From: "Mickaël Salaün" <mic@digikod.net>
To: Paul Moore <paul@paul-moore.com>
Cc: "Eric Paris" <eparis@redhat.com>,
"Günther Noack" <gnoack@google.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Ben Scarlato" <akhna@google.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Charles Zaffery" <czaffery@roblox.com>,
"Francis Laniel" <flaniel@linux.microsoft.com>,
"James Morris" <jmorris@namei.org>,
"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
"Jorge Lucangeli Obes" <jorgelo@google.com>,
"Kees Cook" <kees@kernel.org>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Matt Bobrowski" <mattbobrowski@google.com>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Phil Sutter" <phil@nwl.cc>,
"Praveen K Paladugu" <prapal@linux.microsoft.com>,
"Robert Salvet" <robert.salvet@roblox.com>,
"Shervin Oloumi" <enlightened@google.com>,
"Song Liu" <song@kernel.org>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v3 17/23] landlock: Log TCP bind and connect denials
Date: Tue, 7 Jan 2025 15:17:49 +0100 [thread overview]
Message-ID: <20250107.Amu1eiPohwei@digikod.net> (raw)
In-Reply-To: <CAHC9VhRh+_CM5kVmuXkttCn-3f3X8TR4n2q7MzrxCBXhbb2n-Q@mail.gmail.com>
On Mon, Jan 06, 2025 at 05:29:51PM -0500, Paul Moore wrote:
> On Mon, Jan 6, 2025 at 9:51 AM Mickaël Salaün <mic@digikod.net> wrote:
> > On Sat, Jan 04, 2025 at 08:23:52PM -0500, Paul Moore wrote:
> > > On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net> wrote:
> > > >
> > > > Add audit support to socket_bind and socket_connect hooks.
> > > >
> > > > Audit event sample:
> > > >
> > > > type=LL_DENY [...]: domain=195ba459b blockers=net_connect_tcp daddr=127.0.0.1 dest=80
> > >
> > > The destination address and port is already captured in the SOCKADDR
> > > record for bind() and connect(), please don't duplicate it here.
> >
> > This does not show up when a connect or bind is denied. I guess this is
> > because move_addr_to_kernel() is called at syscall entry when there is
> > no context, whereas a Landlock denial is created after that. For this
> > to work, users would have to log a list of syscalls, which would not be
> > usable (nor reliably maintainable) for most users.
>
> Quick question, can you share the audit filter configuration you are
> using on your dev/test systems (just dump /etc/audit/audit.rules,
> unless you are doing it by hand)?
This file only contains a comment. auditctl -l says that there is no
rules.
>
> One can make an argument that if syscall auditing is being explicitly
> denied, then the user has decided that the syscall related information
> is not important to them. I'm somewhat conflicted on that argument,
> but I believe the argument is at least valid.
I did not disable syscall auditing, I get the type=SYSCALL record for
every Landlock deny event, but there is no SOCKADDR one. For instance:
type=UNKNOWN[1423] msg=audit(1736258533.147:45): domain=190464446 blockers=net.connect_tcp daddr=127.0.0.1 dest=80
type=UNKNOWN[1424] msg=audit(1736258533.147:45): domain=190464446 creation=1736258533.135 pid=359 uid=0 exe="/root/sandboxer" comm="sandboxer"UID="root"
type=SYSCALL msg=audit(1736258533.147:45): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=5647c6a26b98 a2=10 a3=7ffd2f5f6acc items=0 ppid=356 pid=359 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="curl" exe="/usr/bin/curl" key=(null)ARCH=x86_64 SYSCALL=connect AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1736258533.147:45): proctitle=6375726C00687474703A2F2F3132372E31
type=UNKNOWN[1425] msg=audit(1736258533.199:46): domain=190464446
>
> > I guess this might be different with io_uring too.
>
> There are other issues with SOCKADDR and io_uring related to how
> io_uring wants to separate the work into different execution contexts.
> In general I wouldn't spend too much time worrying about auditing and
> io_uring right now, there are some general issues that need to be
> resolved in io_uring/audit that are much larger than just Landlock's
> audit usage.
