From: "Mickaël Salaün" <mic@digikod.net>
To: "Eric Paris" <eparis@redhat.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Günther Noack" <gnoack@google.com>,
	"Serge E . Hallyn" <serge@hallyn.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Ben Scarlato" <akhna@google.com>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	"Charles Zaffery" <czaffery@roblox.com>,
	"Daniel Burgener" <dburgener@linux.microsoft.com>,
	"Francis Laniel" <flaniel@linux.microsoft.com>,
	"James Morris" <jmorris@namei.org>,
	"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
	"Jorge Lucangeli Obes" <jorgelo@google.com>,
	"Kees Cook" <kees@kernel.org>,
	"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
	"Matt Bobrowski" <mattbobrowski@google.com>,
	"Matthieu Buffet" <matthieu@buffet.re>,
	"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
	"Phil Sutter" <phil@nwl.cc>,
	"Praveen K Paladugu" <prapal@linux.microsoft.com>,
	"Robert Salvet" <robert.salvet@roblox.com>,
	"Shervin Oloumi" <enlightened@google.com>,
	"Song Liu" <song@kernel.org>,
	"Tahera Fahimi" <fahimitahera@gmail.com>,
	"Tingmao Wang" <m@maowtm.org>, "Tyler Hicks" <code@tyhicks.com>,
	audit@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v7 16/28] landlock: Log scoped denials
Date: Thu, 20 Mar 2025 20:07:05 +0100	[thread overview]
Message-ID: <20250320190717.2287696-17-mic@digikod.net> (raw)
In-Reply-To: <20250320190717.2287696-1-mic@digikod.net>

Add audit support for unix_stream_connect, unix_may_send, task_kill, and
file_send_sigiotask hooks.

The related blockers are:
- scope.abstract_unix_socket
- scope.signal

Audit event sample for abstract unix socket:

  type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F

Audit event sample for signal:

  type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd"

Refactor and simplify error handling in LSM hooks.

Extend struct landlock_file_security with fown_layer and use it to log
the blocking domain.  The struct aligned size is still 16 bytes.

Cc: Günther Noack <gnoack@google.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---

Changes since v6:
- Fix missing ifdef CONFIG_AUDIT for fown_layer, spotted by kernel test
  robot.
- Update headers.

Changes since v5:
- Move request declarations in the landlock_log_denial() calls to
  not impact allowed requests with audit, and return as soon as
  possible when access is allowed.
- Store a fown_layer per file and use it to log the blocking domain.
- Refactor and simplify error handling in LSM hooks.

Changes since v4:
- Rebase on top of the landlock_log_denial() and subject type changes.

Changes since v3:
- Cosmetic change to the "scope.*" blocker names.
- Extend commit message.

Changes since v1:
- New patch.
---
 security/landlock/audit.c |  8 ++++
 security/landlock/audit.h |  2 +
 security/landlock/fs.c    |  8 +++-
 security/landlock/fs.h    | 16 ++++++++
 security/landlock/task.c  | 84 +++++++++++++++++++++++++++++++--------
 5 files changed, 99 insertions(+), 19 deletions(-)

diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index 66ff9a5d9866..2dcc55ad451c 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -70,6 +70,14 @@ get_blocker(const enum landlock_request_type type,
 		if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings)))
 			return "unknown";
 		return net_access_strings[access_bit];
+
+	case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
+		WARN_ON_ONCE(access_bit != -1);
+		return "scope.abstract_unix_socket";
+
+	case LANDLOCK_REQUEST_SCOPE_SIGNAL:
+		WARN_ON_ONCE(access_bit != -1);
+		return "scope.signal";
 	}
 
 	WARN_ON_ONCE(1);
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 486b4e7050d3..92428b7fc4d8 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -19,6 +19,8 @@ enum landlock_request_type {
 	LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
 	LANDLOCK_REQUEST_FS_ACCESS,
 	LANDLOCK_REQUEST_NET_ACCESS,
+	LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+	LANDLOCK_REQUEST_SCOPE_SIGNAL,
 };
 
 /*
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 9d7443ff67c7..36d06a8e2287 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1774,6 +1774,7 @@ static void hook_file_set_fowner(struct file *file)
 	struct landlock_ruleset *prev_dom;
 	struct task_struct *p;
 	struct landlock_cred_security fown_subject = {};
+	size_t fown_layer = 0;
 
 	/*
 	 * Lock already held by __f_setown(), see commit 26f204380a3c ("fs: Fix
@@ -1791,8 +1792,8 @@ static void hook_file_set_fowner(struct file *file)
 			.scope = LANDLOCK_SCOPE_SIGNAL,
 		};
 		const struct landlock_cred_security *new_subject =
-			landlock_get_applicable_subject(current_cred(),
-							signal_scope, NULL);
+			landlock_get_applicable_subject(
+				current_cred(), signal_scope, &fown_layer);
 		if (new_subject) {
 			landlock_get_ruleset(new_subject->domain);
 			fown_subject = *new_subject;
@@ -1801,6 +1802,9 @@ static void hook_file_set_fowner(struct file *file)
 
 	prev_dom = landlock_file(file)->fown_subject.domain;
 	landlock_file(file)->fown_subject = fown_subject;
+#ifdef CONFIG_AUDIT
+	landlock_file(file)->fown_layer = fown_layer;
+#endif /* CONFIG_AUDIT*/
 
