From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>,
Paul Moore <paul@paul-moore.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Ben Scarlato <akhna@google.com>, Jeff Xu <jeffxu@google.com>,
Jorge Lucangeli Obes <jorgelo@google.com>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Shervin Oloumi <enlightened@google.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/7] Landlock audit support
Date: Tue, 26 Sep 2023 18:24:32 +0200 [thread overview]
Message-ID: <ZRMFwNzBJyyr85hV@google.com> (raw)
In-Reply-To: <20230921061641.273654-1-mic@digikod.net>
Hi Mickaël!
On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote:
> This patch series adds basic audit support to Landlock for most actions.
> Logging denied requests is useful for different use cases:
> * app developers: to ease and speed up sandboxing support
> * power users: to understand denials
> * sysadmins: to look for users' issues
> * tailored distro maintainers: to get usage metrics from their fleet
> * security experts: to detect attack attempts
>
> To make logs useful, they need to contain the most relevant Landlock
> domain that denied an action, and the reason. This translates to the
> latest nested domain and the related missing access rights.
Is "domain" always the latest nested domain, or is that the domain which caused
the check to fail because it denied the requested access right? (If it is just
the counter of how many domains are stacked, this could maybe also be queried
through proc instead?)
> Two "Landlock permissions" are used to describe mandatory restrictions
> enforced on all domains:
> * fs_layout: change the view of filesystem with mount operations.
> * ptrace: tamper with a process.
I find the term "access" already a bit overloaded, and the term "permission"
also already appears in other contexts. Maybe we can avoid the additional
terminology by grouping these two together in the log format, and calling them
the "cause" or "reason" for the deny decision? In a sense, the access rights
and the other permissions can already be told apart by their names, so they
might also both appear under the same key without causing additional confusion?
> Here is an example of logs, result of the sandboxer activity:
> tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate
> tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0
> op=release-ruleset ruleset=1
> tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9
> tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256
> tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256
> tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1
> tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd"
In more complicated cases like "refer" and "open", it is possible that more than
one access right is missing, and presumably they'll both be listed in
missing-fs-accesses=. In this case, it is not clear to me whether the domain=
number is referring to the first or the second of these missing rights.
(Assuming that the domain= is about the domain which caused the denial.)
> As highlighted in comments, support for audit is not complete yet with
> this series: some actions are not logged (e.g. file reparenting), and
> rule additions are not logged neither.
When ftruncate(2) gets denied, it is also not possible to tell which of the
nested domains is responsible, without additional changes to what we carry
around in the file's security blob. (Right now, we calculate the overall
truncation right in advance at open(2) time, and just store that bit with the
newly opened file.)
> I'm also not sure if we need to have seccomp-like features such as
> SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and
> /proc/sys/kernel/seccomp/actions_logged
>
> I'd like to get some early feedback on this proposal.
If you want to have the full feature set as proposed above for other operations
as well, like file reparenting and truncation, it'll complicate the Landlock
logic and increase the amount of data that needs to be kept around just for
logging. I'm not convinced that this is worth it. After all, the simpler the
Landlock implementation is, the easier it'll be to reason about its logic and
its security guarantees.
A possible simplification would be to omit the domain number which is
responsible for a "deny" decision. I feel that for debugging, knowing the fact
that Landlock denied an operation might already be a big step forward, and the
exact domain responsible for it might not be that important?
—Günther
--
Sent using Mutt 🐕 Woof Woof
next prev parent reply other threads:[~2023-09-26 16:24 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-21 6:16 [RFC PATCH v1 0/7] Landlock audit support Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 1/7] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2023-12-20 21:22 ` Paul Moore
2023-09-21 6:16 ` [RFC PATCH v1 2/7] landlock: Factor out check_access_path() Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 3/7] landlock: Log ruleset creation and release Mickaël Salaün
2023-12-20 21:22 ` Paul Moore
2023-12-21 18:45 ` Mickaël Salaün
2023-12-22 22:42 ` Paul Moore
2023-12-29 17:42 ` Mickaël Salaün
2024-01-05 18:12 ` Mickaël Salaün
2024-01-05 22:13 ` Paul Moore
2023-09-21 6:16 ` [RFC PATCH v1 4/7] landlock: Log domain creation and enforcement Mickaël Salaün
2023-12-20 21:22 ` Paul Moore
2023-12-21 18:45 ` Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 5/7] landlock: Log file-related requests Mickaël Salaün
2023-09-26 1:26 ` Jeff Xu
2023-09-26 13:35 ` Mickaël Salaün
2023-09-26 21:19 ` Jeff Xu
2023-09-28 15:16 ` Mickaël Salaün
2023-09-28 20:04 ` Jeff Xu
2023-09-29 16:04 ` Mickaël Salaün
2023-09-29 16:33 ` Jeff Xu
2023-12-20 21:22 ` Paul Moore
2023-12-21 18:47 ` Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 6/7] landlock: Log mount-related requests Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 7/7] landlock: Log ptrace requests Mickaël Salaün
2023-09-26 1:24 ` [RFC PATCH v1 0/7] Landlock audit support Jeff Xu
2023-09-26 16:24 ` Günther Noack [this message]
2023-09-29 16:03 ` Mickaël Salaün
2023-09-28 15:27 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZRMFwNzBJyyr85hV@google.com \
--to=gnoack@google.com \
--cc=akhna@google.com \
--cc=audit@vger.kernel.org \
--cc=enlightened@google.com \
--cc=eparis@redhat.com \
--cc=jeffxu@google.com \
--cc=jmorris@namei.org \
--cc=jorgelo@google.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox