Re: [RFC PATCH v1 0/7] Landlock audit support

[Mickaël Salaün]

On Tue, Sep 26, 2023 at 06:24:32PM +0200, Günther Noack wrote:
> Hi Mickaël!
> 
> On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote:
> > This patch series adds basic audit support to Landlock for most actions.
> > Logging denied requests is useful for different use cases:
> > * app developers: to ease and speed up sandboxing support
> > * power users: to understand denials
> > * sysadmins: to look for users' issues
> > * tailored distro maintainers: to get usage metrics from their fleet
> > * security experts: to detect attack attempts
> > 
> > To make logs useful, they need to contain the most relevant Landlock
> > domain that denied an action, and the reason. This translates to the
> > latest nested domain and the related missing access rights.
> 
> Is "domain" always the latest nested domain, or is that the domain which caused
> the check to fail because it denied the requested access right?  (If it is just
> the counter of how many domains are stacked, this could maybe also be queried
> through proc instead?)

The logged domain is the latest nested domain that denied at least one
access request (others might be denied by older domains).

What do you mean to query it through proc?

> 
> 
> > Two "Landlock permissions" are used to describe mandatory restrictions
> > enforced on all domains:
> > * fs_layout: change the view of filesystem with mount operations.
> > * ptrace: tamper with a process.
> 
> I find the term "access" already a bit overloaded, and the term "permission"
> also already appears in other contexts.  Maybe we can avoid the additional
> terminology by grouping these two together in the log format, and calling them
> the "cause" or "reason" for the deny decision?  In a sense, the access rights
> and the other permissions can already be told apart by their names, so they
> might also both appear under the same key without causing additional confusion?

I choose to have two fields (missing-fs-accesses and missing-permission)
because one is specific to the FS access rights and the other is
generic. The reason of a deny is specifically the "missing FS accesses
or the missing permissions". I though about a generic "missing-accesses"
but in this case we'll need to prefix all rights with "fs_" or
"generic_", which seems too verbose. I think that tying to the access
right types would be less confusing when parsing these logs.

I'm not a fan of the "permission" name neither, but I didn't find a
better name. This comes from EACCES vs. EPERM.

BTW, I should use fs_topology instead of fs_layout.

> 
> 
> > Here is an example of logs, result of the sandboxer activity:
> > tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate
> > tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0
> > op=release-ruleset ruleset=1
> > tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9
> > tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256
> > tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256
> > tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1
> > tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd"
> 
> In more complicated cases like "refer" and "open", it is possible that more than
> one access right is missing, and presumably they'll both be listed in
> missing-fs-accesses=.  In this case, it is not clear to me whether the domain=
> number is referring to the first or the second of these missing rights.
> (Assuming that the domain= is about the domain which caused the denial.)

In the case of "open", only the missing access rigths from the youngest
domain (that denied at least one request) are printed. This enables to
focus on this one, which should be the most common use case and the more
useful when debugging a sandbox. This also means that the logs are not
complete, only the more relevant informations are logged.

It is more complex in the case of "refer" because two paths/objects are
involved. I'm not sure how to log such request yet, but I think an
useful log entry should contain both the source and the destination
paths, which would be new compared to other LSMs. This would require to
extend furthermore audit_log_lsm_data(), probably by adding a prefix to
the "path=" string. I'd like to log only one entry per denial, and then
only one set of missing rights per domain. This should be OK by
extracting the youngest missing access rights from the destination
and/or the source (according to the same domain).

> 
> 
> > As highlighted in comments, support for audit is not complete yet with
> > this series: some actions are not logged (e.g. file reparenting), and
> > rule additions are not logged neither.
> 
> When ftruncate(2) gets denied, it is also not possible to tell which of the
> nested domains is responsible, without additional changes to what we carry
> around in the file's security blob.  (Right now, we calculate the overall
> truncation right in advance at open(2) time, and just store that bit with the
> newly opened file.)

Right, one solution would be to add a pointer to the domain that set the
restrictions, but I'd like to avoid that. Instead, we should be able to
identify the struct file at open time (another case for logging a
granted access), and then delegate the complexity of domain tracking and
file lifetime to the (user space) log parser.

> 
> 
> > I'm also not sure if we need to have seccomp-like features such as
> > SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and
> > /proc/sys/kernel/seccomp/actions_logged
> > 
> > I'd like to get some early feedback on this proposal.
> 
> If you want to have the full feature set as proposed above for other operations
> as well, like file reparenting and truncation, it'll complicate the Landlock
> logic and increase the amount of data that needs to be kept around just for
> logging.  I'm not convinced that this is worth it.  After all, the simpler the
> Landlock implementation is, the easier it'll be to reason about its logic and
> its security guarantees.

I'd also like to keep the *enforcement implementation* as simple as
possible, and move most of the logging complexity to the audit.c file
and user space parsers. This patch series doesn't add complexity to the
enforcement logic, only to the audit logic.

The amount of data should only be a 64-bit ID per domain and ruleset,
and maybe the same for landlock_file_security (but I guess there are
other ways to identify a struct file).

Being able to debug Landlock policies is a critical feature for its
adoption.

> 
> A possible simplification would be to omit the domain number which is
> responsible for a "deny" decision.  I feel that for debugging, knowing the fact
> that Landlock denied an operation might already be a big step forward, and the
> exact domain responsible for it might not be that important?

Debugging a set of nested policies would be very challenging without the
ability to identify the exact domain causing denials. Storing an ID
doesn't look like a significant burden isn't it?

> 
> —Günther
> 
> -- 
> Sent using Mutt 🐕 Woof Woof