From: Francis Laniel <flaniel@linux.microsoft.com>
To: "Eric Paris" <eparis@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Günther Noack" <gnoack@google.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Mickaël Salaün" <mic@digikod.net>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Ben Scarlato" <akhna@google.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Charles Zaffery" <czaffery@roblox.com>,
"James Morris" <jmorris@namei.org>,
"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
"Jorge Lucangeli Obes" <jorgelo@google.com>,
"Kees Cook" <kees@kernel.org>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Matt Bobrowski" <mattbobrowski@google.com>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Praveen K Paladugu" <prapal@linux.microsoft.com>,
"Robert Salvet" <robert.salvet@roblox.com>,
"Shervin Oloumi" <enlightened@google.com>,
"Song Liu" <song@kernel.org>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v2 12/14] landlock: Log TCP bind and connect denials
Date: Fri, 25 Oct 2024 17:25:45 +0200 [thread overview]
Message-ID: <2345615.iZASKD2KPV@pwmachine> (raw)
In-Reply-To: <20241022161009.982584-13-mic@digikod.net>
Le mardi 22 octobre 2024, 18:10:07 CEST Mickaël Salaün a écrit :
> Add audit support to socket_bind and socket_connect hooks.
>
> Audit record sample:
>
> DENY: domain=4533720601 blockers=net_connect_tcp daddr=127.0.0.1
> dest=80 SYSCALL: arch=c000003e syscall=42 success=no exit=-13 ...
>
> Cc: Günther Noack <gnoack@google.com>
> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Cc: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> Link: https://lore.kernel.org/r/20241022161009.982584-13-mic@digikod.net
> ---
> security/landlock/audit.c | 11 +++++++++
> security/landlock/audit.h | 1 +
> security/landlock/net.c | 52 ++++++++++++++++++++++++++++++++++++---
> 3 files changed, 60 insertions(+), 4 deletions(-)
>
> diff --git a/security/landlock/audit.c b/security/landlock/audit.c
> index 898c95ebe847..c31a4a8719ee 100644
> --- a/security/landlock/audit.c
> +++ b/security/landlock/audit.c
> @@ -41,6 +41,12 @@ static const char *const fs_access_strings[] = {
> };
> static_assert(ARRAY_SIZE(fs_access_strings) == LANDLOCK_NUM_ACCESS_FS);
>
> +static const char *const net_access_strings[] = {
> + [BIT_INDEX(LANDLOCK_ACCESS_NET_BIND_TCP)] = "net_bind_tcp",
> + [BIT_INDEX(LANDLOCK_ACCESS_NET_CONNECT_TCP)] = "net_connect_tcp",
> +};
> +static_assert(ARRAY_SIZE(net_access_strings) == LANDLOCK_NUM_ACCESS_NET);
> +
> static __attribute_const__ const char *
> get_blocker(const enum landlock_request_type type,
> const unsigned long access_bit)
> @@ -58,6 +64,11 @@ get_blocker(const enum landlock_request_type type,
> if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(fs_access_strings)))
> return "unknown";
> return fs_access_strings[access_bit];
> +
> + case LANDLOCK_REQUEST_NET_ACCESS:
> + if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings)))
> + return "unknown";
> + return net_access_strings[access_bit];
> }
>
> WARN_ON_ONCE(1);
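Review bot: The new LANDLOCK_REQUEST_NET_ACCESS arm bounds-checks `access_bit` but not the table entry itself, and the static_assert in the previous hunk only pins the array length (highest designated index + 1), so a future access right that leaves a gap in BIT_INDEX coverage would pass the assert and make get_blocker() return NULL rather than "unknown" (the kernel's %s formatter would most likely render it as "(null)"). The fs arm above has the same shape, so this is an inherited pattern rather than a new regression, but the net table is what this patch introduces. A cheap hardening is `if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings) || !net_access_strings[access_bit]))` in front of the existing `return "unknown";`. get_blocker() continues past the hunk (its trailing WARN_ON_ONCE(1) fallback is outside it).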
> diff --git a/security/landlock/audit.h b/security/landlock/audit.h
> index 320394fd6b84..1075b0c8401f 100644
> --- a/security/landlock/audit.h
> +++ b/security/landlock/audit.h
> @@ -18,6 +18,7 @@ enum landlock_request_type {
> LANDLOCK_REQUEST_PTRACE = 1,
> LANDLOCK_REQUEST_FS_CHANGE_LAYOUT,
> LANDLOCK_REQUEST_FS_ACCESS,
> + LANDLOCK_REQUEST_NET_ACCESS,
> };
>
> /*
> diff --git a/security/landlock/net.c b/security/landlock/net.c
> index 27872d0f7e11..c21afd6e0b4d 100644
> --- a/security/landlock/net.c
> +++ b/security/landlock/net.c
> @@ -7,10 +7,12 @@
> */
>
> #include <linux/in.h>
> +#include <linux/lsm_audit.h>
> #include <linux/net.h>
> #include <linux/socket.h>
> #include <net/ipv6.h>
>
> +#include "audit.h"
> #include "common.h"
> #include "cred.h"
> #include "limits.h"
> @@ -56,6 +58,10 @@ static int current_check_access_socket(struct socket
> *const sock, };
> const struct landlock_ruleset *const dom =
> landlock_match_ruleset(landlock_get_current_domain(), any_net);
> + struct lsm_network_audit audit_net = {};
> + struct landlock_request request = {
> + .type = LANDLOCK_REQUEST_NET_ACCESS,
> + };
>
> if (!dom)
> return 0;
> @@ -72,18 +78,49 @@ static int current_check_access_socket(struct socket
> *const sock,
>
> switch (address->sa_family) {
> case AF_UNSPEC:
> - case AF_INET:
> + case AF_INET: {
> + const struct sockaddr_in *addr4;
> +
> if (addrlen < sizeof(struct sockaddr_in))
> return -EINVAL;
> - port = ((struct sockaddr_in *)address)->sin_port;
> +
> + addr4 = (struct sockaddr_in *)address;
> + port = addr4->sin_port;
> +
> + if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
> + audit_net.dport = port;
> + audit_net.v4info.daddr = addr4->sin_addr.s_addr;
> + } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
> + audit_net.sport = port;
> + audit_net.v4info.saddr = addr4->sin_addr.s_addr;
> + } else {
> + WARN_ON_ONCE(1);
> + }
> break;
> + }
>
> #if IS_ENABLED(CONFIG_IPV6)
> - case AF_INET6:
> + case AF_INET6: {
> + const struct sockaddr_in6 *addr6;
> +
> if (addrlen < SIN6_LEN_RFC2133)
> return -EINVAL;
> - port = ((struct sockaddr_in6 *)address)->sin6_port;
> +
> + addr6 = (struct sockaddr_in6 *)address;
> + port = addr6->sin6_port;
> + audit_net.v6info.saddr = addr6->sin6_addr;
This assigns v6info.saddr for every access_request (and it is assigned again in the bind branch just below), whereas the IPv4 arm only fills saddr for bind — is that asymmetry intentional?
> +
> + if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
> + audit_net.dport = port;
> + audit_net.v6info.daddr = addr6->sin6_addr;
> + } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
> + audit_net.sport = port;
> + audit_net.v6info.saddr = addr6->sin6_addr;
> + } else {
> + WARN_ON_ONCE(1);
> + }
> break;
> + }
> #endif /* IS_ENABLED(CONFIG_IPV6) */
>
> default:
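Review bot: The connect/bind dispatch that fills `audit_net.dport` / `audit_net.sport` is spelled out twice, once per address family, even though `port` is already the family-independent variable both arms assign; only the address copy genuinely differs between AF_INET and AF_INET6. As a style point, the arms could keep just the `v4info`/`v6info` address assignments and the port could be set once from `port` after the switch — provided the AF_UNSPEC early-return handling that presumably sits between the switch and the final audit fill (outside this hunk) does not need the port earlier. The `else { WARN_ON_ONCE(1); }` fallbacks would then also collapse into one. current_check_access_socket() starts before and ends after this hunk.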
> @@ -152,6 +189,13 @@ static int current_check_access_socket(struct socket
> *const sock, ARRAY_SIZE(layer_masks)))
> return 0;
>
> + audit_net.family = address->sa_family;
> + request.audit.type = LSM_AUDIT_DATA_NET;
> + request.audit.u.net = &audit_net;
> + request.access = access_request;
> + request.layer_masks = &layer_masks;
> + request.layer_masks_size = ARRAY_SIZE(layer_masks);
> + landlock_log_denial(dom, &request);
> return -EACCES;
> }
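Review bot: `audit_net.family = address->sa_family;` forwards AF_UNSPEC unchanged, yet the switch earlier in the function folds AF_UNSPEC into the AF_INET arm and fills `v4info`; if a denial can still be reached with an AF_UNSPEC address (the AF_UNSPEC bind handling lives between the switch and this hunk, outside it, so this is inferred), the record would carry family=AF_UNSPEC and — assuming the common LSM audit dumper only prints addresses for AF_INET/AF_INET6 — no saddr/src at all. If that path is reachable, `audit_net.family = address->sa_family == AF_UNSPEC ? AF_INET : address->sa_family;` keeps the address in the record; if it is not, a one-line comment saying why AF_UNSPEC cannot reach here would spare the next reader the check. current_check_access_socket() begins before this hunk.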