From patchwork Thu May 18 20:45:28 2023
X-Patchwork-Submitter: Shervin Oloumi
X-Patchwork-Id: 13247371
X-Patchwork-Delegate: paul@paul-moore.com
From: Shervin Oloumi
To: mic@digikod.net
Cc: linux-security-module@vger.kernel.org, jorgelo@chromium.org, keescook@chromium.org, groeck@chromium.org, jeffxu@chromium.org, allenwebb@chromium.org, gnoack3000@gmail.com, areber@redhat.com, criu@openvz.org, linux-api@vger.kernel.org, jannh@google.com, brauner@kernel.org, Shervin Oloumi
Subject: [PATCH v2] lsm: adds process attribute getter for Landlock
Date: Thu, 18 May 2023 13:45:28 -0700
Message-ID: <20230518204549.3139044-1-enlightened@chromium.org>

Adds a new getprocattr hook function to the Landlock LSM, which tracks the landlocked state of the process. This is invoked when user-space reads /proc/[pid]/attr/domain to determine whether a given process is sandboxed using Landlock. When the target process is not sandboxed, the result is "none", otherwise the result is empty, as we still need to decide what kind of domain information is best to provide in "domain".

The hook function also performs an access check. The request is rejected if the tracing process is the same as the target process, or if the tracing process domain is not an ancestor to the target process domain.

Adds a new directory for landlock under the process attribute filesystem, and defines "domain" as a read-only process attribute entry for landlock.

Signed-off-by: Shervin Oloumi
---
 fs/proc/base.c             | 11 +++++++++++
 security/landlock/fs.c     | 38 ++++++++++++++++++++++++++++++++++++++
 security/landlock/fs.h     |  1 +
 security/landlock/ptrace.c |  4 ++--
 security/landlock/ptrace.h |  3 +++
 5 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c index 9e479d7d202b..b257ea704666 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -2851,6 +2851,13 @@ static const struct pid_entry apparmor_attr_dir_stuff[] = { LSM_DIR_OPS(apparmor); #endif +#ifdef CONFIG_SECURITY_LANDLOCK +static const struct pid_entry landlock_attr_dir_stuff[] = { + ATTR("landlock", "domain", 0444), +}; +LSM_DIR_OPS(landlock); +#endif + static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "current", 0666), ATTR(NULL, "prev", 0444), @@ -2866,6 +2873,10 @@ static const struct pid_entry attr_dir_stuff[] = { DIR("apparmor", 0555, proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops), #endif +#ifdef CONFIG_SECURITY_LANDLOCK + DIR("landlock", 0555, + proc_landlock_attr_dir_inode_ops, proc_landlock_attr_dir_ops), +#endif }; static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index adcea0fe7e68..2f8b0837a0fd 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c 
@@ -1280,6 +1280,42 @@ static int hook_file_truncate(struct file *const file) return -EACCES; } +/* process attribute interfaces */ + +/** + * landlock_getprocattr - Landlock process attribute getter + * @task: the object task + * @name: the name of the attribute in /proc/.../attr + * @value: where to put the result + * + * Performs access checks and writes any applicable results to value + * + * Returns the length of the result inside value or an error code + */ +static int landlock_getprocattr(struct task_struct *task, const char *name, + char **value) +{ + char *val = ""; + int slen; + + // If the tracing process is landlocked, ensure its domain is an + // ancestor to the target process domain. + if (landlocked(current)) + if (current == task || !task_is_scoped(current, task)) + return -EACCES; + + // The only supported attribute is "domain". + if (strcmp(name, "domain") != 0) + return -EINVAL; + + if (!landlocked(task)) + val = "none"; + + slen = strlen(val); + *value = val; + return slen; +} + static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), @@ -1302,6 +1338,8 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security), LSM_HOOK_INIT(file_open, hook_file_open), LSM_HOOK_INIT(file_truncate, hook_file_truncate), + + LSM_HOOK_INIT(getprocattr, landlock_getprocattr), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/fs.h b/security/landlock/fs.h index 488e4813680a..64145e8b5537 100644 --- a/security/landlock/fs.h +++ b/security/landlock/fs.h @@ -13,6 +13,7 @@ #include #include +#include "ptrace.h" #include "ruleset.h" #include "setup.h" diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c index 4c5b9cd71286..de943f0f3899 100644 --- a/security/landlock/ptrace.c +++ b/security/landlock/ptrace.c 
@@ -47,8 +47,8 @@ static bool domain_scope_le(const struct landlock_ruleset *const parent, return false; } -static bool task_is_scoped(const struct task_struct *const parent, - const struct task_struct *const child) +const bool task_is_scoped(const struct task_struct *const parent, + const struct task_struct *const child) { bool is_scoped; const struct landlock_ruleset *dom_parent, *dom_child; diff --git a/security/landlock/ptrace.h b/security/landlock/ptrace.h index 265b220ae3bf..c6eb08951fc1 100644 --- a/security/landlock/ptrace.h +++ b/security/landlock/ptrace.h @@ -11,4 +11,7 @@ __init void landlock_add_ptrace_hooks(void); +const bool task_is_scoped(const struct task_struct *const parent, + const struct task_struct *const child); + #endif /* _SECURITY_LANDLOCK_PTRACE_H */
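Review bot: the entry lands at /proc/[pid]/attr/landlock/domain (ATTR("landlock", "domain", 0444) inside landlock_attr_dir_stuff[], reached through the new DIR("landlock", 0555, ...) entry in attr_dir_stuff[]), while the commit message tells users to read /proc/[pid]/attr/domain; the message should give the per-LSM path, otherwise readers will look for a top-level entry that this patch does not create. With mode 0444 any process can open the file, so the whole access policy is the check inside landlock_getprocattr(); that matches the other per-LSM attr directories but is worth stating explicitly.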
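Review bot: `*value = val;` in landlock_getprocattr() hands the caller a pointer to a string literal ("" or "none"), but the getprocattr contract is that the LSM returns a kmalloc'd buffer which the /proc reader frees once it has copied the bytes out, which is why the SELinux, Smack and AppArmor getters end with kstrdup()/kasprintf(); kfree() on a pointer into rodata is invalid. Replace the last three lines with `*value = kstrdup(val, GFP_KERNEL); if (!*value) return -ENOMEM; return strlen(*value);`. In the same function, rejecting `current == task` means a landlocked process can never learn that it is sandboxed, even though task_is_scoped() already accepts a task's own domain; if that is deliberate, the reason belongs in the commit message, and if not, the equality check should go. The `//` comments should be `/* */` like the rest of the file, and doing the `strcmp(name, "domain")` check before the domain check would return -EINVAL for an unknown attribute regardless of who asks.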
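Review bot: the new `LSM_HOOK_INIT(getprocattr, landlock_getprocattr)` line is set apart from the table by an added blank `+` line and is the only entry in landlock_hooks[] whose callback is not named hook_*; drop the blank line and call the function hook_getprocattr(). Since the getter depends on task_is_scoped() and not on any filesystem state, it arguably belongs in ptrace.c next to the other task-scoping hooks rather than in fs.c.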
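Review bot: `#include "ptrace.h"` is added to fs.h, so every file that includes fs.h now pulls it in, but the only consumer is landlock_getprocattr() in fs.c; include it from fs.c instead, or avoid the include altogether by moving the getter to ptrace.c.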
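Review bot: `const bool task_is_scoped(...)` puts const on a by-value return type, which has no effect and makes gcc warn under -Wextra (W=1 builds); keep the return type as plain `bool`. Now that the function is exported from ptrace.c, give it the landlock_ prefix used for the other cross-file symbols, e.g. landlock_task_is_scoped(), matching landlock_add_ptrace_hooks() declared beside it.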
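Review bot: the new prototype in ptrace.h names `struct task_struct` and `bool`, and nothing shown in that header provides either, so it only compiles when an includer such as fs.h has already pulled in <linux/sched.h>; add `#include <linux/sched.h>` (or <linux/types.h> plus a `struct task_struct;` forward declaration) so ptrace.h stands on its own. The `const bool` return type has the same problem as in ptrace.c.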