OK. Anyway, my understanding is that SOCKADDR is just a way to enrich
the syscall record to ease debugging or tracing. In the case of an
access control, we want to identify an object/subject, and each LSM may
have a different way to identify such an object, and this description
should be enough to identify the relevant part of the object.
next prev parent reply other threads:[~2025-01-07 14:17 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-22 14:33 [PATCH v3 00/23] Landlock audit support Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 01/23] lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set Mickaël Salaün
2025-01-04 16:47 ` [PATCH v3 1/23] " Paul Moore
2024-11-22 14:33 ` [PATCH v3 02/23] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2025-01-05 1:23 ` [PATCH v3 2/23] " Paul Moore
2024-11-22 14:33 ` [PATCH v3 03/23] landlock: Factor out check_access_path() Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 04/23] landlock: Add unique ID generator Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 05/23] landlock: Move access types Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 06/23] landlock: Simplify initially denied access rights Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 07/23] landlock: Move domain hierarchy management Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 08/23] landlock: Log ptrace denials Mickaël Salaün
2024-12-20 14:36 ` Francis Laniel
2024-12-24 14:48 ` Mickaël Salaün
2025-01-05 1:23 ` [PATCH v3 8/23] " Paul Moore
2025-01-06 14:45 ` Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 09/23] audit: Add a new audit_get_ctime() helper Mickaël Salaün
2025-01-05 1:23 ` [PATCH v3 9/23] " Paul Moore
2024-11-22 14:33 ` [PATCH v3 10/23] landlock: Log domain properties and release Mickaël Salaün
2025-01-05 1:23 ` Paul Moore
2025-01-06 14:51 ` Mickaël Salaün
2025-01-06 21:56 ` Paul Moore
2025-01-07 14:16 ` Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 11/23] landlock: Log mount-related denials Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 12/23] landlock: Align partial refer access checks with final ones Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 13/23] selftests/landlock: Add test to check partial access in a mount tree Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 14/23] landlock: Optimize file path walks and prepare for audit support Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 15/23] landlock: Log file-related denials Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 16/23] landlock: Log truncate and ioctl denials Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 17/23] landlock: Log TCP bind and connect denials Mickaël Salaün
2025-01-05 1:23 ` Paul Moore
2025-01-06 14:51 ` Mickaël Salaün
2025-01-06 22:29 ` Paul Moore
2025-01-07 14:17 ` Mickaël Salaün [this message]
2024-11-22 14:33 ` [PATCH v3 18/23] landlock: Log scoped denials Mickaël Salaün
2025-01-05 1:23 ` Paul Moore
2025-01-06 14:51 ` Mickaël Salaün
2025-01-06 22:33 ` Paul Moore
2025-01-07 14:23 ` Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 19/23] landlock: Control log events with LANDLOCK_RESTRICT_SELF_LOGLESS Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 20/23] samples/landlock: Do not log denials from the sandboxer by default Mickaël Salaün
2024-12-20 14:36 ` Francis Laniel
2024-12-24 14:48 ` Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 21/23] selftests/landlock: Extend tests for landlock_restrict_self()'s flags Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 22/23] selftests/landlock: Add tests for audit Mickaël Salaün
2024-11-22 14:33 ` [PATCH v3 23/23] selftests/landlock: Add audit tests for ptrace Mickaël Salaün
2024-12-20 14:36 ` [PATCH v3 00/23] Landlock audit support Francis Laniel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250107.Amu1eiPohwei@digikod.net \
--to=mic@digikod.net \
--cc=akhna@google.com \
--cc=audit@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=czaffery@roblox.com \
--cc=enlightened@google.com \
--cc=eparis@redhat.com \
--cc=fahimitahera@gmail.com \
--cc=flaniel@linux.microsoft.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=jmorris@namei.org \
--cc=jorgelo@google.com \
--cc=kees@kernel.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mattbobrowski@google.com \
--cc=paul@paul-moore.com \
--cc=phil@nwl.cc \
--cc=prapal@linux.microsoft.com \
--cc=robert.salvet@roblox.com \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.