| Message ID | 20230921061641.273654-1-mic@digikod.net (mailing list archive) |
|---|---|
| Headers | show |
| Series | Landlock audit support | expand |
Hi Mickaël On Wed, Sep 20, 2023 at 11:16 PM Mickaël Salaün <mic@digikod.net> wrote: > > Hi, > > This patch series adds basic audit support to Landlock for most actions. > Logging denied requests is useful for different use cases: > * app developers: to ease and speed up sandboxing support > * power users: to understand denials > * sysadmins: to look for users' issues > * tailored distro maintainers: to get usage metrics from their fleet > * security experts: to detect attack attempts > This is a highly desired feature, I think this will save dev's time when developing Landlock rule sets. Thanks for adding this patch set! -Jeff > To make logs useful, they need to contain the most relevant Landlock > domain that denied an action, and the reason. This translates to the > latest nested domain and the related missing access rights. > > Two "Landlock permissions" are used to describe mandatory restrictions > enforced on all domains: > * fs_layout: change the view of filesystem with mount operations. > * ptrace: tamper with a process. > > Here is an example of logs, result of the sandboxer activity: > tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate > tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0 > op=release-ruleset ruleset=1 > tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9 > tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256 > tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256 > tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1 > tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd" > > As highlighted in comments, support for audit is not complete yet with > this series: some actions are not logged (e.g. file reparenting), and > rule additions are not logged neither. > > I'm also not sure if we need to have seccomp-like features such as > SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and > /proc/sys/kernel/seccomp/actions_logged > > I'd like to get some early feedback on this proposal. > > This series is based on v6.6-rc2 > > Regards, > > Mickaël Salaün (7): > lsm: Add audit_log_lsm_data() helper > landlock: Factor out check_access_path() > landlock: Log ruleset creation and release > landlock: Log domain creation and enforcement > landlock: Log file-related requests > landlock: Log mount-related requests > landlock: Log ptrace requests > > include/linux/lsm_audit.h | 2 + > include/uapi/linux/audit.h | 1 + > security/landlock/Makefile | 2 + > security/landlock/audit.c | 283 +++++++++++++++++++++++++++++++++++ > security/landlock/audit.h | 88 +++++++++++ > security/landlock/fs.c | 169 ++++++++++++++++----- > security/landlock/ptrace.c | 47 +++++- > security/landlock/ruleset.c | 6 + > security/landlock/ruleset.h | 10 ++ > security/landlock/syscalls.c | 12 ++ > security/lsm_audit.c | 26 ++-- > 11 files changed, 595 insertions(+), 51 deletions(-) > create mode 100644 security/landlock/audit.c > create mode 100644 security/landlock/audit.h > > > base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70 > -- > 2.42.0 >
Hi Mickaël! On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote: > This patch series adds basic audit support to Landlock for most actions. > Logging denied requests is useful for different use cases: > * app developers: to ease and speed up sandboxing support > * power users: to understand denials > * sysadmins: to look for users' issues > * tailored distro maintainers: to get usage metrics from their fleet > * security experts: to detect attack attempts > > To make logs useful, they need to contain the most relevant Landlock > domain that denied an action, and the reason. This translates to the > latest nested domain and the related missing access rights. Is "domain" always the latest nested domain, or is that the domain which caused the check to fail because it denied the requested access right? (If it is just the counter of how many domains are stacked, this could maybe also be queried through proc instead?) > Two "Landlock permissions" are used to describe mandatory restrictions > enforced on all domains: > * fs_layout: change the view of filesystem with mount operations. > * ptrace: tamper with a process. I find the term "access" already a bit overloaded, and the term "permission" also already appears in other contexts. Maybe we can avoid the additional terminology by grouping these two together in the log format, and calling them the "cause" or "reason" for the deny decision? In a sense, the access rights and the other permissions can already be told apart by their names, so they might also both appear under the same key without causing additional confusion? > Here is an example of logs, result of the sandboxer activity: > tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate > tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0 > op=release-ruleset ruleset=1 > tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9 > tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256 > tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256 > tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1 > tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd" In more complicated cases like "refer" and "open", it is possible that more than one access right is missing, and presumably they'll both be listed in missing-fs-accesses=. In this case, it is not clear to me whether the domain= number is referring to the first or the second of these missing rights. (Assuming that the domain= is about the domain which caused the denial.) > As highlighted in comments, support for audit is not complete yet with > this series: some actions are not logged (e.g. file reparenting), and > rule additions are not logged