From patchwork Wed Jan 8 15:43:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931222 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0c.mail.infomaniak.ch (smtp-bc0c.mail.infomaniak.ch [45.157.188.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CBAFC1FDE2C for ; Wed, 8 Jan 2025 15:43:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.12 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351039; cv=none; b=FwHNF/CtwyEdT2+uDb4b1AKVh+gkQ5pZnZ18eLNNwXmvCKrUB/XkELGilzOdlF2V8k2l4sUqCn7+qKkFW+IAgyl7ZrpGK0e1KfvcE1IoyPzE5lk+hEuU+xF1zJJJjcWUASrttuKBfvkeFUwBW3EgYRmVawRh3kJYTyjON1wmVNc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351039; c=relaxed/simple; bh=g63Ro45o8hhUGW9H6URxmblZAnLGikpsoa9gZvjVE44=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=HQLCq9QAqRHWKjU1tDLS6hzqDUUXtwEJVQ2L3OnGhsHPAcRtS0Q01xeD+fvOYzYIu8rasTBqj3+w2wEqGHwgFOnbc8D3ypFr+Qo21z3uoBe3JhLxjsusoGBVH8/Zaa6sW4K8/3oCFVtvyzpblwe7yIfAG2UC3EWgeCDzzEk+DRk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=Q3iF1KUd; arc=none smtp.client-ip=45.157.188.12 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="Q3iF1KUd" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsdv5PFBz2Qs; Wed, 8 Jan 2025 16:43:47 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351027; bh=f5Hn5KV22WRjWqDiJSZ/dgncmazJcOwKRibL+A+zwmo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Q3iF1KUdqZG0Cygurl6JmKCgzshc2u+o9vEQAKYaYrnovyXbspRSRXciv/UAl8Gqm xBJHlcw0R14/02fnl/RvXmwV9C6fwMCBQApYTfA/i2EL9HmhuL90IWXIjaWPXudj2p kNTOiW5te95uFqsjeF6dXbS8XuIGLDvGRwtb6i5g= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsdt6G7BzLZp; Wed, 8 Jan 2025 16:43:46 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 01/30] lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set Date: Wed, 8 Jan 2025 16:43:09 +0100 Message-ID: <20250108154338.1129069-2-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha When CONFIG_AUDIT is set, its CONFIG_NET dependency is also set, and the dev_get_by_index and init_net symbols (used by dump_common_audit_data) are found by the linker. dump_common_audit_data() should then failed to build when CONFIG_NET is not set. However, because the compiler is smart, it knows that audit_log_start() always return NULL when !CONFIG_AUDIT, and it doesn't build the body of common_lsm_audit(). As a side effect, dump_common_audit_data() is not built and the linker doesn't error out because of missing symbols. Let's only build lsm_audit.o when CONFIG_SECURITY and CONFIG_AUDIT are both set, which is checked with the new CONFIG_HAS_SECURITY_AUDIT. ipv4_skb_to_auditdata() and ipv6_skb_to_auditdata() are only used by Smack if CONFIG_AUDIT is set, so they don't need fake implementations. Because common_lsm_audit() is used in multiple places without CONFIG_AUDIT checks, add a fake implementation. Cc: Casey Schaufler Cc: James Morris Cc: Paul Moore Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-2-mic@digikod.net --- Merged in the LSM's next tree. It will be part of Linux v6.13: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git/commit/?h=next&id=7ccbe076d987598b04b4b9c9b61f042291f9cc77 Changes since v2: - Add CONFIG_HAS_SECURITY_AUDIT to fix the build with AUDIT && !SECURITY, reported by Guenter Roeck. --- include/linux/lsm_audit.h | 14 ++++++++++++++ security/Kconfig | 5 +++++ security/Makefile | 2 +- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 97a8b21eb033..c2b01380262c 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -116,14 +116,28 @@ struct common_audit_data { #define v4info fam.v4 #define v6info fam.v6 +#ifdef CONFIG_AUDIT + int ipv4_skb_to_auditdata(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto); +#if IS_ENABLED(CONFIG_IPV6) int ipv6_skb_to_auditdata(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto); +#endif /* IS_ENABLED(CONFIG_IPV6) */ void common_lsm_audit(struct common_audit_data *a, void (*pre_audit)(struct audit_buffer *, void *), void (*post_audit)(struct audit_buffer *, void *)); +#else /* CONFIG_AUDIT */ + +static inline void common_lsm_audit(struct common_audit_data *a, + void (*pre_audit)(struct audit_buffer *, void *), + void (*post_audit)(struct audit_buffer *, void *)) +{ +} + +#endif /* CONFIG_AUDIT */ + #endif diff --git a/security/Kconfig b/security/Kconfig index 28e685f53bd1..f10dbf15c294 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -64,6 +64,11 @@ config SECURITY If you are unsure how to answer this question, answer N. +config HAS_SECURITY_AUDIT + def_bool y + depends on AUDIT + depends on SECURITY + config SECURITYFS bool "Enable the securityfs filesystem" help diff --git a/security/Makefile b/security/Makefile index cc0982214b84..22ff4c8bd8ce 100644 --- a/security/Makefile +++ b/security/Makefile @@ -15,7 +15,7 @@ obj-$(CONFIG_SECURITY) += security.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ -obj-$(CONFIG_SECURITY) += lsm_audit.o +obj-$(CONFIG_HAS_SECURITY_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ From patchwork Wed Jan 8 15:43:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931221 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-190e.mail.infomaniak.ch (smtp-190e.mail.infomaniak.ch [185.125.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 963AF1FE454 for ; Wed, 8 Jan 2025 15:43:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351038; cv=none; b=FQEC3qz+WdT/WHHUf6E0Mho5PGP6QWsb36F9u25bh2i+1ElCqgql7dkjUvvRz3AROS39Fdh8SN8sMpn1VL5W4rXWH9mGdJTtufZVw6lUltwDvr4j9pSiakaN73RDbgPK64B6cWnsrECDVADgVj0n6r+71u/DgNixmeduZJEbNT8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351038; c=relaxed/simple; bh=5zVGnXTa1+usvTpwU8culfEqlS3sEF1i5t8rb/zI6rw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=YSZProXFfDyWI4JGzly7oSTB7QhTBH8xnhN0iXOPl34sd5U8TF6OUhvuchHjwG86AAe28Z8ro4ehdJXJh1k+QDjVhz9az50pWlzi5uZfYhy1SqcARStUQ6R7EfS/euytmsdMChHL+pYMe7SzwIDBIdE3p9+0syP9kacYZfbOkZU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=i/m5wWyc; arc=none smtp.client-ip=185.125.25.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="i/m5wWyc" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsdx20tjz5NN; Wed, 8 Jan 2025 16:43:49 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351029; bh=ptWW1Oo+AuS07JaYFonBxmB7MtamN9yjaTrkyb0Bsro=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=i/m5wWycFOMKjamAbaaJroHSx8oUWUKAV5kHVv1rmmsDa3UK1qbQX7vrs+PThlTUA Qjv6YZ5KdPr/VZbP4H0LRqvBqtj51ODo4OO3mHLCRs/i3fgC/Q70NOK73Fu1j+x+3b PW200oNMhJtrypxfzE4n2VK54l0cG67uLi3tGgek= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsdw2d2VzKYW; Wed, 8 Jan 2025 16:43:48 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 02/30] lsm: Add audit_log_lsm_data() helper Date: Wed, 8 Jan 2025 16:43:10 +0100 Message-ID: <20250108154338.1129069-3-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Extract code from dump_common_audit_data() into the audit_log_lsm_data() helper. This helps reuse common LSM audit data while not abusing AUDIT_AVC records because of the common_lsm_audit() helper. Cc: Casey Schaufler Cc: James Morris Cc: Serge E. Hallyn Acked-by: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-3-mic@digikod.net --- Changes since v3: - Rebase on top of the v6.13's get_task_comm() fix. - Add Acked-by Paul. Changes since v1: - Fix commit message (spotted by Paul). - Constify dump_common_audit_data()'s and audit_log_lsm_data()'s "a" argument. - Fix build without CONFIG_NET: see previous patch. --- include/linux/lsm_audit.h | 8 ++++++++ security/lsm_audit.c | 27 ++++++++++++++++++--------- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index c2b01380262c..b62769a7c5fa 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -130,6 +130,9 @@ void common_lsm_audit(struct common_audit_data *a, void (*pre_audit)(struct audit_buffer *, void *), void (*post_audit)(struct audit_buffer *, void *)); +void audit_log_lsm_data(struct audit_buffer *ab, + const struct common_audit_data *a); + #else /* CONFIG_AUDIT */ static inline void common_lsm_audit(struct common_audit_data *a, @@ -138,6 +141,11 @@ static inline void common_lsm_audit(struct common_audit_data *a, { } +static inline void audit_log_lsm_data(struct audit_buffer *ab, + const struct common_audit_data *a) +{ +} + #endif /* CONFIG_AUDIT */ #endif diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 9a8352972086..0060b9275f49 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -189,16 +189,13 @@ static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr, } /** - * dump_common_audit_data - helper to dump common audit data + * audit_log_lsm_data - helper to log common LSM audit data * @ab : the audit buffer * @a : common audit data - * */ -static void dump_common_audit_data(struct audit_buffer *ab, - struct common_audit_data *a) +void audit_log_lsm_data(struct audit_buffer *ab, + const struct common_audit_data *a) { - char comm[sizeof(current->comm)]; - /* * To keep stack sizes in check force programmers to notice if they * start making this union too large! See struct lsm_network_audit @@ -206,9 +203,6 @@ static void dump_common_audit_data(struct audit_buffer *ab, */ BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); - audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current)); - audit_log_untrustedstring(ab, get_task_comm(comm, current)); - switch (a->type) { case LSM_AUDIT_DATA_NONE: return; @@ -428,6 +422,21 @@ static void dump_common_audit_data(struct audit_buffer *ab, } /* switch (a->type) */ } +/** + * dump_common_audit_data - helper to dump common audit data + * @ab : the audit buffer + * @a : common audit data + */ +static void dump_common_audit_data(struct audit_buffer *ab, + const struct common_audit_data *a) +{ + char comm[sizeof(current->comm)]; + + audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current)); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); + audit_log_lsm_data(ab, a); +} + /** * common_lsm_audit - generic LSM auditing function * @a: auxiliary audit data From patchwork Wed Jan 8 15:43:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931224 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8fa8.mail.infomaniak.ch (smtp-8fa8.mail.infomaniak.ch [83.166.143.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B756B1FE477 for ; Wed, 8 Jan 2025 15:43:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.168 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351041; cv=none; b=jViZsQFcQCZ/yOnUdcYXWJ+wBIGRG4kRPEUzx2D+rE7RPsASR1z0VqL5cV7tKWWgsgzFBC6uWcN5uAWHpKRo/W1lPHYt2ZkTAAIv0QiBrTVfzfmSBGBRXZmAXPVBg4NSvj8uGgW6Yb6cjfJMjSw9u8u+vi3+vR4qUL0Ylt8hhso= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351041; c=relaxed/simple; bh=jkCx7VwBn7yzSOYAV94ez6PoPUBt3wBsN+EoH9D7sJk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=aM0kyHRk3oNY/nePzgi1sCYqf5dB+SNG4N+DnH2b3S1YR7/g7X+Y9F9dPYDCCQdjahc8HyHA8XoGNVcSVmgp5RPjFr2BEx9fvSQ9rQ/vqQJ6LhuT0ydIFKjQKy2u9suuG4kVn1wFWlDlVj/t38GuGcw3NuqsmbfGtAOcyEoJvus= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=xPiY44Rh; arc=none smtp.client-ip=83.166.143.168 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="xPiY44Rh" Received: from smtp-3-0001.mail.infomaniak.ch (smtp-3-0001.mail.infomaniak.ch [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsdy6QSpzBLL; Wed, 8 Jan 2025 16:43:50 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351030; bh=wog4Z8sglJxp2TnTzlne7/LQuXSQ6DLXgDWqI6IW4kg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xPiY44Rh2sAv6WNSrqIoNSJ8vP/a10im8yyioqOPazXDCMOxs6Kim3/hV379hPJLB toojExmoLDOIYQbHQrHVS8B2QXgqJGx16N0dGRuTTlNDgrVB+KsMPHATmVmoVSn186 iaF0fobzVu/aJsNFvSLCstTcnxIKDxSoNOYxa268= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsdy0LzZzJyj; Wed, 8 Jan 2025 16:43:50 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 03/30] landlock: Factor out check_access_path() Date: Wed, 8 Jan 2025 16:43:11 +0100 Message-ID: <20250108154338.1129069-4-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Merge check_access_path() into current_check_access_path() and make hook_path_mknod() use it. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-4-mic@digikod.net --- Changes since v1: - Rebased on the TCP patch series. - Remove inlining removal which was merged. --- security/landlock/fs.c | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index e31b97a9f175..d911c924843f 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -908,28 +908,22 @@ static bool is_access_to_paths_allowed( return allowed_parent1 && allowed_parent2; } -static int check_access_path(const struct landlock_ruleset *const domain, - const struct path *const path, - access_mask_t access_request) -{ - layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; - - access_request = landlock_init_layer_masks( - domain, access_request, &layer_masks, LANDLOCK_KEY_INODE); - if (is_access_to_paths_allowed(domain, path, access_request, - &layer_masks, NULL, 0, NULL, NULL)) - return 0; - return -EACCES; -} - static int current_check_access_path(const struct path *const path, - const access_mask_t access_request) + access_mask_t access_request) { const struct landlock_ruleset *const dom = get_current_fs_domain(); + layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; if (!dom) return 0; - return check_access_path(dom, path, access_request); + + access_request = landlock_init_layer_masks( + dom, access_request, &layer_masks, LANDLOCK_KEY_INODE); + if (is_access_to_paths_allowed(dom, path, access_request, &layer_masks, + NULL, 0, NULL, NULL)) + return 0; + + return -EACCES; } static access_mask_t get_mode_access(const umode_t mode) @@ -1414,11 +1408,7 @@ static int hook_path_mknod(const struct path *const dir, struct dentry *const dentry, const umode_t mode, const unsigned int dev) { - const struct landlock_ruleset *const dom = get_current_fs_domain(); - - if (!dom) - return 0; - return check_access_path(dom, dir, get_mode_access(mode)); + return current_check_access_path(dir, get_mode_access(mode)); } static int hook_path_symlink(const struct path *const dir, From patchwork Wed Jan 8 15:43:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931225 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0c.mail.infomaniak.ch (smtp-bc0c.mail.infomaniak.ch [45.157.188.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F9BB1FE475 for ; Wed, 8 Jan 2025 15:43:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.12 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351042; cv=none; b=p73vJAmOogMPLXUevAKtpxcq4uaFrog7FuHe+b+FjoOSmeRIb4JGi4fRk991F6O5nZOx7BmYzkF0B/FEHs3L4TCYa7lI8DHNPG3Rqq0RLzDuaH3dBFrH8iAnYAs4xdvuMnXL0pwr9vLv0rlKtgi0rxuPmvnNJh5Zg0Ol5c0JxII= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351042; c=relaxed/simple; bh=v+9Cb409l3HmYxdp7o1apSR2rFBOxGPSwvGKTZyvaUQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=fyZl8LwLr8O1fHyy5N1sWgmf/N4eFuDD6qOKA2EAD7uoUUd6DTPzyBsWlKVvofrbcUmsQfBqewBn/2CfWOklZHIS19SYEnpsP4kWzEYLN9gjsQK2X2z0qFnB9GKK89dUSU/fDDAdCeXIaC4nsn6QTXsBWKKX17pxDglWUlJnXAA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=zFd+6e37; arc=none smtp.client-ip=45.157.188.12 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="zFd+6e37" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf02k9Mz3p8; Wed, 8 Jan 2025 16:43:52 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351032; bh=RcpVtHXcCpP24wedDZPkye8Qr4zhKMB6KfKGjJ6zlE4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zFd+6e37mQ8OvsJPrqG1U5l1aSnUO+0RokxXMx4ErhSQp92hWPXhZDaJMsCar3nqQ L9Tgc/0M53BC5XmSBY1qaKl1H5czrIfs74dllOypMbbd/yZMHTpg+LGA0hnnvtns50 HWs5W0uCPoQNmu4Mhekv7DkckQF4vYG3ePyVZnOk= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsdz59PYzJt5; Wed, 8 Jan 2025 16:43:51 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 04/30] landlock: Add unique ID generator Date: Wed, 8 Jan 2025 16:43:12 +0100 Message-ID: <20250108154338.1129069-5-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Landlock IDs can be generated to uniquely identify Landlock objects. For now, only Landlock domains get an ID at creation time. These IDs map to immutable domain hierarchies. Landlock IDs have important properties: - They are unique during the lifetime of the running system thanks to the 64-bit values: at worse, 2^60 - 2*2^32 useful IDs. - They are always greater than 2^32 and must then be stored in 64-bit integer types. - The initial ID (at boot time) is randomly picked between 2^32 and 2^33, which limits collisions in logs between different boots. - IDs are sequential, which enables users to order them. - IDs may not be consecutive but increase with a random 2^4 step, which limits side channels. Such IDs can be exposed to unprivileged processes, even if it is not the case with this audit patch series. The domain IDs will be useful for user space to identify sandboxes and get their properties. These Landlock IDs are more robust that other absolute kernel IDs such as pipe's inodes which rely on a shared global counter. For checkpoint/restore features (i.e. CRIU), we could easily implement a privileged interface (e.g. sysfs) to set the next ID counter. IDR/IDA are not used because we only need a bijection from Landlock objects to Landlock IDs, and we must not recycle IDs. This enables us to identify all Landlock objects during the lifetime of the system (e.g. in logs), but not to access an object from an ID nor know if an ID is assigned. Using a counter is simpler, it scales (i.e. avoids growing memory footprint), and it does not require locking. We'll use proper file descriptors (with IDs used as inode numbers) to access Landlock objects. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-5-mic@digikod.net --- Changes since v3: - Rename landlock_get_id_range() helper to reflect the "range" of IDs. - Add docstring for landlock_get_id_range(). Changes since v2: - Extend commit message. - Rename global_counter to next_id. - Fix KUnit's test __init types, spotted by kernel test robot. Changes since v1: - New patch. --- security/landlock/.kunitconfig | 2 + security/landlock/Makefile | 2 + security/landlock/id.c | 249 +++++++++++++++++++ security/landlock/id.h | 25 ++ security/landlock/setup.c | 2 + tools/testing/kunit/configs/all_tests.config | 2 + 6 files changed, 282 insertions(+) create mode 100644 security/landlock/id.c create mode 100644 security/landlock/id.h diff --git a/security/landlock/.kunitconfig b/security/landlock/.kunitconfig index 03e119466604..f9423f01ac5b 100644 --- a/security/landlock/.kunitconfig +++ b/security/landlock/.kunitconfig @@ -1,4 +1,6 @@ +CONFIG_AUDIT=y CONFIG_KUNIT=y +CONFIG_NET=y CONFIG_SECURITY=y CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y diff --git a/security/landlock/Makefile b/security/landlock/Makefile index b4538b7cf7d2..e1777abbc413 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -4,3 +4,5 @@ landlock-y := setup.o syscalls.o object.o ruleset.o \ cred.o task.o fs.o landlock-$(CONFIG_INET) += net.o + +landlock-$(CONFIG_AUDIT) += id.o diff --git a/security/landlock/id.c b/security/landlock/id.c new file mode 100644 index 000000000000..b3c353d6e0cd --- /dev/null +++ b/security/landlock/id.c @@ -0,0 +1,249 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Unique identification number generator + * + * Copyright © 2024-2025 Microsoft Corporation + */ + +#include +#include +#include +#include + +#include "common.h" +#include "id.h" + +#define COUNTER_PRE_INIT 0 + +static atomic64_t next_id = ATOMIC64_INIT(COUNTER_PRE_INIT); + +static void __init init_id(atomic64_t *const counter, const u32 random_32bits) +{ + u64 init; + + /* + * Ensures sure 64-bit values are always used by user space (or may + * fail with -EOVERFLOW), and makes this testable. + */ + init = 1ULL << 32; + + /* + * Makes a large (2^32) boot-time value to limit ID collision in logs + * from different boots, and to limit info leak about the number of + * initially (relative to the reader) created elements (e.g. domains). + */ + init += random_32bits; + + /* Sets first or ignores. This will be the first ID. */ + atomic64_cmpxchg(counter, COUNTER_PRE_INIT, init); +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void __init test_init_min(struct kunit *const test) +{ + atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT); + + init_id(&counter, 0); + KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1ULL + U32_MAX); +} + +static void __init test_init_max(struct kunit *const test) +{ + atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT); + + init_id(&counter, ~0); + KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1 + (2ULL * U32_MAX)); +} + +static void __init test_init_once(struct kunit *const test) +{ + const u64 first_init = 1ULL + U32_MAX; + atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT); + + init_id(&counter, 0); + KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init); + + init_id(&counter, ~0); + KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + +void __init landlock_init_id(void) +{ + return init_id(&next_id, get_random_u32()); +} + +/* + * It's not worth it to try to hide the monotonic counter because it can still + * be inferred (with N counter ranges), and if we are allowed to read the inode + * number we should also be allowed to read the time creation anyway, and it + * can be handy to store and sort domain IDs for user space. + * + * Returns the value of next_id and increment it to let some space for the next + * one. + */ +static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter, + u8 random_4bits) +{ + u64 id, step; + + /* + * We should return at least 1 ID, and we may need a set of consecutive + * ones (e.g. to generate a set of inodes). + */ + if (WARN_ON_ONCE(number_of_ids <= 0)) + number_of_ids = 1; + + /* + * Blurs the next ID guess with 1/16 ratio. We get 2^(64 - 4) - + * (2 * 2^32), so a bit less than 2^60 available IDs, which should be + * much more than enough considering the number of CPU cycles required + * to get a new ID (e.g. a full landlock_restrict_self() call), and the + * cost of draining all available IDs during the system's uptime. + */ + random_4bits = random_4bits % (1 << 4); + step = number_of_ids + random_4bits; + + /* It is safe to cast a signed atomic to an unsigned value. */ + id = atomic64_fetch_add(step, counter); + + /* Warns if landlock_init_id() was not called. */ + WARN_ON_ONCE(id == COUNTER_PRE_INIT); + return id; +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void test_range1_rand0(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 1); +} + +static void test_range1_rand1(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 2); +} + +static void test_range1_rand16(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 1); +} + +static void test_range2_rand0(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 2); +} + +static void test_range2_rand1(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 3); +} + +static void test_range2_rand2(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 4); +} + +static void test_range2_rand16(struct kunit *const test) +{ + atomic64_t counter; + u64 init; + + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init); + KUNIT_EXPECT_EQ( + test, get_id_range(get_random_u8(), &counter, get_random_u8()), + init + 2); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + +/** + * landlock_get_id_range - Get a range of unique IDs + * + * @number_of_ids: Number of IDs to hold. Must be greater than one. + * + * Returns: The first ID in the range. + */ +u64 landlock_get_id_range(size_t number_of_ids) +{ + return get_id_range(number_of_ids, &next_id, get_random_u8()); +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static struct kunit_case __refdata test_cases[] = { + /* clang-format off */ + KUNIT_CASE(test_init_min), + KUNIT_CASE(test_init_max), + KUNIT_CASE(test_init_once), + KUNIT_CASE(test_range1_rand0), + KUNIT_CASE(test_range1_rand1), + KUNIT_CASE(test_range1_rand16), + KUNIT_CASE(test_range2_rand0), + KUNIT_CASE(test_range2_rand1), + KUNIT_CASE(test_range2_rand2), + KUNIT_CASE(test_range2_rand16), + {} + /* clang-format on */ +}; + +static struct kunit_suite test_suite = { + .name = "landlock_id", + .test_cases = test_cases, +}; + +kunit_test_init_section_suite(test_suite); + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ diff --git a/security/landlock/id.h b/security/landlock/id.h new file mode 100644 index 000000000000..99f596123c19 --- /dev/null +++ b/security/landlock/id.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Unique identification number generator + * + * Copyright © 2024-2025 Microsoft Corporation + */ + +#ifndef _SECURITY_LANDLOCK_ID_H +#define _SECURITY_LANDLOCK_ID_H + +#ifdef CONFIG_AUDIT + +void __init landlock_init_id(void); + +u64 landlock_get_id_range(size_t number_of_ids); + +#else /* CONFIG_AUDIT */ + +static inline void __init landlock_init_id(void) +{ +} + +#endif /* CONFIG_AUDIT */ + +#endif /* _SECURITY_LANDLOCK_ID_H */ diff --git a/security/landlock/setup.c b/security/landlock/setup.c index 28519a45b11f..d297083efcb1 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -13,6 +13,7 @@ #include "common.h" #include "cred.h" #include "fs.h" +#include "id.h" #include "net.h" #include "setup.h" #include "task.h" @@ -33,6 +34,7 @@ const struct lsm_id landlock_lsmid = { static int __init landlock_init(void) { + landlock_init_id(); landlock_add_cred_hooks(); landlock_add_task_hooks(); landlock_add_fs_hooks(); diff --git a/tools/testing/kunit/configs/all_tests.config b/tools/testing/kunit/configs/all_tests.config index b3b00269a52a..ea1f824ae70f 100644 --- a/tools/testing/kunit/configs/all_tests.config +++ b/tools/testing/kunit/configs/all_tests.config @@ -44,6 +44,8 @@ CONFIG_DAMON_DBGFS_DEPRECATED=y CONFIG_REGMAP_BUILD=y +CONFIG_AUDIT=y + CONFIG_SECURITY=y CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_LANDLOCK=y From patchwork Wed Jan 8 15:43:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931226 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8fa8.mail.infomaniak.ch (smtp-8fa8.mail.infomaniak.ch [83.166.143.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A91011FF1BF for ; Wed, 8 Jan 2025 15:44:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.168 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351044; cv=none; b=DQEk+oqNI+DeMBjdAhLBJcw8CR0OQtoNPWeXr8FfFZZDrtnaqJEjzEtGUEEgOUzLGHywvqMc73pwLjS4PlUlVlS276jQeBD9otmZfVHk4OvVsoy58YApvx4VYbatfrYfXonx6F8/oo+mCadSQeiSWO3SlWhyfpef62dh6ezduU4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351044; c=relaxed/simple; bh=P75CK7JRRXm8E6x1Lr4lfu+uwSO7K8J0/i3M+5hxkmY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=rFEhQ5MXnjTl5O0dLeIuZIkTUeKmY1c84SIULTcQoSLn2YjmbY8VT596man8L+T5U61C1qCP/s+ZEwWNLeSFqSMU0FXJD3ujZyDpwMO2Gp73kWSRy4/xbRtvpY7+6xa9LGXUyxnBRgBNLGsW/XgcGa+CpvRat88YwLA18ogRaM0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=j6Oeb3ZY; arc=none smtp.client-ip=83.166.143.168 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="j6Oeb3ZY" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf14xRxz7J6; Wed, 8 Jan 2025 16:43:53 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351033; bh=vuGD/UrIiGnelfO/JN71YY1l1nTe81wNynfpyq1VA8I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=j6Oeb3ZY1a0ET/DVIlgEwlfp/VvaJCp0+E5qFTTD9pweX5aqIyWTAWGTHqU/wT9mc hjeV4zIWHiOAPm42U386n32GjopuM46nwZgY7hXygQckAFLmQNCn+pzDP4KuAf46h7 BKyYNRRdtOBlEIFbjLzRMgACi9bK1xZ5CO2IXFic= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsf06zglzskN; Wed, 8 Jan 2025 16:43:52 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 05/30] landlock: Move access types Date: Wed, 8 Jan 2025 16:43:13 +0100 Message-ID: <20250108154338.1129069-6-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Move LANDLOCK_ACCESS_FS_INITIALLY_DENIED, access_mask_t, struct access_mask, and struct access_masks_all to a dedicated access.h file. Rename LANDLOCK_ACCESS_FS_INITIALLY_DENIED to _LANDLOCK_ACCESS_FS_INITIALLY_DENIED to make it clear that it's not part of UAPI. Add some newlines when appropriate. This file will be extended with following commits, and it will help to avoid dependency loops. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-6-mic@digikod.net --- Changes since v2: - Rebased on the (now merged) masks improvement patches. - Move ACCESS_FS_OPTIONAL to a following patch introducing deny_masks_t, spotted by Francis Laniel. - Move and rename LANDLOCK_ACCESS_FS_INITIALLY_DENIED to _LANDLOCK_ACCESS_FS_INITIALLY_DENIED. Changes since v1: - New patch --- security/landlock/access.h | 62 +++++++++++++++++++++++++++++++++++++ security/landlock/fs.c | 3 +- security/landlock/fs.h | 1 + security/landlock/ruleset.c | 1 + security/landlock/ruleset.h | 47 ++-------------------------- 5 files changed, 68 insertions(+), 46 deletions(-) create mode 100644 security/landlock/access.h diff --git a/security/landlock/access.h b/security/landlock/access.h new file mode 100644 index 000000000000..9ee4b30a87e6 --- /dev/null +++ b/security/landlock/access.h @@ -0,0 +1,62 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Access types and helpers + * + * Copyright © 2016-2020 Mickaël Salaün + * Copyright © 2018-2020 ANSSI + * Copyright © 2024-2025 Microsoft Corporation + */ + +#ifndef _SECURITY_LANDLOCK_ACCESS_H +#define _SECURITY_LANDLOCK_ACCESS_H + +#include +#include +#include +#include + +#include "limits.h" + +/* + * All access rights that are denied by default whether they are handled or not + * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] + * entries when we need to get the absolute handled access masks. + */ +/* clang-format off */ +#define _LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \ + LANDLOCK_ACCESS_FS_REFER) +/* clang-format on */ + +typedef u16 access_mask_t; + +/* Makes sure all filesystem access rights can be stored. */ +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); +/* Makes sure all network access rights can be stored. */ +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET); +/* Makes sure all scoped rights can be stored. */ +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE); +/* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ +static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); + +/* Ruleset access masks. */ +struct access_masks { + access_mask_t fs : LANDLOCK_NUM_ACCESS_FS; + access_mask_t net : LANDLOCK_NUM_ACCESS_NET; + access_mask_t scope : LANDLOCK_NUM_SCOPE; +}; + +union access_masks_all { + struct access_masks masks; + u32 all; +}; + +/* Makes sure all fields are covered. */ +static_assert(sizeof(typeof_member(union access_masks_all, masks)) == + sizeof(typeof_member(union access_masks_all, all))); + +typedef u16 layer_mask_t; + +/* Makes sure all layers can be checked. */ +static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS); + +#endif /* _SECURITY_LANDLOCK_ACCESS_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index d911c924843f..3da5f1945158 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -36,6 +36,7 @@ #include #include +#include "access.h" #include "common.h" #include "cred.h" #include "fs.h" @@ -393,7 +394,7 @@ get_handled_fs_accesses(const struct landlock_ruleset *const domain) { /* Handles all initially denied by default access rights. */ return landlock_union_access_masks(domain).fs | - LANDLOCK_ACCESS_FS_INITIALLY_DENIED; + _LANDLOCK_ACCESS_FS_INITIALLY_DENIED; } static const struct access_masks any_fs = { diff --git a/security/landlock/fs.h b/security/landlock/fs.h index 1487e1f023a1..d445f411c26a 100644 --- a/security/landlock/fs.h +++ b/security/landlock/fs.h @@ -13,6 +13,7 @@ #include #include +#include "access.h" #include "ruleset.h" #include "setup.h" diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index a93bdbf52fff..cae69f2f01d9 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -20,6 +20,7 @@ #include #include +#include "access.h" #include "limits.h" #include "object.h" #include "ruleset.h" diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 631e24d4ffe9..2f29b9f40392 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -9,58 +9,15 @@ #ifndef _SECURITY_LANDLOCK_RULESET_H #define _SECURITY_LANDLOCK_RULESET_H -#include -#include -#include #include #include #include #include -#include +#include "access.h" #include "limits.h" #include "object.h" -/* - * All access rights that are denied by default whether they are handled or not - * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] - * entries when we need to get the absolute handled access masks. - */ -/* clang-format off */ -#define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \ - LANDLOCK_ACCESS_FS_REFER) -/* clang-format on */ - -typedef u16 access_mask_t; -/* Makes sure all filesystem access rights can be stored. */ -static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); -/* Makes sure all network access rights can be stored. */ -static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET); -/* Makes sure all scoped rights can be stored. */ -static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE); -/* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ -static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); - -/* Ruleset access masks. */ -struct access_masks { - access_mask_t fs : LANDLOCK_NUM_ACCESS_FS; - access_mask_t net : LANDLOCK_NUM_ACCESS_NET; - access_mask_t scope : LANDLOCK_NUM_SCOPE; -}; - -union access_masks_all { - struct access_masks masks; - u32 all; -}; - -/* Makes sure all fields are covered. */ -static_assert(sizeof(typeof_member(union access_masks_all, masks)) == - sizeof(typeof_member(union access_masks_all, all))); - -typedef u16 layer_mask_t; -/* Makes sure all layers can be checked. */ -static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS); - /** * struct landlock_layer - Access rights for a given layer */ @@ -366,7 +323,7 @@ landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset, { /* Handles all initially denied by default access rights. */ return ruleset->access_masks[layer_level].fs | - LANDLOCK_ACCESS_FS_INITIALLY_DENIED; + _LANDLOCK_ACCESS_FS_INITIALLY_DENIED; } static inline access_mask_t From patchwork Wed Jan 8 15:43:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931223 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-190c.mail.infomaniak.ch (smtp-190c.mail.infomaniak.ch [185.125.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F3BD1FE45E for ; Wed, 8 Jan 2025 15:43:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.12 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351039; cv=none; b=I67c5O4eIuDKt/totyp5DnKaLIxwHhlXg/8nva6Kzjj1K+KHNz1K5liFXoQLfS4pipIcauD0iP4OZVHU5b/o8hUaPihAg/m0ZGG0pBLbcugZZEF6EMyc8wFhiBvD935EIAI4pWpdr1H2Rb3BbZCGuQC0DshhxPB/+gFsFEl3smU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351039; c=relaxed/simple; bh=pbjs421Pky9glSBPHXWUS1xMZ9hfuvzC41AX1/E76bQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=qSai4qIcXcoSi490C9UUA6FpzfgEMCTR7tVegSbpxbO06LsHI6KdhV38+QKmff4k2FBpuv72bYvNbPc0Vk5XxnX/X0EzRlWAGMaWMrpZD2r7PYIv1ihstMzD65ZpQS337LLBsMQRBWQK5rWJ3+jy7h/InnVW4ZhftcmspXlqem8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=l6GmoPQ7; arc=none smtp.client-ip=185.125.25.12 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="l6GmoPQ7" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf30x1Bz9s9; Wed, 8 Jan 2025 16:43:55 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351035; bh=f4tHQfJHpRqEk9p+KaoskKp0MCYGZFL6TV5oGOIgc5Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=l6GmoPQ72Us7PhF3owCE6mG8SfAdRnQMjDmn0sWMO/XDhJJIZGxz/ncbJajYcSLvR NJ9WcYHAu9SVZ82q/D+yJC6taeexeZWvHB109XzBgIL7A7fE8BpYQxBOvZnWqSrvzl VQtqUwx+TtKAwsLzkf/0N2Q0CIKvweyuO9ds68uc= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsf22RwSzLFX; Wed, 8 Jan 2025 16:43:54 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 06/30] landlock: Simplify initially denied access rights Date: Wed, 8 Jan 2025 16:43:14 +0100 Message-ID: <20250108154338.1129069-7-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Upgrade domain's handled access masks when creating a domain from a ruleset, instead of converting them at runtime. This is more consistent and helps with audit support. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-7-mic@digikod.net --- Changes since v2: - New patch. --- security/landlock/access.h | 17 ++++++++++++++++- security/landlock/fs.c | 10 +--------- security/landlock/ruleset.c | 3 ++- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/security/landlock/access.h b/security/landlock/access.h index 9ee4b30a87e6..74fd8f399fbd 100644 --- a/security/landlock/access.h +++ b/security/landlock/access.h @@ -20,7 +20,8 @@ /* * All access rights that are denied by default whether they are handled or not * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] - * entries when we need to get the absolute handled access masks. + * entries when we need to get the absolute handled access masks, see + * landlock_upgrade_handled_access_masks(). */ /* clang-format off */ #define _LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \ @@ -59,4 +60,18 @@ typedef u16 layer_mask_t; /* Makes sure all layers can be checked. */ static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS); +/* Upgrades with all initially denied by default access rights. */ +static inline struct access_masks +landlock_upgrade_handled_access_masks(struct access_masks access_masks) +{ + /* + * All access rights that are denied by default whether they are + * explicitly handled or not. + */ + if (access_masks.fs) + access_masks.fs |= _LANDLOCK_ACCESS_FS_INITIALLY_DENIED; + + return access_masks; +} + #endif /* _SECURITY_LANDLOCK_ACCESS_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 3da5f1945158..9779170d9199 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -389,14 +389,6 @@ static bool is_nouser_or_private(const struct dentry *dentry) unlikely(IS_PRIVATE(d_backing_inode(dentry)))); } -static access_mask_t -get_handled_fs_accesses(const struct landlock_ruleset *const domain) -{ - /* Handles all initially denied by default access rights. */ - return landlock_union_access_masks(domain).fs | - _LANDLOCK_ACCESS_FS_INITIALLY_DENIED; -} - static const struct access_masks any_fs = { .fs = ~0, }; @@ -788,7 +780,7 @@ static bool is_access_to_paths_allowed( * a superset of the meaningful requested accesses). */ access_masked_parent1 = access_masked_parent2 = - get_handled_fs_accesses(domain); + landlock_union_access_masks(domain).fs; is_dom_check = true; } else { if (WARN_ON_ONCE(dentry_child1 || dentry_child2)) diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index cae69f2f01d9..dbc528f5f3b7 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -385,7 +385,8 @@ static int merge_ruleset(struct landlock_ruleset *const dst, err = -EINVAL; goto out_unlock; } - dst->access_masks[dst->num_layers - 1] = src->access_masks[0]; + dst->access_masks[dst->num_layers - 1] = + landlock_upgrade_handled_access_masks(src->access_masks[0]); /* Merges the @src inode tree. */ err = merge_tree(dst, src, LANDLOCK_KEY_INODE); From patchwork Wed Jan 8 15:43:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931229 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-42a9.mail.infomaniak.ch (smtp-42a9.mail.infomaniak.ch [84.16.66.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7267B1F869E for ; Wed, 8 Jan 2025 15:44:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=84.16.66.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351047; cv=none; b=V842z0fkS9AcaN/41s0lGOyvR9r2wQrKhdbIVay2EnfJAizOjzn9249OwpPlI/mPjgvGMafAby+mU4U1DpXSGF+EJrL3l6zy6gdpLa4HhCNHjXKpk5r51vqvA1S+k1AQ+r/9amsZcXDgnkP9BRvYJGkO/xo1kgO+v1BDxVzwcnQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351047; c=relaxed/simple; bh=QJqwYq5frXoftVqz8LmANwAzt2hFiBJ6iJtSHT5ib30=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=E58zqy55UPbfOiEcLDvwS/oxXDZagh2aw/Y2MdvZn6Aw7bEbIPaCzVNbYKeS31N2xKqDnnBbMVBA+c+VHwrs2nnIfeoXnFIWsdCGxp3+YmdVzEYQhmPWI8hbwQY/U0c5vTLs9UETY16Yrvd8tcCRIODcZnmN/b1ANYI2OuPg8Fw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=uKn5Cyt1; arc=none smtp.client-ip=84.16.66.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="uKn5Cyt1" Received: from smtp-4-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10:40ca:feff:fe05:1]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf46Mrxzt6D; Wed, 8 Jan 2025 16:43:56 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351036; bh=+oXeGTZhWH7zBrQn+Rqm0cL2tmgvGubeqz4bC82gHKw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uKn5Cyt1fy8HNn9dNzo94+saIuMbKk9tuT5fAbXUJKDyV5h0042Kkd0h+reDI/kU5 HRbm+GlmT0ZGqNTml3nG76EaK+VfZsWhf1kwxePlbq4eS+DD89TVgaMw3cVQVTe2Nh YYYy9Vu8vQCXutfEqHClqV3l2i9jH1AO7/ThDHVA= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsf362CyzHf5; Wed, 8 Jan 2025 16:43:55 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 07/30] landlock: Move domain hierarchy management and export helpers Date: Wed, 8 Jan 2025 16:43:15 +0100 Message-ID: <20250108154338.1129069-8-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Create a new domain.h file containing the struct landlock_hierarchy definition and helpers. This type will grow with audit support. This also prepares for a new domain type. Export landlock_get_hierarchy() and landlock_put_hierarchy() that will be used by audit in a following commit. Clean up Makefile entries. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-8-mic@digikod.net --- Changes since v3: - Export landlock_get_hierarchy() and landlock_put_hierarchy(). - Clean up Makefile entries. Changes since v1: - New patch. --- MAINTAINERS | 1 + include/linux/landlock.h | 31 +++++++++++++++++++++++++++++++ security/landlock/Makefile | 11 +++++++++-- security/landlock/domain.c | 29 +++++++++++++++++++++++++++++ security/landlock/domain.h | 31 +++++++++++++++++++++++++++++++ security/landlock/ruleset.c | 22 ++++------------------ security/landlock/ruleset.h | 17 +---------------- security/landlock/task.c | 1 + 8 files changed, 107 insertions(+), 36 deletions(-) create mode 100644 include/linux/landlock.h create mode 100644 security/landlock/domain.c create mode 100644 security/landlock/domain.h diff --git a/MAINTAINERS b/MAINTAINERS index 30cbc3d44cd5..425676b25a4f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -12961,6 +12961,7 @@ T: git https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git F: Documentation/security/landlock.rst F: Documentation/userspace-api/landlock.rst F: fs/ioctl.c +F: include/linux/landlock.h F: include/uapi/linux/landlock.h F: samples/landlock/ F: security/landlock/ diff --git a/include/linux/landlock.h b/include/linux/landlock.h new file mode 100644 index 000000000000..8491142658a1 --- /dev/null +++ b/include/linux/landlock.h @@ -0,0 +1,31 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Landlock - Kernel API + * + * Copyright © 2024-2025 Microsoft Corporation + */ + +#ifndef _LINUX_LANDLOCK_H +#define _LINUX_LANDLOCK_H + +struct landlock_hierarchy; + +#ifdef CONFIG_SECURITY_LANDLOCK + +void landlock_get_hierarchy(struct landlock_hierarchy *hierarchy); + +void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy); + +#else /* CONFIG_SECURITY_LANDLOCK */ + +static inline void landlock_get_hierarchy(struct landlock_hierarchy *hierarchy) +{ +} + +static inline void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) +{ +} + +#endif /* CONFIG_SECURITY_LANDLOCK */ + +#endif /* _LINUX_LANDLOCK_H */ diff --git a/security/landlock/Makefile b/security/landlock/Makefile index e1777abbc413..51815908a464 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -1,7 +1,14 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o -landlock-y := setup.o syscalls.o object.o ruleset.o \ - cred.o task.o fs.o +landlock-y := \ + setup.o \ + syscalls.o \ + object.o \ + ruleset.o \ + cred.o \ + task.o \ + fs.o \ + domain.o landlock-$(CONFIG_INET) += net.o diff --git a/security/landlock/domain.c b/security/landlock/domain.c new file mode 100644 index 000000000000..df58638ffc50 --- /dev/null +++ b/security/landlock/domain.c @@ -0,0 +1,29 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Domain management + * + * Copyright © 2016-2020 Mickaël Salaün + * Copyright © 2018-2020 ANSSI + * Copyright © 2024-2025 Microsoft Corporation + */ + +#include +#include + +#include "domain.h" + +void landlock_get_hierarchy(struct landlock_hierarchy *const hierarchy) +{ + if (hierarchy) + refcount_inc(&hierarchy->usage); +} + +void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) +{ + while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) { + const struct landlock_hierarchy *const freeme = hierarchy; + + hierarchy = hierarchy->parent; + kfree(freeme); + } +} diff --git a/security/landlock/domain.h b/security/landlock/domain.h new file mode 100644 index 000000000000..2e612ef754e3 --- /dev/null +++ b/security/landlock/domain.h @@ -0,0 +1,31 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Domain management + * + * Copyright © 2016-2020 Mickaël Salaün + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_DOMAIN_H +#define _SECURITY_LANDLOCK_DOMAIN_H + +#include +#include + +/** + * struct landlock_hierarchy - Node in a domain hierarchy + */ +struct landlock_hierarchy { + /** + * @parent: Pointer to the parent node, or NULL if it is a root + * Landlock domain. + */ + struct landlock_hierarchy *parent; + /** + * @usage: Number of potential children domains plus their parent + * domain. + */ + refcount_t usage; +}; + +#endif /* _SECURITY_LANDLOCK_DOMAIN_H */ diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index dbc528f5f3b7..8b47af69af3e 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -21,6 +22,7 @@ #include #include "access.h" +#include "domain.h" #include "limits.h" #include "object.h" #include "ruleset.h" @@ -305,22 +307,6 @@ int landlock_insert_rule(struct landlock_ruleset *const ruleset, return insert_rule(ruleset, id, &layers, ARRAY_SIZE(layers)); } -static void get_hierarchy(struct landlock_hierarchy *const hierarchy) -{ - if (hierarchy) - refcount_inc(&hierarchy->usage); -} - -static void put_hierarchy(struct landlock_hierarchy *hierarchy) -{ - while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) { - const struct landlock_hierarchy *const freeme = hierarchy; - - hierarchy = hierarchy->parent; - kfree(freeme); - } -} - static int merge_tree(struct landlock_ruleset *const dst, struct landlock_ruleset *const src, const enum landlock_key_type key_type) @@ -475,7 +461,7 @@ static int inherit_ruleset(struct landlock_ruleset *const parent, err = -EINVAL; goto out_unlock; } - get_hierarchy(parent->hierarchy); + landlock_get_hierarchy(parent->hierarchy); child->hierarchy->parent = parent->hierarchy; out_unlock: @@ -499,7 +485,7 @@ static void free_ruleset(struct landlock_ruleset *const ruleset) free_rule(freeme, LANDLOCK_KEY_NET_PORT); #endif /* IS_ENABLED(CONFIG_INET) */ - put_hierarchy(ruleset->hierarchy); + landlock_put_hierarchy(ruleset->hierarchy); kfree(ruleset); } diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 2f29b9f40392..39169b6860e3 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -15,6 +15,7 @@ #include #include "access.h" +#include "domain.h" #include "limits.h" #include "object.h" @@ -106,22 +107,6 @@ struct landlock_rule { struct landlock_layer layers[] __counted_by(num_layers); }; -/** - * struct landlock_hierarchy - Node in a ruleset hierarchy - */ -struct landlock_hierarchy { - /** - * @parent: Pointer to the parent node, or NULL if it is a root - * Landlock domain. - */ - struct landlock_hierarchy *parent; - /** - * @usage: Number of potential children domains plus their parent - * domain. - */ - refcount_t usage; -}; - /** * struct landlock_ruleset - Landlock ruleset * diff --git a/security/landlock/task.c b/security/landlock/task.c index dc7dab78392e..98894ad1abc7 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c @@ -18,6 +18,7 @@ #include "common.h" #include "cred.h" +#include "domain.h" #include "fs.h" #include "ruleset.h" #include "setup.h" From patchwork Wed Jan 8 15:43:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931230 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-190b.mail.infomaniak.ch (smtp-190b.mail.infomaniak.ch [185.125.25.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B95BE1FFC57 for ; Wed, 8 Jan 2025 15:44:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.11 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351048; cv=none; b=OsQwP6Dpq3IoMlVLmAPZwhcXgQ0m4m3EJxrNJr3ta6ky9SunJS++N8r5XlBhbJUifB+r51h8I1Iy9p5JyjnoSADLMzXyXJ2lFidFtOpuqpSzGJdGwYh5u0tIGkauOECYi41Po/uEQmrnWefG3vG1GdsV58Lm/E+3k3NwmY+3jW8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351048; c=relaxed/simple; bh=s/M3ay/VwfeFP5whczCJxVeJ+B1y6AMtZjSerZahJuA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Oi3EPr30M1ok/sIFaSOJq7lUj68/IvEviEap8bfxJyM/TzUwCUcY3xWC5CPj2QkYREA1A5gxc2Zs0KSOe6Yvc4j2oKlb8w8gHrBNsRpoFSQ/BDWcXg4JCC8Xqav6OvTmjBNS7lS5sPbVsgszi9VIu4LO7lyA8yACpHW11lKj1zk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=rUu9LOdl; arc=none smtp.client-ip=185.125.25.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="rUu9LOdl" Received: from smtp-4-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10:40ca:feff:fe05:1]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf63RV8zpc6; Wed, 8 Jan 2025 16:43:58 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351038; bh=e0QcGIXpVa199In/TfXFfssW65LGTCXD2yRYPsXwybw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rUu9LOdlh7ND0wDE+GMdq511WHonJPkE+zOnsPlitolcztVw7RP/l6lwjGoTIceLw 935XI3oGOuB8YlQDozg5ah03WxSvH2V3/YWlC1xJSAsOzuS9aA9OIOWVI1Y05m8Odp waOJDfa1U7JawZ1MSE3OwJlY9liyCCLEJpdHqxEs= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsf53WtSzGTC; Wed, 8 Jan 2025 16:43:57 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 08/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials Date: Wed, 8 Jan 2025 16:43:16 +0100 Message-ID: <20250108154338.1129069-9-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add a new AUDIT_LANDLOCK_DENY record type dedicated to any Landlock denials. This encodes access verdict into the type to be able to filter such denied requests with audit rules. Moreover, it would not make sense for Landlock to log allowed requests (by default). AUDIT_LANDLOCK_DENY indicates that something unexpected happened. A following commit will allow to filter such denials according to the task that created the related security policy. The AUDIT_LANDLOCK_DENY message contains: - the "domain" ID restricting the action on an object, - the "blockers" that are missing to allow the requested access, - a set of fields identifying the related object (e.g. task identified with "opid" and "ocomm"). The blockers are implicit restrictions (e.g. ptrace), or explicit access rights (e.g. filesystem), or explicit scopes (e.g. signal). This field contains a list of at least one element, each separated with a comma. The initial blocker is "ptrace", which describe all implicit Landlock restrictions related to ptrace (e.g. deny tracing of tasks outside a sandbox). Add audit support to ptrace_access_check and ptrace_traceme hooks. For the ptrace_access_check case, we log the current/parent domain and the child task. For the ptrace_traceme case, we log the parent domain and the parent task. Indeed, the requester is the current task, but the action would be performed by the parent task. Audit event sample: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=ptrace opid=1 ocomm="systemd" type=SYSCALL msg=audit(1729738800.349:44): arch=c000003e syscall=101 success=no [...] pid=300 auid=0 Add KUnit tests to check reading of domain ID relative to layer level. The quick return for non-landlocked tasks is moved from task_ptrace() to each LSM hooks. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-9-mic@digikod.net --- Changes since v3: - Extend commit message. Changes since v2: - Log domain IDs as hexadecimal number: this is a more compact notation (i.e. at least one less digit), it improves alignment in logs, and it makes most IDs start with 1 as leading digit (because of the 2^32 minimal value). Do not use the "0x" prefix that would add useless data to logs. - Constify function arguments. - Clean up Makefile entries. Changes since v1: - Move most audit code to this patch. - Rebase on the TCP patch series. - Don't log missing access right: simplify and make it generic for rule types. - Don't log errno and then don't wrap the error with landlock_log_request(), as suggested by Jeff. - Add a WARN_ON_ONCE() check to never dereference null pointers. - Only log when audit is enabled. - Don't log task's PID/TID with log_task() because it would be redundant with the SYSCALL record. - Move the "op" in front and rename "domain" to "denying_domain" to make it more consistent with other entries. - Don't update the request with the domain ID but add an helper to get it from the layer masks (and in a following commit with a struct file). - Revamp get_domain_id_from_layer_masks() into get_level_from_layer_masks(). - For ptrace_traceme, log the parent domain instead of the current one. - Add documentation. - Rename AUDIT_LANDLOCK_DENIAL to AUDIT_LANDLOCK_DENY. - Only log the domain ID and the target task. - Log "blockers", which are either implicit restrictions (e.g. ptrace) or explicit access rights (e.g. filesystem), or scopes (e.g. signal). - Don't log LSM hook names/operations. - Pick an audit event ID folling the IPE ones. - Add KUnit tests. --- include/uapi/linux/audit.h | 3 +- security/landlock/Makefile | 4 +- security/landlock/audit.c | 137 ++++++++++++++++++++++++++++++++++++ security/landlock/audit.h | 52 ++++++++++++++ security/landlock/domain.c | 18 +++++ security/landlock/domain.h | 22 ++++++ security/landlock/ruleset.c | 6 ++ security/landlock/task.c | 93 ++++++++++++++++++------ 8 files changed, 310 insertions(+), 25 deletions(-) create mode 100644 security/landlock/audit.c create mode 100644 security/landlock/audit.h diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 75e21a135483..60c909c396c0 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -33,7 +33,7 @@ * 1100 - 1199 user space trusted application messages * 1200 - 1299 messages internal to the audit daemon * 1300 - 1399 audit event messages - * 1400 - 1499 SE Linux use + * 1400 - 1499 access control messages * 1500 - 1599 kernel LSPP events * 1600 - 1699 kernel crypto events * 1700 - 1799 kernel anomaly records @@ -146,6 +146,7 @@ #define AUDIT_IPE_ACCESS 1420 /* IPE denial or grant */ #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ +#define AUDIT_LANDLOCK_DENY 1423 /* Landlock denial */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/security/landlock/Makefile b/security/landlock/Makefile index 51815908a464..64e9fad7de6e 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -12,4 +12,6 @@ landlock-y := \ landlock-$(CONFIG_INET) += net.o -landlock-$(CONFIG_AUDIT) += id.o +landlock-$(CONFIG_AUDIT) += \ + id.o \ + audit.o diff --git a/security/landlock/audit.c b/security/landlock/audit.c new file mode 100644 index 000000000000..d90680a5026a --- /dev/null +++ b/security/landlock/audit.c @@ -0,0 +1,137 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Audit helpers + * + * Copyright © 2023-2025 Microsoft Corporation + */ + +#include +#include +#include + +#include "audit.h" +#include "domain.h" +#include "ruleset.h" + +static const char *get_blocker(const enum landlock_request_type type) +{ + switch (type) { + case LANDLOCK_REQUEST_PTRACE: + return "ptrace"; + } + + WARN_ON_ONCE(1); + return "unknown"; +} + +static void log_blockers(struct audit_buffer *const ab, + const enum landlock_request_type type) +{ + audit_log_format(ab, "%s", get_blocker(type)); +} + +static struct landlock_hierarchy * +get_hierarchy(const struct landlock_ruleset *const domain, const size_t layer) +{ + struct landlock_hierarchy *node = domain->hierarchy; + ssize_t i; + + if (WARN_ON_ONCE(layer >= domain->num_layers)) + return node; + + for (i = domain->num_layers - 1; i > layer; i--) { + if (WARN_ON_ONCE(!node->parent)) + break; + + node = node->parent; + } + + return node; +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void test_get_hierarchy(struct kunit *const test) +{ + struct landlock_hierarchy dom0_node = { + .id = 10, + }; + struct landlock_hierarchy dom1_node = { + .parent = &dom0_node, + .id = 20, + }; + struct landlock_hierarchy dom2_node = { + .parent = &dom1_node, + .id = 30, + }; + struct landlock_ruleset dom2 = { + .hierarchy = &dom2_node, + .num_layers = 3, + }; + + KUNIT_EXPECT_EQ(test, 10, get_hierarchy(&dom2, 0)->id); + KUNIT_EXPECT_EQ(test, 20, get_hierarchy(&dom2, 1)->id); + KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, 2)->id); + KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, -1)->id); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + +static bool is_valid_request(const struct landlock_request *const request) +{ + if (WARN_ON_ONCE(!request->layer_plus_one)) + return false; + + return true; +} + +/** + * landlock_log_denial - Create audit records related to a denial + * + * @domain: The domain denying an action. + * @request: Detail of the user space request. + */ +void landlock_log_denial(const struct landlock_ruleset *const domain, + const struct landlock_request *const request) +{ + struct audit_buffer *ab; + struct landlock_hierarchy *youngest_denied; + + if (WARN_ON_ONCE(!domain || !domain->hierarchy || !request)) + return; + + if (!is_valid_request(request)) + return; + + if (!unlikely(audit_context() && audit_enabled)) + return; + + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN, + AUDIT_LANDLOCK_DENY); + if (!ab) + return; + + youngest_denied = get_hierarchy(domain, request->layer_plus_one - 1); + audit_log_format(ab, "domain=%llx blockers=", youngest_denied->id); + log_blockers(ab, request->type); + audit_log_lsm_data(ab, &request->audit); + audit_log_end(ab); +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static struct kunit_case test_cases[] = { + /* clang-format off */ + KUNIT_CASE(test_get_hierarchy), + {} + /* clang-format on */ +}; + +static struct kunit_suite test_suite = { + .name = "landlock_audit", + .test_cases = test_cases, +}; + +kunit_test_suite(test_suite); + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ diff --git a/security/landlock/audit.h b/security/landlock/audit.h new file mode 100644 index 000000000000..4a635d8bc1af --- /dev/null +++ b/security/landlock/audit.h @@ -0,0 +1,52 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Audit helpers + * + * Copyright © 2023-2025 Microsoft Corporation + */ + +#ifndef _SECURITY_LANDLOCK_AUDIT_H +#define _SECURITY_LANDLOCK_AUDIT_H + +#include +#include + +#include "ruleset.h" + +enum landlock_request_type { + LANDLOCK_REQUEST_PTRACE = 1, +}; + +/* + * We should be careful to only use a variable of this type for + * landlock_log_denial(). This way, the compiler can remove it entirely if + * CONFIG_AUDIT is not set. + */ +struct landlock_request { + /* Mandatory fields. */ + enum landlock_request_type type; + struct common_audit_data audit; + + /** + * layer_plus_one: First layer level that denies the request + 1. The + * extra one is useful to detect uninitialized field. + */ + size_t layer_plus_one; +}; + +#ifdef CONFIG_AUDIT + +void landlock_log_denial(const struct landlock_ruleset *const domain, + const struct landlock_request *const request); + +#else /* CONFIG_AUDIT */ + +static inline void +landlock_log_denial(const struct landlock_ruleset *const domain, + const struct landlock_request *const request) +{ +} + +#endif /* CONFIG_AUDIT */ + +#endif /* _SECURITY_LANDLOCK_AUDIT_H */ diff --git a/security/landlock/domain.c b/security/landlock/domain.c index df58638ffc50..895874285fe2 100644 --- a/security/landlock/domain.c +++ b/security/landlock/domain.c @@ -11,6 +11,7 @@ #include #include "domain.h" +#include "id.h" void landlock_get_hierarchy(struct landlock_hierarchy *const hierarchy) { @@ -27,3 +28,20 @@ void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) kfree(freeme); } } + +#ifdef CONFIG_AUDIT + +/** + * landlock_init_current_hierarchy - Partially initialize landlock_hierarchy + * + * @hierarchy: The hierarchy to initialize. + * + * @hierarchy->parent and @hierarchy->usage should already be set. + */ +int landlock_init_current_hierarchy(struct landlock_hierarchy *const hierarchy) +{ + hierarchy->id = landlock_get_id_range(1); + return 0; +} + +#endif /* CONFIG_AUDIT */ diff --git a/security/landlock/domain.h b/security/landlock/domain.h index 2e612ef754e3..514281f64b20 100644 --- a/security/landlock/domain.h +++ b/security/landlock/domain.h @@ -4,6 +4,7 @@ * * Copyright © 2016-2020 Mickaël Salaün * Copyright © 2018-2020 ANSSI + * Copyright © 2024-2025 Microsoft Corporation */ #ifndef _SECURITY_LANDLOCK_DOMAIN_H @@ -26,6 +27,27 @@ struct landlock_hierarchy { * domain. */ refcount_t usage; + +#ifdef CONFIG_AUDIT + /** + * @id: Landlock domain ID, sets once at domain creation time. + */ + u64 id; +#endif /* CONFIG_AUDIT */ }; +#ifdef CONFIG_AUDIT + +int landlock_init_current_hierarchy(struct landlock_hierarchy *const hierarchy); + +#else /* CONFIG_AUDIT */ + +static inline int +landlock_init_current_hierarchy(struct landlock_hierarchy *const hierarchy) +{ + return 0; +} + +#endif /* CONFIG_AUDIT */ + #endif /* _SECURITY_LANDLOCK_DOMAIN_H */ diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 8b47af69af3e..3e4deb2d0aa3 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -22,6 +22,7 @@ #include #include "access.h" +#include "audit.h" #include "domain.h" #include "limits.h" #include "object.h" @@ -504,6 +505,7 @@ static void free_ruleset_work(struct work_struct *const work) free_ruleset(ruleset); } +/* Only called by hook_cred_free(). */ void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset) { if (ruleset && refcount_dec_and_test(&ruleset->usage)) { @@ -563,6 +565,10 @@ landlock_merge_ruleset(struct landlock_ruleset *const parent, if (err) goto out_put_dom; + err = landlock_init_current_hierarchy(new_dom->hierarchy); + if (err) + goto out_put_dom; + return new_dom; out_put_dom: diff --git a/security/landlock/task.c b/security/landlock/task.c index 98894ad1abc7..4fef963274fd 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c @@ -10,12 +10,14 @@ #include #include #include +#include #include #include #include #include #include +#include "audit.h" #include "common.h" #include "cred.h" #include "domain.h" @@ -38,41 +40,29 @@ static bool domain_scope_le(const struct landlock_ruleset *const parent, { const struct landlock_hierarchy *walker; + /* Quick return for non-landlocked tasks. */ if (!parent) return true; + if (!child) return false; + for (walker = child->hierarchy; walker; walker = walker->parent) { if (walker == parent->hierarchy) /* @parent is in the scoped hierarchy of @child. */ return true; } + /* There is no relationship between @parent and @child. */ return false; } -static bool task_is_scoped(const struct task_struct *const parent, - const struct task_struct *const child) -{ - bool is_scoped; - const struct landlock_ruleset *dom_parent, *dom_child; - - rcu_read_lock(); - dom_parent = landlock_get_task_domain(parent); - dom_child = landlock_get_task_domain(child); - is_scoped = domain_scope_le(dom_parent, dom_child); - rcu_read_unlock(); - return is_scoped; -} - -static int task_ptrace(const struct task_struct *const parent, - const struct task_struct *const child) +static int domain_ptrace(const struct landlock_ruleset *const parent, + const struct landlock_ruleset *const child) { - /* Quick return for non-landlocked tasks. */ - if (!landlocked(parent)) - return 0; - if (task_is_scoped(parent, child)) + if (domain_scope_le(parent, child)) return 0; + return -EPERM; } @@ -92,7 +82,36 @@ static int task_ptrace(const struct task_struct *const parent, static int hook_ptrace_access_check(struct task_struct *const child, const unsigned int mode) { - return task_ptrace(current, child); + const struct landlock_ruleset *parent_dom, *child_dom; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_PTRACE, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = child, + }, + }; + int err; + + /* Quick return for non-landlocked tasks. */ + parent_dom = landlock_get_current_domain(); + if (!parent_dom) + return 0; + + rcu_read_lock(); + child_dom = landlock_get_task_domain(child); + err = domain_ptrace(parent_dom, child_dom); + rcu_read_unlock(); + + /* + * For the ptrace_access_check case, we log the current/parent domain + * and the child task. + */ + if (err && !