[RFC PATCH v1 0/7] Landlock audit support

From: Mickaël Salaün
Date: Thu Sep 21 2023 - 13:32:14 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH v3 2/5] dt-bindings: phy: qcom,qmp-usb: Add SDX75 USB3 PHY"
Previous message: Michael Ellerman: "Re: [PATCH v3 1/2] vmcore: remove dependency with is_kdump_kernel() for exporting vmcore"
Next in thread: Mickaël Salaün: "[RFC PATCH v1 5/7] landlock: Log file-related requests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

This patch series adds basic audit support to Landlock for most actions.
Logging denied requests is useful for different use cases:
* app developers: to ease and speed up sandboxing support
* power users: to understand denials
* sysadmins: to look for users' issues
* tailored distro maintainers: to get usage metrics from their fleet
* security experts: to detect attack attempts

To make logs useful, they need to contain the most relevant Landlock
domain that denied an action, and the reason. This translates to the
latest nested domain and the related missing access rights.

Two "Landlock permissions" are used to describe mandatory restrictions
enforced on all domains:
* fs_layout: change the view of filesystem with mount operations.
* ptrace: tamper with a process.

Here is an example of logs, result of the sandboxer activity:
tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate
tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0
op=release-ruleset ruleset=1
tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9
tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256
tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256
tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1
tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd"

As highlighted in comments, support for audit is not complete yet with
this series: some actions are not logged (e.g. file reparenting), and
rule additions are not logged neither.

I'm also not sure if we need to have seccomp-like features such as
SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and
/proc/sys/kernel/seccomp/actions_logged

I'd like to get some early feedback on this proposal.

This series is based on v6.6-rc2

Regards,

Mickaël Salaün (7):
lsm: Add audit_log_lsm_data() helper
landlock: Factor out check_access_path()
landlock: Log ruleset creation and release
landlock: Log domain creation and enforcement
landlock: Log file-related requests
landlock: Log mount-related requests
landlock: Log ptrace requests

include/linux/lsm_audit.h | 2 +
include/uapi/linux/audit.h | 1 +
security/landlock/Makefile | 2 +
security/landlock/audit.c | 283 +++++++++++++++++++++++++++++++++++
security/landlock/audit.h | 88 +++++++++++
security/landlock/fs.c | 169 ++++++++++++++++-----
security/landlock/ptrace.c | 47 +++++-
security/landlock/ruleset.c | 6 +
security/landlock/ruleset.h | 10 ++
security/landlock/syscalls.c | 12 ++
security/lsm_audit.c | 26 ++--
11 files changed, 595 insertions(+), 51 deletions(-)
create mode 100644 security/landlock/audit.c
create mode 100644 security/landlock/audit.h

base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70
--
2.42.0

Next message: Krzysztof Kozlowski: "Re: [PATCH v3 2/5] dt-bindings: phy: qcom,qmp-usb: Add SDX75 USB3 PHY"
Previous message: Michael Ellerman: "Re: [PATCH v3 1/2] vmcore: remove dependency with is_kdump_kernel() for exporting vmcore"
Next in thread: Mickaël Salaün: "[RFC PATCH v1 5/7] landlock: Log file-related requests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]