apparmor: add a cache entry expiration time aging out capability audit cache
When auditing capabilities, AppArmor uses a per-CPU, per-profile cache
such that the same capability for the same profile doesn't get repeatedly
audited, with the original goal of reducing audit logspam. However, this
cache does not have an expiration time, resulting in confusion when a
profile is shared across binaries (for example) and an expected DENIED
audit entry doesn't appear, despite the cache entry having been populated
much longer ago. This confusion was exacerbated by the per-CPU nature of
the cache resulting in the expected entries sporadically appearing when
the later denial+audit occurred on a different CPU.
To resolve this, record the last time a capability was audited for a
profile and add a timestamp expiration check before doing the audit.
v1 -> v2:
- Hardcode a longer timeout and drop the patches making it a sysctl,
after discussion with John Johansen.
- Cache the expiration time instead of the last-audited time. This value
can never be zero, which lets us drop the kernel_cap_t caps field from
the cache struct.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
projects / users / jedix / linux-maple.git / commit