neither. When ftruncate(2) gets denied, it is also not possible to tell which of the nested domains is responsible, without additional changes to what we carry around in the file's security blob. (Right now, we calculate the overall truncation right in advance at open(2) time, and just store that bit with the newly opened file.) > I'm also not sure if we need to have seccomp-like features such as > SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and > /proc/sys/kernel/seccomp/actions_logged > > I'd like to get some early feedback on this proposal. If you want to have the full feature set as proposed above for other operations as well, like file reparenting and truncation, it'll complicate the Landlock logic and increase the amount of data that needs to be kept around just for logging. I'm not convinced that this is worth it. After all, the simpler the Landlock implementation is, the easier it'll be to reason about its logic and its security guarantees. A possible simplification would be to omit the domain number which is responsible for a "deny" decision. I feel that for debugging, knowing the fact that Landlock denied an operation might already be a big step forward, and the exact domain responsible for it might not be that important? —Günther
I talked about this patch series at the Kernel Recipes conference, and
you might want to take a look at the future work:
https://landlock.io/talks/2023-09-25_landlock-audit-kr.pdf
In a nutshell, new syscall flags:
* For landlock_create_ruleset() to opt-in for logging ruleset-related
and domain-related use
* For landlock_add_rule() to opt-in for logging this rule if it granted
the requested access
* For landlock_restrict_self() to opt-in for:
* not log anything
* handle a permissive mode to log actions that would have been denied
(very useful to build a sandbox)
On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote:
> Hi,
>
> This patch series adds basic audit support to Landlock for most actions.
> Logging denied requests is useful for different use cases:
> * app developers: to ease and speed up sandboxing support
> * power users: to understand denials
> * sysadmins: to look for users' issues
> * tailored distro maintainers: to get usage metrics from their fleet
> * security experts: to detect attack attempts
>
> To make logs useful, they need to contain the most relevant Landlock
> domain that denied an action, and the reason. This translates to the
> latest nested domain and the related missing access rights.
>
> Two "Landlock permissions" are used to describe mandatory restrictions
> enforced on all domains:
> * fs_layout: change the view of filesystem with mount operations.
> * ptrace: tamper with a process.
>
> Here is an example of logs, result of the sandboxer activity:
> tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate
> tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0
> op=release-ruleset ruleset=1
> tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9
> tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256
> tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256
> tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1
> tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd"
>
> As highlighted in comments, support for audit is not complete yet with
> this series: some actions are not logged (e.g. file reparenting), and
> rule additions are not logged neither.
>
> I'm also not sure if we need to have seccomp-like features such as
> SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and
> /proc/sys/kernel/seccomp/actions_logged
>
> I'd like to get some early feedback on this proposal.
>
> This series is based on v6.6-rc2
>
> Regards,
>
> Mickaël Salaün (7):
> lsm: Add audit_log_lsm_data() helper
> landlock: Factor out check_access_path()
> landlock: Log ruleset creation and release
> landlock: Log domain creation and enforcement
> landlock: Log file-related requests
> landlock: Log mount-related requests
> landlock: Log ptrace requests
>
> include/linux/lsm_audit.h | 2 +
> include/uapi/linux/audit.h | 1 +
> security/landlock/Makefile | 2 +
> security/landlock/audit.c | 283 +++++++++++++++++++++++++++++++++++
> security/landlock/audit.h | 88 +++++++++++
> security/landlock/fs.c | 169 ++++++++++++++++-----
> security/landlock/ptrace.c | 47 +++++-
> security/landlock/ruleset.c | 6 +
> security/landlock/ruleset.h | 10 ++
> security/landlock/syscalls.c | 12 ++
> security/lsm_audit.c | 26 ++--
> 11 files changed, 595 insertions(+), 51 deletions(-)
> create mode 100644 security/landlock/audit.c
> create mode 100644 security/landlock/audit.h
>
>
> base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70
> --
> 2.42.0
>
On Tue, Sep 26, 2023 at 06:24:32PM +0200, Günther Noack wrote: > Hi Mickaël! > > On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote: > > This patch series adds basic audit support to Landlock for most actions. > > Logging denied requests is useful for different use cases: > > * app developers: to ease and speed up sandboxing support > > * power users: to understand denials > > * sysadmins: to look for users' issues > > * tailored distro maintainers: to get usage metrics from their fleet > > * security experts: to detect attack attempts > > > > To make logs useful, they need to contain the most relevant Landlock > > domain that denied an action, and the reason. This translates to the > > latest nested domain and the related missing access rights. > > Is "domain" always the latest nested domain, or is that the domain which caused > the check to fail because it denied the requested access right? (If it is just > the counter of how many domains are stacked, this could maybe also be queried > through proc instead?) The logged domain is the latest nested domain that denied at least one access request (others might be