UBUNTU: SAUCE: apparmor4.0.0 [61/76]: prompt - refactor to moving caching to uresponse

BugLink: https://bugs.launchpad.net/bugs/2028253

To be able to be more responsive to prompt return values refactor the
code more to make caching operations distinct from user interaction
and move adding to the cache into the uresps side, so actions don't
have to be passed back to the paused process.

This is a step towards allowing response that will use a named
response instead of permissions and also allow for reuse of knotif
for notifications, heartbeat and canceled.

Signed-off-by: John Johansen <[email protected]>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <[email protected]>

Author: jrjohansen

security/apparmor/file.c

@@ -79,14 +79,16 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
 	}
 }
 
+// ??? differentiate between
+// cached - allow    : no audit == 1
+// cached - deny     : no audit < 0
+// cached - complain : no audit
+// cached - partial  : audit missing part : as miss
+// not cached = 0
 static int check_cache(struct aa_profile *profile,
-		       struct apparmor_audit_data *ad,
-		       struct aa_perms *perms)
+		       struct apparmor_audit_data *ad)
 {
-	struct aa_audit_node *node = NULL;
 	struct aa_audit_node *hit;
-	bool cache_response;
-	int err;
 
 	AA_BUG(!profile);
 	ad->subj_label = &profile->label; // normally set in aa_audit
@@ -116,34 +118,48 @@ static int check_cache(struct aa_profile *profile,
 			/* continue to do prompt */
 		} else {
 			AA_DEBUG(DEBUG_UPCALL, "cache hit");
-			ad->error = 0;
 			aa_put_audit_node(hit);
-			/* do audit */
-			return 0;
+			/* don't audit: if its in the cache already audited */
+			return 1;
 		}
 		aa_put_audit_node(hit);
 		hit = NULL;
 	} else {
 		AA_DEBUG(DEBUG_UPCALL, "cache miss");
 	}
+
+	return 0;
+}
+
+// error - immediate return
+//       - debug message do audit
+// caching is handled on listener task side
+static int check_user(struct aa_profile *profile,
+		      struct apparmor_audit_data *ad,
+		      struct aa_perms *perms)
+{
+	struct aa_audit_node *node = NULL;
+	int err;
+
 	/* assume we are going to dispatch */
 	node = aa_dup_audit_data(ad, GFP_KERNEL);
 	if (!node) {
 		AA_DEBUG(DEBUG_UPCALL,
 			 "notifcation failed to duplicate with error -ENOMEM\n");
 		/* do audit */
-		return 0;
+		return -ENOMEM;
 	}
 
 	get_task_struct(current);
 	node->data.subjtsk = current;
 	node->data.type = AUDIT_APPARMOR_USER;
 	node->data.request = ad->request;
 	node->data.denied = ad->request & ~perms->allow;
-	err = aa_do_notification(APPARMOR_NOTIF_OP, node, &cache_response);
+	err = aa_do_notification(APPARMOR_NOTIF_OP, node);
 	put_task_struct(node->data.subjtsk);
 
 	if (err) {
+		// do we want to do something special with -ERESTARTSYS
 		AA_DEBUG(DEBUG_UPCALL, "notifcation failed with error %d\n",
 			 ad->error);
 		goto return_to_audit;
@@ -154,33 +170,9 @@ static int check_cache(struct aa_profile *profile,
 	ad->denied = node->data.denied;
 	ad->error = node->data.error;
 
-	if (cache_response) {
-		/* TODO: shouldn't add until after auditing it, or at
-		 * least having a refcount. Fix once removing entry is
-		 * allowed
-		 */
-		AA_DEBUG(DEBUG_UPCALL, "inserting cache entry requ 0x%x  denied 0x%x",
-			 node->data.request, node->data.denied);
-		hit = aa_audit_cache_insert(&profile->learning_cache,
-					    node);
-		AA_DEBUG(DEBUG_UPCALL, "cache insert %s: name %s node %s\n",
-			 hit != node ? "lost race" : "",
-			 hit->data.name, node->data.name);
-		if (hit != node) {
-			AA_DEBUG(DEBUG_UPCALL, "updating existing cache entry");
-			aa_audit_cache_update_ent(&profile->learning_cache,
-						  hit, &node->data);
-			aa_put_audit_node(hit);
-		} else {
-
-			AA_DEBUG(DEBUG_UPCALL, "inserted into cache");
-		}
-		/* now to audit */
-	} /* cache_response */
-
 return_to_audit:
 	aa_put_audit_node(node);
-	return 0;
+	return err;
 }
 
 /**
@@ -220,14 +212,33 @@ int aa_audit_file(const struct cred *subj_cred,
 	ad.common.u.tsk = NULL;
 	ad.subjtsk = NULL;
 
-	if (unlikely(ad.error) && ((prompt && USER_MODE(profile)) ||
-				   ((request & perms->prompt) &&
-				    ((request & (perms->prompt |
-						 perms->allow)) == request)))) {
-		err = check_cache(profile, &ad, perms);
-		if (err)
-			/* only happens if already cached */
-			return err;
+	ad.denied = denied_perms(perms, ad.request);
+
+	if (unlikely(ad.error)) {
+		u32 implicit_deny;
+
+		/* learning cache - not audit dedup yet */
+		err = check_cache(profile, &ad);
+		if (err != 0)
+			/* cached */
+			return ad.error;
+
+		implicit_deny = (ad.request & ~perms->allow) & ~perms->deny;
+		if (USER_MODE(profile))
+			perms->prompt = ALL_PERMS_MASK;
+
+		/* don't prompt
+		 * - if explicit deny
+		 * - if implicit_deny is not entirely covered by prompt
+		 *   as no point asking user to just deny it anyway.
+		 */
+		if (prompt && !(request & perms->deny) &&
+		    (perms->prompt & implicit_deny) == implicit_deny) {
+			err = check_user(profile, &ad, perms);
+			if (err == -ERESTARTSYS)
+				/* are there other errors we should bail on */
+				return err;
+		}
 	}
 
 	if (likely(!ad.error)) {
@@ -260,7 +271,6 @@ int aa_audit_file(const struct cred *subj_cred,
 			return ad.error;
 	}
 
-	ad.denied = ad.request & ~perms->allow;
 	err = aa_audit(type, profile, &ad, file_audit_cb);
 	return err;
 }

security/apparmor/include/notify.h

@@ -50,6 +50,9 @@ struct aa_listener_proxy {
 	struct list_head nslist;
 };
 
+#define KNOTIF_PULSE
+#define KNOTIF_PENDING
+#define KNOTIF_CANCELLED
 /* need to split knofif into audit_proxy
  * prompt notifications only go to first taker so no need for completion
  * in the proxy, it increases size of proxy in non-prompt case
@@ -60,14 +63,14 @@ struct aa_knotif {
 	struct completion ready;
 	u64 id;
 	u16 ntype;
+	u16 flags;
 };
 
 void aa_free_listener_proxy(struct aa_listener_proxy *proxy);
 bool aa_register_listener_proxy(struct aa_listener *listener, struct aa_ns *ns);
 struct aa_listener *aa_new_listener(struct aa_ns *ns, gfp_t gfp);
 struct aa_knotif *__aa_find_notif(struct aa_listener *listener, u64 id);
-int aa_do_notification(u16 ntype, struct aa_audit_node *node,
-		       bool *cache_response);
+int aa_do_notification(u16 ntype, struct aa_audit_node *node);
 
 long aa_listener_unotif_recv(struct aa_listener *listener, void __user *buf,
 			     u16 max_size);