(mode & PTRACE_MODE_NOAUDIT)) { + request.layer_plus_one = parent_dom->num_layers; + landlock_log_denial(parent_dom, &request); + } + + return err; } /** @@ -109,7 +128,35 @@ static int hook_ptrace_access_check(struct task_struct *const child, */ static int hook_ptrace_traceme(struct task_struct *const parent) { - return task_ptrace(parent, current); + const struct landlock_ruleset *parent_dom, *child_dom; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_PTRACE, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = parent, + }, + }; + int err; + + child_dom = landlock_get_current_domain(); + rcu_read_lock(); + parent_dom = landlock_get_task_domain(parent); + err = domain_ptrace(parent_dom, child_dom); + + /* + * For the ptrace_traceme case, we log the domain which is the cause of + * the denial, which means the parent domain instead of the current + * domain. This may look weird because the ptrace_traceme action is a + * request to be traced, but the semantic is consistent with + * hook_ptrace_access_check(). + */ + if (err) { + request.layer_plus_one = parent_dom->num_layers; + landlock_log_denial(parent_dom, &request); + } + + rcu_read_unlock(); + return err; } /** @@ -128,7 +175,7 @@ static bool domain_is_scoped(const struct landlock_ruleset *const client, access_mask_t scope) { int client_layer, server_layer; - struct landlock_hierarchy *client_walker, *server_walker; + const struct landlock_hierarchy *client_walker, *server_walker; /* Quick return if client has no domain */ if (WARN_ON_ONCE(!client)) From patchwork Wed Jan 8 15:43:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931227 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8faa.mail.infomaniak.ch (smtp-8faa.mail.infomaniak.ch [83.166.143.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 123251FF1A1 for ; Wed, 8 Jan 2025 15:44:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351045; cv=none; b=MdYgczvxFJ/aAItx4e7xY8GQi8dxCA8oma5FYriO25fQLWmOjrpJPk1fAsbOxiPC3FDhTn3v3RtvMH9xcply2VYmanHRmn+k0qP+lWfXh3sbJ5Um2h2RALhONzgoOHEpSExFIYZzEUHTZFfPtnrYpaDQMC3ivNm2Bi/Qz9FbxvI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351045; c=relaxed/simple; bh=O1ptSGTMtGLCQ6gzOrMyjL3blWYC4kR7zSOgH/Pmki0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=nxzp+4RtfJZTITJ8q5DvJdN9Wt2SZ7OoDizgOlfm3xX5DDQbZcWNNO7wlU/JtsdxG0fLf/oVTWS5rZeeC8rGzaUFc4VEoEanOvMAas5OJN52IJD5yhbIW4yPCiB60lqOWERk1x91oylQY0VinO++F4OOXGp6yiPHAyUzE6luk6s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=nWxGquXP; arc=none smtp.client-ip=83.166.143.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="nWxGquXP" Received: from smtp-3-0001.mail.infomaniak.ch (smtp-3-0001.mail.infomaniak.ch [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf81pqqz5pK; Wed, 8 Jan 2025 16:44:00 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351040; bh=3Bs0C1dXcwoJq01MaXFSE9CnXw0KoaebNmPaW/e0NYg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nWxGquXPef2Iq/GisAaB8LY6X9Khu6VeOv8ArtzkDs0f/SUSJG1irC94nczqbJm7P cTWjRIFkaVKyrLEBOg9uBOsoN/ntbljsivecJZn8yt3P5zaLJs22W6ErpoBb5LN4Yl 1gAC3A9TtTfeApSjfhfeedmczpcgjt+NsHMuzWME= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsf72CXTzKcS; Wed, 8 Jan 2025 16:43:59 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 09/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties Date: Wed, 8 Jan 2025 16:43:17 +0100 Message-ID: <20250108154338.1129069-10-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Asynchronously log domain information when it first denies an access. This minimize the amount of generated logs, which makes it possible to always log denials since they should not happen (except with the new LANDLOCK_RESTRICT_SELF_QUIET flag). These records are identified with the new AUDIT_LANDLOCK_DOM_INFO type. The AUDIT_LANDLOCK_DOM_INFO message contains: - the "domain" ID which is described, - the "creation" time of this domain, - a minimal set of properties to easily identify the task that loaded the domain's policy with landlock_restrict_self(2): "pid", "uid", executable path ("exe"), and command line ("comm"). This requires each domain to save these task properties at creation time in the new struct landlock_details. A reference to the PID is kept for the lifetime of the domain to avoid race conditions when investigating the related task. The executable path is resolved and stored to not keep a reference to the filesystem and block related actions. All these metadata are stored for the lifetime of the related domain and should then be minimal. The required memory is not accounted to the task calling landlock_restrict_self(2) contrary to most other Landlock allocations (see related comment). The AUDIT_LANDLOCK_DOM_INFO record follows the first AUDIT_LANDLOCK_DENY record for the same domain, which is always followed by AUDIT_SYSCALL and AUDIT_PROCTITLE. This is in line with the audit logic to first record the cause of an event, and then add context with other types of record. Audit event sample for a first denial: type=LANDLOCK_DENY msg=audit(1732186800.349:44): domain=195ba459b blockers=ptrace opid=1 ocomm="systemd" type=LANDLOCK_DOM_INFO msg=audit(1732186800.349:44): domain=195ba459b creation=1732186800.345 pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer" type=SYSCALL msg=audit(1732186800.349:44): arch=c000003e syscall=101 success=no [...] pid=300 auid=0 Audit event sample for a following denial: type=LANDLOCK_DENY msg=audit(1732186800.372:45): domain=195ba459b blockers=ptrace opid=1 ocomm="systemd" type=SYSCALL msg=audit(1732186800.372:45): arch=c000003e syscall=101 success=no [...] pid=300 auid=0 Log domain deletion with the new AUDIT_LANDLOCK_DOM_DROP record type when a domain was previously logged. This makes it possible for log parsers to free potential resources when a domain ID will never show again. The AUDIT_LANDLOCK_DOM_DROP message contains: - the "domain" ID which is being freed, - the number of "denials" accounted to this domain, which is at least 1. The number of denied access requests is useful to easily check how many access requests a domain blocked and potentially if some of them are missing in logs because of audit rate limiting or audit rules. Rate limiting could also drop this record though. Audit event sample for a deletion of a domain that denied something: type=LANDLOCK_DOM_DROP msg=audit(1732186800.393:46): domain=195ba459b denials=2 Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-10-mic@digikod.net --- Questions about AUDIT_LANDLOCK_DOM_INFO messages (keeping in mind that each logged metadata may need to be stored for the lifetime of each domain): - Should we also log the initially restricted task's loginuid? - Should we also log the initially restricted task's sessionid? Changes since v3: - Log number of denied access requests with AUDIT_LANDLOCK_DOM_DROP records, suggested by Tyler. - Do not store a struct path pointer but the resolved string instead. This enables us to not block unmount of the initially restricted task executable's mount point. See the new get_current_info() and get_current_exe(). A following patch add tests for this case. - Create and allocate a new struct landlock_details for initially restricted task's information. - Remove audit_get_ctime() call, as requested by Paul. We now always have a standalone timestamp per Landlock domain creations. - Fix docstring. Changes since v2: - Fix docstring. - Fix log_status check in log_hierarchy() to also log LANDLOCK_LOG_DISABLED. - Add audit's creation time to domain's properties. - Use hexadecimal notation for domain IDs. - Remove domain's parent records: parent domains are not really useful in the logs. They will be available with the upcoming introspection feature though. - Extend commit message with audit's timestamp explanation. Changes since v1: - Add a ruleset's version for atomic logs. - Rebased on the TCP patch series. - Rename operation using "_" instead of "-". - Rename AUDIT_LANDLOCK to AUDIT_LANDLOCK_RULESET. - Only log when audit is enabled, but always set domain IDs. - Don't log task's PID/TID with log_task() because it would be redundant with the SYSCALL record. - Remove race condition when logging ruleset creation and logging ruleset modification while the related file descriptor was already registered but the ruleset creation not logged yet. - Fix domain drop logs. - Move the domain drop record from the previous patch into this one. - Do not log domain creation but log first domain use instead. - Save task's properties that sandbox themselves. --- include/uapi/linux/audit.h | 2 + security/landlock/audit.c | 88 ++++++++++++++++++++++++++++- security/landlock/audit.h | 7 +++ security/landlock/domain.c | 109 ++++++++++++++++++++++++++++++++++++ security/landlock/domain.h | 63 +++++++++++++++++++++ security/landlock/ruleset.c | 6 ++ 6 files changed, 274 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 60c909c396c0..a72f7b3403be 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -147,6 +147,8 @@ #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ #define AUDIT_LANDLOCK_DENY 1423 /* Landlock denial */ +#define AUDIT_LANDLOCK_DOM_INFO 1424 /* Landlock domain properties */ +#define AUDIT_LANDLOCK_DOM_DROP 1425 /* Landlock domain release */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/security/landlock/audit.c b/security/landlock/audit.c index d90680a5026a..ccc591146f8a 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -8,6 +8,8 @@ #include #include #include +#include +#include #include "audit.h" #include "domain.h" @@ -30,6 +32,43 @@ static void log_blockers(struct audit_buffer *const ab, audit_log_format(ab, "%s", get_blocker(type)); } +static void log_node(struct landlock_hierarchy *const node) +{ + struct audit_buffer *ab; + + if (WARN_ON_ONCE(!node)) + return; + + /* Ignores already logged domains. */ + if (READ_ONCE(node->log_status) == LANDLOCK_LOG_RECORDED) + return; + + ab = audit_log_start(audit_context(), GFP_ATOMIC, + AUDIT_LANDLOCK_DOM_INFO); + if (!ab) + return; + + WARN_ON_ONCE(node->id == 0); + audit_log_format( + ab, + "domain=%llx creation=%llu.%03lu pid=%d uid=%u exe=", node->id, + /* See audit_log_start() */ + (unsigned long long)node->details->creation.tv_sec, + node->details->creation.tv_nsec / 1000000, + pid_nr(node->details->pid), + from_kuid(&init_user_ns, node->details->cred->uid)); + audit_log_untrustedstring(ab, node->details->exe_path); + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, node->details->comm); + audit_log_end(ab); + + /* + * There may be race condition leading to logging of the same domain + * several times but that is OK. + */ + WRITE_ONCE(node->log_status, LANDLOCK_LOG_RECORDED); +} + static struct landlock_hierarchy * get_hierarchy(const struct landlock_ruleset *const domain, const size_t layer) { @@ -103,6 +142,15 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, if (!is_valid_request(request)) return; + youngest_denied = get_hierarchy(domain, request->layer_plus_one - 1); + + /* + * Consistently keeps track of the number of denied access requests + * even if audit is currently disabled or if audit rules currently + * exclude this record type. + */ + atomic64_inc(&youngest_denied->num_denials); + if (!unlikely(audit_context() && audit_enabled)) return; @@ -111,11 +159,49 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, if (!ab) return; - youngest_denied = get_hierarchy(domain, request->layer_plus_one - 1); audit_log_format(ab, "domain=%llx blockers=", youngest_denied->id); log_blockers(ab, request->type); audit_log_lsm_data(ab, &request->audit); audit_log_end(ab); + + /* Logs this domain if it is the first time. */ + log_node(youngest_denied); +} + +/** + * landlock_log_drop_domain - Create an audit record when a domain is deleted + * + * @domain: The domain being deleted. + * + * Only domains which previously appeared in the audit logs are logged again. + * This is useful to know when a domain will never show again in the audit log. + * + * This record is not directly tied to a syscall entry. + * + * Called by the cred_free() hook, in an uninterruptible context. + */ +void landlock_log_drop_domain(const struct landlock_ruleset *const domain) +{ + struct audit_buffer *ab; + + if (WARN_ON_ONCE(!domain->hierarchy)) + return; + + if (!audit_enabled) + return; + + /* Ignores domains that were not logged. */ + if (READ_ONCE(domain->hierarchy->log_status) != LANDLOCK_LOG_RECORDED) + return; + + ab = audit_log_start(audit_context(), GFP_ATOMIC, + AUDIT_LANDLOCK_DOM_DROP); + if (!ab) + return; + + audit_log_format(ab, "domain=%llx denials=%llu", domain->hierarchy->id, + atomic64_read(&domain->hierarchy->num_denials)); + audit_log_end(ab); } #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 4a635d8bc1af..7bc67ca2e470 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -36,11 +36,18 @@ struct landlock_request { #ifdef CONFIG_AUDIT +void landlock_log_drop_domain(const struct landlock_ruleset *const domain); + void landlock_log_denial(const struct landlock_ruleset *const domain, const struct landlock_request *const request); #else /* CONFIG_AUDIT */ +static inline void +landlock_log_drop_domain(const struct landlock_ruleset *const domain) +{ +} + static inline void landlock_log_denial(const struct landlock_ruleset *const domain, const struct landlock_request *const request) diff --git a/security/landlock/domain.c b/security/landlock/domain.c index 895874285fe2..d0cb9f8683b4 100644 --- a/security/landlock/domain.c +++ b/security/landlock/domain.c @@ -7,10 +7,17 @@ * Copyright © 2024-2025 Microsoft Corporation */ +#include +#include #include #include +#include +#include +#include +#include #include "domain.h" +#include "fs.h" #include "id.h" void landlock_get_hierarchy(struct landlock_hierarchy *const hierarchy) @@ -24,6 +31,12 @@ void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) { const struct landlock_hierarchy *const freeme = hierarchy; +#ifdef CONFIG_AUDIT + put_cred(hierarchy->details->cred); + put_pid(hierarchy->details->pid); + kfree(hierarchy->details); +#endif /* CONFIG_AUDIT */ + hierarchy = hierarchy->parent; kfree(freeme); } @@ -31,16 +44,112 @@ void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) #ifdef CONFIG_AUDIT +/** + * get_current_exe - Get the current's executable path, if any + * + * @path_str: Returned pointer to a path string with a lifetime tied to the + * returned buffer, if any. + * @path_size: Returned size of the @path string (including the trailing null + * character), if any. + * + * Returns: A pointer to an allocated buffer where @path point to, %NULL if + * there is no executable path, or an error otherwise. + */ +static const void *get_current_exe(const char **path_str, size_t *path_size) +{ + struct mm_struct *mm = current->mm; + struct file *file __free(fput) = NULL; + char *buffer __free(kfree) = NULL; + const char *path; + size_t size; + + /* Adds 11 extra characters for the potential " (deleted)" suffix. */ + const size_t buffer_size = PATH_MAX + 11; + + if (!mm) + return NULL; + + file = get_mm_exe_file(mm); + if (!file) + return NULL; + + buffer = kmalloc(buffer_size, GFP_KERNEL); + if (!buffer) + return ERR_PTR(-ENOMEM); + + path = d_path(&file->f_path, buffer, buffer_size); + if (WARN_ON_ONCE(IS_ERR(path))) + /* Should never happen according to buffer_size. */ + return ERR_CAST(path); + + size = buffer + buffer_size - path; + if (WARN_ON_ONCE(size <= 0)) + return ERR_PTR(-ENAMETOOLONG); + + *path_size = size; + *path_str = path; + return no_free_ptr(buffer); +} + +/* + * Returns: A newly allocated object describing a domain, or an error + * otherwise. + */ +static struct landlock_details *get_current_details(void) +{ + /* Cf. audit_log_d_path_exe() */ + static const char null_path[] = "(null)"; + const char *path_str = null_path; + size_t path_size = sizeof(null_path); + struct landlock_details *details; + const void *buffer __free(kfree) = NULL; + + buffer = get_current_exe(&path_str, &path_size); + if (IS_ERR(buffer)) + return ERR_CAST(buffer); + + /* + * Create the new details according to the path's length. Do not + * allocate with GFP_KERNEL_ACCOUNT because it is independent from the + * caller. + */ + details = + kzalloc(struct_size(details, exe_path, path_size), GFP_KERNEL); + if (!details) + return ERR_PTR(-ENOMEM); + + memcpy(details->exe_path, path_str, path_size); + ktime_get_coarse_real_ts64(&details->creation); + + WARN_ON_ONCE(current_cred() != current_real_cred()); + details->cred = get_current_cred(); + details->pid = get_pid(task_pid(current)); + get_task_comm(details->comm, current); + return details; +} + /** * landlock_init_current_hierarchy - Partially initialize landlock_hierarchy * * @hierarchy: The hierarchy to initialize. * + * The current task is referenced as the domain restrictor. The subjective + * credentials must not be in an overridden state. + * * @hierarchy->parent and @hierarchy->usage should already be set. */ int landlock_init_current_hierarchy(struct landlock_hierarchy *const hierarchy) { + struct landlock_details *details; + + details = get_current_details(); + if (IS_ERR(details)) + return PTR_ERR(details); + + hierarchy->details = details; hierarchy->id = landlock_get_id_range(1); + hierarchy->log_status = LANDLOCK_LOG_PENDING; + atomic64_set(&hierarchy->num_denials, 0); return 0; } diff --git a/security/landlock/domain.h b/security/landlock/domain.h index 514281f64b20..a7fda9c6a5a3 100644 --- a/security/landlock/domain.h +++ b/security/landlock/domain.h @@ -10,8 +10,57 @@ #ifndef _SECURITY_LANDLOCK_DOMAIN_H #define _SECURITY_LANDLOCK_DOMAIN_H +#include #include +#include +#include #include +#include +#include + +enum landlock_log_status { + LANDLOCK_LOG_PENDING = 0, + LANDLOCK_LOG_RECORDED, +}; + +/** + * struct landlock_details - Dommain's creation information + * + * Rarely accessed, mainly when logging the first domain's denial. + * + * The contained pointers are initialized at the domain creation time and never + * changed again. Contrary to most other Landlock object types, this one is + * not allocated with GFP_KERNEL_ACCOUNT because its size may not be under the + * caller's control (e.g. unknown exe_path) and the data is not explicitly + * requested nor used by tasks. + */ +struct landlock_details { + /** + * @creation: Time of the domain creation (i.e. syscall entry as used + * in audit context if available). + */ + struct timespec64 creation; + /** + * @cred: Credential of the task that initially restricted itself, at + * creation time. + */ + const struct cred *cred; + /** + * @pid: PID of the task that initially restricted itself. It still + * identifies the same task. + */ + struct pid *pid; + /** + * @comm: Command line of the task that initially restricted itself, at + * creation time. Always NULL terminated. + */ + char comm[TASK_COMM_LEN]; + /** + * @exe_path: Executable path of the task that initially restricted + * itself, at creation time. Always NULL terminated. + */ + char exe_path[]; +}; /** * struct landlock_hierarchy - Node in a domain hierarchy @@ -29,10 +78,24 @@ struct landlock_hierarchy { refcount_t usage; #ifdef CONFIG_AUDIT + /** + * @log_status: Whether this domain should be logged or not. Because + * concurrent log entries may be created at the same time, it is still + * possible to have several domain records of the same domain. + */ + enum landlock_log_status log_status; + /** + * @num_denials: Number of access requests denied by this domain. + */ + atomic64_t num_denials; /** * @id: Landlock domain ID, sets once at domain creation time. */ u64 id; + /** + * @details: Information about the related domain. + */ + const struct landlock_details *details; #endif /* CONFIG_AUDIT */ }; diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 3e4deb2d0aa3..cd94d4660561 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -509,6 +509,9 @@ static void free_ruleset_work(struct work_struct *const work) void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset) { if (ruleset && refcount_dec_and_test(&ruleset->usage)) { + /* Logs with the current context. */ + landlock_log_drop_domain(ruleset); + INIT_WORK(&ruleset->work_free, free_ruleset_work); schedule_work(&ruleset->work_free); } @@ -520,6 +523,9 @@ void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset) * @parent: Parent domain. * @ruleset: New ruleset to be merged. * + * The current task is requesting to be restricted. The subjective credentials + * must not be in an overridden state (see landlock_init_current_hierarchy). + * * Returns the intersection of @parent and @ruleset, or returns @parent if * @ruleset is empty, or returns a duplicate of @ruleset if @parent is empty. */ From patchwork Wed Jan 8 15:43:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931228 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8fa8.mail.infomaniak.ch (smtp-8fa8.mail.infomaniak.ch [83.166.143.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8DBAE1FF7BF for ; Wed, 8 Jan 2025 15:44:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.168 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351045; cv=none; b=mb4McsDFzQTeUZlvl4Uh/deV6LnXOZY81i1nUDn/PfJuLJI8MuWJbcW7YmY1XRZBs2cH7zju8vR6mqIwd/HtvQGkua1xxJhIgeK0zEHIrtSXQHgxq9ty0tHNtNBgBtKDd1In+7VAwG22uqKGrVtlhKA4qwcMPK4gjcJ5596buyE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351045; c=relaxed/simple; bh=sIMzLxtiqYnuIL+sirssPezjol92I2zFln5U2PbP2Bs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=bsPKywWuiJWiCkGlAEwJ3hENaWELQK9XoK+4A2802XLrPGaefpHOaXhkBw0SKpF2tn/wNsh7aCTTq7Ua6QIUXwV3JiVoM0K1LEY60PeVYql99eFY2OBLgtufbtC2GMsJ6BjVO38Rt1TjTiGU9hE6yyLkNMIiwAb2ZG8jU7AnsaY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=vMoi7bzn; arc=none smtp.client-ip=83.166.143.168 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="vMoi7bzn" Received: from smtp-3-0000.mail.infomaniak.ch (smtp-3-0000.mail.infomaniak.ch [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsf971Xhz4JR; Wed, 8 Jan 2025 16:44:01 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351041; bh=sA3tQ0E1xt/REioAAG6B7sH7UGS9WSxhmY0Puu/KnBg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vMoi7bznWU0HGrjEeznEs60tb3rtDsKVrjjUa6ObJD27315eokYxbPV1PUr4uWmTx zrTZIELE90PHk+zYE6wA2OJv1liUP0SOPUyIIj17WhDYZhyxpxjQlkhq1UhVzT771T Ae1S2T52dEiHbsKx/BfbA4OZjhp++0XINzAauuH8= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsf8725Gzs0d; Wed, 8 Jan 2025 16:44:00 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 10/30] landlock: Log mount-related denials Date: Wed, 8 Jan 2025 16:43:18 +0100 Message-ID: <20250108154338.1129069-11-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit support for sb_mount, move_mount, sb_umount, sb_remount, and sb_pivot_root hooks. The new related blocker is "fs.change_layout". Add and use a new landlock_match_layer_level() helper. Audit event sample: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.change_layout name="/" dev="tmpfs" ino=1 Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-11-mic@digikod.net --- Changes since v3: - Cosmetic change to the "fs.change_layout" name. Changes since v2: - Log the domain that denied the action because not all layers block FS layout changes. - Fix landlock_match_layer_level(). Changes since v1: - Rebased on the TCP patch series. - Don't log missing permissions, only domain layer, and then remove the permission word (suggested by Günther) --- security/landlock/audit.c | 3 ++ security/landlock/audit.h | 1 + security/landlock/fs.c | 64 ++++++++++++++++++++++++++++++++++--- security/landlock/ruleset.h | 31 ++++++++++++++++++ 4 files changed, 94 insertions(+), 5 deletions(-) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index ccc591146f8a..aae93b2c994b 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -20,6 +20,9 @@ static const char *get_blocker(const enum landlock_request_type type) switch (type) { case LANDLOCK_REQUEST_PTRACE: return "ptrace"; + + case LANDLOCK_REQUEST_FS_CHANGE_LAYOUT: + return "fs.change_layout"; } WARN_ON_ONCE(1); diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 7bc67ca2e470..745dcf7b1b6d 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -15,6 +15,7 @@ enum landlock_request_type { LANDLOCK_REQUEST_PTRACE = 1, + LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, }; /* diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 9779170d9199..171012efb559 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -37,6 +38,7 @@ #include #include "access.h" +#include "audit.h" #include "common.h" #include "cred.h" #include "fs.h" @@ -1301,6 +1303,38 @@ static void hook_sb_delete(struct super_block *const sb) !atomic_long_read(&landlock_superblock(sb)->inode_refs)); } +static void +log_fs_change_layout_path(const struct landlock_ruleset *const domain, + const struct path *const path) +{ + const struct landlock_request request = { + .type = LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, + .audit = { + .type = LSM_AUDIT_DATA_PATH, + .u.path = *path, + }, + .layer_plus_one = landlock_match_layer_level(domain, any_fs) + 1, + }; + + landlock_log_denial(domain, &request); +} + +static void +log_fs_change_layout_dentry(const struct landlock_ruleset *const domain, + struct dentry *const dentry) +{ + const struct landlock_request request = { + .type = LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, + .audit = { + .type = LSM_AUDIT_DATA_DENTRY, + .u.dentry = dentry, + }, + .layer_plus_one = landlock_match_layer_level(domain, any_fs) + 1, + }; + + landlock_log_denial(domain, &request); +} + /* * Because a Landlock security policy is defined according to the filesystem * topology (i.e. the mount namespace), changing it may grant access to files @@ -1323,16 +1357,24 @@ static int hook_sb_mount(const char *const dev_name, const struct path *const path, const char *const type, const unsigned long flags, void *const data) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom = get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_path(dom, path); return -EPERM; } static int hook_move_mount(const struct path *const from_path, const struct path *const to_path) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom = get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_path(dom, to_path); return -EPERM; } @@ -1342,15 +1384,23 @@ static int hook_move_mount(const struct path *const from_path, */ static int hook_sb_umount(struct vfsmount *const mnt, const int flags) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom = get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_dentry(dom, mnt->mnt_root); return -EPERM; } static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom = get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_dentry(dom, sb->s_root); return -EPERM; } @@ -1365,8 +1415,12 @@ static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts) static int hook_sb_pivotroot(const struct path *const old_path, const struct path *const new_path) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom = get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_path(dom, new_path); return -EPERM; } diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 39169b6860e3..7dba8bf960f6 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -267,6 +267,37 @@ landlock_get_applicable_domain(const struct landlock_ruleset *const domain, return NULL; } +/** + * landlock_match_layer_level - Return the layer level restricting @masks + * + * @domain: Landlock ruleset (used as a domain) + * @masks: access masks + * + * Returns: the number of the layer restricting/handling any right of @access, + * or return 0 (i.e. first layer) otherwise. + */ +static inline size_t +landlock_match_layer_level(const struct landlock_ruleset *const domain, + const struct access_masks masks) +{ + const union access_masks_all masks_all = { + .masks = masks, + }; + ssize_t layer_level; + + for (layer_level = domain->num_layers; layer_level >= 0; + layer_level--) { + union access_masks_all layer = { + .masks = domain->access_masks[layer_level], + }; + + if (masks_all.all & layer.all) + return layer_level; + } + + return 0; +} + static inline void landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, const access_mask_t fs_access_mask, From patchwork Wed Jan 8 15:43:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931234 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-1909.mail.infomaniak.ch (smtp-1909.mail.infomaniak.ch [185.125.25.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5718A200127 for ; Wed, 8 Jan 2025 15:44:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.9 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351054; cv=none; b=BLWuIUOGODdwJinqR3dW67eLmeiuzZGY/Aia8JmrSNxJfa30BqWVMrL8Wvn0PZkpSpk9KDnIY6hMb1zJKHQVkMnvjbrdbCZSai5u8buL8uAnGWx44dStVJHCzjWcn+x67RsG2wHWe0wmBrfu99bipYOk2hsroE8nynuzx/1wpoo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351054; c=relaxed/simple; bh=7ibfBYEi6f3gRg6pygE5JOGwb52bRToRkj9Kef1B8ek=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Ve68zjQvses1QQVJ+WFTQxLlnIWO1wpfkFPzCTawUgZ2QPUwpvUQHKrq8b1zGR2Eg+HK/7AdhhTxOzecYLL1oqTw6CkNf1VLehDm9QCRqJ6EMzkdYE/FIsSXS1yAxQEFjX5smUqG9rZCQHc/PR/SpvEaPTg0fM5I4/mlSpjczxg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=EE6astl+; arc=none smtp.client-ip=185.125.25.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="EE6astl+" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfC2vR0zrLS; Wed, 8 Jan 2025 16:44:03 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351043; bh=St27lDxiIu3v5ST9RZRvjuRVlErWHof4RK6UwUhVE6s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EE6astl+NKDQZY4iKCq9GAxWqt3IG1EENFRkpE8H4fDeq6O/LM8chyhOGtDypQiPq d/hSPBLSQ9cJyWAPawwpK0HiukFyXm9zAHfl4hHdcaOfIbMxbmVGYDN2sFqhjkzChJ ayrLksfAHMq35lCSixBfhEwAFr4/7LitgPrcg73I= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfB4Ypyz2F3; Wed, 8 Jan 2025 16:44:02 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 11/30] landlock: Align partial refer access checks with final ones Date: Wed, 8 Jan 2025 16:43:19 +0100 Message-ID: <20250108154338.1129069-12-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Fix a logical issue that could have been visible if the source or the destination of a rename/link action was allowed for either the source or the destination but not both. However, this logical bug is unreachable because either: - the rename/link action is allowed by the access rights tied to the same mount point (without relying on access rights in a parent mount point) and the access request is allowed (i.e. allow_parent1 and allow_parent2 are true in current_check_refer_path), - or a common rule in a parent mount point updates the access check for the source and the destination (cf. is_access_to_paths_allowed). See the following layout1.refer_part_mount_tree_is_allowed test that work with and without this fix. This fix does not impact current code but it is required for the audit support. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-12-mic@digikod.net --- Changes since v2: - New patch. --- security/landlock/fs.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 171012efb559..ddadc465581e 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -567,6 +567,12 @@ static void test_no_more_access(struct kunit *const test) #undef NMA_TRUE #undef NMA_FALSE +static bool is_layer_masks_allowed( + layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]) +{ + return !memchr_inv(layer_masks, 0, sizeof(*layer_masks)); +} + /* * Removes @layer_masks accesses that are not requested. * @@ -584,7 +590,8 @@ scope_to_request(const access_mask_t access_request, for_each_clear_bit(access_bit, &access_req, ARRAY_SIZE(*layer_masks)) (*layer_masks)[access_bit] = 0; - return !memchr_inv(layer_masks, 0, sizeof(*layer_masks)); + + return is_layer_masks_allowed(layer_masks); } #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST @@ -773,9 +780,14 @@ static bool is_access_to_paths_allowed( if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1)) return false; + allowed_parent1 = is_layer_masks_allowed(layer_masks_parent1); + if (unlikely(layer_masks_parent2)) { if (WARN_ON_ONCE(!dentry_child1)) return false; + + allowed_parent2 = is_layer_masks_allowed(layer_masks_parent2); + /* * For a double request, first check for potential privilege * escalation by looking at domain handled accesses (which are From patchwork Wed Jan 8 15:43:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931235 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-42af.mail.infomaniak.ch (smtp-42af.mail.infomaniak.ch [84.16.66.