From nobody Tue Nov 26 04:49:51 2024 Received: from smtp-8faf.mail.infomaniak.ch (smtp-8faf.mail.infomaniak.ch [83.166.143.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B6EAA1A3BC0 for ; Tue, 22 Oct 2024 16:10:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729613436; cv=none; b=d/uJIdfSVF871qQWbQYBkzCETb2z3N4XZOG70RsObkgjEoM/QiYF9Dn9sLTD8EymKsH0Rl0Prx2eyzqBb5CIH5F0NOHou6tKFqoS7vGen/aZT+TqDkHueQy70fI279rpvv8SFnIH5Whgyf1rhhXyIFbUz+1twULkJVjQn8L0B6s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729613436; c=relaxed/simple; bh=CbChgtXckXk3u1m3Yox0x6RBMdZITj8ROOX7Y3B0368=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=JgAaiVDTzunoriYtUhumk++Hvv0wWebZ0Z+AoGz9SvMXBsAwRKuvqM5iIJf7EuAoyfY/5HgII6bq5MfqtNx1v+dKXr2bnOvjBy8CCD2R3ZTRHPkPRF7HWR/N7AkgdObBfEUFoYchF9YAo9I/CDlv/swQRJZdeC0T4x6LfQ6XczM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=WQstIalo; arc=none smtp.client-ip=83.166.143.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="WQstIalo" Received: from smtp-4-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10:40ca:feff:fe05:1]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4XXxwm1dmRzvm; Tue, 22 Oct 2024 18:10:32 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1729613432; bh=JIkFdcA2MSd0H2lV7JeqWVnBj8kE454w4i9hCEh/p08=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WQstIalo/8jZU1OYFvp0FdW++30j1fOyZZJqdKc1yLUnd0wsDTdEx+HI74LnYwu4m nhF4YH5RCw0nXACPx5pSi93ZxouwgFu/Rqcu+Qn97SA4HTLI82Fb8DwAYoLfo438Wp bRTC/Z4QnTcL2uJzcEZ8sJ6RG4gHCKdOSFXYRkJo= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4XXxwl2w77z1D4; Tue, 22 Oct 2024 18:10:31 +0200 (CEST) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?UTF-8?q?G=C3=BCnther=20Noack?= , "Serge E . Hallyn" Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH v2 09/14] landlock: Log mount-related denials Date: Tue, 22 Oct 2024 18:10:04 +0200 Message-ID: <20241022161009.982584-10-mic@digikod.net> In-Reply-To: <20241022161009.982584-1-mic@digikod.net> References: <20241022161009.982584-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Infomaniak-Routing: alpha Add audit support for sb_mount, move_mount, sb_umount, sb_remount, and sb_pivot_root hooks. Add and use a new landlock_match_layer_level() helper. Audit record sample: DENY: blockers=3Dfs_change_layout name=3D"/" dev=3D"tmpfs" ino=3D1 SYSCALL: arch=3Dc000003e syscall=3D166 success=3Dno exit=3D-1 ... Cc: G=C3=BCnther Noack Signed-off-by: Micka=C3=ABl Sala=C3=BCn Link: https://lore.kernel.org/r/20241022161009.982584-10-mic@digikod.net --- Changes since v2: * Log the domain that denied the action because not all layers block FS layout changes. Changes since v1: * Rebased on the TCP patch series. * Don't log missing permissions, only domain layer, and then remove the permission word (suggested by G=C3=BCnther) --- security/landlock/audit.c | 3 ++ security/landlock/audit.h | 1 + security/landlock/fs.c | 64 ++++++++++++++++++++++++++++++++++--- security/landlock/ruleset.h | 31 ++++++++++++++++++ 4 files changed, 94 insertions(+), 5 deletions(-) diff --git a/security/landlock/audit.c b/security/landlock/audit.c index f5860f396044..4cd9407459d2 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -21,6 +21,9 @@ static const char *get_blocker(const enum landlock_reques= t_type type) switch (type) { case LANDLOCK_REQUEST_PTRACE: return "ptrace"; + + case LANDLOCK_REQUEST_FS_CHANGE_LAYOUT: + return "fs_change_layout"; } =20 WARN_ON_ONCE(1); diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 7a1b1652f21b..6f5ad04b83c2 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -15,6 +15,7 @@ =20 enum landlock_request_type { LANDLOCK_REQUEST_PTRACE =3D 1, + LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, }; =20 /* diff --git a/security/landlock/fs.c b/security/landlock/fs.c index e0e5775b75ae..a099167d2347 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -37,6 +38,7 @@ #include =20 #include "access.h" +#include "audit.h" #include "common.h" #include "cred.h" #include "fs.h" @@ -1308,6 +1310,38 @@ static void hook_sb_delete(struct super_block *const= sb) !atomic_long_read(&landlock_superblock(sb)->inode_refs)); } =20 +static void +log_fs_change_layout_path(const struct landlock_ruleset *const domain, + const struct path *const path) +{ + const struct landlock_request request =3D { + .type =3D LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, + .audit =3D { + .type =3D LSM_AUDIT_DATA_PATH, + .u.path =3D *path, + }, + .layer_plus_one =3D landlock_match_layer_level(domain, any_fs) + 1, + }; + + landlock_log_denial(domain, &request); +} + +static void +log_fs_change_layout_dentry(const struct landlock_ruleset *const domain, + struct dentry *const dentry) +{ + const struct landlock_request request =3D { + .type =3D LANDLOCK_REQUEST_FS_CHANGE_LAYOUT, + .audit =3D { + .type =3D LSM_AUDIT_DATA_DENTRY, + .u.dentry =3D dentry, + }, + .layer_plus_one =3D landlock_match_layer_level(domain, any_fs) + 1, + }; + + landlock_log_denial(domain, &request); +} + /* * Because a Landlock security policy is defined according to the filesyst= em * topology (i.e. the mount namespace), changing it may grant access to fi= les @@ -1330,16 +1364,24 @@ static int hook_sb_mount(const char *const dev_name, const struct path *const path, const char *const type, const unsigned long flags, void *const data) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom =3D get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_path(dom, path); return -EPERM; } =20 static int hook_move_mount(const struct path *const from_path, const struct path *const to_path) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom =3D get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_path(dom, to_path); return -EPERM; } =20 @@ -1349,15 +1391,23 @@ static int hook_move_mount(const struct path *const= from_path, */ static int hook_sb_umount(struct vfsmount *const mnt, const int flags) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom =3D get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_dentry(dom, mnt->mnt_root); return -EPERM; } =20 static int hook_sb_remount(struct super_block *const sb, void *const mnt_o= pts) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom =3D get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_dentry(dom, sb->s_root); return -EPERM; } =20 @@ -1372,8 +1422,12 @@ static int hook_sb_remount(struct super_block *const= sb, void *const mnt_opts) static int hook_sb_pivotroot(const struct path *const old_path, const struct path *const new_path) { - if (!get_current_fs_domain()) + const struct landlock_ruleset *const dom =3D get_current_fs_domain(); + + if (!dom) return 0; + + log_fs_change_layout_path(dom, new_path); return -EPERM; } =20 diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 1fe88027404b..c463ff9a6615 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -278,6 +278,37 @@ landlock_match_ruleset(const struct landlock_ruleset *= const ruleset, return NULL; } =20 +/** + * landlock_match_layer_level - Return the layer level restricting @masks + * + * @ruleset: Landlock ruleset (used as a domain) + * @masks: access masks + * + * Returns: the number of the layer restricting/handling any right of @acc= ess, + * or return 0 (i.e. first layer) otherwise. + */ +static inline size_t +landlock_match_layer_level(const struct landlock_ruleset *const ruleset, + const struct access_masks masks) +{ + const union access_masks_all masks_all =3D { + .masks =3D masks, + }; + size_t layer_level; + + for (layer_level =3D ruleset->num_layers; layer_level >=3D 0; + layer_level--) { + union access_masks_all layer =3D { + .masks =3D ruleset->access_masks[layer_level], + }; + + if (masks_all.all & layer.all) + return layer_level; + } + + return 0; +} + static inline void landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, const access_mask_t fs_access_mask, --=20 2.47.0