 	/* Called in an RCU read-side critical section. */
 	landlock_put_ruleset_deferred(prev_dom);
diff --git a/security/landlock/fs.h b/security/landlock/fs.h
index 3a09ba985b74..294ca813c7f2 100644
--- a/security/landlock/fs.h
+++ b/security/landlock/fs.h
@@ -9,6 +9,7 @@
 #ifndef _SECURITY_LANDLOCK_FS_H
 #define _SECURITY_LANDLOCK_FS_H
 
+#include <linux/build_bug.h>
 #include <linux/fs.h>
 #include <linux/init.h>
 #include <linux/rcupdate.h>
@@ -61,6 +62,11 @@ struct landlock_file_security {
 	 * _LANDLOCK_ACCESS_FS_OPTIONAL).
 	 */
 	deny_masks_t deny_masks;
+	/**
+	 * @fown_layer: Layer level of @fown_subject->domain with
+	 * LANDLOCK_SCOPE_SIGNAL.
+	 */
+	u8 fown_layer;
 #endif /* CONFIG_AUDIT */
 
 	/**
@@ -73,6 +79,16 @@ struct landlock_file_security {
 	struct landlock_cred_security fown_subject;
 };
 
+#ifdef CONFIG_AUDIT
+
+/* Makes sure all layers can be identified. */
+/* clang-format off */
+static_assert((typeof_member(struct landlock_file_security, fown_layer))~0 >=
+	      LANDLOCK_MAX_NUM_LAYERS);
+/* clang-format off */
+
+#endif /* CONFIG_AUDIT */
+
 /**
  * struct landlock_superblock_security - Superblock security blob
  *
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 60e2953d2c71..e95e4ebe724d 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -1,9 +1,10 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Landlock LSM - Ptrace hooks
+ * Landlock - Ptrace hooks
  *
  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
  * Copyright © 2019-2020 ANSSI
+ * Copyright © 2021-2025 Microsoft Corporation
  */
 
 #include <asm/current.h>
@@ -265,26 +266,41 @@ static int hook_unix_stream_connect(struct sock *const sock,
 				    struct sock *const other,
 				    struct sock *const newsk)
 {
+	size_t handle_layer;
 	const struct landlock_cred_security *const subject =
 		landlock_get_applicable_subject(current_cred(), unix_scope,
-						NULL);
+						&handle_layer);
 
 	/* Quick return for non-landlocked tasks. */
 	if (!subject)
 		return 0;
 
-	if (is_abstract_socket(other) && sock_is_scoped(other, subject->domain))
-		return -EPERM;
+	if (!is_abstract_socket(other))
+		return 0;
+
+	if (!sock_is_scoped(other, subject->domain))
+		return 0;
 
-	return 0;
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.audit = {
+			.type = LSM_AUDIT_DATA_NET,
+			.u.net = &(struct lsm_network_audit) {
+				.sk = other,
+			},
+		},
+		.layer_plus_one = handle_layer + 1,
+	});
+	return -EPERM;
 }
 
 static int hook_unix_may_send(struct socket *const sock,
 			      struct socket *const other)
 {
+	size_t handle_layer;
 	const struct landlock_cred_security *const subject =
 		landlock_get_applicable_subject(current_cred(), unix_scope,
-						NULL);
+						&handle_layer);
 
 	if (!subject)
 		return 0;
@@ -296,11 +312,23 @@ static int hook_unix_may_send(struct socket *const sock,
 	if (unix_peer(sock->sk) == other->sk)
 		return 0;
 
-	if (is_abstract_socket(other->sk) &&
-	    sock_is_scoped(other->sk, subject->domain))
-		return -EPERM;
+	if (!is_abstract_socket(other->sk))
+		return 0;
+
+	if (!sock_is_scoped(other->sk, subject->domain))
+		return 0;
 
-	return 0;
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.audit = {
+			.type = LSM_AUDIT_DATA_NET,
+			.u.net = &(struct lsm_network_audit) {
+				.sk = other->sk,
+			},
+		},
+		.layer_plus_one = handle_layer + 1,
+	});
+	return -EPERM;
 }
 
 static const struct access_masks signal_scope = {
@@ -312,6 +340,7 @@ static int hook_task_kill(struct task_struct *const p,
 			  const struct cred *cred)
 {
 	bool is_scoped;
+	size_t handle_layer;
 	const struct landlock_cred_security *subject;
 
 	if (!cred) {
@@ -330,7 +359,8 @@ static int hook_task_kill(struct task_struct *const p,
 		cred = current_cred();
 	}
 