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 35115201033 for ; Wed, 8 Jan 2025 15:44:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=84.16.66.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351055; cv=none; b=PRTPHKMG4NihwVGkwiYZD+iVnhCTX9ftpsCgSgTvHRodn8chjG3QbaUy8L2AKPz69OPaU4SIlyc7gjAlHcz1qSRLyB3K7L9RTN0R2yZcDRgthNWRJ06qfzzt4ZUex8L5QLoMslyXRg/8JJ2MgZf7Tn5/d5fx48Pi2X9YHyFiq3U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351055; c=relaxed/simple; bh=RlAygBJ9IIVrNtbofL5Dy3vbw+rLKcBXWDSsv9CbMXE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=nxSQcOHrlVlfAr1evPV6rbvNpCjsYvHWVEDaiO8SpwexySe2ZbGw/7gHmr743dnmcuGxZdSyeuOh8vjf0jIGfzhbQDm1SYqCLGBXc9+ZzmRuyrSVTizSp/nbh4VdIG9jBaD3Y2WFJf9IUqLFGf4XfWVqo/7+MKJw1+/shJtxojw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=o718xX7t; arc=none smtp.client-ip=84.16.66.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="o718xX7t" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfD6Thmzpc9; Wed, 8 Jan 2025 16:44:04 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351044; bh=zVKxiiqiK6yNDO4DxcSnrYBrnX+mtc4HDGZXmojhDXo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o718xX7tRrpNay544j121jDjQh1zrHolEPw8wERyjB+qUeD+YcPxBd5CDkEyJaM/s xEhYt1epJgn5G1nA0TQBmUlCw+UIlr8qp8v5iuM2xjXIxBOwakzMxrWRUcyUwxswg1 tPFjxf2ylPMoS4+YJ8PzkRcWJ7+CezP3sQFyk95k= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfD0gdvz2k8; Wed, 8 Jan 2025 16:44:04 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 12/30] selftests/landlock: Add test to check partial access in a mount tree Date: Wed, 8 Jan 2025 16:43:20 +0100 Message-ID: <20250108154338.1129069-13-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add layout1.refer_part_mount_tree_is_allowed to test the masked logical issue regarding collect_domain_accesses() calls followed by the is_access_to_paths_allowed() check in current_check_refer_path(). See previous commit. This test should work without the previous fix as well, but it enables us to make sure future changes will not have impact regarding this behavior. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-13-mic@digikod.net --- Changes since v2: - New patch. --- tools/testing/selftests/landlock/fs_test.c | 54 ++++++++++++++++++++-- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 6788762188fe..42ce1e79ba82 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -85,6 +85,9 @@ static const char file1_s3d1[] = TMP_DIR "/s3d1/f1"; /* dir_s3d2 is a mount point. */ static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2"; static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3"; +static const char file1_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3/f1"; +static const char dir_s3d4[] = TMP_DIR "/s3d1/s3d2/s3d4"; +static const char file1_s3d4[] = TMP_DIR "/s3d1/s3d2/s3d4/f1"; /* * layout1 hierarchy: @@ -108,8 +111,11 @@ static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3"; * │   └── f2 * └── s3d1 *    ├── f1 - * └── s3d2 - * └── s3d3 + * └── s3d2 [mount point] + *    ├── s3d3 + *    │ └── f1 + *    └── s3d4 + *    └── f1 */ static bool fgrep(FILE *const inf, const char *const str) @@ -358,7 +364,8 @@ static void create_layout1(struct __test_metadata *const _metadata) ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2)); clear_cap(_metadata, CAP_SYS_ADMIN); - ASSERT_EQ(0, mkdir(dir_s3d3, 0700)); + create_file(_metadata, file1_s3d3); + create_file(_metadata, file1_s3d4); } static void remove_layout1(struct __test_metadata *const _metadata) @@ -378,7 +385,8 @@ static void remove_layout1(struct __test_metadata *const _metadata) EXPECT_EQ(0, remove_path(dir_s2d2)); EXPECT_EQ(0, remove_path(file1_s3d1)); - EXPECT_EQ(0, remove_path(dir_s3d3)); + EXPECT_EQ(0, remove_path(file1_s3d3)); + EXPECT_EQ(0, remove_path(file1_s3d4)); set_cap(_metadata, CAP_SYS_ADMIN); umount(dir_s3d2); clear_cap(_metadata, CAP_SYS_ADMIN); @@ -2444,6 +2452,44 @@ TEST_F_FORK(layout1, refer_mount_root_deny) EXPECT_EQ(0, close(root_fd)); } +TEST_F_FORK(layout1, refer_part_mount_tree_is_allowed) +{ + const struct rule layer1[] = { + { + /* Parent mount point. */ + .path = dir_s3d1, + .access = LANDLOCK_ACCESS_FS_REFER | + LANDLOCK_ACCESS_FS_MAKE_REG, + }, + { + /* + * Removing the source file is allowed because its + * access rights are already a superset of the + * destination. + */ + .path = dir_s3d4, + .access = LANDLOCK_ACCESS_FS_REFER | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_REMOVE_FILE, + }, + {}, + }; + int ruleset_fd; + + ASSERT_EQ(0, unlink(file1_s3d3)); + ruleset_fd = create_ruleset(_metadata, + LANDLOCK_ACCESS_FS_REFER | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_REMOVE_FILE, + layer1); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(0, rename(file1_s3d4, file1_s3d3)); +} + TEST_F_FORK(layout1, reparent_link) { const struct rule layer1[] = { From patchwork Wed Jan 8 15:43:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931231 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0e.mail.infomaniak.ch (smtp-bc0e.mail.infomaniak.ch [45.157.188.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED0761FF1B9 for ; Wed, 8 Jan 2025 15:44:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351051; cv=none; b=ebLcHrZqgu8TQoQu5UE/OZA7NJpU4fGJkalL9HM9/q3lHstWiU5O7QLNJ0Uk/0lgaeV1MRgjraqiKwdqzJFF7fvqjcb1LWJ1As/krok3brEj/dnArzn8/iMMr9EoQbC/k9nw8rkZMUATFsu/mextAUyW8lsUkeB1dMhzdnTmDj0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351051; c=relaxed/simple; bh=lVrV7J5cM/dM3iWDO/GHHdBWIWG4fgHsItD/DNDeEQk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=cGF5//eEiXmgb+qICK3NAAylW//lgLmXK+aiVVKBCnjDEsoTjv4v+ywnmuK9SO3JICKvJDR08ILcEpr8mzpBUQSo5E8KP5XUs9ET+TnCQFrVFRRItONFs8upAIMHZ5pssVX28szURJJKp6jXEYdTEipQ/DPkJ+StazvM4Rht+0I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=Z3hdcn8m; arc=none smtp.client-ip=45.157.188.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="Z3hdcn8m" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfG0q3Qz5g6; Wed, 8 Jan 2025 16:44:06 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351046; bh=VyQ3k4Kx2PFxPOjHeB4fbF0Tg3KB0EOFBlUpRjnTNqc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Z3hdcn8mdzC3dOS7hbFk/K0B1Nzvu9i3dX1aRFYcwFnvJ66xQT9u8eivV8ZMh5vFU ZdvwUAouIa8cSHMSQsFD5g6GDKE0OaRF6ZYX6fy+VmXEpUnzHoD125IhNs9y9FE+4F f6APvB8lZmOse/rRTaMvigh1Bi8kM3fV1XZmonys= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfF3JjgzKSg; Wed, 8 Jan 2025 16:44:05 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 13/30] landlock: Optimize file path walks and prepare for audit support Date: Wed, 8 Jan 2025 16:43:21 +0100 Message-ID: <20250108154338.1129069-14-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Always synchronize access_masked_parent* with access_request_parent* according to allowed_parent*. This is required for audit support to be able to get back to the reason of denial. In a rename/link action, instead of always checking a rule two times for the same parent directory of the source and the destination files, only check it when an action on a child was not already allowed. This also enables us to keep consistent allowed_parent* status, which is required to get back to the reason of denial. For internal mount points, only upgrade allowed_parent* to true but do not wrongfully set both of them to false otherwise. This is also required to get back to the reason of denial. This does not impact the current behavior but slightly optimize code and prepare for audit support that needs to know the exact reason why an access was denied. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-14-mic@digikod.net --- Changes since v2: - New patch. --- security/landlock/fs.c | 44 ++++++++++++++++++++++++++---------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index ddadc465581e..01f9d5e78218 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -854,15 +854,6 @@ static bool is_access_to_paths_allowed( child1_is_directory, layer_masks_parent2, layer_masks_child2, child2_is_directory))) { - allowed_parent1 = scope_to_request( - access_request_parent1, layer_masks_parent1); - allowed_parent2 = scope_to_request( - access_request_parent2, layer_masks_parent2); - - /* Stops when all accesses are granted. */ - if (allowed_parent1 && allowed_parent2) - break; - /* * Now, downgrades the remaining checks from domain * handled accesses to requested accesses. @@ -870,15 +861,32 @@ static bool is_access_to_paths_allowed( is_dom_check = false; access_masked_parent1 = access_request_parent1; access_masked_parent2 = access_request_parent2; + + allowed_parent1 = + allowed_parent1 || + scope_to_request(access_masked_parent1, + layer_masks_parent1); + allowed_parent2 = + allowed_parent2 || + scope_to_request(access_masked_parent2, + layer_masks_parent2); + + /* Stops when all accesses are granted. */ + if (allowed_parent1 && allowed_parent2) + break; } rule = find_rule(domain, walker_path.dentry); - allowed_parent1 = landlock_unmask_layers( - rule, access_masked_parent1, layer_masks_parent1, - ARRAY_SIZE(*layer_masks_parent1)); - allowed_parent2 = landlock_unmask_layers( - rule, access_masked_parent2, layer_masks_parent2, - ARRAY_SIZE(*layer_masks_parent2)); + allowed_parent1 = allowed_parent1 || + landlock_unmask_layers( + rule, access_masked_parent1, + layer_masks_parent1, + ARRAY_SIZE(*layer_masks_parent1)); + allowed_parent2 = allowed_parent2 || + landlock_unmask_layers( + rule, access_masked_parent2, + layer_masks_parent2, + ARRAY_SIZE(*layer_masks_parent2)); /* Stops when a rule from each layer grants access. */ if (allowed_parent1 && allowed_parent2) @@ -902,8 +910,10 @@ static bool is_access_to_paths_allowed( * access to internal filesystems (e.g. nsfs, which is * reachable through /proc//ns/). */ - allowed_parent1 = allowed_parent2 = - !!(walker_path.mnt->mnt_flags & MNT_INTERNAL); + if (walker_path.mnt->mnt_flags & MNT_INTERNAL) { + allowed_parent1 = true; + allowed_parent2 = true; + } break; } parent_dentry = dget_parent(walker_path.dentry); From patchwork Wed Jan 8 15:43:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931232 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-190e.mail.infomaniak.ch (smtp-190e.mail.infomaniak.ch [185.125.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 383B6200BA2 for ; Wed, 8 Jan 2025 15:44:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351053; cv=none; b=ZbN2YwPHPVAkNiG+Am9KBwGiMxBXZCve2R7DVdwNVRblpyAhVUhtpvldr4kWAK8+KvMgZHOJF/M1g01SwnrYarKjFD05kXf/D8i6LKUEmt4+4YzN0m9uQuxH4WSrqbp26oWlZcRqz3qTKN9RoraU3odmmhK6Gm0yGDmN/tAded8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351053; c=relaxed/simple; bh=RZwxHrJMgDj5SndDqsvGMaghHawEXk0XcX8ARzfPR5o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=cS0q8ka6M0dac0mLebVfYo+yjt9DfXdX9g0Kj1hU995l5QYXhbI0/qTP0rTj7s91XzX3cI+FIymoMA40Vll6YarcpWPxcs82W7V8D4cpAxASHrQnvkrOy5rQMlsr3TQRmS5guhqxFeL9hx39JpXbt16PEKtAvWVWPnA/GIBj7o4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=c30pmZVb; arc=none smtp.client-ip=185.125.25.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="c30pmZVb" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfH5WH4zC77; Wed, 8 Jan 2025 16:44:07 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351047; bh=SfrAfYYSHBImPzCn8yz6R+GIVRtqTvtKhbY/pZ1i7Eg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=c30pmZVbtiqYQiBJkQ29PpB7pAOV4xZ9WUlmwrvFrJlzvmhuc0XoqNhTOVoGiJjaq prCMzr61SsSErF7JpQ1CLbOeRIJ0jRUCcU1hHbhP6BMjZ6S7iIbdKXX8ixGUKHA7ih Yk8KUPLnEFXzxD1pofdb+QMqyoRBvuvCyVn+5zQU= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfG5kk8zswB; Wed, 8 Jan 2025 16:44:06 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 14/30] landlock: Log file-related denials Date: Wed, 8 Jan 2025 16:43:22 +0100 Message-ID: <20250108154338.1129069-15-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit support for path_mkdir, path_mknod, path_symlink, path_unlink, path_rmdir, path_truncate, path_link, path_rename, and file_open hooks. The dedicated blockers are: - fs.execute - fs.write_file - fs.read_file - fs.read_dir - fs.remove_dir - fs.remove_file - fs.make_char - fs.make_dir - fs.make_reg - fs.make_sock - fs.make_fifo - fs.make_block - fs.make_sym - fs.refer - fs.truncate - fs.ioctl_dev Audit event sample for a denied link action: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351 type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365 We could pack blocker names (e.g. "fs:make_reg,refer") but that would increase complexity for the kernel and log parsers. Moreover, this could not handle blockers of different classes (e.g. fs and net). Make it simple and flexible instead. Add KUnit tests to check the identification from a layer_mask_t array of the first layer level denying such request. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-15-mic@digikod.net --- Changes since v3: - Rename blockers from fs_* to fs.* - Extend commit message. Changes since v2: - Replace integer with bool in log_blockers(). - Always initialize youngest_layer, spotted by Francis Laniel. - Fix incorrect log reason by using access_masked_parent1 instead of access_request_parent1 (thanks to the previous fix patches). - Clean up formatting. Changes since v1: - Move audit code to the ptrace patch. - Revamp logging and support the path_link and path_rename hooks. - Add KUnit tests. --- security/landlock/audit.c | 177 ++++++++++++++++++++++++++++++++++++-- security/landlock/audit.h | 9 ++ security/landlock/fs.c | 65 +++++++++++--- 3 files changed, 234 insertions(+), 17 deletions(-) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index aae93b2c994b..987b4b15e0d7 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -7,22 +7,55 @@ #include #include +#include #include #include #include +#include #include "audit.h" +#include "common.h" #include "domain.h" #include "ruleset.h" -static const char *get_blocker(const enum landlock_request_type type) +static const char *const fs_access_strings[] = { + [BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = "fs.execute", + [BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)] = "fs.write_file", + [BIT_INDEX(LANDLOCK_ACCESS_FS_READ_FILE)] = "fs.read_file", + [BIT_INDEX(LANDLOCK_ACCESS_FS_READ_DIR)] = "fs.read_dir", + [BIT_INDEX(LANDLOCK_ACCESS_FS_REMOVE_DIR)] = "fs.remove_dir", + [BIT_INDEX(LANDLOCK_ACCESS_FS_REMOVE_FILE)] = "fs.remove_file", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_CHAR)] = "fs.make_char", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_DIR)] = "fs.make_dir", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_REG)] = "fs.make_reg", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_SOCK)] = "fs.make_sock", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_FIFO)] = "fs.make_fifo", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_BLOCK)] = "fs.make_block", + [BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_SYM)] = "fs.make_sym", + [BIT_INDEX(LANDLOCK_ACCESS_FS_REFER)] = "fs.refer", + [BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE)] = "fs.truncate", + [BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV)] = "fs.ioctl_dev", +}; + +static_assert(ARRAY_SIZE(fs_access_strings) == LANDLOCK_NUM_ACCESS_FS); + +static __attribute_const__ const char * +get_blocker(const enum landlock_request_type type, + const unsigned long access_bit) { switch (type) { case LANDLOCK_REQUEST_PTRACE: + WARN_ON_ONCE(access_bit != -1); return "ptrace"; case LANDLOCK_REQUEST_FS_CHANGE_LAYOUT: + WARN_ON_ONCE(access_bit != -1); return "fs.change_layout"; + + case LANDLOCK_REQUEST_FS_ACCESS: + if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(fs_access_strings))) + return "unknown"; + return fs_access_strings[access_bit]; } WARN_ON_ONCE(1); @@ -30,9 +63,20 @@ static const char *get_blocker(const enum landlock_request_type type) } static void log_blockers(struct audit_buffer *const ab, - const enum landlock_request_type type) + const enum landlock_request_type type, + const access_mask_t access) { - audit_log_format(ab, "%s", get_blocker(type)); + const unsigned long access_mask = access; + unsigned long access_bit; + bool is_first = true; + + for_each_set_bit(access_bit, &access_mask, BITS_PER_TYPE(access)) { + audit_log_format(ab, "%s%s", is_first ? "" : ",", + get_blocker(type, access_bit)); + is_first = false; + } + if (is_first) + audit_log_format(ab, "%s", get_blocker(type, -1)); } static void log_node(struct landlock_hierarchy *const node) @@ -119,9 +163,110 @@ static void test_get_hierarchy(struct kunit *const test) #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ +static size_t get_denied_layer(const struct landlock_ruleset *const domain, + access_mask_t *const access_request, + const layer_mask_t (*const layer_masks)[], + const size_t layer_masks_size) +{ + const unsigned long access_req = *access_request; + unsigned long access_bit; + access_mask_t missing = 0; + long youngest_layer = -1; + + for_each_set_bit(access_bit, &access_req, layer_masks_size) { + const access_mask_t mask = (*layer_masks)[access_bit]; + long layer; + + if (!mask) + continue; + + /* __fls(1) == 0 */ + layer = __fls(mask); + if (layer > youngest_layer) { + youngest_layer = layer; + missing = BIT(access_bit); + } else if (layer == youngest_layer) { + missing |= BIT(access_bit); + } + } + + *access_request = missing; + if (youngest_layer == -1) + return domain->num_layers - 1; + + return youngest_layer; +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void test_get_denied_layer(struct kunit *const test) +{ + const struct landlock_ruleset dom = { + .num_layers = 5, + }; + const layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = { + [BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT(0), + [BIT_INDEX(LANDLOCK_ACCESS_FS_READ_FILE)] = BIT(1), + [BIT_INDEX(LANDLOCK_ACCESS_FS_READ_DIR)] = BIT(1) | BIT(0), + [BIT_INDEX(LANDLOCK_ACCESS_FS_REMOVE_DIR)] = BIT(2), + }; + access_mask_t access; + + access = LANDLOCK_ACCESS_FS_EXECUTE; + KUNIT_EXPECT_EQ(test, 0, + get_denied_layer(&dom, &access, &layer_masks, + sizeof(layer_masks))); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_EXECUTE); + + access = LANDLOCK_ACCESS_FS_READ_FILE; + KUNIT_EXPECT_EQ(test, 1, + get_denied_layer(&dom, &access, &layer_masks, + sizeof(layer_masks))); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_READ_FILE); + + access = LANDLOCK_ACCESS_FS_READ_DIR; + KUNIT_EXPECT_EQ(test, 1, + get_denied_layer(&dom, &access, &layer_masks, + sizeof(layer_masks))); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_READ_DIR); + + access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR; + KUNIT_EXPECT_EQ(test, 1, + get_denied_layer(&dom, &access, &layer_masks, + sizeof(layer_masks))); + KUNIT_EXPECT_EQ(test, access, + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR); + + access = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_DIR; + KUNIT_EXPECT_EQ(test, 1, + get_denied_layer(&dom, &access, &layer_masks, + sizeof(layer_masks))); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_READ_DIR); + + access = LANDLOCK_ACCESS_FS_WRITE_FILE; + KUNIT_EXPECT_EQ(test, 4, + get_denied_layer(&dom, &access, &layer_masks, + sizeof(layer_masks))); + KUNIT_EXPECT_EQ(test, access, 0); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + static bool is_valid_request(const struct landlock_request *const request) { - if (WARN_ON_ONCE(!request->layer_plus_one)) + if (WARN_ON_ONCE(!(!!request->layer_plus_one ^ !!request->access))) + return false; + + if (request->access) { + if (WARN_ON_ONCE(!request->layer_masks)) + return false; + } else { + if (WARN_ON_ONCE(request->layer_masks)) + return false; + } + + if (WARN_ON_ONCE(!!request->layer_masks ^ !!request->layer_masks_size)) return false; return true; @@ -138,6 +283,7 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, { struct audit_buffer *ab; struct landlock_hierarchy *youngest_denied; + access_mask_t missing; if (WARN_ON_ONCE(!domain || !domain->hierarchy || !request)) return; @@ -145,7 +291,25 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, if (!is_valid_request(request)) return; - youngest_denied = get_hierarchy(domain, request->layer_plus_one - 1); + missing = request->access; + if (missing) { + size_t youngest_layer; + + /* Gets the nearest domain that denies the request. */ + if (request->layer_masks) { + youngest_layer = get_denied_layer( + domain, &missing, request->layer_masks, + request->layer_masks_size); + } else { + /* This will change with the next commit. */ + WARN_ON_ONCE(1); + youngest_layer = domain->num_layers; + } + youngest_denied = get_hierarchy(domain, youngest_layer); + } else { + youngest_denied = + get_hierarchy(domain, request->layer_plus_one - 1); + } /* * Consistently keeps track of the number of denied access requests @@ -163,7 +327,7 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, return; audit_log_format(ab, "domain=%llx blockers=", youngest_denied->id); - log_blockers(ab, request->type); + log_blockers(ab, request->type, missing); audit_log_lsm_data(ab, &request->audit); audit_log_end(ab); @@ -212,6 +376,7 @@ void landlock_log_drop_domain(const struct landlock_ruleset *const domain) static struct kunit_case test_cases[] = { /* clang-format off */ KUNIT_CASE(test_get_hierarchy), + KUNIT_CASE(test_get_denied_layer), {} /* clang-format on */ }; diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 745dcf7b1b6d..093791929580 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -11,11 +11,13 @@ #include #include +#include "access.h" #include "ruleset.h" enum landlock_request_type { LANDLOCK_REQUEST_PTRACE = 1, LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, + LANDLOCK_REQUEST_FS_ACCESS, }; /* @@ -33,6 +35,13 @@ struct landlock_request { * extra one is useful to detect uninitialized field. */ size_t layer_plus_one; + + /* Required field for configurable access control. */ + access_mask_t access; + + /* Required fields for requests with layer masks. */ + const layer_mask_t (*layer_masks)[]; + size_t layer_masks_size; }; #ifdef CONFIG_AUDIT diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 01f9d5e78218..f38c7a60b9bf 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -730,6 +730,7 @@ static void test_is_eacces_with_write(struct kunit *const test) * those identified by @access_request_parent1). This matrix can * initially refer to domain layer masks and, when the accesses for the * destination and source are the same, to requested layer masks. + * @log_request_parent1: Audit request to fill if the related access is denied. * @dentry_child1: Dentry to the initial child of the parent1 path. This * pointer must be NULL for non-refer actions (i.e. not link nor rename). * @access_request_parent2: Similar to @access_request_parent1 but for a @@ -738,6 +739,7 @@ static void test_is_eacces_with_write(struct kunit *const test) * the source. Must be set to 0 when using a simple path request. * @layer_masks_parent2: Similar to @layer_masks_parent1 but for a refer * action. This must be NULL otherwise. + * @log_request_parent2: Audit request to fill if the related access is denied. * @dentry_child2: Dentry to the initial child of the parent2 path. This * pointer is only set for RENAME_EXCHANGE actions and must be NULL * otherwise. @@ -757,10 +759,12 @@ static bool is_access_to_paths_allowed( const struct path *const path, const access_mask_t access_request_parent1, layer_mask_t (*const layer_masks_parent1)[LANDLOCK_NUM_ACCESS_FS], - const struct dentry *const dentry_child1, + struct landlock_request *const log_request_parent1, + struct dentry *const dentry_child1, const access_mask_t access_request_parent2, layer_mask_t (*const layer_masks_parent2)[LANDLOCK_NUM_ACCESS_FS], - const struct dentry *const dentry_child2) + struct landlock_request *const log_request_parent2, + struct dentry *const dentry_child2) { bool allowed_parent1 = false, allowed_parent2 = false, is_dom_check, child1_is_directory = true, child2_is_directory = true; @@ -922,6 +926,25 @@ static bool is_access_to_paths_allowed( } path_put(&walker_path); + if (!allowed_parent1) { + log_request_parent1->type = LANDLOCK_REQUEST_FS_ACCESS, + log_request_parent1->audit.type = LSM_AUDIT_DATA_PATH, + log_request_parent1->audit.u.path = *path; + log_request_parent1->access = access_masked_parent1; + log_request_parent1->layer_masks = layer_masks_parent1; + log_request_parent1->layer_masks_size = + ARRAY_SIZE(*layer_masks_parent1); + } + + if (!allowed_parent2) { + log_request_parent2->type = LANDLOCK_REQUEST_FS_ACCESS, + log_request_parent2->audit.type = LSM_AUDIT_DATA_PATH, + log_request_parent2->audit.u.path = *path; + log_request_parent2->access = access_masked_parent2; + log_request_parent2->layer_masks = layer_masks_parent2; + log_request_parent2->layer_masks_size = + ARRAY_SIZE(*layer_masks_parent2); + } return allowed_parent1 && allowed_parent2; } @@ -930,6 +953,7 @@ static int current_check_access_path(const struct path *const path, { const struct landlock_ruleset *const dom = get_current_fs_domain(); layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; + struct landlock_request request = {}; if (!dom) return 0; @@ -937,9 +961,10 @@ static int current_check_access_path(const struct path *const path, access_request = landlock_init_layer_masks( dom, access_request, &layer_masks, LANDLOCK_KEY_INODE); if (is_access_to_paths_allowed(dom, path, access_request, &layer_masks, - NULL, 0, NULL, NULL)) + &request, NULL, 0, NULL, NULL, NULL)) return 0; + landlock_log_denial(dom, &request); return -EACCES; } @@ -1108,6 +1133,7 @@ static int current_check_refer_path(struct dentry *const old_dentry, struct dentry *old_parent; layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] = {}, layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] = {}; + struct landlock_request request1 = {}, request2 = {}; if (!dom) return 0; @@ -1139,10 +1165,13 @@ static int current_check_refer_path(struct dentry *const old_dentry, access_request_parent1 = landlock_init_layer_masks( dom, access_request_parent1 | access_request_parent2, &layer_masks_parent1, LANDLOCK_KEY_INODE); - if (is_access_to_paths_allowed( - dom, new_dir, access_request_parent1, - &layer_masks_parent1, NULL, 0, NULL, NULL)) + if (is_access_to_paths_allowed(dom, new_dir, + access_request_parent1, + &layer_masks_parent1, &request1, + NULL, 0, NULL, NULL, NULL)) return 0; + + landlock_log_denial(dom, &request1); return -EACCES; } @@ -1177,12 +1206,22 @@ static int current_check_refer_path(struct dentry *const old_dentry, * parent access rights. This will be useful to compare with the * destination parent access rights. */ - if (is_access_to_paths_allowed( - dom, &mnt_dir, access_request_parent1, &layer_masks_parent1, - old_dentry, access_request_parent2, &layer_masks_parent2, - exchange ? new_dentry : NULL)) + if (is_access_to_paths_allowed(dom, &mnt_dir, access_request_parent1, + &layer_masks_parent1, &request1, + old_dentry, access_request_parent2, + &layer_masks_parent2, &request2, + exchange ? new_dentry : NULL)) return 0; + if (request1.access) { + request1.audit.u.path.dentry = old_parent; + landlock_log_denial(dom, &request1); + } + if (request2.access) { + request2.audit.u.path.dentry = new_dir->dentry; + landlock_log_denial(dom, &request2); + } + /* * This prioritizes EACCES over EXDEV for all actions, including * renames with RENAME_EXCHANGE. @@ -1562,6 +1601,7 @@ static int hook_file_open(struct file *const file) const struct landlock_ruleset *const dom = landlock_get_applicable_domain( landlock_cred(file->f_cred)->domain, any_fs); + struct landlock_request request = {}; if (!dom) return 0; @@ -1587,7 +1627,7 @@ static int hook_file_open(struct file *const file) dom, &file->f_path, landlock_init_layer_masks(dom, full_access_request, &layer_masks, LANDLOCK_KEY_INODE), - &layer_masks, NULL, 0, NULL, NULL)) { + &layer_masks, &request, NULL, 0, NULL, NULL, NULL)) { allowed_access = full_access_request; } else { unsigned long access_bit; @@ -1617,6 +1657,9 @@ static int hook_file_open(struct file *const file) if ((open_access_request & allowed_access) == open_access_request) return 0; + /* Sets access to reflect the actual request. */ + request.access = open_access_request; + landlock_log_denial(dom, &request); return -EACCES; } From patchwork Wed Jan 8 15:43:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931233 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0e.mail.infomaniak.ch (smtp-bc0e.mail.infomaniak.ch [45.157.188.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE25B1FECBB for ; Wed, 8 Jan 2025 15:44:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351053; cv=none; b=d9Jr/yxS5/6PRUAeH2fCPz1KfkWrY6iE0cb36ntir2yqObUcRuETdQ/4toHL1GGSRMYmJnCgiXIIcKczjjCId6/VZrP+vriq0zK2/jn4BjJz+OdoNwTecaeJx8Z+HiWSF3I7U74OKU9VqkvYbfo7JHUycILuoNpZ7qq1/h4LuMk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351053; c=relaxed/simple; bh=IDgmJveT60IsLjyWFw8BsjPdm4KDUSZpqIOkHoaviMc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=am68Q9cTbFULgglCY8/QQzLJ4jC2xP6r6CIk22yTvyl+Plek7O+WKddwVwdd8BJXTQFFCO/0GbiQNAg5lgA/9K0Lk3B/HJFdkLr905xBJUQDLLd+h7uiWqvYr32sffoIgKTbrT5mglaRPy96HNhYDPA0JQE/4TBdujpYzE2x6YU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=PkPhTrY8; arc=none smtp.client-ip=45.157.188.