From: Jeff Xu <jeffxu@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Eric Paris" <eparis@redhat.com>,
"James Morris" <jmorris@namei.org>,
"Paul Moore" <paul@paul-moore.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Ben Scarlato" <akhna@google.com>,
"Günther Noack" <gnoack@google.com>,
"Jorge Lucangeli Obes" <jorgelo@google.com>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Shervin Oloumi" <enlightened@google.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v1 5/7] landlock: Log file-related requests
Date: Mon, 25 Sep 2023 18:26:28 -0700 [thread overview]
Message-ID: <CALmYWFubLv+yd9NWMMwt4FUdYnbghMC=GHeZm4oaSOctqnwbVA@mail.gmail.com> (raw)
In-Reply-To: <20230921061641.273654-6-mic@digikod.net>
On Wed, Sep 20, 2023 at 11:17 PM Mickaël Salaün <mic@digikod.net> wrote:
>
> Add audit support for mkdir, mknod, symlink, unlink, rmdir, truncate,
> and open requests.
>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
> security/landlock/audit.c | 114 ++++++++++++++++++++++++++++++++++++++
> security/landlock/audit.h | 32 +++++++++++
> security/landlock/fs.c | 62 ++++++++++++++++++---
> 3 files changed, 199 insertions(+), 9 deletions(-)
>
> diff --git a/security/landlock/audit.c b/security/landlock/audit.c
> index d9589d07e126..148fc0fafef4 100644
> --- a/security/landlock/audit.c
> +++ b/security/landlock/audit.c
> @@ -14,6 +14,25 @@
>
> atomic64_t ruleset_and_domain_counter = ATOMIC64_INIT(0);
>
> +static const char *op_to_string(enum landlock_operation operation)
> +{
> + const char *const desc[] = {
> + [0] = "",
> + [LANDLOCK_OP_MKDIR] = "mkdir",
> + [LANDLOCK_OP_MKNOD] = "mknod",
> + [LANDLOCK_OP_SYMLINK] = "symlink",
> + [LANDLOCK_OP_UNLINK] = "unlink",
> + [LANDLOCK_OP_RMDIR] = "rmdir",
> + [LANDLOCK_OP_TRUNCATE] = "truncate",
> + [LANDLOCK_OP_OPEN] = "open",
> + };
> +
> + if (WARN_ON_ONCE(operation < 0 || operation > ARRAY_SIZE(desc)))
> + return "unknown";
> +
> + return desc[operation];
> +}
> +
> #define BIT_INDEX(bit) HWEIGHT(bit - 1)
>
> static void log_accesses(struct audit_buffer *const ab,
> @@ -141,3 +160,98 @@ void landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset)
> audit_log_format(ab, "op=release-%s %s=%llu", name, name, id);
> audit_log_end(ab);
> }
> +
> +/* Update request.youngest_domain and request.missing_access */
> +static void
> +update_request(struct landlock_request *const request,
> + const struct landlock_ruleset *const domain,
> + const access_mask_t access_request,
> + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> +{
> + const unsigned long access_req = access_request;
> + unsigned long access_bit;
> + long youngest_denied_layer = -1;
> + const struct landlock_hierarchy *node = domain->hierarchy;
> + size_t i;
> +
> + WARN_ON_ONCE(request->youngest_domain);
> + WARN_ON_ONCE(request->missing_access);
> +
> + if (WARN_ON_ONCE(!access_request))
> + return;
> +
> + if (WARN_ON_ONCE(!layer_masks))
> + return;
> +
> + for_each_set_bit(access_bit, &access_req, ARRAY_SIZE(*layer_masks)) {
> + long domain_layer;
> +
> + if (!(*layer_masks)[access_bit])
> + continue;
> +
> + domain_layer = __fls((*layer_masks)[access_bit]);
> +
> + /*
> + * Gets the access rights that are missing from
> + * the youngest (i.e. closest) domain.
> + */
> + if (domain_layer == youngest_denied_layer) {
> + request->missing_access |= BIT_ULL(access_bit);
> + } else if (domain_layer > youngest_denied_layer) {
> + youngest_denied_layer = domain_layer;
> + request->missing_access = BIT_ULL(access_bit);
> + }
> + }
> +
> + WARN_ON_ONCE(!request->missing_access);
> + WARN_ON_ONCE(youngest_denied_layer < 0);
> +
> + /* Gets the nearest domain ID that denies request.missing_access */
> + for (i = domain->num_layers - youngest_denied_layer - 1; i > 0; i--)
> + node = node->parent;
> + request->youngest_domain = node->id;
> +}
> +
> +static void
> +log_request(const int error, struct landlock_request *const request,
> + const struct landlock_ruleset *const domain,
> + const access_mask_t access_request,
> + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> +{
> + struct audit_buffer *ab;
> +
> + if (WARN_ON_ONCE(!error))
> + return;
> + if (WARN_ON_ONCE(!request))
> + return;
> + if (WARN_ON_ONCE(!domain || !domain->hierarchy))
> + return;
> +
> + /* Uses GFP_ATOMIC to not sleep. */
> + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
> + AUDIT_LANDLOCK);
> + if (!ab)
> + return;
> +
> + update_request(request, domain, access_request, layer_masks);
> +
> + log_task(ab);
> + audit_log_format(ab, " domain=%llu op=%s errno=%d missing-fs-accesses=",
> + request->youngest_domain,
> + op_to_string(request->operation), -error);
> + log_accesses(ab, request->missing_access);
> + audit_log_lsm_data(ab, &request->audit);
> + audit_log_end(ab);
> +}
> +
> +// TODO: Make it generic, not FS-centric.
> +int landlock_log_request(
> + const int error, struct landlock_request *const request,
> + const struct landlock_ruleset *const domain,
> + const access_mask_t access_request,
> + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> +{
> + /* No need to log the access request, only the missing accesses. */
> + log_request(error, request, domain, access_request, layer_masks);
> + return error;
> +}
> diff --git a/security/landlock/audit.h b/security/landlock/audit.h
> index bc17dc8ca6f1..8edc68b98fca 100644
> --- a/security/landlock/audit.h
> +++ b/security/landlock/audit.h
> @@ -13,6 +13,23 @@
>
> #include "ruleset.h"
>
> +enum landlock_operation {
> + LANDLOCK_OP_MKDIR = 1,
> + LANDLOCK_OP_MKNOD,
> + LANDLOCK_OP_SYMLINK,
> + LANDLOCK_OP_UNLINK,
> + LANDLOCK_OP_RMDIR,
> + LANDLOCK_OP_TRUNCATE,
> + LANDLOCK_OP_OPEN,
> +};
> +
> +struct landlock_request {
> + const enum landlock_operation operation;
> + access_mask_t missing_access;
> + u64 youngest_domain;
> + struct common_audit_data audit;
> +};
> +
> #ifdef CONFIG_AUDIT
>
> void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset);
> @@ -20,6 +37,12 @@ void landlock_log_restrict_self(struct landlock_ruleset *const domain,
> struct landlock_ruleset *const ruleset);
> void landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset);
>
> +int landlock_log_request(
> + const int error, struct landlock_request *const request,
> + const struct landlock_ruleset *const domain,
> + const access_mask_t access_request,
> + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]);
> +
> #else /* CONFIG_AUDIT */
>
> static inline void
> @@ -38,6 +61,15 @@ landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset)
> {
> }
>
> +static inline int landlock_log_request(
> + const int error, struct landlock_request *const request,
> + const struct landlock_ruleset *const domain,
> + const access_mask_t access_request,
> + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> +{
> + return error;
> +}
> +
> #endif /* CONFIG_AUDIT */
>
> #endif /* _SECURITY_LANDLOCK_AUDIT_H */
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 978e325d8708..104dfb2abc32 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -18,6 +18,7 @@
> #include <linux/kernel.h>
> #include <linux/limits.h>
> #include <linux/list.h>
> +#include <linux/lsm_audit.h>
> #include <linux/lsm_hooks.h>
> #include <linux/mount.h>
> #include <linux/namei.h>
> @@ -30,6 +31,7 @@
> #include <linux/workqueue.h>
> #include <uapi/linux/landlock.h>
>
> +#include "audit.h"
> #include "common.h"
> #include "cred.h"
> #include "fs.h"
> @@ -636,7 +638,8 @@ static bool is_access_to_paths_allowed(
> }
>
> static int current_check_access_path(const struct path *const path,
> - access_mask_t access_request)
> + access_mask_t access_request,
> + struct landlock_request *const request)
> {
> const struct landlock_ruleset *const dom =
> landlock_get_current_domain();
> @@ -650,7 +653,10 @@ static int current_check_access_path(const struct path *const path,
> NULL, 0, NULL, NULL))
> return 0;
>
> - return -EACCES;
> + request->audit.type = LSM_AUDIT_DATA_PATH;
> + request->audit.u.path = *path;
> + return landlock_log_request(-EACCES, request, dom, access_request,
> + &layer_masks);
It might be more readable to let landlock_log_request return void.
Then the code will look like below.
landlock_log_request(-EACCES, request, dom, access_request, &layer_masks);
return -EACCES;
The allow/deny logic will be in this function, i.e. reader
doesn't need to check landlock_log_request's implementation to find
out it never returns 0.
