXEzyc22V77Jc/mLLl40CQC1tosxHpdPS l2mn8YkvmX68fdZOdBqeoy/eynAKyO7SYiEEC8xKsyZxcKT1slA+Oys6zrD14KHlTUR1 OHyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@googlemail.com header.s=20221208 header.b="LJV/baSr"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pc13-20020a17090b3b8d00b0024df993792dsi1522585pjb.80.2023.05.31.12.11.18; Wed, 31 May 2023 12:11:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@googlemail.com header.s=20221208 header.b="LJV/baSr"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230016AbjEaSe1 (ORCPT + 99 others); Wed, 31 May 2023 14:34:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34456 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229553AbjEaSe0 (ORCPT ); Wed, 31 May 2023 14:34:26 -0400 Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDB7710F; Wed, 31 May 2023 11:34:23 -0700 (PDT) Received: by mail-vs1-xe32.google.com with SMTP id ada2fe7eead31-439554d9a69so42338137.1; Wed, 31 May 2023 11:34:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1685558063; x=1688150063; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=33aBmP8iR+QR8+u9TV+rf6CnvGlRTn2mBObMMEn9tYI=; b=LJV/baSrmGNc6tPk8ylKWCuIGECOqrJVAVpDb70Ahb/I/1D8qf9DOJx5k77MTQoFfa p0hdUBhDBzbJBxcYuLo6cQm1LMrXF7Vo2SxMR5zTWN/Is8PE1ctmCI6pV2IhGQWnulM1 qkkehs/umBSgRNRuenpGCPFSSnqTh4mM0SIbamrJ5Tr9MBm2LhMfMcL/VgqQ83JEzS1V xDFyFnGaN3e7afBSbvYJ5IlzbJn50hWvHYBylRWqvcdAF+Ezm0+QzhYqAYD5tVRVvJXs fDbP8y7KTddD3vehSfc8T8j7EJTVogaPc79b+Gz2I+f4zxMfPaFVXpbrtUnW4a8Pft5h 8qug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685558063; x=1688150063; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=33aBmP8iR+QR8+u9TV+rf6CnvGlRTn2mBObMMEn9tYI=; b=L0flot2YaF0ZoWtSxMbFgZLm7miQ+vQ3VsA9UjtyZu0KI9FBH0DjKU7Sp5NmLlmvlM Vfchwl2DCcPXyn/xWfhpoBWXYeQydZsCWrMxdKtsD5vmBDPVt117lqRy+1bRCmgF6Xur hfttdgJW/7s7RRNRAviGYcFoS2cuFnEPtfUxzQv5mbYyqcbT9uN/l0hl+eXJAbPQRAF5 lA3QluGmxRU/jX3NvOInVDS1vp19lqIR4wnZtfUY9txMdhokLKlg9giUc8JThedvQ6xO DEWUSGpqK6j2UeGmMN+XpggZqXUraWzBz6vi3I7tu6Poh+DrG6ATASXVUySqeTpTkLQV LUNQ== X-Gm-Message-State: AC+VfDxrBga5u5TF4CA0+PXK1Y3SQsxACH8jYwhu0Kdpn79yd+UOifkV U6HWll3n2se+aRJ6ezfBqFka4oK1ky1DiMTH5Ldhc108/S0aODsPtoQ= X-Received: by 2002:a05:6102:374:b0:439:4fb6:83fa with SMTP id f20-20020a056102037400b004394fb683famr5202635vsa.9.1685558062408; Wed, 31 May 2023 11:34:22 -0700 (PDT) MIME-Version: 1.0 References: <20230511142535.732324-1-cgzones@googlemail.com> <20230531140734.GA515872@mail.hallyn.com> <20230531140847.GB515872@mail.hallyn.com> In-Reply-To: <20230531140847.GB515872@mail.hallyn.com> From: =?UTF-8?Q?Christian_G=C3=B6ttsche?= Date: Wed, 31 May 2023 20:34:11 +0200 Message-ID: Subject: Re: [PATCH v4 1/9] capability: introduce new capable flag NODENYAUDIT To: "Serge E. Hallyn" Cc: selinux@vger.kernel.org, Paul Moore , John Johansen , James Morris , Stephen Smalley , Eric Paris , Christian Brauner , Casey Schaufler , Dave Chinner , Nathan Lynch , Al Viro , Roberto Sassu , Micah Morton , Frederick Lawler , =?UTF-8?Q?G=C3=BCnther_Noack?= , linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, bpf@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 31 May 2023 at 16:08, Serge E. Hallyn wrote: > > On Wed, May 31, 2023 at 09:07:34AM -0500, Serge E. Hallyn wrote: > > On Thu, May 11, 2023 at 04:25:24PM +0200, Christian G=C3=B6ttsche wrote= : > > > Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate > > > an audit event if the requested capability is not granted. This will= be > > > used in a new capable_any() functionality to reduce the number of > > > necessary capable calls. > > > > > > Handle the flag accordingly in AppArmor and SELinux. > > > > > > Suggested-by: Paul Moore > > > Signed-off-by: Christian G=C3=B6ttsche > > > > Reviewed-by: Serge Hallyn > > Sorry, obviously I should have removed this, until the comment below was > answered :) > > > > --- > > > include/linux/security.h | 2 ++ > > > security/apparmor/capability.c | 8 +++++--- > > > security/selinux/hooks.c | 14 ++++++++------ > > > 3 files changed, 15 insertions(+), 9 