-	subject = landlock_get_applicable_subject(cred, signal_scope, NULL);
+	subject = landlock_get_applicable_subject(cred, signal_scope,
+						  &handle_layer);
 
 	/* Quick return for non-landlocked tasks. */
 	if (!subject)
@@ -342,10 +372,19 @@ static int hook_task_kill(struct task_struct *const p,
 					     landlock_get_task_domain(p),
 					     signal_scope.scope);
 	}
-	if (is_scoped)
-		return -EPERM;
 
-	return 0;
+	if (!is_scoped)
+		return 0;
+
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+		.audit = {
+			.type = LSM_AUDIT_DATA_TASK,
+			.u.tsk = p,
+		},
+		.layer_plus_one = handle_layer + 1,
+	});
+	return -EPERM;
 }
 
 static int hook_file_send_sigiotask(struct task_struct *tsk,
@@ -374,10 +413,21 @@ static int hook_file_send_sigiotask(struct task_struct *tsk,
 					     landlock_get_task_domain(tsk),
 					     signal_scope.scope);
 	}
-	if (is_scoped)
-		return -EPERM;
 
-	return 0;
+	if (!is_scoped)
+		return 0;
+
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+		.audit = {
+			.type = LSM_AUDIT_DATA_TASK,
+			.u.tsk = tsk,
+		},
+#ifdef CONFIG_AUDIT
+		.layer_plus_one = landlock_file(fown->file)->fown_layer + 1,
+#endif /* CONFIG_AUDIT */
+	});
+	return -EPERM;
 }
 
 static struct security_hook_list landlock_hooks[] __ro_after_init = {
-- 
2.49.0


  parent reply	other threads:[~2025-03-20 19:07 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-20 19:06 [PATCH v7 00/28] Landlock audit support Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 01/28] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2025-03-25 19:35   ` Günther Noack
2025-03-20 19:06 ` [PATCH v7 02/28] landlock: Add unique ID generator Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 03/28] landlock: Move domain hierarchy management Mickaël Salaün
2025-03-25 19:37   ` Günther Noack
2025-03-20 19:06 ` [PATCH v7 04/28] landlock: Prepare to use credential instead of domain for filesystem Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 05/28] landlock: Prepare to use credential instead of domain for network Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 06/28] landlock: Prepare to use credential instead of domain for scope Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 07/28] landlock: Prepare to use credential instead of domain for fowner Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 08/28] landlock: Identify domain execution crossing Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 09/28] landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials Mickaël Salaün
2025-03-27 21:38   ` Tingmao Wang
2025-03-28 10:33     ` Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 10/28] landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 11/28] landlock: Log mount-related denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 12/28] landlock: Log file-related denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 13/28] landlock: Factor out IOCTL hooks Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 14/28] landlock: Log truncate and IOCTL denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 15/28] landlock: Log TCP bind and connect denials Mickaël Salaün
2025-03-20 19:07 ` Mickaël Salaün [this message]
2025-03-20 19:07 ` [PATCH v7 17/28] landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 18/28] landlock: Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 19/28] samples/landlock: Enable users to log sandbox denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 20/28] selftests/landlock: Add test for invalid ruleset file descriptor Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 21/28] selftests/landlock: Extend tests for landlock_restrict_self(2)'s flags Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 22/28] selftests/landlock: Add tests for audit flags and domain IDs Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 23/28] selftests/landlock: Test audit with restrict flags Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 24/28] selftests/landlock: Add audit tests for ptrace Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 25/28] selftests/landlock: Add audit tests for abstract UNIX socket scoping Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 26/28] selftests/landlock: Add audit tests for filesystem Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 27/28] selftests/landlock: Add audit tests for network Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 28/28] landlock: Add audit documentation Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250320190717.2287696-17-mic@digikod.net \
    --to=mic@digikod.net \
    --cc=akhna@google.com \
    --cc=audit@vger.kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=code@tyhicks.com \
    --cc=czaffery@roblox.com \
    --cc=dburgener@linux.microsoft.com \
    --cc=enlightened@google.com \
    --cc=eparis@redhat.com \
    --cc=fahimitahera@gmail.com \
    --cc=flaniel@linux.microsoft.com \
    --cc=gnoack@google.com \
    --cc=ivanov.mikhail1@huawei-partners.com \
    --cc=jannh@google.com \
    --cc=jeffxu@google.com \
    --cc=jmorris@namei.org \
    --cc=jorgelo@google.com \
    --cc=kees@kernel.org \
    --cc=konstantin.meskhidze@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=m@maowtm.org \
    --cc=mattbobrowski@google.com \
    --cc=matthieu@buffet.re \
    --cc=paul@paul-moore.com \
    --cc=phil@nwl.cc \
    --cc=prapal@linux.microsoft.com \
    --cc=robert.salvet@roblox.com \
    --cc=serge@hallyn.com \
    --cc=song@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.