From: Mickaël Salaün
To: Eric Paris, Paul Moore, Günther Noack, "Serge E. Hallyn"
Cc: Mickaël Salaün, Ben Scarlato, Casey Schaufler, Charles Zaffery, Daniel Burgener, Francis Laniel, James Morris, Jann Horn, Jeff Xu, Jorge Lucangeli Obes, Kees Cook, Konstantin Meskhidze, Matt Bobrowski, Mikhail Ivanov, Phil Sutter, Praveen K Paladugu, Robert Salvet, Shervin Oloumi, Song Liu, Tahera Fahimi, Tyler Hicks, audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v5 24/24] landlock: Add audit documentation
Date: Fri, 31 Jan 2025 17:30:59 +0100
Message-ID: <20250131163059.1139617-25-mic@digikod.net>
In-Reply-To: <20250131163059.1139617-1-mic@digikod.net>
References: <20250131163059.1139617-1-mic@digikod.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Because audit is dedicated to the system administrator, create a new entry in Documentation/admin-guide/LSM. Extend other Landlock documentation pages with this new one.

Cc: Günther Noack
Cc: Paul Moore
Signed-off-by: Micka=C3=ABl Sala=C3=BCn Link: https://lore.kernel.org/r/20250131163059.1139617-25-mic@digikod.net --- Changes since v4: - New patch. --- Documentation/admin-guide/LSM/index.rst | 1 + Documentation/admin-guide/LSM/landlock.rst | 157 +++++++++++++++++++++ Documentation/security/landlock.rst | 7 + Documentation/userspace-api/landlock.rst | 7 + MAINTAINERS | 1 + 5 files changed, 173 insertions(+) create mode 100644 Documentation/admin-guide/LSM/landlock.rst diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-= guide/LSM/index.rst index ce63be6d64ad..b44ef68f6e4d 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -48,3 +48,4 @@ subdirectories. Yama SafeSetID ipe + landlock diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/adm= in-guide/LSM/landlock.rst new file mode 100644 index 000000000000..d69245ee236a --- /dev/null +++ b/Documentation/admin-guide/LSM/landlock.rst 
@@ -0,0 +1,157 @@ +.. SPDX-License-Identifier: GPL-2.0 +.. Copyright =C2=A9 2025 Microsoft Corporation + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D +Landlock: system-wide management +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D + +:Author: Micka=C3=ABl Sala=C3=BCn +:Date: January 2025 + +Landlock can leverage the audit framework to log events. + +User space documentation can be found here: +Documentation/userspace-api/landlock.rst. + +Audit +=3D=3D=3D=3D=3D + +Denied access requests are logged by default if `audit` is enabled. Progr= ams +may opt-out with the ``LANDLOCK_RESTRICT_SELF_QUIET`` flag (cf. +Documentation/userspace-api/landlock.rst). Landlock logs can also be mask= ed +thanks to audit rules. Landlock can generate 2 audit record types. + +Record types +------------ + +AUDIT_LANDLOCK_ACCESS + This record type identifies a denied access request to a kernel resour= ce. + The ``domain`` field indicates the ID of the domain which blocked the + request. The ``blockers`` field indicates the cause(s) of this denial + (separated by a comma), and the following fields identify the kernel o= bject + (similar to SELinux). There may be more than one of this record type = per + audit event. + + Example with a file link request generating two records in the same ev= ent:: + + domain=3D195ba459b blockers=3Dfs.refer path=3D"/usr/bin" dev=3D"vd= a2" ino=3D351 + domain=3D195ba459b blockers=3Dfs.make_reg,fs.refer path=3D"/usr/lo= cal" dev=3D"vda2" ino=3D365 + +AUDIT_LANDLOCK_DOMAIN + This record type describes the status of a Landlock domain. The ``sta= tus`` + field can be either ``allocated`` or ``deallocated``. + + The ``allocated`` status is part of the same audit event and follows + the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain. 
It ide= ntifies + Landlock domain information at the time of the sys_landlock_restrict_s= elf() + call with the following fields: + + - the ``domain`` ID + - the enforcement ``mode`` + - the domain creator's ``pid`` + - the domain creator's ``uid`` + - the domain creator's executable path (``exe``) + - the domain creator's command line (``comm``) + + Example:: + + domain=3D195ba459b status=3Dallocated mode=3Denforcing pid=3D300 u= id=3D0 exe=3D"/root/sandboxer" comm=3D"sandboxer" + + The ``deallocated`` status is an event on its own and it identifies a + Landlock domain release. After such event, it is guarantee that the + related domain ID will never be reused during the lifetime of the syst= em. + The ``domain`` field indicates the ID of the domain which is released,= and + the ``denials`` field indicates the total number of denied access requ= est, + which might not have been logged according to the audit rules and + sys_landlock_restrict_self()'s flags. + + Example:: + + domain=3D195ba459b status=3Ddeallocated denials=3D3 + + +Event samples +-------------- + +Here are two examples of log events (see serial numbers). + +In this example a sandboxed program (``kill``) tries to send a signal to t= he +init process, which is denied because of the signal scoping restriction +(``LL_SCOPED=3Ds``):: + + $ LL_FS_RO=3D/ LL_FS_RW=3D/ LL_SCOPED=3Ds LL_FORCE_LOG=3D1 ./sandboxer k= ill 1 + +This command generates two events, each identified with a unique serial +number following a timestamp (``msg=3Daudit(1729738800.268:30)``). The fi= rst +event (serial ``30``) contains 4 records. The first record +(``type=3DLANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc6= 6f`. +The cause of this denial is signal scopping restriction +(``blockers=3Dscope.signal``). The process that would have receive this s= ignal +is the init process (``opid=3D1 ocomm=3D"systemd"``). + +The second record (``type=3DLANDLOCK_DOMAIN``) describes (``status=3Dalloc= ated``) +domain `1a6fdc66f`. 
This domain was created by process ``286`` executing = the +``/root/sandboxer`` program launched by the root user. + +The third record (``type=3DSYSCALL``) describes the syscall, its provided +arguments, its result (``success=3Dno exit=3D-1``), and the process that c= alled it. + +The fourth record (``type=3DPROCTITLE``) shows the command's name as an +hexadecimal value. This can be translated with ``python -c +'print(bytes.fromhex("6B696C6C0031"))'``. + +Finally, the last record (``type=3DLANDLOCK_DOMAIN``) is also the only one= from +the second event (serial ``31``). It is not tied to a direct user space a= ction +but an asynchronous one to free resources tied to a Landlock domain +(``status=3Ddeallocated``). This can be useful to know that the following= logs +will not concern the domain ``1a6fdc66f`` anymore. This record also summa= rize +the number of requests this domain denied (``denials=3D1``), whether they = were +logged or not. + +.. code-block:: + + type=3DLANDLOCK_ACCESS msg=3Daudit(1729738800.268:30): domain=3D1a6fdc66= f blockers=3Dscope.signal opid=3D1 ocomm=3D"systemd" + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.268:30): domain=3D1a6fdc66= f status=3Dallocated mode=3Denforcing pid=3D286 uid=3D0 exe=3D"/root/sandbo= xer" comm=3D"sandboxer" + type=3DSYSCALL msg=3Daudit(1729738800.268:30): arch=3Dc000003e syscall= =3D62 success=3Dno exit=3D-1 [..] ppid=3D272 pid=3D286 auid=3D0 uid=3D0 gid= =3D0 [...] comm=3D"kill" [...] 
+ type=3DPROCTITLE msg=3Daudit(1729738800.268:30): proctitle=3D6B696C6C0031 + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.324:31): domain=3D1a6fdc66= f status=3Ddeallocated denials=3D1 + +Here is another example showcasing filesystem access control:: + + $ LL_FS_RO=3D/ LL_FS_RW=3D/tmp LL_FORCE_LOG=3D1 ./sandboxer sh -c "echo = > /etc/passwd" + +The related audit logs contains 8 records from 3 different events (serials= 33, +34 and 35) created by the same domain `1a6fdc679`:: + + type=3DLANDLOCK_ACCESS msg=3Daudit(1729738800.221:33): domain=3D1a6fdc67= 9 blockers=3Dfs.write_file path=3D"/dev/tty" dev=3D"devtmpfs" ino=3D9 + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.221:33): domain=3D1a6fdc67= 9 status=3Dallocated mode=3Denforcing pid=3D289 uid=3D0 exe=3D"/root/sandbo= xer" comm=3D"sandboxer" + type=3DSYSCALL msg=3Daudit(1729738800.221:33): arch=3Dc000003e syscall= =3D257 success=3Dno exit=3D-13 [...] ppid=3D272 pid=3D289 auid=3D0 uid=3D0 = gid=3D0 [...] comm=3D"sh" [...] + type=3DPROCTITLE msg=3Daudit(1729738800.221:33): proctitle=3D7368002D630= 06563686F203E202F6574632F706173737764 + type=3DLANDLOCK_ACCESS msg=3Daudit(1729738800.221:34): domain=3D1a6fdc67= 9 blockers=3Dfs.write_file path=3D"/etc/passwd" dev=3D"vda2" ino=3D143821 + type=3DSYSCALL msg=3Daudit(1729738800.221:34): arch=3Dc000003e syscall= =3D257 success=3Dno exit=3D-13 [...] ppid=3D272 pid=3D289 auid=3D0 uid=3D0 = gid=3D0 [...] comm=3D"sh" [...] + type=3DPROCTITLE msg=3Daudit(1729738800.221:34): proctitle=3D7368002D630= 06563686F203E202F6574632F706173737764 + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.261:35): domain=3D1a6fdc67= 9 status=3Ddeallocated denials=3D2 + + +Event filtering +--------------- + +If you get spammed with audit logs related to Landlock, this is either an +attack attempt or a bug in the security policy. 
We can put in place some +filters to limit noise with two complementary ways: + +- with sys_landlock_restrict_self()'s flags if we can fix the sandboxed + programs, +- or with audit rules (see :manpage:`auditctl(8)`). + +Additional documentation +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +* `Linux Audit Documentation`_ +* Documentation/userspace-api/landlock.rst +* Documentation/security/landlock.rst +* https://landlock.io + +.. Links +.. _Linux Audit Documentation: + https://github.com/linux-audit/audit-documentation/wiki diff --git a/Documentation/security/landlock.rst b/Documentation/security/l= andlock.rst index 59ecdb1c0d4d..fe04c1b4d9d8 100644 --- a/Documentation/security/landlock.rst +++ b/Documentation/security/landlock.rst @@ -124,6 +124,13 @@ makes the reasoning much easier and helps avoid pitfal= ls. .. kernel-doc:: security/landlock/ruleset.h :identifiers: =20 +Additional documentation +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +* Documentation/userspace-api/landlock.rst +* Documentation/admin-guide/LSM/landlock.rst +* https://landlock.io + .. Links .. _tools/testing/selftests/landlock/: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/t= ools/testing/selftests/landlock/ diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/users= pace-api/landlock.rst index a7c1ebef2c79..4009179665c9 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst 
@@ -683,9 +683,16 @@ fine-grained restrictions). Moreover, their complexit= y can lead to security issues, especially when untrusted processes can manipulate them (cf. `Controlling access to user namespaces `= _). =20 +How to disable Landlock audit records? +-------------------------------------- + +You might want to put in place filters as explained here: +Documentation/admin-guide/LSM/landlock.rst + Additional documentation =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 +* Documentation/admin-guide/LSM/landlock.rst * Documentation/security/landlock.rst * https://landlock.io =20 diff --git a/MAINTAINERS b/MAINTAINERS index d1086e53a317..70712e823d4c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -13066,6 +13066,7 @@ L: linux-security-module@vger.kernel.org S: Supported W: https://landlock.io T: git https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git +F: Documentation/admin-guide/LSM/landlock.rst F: Documentation/security/landlock.rst F: Documentation/userspace-api/landlock.rst F: fs/ioctl.c --=20 2.48.1
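Review bot: The new Documentation/admin-guide/LSM/landlock.rst has several grammar slips in the "Record types" and "Event samples" prose that should be fixed before merge: "signal scopping restriction" should read "signal scoping restriction", "would have receive this signal" should read "would have received this signal", "it is guarantee that" should read "it is guaranteed that", "total number of denied access request" should read "requests", "This record also summarize" should read "summarizes", "The related audit logs contains 8 records" should read "contain", "as an hexadecimal value" should read "as a hexadecimal value", and "may opt-out" should read "may opt out". Markup is also inconsistent: domain IDs appear with single backticks in "denied by the domain `1a6fdc66f`" and "the same domain `1a6fdc679`" but with double backticks in "the domain ``1a6fdc66f``"; in Sphinx the single-backtick default role renders as emphasis rather than a literal, so use ``...`` throughout (the same applies to `audit` in "if `audit` is enabled"). Finally, the "Event filtering" section says noise can be limited "with sys_landlock_restrict_self()'s flags" and "with audit rules (see :manpage:`auditctl(8)`)" but names neither the LANDLOCK_RESTRICT_SELF_QUIET flag introduced earlier in the same file nor a concrete rule; restating the flag name there and adding one exclude-filter example keyed on the record types documented above (auditctl's "-a never,exclude -F msgtype=..." form, e.g. with LANDLOCK_ACCESS once audit-userspace knows the new type names) would make the section actionable for administrators.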
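Review bot: The new FAQ entry "How to disable Landlock audit records?" in Documentation/userspace-api/landlock.rst only points readers to the admin guide, while the admin guide's Audit section sends them back here for the program-side option ("may opt-out with the ``LANDLOCK_RESTRICT_SELF_QUIET`` flag (cf. Documentation/userspace-api/landlock.rst)"), so a developer following either link lands on a reference to the other document. The answer should state the developer-facing mechanism directly, that passing LANDLOCK_RESTRICT_SELF_QUIET to sys_landlock_restrict_self() stops the resulting domain from logging its denied requests, and leave the audit-rule filtering to the admin guide it already links; also terminate "You might want to put in place filters as explained here: Documentation/admin-guide/LSM/landlock.rst" with a period so the paragraph is a complete sentence.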