deletions(-) > > > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > > index e2734e9e44d5..629c775ec297 100644 > > > --- a/include/linux/security.h > > > +++ b/include/linux/security.h > > > @@ -67,6 +67,8 @@ struct watch_notification; > > > #define CAP_OPT_NOAUDIT BIT(1) > > > /* If capable is being called by a setid function */ > > > #define CAP_OPT_INSETID BIT(2) > > > +/* If capable should audit the security request for authorized reque= sts only */ > > > +#define CAP_OPT_NODENYAUDIT BIT(3) > > > > > > /* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ > > > #define SECURITY_LSM_NATIVE_LABELS 1 > > > diff --git a/security/apparmor/capability.c b/security/apparmor/capab= ility.c > > > index 326a51838ef2..98120dd62ca7 100644 > > > --- a/security/apparmor/capability.c > > > +++ b/security/apparmor/capability.c > > > @@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *s= a, struct aa_profile *profile, > > > * profile_capable - test if profile allows use of capability @cap > > > * @profile: profile being enforced (NOT NULL, NOT unconfined) > > > * @cap: capability to test if allowed > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is gen= erated > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether= audit > > > + * record is generated > > > * @sa: audit data (MAY BE NULL indicating no auditing) > > > * > > > * Returns: 0 if allowed else -EPERM > > > @@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *pro= file, int cap, > > > else > > > error =3D -EPERM; > > > > > > - if (opts & CAP_OPT_NOAUDIT) { > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && = error)) { > > > if (!COMPLAIN_MODE(profile)) > > > return error; > > > /* audit the cap request in complain mode but note that i= t > > > @@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *pro= file, int cap, > > > * aa_capable - test permission to use capability > > > * @label: label being tested for capability (NOT NULL) > > > * @cap: capability to be tested > > > - * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is gen= erated > > > + * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether= audit > > > + * record is generated > > > * > > > * Look up capability in profile capability set. > > > * > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > index 79b4890e9936..0730edf2f5f1 100644 > > > --- a/security/selinux/hooks.c > > > +++ b/security/selinux/hooks.c > > > @@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cre= d *cred, > > > u16 sclass; > > > u32 sid =3D cred_sid(cred); > > > u32 av =3D CAP_TO_MASK(cap); > > > - int rc; > > > + int rc, rc2; > > > > > > ad.type =3D LSM_AUDIT_DATA_CAP; > > > ad.u.cap =3D cap; > > > @@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct c= red *cred, > > > } > > > > > > rc =3D avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); > > > - if (!(opts & CAP_OPT_NOAUDIT)) { > > > - int rc2 =3D avc_audit(sid, sid, sclass, av, &avd, rc, &ad= ); > > > - if (rc2) > > > - return rc2; > > > - } > > > + if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && = rc)) > > > + return rc; > > > > Hm, if the caller passes only CAP_OPT_NODENYAUDIT, and rc =3D=3D 0, the= n > > you will audit the allow. Is that what you want, or did you want, or > > did you want CAP_OPT_NODENYAUDIT to imply CAP_OPT_NOAUDIT? > > The new option should cause to issue an audit event if (and only if) the requested capability is in effect for the current task. If the task does not have the capability no audit event should be issued. The new option should not imply CAP_OPT_NOAUDIT since we want an audit event in the case the capability is in effect. I admit the naming is a bit confusing as CAP_OPT_NODENYAUDIT as well as the commit description contains a double negation (while the inline comment for the macro definition does not). Do you prefer naming the constant CAP_OPT_ALLOWAUDIT or CAP_OPT_AUDIT_ON_AL= LOW? > > > + > > > + rc2 =3D avc_audit(sid, sid, sclass, av, &avd, rc, &ad); > > > + if (rc2) > > > + return rc2; > > > + > > > return rc; > > > } > > > > > > -- > > > 2.40.1