-Jeff
> }
>
> static inline access_mask_t get_mode_access(const umode_t mode)
> @@ -1097,6 +1103,7 @@ static int hook_path_link(struct dentry *const old_dentry,
> const struct path *const new_dir,
> struct dentry *const new_dentry)
> {
> + // TODO: Implement fine-grained audit
> return current_check_refer_path(old_dentry, new_dir, new_dentry, false,
> false);
> }
> @@ -1115,38 +1122,67 @@ static int hook_path_rename(const struct path *const old_dir,
> static int hook_path_mkdir(const struct path *const dir,
> struct dentry *const dentry, const umode_t mode)
> {
> - return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_DIR);
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_MKDIR,
> + };
> +
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_DIR,
> + &request);
> }
>
> static int hook_path_mknod(const struct path *const dir,
> struct dentry *const dentry, const umode_t mode,
> const unsigned int dev)
> {
> - return current_check_access_path(dir, get_mode_access(mode));
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_MKNOD,
> + };
> +
> + return current_check_access_path(dir, get_mode_access(mode), &request);
> }
>
> static int hook_path_symlink(const struct path *const dir,
> struct dentry *const dentry,
> const char *const old_name)
> {
> - return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_SYM);
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_SYMLINK,
> + };
> +
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_SYM,
> + &request);
> }
>
> static int hook_path_unlink(const struct path *const dir,
> struct dentry *const dentry)
> {
> - return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_FILE);
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_UNLINK,
> + };
> +
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_FILE,
> + &request);
> }
>
> static int hook_path_rmdir(const struct path *const dir,
> struct dentry *const dentry)
> {
> - return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_DIR);
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_RMDIR,
> + };
> +
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_DIR,
> + &request);
> }
>
> static int hook_path_truncate(const struct path *const path)
> {
> - return current_check_access_path(path, LANDLOCK_ACCESS_FS_TRUNCATE);
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_TRUNCATE,
> + };
> +
> + return current_check_access_path(path, LANDLOCK_ACCESS_FS_TRUNCATE,
> + &request);
> }
>
> /* File hooks */
> @@ -1199,6 +1235,13 @@ static int hook_file_open(struct file *const file)
> const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
> const struct landlock_ruleset *const dom =
> landlock_get_current_domain();
> + struct landlock_request request = {
> + .operation = LANDLOCK_OP_OPEN,
> + .audit = {
> + .type = LSM_AUDIT_DATA_PATH,
> + .u.path = file->f_path,
> + },
> + };
>
> if (!dom)
> return 0;
> @@ -1249,7 +1292,8 @@ static int hook_file_open(struct file *const file)
> if ((open_access_request & allowed_access) == open_access_request)
> return 0;
>
> - return -EACCES;
> + return landlock_log_request(-EACCES, &request, dom, open_access_request,
> + &layer_masks);
> }
>
> static int hook_file_truncate(struct file *const file)
> --
> 2.42.0
>
next prev parent reply other threads:[~2023-09-26 1:27 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-21 6:16 [RFC PATCH v1 0/7] Landlock audit support Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 1/7] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2023-12-20 21:22 ` Paul Moore
2023-09-21 6:16 ` [RFC PATCH v1 2/7] landlock: Factor out check_access_path() Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 3/7] landlock: Log ruleset creation and release Mickaël Salaün
2023-12-20 21:22 ` Paul Moore
2023-12-21 18:45 ` Mickaël Salaün
2023-12-22 22:42 ` Paul Moore
2023-12-29 17:42 ` Mickaël Salaün
2024-01-05 18:12 ` Mickaël Salaün
2024-01-05 22:13 ` Paul Moore
2023-09-21 6:16 ` [RFC PATCH v1 4/7] landlock: Log domain creation and enforcement Mickaël Salaün
2023-12-20 21:22 ` Paul Moore
2023-12-21 18:45 ` Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 5/7] landlock: Log file-related requests Mickaël Salaün
2023-09-26 1:26 ` Jeff Xu [this message]
2023-09-26 13:35 ` Mickaël Salaün
2023-09-26 21:19 ` Jeff Xu
2023-09-28 15:16 ` Mickaël Salaün
2023-09-28 20:04 ` Jeff Xu
2023-09-29 16:04 ` Mickaël Salaün
2023-09-29 16:33 ` Jeff Xu
2023-12-20 21:22 ` Paul Moore
2023-12-21 18:47 ` Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 6/7] landlock: Log mount-related requests Mickaël Salaün
2023-09-21 6:16 ` [RFC PATCH v1 7/7] landlock: Log ptrace requests Mickaël Salaün
2023-09-26 1:24 ` [RFC PATCH v1 0/7] Landlock audit support Jeff Xu
2023-09-26 16:24 ` Günther Noack
2023-09-29 16:03 ` Mickaël Salaün
2023-09-28 15:27 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALmYWFubLv+yd9NWMMwt4FUdYnbghMC=GHeZm4oaSOctqnwbVA@mail.gmail.com' \
--to=jeffxu@google.com \
--cc=akhna@google.com \
--cc=audit@vger.kernel.org \
--cc=enlightened@google.com \
--cc=eparis@redhat.com \
--cc=gnoack@google.com \
--cc=jmorris@namei.org \
--cc=jorgelo@google.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).