[RFC,v2,13/14] landlock: Log scoped denials

Message ID	20241022161009.982584-14-mic@digikod.net (mailing list archive)
State	New
Delegated to:	Paul Moore
Headers	show Received: from smtp-bc0b.mail.infomaniak.ch (smtp-bc0b.mail.infomaniak.ch [45.157.188.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 405431C1744 for <linux-security-module@vger.kernel.org>; Tue, 22 Oct 2024 16:10:44 +0000 (UTC) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net> To: Eric Paris <eparis@redhat.com>, Paul Moore <paul@paul-moore.com>, =?utf-8?q?G=C3=BCnther_Noack?= <gnoack@google.com>, "Serge E . Hallyn" <serge@hallyn.com> Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, Ben Scarlato <akhna@google.com>, Casey Schaufler <casey@schaufler-ca.com>, Charles Zaffery <czaffery@roblox.com>, James Morris <jmorris@namei.org>, Jann Horn <jannh@google.com>, Jeff Xu <jeffxu@google.com>, Jorge Lucangeli Obes <jorgelo@google.com>, Kees Cook <kees@kernel.org>, Konstantin Meskhidze <konstantin.meskhidze@huawei.com>, Matt Bobrowski <mattbobrowski@google.com>, Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>, Praveen K Paladugu <prapal@linux.microsoft.com>, Robert Salvet <robert.salvet@roblox.com>, Shervin Oloumi <enlightened@google.com>, Song Liu <song@kernel.org>, Tahera Fahimi <fahimitahera@gmail.com>, audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH v2 13/14] landlock: Log scoped denials Date: Tue, 22 Oct 2024 18:10:08 +0200 Message-ID: <20241022161009.982584-14-mic@digikod.net> In-Reply-To: <20241022161009.982584-1-mic@digikod.net> References: <20241022161009.982584-1-mic@digikod.net> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	Landlock audit support \| expand [RFC,v2,00/14] Landlock audit support [RFC,v2,01/14] lsm: Only build lsm_audit.c if CONFIG_AUDIT is set [RFC,v2,02/14] lsm: Add audit_log_lsm_data() helper [RFC,v2,03/14] landlock: Factor out check_access_path() [RFC,v2,04/14] landlock: Add unique ID generator [RFC,v2,05/14] landlock: Move access types [RFC,v2,06/14] landlock: Move domain hierarchy management [RFC,v2,07/14] landlock: Log ptrace denials [RFC,v2,08/14] landlock: Log domain properties and release [RFC,v2,09/14] landlock: Log mount-related denials [RFC,v2,10/14] landlock: Log file-related denials [RFC,v2,11/14] landlock: Log truncate and ioctl denials [RFC,v2,12/14] landlock: Log TCP bind and connect denials [RFC,v2,13/14] landlock: Log scoped denials [RFC,v2,14/14] landlock: Control log events with LANDLOCK_RESTRICT_SELF_LOGLESS

Message ID

20241022161009.982584-14-mic@digikod.net (mailing list archive)

State

New

Delegated to:

Paul Moore

Headers

From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>
To: Eric Paris <eparis@redhat.com>, Paul Moore <paul@paul-moore.com>,
	=?utf-8?q?G=C3=BCnther_Noack?= <gnoack@google.com>,
 "Serge E . Hallyn" <serge@hallyn.com>
Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>,
 Ben Scarlato <akhna@google.com>, Casey Schaufler <casey@schaufler-ca.com>,
 Charles Zaffery <czaffery@roblox.com>, James Morris <jmorris@namei.org>,
 Jann Horn <jannh@google.com>, Jeff Xu <jeffxu@google.com>,
 Jorge Lucangeli Obes <jorgelo@google.com>, Kees Cook <kees@kernel.org>,
 Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
 Matt Bobrowski <mattbobrowski@google.com>,
 Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
 Praveen K Paladugu <prapal@linux.microsoft.com>,
 Robert Salvet <robert.salvet@roblox.com>,
 Shervin Oloumi <enlightened@google.com>, Song Liu <song@kernel.org>,
 Tahera Fahimi <fahimitahera@gmail.com>, audit@vger.kernel.org,
 linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [RFC PATCH v2 13/14] landlock: Log scoped denials
Date: Tue, 22 Oct 2024 18:10:08 +0200
Message-ID: <20241022161009.982584-14-mic@digikod.net>
In-Reply-To: <20241022161009.982584-1-mic@digikod.net>
References: <20241022161009.982584-1-mic@digikod.net>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

Landlock audit support | expand

Commit Message

Mickaël Salaün Oct. 22, 2024, 4:10 p.m. UTC

Add audit support for unix_stream_connect, unix_may_send, task_kill, and
file_send_sigiotask hooks.

Audit record sample:

  DENY:    domain=4533720578 blockers=scope_abstract_unix_socket path=00666F6F
  SYSCALL: arch=c000003e syscall=42 success=no exit=-1 ...

Cc: Günther Noack <gnoack@google.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241022161009.982584-14-mic@digikod.net
---
 security/landlock/audit.c |  8 ++++++
 security/landlock/audit.h |  2 ++
 security/landlock/task.c  | 58 ++++++++++++++++++++++++++++++++++++---
 3 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index c31a4a8719ee..b551812b8bc9 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -69,6 +69,14 @@  get_blocker(const enum landlock_request_type type,
 		if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings)))
 			return "unknown";
 		return net_access_strings[access_bit];
+
+	case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
+		WARN_ON_ONCE(access_bit != -1);
+		return "scope_abstract_unix_socket";
+
+	case LANDLOCK_REQUEST_SCOPE_SIGNAL:
+		WARN_ON_ONCE(access_bit != -1);
+		return "scope_signal";
 	}
 
 	WARN_ON_ONCE(1);
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 1075b0c8401f..1e0a9164bacc 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -19,6 +19,8 @@  enum landlock_request_type {
 	LANDLOCK_REQUEST_FS_CHANGE_LAYOUT,
 	LANDLOCK_REQUEST_FS_ACCESS,
 	LANDLOCK_REQUEST_NET_ACCESS,
+	LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+	LANDLOCK_REQUEST_SCOPE_SIGNAL,
 };
 
 /*
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 8c4468fb86bf..ddcb993bd53a 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -262,13 +262,27 @@  static int hook_unix_stream_connect(struct sock *const sock,
 {
 	const struct landlock_ruleset *const dom = landlock_match_ruleset(
 		landlock_get_current_domain(), unix_scope);
+	struct lsm_network_audit audit_net = {
+		.sk = other,
+	};
+	struct landlock_request request = {
+		.type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.audit = {
+			.type = LSM_AUDIT_DATA_NET,
+			.u.net = &audit_net,
+		},
+	};
 
 	/* Quick return for non-landlocked tasks. */
 	if (!dom)
 		return 0;
 
-	if (is_abstract_socket(other) && sock_is_scoped(other, dom))
+	if (is_abstract_socket(other) && sock_is_scoped(other, dom)) {
+		request.layer_plus_one =
+			landlock_match_layer_level(dom, unix_scope) + 1;
+		landlock_log_denial(dom, &request);
 		return -EPERM;
+	}
 
 	return 0;
 }
@@ -278,6 +292,16 @@  static int hook_unix_may_send(struct socket *const sock,
 {
 	const struct landlock_ruleset *const dom = landlock_match_ruleset(
 		landlock_get_current_domain(), unix_scope);
+	struct lsm_network_audit audit_net = {
+		.sk = other->sk,
+	};
+	struct landlock_request request = {
+		.type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.audit = {
+			.type = LSM_AUDIT_DATA_NET,
+			.u.net = &audit_net,
+		},
+	};
 
 	if (!dom)
 		return 0;
@@ -289,8 +313,12 @@  static int hook_unix_may_send(struct socket *const sock,
 	if (unix_peer(sock->sk) == other->sk)
 		return 0;
 
-	if (is_abstract_socket(other->sk) && sock_is_scoped(other->sk, dom))
+	if (is_abstract_socket(other->sk) && sock_is_scoped(other->sk, dom)) {
+		request.layer_plus_one =
+			landlock_match_layer_level(dom, unix_scope) + 1;
+		landlock_log_denial(dom, &request);
 		return -EPERM;
+	}
 
 	return 0;
 }
@@ -305,6 +333,13 @@  static int hook_task_kill(struct task_struct *const p,
 {
 	bool is_scoped;
 	const struct landlock_ruleset *dom;
+	struct landlock_request request = {
+		.type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+		.audit = {
+			.type = LSM_AUDIT_DATA_TASK,
+			.u.tsk = p,
+		},
+	};
 
 	if (cred) {
 		/* Dealing with USB IO. */
@@ -322,8 +357,12 @@  static int hook_task_kill(struct task_struct *const p,
 	is_scoped = domain_is_scoped(dom, landlock_get_task_domain(p),
 				     LANDLOCK_SCOPE_SIGNAL);
 	rcu_read_unlock();
-	if (is_scoped)
+	if (is_scoped) {
+		request.layer_plus_one =
+			landlock_match_layer_level(dom, signal_scope) + 1;
+		landlock_log_denial(dom, &request);
 		return -EPERM;
+	}
 
 	return 0;
 }
@@ -332,6 +371,13 @@  static int hook_file_send_sigiotask(struct task_struct *tsk,
 				    struct fown_struct *fown, int signum)
 {
 	const struct landlock_ruleset *dom;
+	struct landlock_request request = {
+		.type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+		.audit = {
+			.type = LSM_AUDIT_DATA_TASK,
+			.u.tsk = tsk,
+		},
+	};
 	bool is_scoped = false;
 
 	/* Lock already held by send_sigio() and send_sigurg(). */
@@ -347,8 +393,12 @@  static int hook_file_send_sigiotask(struct task_struct *tsk,
 	is_scoped = domain_is_scoped(dom, landlock_get_task_domain(tsk),
 				     LANDLOCK_SCOPE_SIGNAL);
 	rcu_read_unlock();
-	if (is_scoped)
+	if (is_scoped) {
+		request.layer_plus_one =
+			landlock_match_layer_level(dom, signal_scope) + 1;
+		landlock_log_denial(dom, &request);
 		return -EPERM;
+	}
 
 	return 0;
 }

[RFC,v2,13/14] landlock: Log scoped denials

Commit Message

Patch