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="PkPhTrY8" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfK0H1kzCmG; Wed, 8 Jan 2025 16:44:09 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351048; bh=y+JWdob0dCBZZVwaPutAf3SRuRNflXUaVu2ezHRg90s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PkPhTrY8+sHXKbH23WuuZ6WiCCkqNxL6lefJg2COZ5huvQJ7cH1eDGPW/RDBnCjip Ru+sg7orQes676UpIeXbXJ4GUDRJHjN7pt7rn8ylmU6myDfeaX3GbAin41ZNB1yiGL 94iUdOSO8Lr3buctvnhnsULv/ndtSLD79rLYJoyg= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfJ2RGjzJbX; Wed, 8 Jan 2025 16:44:08 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 15/30] landlock: Log truncate and IOCTL denials Date: Wed, 8 Jan 2025 16:43:23 +0100 Message-ID: <20250108154338.1129069-16-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit support to the file_truncate and file_ioctl hooks. Add a deny_masks_t type and related helpers to store the domain's layer level per optional access rights (i.e. LANDLOCK_ACCESS_FS_TRUNCATE and LANDLOCK_ACCESS_FS_IOCTL_DEV) when opening a file, which cannot be inferred later. In practice, the landlock_file_security blob size is unchanged because this new one-byte deny_masks field follows the existing two-bytes allowed_access field. Implementing deny_masks_t with a bitfield instead of a struct enables a generic implementation to store and extract layer levels. Add KUnit tests to check the identification of a layer level from a deny_masks_t, and the computation of a deny_masks_t from an access right with its layer level or a layer_mask_t array. Audit event sample: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.ioctl_dev path="/dev/tty" dev="devtmpfs" ino=9 Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-16-mic@digikod.net --- Changes since v3: - Rename get_layer_from_deny_masks(). Changes since v2: - Fix !CONFIG_AUDIT build warning. - Rename ACCESS_FS_OPTIONAL to _LANDLOCK_ACCESS_FS_OPTIONAL. --- security/landlock/access.h | 23 +++++++ security/landlock/audit.c | 102 ++++++++++++++++++++++++++-- security/landlock/audit.h | 4 ++ security/landlock/domain.c | 133 +++++++++++++++++++++++++++++++++++++ security/landlock/domain.h | 8 +++ security/landlock/fs.c | 51 ++++++++++++++ security/landlock/fs.h | 9 +++ 7 files changed, 325 insertions(+), 5 deletions(-) diff --git a/security/landlock/access.h b/security/landlock/access.h index 74fd8f399fbd..1eaaafa63178 100644 --- a/security/landlock/access.h +++ b/security/landlock/access.h @@ -28,6 +28,12 @@ LANDLOCK_ACCESS_FS_REFER) /* clang-format on */ +/* clang-format off */ +#define _LANDLOCK_ACCESS_FS_OPTIONAL ( \ + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) +/* clang-format on */ + typedef u16 access_mask_t; /* Makes sure all filesystem access rights can be stored. */ @@ -60,6 +66,23 @@ typedef u16 layer_mask_t; /* Makes sure all layers can be checked. */ static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS); +/* + * Tracks domains responsible of a denied access. This is required to avoid + * storing in each object the full layer_masks[] required by update_request(). + */ +typedef u8 deny_masks_t; + +/* + * Makes sure all optional access rights can be tied to a layer index (cf. + * get_deny_mask). + */ +static_assert(BITS_PER_TYPE(deny_masks_t) >= + (HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) * + HWEIGHT(_LANDLOCK_ACCESS_FS_OPTIONAL))); + +/* LANDLOCK_MAX_NUM_LAYERS must be a power of two (cf. deny_masks_t assert). */ +static_assert(HWEIGHT(LANDLOCK_MAX_NUM_LAYERS) == 1); + /* Upgrades with all initially denied by default access rights. */ static inline struct access_masks landlock_upgrade_handled_access_masks(struct access_masks access_masks) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 987b4b15e0d7..89446e913d9f 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -13,9 +13,11 @@ #include #include +#include "access.h" #include "audit.h" #include "common.h" #include "domain.h" +#include "fs.h" #include "ruleset.h" static const char *const fs_access_strings[] = { @@ -253,22 +255,111 @@ static void test_get_denied_layer(struct kunit *const test) #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ +static size_t +get_layer_from_deny_masks(access_mask_t *const access_request, + const access_mask_t all_existing_optional_access, + const deny_masks_t deny_masks) +{ + const unsigned long access_opt = all_existing_optional_access; + const unsigned long access_req = *access_request; + access_mask_t missing = 0; + size_t youngest_layer = 0; + size_t access_index = 0; + unsigned long access_bit; + + /* This will require change with new object types. */ + WARN_ON_ONCE(access_opt != _LANDLOCK_ACCESS_FS_OPTIONAL); + + for_each_set_bit(access_bit, &access_opt, + BITS_PER_TYPE(access_mask_t)) { + if (access_req & BIT(access_bit)) { + const size_t layer = + (deny_masks >> (access_index * 4)) & + (LANDLOCK_MAX_NUM_LAYERS - 1); + + if (layer > youngest_layer) { + youngest_layer = layer; + missing = BIT(access_bit); + } else if (layer == youngest_layer) { + missing |= BIT(access_bit); + } + } + access_index++; + } + + *access_request = missing; + return youngest_layer; +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void test_get_layer_from_deny_masks(struct kunit *const test) +{ + deny_masks_t deny_mask; + access_mask_t access; + + /* truncate:0 ioctl_dev:2 */ + deny_mask = 0x20; + + access = LANDLOCK_ACCESS_FS_TRUNCATE; + KUNIT_EXPECT_EQ(test, 0, + get_layer_from_deny_masks(&access, + _LANDLOCK_ACCESS_FS_OPTIONAL, + deny_mask)); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE); + + access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV; + KUNIT_EXPECT_EQ(test, 2, + get_layer_from_deny_masks(&access, + _LANDLOCK_ACCESS_FS_OPTIONAL, + deny_mask)); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV); + + /* truncate:15 ioctl_dev:15 */ + deny_mask = 0xff; + + access = LANDLOCK_ACCESS_FS_TRUNCATE; + KUNIT_EXPECT_EQ(test, 15, + get_layer_from_deny_masks(&access, + _LANDLOCK_ACCESS_FS_OPTIONAL, + deny_mask)); + KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE); + + access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV; + KUNIT_EXPECT_EQ(test, 15, + get_layer_from_deny_masks(&access, + _LANDLOCK_ACCESS_FS_OPTIONAL, + deny_mask)); + KUNIT_EXPECT_EQ(test, access, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL_DEV); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + static bool is_valid_request(const struct landlock_request *const request) { if (WARN_ON_ONCE(!(!!request->layer_plus_one ^ !!request->access))) return false; if (request->access) { - if (WARN_ON_ONCE(!request->layer_masks)) + if (WARN_ON_ONCE(!(!!request->layer_masks ^ + !!request->all_existing_optional_access))) return false; } else { - if (WARN_ON_ONCE(request->layer_masks)) + if (WARN_ON_ONCE(request->layer_masks || + request->all_existing_optional_access)) return false; } if (WARN_ON_ONCE(!!request->layer_masks ^ !!request->layer_masks_size)) return false; + if (request->deny_masks) { + if (WARN_ON_ONCE(!request->all_existing_optional_access)) + return false; + } + return true; } @@ -301,9 +392,9 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, domain, &missing, request->layer_masks, request->layer_masks_size); } else { - /* This will change with the next commit. */ - WARN_ON_ONCE(1); - youngest_layer = domain->num_layers; + youngest_layer = get_layer_from_deny_masks( + &missing, request->all_existing_optional_access, + request->deny_masks); } youngest_denied = get_hierarchy(domain, youngest_layer); } else { @@ -377,6 +468,7 @@ static struct kunit_case test_cases[] = { /* clang-format off */ KUNIT_CASE(test_get_hierarchy), KUNIT_CASE(test_get_denied_layer), + KUNIT_CASE(test_get_layer_from_deny_masks), {} /* clang-format on */ }; diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 093791929580..762cdbd10b3a 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -42,6 +42,10 @@ struct landlock_request { /* Required fields for requests with layer masks. */ const layer_mask_t (*layer_masks)[]; size_t layer_masks_size; + + /* Required fields for requests with deny masks. */ + const access_mask_t all_existing_optional_access; + deny_masks_t deny_masks; }; #ifdef CONFIG_AUDIT diff --git a/security/landlock/domain.c b/security/landlock/domain.c index d0cb9f8683b4..f1a0d1b9af7c 100644 --- a/security/landlock/domain.c +++ b/security/landlock/domain.c @@ -7,6 +7,9 @@ * Copyright © 2024-2025 Microsoft Corporation */ +#include +#include +#include #include #include #include @@ -16,6 +19,8 @@ #include #include +#include "access.h" +#include "common.h" #include "domain.h" #include "fs.h" #include "id.h" @@ -153,4 +158,132 @@ int landlock_init_current_hierarchy(struct landlock_hierarchy *const hierarchy) return 0; } +static deny_masks_t +get_layer_deny_mask(const access_mask_t all_existing_optional_access, + const unsigned long access_bit, const size_t layer) +{ + unsigned long access_weight; + + /* This may require change with new object types. */ + WARN_ON_ONCE(all_existing_optional_access != + _LANDLOCK_ACCESS_FS_OPTIONAL); + + if (WARN_ON_ONCE(layer >= LANDLOCK_MAX_NUM_LAYERS)) + return 0; + + access_weight = hweight_long(all_existing_optional_access & + GENMASK(access_bit, 0)); + if (WARN_ON_ONCE(access_weight < 1)) + return 0; + + return layer + << ((access_weight - 1) * HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1)); +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void test_get_layer_deny_mask(struct kunit *const test) +{ + const unsigned long truncate = BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE); + const unsigned long ioctl_dev = BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV); + + KUNIT_EXPECT_EQ(test, 0, + get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL, + truncate, 0)); + KUNIT_EXPECT_EQ(test, 0x3, + get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL, + truncate, 3)); + + KUNIT_EXPECT_EQ(test, 0, + get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL, + ioctl_dev, 0)); + KUNIT_EXPECT_EQ(test, 0xf0, + get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL, + ioctl_dev, 15)); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + +deny_masks_t +landlock_get_deny_masks(const access_mask_t all_existing_optional_access, + const access_mask_t optional_access, + const layer_mask_t (*const layer_masks)[], + const size_t layer_masks_size) +{ + const unsigned long access_opt = optional_access; + unsigned long access_bit; + deny_masks_t deny_masks = 0; + + /* This may require change with new object types. */ + WARN_ON_ONCE(access_opt != + (optional_access & all_existing_optional_access)); + + if (WARN_ON_ONCE(!layer_masks)) + return 0; + + if (WARN_ON_ONCE(!access_opt)) + return 0; + + for_each_set_bit(access_bit, &access_opt, layer_masks_size) { + const layer_mask_t mask = (*layer_masks)[access_bit]; + + if (!mask) + continue; + + /* __fls(1) == 0 */ + deny_masks |= get_layer_deny_mask(all_existing_optional_access, + access_bit, __fls(mask)); + } + return deny_masks; +} + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static void test_landlock_get_deny_masks(struct kunit *const test) +{ + const layer_mask_t layers1[BITS_PER_TYPE(access_mask_t)] = { + [BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0) | + BIT_ULL(9), + [BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE)] = BIT_ULL(1), + [BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV)] = BIT_ULL(2) | + BIT_ULL(0), + }; + + KUNIT_EXPECT_EQ(test, 0x1, + landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL, + LANDLOCK_ACCESS_FS_TRUNCATE, + &layers1, ARRAY_SIZE(layers1))); + KUNIT_EXPECT_EQ(test, 0x20, + landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL, + LANDLOCK_ACCESS_FS_IOCTL_DEV, + &layers1, ARRAY_SIZE(layers1))); + KUNIT_EXPECT_EQ( + test, 0x21, + landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL_DEV, + &layers1, ARRAY_SIZE(layers1))); +} + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + +static struct kunit_case test_cases[] = { + /* clang-format off */ + KUNIT_CASE(test_get_layer_deny_mask), + KUNIT_CASE(test_landlock_get_deny_masks), + {} + /* clang-format on */ +}; + +static struct kunit_suite test_suite = { + .name = "landlock_domain", + .test_cases = test_cases, +}; + +kunit_test_suite(test_suite); + +#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ + #endif /* CONFIG_AUDIT */ diff --git a/security/landlock/domain.h b/security/landlock/domain.h index a7fda9c6a5a3..e1129ab09a1b 100644 --- a/security/landlock/domain.h +++ b/security/landlock/domain.h @@ -18,6 +18,8 @@ #include #include +#include "access.h" + enum landlock_log_status { LANDLOCK_LOG_PENDING = 0, LANDLOCK_LOG_RECORDED, @@ -103,6 +105,12 @@ struct landlock_hierarchy { int landlock_init_current_hierarchy(struct landlock_hierarchy *const hierarchy); +deny_masks_t +landlock_get_deny_masks(const access_mask_t all_existing_optional_access, + const access_mask_t optional_access, + const layer_mask_t (*const layer_masks)[], + size_t layer_masks_size); + #else /* CONFIG_AUDIT */ static inline int diff --git a/security/landlock/fs.c b/security/landlock/fs.c index f38c7a60b9bf..6404961ecbc7 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -246,6 +246,17 @@ is_masked_device_ioctl_compat(const unsigned int cmd) } } +static void +update_request(struct landlock_request *const request, + const struct landlock_file_security *const file_security, + const access_mask_t access) +{ + request->access = access; +#ifdef CONFIG_AUDIT + request->deny_masks = file_security->deny_masks; +#endif /* CONFIG_AUDIT */ +} + /* Ruleset management */ static struct landlock_object *get_inode_object(struct inode *const inode) @@ -1653,6 +1664,11 @@ static int hook_file_open(struct file *const file) * file access rights in the opened struct file. */ landlock_file(file)->allowed_access = allowed_access; +#ifdef CONFIG_AUDIT + landlock_file(file)->deny_masks = landlock_get_deny_masks( + _LANDLOCK_ACCESS_FS_OPTIONAL, optional_access, &layer_masks, + ARRAY_SIZE(layer_masks)); +#endif /* CONFIG_AUDIT */ if ((open_access_request & allowed_access) == open_access_request) return 0; @@ -1665,6 +1681,15 @@ static int hook_file_open(struct file *const file) static int hook_file_truncate(struct file *const file) { + struct landlock_request request = { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_FILE, + .u.file = file, + }, + .all_existing_optional_access = _LANDLOCK_ACCESS_FS_OPTIONAL, + }; + /* * Allows truncation if the truncate right was available at the time of * opening the file, to get a consistent access check as for read, write @@ -1677,12 +1702,24 @@ static int hook_file_truncate(struct file *const file) */ if (landlock_file(file)->allowed_access & LANDLOCK_ACCESS_FS_TRUNCATE) return 0; + + update_request(&request, landlock_file(file), + LANDLOCK_ACCESS_FS_TRUNCATE); + landlock_log_denial(landlock_cred(file->f_cred)->domain, &request); return -EACCES; } static int hook_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { + struct landlock_request request = { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_FILE, + .u.file = file, + }, + .all_existing_optional_access = _LANDLOCK_ACCESS_FS_OPTIONAL, + }; access_mask_t allowed_access = landlock_file(file)->allowed_access; /* @@ -1700,12 +1737,23 @@ static int hook_file_ioctl(struct file *file, unsigned int cmd, if (is_masked_device_ioctl(cmd)) return 0; + update_request(&request, landlock_file(file), + LANDLOCK_ACCESS_FS_IOCTL_DEV); + landlock_log_denial(landlock_cred(file->f_cred)->domain, &request); return -EACCES; } static int hook_file_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) { + struct landlock_request request = { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_FILE, + .u.file = file, + }, + .all_existing_optional_access = _LANDLOCK_ACCESS_FS_OPTIONAL, + }; access_mask_t allowed_access = landlock_file(file)->allowed_access; /* @@ -1723,6 +1771,9 @@ static int hook_file_ioctl_compat(struct file *file, unsigned int cmd, if (is_masked_device_ioctl_compat(cmd)) return 0; + update_request(&request, landlock_file(file), + LANDLOCK_ACCESS_FS_IOCTL_DEV); + landlock_log_denial(landlock_cred(file->f_cred)->domain, &request); return -EACCES; } diff --git a/security/landlock/fs.h b/security/landlock/fs.h index d445f411c26a..9f52c9b37898 100644 --- a/security/landlock/fs.h +++ b/security/landlock/fs.h @@ -53,6 +53,15 @@ struct landlock_file_security { * needed to authorize later operations on the open file. */ access_mask_t allowed_access; + +#ifdef CONFIG_AUDIT + /** + * @deny_masks: Domain layer levels that deny an optional access (see + * _LANDLOCK_ACCESS_FS_OPTIONAL). + */ + deny_masks_t deny_masks; +#endif /* CONFIG_AUDIT */ + /** * @fown_domain: Domain of the task that set the PID that may receive a * signal e.g., SIGURG when writing MSG_OOB to the related socket. From patchwork Wed Jan 8 15:43:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931261 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0d.mail.infomaniak.ch (smtp-bc0d.mail.infomaniak.ch [45.157.188.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B11111FF5F6 for ; Wed, 8 Jan 2025 15:50:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.13 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351411; cv=none; b=MyjYV/+svNqcosjl75vOrnR1KNQQQM/9TWj4jd6fQKFpJhNOgdBceHA2AISAecJ+f3ond5mbyZjhBD6wUFd1aqjUFyt9dtFwhYISWV4nFsbLpaCItMjPBYH0NoGCex1qGM+gUqRvgMbrePQD22PrJ8ra1rB1sv0D5NgpjbnNcjo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351411; c=relaxed/simple; bh=dNF9revyAHdaReGII1otboacnCMyx6THKc+/K3qcWn8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=o4hcfFjcwjcC+La4IkX8iSVUS9Rg3sE7WRmynL2qPieTUvveChx5KlEwJ4clucvmbt+v5QBlrKGBjHbSbjfzYiCmvP/x8r7FGzN4GwJpaPnZwpqgaE8z9X29FadpgSwAtj0H0b0Fd9fvsqPYUEPoGrMqDtUd0GmJPoA/TkvK61g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=fr5Dh3T1; arc=none smtp.client-ip=45.157.188.13 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="fr5Dh3T1" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfL4146zrYM; Wed, 8 Jan 2025 16:44:10 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351050; bh=urI9rHx8OZzAhZ+lkRE6eb+dDcOP0tlB9XFr0Wi2DSc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fr5Dh3T1y5iLXLhJ2sPAis+FhvApVylseUXfAd0NvFehpLiD/qcOsigEgNUSnmuHF g6PBnV4ZHtfBAF1nrbqsOnliGzrK9TedLzubet727F5H5wxb9IUG0pVVsrjQtbdUDT 4G2UDliQ57kg6FXDVlAB84TLsLoxMNjas63XW7VM= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfK5YPsz2yw; Wed, 8 Jan 2025 16:44:09 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 16/30] landlock: Log TCP bind and connect denials Date: Wed, 8 Jan 2025 16:43:24 +0100 Message-ID: <20250108154338.1129069-17-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit support to socket_bind and socket_connect hooks. The related blockers are: - net.bind_tcp - net.connect_tcp Audit event sample: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=net.connect_tcp daddr=127.0.0.1 dest=80 Cc: Günther Noack Cc: Konstantin Meskhidze Cc: Mikhail Ivanov Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-17-mic@digikod.net --- Changes since v3: - Rename blockers from net_* to net.* Changes since v2: - Remove potentially superfluous IPv6 saddr log, spotted by Francis Laniel. - Cosmetic improvements. --- security/landlock/audit.c | 12 +++++++++ security/landlock/audit.h | 1 + security/landlock/net.c | 51 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 60 insertions(+), 4 deletions(-) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 89446e913d9f..2744e3d4fe73 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -41,6 +41,13 @@ static const char *const fs_access_strings[] = { static_assert(ARRAY_SIZE(fs_access_strings) == LANDLOCK_NUM_ACCESS_FS); +static const char *const net_access_strings[] = { + [BIT_INDEX(LANDLOCK_ACCESS_NET_BIND_TCP)] = "net.bind_tcp", + [BIT_INDEX(LANDLOCK_ACCESS_NET_CONNECT_TCP)] = "net.connect_tcp", +}; + +static_assert(ARRAY_SIZE(net_access_strings) == LANDLOCK_NUM_ACCESS_NET); + static __attribute_const__ const char * get_blocker(const enum landlock_request_type type, const unsigned long access_bit) @@ -58,6 +65,11 @@ get_blocker(const enum landlock_request_type type, if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(fs_access_strings))) return "unknown"; return fs_access_strings[access_bit]; + + case LANDLOCK_REQUEST_NET_ACCESS: + if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings))) + return "unknown"; + return net_access_strings[access_bit]; } WARN_ON_ONCE(1); diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 762cdbd10b3a..9a3697b901b5 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -18,6 +18,7 @@ enum landlock_request_type { LANDLOCK_REQUEST_PTRACE = 1, LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, LANDLOCK_REQUEST_FS_ACCESS, + LANDLOCK_REQUEST_NET_ACCESS, }; /* diff --git a/security/landlock/net.c b/security/landlock/net.c index d5dcc4407a19..45c80fa417c4 100644 --- a/security/landlock/net.c +++ b/security/landlock/net.c @@ -7,10 +7,12 @@ */ #include +#include #include #include #include +#include "audit.h" #include "common.h" #include "cred.h" #include "limits.h" @@ -57,6 +59,10 @@ static int current_check_access_socket(struct socket *const sock, const struct landlock_ruleset *const dom = landlock_get_applicable_domain(landlock_get_current_domain(), any_net); + struct lsm_network_audit audit_net = {}; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_NET_ACCESS, + }; if (!dom) return 0; @@ -73,18 +79,48 @@ static int current_check_access_socket(struct socket *const sock, switch (address->sa_family) { case AF_UNSPEC: - case AF_INET: + case AF_INET: { + const struct sockaddr_in *addr4; + if (addrlen < sizeof(struct sockaddr_in)) return -EINVAL; - port = ((struct sockaddr_in *)address)->sin_port; + + addr4 = (struct sockaddr_in *)address; + port = addr4->sin_port; + + if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) { + audit_net.dport = port; + audit_net.v4info.daddr = addr4->sin_addr.s_addr; + } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { + audit_net.sport = port; + audit_net.v4info.saddr = addr4->sin_addr.s_addr; + } else { + WARN_ON_ONCE(1); + } break; + } #if IS_ENABLED(CONFIG_IPV6) - case AF_INET6: + case AF_INET6: { + const struct sockaddr_in6 *addr6; + if (addrlen < SIN6_LEN_RFC2133) return -EINVAL; - port = ((struct sockaddr_in6 *)address)->sin6_port; + + addr6 = (struct sockaddr_in6 *)address; + port = addr6->sin6_port; + + if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) { + audit_net.dport = port; + audit_net.v6info.daddr = addr6->sin6_addr; + } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { + audit_net.sport = port; + audit_net.v6info.saddr = addr6->sin6_addr; + } else { + WARN_ON_ONCE(1); + } break; + } #endif /* IS_ENABLED(CONFIG_IPV6) */ default: @@ -153,6 +189,13 @@ static int current_check_access_socket(struct socket *const sock, ARRAY_SIZE(layer_masks))) return 0; + audit_net.family = address->sa_family; + request.audit.type = LSM_AUDIT_DATA_NET; + request.audit.u.net = &audit_net; + request.access = access_request; + request.layer_masks = &layer_masks; + request.layer_masks_size = ARRAY_SIZE(layer_masks); + landlock_log_denial(dom, &request); return -EACCES; } From patchwork Wed Jan 8 15:43:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931236 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0d.mail.infomaniak.ch (smtp-bc0d.mail.infomaniak.ch [45.157.188.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AE5B220125B for ; Wed, 8 Jan 2025 15:44:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.13 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351056; cv=none; b=KJsqJHAcJsf72TGLDvZx9WHDRtQA0MiWZXG2SAFn76wlAkTh7wGzkMBO8IuEtYgt5gcMIAHqIasAMYhOEvccTc2ul4efApvkOFB+342Gkfnp8oEzEibJdASVwR3dEAP96Vaoo0dH5AcmKINB9peTbsYGmCBdcCyBKCnSXYPCot8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351056; c=relaxed/simple; bh=QGgkX4ZMdgskH5gQyj4rVDmPlqBeDjSuaVFMj8kT34Y=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Pgvpv2n1MsGsZK12jkyVTEvlKneFfn/zqXRg9QpRktwGM1bMScLRXDHVkWdiNGTowsWlMk/tMeeQOzKTpgkjBFLBrPus8vWY8QhiauaJ7lmceq7nCu+erLAp+D/Hz8odtUdK0Fz6SEg48dTr2JsHG1WoQkiWX1ISJuigoDfn1jM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=A3mJfqi6; arc=none smtp.client-ip=45.157.188.13 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="A3mJfqi6" Received: from smtp-4-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10:40ca:feff:fe05:0]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfN21RNzq5T; Wed, 8 Jan 2025 16:44:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351052; bh=AnTdAtgZSuavEJrYHBVG062ie022jRaSQUPxZ972iwQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A3mJfqi6bewyqNslA0nOOEGFG81zT0bApU/gNwKLuasYvLiixaEDzKmTbXyaC6JQP IsGuOe20wbZ7VR0HHF5kbJ4SixdUUVHlouQ9xVniBCohftMO7YL/s58mutt14TslGm 9iyYwsxwwco15sCdqwn5MqFtvPKgGU1oLi/CNxXk= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfM1pmDz4B8; Wed, 8 Jan 2025 16:44:11 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 17/30] landlock: Log scoped denials Date: Wed, 8 Jan 2025 16:43:25 +0100 Message-ID: <20250108154338.1129069-18-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit support for unix_stream_connect, unix_may_send, task_kill, and file_send_sigiotask hooks. The related blockers are: - scope.abstract_unix_socket - scope.signal Audit event sample for abstract unix socket: type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F Audit event sample for signal: type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd" Cc: Günther Noack Cc: Tahera Fahimi Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-18-mic@digikod.net --- Changes since v3: - Cosmetic change to the "scope.*" blocker names. - Extend commit message. Changes since v1: - New patch. --- security/landlock/audit.c | 8 ++++++ security/landlock/audit.h | 2 ++ security/landlock/task.c | 58 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 64 insertions(+), 4 deletions(-) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 2744e3d4fe73..7a2183ac9add 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -70,6 +70,14 @@ get_blocker(const enum landlock_request_type type, if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings))) return "unknown"; return net_access_strings[access_bit]; + + case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET: + WARN_ON_ONCE(access_bit != -1); + return "scope.abstract_unix_socket"; + + case LANDLOCK_REQUEST_SCOPE_SIGNAL: + WARN_ON_ONCE(access_bit != -1); + return "scope.signal"; } WARN_ON_ONCE(1); diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 9a3697b901b5..dd5deaf7dc4d 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -19,6 +19,8 @@ enum landlock_request_type { LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, LANDLOCK_REQUEST_FS_ACCESS, LANDLOCK_REQUEST_NET_ACCESS, + LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET, + LANDLOCK_REQUEST_SCOPE_SIGNAL, }; /* diff --git a/security/landlock/task.c b/security/landlock/task.c index 4fef963274fd..1b3d5de89e14 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c @@ -263,13 +263,27 @@ static int hook_unix_stream_connect(struct sock *const sock, const struct landlock_ruleset *const dom = landlock_get_applicable_domain(landlock_get_current_domain(), unix_scope); + struct lsm_network_audit audit_net = { + .sk = other, + }; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET, + .audit = { + .type = LSM_AUDIT_DATA_NET, + .u.net = &audit_net, + }, + }; /* Quick return for non-landlocked tasks. */ if (!dom) return 0; - if (is_abstract_socket(other) && sock_is_scoped(other, dom)) + if (is_abstract_socket(other) && sock_is_scoped(other, dom)) { + request.layer_plus_one = + landlock_match_layer_level(dom, unix_scope) + 1; + landlock_log_denial(dom, &request); return -EPERM; + } return 0; } @@ -280,6 +294,16 @@ static int hook_unix_may_send(struct socket *const sock, const struct landlock_ruleset *const dom = landlock_get_applicable_domain(landlock_get_current_domain(), unix_scope); + struct lsm_network_audit audit_net = { + .sk = other->sk, + }; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET, + .audit = { + .type = LSM_AUDIT_DATA_NET, + .u.net = &audit_net, + }, + }; if (!dom) return 0; @@ -291,8 +315,12 @@ static int hook_unix_may_send(struct socket *const sock, if (unix_peer(sock->sk) == other->sk) return 0; - if (is_abstract_socket(other->sk) && sock_is_scoped(other->sk, dom)) + if (is_abstract_socket(other->sk) && sock_is_scoped(other->sk, dom)) { + request.layer_plus_one = + landlock_match_layer_level(dom, unix_scope) + 1; + landlock_log_denial(dom, &request); return -EPERM; + } return 0; } @@ -307,6 +335,13 @@ static int hook_task_kill(struct task_struct *const p, { bool is_scoped; const struct landlock_ruleset *dom; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_SCOPE_SIGNAL, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = p, + }, + }; if (cred) { /* Dealing with USB IO. */ @@ -324,8 +359,12 @@ static int hook_task_kill(struct task_struct *const p, is_scoped = domain_is_scoped(dom, landlock_get_task_domain(p), LANDLOCK_SCOPE_SIGNAL); rcu_read_unlock(); - if (is_scoped) + if (is_scoped) { + request.layer_plus_one = + landlock_match_layer_level(dom, signal_scope) + 1; + landlock_log_denial(dom, &request); return -EPERM; + } return 0; } @@ -334,6 +373,13 @@ static int hook_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { const struct landlock_ruleset *dom; + struct landlock_request request = { + .type = LANDLOCK_REQUEST_SCOPE_SIGNAL, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = tsk, + }, + }; bool is_scoped = false; /* Lock already held by send_sigio() and send_sigurg(). */ @@ -349,8 +395,12 @@ static int hook_file_send_sigiotask(struct task_struct *tsk, is_scoped = domain_is_scoped(dom, landlock_get_task_domain(tsk), LANDLOCK_SCOPE_SIGNAL); rcu_read_unlock(); - if (is_scoped) + if (is_scoped) { + request.layer_plus_one = + landlock_match_layer_level(dom, signal_scope) + 1; + landlock_log_denial(dom, &request); return -EPERM; + } return 0; } From patchwork Wed Jan 8 15:43:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931237 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-1908.mail.infomaniak.ch (smtp-1908.mail.infomaniak.ch [185.125.25.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2B31A202C31 for ; Wed, 8 Jan 2025 15:44:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.8 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351058; cv=none; b=s660R18t2IyOXAGx5HombKcThte6jpxz0nmpaUuWsOqq0Yqb5xdD9gQXc6by+VaQbEhmLB4rSUeP6m2Lwa4n7rLtkp4X93z9bnIgdaFymbfFVQJiprO1Jdc18mJo+f12cz+Zy/NztuMicCA/O2RntfrA8Dp1s5bYm92E/8zo2M4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351058; c=relaxed/simple; bh=3D9tz0m87YioFlYBEQRLghfdEDKfAu6INajLtJ2N8yU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=FfxBWhotOWAwVYxtTi9QhjbQAdcYDDWj7gtoWxEE+sWY2VOxYCMIDjfSe7J1qIJKbWPpx9R9bTOQloG2ig4Ju75/km+Ezl+6y18s5CkJKYkq4DCfIH3cQFvpbiYhIu5Sv/T6eexiYEA7Zq04SutjlOLfc6v2Aacb5b0N2fiYlYI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=pkMgChsI; arc=none smtp.client-ip=185.125.25.8 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="pkMgChsI" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfP4jltzF4p; Wed, 8 Jan 2025 16:44:13 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351053; bh=FaDGX16m1MPjYMA/9MOEmO4u1OscmSfHE6fmKBFPOHE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pkMgChsIpgwvn5ia0Roj/7suOnvN5ppi2wqHqMqx1k28ItUPWNuEVBmEmE7LVeyPe UvmLrMmVNZy8RS3M6JFWjr87/DWIajDAO8DOYwbLbl/uBloEByhvHBn4hSyhBfA5sc F19l2L8qu0bPzfRWl7F6O5PgvGJsz0ONl1mK4hqk= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfN6yCVztns; Wed, 8 Jan 2025 16:44:12 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 18/30] landlock: Control log events with LANDLOCK_RESTRICT_SELF_QUIET Date: Wed, 8 Jan 2025 16:43:26 +0100 Message-ID: <20250108154338.1129069-19-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Most of the time we want to log denied access because they should not happen and such information helps diagnose issues. However, when sandboxing processes that we know will try to access denied resources (e.g. unknown, bogus, or malicious binary), we might want to not log related access requests that might fill up logs. To disable any log for a specific Landlock domain, add a LANDLOCK_RESTRICT_SELF_QUIET optional flag to the landlock_restrict_self() system call. Because this flag is set for a specific Landlock domain, it makes it possible to selectively mask some access requests that would be logged by a parent domain, which might be handy for unprivileged processes to limit logs. However, system administrators should still use the audit filtering mechanism. There is intentionally no audit nor sysctl configuration to re-enable these quiet domains. This is delegated to the user space program. Increment the Landlock ABI version to reflect this interface change. Cc: Günther Noack Cc: Paul Moore Closes: https://github.com/landlock-lsm/linux/issues/3 Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-19-mic@digikod.net --- Changes since v3: - Rename LANDLOCK_RESTRICT_SELF_LOGLESS to LANDLOCK_RESTRICT_SELF_QUIET. "quiet" is already used by kernel's cmdline to disable most log messages, so this name makes sense for Landlock. - Improve the LANDLOCK_ABI_VERSION comment. Changes since v2: - Update ABI version test. --- Documentation/userspace-api/landlock.rst | 2 +- include/uapi/linux/landlock.h | 14 ++++++++++ security/landlock/audit.c | 3 +++ security/landlock/domain.h | 1 + security/landlock/syscalls.c | 28 ++++++++++++++++---- tools/testing/selftests/landlock/base_test.c | 2 +- 6 files changed, 43 insertions(+), 7 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index d639c61cb472..a7c1ebef2c79 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: October 2024 +:Date: January 2025 The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 33745642f787..b7f78abd6ddd 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -62,6 +62,20 @@ struct landlock_ruleset_attr { #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) /* clang-format on */ +/* + * sys_landlock_restrict_self() flags: + * + * - %LANDLOCK_RESTRICT_SELF_QUIET: Do not create any log related to the + * enforced restrictions. This should only be set by tools launching unknown + * or untrusted programs (e.g. a sandbox tool, container runtime, system + * service manager). Because programs sandboxing themselves should fix any + * denied access, they should not set this flag to be aware of potential + * issues reported by system's logs (i.e. audit). + */ +/* clang-format off */ +#define LANDLOCK_RESTRICT_SELF_QUIET (1U << 0) +/* clang-format on */ + /** * enum landlock_rule_type - Landlock rule type * diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 7a2183ac9add..cc01a0d663f3 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -422,6 +422,9 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, get_hierarchy(domain, request->layer_plus_one - 1); } + if (READ_ONCE(youngest_denied->log_status) == LANDLOCK_LOG_DISABLED) + return; + /* * Consistently keeps track of the number of denied access requests * even if audit is currently disabled or if audit rules currently diff --git a/security/landlock/domain.h b/security/landlock/domain.h index e1129ab09a1b..7176043bd0ff 100644 --- a/security/landlock/domain.h +++ b/security/landlock/domain.h @@ -23,6 +23,7 @@ enum landlock_log_status { LANDLOCK_LOG_PENDING = 0, LANDLOCK_LOG_RECORDED, + LANDLOCK_LOG_DISABLED, }; /** diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 4ed8e70c25ed..8bc14a561e51 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -27,6 +27,7 @@ #include #include "cred.h" +#include "domain.h" #include "fs.h" #include "limits.h" #include "net.h" @@ -150,7 +151,14 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 6 +/* + * The Landlock ABI version should be incremented for each new Landlock-related + * user space visible change (e.g. Landlock syscalls). This version should + * only be incremented once per Linux release, and the date in + * Documentation/userspace-api/landlock.rst should be updated to reflect the + * UAPI change. + */ +#define LANDLOCK_ABI_VERSION 7 /** * sys_landlock_create_ruleset - Create a new ruleset @@ -434,7 +442,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, * sys_landlock_restrict_self - Enforce a ruleset on the calling thread * * @ruleset_fd: File descriptor tied to the ruleset to merge with the target. - * @flags: Must be 0. + * @flags: Supported value: %LANDLOCK_RESTRICT_SELF_QUIET. * * This system call enables to enforce a Landlock ruleset on the current * thread. Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its @@ -460,6 +468,7 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, struct cred *new_cred; struct landlock_cred_security *new_llcred; int err; + bool is_quiet = false; if (!is_initialized()) return -EOPNOTSUPP; @@ -472,9 +481,12 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; - /* No flag for now. */ - if (flags) - return -EINVAL; + if (flags) { + if (flags == LANDLOCK_RESTRICT_SELF_QUIET) + is_quiet = true; + else + return -EINVAL; + } /* Gets and checks the ruleset. */ ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); @@ -499,6 +511,12 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, goto out_put_creds; } + if (is_quiet) { +#ifdef CONFIG_AUDIT + new_dom->hierarchy->log_status = LANDLOCK_LOG_DISABLED; +#endif /* CONFIG_AUDIT */ + } + /* Replaces the old (prepared) domain. */ landlock_put_ruleset(new_llcred->domain); new_llcred->domain = new_dom; diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index 1bc16fde2e8a..fbd687691b3c 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -76,7 +76,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(6, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(7, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, From patchwork Wed Jan 8 15:43:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931242 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch [185.125.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD0921FF1BD for ; Wed, 8 Jan 2025 15:44:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.15 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351065; cv=none; b=QzsBk5p1oODqoJePh4vD7bhl/O/oO5FzdDsQj0vbBsHUZRQBrfieCiZlHpb9VN7JAZMi+ss3E2XQpK7rnPWjjNjsVayVflwNXMtCcZLuBsBtczVcmFxX3eaKhq9DPzh/LabxTzlDploU+vLDfw2/+3HQn2BQAUd8auaM2czU3Ak= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351065; c=relaxed/simple; bh=UXseJXwoe8+TQHvxbQCzNTz7uAEXL80tPcLYA+qIUj8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=tgzHeBjZp1tXZH4nIOLH/MZKuBmXNxSQ4VUu/wkL47PSPkj2s4pq6HJphugt/65mcPdmKJzaGk+0v02KBqqy17Bmz4U8V4ulRBoWIydlKKY8lQxvtxDcWVlWrQhEB9M5WdYC+1CDEzq756tt9A1rMBk55u+KGaWyUPf5ETrh+OE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=ncxqaA20; arc=none smtp.client-ip=185.125.25.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="ncxqaA20" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfR1QXDzmPT; Wed, 8 Jan 2025 16:44:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351055; bh=UKmay/IzTxgyZVsCRBq/9xe8WuOCLbcexgf3Mv/t7gY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ncxqaA20ytBUF5Q9qWZDiMMYjiX/eYWei/E2CUMv8rv0d+7IA1PYvvS5zlUl7h0U/ 0EW2yhN7oz6TqriCnLA5oF7hHYGR7J/9g9c3n464tm5VKdATfDBJ17cxuxRuxmanQC T4NVBlBrpCz5INY0nrL11BZ6QyLtzqz20ZiHJ524= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfQ3C2Bz5Lp; Wed, 8 Jan 2025 16:44:14 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 19/30] samples/landlock: Do not log denials from the sandboxer by default Date: Wed, 8 Jan 2025 16:43:27 +0100 Message-ID: <20250108154338.1129069-20-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Do not pollute audit logs because of unknown sandboxed programs. Indeed, the sandboxer's security policy might not be fitted to the set of sandboxed processes that could be spawned (e.g. from a shell). The LANDLOCK_RESTRICT_SELF_QUIET flag should be used for all similar sandboxer tools by default. Only natively-sandboxed programs should not use this flag. For test purpose, parse the LL_FORCE_LOG environment variable to still log denials. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-20-mic@digikod.net --- Changes since v3: - Extend error message, suggested by Francis Laniel. Changes since v2: - New patch. --- samples/landlock/sandboxer.c | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 57565dfd74a2..f132869f55f5 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -58,6 +58,7 @@ static inline int landlock_restrict_self(const int ruleset_fd, #define ENV_TCP_BIND_NAME "LL_TCP_BIND" #define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT" #define ENV_SCOPED_NAME "LL_SCOPED" +#define ENV_FORCE_LOG_NAME "LL_FORCE_LOG" #define ENV_DELIMITER ":" static int str2num(const char *numstr, __u64 *num_dst) @@ -288,7 +289,7 @@ static bool check_ruleset_scope(const char *const env_var, /* clang-format on */ -#define LANDLOCK_ABI_LAST 6 +#define LANDLOCK_ABI_LAST 7 #define XSTR(s) #s #define STR(s) XSTR(s) @@ -315,6 +316,9 @@ static const char help[] = " - \"a\" to restrict opening abstract unix sockets\n" " - \"s\" to restrict sending signals\n" "\n" + "A sandboxer should not log denied access requests to avoid spamming logs, " + "but to test audit we can set " ENV_FORCE_LOG_NAME "=1\n" + "\n" "Example:\n" ENV_FS_RO_NAME "=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" " ENV_FS_RW_NAME "=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " @@ -333,7 +337,7 @@ int main(const int argc, char *const argv[], char *const *const envp) const char *cmd_path; char *const *cmd_argv; int ruleset_fd, abi; - char *env_port_name; + char *env_port_name, *env_force_log; __u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ, access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE; @@ -344,6 +348,8 @@ int main(const int argc, char *const argv[], char *const *const envp) .scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL, }; + /* Do not pollute audit logs because of unknown sandboxed programs. */ + int restrict_flags = LANDLOCK_RESTRICT_SELF_QUIET; if (argc < 2) { fprintf(stderr, help, argv[0]); @@ -415,6 +421,12 @@ int main(const int argc, char *const argv[], char *const *const envp) /* Removes LANDLOCK_SCOPE_* for ABI < 6 */ ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL); + __attribute__((fallthrough)); + case 6: + /* Removes LANDLOCK_RESTRICT_SELF_QUIET for ABI < 7 */ + restrict_flags &= ~LANDLOCK_RESTRICT_SELF_QUIET; + + /* Must be printed for any ABI < LANDLOCK_ABI_LAST. */ fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features " @@ -449,6 +461,23 @@ int main(const int argc, char *const argv[], char *const *const envp) if (check_ruleset_scope(ENV_SCOPED_NAME, &ruleset_attr)) return 1; + /* Enables optional logs. */ + env_force_log = getenv(ENV_FORCE_LOG_NAME); + if (env_force_log) { + if (strcmp(env_force_log, "1") != 0) { + fprintf(stderr, "Unknown value for " ENV_FORCE_LOG_NAME + " (only \"1\" is handled)\n"); + return 1; + } + if (!(restrict_flags & LANDLOCK_RESTRICT_SELF_QUIET)) { + fprintf(stderr, + "Audit logs not supported by current kernel\n"); + return 1; + } + restrict_flags &= ~LANDLOCK_RESTRICT_SELF_QUIET; + unsetenv(ENV_FORCE_LOG_NAME); + } + ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); if (ruleset_fd < 0) { @@ -476,7 +505,7 @@ int main(const int argc, char *const argv[], char *const *const envp) perror("Failed to restrict privileges"); goto err_close_ruleset; } - if (landlock_restrict_self(ruleset_fd, 0)) { + if (landlock_restrict_self(ruleset_fd, restrict_flags)) { perror("Failed to enforce ruleset"); goto err_close_ruleset; } From patchwork Wed Jan 8 15:43:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931238 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-42aa.mail.infomaniak.ch (smtp-42aa.mail.infomaniak.ch [84.16.66.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49FFD2036F0 for ; Wed, 8 Jan 2025 15:44:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=84.16.66.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351060; cv=none; b=MG3gDHTFq3R8v2HMyU/i8lDk/xu1L2RLl0rapuPJDIoB2G8dEcXuvyEXUOeYe2TrFt/nClQ4B1ewUyKw6f8lvAgFf25kqDnlq+7c1BYkp85mFedPVRPbtvGLdUrRBFrZndGGKJ55vJL5mcyDant6uAYTAUGUbJiareh552vX+ng= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351060; c=relaxed/simple; bh=y/wtqJxZmkGaNNbxtbWPEhGfGtFUdjlHTa/P+YkzL4g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=RHOeOl5i2HeEI5NaxD/EDbF7JtqBFfbG6TimeViAtgTkl2vCkAsK3lKaTnpkE+v+CKOc9mPX7lKiY9RszFbvrdLPJxyCgJdOWrTW/urrZ4xvsiLM4/cycmfOs742t18XWMPwGLwPuWycaXnFOgFL+F4jdZJ0yjjHAOP66iI773k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=XaQBz8Xn; arc=none smtp.client-ip=84.16.66.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="XaQBz8Xn" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfS4s6pz7Bw; Wed, 8 Jan 2025 16:44:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351056; bh=mk13RvEuPQJ/sgasE14gboAmV4076jIAJAJ4kAt2QAU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XaQBz8XnskIBQ6GYys95KRNToEY4Oe2nQDcNQSTetTkHWkhMRiaRGnaF+9ohJmEIq abudOrENn3fYyR8VJqNbW1L0hUljXGovj1wCXAyIhCogA78wiskmewKFyRhf5QQVZm lg7g5IYtzJSW8jrRD677CFB1ObGfDSRDi/bbVH1g= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfR5Fl8zsJG; Wed, 8 Jan 2025 16:44:15 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 20/30] selftests/landlock: Fix error message Date: Wed, 8 Jan 2025 16:43:28 +0100 Message-ID: <20250108154338.1129069-21-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha The global variable errno may not be set in test_execute(). Do not use it in related error message. Cc: Günther Noack Fixes: e1199815b47b ("selftests/landlock: Add user space tests") Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-21-mic@digikod.net --- Changes since v3: - New patch. --- tools/testing/selftests/landlock/fs_test.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 42ce1e79ba82..a359c0d3107f 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -2011,8 +2011,7 @@ static void test_execute(struct __test_metadata *const _metadata, const int err, ASSERT_EQ(1, WIFEXITED(status)); ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status)) { - TH_LOG("Unexpected return code for \"%s\": %s", path, - strerror(errno)); + TH_LOG("Unexpected return code for \"%s\"", path); }; } From patchwork Wed Jan 8 15:43:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931240 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-190b.mail.infomaniak.ch (smtp-190b.mail.infomaniak.ch [185.125.25.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C78432040BE for ; Wed, 8 Jan 2025 15:44:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.11 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351063; cv=none; b=mv+Lu1dSLImEL0sMReJDr56fLoq0nu1SZqKfCjbXgx8xQsOR1S5crmP+KM40WDGCNyNjrmAL/w3pobKtksa1GkBre+qZN3pLUBYdFvxaG96jDaQVjTCbpgBF+GMc/m7aa/foITjI5VdcN+4iqJ0EnQPHgw/Bgap2QtInspxnfNM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351063; c=relaxed/simple; bh=ys0gfj0ZPhIrZ71rVw4Hj9YHndpMNBXQDbmI490dfc0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=TY21x9HaBz26YGRlbA7YZVcXYHt7kwKqGwQkLRE2WzOpFcGID/BCixIfI9Z3isCBvkqY1V3QijW5i/+mrXZhWTVHk47mjLkrEkPjk4RFVpzHSBc0iGBpW2wcvLisByjTJKzypF97Tz+RUGjsrIEPh3w9ojVZTuEcFr41L4hxEpc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=lMTL62Mr; arc=none smtp.client-ip=185.125.25.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="lMTL62Mr" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfV1Yt2zsKj; Wed, 8 Jan 2025 16:44:18 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351058; bh=ONxcSYqi3rxpAxp9apstv0/k6UVxQZhru1STqtTkwEs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lMTL62MryvWLepFqJJwgv3K7/MG/Xy8fxEzI/J/K14y9NIyKxUnnxaQkGo2ft00oO eaWinTcw6lRUDG8XZudVeYLuJoZzaOswShJaO8zPqhxJT/qxJlfGVv/KcagLk3oHdg B+BD+odm/MO1uXbt2KydVWBTi/3kMPXlbGQtxdcY= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfT2msmz4Kh; Wed, 8 Jan 2025 16:44:17 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 21/30] selftests/landlock: Add wrappers.h Date: Wed, 8 Jan 2025 16:43:29 +0100 Message-ID: <20250108154338.1129069-22-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Extract syscall wrappers to make them usable by standalone binaries (see next commit). Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-22-mic@digikod.net --- Changes since v3: - New patch. --- tools/testing/selftests/landlock/common.h | 37 +--------------- tools/testing/selftests/landlock/wrappers.h | 47 +++++++++++++++++++++ 2 files changed, 48 insertions(+), 36 deletions(-) create mode 100644 tools/testing/selftests/landlock/wrappers.h diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h index 61056fa074bb..8391ab574f64 100644 --- a/tools/testing/selftests/landlock/common.h +++ b/tools/testing/selftests/landlock/common.h @@ -9,17 +9,15 @@ #include #include -#include #include #include #include -#include -#include #include #include #include #include "../kselftest_harness.h" +#include "wrappers.h" #define TMP_DIR "tmp" @@ -30,34 +28,6 @@ /* TEST_F_FORK() should not be used for new tests. */ #define TEST_F_FORK(fixture_name, test_name) TEST_F(fixture_name, test_name) -#ifndef landlock_create_ruleset -static inline int -landlock_create_ruleset(const struct landlock_ruleset_attr *const attr, - const size_t size, const __u32 flags) -{ - return syscall(__NR_landlock_create_ruleset, attr, size, flags); -} -#endif - -#ifndef landlock_add_rule -static inline int landlock_add_rule(const int ruleset_fd, - const enum landlock_rule_type rule_type, - const void *const rule_attr, - const __u32 flags) -{ - return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, - flags); -} -#endif - -#ifndef landlock_restrict_self -static inline int landlock_restrict_self(const int ruleset_fd, - const __u32 flags) -{ - return syscall(__NR_landlock_restrict_self, ruleset_fd, flags); -} -#endif - static void _init_caps(struct __test_metadata *const _metadata, bool drop_all) { cap_t cap_p; @@ -250,11 +220,6 @@ struct service_fixture { }; }; -static pid_t __maybe_unused sys_gettid(void) -{ - return syscall(__NR_gettid); -} - static void __maybe_unused set_unix_address(struct service_fixture *const srv, const unsigned short index) { diff --git a/tools/testing/selftests/landlock/wrappers.h b/tools/testing/selftests/landlock/wrappers.h new file mode 100644 index 000000000000..32963a44876b --- /dev/null +++ b/tools/testing/selftests/landlock/wrappers.h @@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Landlock helpers + * + * Copyright © 2017-2020 Mickaël Salaün + * Copyright © 2019-2020 ANSSI + * Copyright © 2021-2024 Microsoft Corporation + */ + +#define _GNU_SOURCE +#include +#include +#include +#include + +#ifndef landlock_create_ruleset +static inline int +landlock_create_ruleset(const struct landlock_ruleset_attr *const attr, + const size_t size, const __u32 flags) +{ + return syscall(__NR_landlock_create_ruleset, attr, size, flags); +} +#endif + +#ifndef landlock_add_rule +static inline int landlock_add_rule(const int ruleset_fd, + const enum landlock_rule_type rule_type, + const void *const rule_attr, + const __u32 flags) +{ + return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, + flags); +} +#endif + +#ifndef landlock_restrict_self +static inline int landlock_restrict_self(const int ruleset_fd, + const __u32 flags) +{ + return syscall(__NR_landlock_restrict_self, ruleset_fd, flags); +} +#endif + +static inline pid_t sys_gettid(void) +{ + return syscall(__NR_gettid); +} From patchwork Wed Jan 8 15:43:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931239 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-1909.mail.infomaniak.ch (smtp-1909.mail.infomaniak.ch [185.125.25.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 215322036F0; Wed, 8 Jan 2025 15:44:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.9 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351063; cv=none; b=QPF8GkAJmc6CqArl0sF2MQJ+TfRG5O3IwmBrg0SAzkxNpWHXK+nePCIm2nZHyyVBoy/KsIJqgeckqL7YpBlHMjIt8YU2zqRSCiiCk9d2LHVY0qfNhDhtvgaaCyCs+T1ts+4CN58G2MBB4M815dClkjkfxj3Myj2u6pcl5cuqmdU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351063; c=relaxed/simple; bh=RtbhPyBFyhB5x2vNbRj8jqFb/hzhPmP64RYNDq+6ohY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=rMFEd01KSYwOHfQEPQHAwwE7wHY1N8EVBllWuw9gzQgTfqaux0+H5DJWNHHmKKyMRACgi93KazB5MGRYqnvF1u/g/0FCId5rHgQI5Ng8zhHW3E6HfrL1yq/oxgewMAC3F7WJ0+tyO3B0GewgvYZJyHfWln1c9wOH0MilrQ2kkJQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=ZUJW0F7O; arc=none smtp.client-ip=185.125.25.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="ZUJW0F7O" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfW4zP2zs3C; Wed, 8 Jan 2025 16:44:19 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351059; bh=GxlkC/SSsmFhpXrA3PtfF/TjkZaBcEeIUBvG0IhW9DQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZUJW0F7OKQtyxwDigOeLs8GiOX2AeadUfAF+jU7Onta/6dLaY3HqyMyJ2T54Qz6zZ XFcEraIVGdJfDdC303kWVnSMAexSTFROYty5IjwvlNrdWiUXm3X486VOlBbcYrnFLL TQQSB+Iw40nzAngarQc+MkglIK93QeCpHHCpyFFI= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfV6JRxz37G; Wed, 8 Jan 2025 16:44:18 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 22/30] selftests/landlock: Add layout1.umount_sandboxer tests Date: Wed, 8 Jan 2025 16:43:30 +0100 Message-ID: <20250108154338.1129069-23-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Check that a domain is not tied to the executable file that created it. For instance, that could happen if a Landlock domain took a reference to a struct path. Move global path names to common.h and replace copy_binary() with a more generic copy_file() helper. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-23-mic@digikod.net --- Changes since v3: - New patch to check issue from v2. --- tools/testing/selftests/landlock/Makefile | 2 +- tools/testing/selftests/landlock/common.h | 3 + tools/testing/selftests/landlock/fs_test.c | 94 +++++++++++++++++-- .../selftests/landlock/sandbox-and-launch.c | 82 ++++++++++++++++ tools/testing/selftests/landlock/wait-pipe.c | 42 +++++++++ 5 files changed, 213 insertions(+), 10 deletions(-) create mode 100644 tools/testing/selftests/landlock/sandbox-and-launch.c create mode 100644 tools/testing/selftests/landlock/wait-pipe.c diff --git a/tools/testing/selftests/landlock/Makefile b/tools/testing/selftests/landlock/Makefile index 348e2dbdb4e0..b1445c8bee50 100644 --- a/tools/testing/selftests/landlock/Makefile +++ b/tools/testing/selftests/landlock/Makefile @@ -10,7 +10,7 @@ src_test := $(wildcard *_test.c) TEST_GEN_PROGS := $(src_test:.c=) -TEST_GEN_PROGS_EXTENDED := true +TEST_GEN_PROGS_EXTENDED := true sandbox-and-launch wait-pipe # Short targets: $(TEST_GEN_PROGS): LDLIBS += -lcap diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h index 8391ab574f64..a604ea5d8297 100644 --- a/tools/testing/selftests/landlock/common.h +++ b/tools/testing/selftests/landlock/common.h @@ -28,6 +28,9 @@ /* TEST_F_FORK() should not be used for new tests. */ #define TEST_F_FORK(fixture_name, test_name) TEST_F(fixture_name, test_name) +static const char bin_sandbox_and_launch[] = "./sandbox-and-launch"; +static const char bin_wait_pipe[] = "./wait-pipe"; + static void _init_caps(struct __test_metadata *const _metadata, bool drop_all) { cap_t cap_p; diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index a359c0d3107f..8ac9aaf38eaa 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -59,7 +59,7 @@ int open_tree(int dfd, const char *filename, unsigned int flags) #define RENAME_EXCHANGE (1 << 1) #endif -#define BINARY_PATH "./true" +static const char bin_true[] = "./true"; /* Paths (sibling number and depth) */ static const char dir_s1d1[] = TMP_DIR "/s1d1"; @@ -1965,8 +1965,8 @@ TEST_F_FORK(layout1, relative_chroot_chdir) test_relative_path(_metadata, REL_CHROOT_CHDIR); } -static void copy_binary(struct __test_metadata *const _metadata, - const char *const dst_path) +static void copy_file(struct __test_metadata *const _metadata, + const char *const src_path, const char *const dst_path) { int dst_fd, src_fd; struct stat statbuf; @@ -1976,11 +1976,10 @@ static void copy_binary(struct __test_metadata *const _metadata, { TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno)); } - src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC); + src_fd = open(src_path, O_RDONLY | O_CLOEXEC); ASSERT_LE(0, src_fd) { - TH_LOG("Failed to open \"" BINARY_PATH "\": %s", - strerror(errno)); + TH_LOG("Failed to open \"%s\": %s", src_path, strerror(errno)); } ASSERT_EQ(0, fstat(src_fd, &statbuf)); ASSERT_EQ(statbuf.st_size, @@ -2028,9 +2027,9 @@ TEST_F_FORK(layout1, execute) create_ruleset(_metadata, rules[0].access, rules); ASSERT_LE(0, ruleset_fd); - copy_binary(_metadata, file1_s1d1); - copy_binary(_metadata, file1_s1d2); - copy_binary(_metadata, file1_s1d3); + copy_file(_metadata, bin_true, file1_s1d1); + copy_file(_metadata, bin_true, file1_s1d2); + copy_file(_metadata, bin_true, file1_s1d3); enforce_ruleset(_metadata, ruleset_fd); ASSERT_EQ(0, close(ruleset_fd)); @@ -2048,6 +2047,83 @@ TEST_F_FORK(layout1, execute) test_execute(_metadata, 0, file1_s1d3); } +TEST_F_FORK(layout1, umount_sandboxer) +{ + int pipe_child[2], pipe_parent[2]; + char buf_parent; + pid_t child; + int status; + + copy_file(_metadata, bin_sandbox_and_launch, file1_s3d3); + ASSERT_EQ(0, pipe2(pipe_child, 0)); + ASSERT_EQ(0, pipe2(pipe_parent, 0)); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + char pipe_child_str[12], pipe_parent_str[12]; + char *const argv[] = { (char *)file1_s3d3, + (char *)bin_wait_pipe, pipe_child_str, + pipe_parent_str, NULL }; + + /* Passes the pipe FDs to the executed binary and its child. */ + EXPECT_EQ(0, close(pipe_child[0])); + EXPECT_EQ(0, close(pipe_parent[1])); + snprintf(pipe_child_str, sizeof(pipe_child_str), "%d", + pipe_child[1]); + snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d", + pipe_parent[0]); + + /* + * We need bin_sandbox_and_launch (copied inside the mount as + * file1_s3d3) to execute bin_wait_pipe (outside the mount) to + * make sure the mount point will not be EBUSY because of + * file1_s3d3 being in use. This avoids a potential race + * condition between the following read() and umount() calls. + */ + ASSERT_EQ(0, execve(argv[0], argv, NULL)) + { + TH_LOG("Failed to execute \"%s\": %s", argv[0], + strerror(errno)); + }; + _exit(1); + return; + } + + EXPECT_EQ(0, close(pipe_child[1])); + EXPECT_EQ(0, close(pipe_parent[0])); + + /* Waits for the child to sandbox itself. */ + EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1)); + + /* Tests that the sandboxer is tied to its mount point. */ + set_cap(_metadata, CAP_SYS_ADMIN); + EXPECT_EQ(-1, umount(dir_s3d2)); + EXPECT_EQ(EBUSY, errno); + clear_cap(_metadata, CAP_SYS_ADMIN); + + /* Signals the child to launch a grandchild. */ + EXPECT_EQ(1, write(pipe_parent[1], ".", 1)); + + /* Waits for the grandchild. */ + EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1)); + + /* Tests that the domain's sandboxer is not tied to its mount point. */ + set_cap(_metadata, CAP_SYS_ADMIN); + EXPECT_EQ(0, umount(dir_s3d2)) + { + TH_LOG("Failed to umount \"%s\": %s", dir_s3d2, + strerror(errno)); + }; + clear_cap(_metadata, CAP_SYS_ADMIN); + + /* Signals the grandchild to terminate. */ + EXPECT_EQ(1, write(pipe_parent[1], ".", 1)); + ASSERT_EQ(child, waitpid(child, &status, 0)); + ASSERT_EQ(1, WIFEXITED(status)); + ASSERT_EQ(0, WEXITSTATUS(status)); +} + TEST_F_FORK(layout1, link) { const struct rule layer1[] = { diff --git a/tools/testing/selftests/landlock/sandbox-and-launch.c b/tools/testing/selftests/landlock/sandbox-and-launch.c new file mode 100644 index 000000000000..1ef49f349429 --- /dev/null +++ b/tools/testing/selftests/landlock/sandbox-and-launch.c @@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Sandbox itself and execute another program (in a different mount point). + * + * Used by layout1.umount_sandboxer from fs_test.c + * + * Copyright © 2024 Microsoft Corporation + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include + +#include "wrappers.h" + +int main(int argc, char *argv[]) +{ + struct landlock_ruleset_attr ruleset_attr = { + .scoped = LANDLOCK_SCOPE_SIGNAL, + }; + int pipe_child, pipe_parent, ruleset_fd; + char buf; + + /* + * The first argument must be the file descriptor number of a pipe. + * The second argument must be the program to execute. + */ + if (argc != 4) { + fprintf(stderr, "Wrong number of arguments (not three)\n"); + return 1; + } + + pipe_child = atoi(argv[2]); + pipe_parent = atoi(argv[3]); + + ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + if (ruleset_fd < 0) { + perror("Failed to create ruleset"); + return 1; + } + + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("Failed to call prctl()"); + return 1; + } + + if (landlock_restrict_self(ruleset_fd, 0)) { + perror("Failed to restrict self"); + return 1; + } + + if (close(ruleset_fd)) { + perror("Failed to close ruleset"); + return 1; + } + + /* Signals that we are sandboxed. */ + errno = 0; + if (write(pipe_child, ".", 1) != 1) { + perror("Failed to write to the second argument"); + return 1; + } + + /* Waits for the parent to try to umount. */ + if (read(pipe_parent, &buf, 1) != 1) { + perror("Failed to write to the third argument"); + return 1; + } + + /* Shifts arguments. */ + argv[0] = argv[1]; + argv[1] = argv[2]; + argv[2] = argv[3]; + argv[3] = NULL; + execve(argv[0], argv, NULL); + perror("Failed to execute the provided binary"); + return 1; +} diff --git a/tools/testing/selftests/landlock/wait-pipe.c b/tools/testing/selftests/landlock/wait-pipe.c new file mode 100644 index 000000000000..0dbcd260a0fa --- /dev/null +++ b/tools/testing/selftests/landlock/wait-pipe.c @@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Write in a pipe and wait. + * + * Used by layout1.umount_sandboxer from fs_test.c + * + * Copyright © 2024-2025 Microsoft Corporation + */ + +#define _GNU_SOURCE +#include +#include +#include + +int main(int argc, char *argv[]) +{ + int pipe_child, pipe_parent; + char buf; + + /* The first argument must be the file descriptor number of a pipe. */ + if (argc != 3) { + fprintf(stderr, "Wrong number of arguments (not two)\n"); + return 1; + } + + pipe_child = atoi(argv[1]); + pipe_parent = atoi(argv[2]); + + /* Signals that we are waiting. */ + if (write(pipe_child, ".", 1) != 1) { + perror("Failed to write to first argument"); + return 1; + } + + /* Waits for the parent do its test. */ + if (read(pipe_parent, &buf, 1) != 1) { + perror("Failed to write to the second argument"); + return 1; + } + + return 0; +} From patchwork Wed Jan 8 15:43:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931241 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-1909.mail.infomaniak.ch (smtp-1909.mail.infomaniak.ch [185.125.25.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 772EA20468A; Wed, 8 Jan 2025 15:44:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.9 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351064; cv=none; b=dNhDQencfIx+Npuxe2MHNyFA/kmI1HGro8XWmq+ganUBgkiiv3H/tTerQ38/abP7LOgDBa09spgAJASeyGRFu/ySbFvQkcBuQbEcjM//IjrJ09GdnLHl1YTK0QsrNYmBp4aQ3gr0smZ1rZ559ZSTvevKThvE2dBq+vihq5cZPKk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351064; c=relaxed/simple; bh=IboU/Wm9SZHUTyx08YQifUSsKwvzN4FxDa3AKSp11oY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=syfXJa4QRKx8hGp/HRkqjukm80mAJ2dX+D9nz+wiMr7n4yhezN4uCsGH5lErFvoMzKtOytdk8N53hPgVOGtLwE1yRfgeWGGO6XQiObajV7dSa27wzLpVhvBHrsbjuIs5eq7hk8/z7mrNTvXVDdwT96sLkJdrWKo/h4b+cr7qYHw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=vtxmQ40i; arc=none smtp.client-ip=185.125.25.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="vtxmQ40i" Received: from smtp-4-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10:40ca:feff:fe05:1]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfX74l7zth3; Wed, 8 Jan 2025 16:44:20 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351060; bh=dwOmXNqU5p6Noat4m8y+zwep0NNuioOqubwUKCTUcV0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vtxmQ40ijxDf7pYSN5CcFWEHm0f7+9wAmw45J984HaDShYTJJ2VEweGEiCUmOFCFu RQDfdMUH37LBfNKv4itELweLPqCpSteryUEPLcFDnObLXBlYdHDEAqrG2ywIEV71IK IbkjAWRiAjGwN/bq0gLQNjM9hBH7MizV/Q/cHxqg= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfX1pnmzGqD; Wed, 8 Jan 2025 16:44:20 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 23/30] selftests/landlock: Extend tests for landlock_restrict_self()'s flags Date: Wed, 8 Jan 2025 16:43:31 +0100 Message-ID: <20250108154338.1129069-24-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add the restrict_self_flags test suite to check that LANDLOCK_RESTRICT_SELF_QUIET is valid but not the next bit. Some checks are similar to restrict_self_checks_ordering's ones. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-24-mic@digikod.net --- Changes since v3: - Use a last_flag variable. Changes since v2: - New patch. --- tools/testing/selftests/landlock/base_test.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index fbd687691b3c..1a1603ff178b 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -233,6 +233,23 @@ TEST(restrict_self_checks_ordering) ASSERT_EQ(0, close(ruleset_fd)); } +TEST(restrict_self_flags) +{ + const __u32 last_flag = LANDLOCK_RESTRICT_SELF_QUIET; + + ASSERT_EQ(-1, landlock_restrict_self(-1, 0)); + ASSERT_EQ(EBADF, errno); + + ASSERT_EQ(-1, landlock_restrict_self(-1, LANDLOCK_RESTRICT_SELF_QUIET)); + ASSERT_EQ(EBADF, errno); + + ASSERT_EQ(-1, landlock_restrict_self(-1, last_flag << 1)); + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(EINVAL, errno); +} + TEST(ruleset_fd_io) { struct landlock_ruleset_attr ruleset_attr = { From patchwork Wed Jan 8 15:43:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931243 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-42ac.mail.infomaniak.ch (smtp-42ac.mail.infomaniak.ch [84.16.66.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E8D72046A2 for ; Wed, 8 Jan 2025 15:44:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=84.16.66.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351066; cv=none; b=ePUFCCgimXauhbvhbuG/QNgTqlXNmAihX7AK4qZupVYdOLwsW+w854l3xz8PHW3WNc+OMjcn23MJ1IS2wuYM9QAeSW3hGPJsVSMWcxhrWQqxS7TynX9pdHeFvuv3fVmTBpTnJJTdnzmjk3UxG4toHL2JZyejqHkVRcFPPd1TxM0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351066; c=relaxed/simple; bh=zdNyDHnVXNyIRxoqBjfcYvE0kjw25muyiQgmjqE9URI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Rwezjl5KOHTyBm48fUNuLns1aNOZnbxLn4XuyerTSxxczBW/ojU6bxMn04OULDv1kjE4wC5cyzegwA7TuE9X8FREKaJda4QsE2xmqvvV8hq/qsDeNwTBgHeyKI9JmHqDYIanpQJAY7xV0t+2WM7/E3pndfdu5RAuTzXw8BxODwQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=h3Flo3Vo; arc=none smtp.client-ip=84.16.66.