denied by older domains). What do you mean to query it through proc? > > > > Two "Landlock permissions" are used to describe mandatory restrictions > > enforced on all domains: > > * fs_layout: change the view of filesystem with mount operations. > > * ptrace: tamper with a process. > > I find the term "access" already a bit overloaded, and the term "permission" > also already appears in other contexts. Maybe we can avoid the additional > terminology by grouping these two together in the log format, and calling them > the "cause" or "reason" for the deny decision? In a sense, the access rights > and the other permissions can already be told apart by their names, so they > might also both appear under the same key without causing additional confusion? I choose to have two fields (missing-fs-accesses and missing-permission) because one is specific to the FS access rights and the other is generic. The reason of a deny is specifically the "missing FS accesses or the missing permissions". I though about a generic "missing-accesses" but in this case we'll need to prefix all rights with "fs_" or "generic_", which seems too verbose. I think that tying to the access right types would be less confusing when parsing these logs. I'm not a fan of the "permission" name neither, but I didn't find a better name. This comes from EACCES vs. EPERM. BTW, I should use fs_topology instead of fs_layout. > > > > Here is an example of logs, result of the sandboxer activity: > > tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate > > tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0 > > op=release-ruleset ruleset=1 > > tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9 > > tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256 > > tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256 > > tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1 > > tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd" > > In more complicated cases like "refer" and "open", it is possible that more than > one access right is missing, and presumably they'll both be listed in > missing-fs-accesses=. In this case, it is not clear to me whether the domain= > number is referring to the first or the second of these missing rights. > (Assuming that the domain= is about the domain which caused the denial.) In the case of "open", only the missing access rigths from the youngest domain (that denied at least one request) are printed. This enables to focus on this one, which should be the most common use case and the more useful when debugging a sandbox. This also means that the logs are not complete, only the more relevant informations are logged. It is more complex in the case of "refer" because two paths/objects are involved. I'm not sure how to log such request yet, but I think an useful log entry should contain both the source and the destination paths, which would be new compared to other LSMs. This would require to extend furthermore audit_log_lsm_data(), probably by adding a prefix to the "path=" string. I'd like to log only one entry per denial, and then only one set of missing rights per domain. This should be OK by extracting the youngest missing access rights from the destination and/or the source (according to the same domain). > > > > As highlighted in comments, support for audit is not complete yet with > > this series: some actions are not logged (e.g. file reparenting), and > > rule additions are not logged neither. > > When ftruncate(2) gets denied, it is also not possible to tell which of the > nested domains is responsible, without additional changes to what we carry > around in the file's security blob. (Right now, we calculate the overall > truncation right in advance at open(2) time, and just store that bit with the > newly opened file.) Right, one solution would be to add a pointer to the domain that set the restrictions, but I'd like to avoid that. Instead, we should be able to identify the struct file at open time (another case for logging a granted access), and then delegate the complexity of domain tracking and file lifetime to the (user space) log parser. > > > > I'm also not sure if we need to have seccomp-like features such as > > SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and > > /proc/sys/kernel/seccomp/actions_logged > > > > I'd like to get some early feedback on this proposal. > > If you want to have the full feature set as proposed above for other operations > as well, like file reparenting and truncation, it'll complicate the Landlock > logic and increase the amount of data that needs to be kept around just for > logging. I'm not convinced that this is worth it. After all, the simpler the > Landlock implementation is, the easier it'll be to reason about its logic and > its security guarantees. I'd also like to keep the *enforcement implementation* as simple as possible, and move most of the logging complexity to the audit.c file and user space parsers. This patch series doesn't add complexity to the enforcement logic, only to the audit logic. The amount of data should only be a 64-bit ID per domain and ruleset, and maybe the same for landlock_file_security (but I guess there are other ways to identify a struct file). Being able to debug Landlock policies is a critical feature for its adoption. > > A possible simplification would be to omit the domain number which is > responsible for a "deny" decision. I feel that for debugging, knowing the fact > that Landlock denied an operation might already be a big step forward, and the > exact domain responsible for it might not be that important? Debugging a set of nested policies would be very challenging without the ability to identify the exact domain causing denials. Storing an ID doesn't look like a significant burden isn't it? > > —Günther > > -- > Sent using Mutt