From patchwork Thu Sep 21 06:16:41 2023
X-Patchwork-Submitter: Mickaël Salaün
X-Patchwork-Id: 13394616
X-Patchwork-Delegate: paul@paul-moore.com
From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , James Morris , Paul Moore , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , =?utf-8?q?G=C3=BCnther_Noack?= , Jeff Xu , Jorge Lucangeli Obes , Konstantin Meskhidze , Shervin Oloumi , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH v1 7/7] landlock: Log ptrace requests Date: Thu, 21 Sep 2023 08:16:41 +0200 Message-ID: <20230921061641.273654-8-mic@digikod.net> In-Reply-To: <20230921061641.273654-1-mic@digikod.net> References: <20230921061641.273654-1-mic@digikod.net> MIME-Version: 1.0 X-Infomaniak-Routing: alpha Precedence: bulk List-ID: Add audit support for ptrace and ptrace_traceme requests. Signed-off-by: Mickaël Salaün --- security/landlock/audit.c | 2 ++ security/landlock/audit.h | 4 +++- security/landlock/ptrace.c | 47 ++++++++++++++++++++++++++++++++++---- 3 files changed, 47 insertions(+), 6 deletions(-) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 89bd701d124f..2ec2a00822d2 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -18,6 +18,8 @@ static const char *op_to_string(enum landlock_operation operation) { const char *const desc[] = { [0] = "", + [LANDLOCK_OP_PTRACE] = "ptrace", + [LANDLOCK_OP_PTRACE_TRACEME] = "ptrace_traceme", [LANDLOCK_OP_MOUNT] = "mount", [LANDLOCK_OP_MOVE_MOUNT] = "move_mount", [LANDLOCK_OP_UMOUNT] = "umount", diff --git a/security/landlock/audit.h b/security/landlock/audit.h index e559fb6a89dd..b69bba7b908c 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -14,7 +14,9 @@ #include "ruleset.h" enum landlock_operation { - LANDLOCK_OP_MOUNT = 1, + LANDLOCK_OP_PTRACE = 1, + LANDLOCK_OP_PTRACE_TRACEME, + LANDLOCK_OP_MOUNT, LANDLOCK_OP_MOVE_MOUNT, LANDLOCK_OP_UMOUNT, LANDLOCK_OP_REMOUNT, diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c index 8a06d6c492bf..dbe219449a32 100644 
--- a/security/landlock/ptrace.c +++ b/security/landlock/ptrace.c @@ -10,10 +10,12 @@ #include #include #include +#include #include #include #include +#include "audit.h" #include "common.h" #include "cred.h" #include "ptrace.h" @@ -64,11 +66,9 @@ static bool task_is_scoped(const struct task_struct *const parent, static int task_ptrace(const struct task_struct *const parent, const struct task_struct *const child) { - /* Quick return for non-landlocked tasks. */ - if (!landlocked(parent)) - return 0; if (task_is_scoped(parent, child)) return 0; + return -EPERM; } @@ -88,7 +88,26 @@ static int task_ptrace(const struct task_struct *const parent, static int hook_ptrace_access_check(struct task_struct *const child, const unsigned int mode) { - return task_ptrace(current, child); + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + struct landlock_request request = { + .operation = LANDLOCK_OP_PTRACE, + .missing_permission = LANDLOCK_PERM_PTRACE, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = child, + }, + }; + int err; + + if (!dom) + return 0; + + err = task_ptrace(current, child); + if (!err) + return 0; + + return landlock_log_request(err, &request, dom, 0, NULL); } /** @@ -105,7 +124,25 @@ static int hook_ptrace_access_check(struct task_struct *const child, */ static int hook_ptrace_traceme(struct task_struct *const parent) { - return task_ptrace(parent, current); + struct landlock_request request = { + .operation = LANDLOCK_OP_PTRACE_TRACEME, + .missing_permission = LANDLOCK_PERM_PTRACE, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = parent, + }, + }; + int err; + + if (!landlock_get_task_domain(parent)) + return 0; + + err = task_ptrace(parent, current); + if (!err) + return 0; + + return landlock_log_request(err, &request, + landlock_get_current_domain(), 0, NULL); } static struct security_hook_list landlock_hooks[] __ro_after_init = {
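Review bot: in the audit.h hunk, inserting `LANDLOCK_OP_PTRACE = 1` ahead of `LANDLOCK_OP_MOUNT` silently renumbers every existing operation (mount goes from 1 to 3); this is harmless only as long as the values stay kernel-internal and reach userspace solely through op_to_string(), so a one-line comment on `enum landlock_operation` saying the numbers are not stable would stop anyone treating them as ABI. Appending the two ptrace entries at the end of the enum (and of the `desc[]` table in audit.c) would avoid the renumbering altogether.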
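Review bot: in the task_ptrace() hunk, dropping the `if (!landlocked(parent)) return 0;` quick return moves the "is the tracer sandboxed at all" check into the callers, so task_ptrace() now relies on every caller having looked up a domain before calling it; a short comment above the function stating that precondition would make the contract explicit for the next caller added. The blank line inserted before `return -EPERM;` is an unrelated style change and could be dropped from this patch.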
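Review bot: in the hook_ptrace_access_check() hunk, the `mode` argument is still ignored, so the resulting audit record cannot distinguish a denied PTRACE_MODE_READ (e.g. a /proc/PID read) from a denied PTRACE_MODE_ATTACH, although both map to the same `LANDLOCK_OP_PTRACE` / `LANDLOCK_PERM_PTRACE` pair; consider carrying the mode into the record, or documenting that the log intentionally does not separate them. The early `if (!dom) return 0;` correctly preserves the removed quick-return behaviour for non-landlocked tracers.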
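Review bot: in the hook_ptrace_traceme() hunk, `landlock_get_task_domain(parent)` is called directly on a foreign task outside any RCU read-side critical section, whereas the removed `landlocked(parent)` helper handled that itself; the credential dereference should sit between rcu_read_lock()/rcu_read_unlock(), or the landlocked() check should simply be kept for the early return. Separately, the -EPERM comes from the parent's domain, yet landlock_log_request() is handed `landlock_get_current_domain()`, which is not the domain that produced the denial and may be NULL when only the parent is sandboxed, a case hook_ptrace_access_check() explicitly guards against with `if (!dom) return 0;`; the record should reference the parent's domain (obtained under the same RCU section) or landlock_log_request() needs to be shown to tolerate a NULL domain.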