From: "Mickaël Salaün" <mic@digikod.net>
To: "Eric Paris" <eparis@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Günther Noack" <gnoack@google.com>,
"Serge E . Hallyn" <serge@hallyn.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Ben Scarlato" <akhna@google.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Charles Zaffery" <czaffery@roblox.com>,
"Daniel Burgener" <dburgener@linux.microsoft.com>,
"Francis Laniel" <flaniel@linux.microsoft.com>,
"James Morris" <jmorris@namei.org>,
"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
"Jorge Lucangeli Obes" <jorgelo@google.com>,
"Kees Cook" <kees@kernel.org>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Matt Bobrowski" <mattbobrowski@google.com>,
"Matthieu Buffet" <matthieu@buffet.re>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Phil Sutter" <phil@nwl.cc>,
"Praveen K Paladugu" <prapal@linux.microsoft.com>,
"Robert Salvet" <robert.salvet@roblox.com>,
"Shervin Oloumi" <enlightened@google.com>,
"Song Liu" <song@kernel.org>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
"Tingmao Wang" <m@maowtm.org>, "Tyler Hicks" <code@tyhicks.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v7 11/28] landlock: Log mount-related denials
Date: Thu, 20 Mar 2025 20:07:00 +0100
Message-ID: <20250320190717.2287696-12-mic@digikod.net>
In-Reply-To: <20250320190717.2287696-1-mic@digikod.net>
Add audit support for sb_mount, move_mount, sb_umount, sb_remount, and
sb_pivot_root hooks.
The new related blocker is "fs.change_topology".
Audit event sample:
type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.change_topology name="/" dev="tmpfs" ino=1
Remove landlock_get_applicable_domain() and get_current_fs_domain()
which are now fully replaced with landlock_get_applicable_subject().
Cc: Günther Noack <gnoack@google.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
Changes since v6:
- Use "change_topology" instead of "change_layout".
Changes since v5:
- Move request declaration in the landlock_log_denial() calls.
Changes since v4:
- Rebase on top of the landlock_log_denial() and subject type changes.
- Fix off-by-one error in landlock_match_layer_level(), now merged into
landlock_get_applicable_domain().
Changes since v3:
- Cosmetic change to the "fs.change_layout" name.
Changes since v2:
- Log the domain that denied the action because not all layers block FS
layout changes.
- Fix landlock_match_layer_level().
Changes since v1:
- Rebased on the TCP patch series.
- Don't log missing permissions, only domain layer, and then remove the
permission word (suggested by Günther).
---
security/landlock/audit.c | 3 ++
security/landlock/audit.h | 1 +
security/landlock/fs.c | 81 ++++++++++++++++++++++++++++++++-----
security/landlock/ruleset.h | 30 --------------
4 files changed, 74 insertions(+), 41 deletions(-)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index a0e6041a1e21..423e8c61ebbd 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -21,6 +21,9 @@ static const char *get_blocker(const enum landlock_request_type type)
switch (type) {
case LANDLOCK_REQUEST_PTRACE:
return "ptrace";
+
+ case LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY:
+ return "fs.change_topology";
}
WARN_ON_ONCE(1);
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 40ff230316c4..9ebe8766bbfd 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -15,6 +15,7 @@
enum landlock_request_type {
LANDLOCK_REQUEST_PTRACE = 1,
+ LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
};
/*
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 13d1cd78e8c8..7249371857fc 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -23,6 +23,7 @@
#include <linux/kernel.h>
#include <linux/limits.h>
#include <linux/list.h>
+#include <linux/lsm_audit.h>
#include <linux/lsm_hooks.h>
#include <linux/mount.h>
#include <linux/namei.h>
@@ -39,6 +40,7 @@
#include <uapi/linux/landlock.h>
#include "access.h"
+#include "audit.h"
#include "common.h"
#include "cred.h"
#include "fs.h"
@@ -395,12 +397,6 @@ static const struct access_masks any_fs = {
.fs = ~0,
};
-static const struct landlock_ruleset *get_current_fs_domain(void)
-{
- return landlock_get_applicable_domain(landlock_get_current_domain(),
- any_fs);
-}
-
/*
* Check that a destination file hierarchy has more restrictions than a source
* file hierarchy. This is only used for link and rename actions.
@@ -1335,6 +1331,34 @@ static void hook_sb_delete(struct super_block *const sb)
!atomic_long_read(&landlock_superblock(sb)->inode_refs));
}
+static void
+log_fs_change_topology_path(const struct landlock_cred_security *const subject,
+ size_t handle_layer, const struct path *const path)
+{
+ landlock_log_denial(subject, &(struct landlock_request) {
+ .type = LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
+ .audit = {
+ .type = LSM_AUDIT_DATA_PATH,
+ .u.path = *path,
+ },
+ .layer_plus_one = handle_layer + 1,
+ });
+}
+
+static void log_fs_change_topology_dentry(
+ const struct landlock_cred_security *const subject, size_t handle_layer,
+ struct dentry *const dentry)
+{
+ landlock_log_denial(subject, &(struct landlock_request) {
+ .type = LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
+ .audit = {
+ .type = LSM_AUDIT_DATA_DENTRY,
+ .u.dentry = dentry,
+ },
+ .layer_plus_one = handle_layer + 1,
+ });
+}
+
/*
* Because a Landlock security policy is defined according to the filesystem
* topology (i.e. the mount namespace), changing it may grant access to files
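Review bot: the `.layer_plus_one = handle_layer + 1` member set in both log_fs_change_topology_path() and log_fs_change_topology_dentry() carries an offset-by-one encoding that is not explained at the point of use; a one-line comment on the helpers saying what handle_layer indexes (the domain layer that handles some filesystem access, as returned by landlock_get_applicable_subject()) and why the stored value is shifted would spare readers of fs.c a trip to audit.h. Beyond the `.audit` member (LSM_AUDIT_DATA_PATH with `.u.path = *path` versus LSM_AUDIT_DATA_DENTRY with `.u.dentry = dentry`) the two helpers are identical, so if a third audit-data variant is ever needed a single helper taking a prepared `struct common_audit_data` would be the natural refactor; with two call shapes the duplication is still tolerable.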
@@ -1357,16 +1381,30 @@ static int hook_sb_mount(const char *const dev_name,
const struct path *const path, const char *const type,
const unsigned long flags, void *const data)
{
- if (!get_current_fs_domain())
+ size_t handle_layer;
+ const struct landlock_cred_security *const subject =
+ landlock_get_applicable_subject(current_cred(), any_fs,
+ &handle_layer);
+
+ if (!subject)
return 0;
+
+ log_fs_change_topology_path(subject, handle_layer, path);
return -EPERM;
}
static int hook_move_mount(const struct path *const from_path,
const struct path *const to_path)
{
- if (!get_current_fs_domain())
+ size_t handle_layer;
+ const struct landlock_cred_security *const subject =
+ landlock_get_applicable_subject(current_cred(), any_fs,
+ &handle_layer);
+
+ if (!subject)
return 0;
+
+ log_fs_change_topology_path(subject, handle_layer, to_path);
return -EPERM;
}
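Review bot: the same prologue (declare `size_t handle_layer`, call landlock_get_applicable_subject(current_cred(), any_fs, &handle_layer), return 0 when the subject is NULL) now appears verbatim in hook_sb_mount() and hook_move_mount() here and again in the three hooks that follow. Since this is exactly the role the removed get_current_fs_domain() played, a small static helper such as a hypothetical `get_current_fs_subject(size_t *handle_layer)` returning the subject or NULL would keep the five hooks to their one distinguishing line, the log call. The logged object also differs between the two hooks: hook_sb_mount() logs the mount point `path`, while hook_move_mount() logs `to_path` and drops `from_path`; documenting that the destination of the topology change is what gets audited would help.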
@@ -1376,15 +1414,29 @@ static int hook_move_mount(const struct path *const from_path,
*/
static int hook_sb_umount(struct vfsmount *const mnt, const int flags)
{
- if (!get_current_fs_domain())
+ size_t handle_layer;
+ const struct landlock_cred_security *const subject =
+ landlock_get_applicable_subject(current_cred(), any_fs,
+ &handle_layer);
+
+ if (!subject)
return 0;
+
+ log_fs_change_topology_dentry(subject, handle_layer, mnt->mnt_root);
return -EPERM;
}
static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts)
{
- if (!get_current_fs_domain())
+ size_t handle_layer;
+ const struct landlock_cred_security *const subject =
+ landlock_get_applicable_subject(current_cred(), any_fs,
+ &handle_layer);
+
+ if (!subject)
return 0;
+
+ log_fs_change_topology_dentry(subject, handle_layer, sb->s_root);
return -EPERM;
}
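Review bot: hook_sb_umount() logs `mnt->mnt_root` through the LSM_AUDIT_DATA_DENTRY variant, which records the dentry's own name and inode rather than a path resolved through the mount, so the umount record will identify the filesystem root of the mount being removed but not where that mount sits in the caller's namespace. Both `mnt` and `mnt->mnt_root` are in hand here, so a `struct path` built from them could be passed to log_fs_change_topology_path() instead, giving the umount record the same resolved-path form as the mount, move_mount and pivot_root records. For hook_sb_remount() only the super_block is available, so logging `sb->s_root` as a dentry is the right choice there.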
@@ -1399,8 +1451,15 @@ static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts)
static int hook_sb_pivotroot(const struct path *const old_path,
const struct path *const new_path)
{
- if (!get_current_fs_domain())
+ size_t handle_layer;
+ const struct landlock_cred_security *const subject =
+ landlock_get_applicable_subject(current_cred(), any_fs,
+ &handle_layer);
+
+ if (!subject)
return 0;
+
+ log_fs_change_topology_path(subject, handle_layer, new_path);
return -EPERM;
}
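Review bot: hook_sb_pivotroot() logs only `new_path` and, as with hook_move_mount() logging only `to_path`, the commit message does not state which of the two paths each hook records or why. A sentence in the commit message (or in the comment block that precedes these hooks) saying that the destination of the topology change is the audited object would make the semantics explicit for anyone writing audit rules or parsers against the fs.change_topology records.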
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 28af42d66261..5da9a64f5af7 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -243,36 +243,6 @@ landlock_union_access_masks(const struct landlock_ruleset *const domain)
return matches.masks;
}
-/**
- * landlock_get_applicable_domain - Return @domain if it applies to (handles)
- * at least one of the access rights specified
- * in @masks
- *
- * @domain: Landlock ruleset (used as a domain)
- * @masks: access masks
- *
- * Returns: @domain if any access rights specified in @masks is handled, or
- * NULL otherwise.
- */
-static inline const struct landlock_ruleset *
-landlock_get_applicable_domain(const struct landlock_ruleset *const domain,
- const struct access_masks masks)
-{
- const union access_masks_all masks_all = {
- .masks = masks,
- };
- union access_masks_all merge = {};
-
- if (!domain)
- return NULL;
-
- merge.masks = landlock_union_access_masks(domain);
- if (merge.all & masks_all.all)
- return domain;
-
- return NULL;
-}
-
static inline void
landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
const access_mask_t fs_access_mask,
--
2.49.0
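The patch only emits the LANDLOCK_DENY records; on the consuming side, the following added example (not part of this patch or of the Landlock project) shows how a defender can parse them from an audit log, isolate the fs.change_topology blocker introduced here, count denials per domain ID and join each denial with the SYSCALL record that shares its audit serial. It assumes the record layout shown in the commit message (`type=... msg=audit(<ts>:<serial>): key=value ...`); the sample log lines are constructed for the example, and the handling of a comma-separated `blockers` list is an assumption, since the patch only shows a single value.

```python
"""Parse LANDLOCK_DENY audit records and pick out filesystem-topology denials."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log (not captured from a real system). The first line is the
# event quoted in the commit message; the other lines are modelled on its format
# and on the generic audit record layout (type=... msg=audit(<ts>:<serial>): ...).
SAMPLE_AUDIT_LOG = """\
type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.change_topology name="/" dev="tmpfs" ino=1
type=SYSCALL msg=audit(1729738800.349:44): arch=c000003e syscall=165 success=no exit=-1
type=LANDLOCK_DENY msg=audit(1729738800.512:45): domain=195ba459b blockers=fs.change_topology name="/mnt" dev="tmpfs" ino=2
type=LANDLOCK_DENY msg=audit(1729738801.004:46): domain=195ba45a0 blockers=ptrace opid=4242 ocomm="bash"
"""

# "type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>"
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(?P<key>[\w.]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)


def parse_record(line):
    """Parse one audit line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group("rest")):
        value = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
        fields[f.group("key")] = value
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def parse_log(text):
    """Parse every audit record in a multi-line log, skipping unparsable lines."""
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def landlock_denials(text, blocker=None):
    """Return LANDLOCK_DENY records, optionally only those naming the given blocker.

    Assumption: "blockers" may list several comma-separated blocker names; the
    patch only shows a single value, for which the split is a no-op.
    """
    hits = []
    for r in parse_log(text):
        if r.type != "LANDLOCK_DENY":
            continue
        blockers = r.fields.get("blockers", "").split(",")
        if blocker is None or blocker in blockers:
            hits.append(r)
    return hits


def topology_denials_by_domain(text):
    """Count fs.change_topology denials per Landlock domain ID."""
    return Counter(r.fields["domain"] for r in landlock_denials(text, "fs.change_topology"))


def correlate_syscalls(text):
    """Map each LANDLOCK_DENY serial to the SYSCALL record of the same audit event.

    Records belonging to one event share the (timestamp:serial) pair, so the
    serial is enough to join the denial with the syscall that triggered it.
    """
    records = parse_log(text)
    syscalls = {r.serial: r for r in records if r.type == "SYSCALL"}
    return {
        r.serial: syscalls[r.serial]
        for r in records
        if r.type == "LANDLOCK_DENY" and r.serial in syscalls
    }


if __name__ == "__main__":
    for r in landlock_denials(SAMPLE_AUDIT_LOG, "fs.change_topology"):
        print(f"serial {r.serial}: domain={r.fields['domain']} name={r.fields.get('name')}")
    print(dict(topology_denials_by_domain(SAMPLE_AUDIT_LOG)))
```

Run against a real `ausearch` or `/var/log/audit/audit.log` extract, the per-domain counter is the quickest way to see which sandbox is attempting mount-table changes, and the serial join tells you which syscall (mount, umount2, pivot_root or move_mount) each denial came from.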