From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Cc: "Paul Moore" <paul@paul-moore.com>,
"John Johansen" <john.johansen@canonical.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Eric Paris" <eparis@parisplace.org>,
"Christian Brauner" <brauner@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Dave Chinner" <dchinner@redhat.com>,
"Nathan Lynch" <nathanl@linux.ibm.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Micah Morton" <mortonm@chromium.org>,
"Frederick Lawler" <fred@cloudflare.com>,
"Günther Noack" <gnoack3000@gmail.com>,
linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com,
linux-security-module@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH v4 1/9] capability: introduce new capable flag NODENYAUDIT
Date: Thu, 11 May 2023 16:25:24 +0200 [thread overview]
Message-ID: <20230511142535.732324-1-cgzones@googlemail.com> (raw)
Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate
an audit event if the requested capability is not granted. This will be
used in a new capable_any() functionality to reduce the number of
necessary capable calls.
Handle the flag accordingly in AppArmor and SELinux.
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
include/linux/security.h | 2 ++
security/apparmor/capability.c | 8 +++++---
security/selinux/hooks.c | 14 ++++++++------
3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index e2734e9e44d5..629c775ec297 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -67,6 +67,8 @@ struct watch_notification;
#define CAP_OPT_NOAUDIT BIT(1)
/* If capable is being called by a setid function */
#define CAP_OPT_INSETID BIT(2)
+/* If capable should audit the security request for authorized requests only */
+#define CAP_OPT_NODENYAUDIT BIT(3)
/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */
#define SECURITY_LSM_NATIVE_LABELS 1
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 326a51838ef2..98120dd62ca7 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -108,7 +108,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
* profile_capable - test if profile allows use of capability @cap
* @profile: profile being enforced (NOT NULL, NOT unconfined)
* @cap: capability to test if allowed
- * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
+ * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit
+ * record is generated
* @sa: audit data (MAY BE NULL indicating no auditing)
*
* Returns: 0 if allowed else -EPERM
@@ -126,7 +127,7 @@ static int profile_capable(struct aa_profile *profile, int cap,
else
error = -EPERM;
- if (opts & CAP_OPT_NOAUDIT) {
+ if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && error)) {
if (!COMPLAIN_MODE(profile))
return error;
/* audit the cap request in complain mode but note that it
@@ -142,7 +143,8 @@ static int profile_capable(struct aa_profile *profile, int cap,
* aa_capable - test permission to use capability
* @label: label being tested for capability (NOT NULL)
* @cap: capability to be tested
- * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
+ * @opts: CAP_OPT_NOAUDIT/CAP_OPT_NODENYAUDIT bit determines whether audit
+ * record is generated
*
* Look up capability in profile capability set.
*
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 79b4890e9936..0730edf2f5f1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1571,7 +1571,7 @@ static int cred_has_capability(const struct cred *cred,
u16 sclass;
u32 sid = cred_sid(cred);
u32 av = CAP_TO_MASK(cap);
- int rc;
+ int rc, rc2;
ad.type = LSM_AUDIT_DATA_CAP;
ad.u.cap = cap;
@@ -1590,11 +1590,13 @@ static int cred_has_capability(const struct cred *cred,
}
rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
- if (!(opts & CAP_OPT_NOAUDIT)) {
- int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
- if (rc2)
- return rc2;
- }
+ if ((opts & CAP_OPT_NOAUDIT) || ((opts & CAP_OPT_NODENYAUDIT) && rc))
+ return rc;
+
+ rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
+ if (rc2)
+ return rc2;
+
return rc;
}
--
2.40.1
next reply other threads:[~2023-05-11 14:27 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-11 14:25 Christian Göttsche [this message]
2023-05-11 14:25 ` [PATCH v4 2/9] capability: add any wrapper to test for multiple caps with exactly one audit message Christian Göttsche
2023-05-11 14:25 ` [PATCH v4 3/9] capability: use new capable_any functionality Christian Göttsche
2023-05-16 18:42 ` Andrii Nakryiko
2023-05-11 14:25 ` [PATCH v4 4/9] block: " Christian Göttsche
2023-05-11 15:35 ` Christoph Hellwig
2023-05-11 16:53 ` Christian Göttsche
2023-05-11 14:25 ` [PATCH v4 5/9] drivers: " Christian Göttsche
2023-05-11 14:25 ` Christian Göttsche
2023-05-11 14:25 ` Christian Göttsche
2023-05-16 6:33 ` Alexander Gordeev
2023-05-16 6:33 ` Alexander Gordeev
2023-05-16 6:33 ` Alexander Gordeev
2023-05-11 14:25 ` [PATCH v4 6/9] fs: " Christian Göttsche
2023-05-15 7:56 ` Christian Brauner
2023-05-11 14:25 ` [PATCH v4 7/9] kernel: " Christian Göttsche
2023-05-15 7:54 ` Christian Brauner
2023-05-11 14:25 ` [PATCH v4 8/9] bpf: " Christian Göttsche
2023-05-16 18:42 ` Andrii Nakryiko
2023-05-11 14:25 ` [PATCH v4 9/9] net: " Christian Göttsche
2023-05-22 13:56 ` Miquel Raynal
2023-05-11 14:25 ` [PATCH v4 0/9] Introduce capable_any() Christian Göttsche
2023-05-31 14:07 ` [PATCH v4 1/9] capability: introduce new capable flag NODENYAUDIT Serge E. Hallyn
2023-05-31 14:08 ` Serge E. Hallyn
2023-05-31 18:34 ` Christian Göttsche
2023-05-31 22:13 ` Paul Moore
2023-06-06 19:00 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230511142535.732324-1-cgzones@googlemail.com \
--to=cgzones@googlemail.com \
--cc=apparmor@lists.ubuntu.com \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=dchinner@redhat.com \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=gnoack3000@gmail.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mortonm@chromium.org \
--cc=nathanl@linux.ibm.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.