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="h3Flo3Vo" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfZ3ZfjzBhQ; Wed, 8 Jan 2025 16:44:22 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351062; bh=ZcqfCsvoziuHXIgLd7kaqhs3S2wO5wuIv1pv4lDS/+I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=h3Flo3VoTn5bBaKf+7n7PoAowKpr63ZaIIsdKdviba+CaSoREx7JEjUOVBldVCcMm zEANzV3v7UJtrvI/RcbkyzOlc3PJrS7ajAmf9vMg8gXDl+cKJ0RWtTQereHtiLgvZu Vv53bQUlhvtegfuFd4wuPKBEr27I0oZVgYB9lYak= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfY4DzBzv5V; Wed, 8 Jan 2025 16:44:21 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 24/30] selftests/landlock: Add tests for audit and LANDLOCK_RESTRICT_SELF_QUIET Date: Wed, 8 Jan 2025 16:43:32 +0100 Message-ID: <20250108154338.1129069-25-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit_test.c to check with and without LANDLOCK_RESTRICT_SELF_QUIET against the three Landlock audit record types: AUDIT_LANDLOCK_DENY, AUDIT_LANDLOCK_DOM_INFO, and AUDIT_LANDLOCK_DOM_DROP. Tests are run with audit filters to ensure the audit records come from the running tests. Moreover, because there can only be one audit process, tests would failed if run in parallel. Because of audit limitations, tests can only be run in the initial namespace. The audit test helpers were inspired by libaudit and tools/testing/selftests/net/netfilter/audit_logread.c Cc: Günther Noack Cc: Paul Moore Cc: Phil Sutter Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-25-mic@digikod.net --- Changes since v3: - Improve audit_request() to check Netlink errors and handle multiple replies. - Make audit_filter_exe() more generic to handle several audit rule lists. - Merge audit_init_state() into audit_init() and create audit_init_with_exe_filter() to handle AUDIT_EXE_LANDLOCK_DENY with an arbitrary path. - Add matches_log_dom_info(). Changes since v2: - New patch. --- tools/testing/selftests/landlock/audit.h | 370 ++++++++++++++++++ tools/testing/selftests/landlock/audit_test.c | 158 ++++++++ tools/testing/selftests/landlock/common.h | 2 + tools/testing/selftests/landlock/config | 1 + 4 files changed, 531 insertions(+) create mode 100644 tools/testing/selftests/landlock/audit.h create mode 100644 tools/testing/selftests/landlock/audit_test.c diff --git a/tools/testing/selftests/landlock/audit.h b/tools/testing/selftests/landlock/audit.h new file mode 100644 index 000000000000..37979a62478c --- /dev/null +++ b/tools/testing/selftests/landlock/audit.h @@ -0,0 +1,370 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Landlock audit helpers + * + * Copyright © 2024-2025 Microsoft Corporation + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define REGEX_LANDLOCK_PREFIX "^audit([0-9.:]\\+): domain=[0-9a-f]\\+" + +struct audit_filter { + __u32 record_type; + size_t exe_len; + char exe[PATH_MAX]; +}; + +struct audit_message { + struct nlmsghdr header; + union { + struct audit_status status; + struct audit_features features; + struct audit_rule_data rule; + struct nlmsgerr err; + char data[PATH_MAX + 200]; + }; +}; + +static int audit_send(const int fd, const struct audit_message *const msg) +{ + struct sockaddr_nl addr = { + .nl_family = AF_NETLINK, + }; + int ret; + + do { + ret = sendto(fd, msg, msg->header.nlmsg_len, 0, + (struct sockaddr *)&addr, sizeof(addr)); + } while (ret < 0 && errno == EINTR); + + if (ret < 0) + return -errno; + + if (ret != msg->header.nlmsg_len) + return -E2BIG; + + return 0; +} + +static int audit_recv(const int fd, struct audit_message *msg) +{ + struct sockaddr_nl addr; + socklen_t addrlen = sizeof(addr); + struct audit_message msg_tmp; + int err; + + if (!msg) + msg = &msg_tmp; + + do { + err = recvfrom(fd, msg, sizeof(*msg), 0, + (struct sockaddr *)&addr, &addrlen); + } while (err < 0 && errno == EINTR); + + if (err < 0) + return -errno; + + if (addrlen != sizeof(addr) || addr.nl_pid != 0) + return -EINVAL; + + /* Checks Netlink error or end of messages. */ + if (msg->header.nlmsg_type == NLMSG_ERROR) + return msg->err.error; + + return 0; +} + +static int audit_request(const int fd, + const struct audit_message *const request, + struct audit_message *reply) +{ + struct audit_message msg_tmp; + bool first_reply = true; + int err; + + err = audit_send(fd, request); + if (err) + return err; + + if (!reply) + reply = &msg_tmp; + + do { + if (first_reply) + first_reply = false; + else + reply = &msg_tmp; + + err = audit_recv(fd, reply); + if (err) + return err; + } while (reply->header.nlmsg_type != NLMSG_ERROR && + reply->err.msg.nlmsg_type != request->header.nlmsg_type); + + return reply->err.error; +} + +static int audit_filter_exe(const int audit_fd, + const struct audit_filter *const filter, + const __u16 type, const __u32 flags) +{ + struct audit_message msg = { + .header = { + .nlmsg_len = NLMSG_SPACE(sizeof(msg.rule)) + + NLMSG_ALIGN(filter->exe_len), + .nlmsg_type = type, + .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, + }, + .rule = { + .flags = flags, + .action = AUDIT_NEVER, + .field_count = 1, + .fields[0] = filter->record_type, + .fieldflags[0] = AUDIT_NOT_EQUAL, + .values[0] = filter->exe_len, + .buflen = filter->exe_len, + } + }; + + switch (filter->record_type) { + case AUDIT_EXE: + break; + default: + return -EINVAL; + } + + memcpy(msg.rule.buf, filter->exe, filter->exe_len); + return audit_request(audit_fd, &msg, NULL); +} + +static int audit_filter_drop(const int audit_fd, const __u16 type) +{ + struct audit_message msg = { + .header = { + .nlmsg_len = NLMSG_SPACE(sizeof(msg.rule)), + .nlmsg_type = type, + .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, + }, + .rule = { + .flags = AUDIT_FILTER_EXCLUDE, + .action = AUDIT_NEVER, + .field_count = 1, + .fields[0] = AUDIT_MSGTYPE, + .fieldflags[0] = AUDIT_NOT_EQUAL, + .values[0] = AUDIT_LANDLOCK_DOM_DROP, + } + }; + + return audit_request(audit_fd, &msg, NULL); +} + +static int audit_set_status(int fd, __u32 key, __u32 val) +{ + const struct audit_message msg = { + .header = { + .nlmsg_len = NLMSG_SPACE(sizeof(msg.status)), + .nlmsg_type = AUDIT_SET, + .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, + }, + .status = { + .mask = key, + .enabled = key == AUDIT_STATUS_ENABLED ? val : 0, + .pid = key == AUDIT_STATUS_PID ? val : 0, + } + }; + + return audit_request(fd, &msg, NULL); +} + +static int audit_match_record(int audit_fd, const __u16 type, + const char *const pattern) +{ + struct audit_message msg; + int ret, err = 0; + bool matches_record = !type; + regex_t regex; + + ret = regcomp(®ex, pattern, 0); + if (ret) + return -EINVAL; + + do { + memset(&msg, 0, sizeof(msg)); + err = audit_recv(audit_fd, &msg); + if (err) + goto out; + + if (msg.header.nlmsg_type == type) + matches_record = true; + } while (!matches_record); + + ret = regexec(®ex, msg.data, 0, NULL, 0); + if (ret) { + printf("DATA: %s\n", msg.data); + printf("ERROR: no match for pattern: %s\n", pattern); + err = -ENOENT; + } + +out: + regfree(®ex); + return err; +} + +struct audit_records { + size_t deny; + size_t info; + size_t drop; +}; + +static void audit_count_records(int audit_fd, struct audit_records *records) +{ + struct audit_message msg; + + records->deny = 0; + records->info = 0; + records->drop = 0; + + do { + memset(&msg, 0, sizeof(msg)); + if (audit_recv(audit_fd, &msg)) + return; + + switch (msg.header.nlmsg_type) { + case AUDIT_LANDLOCK_DENY: + records->deny++; + break; + case AUDIT_LANDLOCK_DOM_INFO: + records->info++; + break; + case AUDIT_LANDLOCK_DOM_DROP: + records->drop++; + break; + } + } while (true); +} + +static int audit_init(void) +{ + const struct timeval tv = { + .tv_usec = 1, + }; + int fd, err; + + fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT); + if (fd < 0) + return -errno; + + err = audit_set_status(fd, AUDIT_STATUS_ENABLED, 1); + if (err) + return err; + + err = audit_set_status(fd, AUDIT_STATUS_PID, getpid()); + if (err) + return err; + + /* Sets a timeout for negative tests. */ + err = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)); + if (err) + return -errno; + + return fd; +} + +static int audit_init_filter_exe(const __u32 record_type, + struct audit_filter *filter, const char *path) +{ + char *absolute_path = NULL; + + // TODO: Make sure there is no rule already filtering. + + filter->record_type = record_type; + + if (!path) { + filter->exe_len = readlink("/proc/self/exe", filter->exe, + sizeof(filter->exe) - 1); + if (filter->exe_len < 0) + return -errno; + + return 0; + } + + absolute_path = realpath(path, NULL); + if (!absolute_path) + return -errno; + + /* No need for the terminating NULL byte. */ + filter->exe_len = strlen(absolute_path); + if (filter->exe_len > sizeof(filter->exe)) + return -E2BIG; + + memcpy(filter->exe, absolute_path, filter->exe_len); + free(absolute_path); + return 0; +} + +static int audit_cleanup(int audit_fd, struct audit_filter *filter) +{ + struct audit_filter new_filter; + + if (audit_fd < 0 || !filter) { + int err; + + /* + * Simulates audit_init_with_exe_filter() when called from + * FIXTURE_TEARDOWN_PARENT(). + */ + audit_fd = audit_init(); + if (audit_fd < 0) + return audit_fd; + + filter = &new_filter; + err = audit_init_filter_exe(AUDIT_EXE, filter, NULL); + if (err) + return err; + } + + /* Filters might not be in place. */ + audit_filter_exe(audit_fd, filter, AUDIT_DEL_RULE, + AUDIT_FILTER_EXCLUDE); + audit_filter_drop(audit_fd, AUDIT_DEL_RULE); + + /* + * Because audit_cleanup() might not be called by the test auditd + * process, it might not be possible to explicitly set it. Anyway, + * AUDIT_STATUS_ENABLED will implicitly be set to 0 when the auditd + * process will exit. + */ + return close(audit_fd); +} + +static int audit_init_with_exe_filter(struct audit_filter *filter) +{ + int fd, err; + + fd = audit_init(); + if (fd < 0) + return fd; + + err = audit_init_filter_exe(AUDIT_EXE, filter, NULL); + if (err) + return err; + + err = audit_filter_exe(fd, filter, AUDIT_ADD_RULE, + AUDIT_FILTER_EXCLUDE); + if (err) + return err; + + return fd; +} diff --git a/tools/testing/selftests/landlock/audit_test.c b/tools/testing/selftests/landlock/audit_test.c new file mode 100644 index 000000000000..d5330e843395 --- /dev/null +++ b/tools/testing/selftests/landlock/audit_test.c @@ -0,0 +1,158 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - Audit + * + * Copyright © 2024 Microsoft Corporation + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include + +#include "audit.h" +#include "common.h" + +static int matches_log_dom_info(struct __test_metadata *const _metadata, + int audit_fd) +{ + return audit_match_record( + audit_fd, AUDIT_LANDLOCK_DOM_INFO, + REGEX_LANDLOCK_PREFIX + " creation=[0-9.]\\+ pid=[0-9]\\+ uid=[0-9]\\+ exe=\"[^\"]\\+\" comm=\"audit_test\"$"); +} + +static int matches_log_umount(struct __test_metadata *const _metadata, + int audit_fd) +{ + return audit_match_record(audit_fd, AUDIT_LANDLOCK_DENY, + REGEX_LANDLOCK_PREFIX " blockers=.*"); +} + +FIXTURE(audit) +{ + struct audit_filter audit_filter; + int audit_fd; +}; + +FIXTURE_VARIANT(audit) +{ + const int restrict_flags; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(audit, default) {}; +/* clang-format on */ + +/* clang-format off */ +FIXTURE_VARIANT_ADD(audit, quiet) { + /* clang-format on */ + .restrict_flags = LANDLOCK_RESTRICT_SELF_QUIET, +}; + +FIXTURE_SETUP(audit) +{ + disable_caps(_metadata); + set_cap(_metadata, CAP_AUDIT_CONTROL); + self->audit_fd = audit_init_with_exe_filter(&self->audit_filter); + EXPECT_LE(0, self->audit_fd) + { + const char *error_msg; + + /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */ + if (self->audit_fd == -EEXIST) + error_msg = "socket already in use (e.g. auditd)"; + else + error_msg = strerror(-self->audit_fd); + TH_LOG("Failed to initialize audit: %s", error_msg); + } + clear_cap(_metadata, CAP_AUDIT_CONTROL); +} + +FIXTURE_TEARDOWN(audit) +{ + set_cap(_metadata, CAP_AUDIT_CONTROL); + EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter)); + clear_cap(_metadata, CAP_AUDIT_CONTROL); +} + +TEST_F(audit, fs_deny) +{ + int status; + pid_t child; + struct audit_records records; + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE, + }; + int ruleset_fd; + + /* Add filesystem restrictions. */ + ruleset_fd = landlock_create_ruleset(&ruleset_attr, + sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, + variant->restrict_flags)); + EXPECT_EQ(0, close(ruleset_fd)); + + /* First umount checks to test log entries. */ + set_cap(_metadata, CAP_SYS_ADMIN); + EXPECT_EQ(-1, umount("/")); + EXPECT_EQ(EPERM, errno); + clear_cap(_metadata, CAP_SYS_ADMIN); + + if (variant->restrict_flags & LANDLOCK_RESTRICT_SELF_QUIET) { + EXPECT_EQ(-EAGAIN, matches_log_umount(_metadata, + self->audit_fd)); + } else { + EXPECT_EQ(0, matches_log_umount(_metadata, + self->audit_fd)); + + /* Checks domain information records. */ + EXPECT_EQ(0, matches_log_dom_info(_metadata, + self->audit_fd)); + } + + /* Second umount checks to test audit_count_records(). */ + set_cap(_metadata, CAP_SYS_ADMIN); + EXPECT_EQ(-1, umount("/")); + EXPECT_EQ(EPERM, errno); + clear_cap(_metadata, CAP_SYS_ADMIN); + + /* Makes sure there is no superfluous logged records. */ + audit_count_records(self->audit_fd, &records); + if (variant->restrict_flags & LANDLOCK_RESTRICT_SELF_QUIET) { + EXPECT_EQ(0, records.deny); + } else { + EXPECT_EQ(1, records.deny); + } + EXPECT_EQ(0, records.info); + EXPECT_EQ(0, records.drop); + + /* Updates filter rules to match the drop record. */ + set_cap(_metadata, CAP_AUDIT_CONTROL); + EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE)); + EXPECT_EQ(0, audit_filter_exe( + self->audit_fd, &self->audit_filter, + AUDIT_DEL_RULE, AUDIT_FILTER_EXCLUDE)); + clear_cap(_metadata, CAP_AUDIT_CONTROL); + + _exit(_metadata->exit_code); + return; + } + + ASSERT_EQ(child, waitpid(child, &status, 0)); + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + +TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h index a604ea5d8297..ea7c4f9638b0 100644 --- a/tools/testing/selftests/landlock/common.h +++ b/tools/testing/selftests/landlock/common.h @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -37,6 +38,7 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all) /* Only these three capabilities are useful for the tests. */ const cap_value_t caps[] = { /* clang-format off */ + CAP_AUDIT_CONTROL, CAP_DAC_OVERRIDE, CAP_MKNOD, CAP_NET_ADMIN, diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config index 29af19c4e9f9..3d4eb994d62b 100644 --- a/tools/testing/selftests/landlock/config +++ b/tools/testing/selftests/landlock/config @@ -1,3 +1,4 @@ +CONFIG_AUDIT=y CONFIG_CGROUPS=y CONFIG_CGROUP_SCHED=y CONFIG_INET=y From patchwork Wed Jan 8 15:43:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931244 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc0b.mail.infomaniak.ch (smtp-bc0b.mail.infomaniak.ch [45.157.188.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C1D52046B5 for ; Wed, 8 Jan 2025 15:44:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.11 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351067; cv=none; b=oqzgNaaKL5zSzCE+n3WknXcYUO3mlo2E59glGj2H3HLfHch9zOyhv04vRv7PpuI2e4ND6fO2aaZfv5ZOgp6XvGJLjfQw3Ucj5B8/e96VMHh2aNG9WfT7ydFjDCznRa/dz1Cis0bTH2kjO8rVVWk5yPuawTkgGSaquNB2ZgNAahM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351067; c=relaxed/simple; bh=6XP/xC3WVZjggEPtm6+uY2nDqA5pCTb9WxLd8yXQQKU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=gpZiTsJcNl2lm2niukx1XhZG5UQjcr6l0mm7zM1amyoHaTH+5+i1rW1FlAFN7rqOLq6CXBUAZCtUTIJa6KFGCenHfajKiK1B2h93+CoC3zV4yXcwlXvUU127pAdmqCz/0VeQZe7QnUO54kqlt1bkcYr2zIBokgsjQDyaDbCFUA8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=epRy4Xu+; arc=none smtp.client-ip=45.157.188.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="epRy4Xu+" Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfb6h7lzslV; Wed, 8 Jan 2025 16:44:23 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351063; bh=uFtzYGWF8xstOZnxCGiviNFcQ0C9xk8VJGsQEMF8W+w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=epRy4Xu++eO55XgPtBGDshLQNVX9f4ZtiTXgkZX7/tZQZ5ud4NobikIuboRS90l9U NXH3in2SPI7rknrFGCi5oaXDUJFa7n7ruuIGdIbwJZZQL8d8kBhYOLqZ0bhAoeJKYh afvijuGBU9mXotYkp0Cjm90gBjYqokln/CLebkW4= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfb1Nd7zJKV; Wed, 8 Jan 2025 16:44:23 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 25/30] selftests/landlock: Add audit tests for ptrace Date: Wed, 8 Jan 2025 16:43:33 +0100 Message-ID: <20250108154338.1129069-26-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add tests for all ptrace actions. This improves all the ptrace tests by making sure that the restrictions comes from Landlock, and with the expected objects. These extended tests are like enhanced errno checks that make sure Landlock enforcement is consistent. Test coverage for security/landlock is 93.4% of 1619 lines according to gcc/gcov-14. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-26-mic@digikod.net --- Changes since v3: - Update test coverage. Changes since v2: - New patch. --- .../testing/selftests/landlock/ptrace_test.c | 67 +++++++++++++++++-- 1 file changed, 63 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c index a19db4d0b3bd..20a1ca7801aa 100644 --- a/tools/testing/selftests/landlock/ptrace_test.c +++ b/tools/testing/selftests/landlock/ptrace_test.c @@ -4,6 +4,7 @@ * * Copyright © 2017-2020 Mickaël Salaün * Copyright © 2019-2020 ANSSI + * Copyright © 2024-2025 Microsoft Corporation */ #define _GNU_SOURCE @@ -17,6 +18,7 @@ #include #include +#include "audit.h" #include "common.h" /* Copied from security/yama/yama_lsm.c */ @@ -85,9 +87,27 @@ static int get_yama_ptrace_scope(void) return ret; } -/* clang-format off */ -FIXTURE(hierarchy) {}; -/* clang-format on */ +static int matches_log_ptrace(struct __test_metadata *const _metadata, + int audit_fd, const pid_t opid) +{ + static const char log_template[] = REGEX_LANDLOCK_PREFIX + " blockers=ptrace opid=%d ocomm=\"ptrace_test\"$"; + char log_match[sizeof(log_template) + 10]; + int log_match_len; + + log_match_len = + snprintf(log_match, sizeof(log_match), log_template, opid); + if (log_match_len > sizeof(log_match)) + return -E2BIG; + + return audit_match_record(audit_fd, AUDIT_LANDLOCK_DENY, log_match); +} + +FIXTURE(hierarchy) +{ + struct audit_filter audit_filter; + int audit_fd; +}; FIXTURE_VARIANT(hierarchy) { @@ -245,10 +265,16 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) { FIXTURE_SETUP(hierarchy) { + disable_caps(_metadata); + set_cap(_metadata, CAP_AUDIT_CONTROL); + self->audit_fd = audit_init_with_exe_filter(&self->audit_filter); + EXPECT_LE(0, self->audit_fd); + clear_cap(_metadata, CAP_AUDIT_CONTROL); } -FIXTURE_TEARDOWN(hierarchy) +FIXTURE_TEARDOWN_PARENT(hierarchy) { + EXPECT_EQ(0, audit_cleanup(-1, NULL)); } /* Test PTRACE_TRACEME and PTRACE_ATTACH for parent and child. */ @@ -261,6 +287,7 @@ TEST_F(hierarchy, trace) char buf_parent; long ret; bool can_read_child, can_trace_child, can_read_parent, can_trace_parent; + struct audit_records records; yama_ptrace_scope = get_yama_ptrace_scope(); ASSERT_LE(0, yama_ptrace_scope); @@ -336,17 +363,29 @@ TEST_F(hierarchy, trace) err_proc_read = test_ptrace_read(parent); if (can_read_parent) { EXPECT_EQ(0, err_proc_read); + EXPECT_EQ(-EAGAIN, + matches_log_ptrace(_metadata, self->audit_fd, + parent)); } else { EXPECT_EQ(EACCES, err_proc_read); + EXPECT_EQ(0, + matches_log_ptrace(_metadata, self->audit_fd, + parent)); } /* Tests PTRACE_ATTACH on the parent. */ ret = ptrace(PTRACE_ATTACH, parent, NULL, 0); if (can_trace_parent) { EXPECT_EQ(0, ret); + EXPECT_EQ(-EAGAIN, + matches_log_ptrace(_metadata, self->audit_fd, + parent)); } else { EXPECT_EQ(-1, ret); EXPECT_EQ(EPERM, errno); + EXPECT_EQ(can_read_parent ? -EAGAIN : 0, + matches_log_ptrace(_metadata, self->audit_fd, + parent)); } if (ret == 0) { ASSERT_EQ(parent, waitpid(parent, &status, 0)); @@ -358,9 +397,16 @@ TEST_F(hierarchy, trace) ret = ptrace(PTRACE_TRACEME); if (can_trace_child) { EXPECT_EQ(0, ret); + EXPECT_EQ(-EAGAIN, + matches_log_ptrace(_metadata, self->audit_fd, + parent)); } else { EXPECT_EQ(-1, ret); EXPECT_EQ(EPERM, errno); + /* We should indeed see the parent process. */ + EXPECT_EQ(can_read_child ? -EAGAIN : 0, + matches_log_ptrace(_metadata, self->audit_fd, + parent)); } /* @@ -408,17 +454,25 @@ TEST_F(hierarchy, trace) err_proc_read = test_ptrace_read(child); if (can_read_child) { EXPECT_EQ(0, err_proc_read); + EXPECT_EQ(-EAGAIN, + matches_log_ptrace(_metadata, self->audit_fd, child)); } else { EXPECT_EQ(EACCES, err_proc_read); + EXPECT_EQ(0, + matches_log_ptrace(_metadata, self->audit_fd, child)); } /* Tests PTRACE_ATTACH on the child. */ ret = ptrace(PTRACE_ATTACH, child, NULL, 0); if (can_trace_child) { EXPECT_EQ(0, ret); + EXPECT_EQ(-EAGAIN, + matches_log_ptrace(_metadata, self->audit_fd, child)); } else { EXPECT_EQ(-1, ret); EXPECT_EQ(EPERM, errno); + EXPECT_EQ(can_read_child ? -EAGAIN : 0, + matches_log_ptrace(_metadata, self->audit_fd, child)); } if (ret == 0) { @@ -434,6 +488,11 @@ TEST_F(hierarchy, trace) if (WIFSIGNALED(status) || !WIFEXITED(status) || WEXITSTATUS(status) != EXIT_SUCCESS) _metadata->exit_code = KSFT_FAIL; + + /* Makes sure there is no superfluous logged records. */ + audit_count_records(self->audit_fd, &records); + EXPECT_EQ(0, records.deny); + EXPECT_EQ(0, records.info); } TEST_HARNESS_MAIN From patchwork Wed Jan 8 15:43:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931248 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-42ae.mail.infomaniak.ch (smtp-42ae.mail.infomaniak.ch [84.16.66.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB8BF2054E1 for ; Wed, 8 Jan 2025 15:44:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=84.16.66.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351075; cv=none; b=CvX9/H0a/Y8P0u1Hfc5kdkBtvzbbLZ11SB30PuT1JwsUywdNYgvS0uLcRklfDhwreTaRoWzS+drPHHOqmqdRCO2Nhk1nzky1bh8xz0IZr3t0bLz+wCakekqM8cQOQh/eyUnTiC0fyoWCdxs5Zg/xn16SBjRfhYn/AMk6NRF5ztg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351075; c=relaxed/simple; bh=gr04gmEEgm3mYJS/FkFRKYILFVc7EQJ9YfJe6y01BrU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=NHpCnZ0XgAK2Idw1F2dDd7dLul3Ddi7ejtrRDXGys1hMFPMf9qclioR6wXfUQPY1GZGf2+hogcOOViBF+Cuh8gPtL2QgtLePvigM1eO26VQckDSeuY+e6L6iaHU7pLFd4CNwYYFeQL9LHtMbzsSaR1lpv5D8x5yUOaoB41gpyJA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=ngm0imtV; arc=none smtp.client-ip=84.16.66.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="ngm0imtV" Received: from smtp-3-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246c]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfd2k2nzCjN; Wed, 8 Jan 2025 16:44:25 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351065; bh=vYwh4DC0IRpFCSYDmtTUOVM5Ik78zG1VxJIN9X5plHs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ngm0imtVY1ebrW1n+uP0tClXWfpeHRmzTZxGKGwtoGdMVv0hAvKHKgiwzw0zOBn29 17DwbAeZOHGivGe2YaZCdlJjhB++Rpb0cWxrdyS7mt7HPKEWIax+TXDWEdkY/7sR1k kebTljqiFyCXds2XojGkB7PY1xfhronMPD21uuDA= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfc4C0wzHsP; Wed, 8 Jan 2025 16:44:24 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 26/30] landlock: Export and rename landlock_get_inode_object() Date: Wed, 8 Jan 2025 16:43:34 +0100 Message-ID: <20250108154338.1129069-27-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha This will be used by security/landlock/audit.c in a following commit. Cc: Günther Noack Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-27-mic@digikod.net --- Changes since v3: - New patch. --- security/landlock/fs.c | 22 ++++++++++++---------- security/landlock/fs.h | 2 ++ 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 6404961ecbc7..4b718b669ebe 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -74,13 +74,14 @@ static void release_inode(struct landlock_object *const object) spin_unlock(&object->lock); /* * Because object->underobj was not NULL, hook_sb_delete() and - * get_inode_object() guarantee that it is safe to reset + * landlock_get_inode_object() guarantee that it is safe to reset * landlock_inode(inode)->object while it is not NULL. It is therefore * not necessary to lock inode->i_lock. */ rcu_assign_pointer(landlock_inode(inode)->object, NULL); /* - * Now, new rules can safely be tied to @inode with get_inode_object(). + * Now, new rules can safely be tied to @inode with + * landlock_get_inode_object(). */ iput(inode); @@ -259,7 +260,7 @@ update_request(struct landlock_request *const request, /* Ruleset management */ -static struct landlock_object *get_inode_object(struct inode *const inode) +struct landlock_object *landlock_get_inode_object(struct inode *const inode) { struct landlock_object *object, *new_object; struct landlock_inode_security *inode_sec = landlock_inode(inode); @@ -291,7 +292,7 @@ static struct landlock_object *get_inode_object(struct inode *const inode) return new_object; /* - * Protects against concurrent calls to get_inode_object() or + * Protects against concurrent calls to landlock_get_inode_object() or * hook_sb_delete(). */ spin_lock(&inode->i_lock); @@ -347,7 +348,8 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, /* Transforms relative access rights to absolute ones. */ access_rights |= LANDLOCK_MASK_ACCESS_FS & ~landlock_get_fs_access_mask(ruleset, 0); - id.key.object = get_inode_object(d_backing_inode(path->dentry)); + id.key.object = + landlock_get_inode_object(d_backing_inode(path->dentry)); if (IS_ERR(id.key.object)) return PTR_ERR(id.key.object); mutex_lock(&ruleset->lock); @@ -1288,7 +1290,7 @@ static void hook_sb_delete(struct super_block *const sb) /* * Protects against concurrent modification of inode (e.g. - * from get_inode_object()). + * from landlock_get_inode_object()). */ spin_lock(&inode->i_lock); /* @@ -1327,16 +1329,16 @@ static void hook_sb_delete(struct super_block *const sb) /* * Because object->underobj was not NULL, - * release_inode() and get_inode_object() guarantee - * that it is safe to reset + * release_inode() and landlock_get_inode_object() + * guarantee that it is safe to reset * landlock_inode(inode)->object while it is not NULL. * It is therefore not necessary to lock inode->i_lock. */ rcu_assign_pointer(landlock_inode(inode)->object, NULL); /* * At this point, we own the ihold() reference that was - * originally set up by get_inode_object() and the - * __iget() reference that we just set in this loop + * originally set up by landlock_get_inode_object() and + * the __iget() reference that we just set in this loop * walk. Therefore the following call to iput() will * not sleep nor drop the inode because there is now at * least two references to it. diff --git a/security/landlock/fs.h b/security/landlock/fs.h index 9f52c9b37898..3e428fa51cec 100644 --- a/security/landlock/fs.h +++ b/security/landlock/fs.h @@ -109,4 +109,6 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, const struct path *const path, access_mask_t access_hierarchy); +struct landlock_object *landlock_get_inode_object(struct inode *const inode); + #endif /* _SECURITY_LANDLOCK_FS_H */ From patchwork Wed Jan 8 15:43:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931245 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8fa9.mail.infomaniak.ch (smtp-8fa9.mail.infomaniak.ch [83.166.143.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48982204C2A for ; Wed, 8 Jan 2025 15:44:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351071; cv=none; b=XpovOJASf9dZk2GzyD3tU6n1DaKj0EOv7EFNbWYcmNEQhjr8SuLKrCgPK1dKvDeApG/u2oAHJQOj87mdOOWvvEcaCC/cIAntsGeVws1ffvbEDrzHgI8glrZt2ql4VfBSREypqaV/nPx5IerVC6hHCLdJU3C392Mv/1ZYmXH1370= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351071; c=relaxed/simple; bh=pW499YWVaRnWVTNaXtUOgQ7lkzGTPh+Wwe+6wiE8Ohg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=ii9pn4Vv0J9o+1TUXZQIbDJFH9CL0ixy0t1cv/Eio4Ub06yuOlNHlk+wEGIgBPBwHCBywE+JJA1+IgrOdmaVni3MbEE8ukiU/I49WbfON44ngQAr8lo13TsvzxlT9v6DEFCKGPp04N8+xyDNg5IFl2uchk9T1ek17YyuV1bPoo8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=DOXHg6Bq; arc=none smtp.client-ip=83.166.143.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="DOXHg6Bq" Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfg53yHztsy; Wed, 8 Jan 2025 16:44:27 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351067; bh=E2Dmree0e1EpVbxU6ktNYpMoszkVcilFnXqplxTgABI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DOXHg6Bq2lz9wQDlSrRroKlF694ur8X7I+fK9hTTfl6RY1QEIIcUSgEyp3YDpMgzD u1OsD3fGRqXNK/Ab7xlfsoV2Orctoi3WoEIvjIobIUyifJVOFMzp5L/izMKAOmo1UO i2r9Z03M1kn5GZzh6jydRGUaLvB6v1WwagHwGOpY= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfd6q13zFc4; Wed, 8 Jan 2025 16:44:25 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Al Viro , Christian Brauner , Jeff Layton , Josef Bacik Subject: [PATCH v4 27/30] fs: Add iput() cleanup helper Date: Wed, 8 Jan 2025 16:43:35 +0100 Message-ID: <20250108154338.1129069-28-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add a simple scope-based helper to put an inode reference, similar to the fput() helper. This is used in a following commit. Cc: Al Viro Cc: Christian Brauner Cc: Jeff Layton Cc: Josef Bacik Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-28-mic@digikod.net --- Changes since v3: - New patch. --- include/linux/fs.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index 7e29433c5ecc..bd5a28b0871f 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -47,6 +47,8 @@ #include #include #include +#include +#include #include #include @@ -2698,6 +2700,8 @@ extern void iput(struct inode *); int inode_update_timestamps(struct inode *inode, int flags); int generic_update_time(struct inode *, int); +DEFINE_FREE(iput, struct inode *, if (!IS_ERR_OR_NULL(_T)) iput(_T)) + /* /sys/fs */ extern struct kobject *fs_kobj; @@ -3108,8 +3112,6 @@ static inline bool is_dot_dotdot(const char *name, size_t len) (len == 1 || (len == 2 && name[1] == '.')); } -#include - /* needed for stackable file system support */ extern loff_t default_llseek(struct file *file, loff_t offset, int whence); From patchwork Wed Jan 8 15:43:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931246 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8fa9.mail.infomaniak.ch (smtp-8fa9.mail.infomaniak.ch [83.166.143.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D1937204F66 for ; Wed, 8 Jan 2025 15:44:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351073; cv=none; b=cHw4kMhxZtM/R1p6xq04NBDOLQCv7xPz/XI4b776XkZqv2IlW7CnNvU8cUhLud0slGpdN25i1xecj430tNOsi5Lm6a0P4yipGn6Em+vpCxlMKdTuW38KGHnjniCpmYhqYkXLXr1sEDpNrOsnwti0HVtpZdZNpE6QiqeT4kE/F5w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351073; c=relaxed/simple; bh=+c7kVWtu91Ld4/bjYLV7+UCoOamClJkWFYzPi6U0Cs4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=BQ1pUWYaQ52EtHMr3LJwkPY8lJq/tqh/mwq0dZZPIy71P59w48g9HSt0gacIpDa1HKKkU2n9s0XnyuX0sbzVEgG5j1ePjL+/0FCO/Q3FQfQkdBd8pRUNTh/z/SzqpXENnFerZMXwnxqtM+LM+PKHJLruZbZ1F7s3IRmvVKUtRKA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=B8sgXbjO; arc=none smtp.client-ip=83.166.143.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="B8sgXbjO" Received: from smtp-4-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10:40ca:feff:fe05:0]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfj1pb1zrYN; Wed, 8 Jan 2025 16:44:29 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351069; bh=TyzYyNTr0OuZU/1uH4aeoapTCDCFto4nCvOZ+6uvQng=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=B8sgXbjOwLGA9KHgbvgMIrSuOMl0gkLJyehxstTnxBgGTqaohGS22F1tAKR60VQ95 RBnkmMd9LpKXDnFUJ2HEdcWbKnsdH4yHPdu8LEmQr15O/jw9Hn8m0d0Xr1EYc0YQJQ 4gxuYZTW08GTScElzp1XiqsZRQjKvp4gxoFljwIY= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfh31g3z2FF; Wed, 8 Jan 2025 16:44:28 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type Date: Wed, 8 Jan 2025 16:43:36 +0100 Message-ID: <20250108154338.1129069-29-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Landlock manages a set of standalone security policies, which can be loaded by any process. Because a sandbox policy may contain errors and can lead to log spam, we need a way to exclude some of them. It is simple and it makes sense to identify Landlock domains (i.e. security policies) per binary path that loaded such policy. Add a new AUDIT_EXE_LANDLOCK_DENY rule type to enables system administrator to filter logs according to the origin or the security policy responsible for a denial. AUDIT_EXE identifies a property of the task calling the kernel, whereas AUDIT_EXE_LANDLOCK_DENY identifies a property of a task that restricted the task calling the kernel. AUDIT_EXE_LANDLOCK_DENY leverages most of AUDIT_EXE's code to track files and compare them. AUDIT_EXE_LANDLOCK_DENY is only handled by these audit rule lists: - AUDIT_FILTER_EXCLUDE - AUDIT_FILTER_EXIT - AUDIT_FILTER_URING_EXIT Add a new audit_set_landlock_hierarchy() helper to enrich the audit context with the Landlock domain's creator which is the origin of the current denial (if any). Pass the current audit context to audit_filter() to be able to filter according to the Landlock domain creator that denied the current action. Add a new landlock_read_domain_exe() helper for audit to compare a Landlock domain creator's inode and device numbers with a rule. If scripts are not directly executed but passed to an interpreter, like with AUDIT_EXE and /proc/self/exe, only this interpreter's path will show in the logs. Scripts enforcing a security policy should then be directly executed to differentiate between different scripts. It does not make sense to add dedicated LSM hooks because it would not make sense to treat all current and future LSM policies the same, and there is currently only Landlock that handles different standalone and unprivileged security policies. Indeed, AUDIT_EXE_LANDLOCK_DENY has a clear semantic: it identifies the source of a Landlock denial. In the future, we might want to extend this filtering capability with other properties of tasks that restrict themselves with Landlock (e.g. UID, loginuid, sessionid). This could be useful on systems where users can bring their own executable code (which can already spam logs). For now, AUDIT_EXE_LANDLOCK_DENY is enough to exclude buggy sandboxed applications that may spam logs. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-29-mic@digikod.net --- We could have something like this to filter Landlock domains: -a never,exclude -F exe_landlock_deny=/usr/bin/buggy-sandboxed-app Changes since v3: - New patch. --- include/linux/audit.h | 11 ++++++++ include/linux/landlock.h | 10 +++++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 4 +-- kernel/audit.h | 5 +++- kernel/auditfilter.c | 30 ++++++++++++++++++++- kernel/auditsc.c | 31 ++++++++++++++++++++++ security/landlock/audit.c | 4 +++ security/landlock/domain.c | 54 ++++++++++++++++++++++++++++++++++++-- security/landlock/domain.h | 20 ++++++++++++++ security/landlock/fs.c | 4 +-- security/landlock/object.h | 4 ++- 12 files changed, 169 insertions(+), 9 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 0050ef288ab3..6397bc01c0c0 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -305,6 +306,7 @@ extern void audit_seccomp(unsigned long syscall, long signr, int code); extern void audit_seccomp_actions_logged(const char *names, const char *old_names, int res); extern void __audit_ptrace(struct task_struct *t); +extern void __audit_set_landlock_hierarchy(struct landlock_hierarchy *hierarchy); static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) { @@ -357,6 +359,12 @@ static inline void audit_syscall_exit(void *pt_regs) __audit_syscall_exit(success, return_code); } } +static inline void +audit_set_landlock_hierarchy(struct landlock_hierarchy *hierarchy) +{ + if (unlikely(audit_context() && audit_enabled)) + __audit_set_landlock_hierarchy(hierarchy); +} static inline struct filename *audit_reusename(const __user char *name) { if (unlikely(!audit_dummy_context())) @@ -591,6 +599,9 @@ static inline void audit_syscall_entry(int major, unsigned long a0, { } static inline void audit_syscall_exit(void *pt_regs) { } +static inline void +audit_set_landlock_hierarchy(struct landlock_hierarchy *hierarchy) +{ } static inline bool audit_dummy_context(void) { return true; diff --git a/include/linux/landlock.h b/include/linux/landlock.h index 8491142658a1..1b6dae8d5631 100644 --- a/include/linux/landlock.h +++ b/include/linux/landlock.h @@ -16,6 +16,9 @@ void landlock_get_hierarchy(struct landlock_hierarchy *hierarchy); void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy); +bool landlock_read_domain_exe(const struct landlock_hierarchy *const hierarchy, + ino_t *ino, dev_t *dev); + #else /* CONFIG_SECURITY_LANDLOCK */ static inline void landlock_get_hierarchy(struct landlock_hierarchy *hierarchy) @@ -26,6 +29,13 @@ static inline void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) { } +static inline bool +landlock_read_domain_exe(const struct landlock_hierarchy *const hierarchy, + ino_t *ino, dev_t *dev) +{ + return false; +} + #endif /* CONFIG_SECURITY_LANDLOCK */ #endif /* _LINUX_LANDLOCK_H */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index a72f7b3403be..07b69d4ef076 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -296,6 +296,7 @@ #define AUDIT_FIELD_COMPARE 111 #define AUDIT_EXE 112 #define AUDIT_SADDR_FAM 113 +#define AUDIT_EXE_LANDLOCK_DENY 114 #define AUDIT_ARG0 200 #define AUDIT_ARG1 (AUDIT_ARG0+1) diff --git a/kernel/audit.c b/kernel/audit.c index 6a95a6077953..edde6f5ebdc7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1381,7 +1381,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, if (data_len < 2) return -EINVAL; - err = audit_filter(msg_type, AUDIT_FILTER_USER); + err = audit_filter(msg_type, AUDIT_FILTER_USER, NULL); if (err == 1) { /* match or error */ char *str = data; @@ -1866,7 +1866,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, if (audit_initialized != AUDIT_INITIALIZED) return NULL; - if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCLUDE))) + if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCLUDE, ctx))) return NULL; /* NOTE: don't ever fail/sleep on these two conditions: diff --git a/kernel/audit.h b/kernel/audit.h index 0211cb307d30..4f20574462b4 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include // struct open_how @@ -209,6 +210,7 @@ struct audit_context { }; int fds[2]; struct audit_proctitle proctitle; + struct landlock_hierarchy *landlock_hierarchy; }; extern bool audit_ever_enabled; @@ -340,7 +342,8 @@ static inline int audit_signal_info_syscall(struct task_struct *t) extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); -extern int audit_filter(int msgtype, unsigned int listtype); +extern int audit_filter(int msgtype, unsigned int listtype, + const struct audit_context *ctx); extern void audit_ctl_lock(void); extern void audit_ctl_unlock(void); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index bceb9f58a09e..36d258229437 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -340,6 +341,12 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT) return -EINVAL; break; + case AUDIT_EXE_LANDLOCK_DENY: + if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE && + entry->rule.listnr != AUDIT_FILTER_EXIT && + entry->rule.listnr != AUDIT_FILTER_URING_EXIT) + return -EINVAL; + break; } switch (entry->rule.listnr) { @@ -407,6 +414,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_FILETYPE: case AUDIT_FIELD_COMPARE: case AUDIT_EXE: + case AUDIT_EXE_LANDLOCK_DENY: /* only equal and not equal valid ops */ if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL; @@ -583,6 +591,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.filterkey = str; break; case AUDIT_EXE: + case AUDIT_EXE_LANDLOCK_DENY: if (entry->rule.exe || f_val > PATH_MAX) goto exit_free; str = audit_unpack_string(&bufp, &remain, f_val); @@ -681,6 +690,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) audit_pack_string(&bufp, krule->filterkey); break; case AUDIT_EXE: + case AUDIT_EXE_LANDLOCK_DENY: data->buflen += data->values[i] = audit_pack_string(&bufp, audit_mark_path(krule->exe)); break; @@ -749,6 +759,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) return 1; break; case AUDIT_EXE: + case AUDIT_EXE_LANDLOCK_DENY: /* both paths exist based on above type compare */ if (strcmp(audit_mark_path(a->exe), audit_mark_path(b->exe))) @@ -877,6 +888,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) new->filterkey = fk; break; case AUDIT_EXE: + case AUDIT_EXE_LANDLOCK_DENY: err = audit_dupe_exe(new, old); break; } @@ -1328,7 +1340,8 @@ int audit_compare_dname_path(const struct qstr *dname, const char *path, int par return strncmp(p, dname->name, dlen); } -int audit_filter(int msgtype, unsigned int listtype) +int audit_filter(int msgtype, unsigned int listtype, + const struct audit_context *ctx) { struct audit_entry *e; int ret = 1; /* Audit by default */ @@ -1381,6 +1394,21 @@ int audit_filter(int msgtype, unsigned int listtype) if (f->op == Audit_not_equal) result = !result; break; + case AUDIT_EXE_LANDLOCK_DENY: + if (ctx && ctx->landlock_hierarchy) { + ino_t ino = 0; + dev_t dev = 0; + + result = + landlock_read_domain_exe( + ctx->landlock_hierarchy, + &ino, &dev) && + audit_mark_compare(e->rule.exe, + ino, dev); + if (f->op == Audit_not_equal) + result = !result; + } + break; default: goto unlock_and_return; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 561d96affe9f..0be7542852de 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -61,6 +61,7 @@ #include #include #include +#include #include #include #include // struct open_how @@ -501,6 +502,20 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->op == Audit_not_equal) result = !result; break; + case AUDIT_EXE_LANDLOCK_DENY: + if (ctx && ctx->landlock_hierarchy) { + ino_t ino = 0; + dev_t dev = 0; + + result = + landlock_read_domain_exe( + ctx->landlock_hierarchy, &ino, + &dev) && + audit_mark_compare(rule->exe, ino, dev); + if (f->op == Audit_not_equal) + result = !result; + } + break; case AUDIT_UID: result = audit_uid_comparator(cred->uid, f->op, f->uid); break; @@ -1025,6 +1040,10 @@ static void audit_reset_context(struct audit_context *ctx) WARN_ON(!list_empty(&ctx->killed_trees)); audit_free_module(ctx); ctx->fds[0] = -1; + if (ctx->landlock_hierarchy) { + landlock_put_hierarchy(ctx->landlock_hierarchy); + ctx->landlock_hierarchy = NULL; + } ctx->type = 0; /* reset last for audit_free_*() */ } @@ -2081,6 +2100,18 @@ void __audit_syscall_exit(int success, long return_code) audit_reset_context(context); } +/** + * __audit_set_landlock_hierarchy - record Landlock domain denying the syscall + * @hierarchy: Landlock domain's hierarchy + */ +void __audit_set_landlock_hierarchy(struct landlock_hierarchy *hierarchy) +{ + struct audit_context *context = audit_context(); + + landlock_get_hierarchy(hierarchy); + context->landlock_hierarchy = hierarchy; +} + static inline void handle_one(const struct inode *inode) { struct audit_context *context; diff --git a/security/landlock/audit.c b/security/landlock/audit.c index cc01a0d663f3..a2d344c24f10 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #include #include @@ -422,6 +423,7 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, get_hierarchy(domain, request->layer_plus_one - 1); } + /* Static filtering. */ if (READ_ONCE(youngest_denied->log_status) == LANDLOCK_LOG_DISABLED) return; @@ -435,6 +437,8 @@ void landlock_log_denial(const struct landlock_ruleset *const domain, if (!unlikely(audit_context() && audit_enabled)) return; + /* Dynamic filtering according to the domain's creator. */ + audit_set_landlock_hierarchy(youngest_denied); ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN, AUDIT_LANDLOCK_DENY); if (!ab) diff --git a/security/landlock/domain.c b/security/landlock/domain.c index f1a0d1b9af7c..7fe2a48ba102 100644 --- a/security/landlock/domain.c +++ b/security/landlock/domain.c @@ -39,6 +39,7 @@ void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) #ifdef CONFIG_AUDIT put_cred(hierarchy->details->cred); put_pid(hierarchy->details->pid); + landlock_put_object(hierarchy->details->exe_object); kfree(hierarchy->details); #endif /* CONFIG_AUDIT */ @@ -56,11 +57,13 @@ void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy) * returned buffer, if any. * @path_size: Returned size of the @path string (including the trailing null * character), if any. + * @inode: Returned inode of the executable, if any. * * Returns: A pointer to an allocated buffer where @path point to, %NULL if * there is no executable path, or an error otherwise. */ -static const void *get_current_exe(const char **path_str, size_t *path_size) +static const void *get_current_exe(const char **path_str, size_t *path_size, + struct inode **inode) { struct mm_struct *mm = current->mm; struct file *file __free(fput) = NULL; @@ -93,6 +96,8 @@ static const void *get_current_exe(const char **path_str, size_t *path_size) *path_size = size; *path_str = path; + ihold(file_inode(file)); + *inode = file_inode(file); return no_free_ptr(buffer); } @@ -108,8 +113,9 @@ static struct landlock_details *get_current_details(void) size_t path_size = sizeof(null_path); struct landlock_details *details; const void *buffer __free(kfree) = NULL; + struct inode *inode __free(iput) = NULL; - buffer = get_current_exe(&path_str, &path_size); + buffer = get_current_exe(&path_str, &path_size, &inode); if (IS_ERR(buffer)) return ERR_CAST(buffer); @@ -125,6 +131,11 @@ static struct landlock_details *get_current_details(void) memcpy(details->exe_path, path_str, path_size); ktime_get_coarse_real_ts64(&details->creation); + if (inode) { + details->exe_object = landlock_get_inode_object(inode); + details->exe_ino = inode->i_ino; + details->exe_dev = inode->i_sb->s_dev; + } WARN_ON_ONCE(current_cred() != current_real_cred()); details->cred = get_current_cred(); @@ -267,6 +278,45 @@ static void test_landlock_get_deny_masks(struct kunit *const test) #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ +/** + * landlock_read_domain_exe - Read the domain creator's exe information + * + * @ino: Returned inode number, only set if the returned value is true. + * @dev: Returned device number, only set if the returned value is true. + * + * Returns: True if the underlying exe's inode is still alive (i.e. its + * superblock was not unmounted). + * + * To avoid a race condition, the caller must make sure that the compared + * object could not be changed in the check window. audit_filter() and + * audit_filter_rules() dereference the compared audit entry in an RCU + * read-side critical section, which means that the related checked ino/dev + * stays consistent (see audit_update_watch()). + */ +bool landlock_read_domain_exe(const struct landlock_hierarchy *const hierarchy, + ino_t *const ino, dev_t *const dev) +{ + if (!hierarchy || WARN_ON_ONCE(!ino || !dev)) + return false; + + /* + * If the underlying inode does not exist, this means that the inode's + * superblock was unmounted, and @ino and @dev do not identify the same + * file. Similarly, a removed inode leads to the related audit rule + * removal, see audit_watch_handle_event()'s handling of + * FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF. + * + * If the underlying inode exists, this means that the returned @ino + * and @dev may match an audit rule. + */ + if (!READ_ONCE(hierarchy->details->exe_object->underobj)) + return false; + + *ino = hierarchy->details->exe_ino; + *dev = hierarchy->details->exe_dev; + return true; +} + #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST static struct kunit_case test_cases[] = { diff --git a/security/landlock/domain.h b/security/landlock/domain.h index 7176043bd0ff..7cf88b2bc72d 100644 --- a/security/landlock/domain.h +++ b/security/landlock/domain.h @@ -19,6 +19,7 @@ #include #include "access.h" +#include "object.h" enum landlock_log_status { LANDLOCK_LOG_PENDING = 0, @@ -53,6 +54,25 @@ struct landlock_details { * identifies the same task. */ struct pid *pid; + /** + * @exe_object: Landlock object tracking the executable binary that + * restricted itself, for its whole lifetime. + */ + struct landlock_object *exe_object; + /** + * @exe_ino: Inode number cache of the executable binary. This should + * only be read if @exe_object is not NULL, while holding the related + * inode. This is useful to avoid locking @exe_object or the + * underlying inode. + */ + ino_t exe_ino; + /** + * @exe_dev: Device number cache of the executable binary. This should + * only be read if @exe_object is not NULL, while holding the related + * inode. This is useful to avoid locking @exe_object or the + * underlying inode. + */ + dev_t exe_dev; /** * @comm: Command line of the task that initially restricted itself, at * creation time. Always NULL terminated. diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 4b718b669ebe..d67f0da1b782 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -64,7 +64,7 @@ static void release_inode(struct landlock_object *const object) * Protects against concurrent use by hook_sb_delete() of the reference * to the underlying inode. */ - object->underobj = NULL; + WRITE_ONCE(object->underobj, NULL); /* * Makes sure that if the filesystem is concurrently unmounted, * hook_sb_delete() will wait for us to finish iput(). @@ -1323,7 +1323,7 @@ static void hook_sb_delete(struct super_block *const sb) */ spin_lock(&object->lock); if (object->underobj == inode) { - object->underobj = NULL; + WRITE_ONCE(object->underobj, NULL); spin_unlock(&object->lock); rcu_read_unlock(); diff --git a/security/landlock/object.h b/security/landlock/object.h index 5f28c35e8aa8..216351f45e1c 100644 --- a/security/landlock/object.h +++ b/security/landlock/object.h @@ -57,7 +57,9 @@ struct landlock_object { /** * @underobj: Used when cleaning up an object and to mark an object as * tied to its underlying kernel structure. This pointer is protected - * by @lock. Cf. landlock_release_inodes() and release_inode(). + * by @lock, but it may concurrently be checked (but not dereferenced). + * Cf. landlock_release_inodes(), release_inode(), and + * landlock_read_domain_exe(). */ void *underobj; union { From patchwork Wed Jan 8 15:43:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931247 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-bc08.mail.infomaniak.ch (smtp-bc08.mail.infomaniak.ch [45.157.188.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A1D0E204F9D for ; Wed, 8 Jan 2025 15:44:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.8 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351074; cv=none; b=AJIgUINQZ4MWQgMyHRRqUMl7SOwRJnrDnbYsYBVYorcaRdV3Ka+7fjF9XzOfZJTm8r/s8faE9MB6w+Ojj6t3XoLXzzaM6eJ872oaTC2U7BUzsApxROGe5VXxOklrsm4bylJYu+w0dOCQyXKknv5TcTW6lAgMFI94XI9JD/gyPuY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351074; c=relaxed/simple; bh=rRI8LbrBzwR4fcqUqJs4Ps+5BiqPPIchEI6A5hDhvaA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=rk2x7dVtqxiimNJDMZXWumTjTFNsX41vhx0ERIhi4rbAog8tZzqGbY2eNhVRdIcyKrP2xkNMDTgXdsEb59WmhdByBQD1lbeDzYhgvXx0qDClmkLhrwg3Nfn+vFcTdJ04UKmL0B1YPhKY2+Ovudq4V2QkqcJ3c0jcFGiMZfwylu4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=UPj50DYz; arc=none smtp.client-ip=45.157.188.8 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="UPj50DYz" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfk637nzCmL; Wed, 8 Jan 2025 16:44:30 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351070; bh=VLMZtzr5LWcOJwkntjfxNmwyBvU1kjIGz9Bzgk8Ku5c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UPj50DYzQ6ArLkY5rGrskIcWN11x8usKFPRjOqd096YaC565e+jZxhVLV5JZHQPu1 AU+uJK5XjuCMGo5bjIdnbW01yzRoa+omnjc+sRgxat4G0B4MCReHF1p+i0vKHYQqG7 ucold4Vn05shnAz4PseNKaQ1i5pOl1qQEo9JuYBs= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfj6sb5ztDK; Wed, 8 Jan 2025 16:44:29 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 29/30] selftests/landlock: Test audit rule with AUDIT_EXE_LANDLOCK_DOM Date: Wed, 8 Jan 2025 16:43:37 +0100 Message-ID: <20250108154338.1129069-30-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add audit_rule.exe_landlock_domain tests to filter Landlock denials according to the binary that created the sandbox. The wait-pipe.c test program is updated to sandbox itself and send a (denied) signal to its parent. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-30-mic@digikod.net --- Changes since v3: - New patch. --- tools/testing/selftests/landlock/audit.h | 1 + tools/testing/selftests/landlock/audit_test.c | 153 ++++++++++++++++++ tools/testing/selftests/landlock/wait-pipe.c | 30 +++- 3 files changed, 183 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/landlock/audit.h b/tools/testing/selftests/landlock/audit.h index 37979a62478c..fba96123776c 100644 --- a/tools/testing/selftests/landlock/audit.h +++ b/tools/testing/selftests/landlock/audit.h @@ -140,6 +140,7 @@ static int audit_filter_exe(const int audit_fd, switch (filter->record_type) { case AUDIT_EXE: + case AUDIT_EXE_LANDLOCK_DENY: break; default: return -EINVAL; diff --git a/tools/testing/selftests/landlock/audit_test.c b/tools/testing/selftests/landlock/audit_test.c index d5330e843395..921f316ddbf8 100644 --- a/tools/testing/selftests/landlock/audit_test.c +++ b/tools/testing/selftests/landlock/audit_test.c @@ -7,7 +7,9 @@ #define _GNU_SOURCE #include +#include #include +#include #include #include #include @@ -33,6 +35,22 @@ static int matches_log_umount(struct __test_metadata *const _metadata, REGEX_LANDLOCK_PREFIX " blockers=.*"); } +static int matches_log_signal(struct __test_metadata *const _metadata, + int audit_fd, const pid_t opid) +{ + static const char log_template[] = REGEX_LANDLOCK_PREFIX + " blockers=scope.signal opid=%d ocomm=\"audit_test\"$"; + char log_match[sizeof(log_template) + 10]; + int log_match_len; + + log_match_len = + snprintf(log_match, sizeof(log_match), log_template, opid); + if (log_match_len > sizeof(log_match)) + return -E2BIG; + + return audit_match_record(audit_fd, AUDIT_LANDLOCK_DENY, log_match); +} + FIXTURE(audit) { struct audit_filter audit_filter; @@ -155,4 +173,139 @@ TEST_F(audit, fs_deny) _metadata->exit_code = KSFT_FAIL; } +FIXTURE(audit_rule) +{ + struct audit_filter audit_filter_main, audit_filter_test; + int audit_fd; +}; + +FIXTURE_VARIANT(audit_rule) +{ + const bool with_exe_landlock_deny_child; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(audit_rule, exe_landlock_deny_child) { + /* clang-format on */ + .with_exe_landlock_deny_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(audit_rule, exe_landlock_deny_parent) { + /* clang-format on */ + .with_exe_landlock_deny_child = false, +}; + +FIXTURE_SETUP(audit_rule) +{ + const char *path = NULL; + + disable_caps(_metadata); + set_cap(_metadata, CAP_AUDIT_CONTROL); + + if (variant->with_exe_landlock_deny_child) + /* Filter on the sandboxer instead of the current exe. */ + path = bin_wait_pipe; + + self->audit_fd = audit_init(); + EXPECT_LE(0, self->audit_fd) + { + const char *error_msg; + + /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */ + if (self->audit_fd == -EEXIST) + error_msg = "socket already in use (e.g. auditd)"; + else + error_msg = strerror(-self->audit_fd); + TH_LOG("Failed to initialize audit: %s", error_msg); + } + + /* Applies main filter for the test task. */ + EXPECT_EQ(0, audit_init_filter_exe(AUDIT_EXE, &self->audit_filter_main, + bin_wait_pipe)); + EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter_main, + AUDIT_ADD_RULE, AUDIT_FILTER_EXCLUDE)); + + /* Applies test filter for the test task or the current task. */ + EXPECT_EQ(0, audit_init_filter_exe(AUDIT_EXE_LANDLOCK_DENY, + &self->audit_filter_test, path)); + EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter_test, + AUDIT_ADD_RULE, AUDIT_FILTER_EXCLUDE)); + + clear_cap(_metadata, CAP_AUDIT_CONTROL); +} + +FIXTURE_TEARDOWN(audit_rule) +{ + set_cap(_metadata, CAP_AUDIT_CONTROL); + EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter_main, + AUDIT_DEL_RULE, AUDIT_FILTER_EXCLUDE)); + EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter_test, + AUDIT_DEL_RULE, AUDIT_FILTER_EXCLUDE)); + clear_cap(_metadata, CAP_AUDIT_CONTROL); + EXPECT_EQ(0, close(self->audit_fd)); +} + +TEST_F(audit_rule, exe_landlock_deny) +{ + struct audit_records records; + int pipe_child[2], pipe_parent[2]; + char buf_parent; + pid_t child; + int status; + + ASSERT_EQ(0, pipe2(pipe_child, 0)); + ASSERT_EQ(0, pipe2(pipe_parent, 0)); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + char pipe_child_str[12], pipe_parent_str[12]; + char *const argv[] = { (char *)bin_wait_pipe, pipe_child_str, + pipe_parent_str, NULL }; + + /* Passes the pipe FDs to the executed binary. */ + EXPECT_EQ(0, close(pipe_child[0])); + EXPECT_EQ(0, close(pipe_parent[1])); + snprintf(pipe_child_str, sizeof(pipe_child_str), "%d", + pipe_child[1]); + snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d", + pipe_parent[0]); + + ASSERT_EQ(0, execve(argv[0], argv, NULL)) + { + TH_LOG("Failed to execute \"%s\": %s", argv[0], + strerror(errno)); + }; + _exit(1); + return; + } + + EXPECT_EQ(0, close(pipe_child[1])); + EXPECT_EQ(0, close(pipe_parent[0])); + + /* Waits for the child. */ + EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1)); + + /* Tests that there was no denial until now. */ + audit_count_records(self->audit_fd, &records); + EXPECT_EQ(0, records.deny); + + /* Signals the child to terminate. */ + EXPECT_EQ(1, write(pipe_parent[1], ".", 1)); + + /* Tests that the audit record only matches the child. */ + if (variant->with_exe_landlock_deny_child) { + EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd, + getpid())); + } else { + audit_count_records(self->audit_fd, &records); + EXPECT_EQ(0, records.deny); + } + + ASSERT_EQ(child, waitpid(child, &status, 0)); + ASSERT_EQ(1, WIFEXITED(status)); + ASSERT_EQ(0, WEXITSTATUS(status)); +} + TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/landlock/wait-pipe.c b/tools/testing/selftests/landlock/wait-pipe.c index 0dbcd260a0fa..153f8ca93ac6 100644 --- a/tools/testing/selftests/landlock/wait-pipe.c +++ b/tools/testing/selftests/landlock/wait-pipe.c @@ -2,20 +2,31 @@ /* * Write in a pipe and wait. * - * Used by layout1.umount_sandboxer from fs_test.c + * Used by layout1.umount_sandboxer from fs_test.c and + * audit_rule.exe_landlock_deny from audit_test.c * * Copyright © 2024-2025 Microsoft Corporation */ #define _GNU_SOURCE +#include +#include +#include #include #include +#include #include +#include "wrappers.h" + int main(int argc, char *argv[]) { + const struct landlock_ruleset_attr ruleset_attr = { + .scoped = LANDLOCK_SCOPE_SIGNAL, + }; int pipe_child, pipe_parent; char buf; + int ruleset_fd; /* The first argument must be the file descriptor number of a pipe. */ if (argc != 3) { @@ -26,6 +37,20 @@ int main(int argc, char *argv[]) pipe_child = atoi(argv[1]); pipe_parent = atoi(argv[2]); + ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + if (ruleset_fd < 0) { + perror("Failed to create a ruleset"); + return 1; + } + + prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + if (landlock_restrict_self(ruleset_fd, 0)) { + perror("Failed to restrict self"); + return 1; + } + close(ruleset_fd); + /* Signals that we are waiting. */ if (write(pipe_child, ".", 1) != 1) { perror("Failed to write to first argument"); @@ -38,5 +63,8 @@ int main(int argc, char *argv[]) return 1; } + /* Tries to send a signal. */ + kill(getppid(), 0); + return 0; } From patchwork Wed Jan 8 15:43:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13931249 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp-8faa.mail.infomaniak.ch (smtp-8faa.mail.infomaniak.ch [83.166.143.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C4101FE477 for ; Wed, 8 Jan 2025 15:44:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351076; cv=none; b=dD2ybIvkixburJUxIGAfzsFnJ1GPw2Mn/Loi4G0+qUJu5Rq55EouybYb2xEw3zc/CSPm7qIFXl/1+59bGOy+i2xzwopUpqicdy3mlGmxtAYcIwm7Rb1mOa717AQmIfAIR1OxcpKhwlySlll3slvOnfJhASVZrZdxBAwJfHXuatg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736351076; c=relaxed/simple; bh=r5WlgHY5ekmzAaYDQq4vreiTxEwpar8BE5d+CF5hpSU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Z95WgobeAeMbHh0Y1z9ZKzLhJ1C+nWCKABEyaw8cyL/UIpN97Yd7akT+qHnnM/BNaplfPxdJnAaNnyq4LAQ4l72WZAmaRgOUJEr9Jlc2Y/htyjVGgFgpLvjL2HRJT+8TirXYM0xsvwGuFQ2heJwttVK6UasGomXhULLF1clLhqk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=IEl8243x; arc=none smtp.client-ip=83.166.143.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="IEl8243x" Received: from smtp-3-0001.mail.infomaniak.ch (smtp-3-0001.mail.infomaniak.ch [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YSsfm4SSBzCbs; Wed, 8 Jan 2025 16:44:32 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736351072; bh=L8IBiXUuwC1//+udMff7eh2pXQ6UeLqKYGPADF3RxT0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IEl8243x6fZmwoZSWNsdBZuf6HXEjefSGABSrAkfHnQAq5cQzG8C8TbV9FmYdJq1f ByUgb0fcvzVp7blT0iNH0ZjsVOS+7RHPytcPKGiU8+U61l7ShNZGPtxQBM3ax4PZhA 3NXymRzDIzlBx4sSnaTQg0dBsOM0TQiUV3a0jEco= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4YSsfl4G3tzKQl; Wed, 8 Jan 2025 16:44:31 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?q?G=C3=BCnther_Noack?= , "Serge E . Hallyn" Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v4 30/30] selftests/landlock: Test compatibility with audit rule lists Date: Wed, 8 Jan 2025 16:43:38 +0100 Message-ID: <20250108154338.1129069-31-mic@digikod.net> In-Reply-To: <20250108154338.1129069-1-mic@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha Add compatibility.lists tests to make sure AUDIT_EXE_LANDLOCK_DENY is only allowed for AUDIT_FILTER_EXCLUDE, AUDIT_FILTER_EXIT, and AUDIT_FILTER_URING_EXIT. Test coverage for security/landlock is 93.5% of 1635 lines according to gcc/gcov-14. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20250108154338.1129069-31-mic@digikod.net --- Changes since v3: - New patch. --- tools/testing/selftests/landlock/audit_test.c | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/tools/testing/selftests/landlock/audit_test.c b/tools/testing/selftests/landlock/audit_test.c index 921f316ddbf8..d9f227680641 100644 --- a/tools/testing/selftests/landlock/audit_test.c +++ b/tools/testing/selftests/landlock/audit_test.c @@ -308,4 +308,82 @@ TEST_F(audit_rule, exe_landlock_deny) ASSERT_EQ(0, WEXITSTATUS(status)); } +FIXTURE(compatibility) +{ + struct audit_filter filter_self; + int audit_fd; +}; + +FIXTURE_SETUP(compatibility) +{ + disable_caps(_metadata); + set_cap(_metadata, CAP_AUDIT_CONTROL); + self->audit_fd = audit_init_with_exe_filter(&self->filter_self); + EXPECT_LE(0, self->audit_fd) + { + const char *error_msg; + + /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */ + if (self->audit_fd == -EEXIST) + error_msg = "socket already in use (e.g. auditd)"; + else + error_msg = strerror(-self->audit_fd); + TH_LOG("Failed to initialize audit: %s", error_msg); + } + clear_cap(_metadata, CAP_AUDIT_CONTROL); +} + +FIXTURE_TEARDOWN(compatibility) +{ + set_cap(_metadata, CAP_AUDIT_CONTROL); + EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->filter_self)); + clear_cap(_metadata, CAP_AUDIT_CONTROL); +} + +TEST_F(compatibility, lists) +{ + struct audit_filter filter_test; + size_t num_ok = 0; + __u32 list; + + EXPECT_EQ(0, audit_init_filter_exe(AUDIT_EXE_LANDLOCK_DENY, + &filter_test, NULL)); + set_cap(_metadata, CAP_AUDIT_CONTROL); + + for (list = 0; list < AUDIT_NR_FILTERS; list++) { + int err; + + switch (list) { + case AUDIT_FILTER_EXIT: + case AUDIT_FILTER_EXCLUDE: + case AUDIT_FILTER_URING_EXIT: + num_ok++; + err = 0; + break; + default: + err = -EINVAL; + break; + } + + /* + * Testing AUDIT_FILTER_ENTRY prints "auditfilter: + * AUDIT_FILTER_ENTRY is deprecated" in kernel logs. + */ + EXPECT_EQ(err, audit_filter_exe(self->audit_fd, &filter_test, + AUDIT_ADD_RULE, list)) + { + TH_LOG("Unexpected result for list %u", list); + } + EXPECT_EQ(err, audit_filter_exe(self->audit_fd, &filter_test, + AUDIT_DEL_RULE, list)) + { + TH_LOG("Unexpected result for list %u", list); + } + } + + /* Makes sure the three accepted lists are checked. */ + EXPECT_EQ(3, num_ok); + clear_cap(_metadata, CAP_AUDIT_CONTROL); +} + TEST_HARNESS_MAIN