From: Mickaël Salaün
To: Eric Paris, Paul Moore, Günther Noack, "Serge E. Hallyn"
Cc: Mickaël Salaün, Ben Scarlato, Casey Schaufler, Charles Zaffery, Daniel Burgener, Francis Laniel, James Morris, Jann Horn, Jeff Xu, Jorge Lucangeli Obes, Kees Cook, Konstantin Meskhidze, Matt Bobrowski, Matthieu Buffet, Mikhail Ivanov, Phil Sutter, Praveen K Paladugu, Robert Salvet, Shervin Oloumi, Song Liu, Tahera Fahimi, Tingmao Wang, Tyler Hicks, audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v7 28/28] landlock: Add audit documentation
Date: Thu, 20 Mar 2025 20:07:17 +0100
Message-ID: <20250320190717.2287696-29-mic@digikod.net>
In-Reply-To: <20250320190717.2287696-1-mic@digikod.net>
References: <20250320190717.2287696-1-mic@digikod.net>

Because audit is dedicated to the system administrator, create a new entry in Documentation/admin-guide/LSM. Extend other Landlock documentation pages with this new one. Extend UAPI with the new log flags. Extend the guiding principles with logs.

Cc: Günther Noack
Cc: Paul Moore
Signed-off-by: Micka=C3=ABl Sala=C3=BCn --- Changes since v6: - Extend UAPI with ABI v7. Changes since v5: - Extend the guiding principles with logs. Changes since v4: - New patch. --- Documentation/admin-guide/LSM/index.rst | 1 + Documentation/admin-guide/LSM/landlock.rst | 158 +++++++++++++++++++++ Documentation/security/landlock.rst | 13 +- Documentation/userspace-api/landlock.rst | 17 +++ MAINTAINERS | 1 + 5 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 Documentation/admin-guide/LSM/landlock.rst diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-= guide/LSM/index.rst index ce63be6d64ad..b44ef68f6e4d 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -48,3 +48,4 @@ subdirectories. Yama SafeSetID ipe + landlock diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/adm= in-guide/LSM/landlock.rst new file mode 100644 index 000000000000..9e61607def08 --- /dev/null +++ b/Documentation/admin-guide/LSM/landlock.rst 
@@ -0,0 +1,158 @@ +.. SPDX-License-Identifier: GPL-2.0 +.. Copyright =C2=A9 2025 Microsoft Corporation + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D +Landlock: system-wide management +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D + +:Author: Micka=C3=ABl Sala=C3=BCn +:Date: March 2025 + +Landlock can leverage the audit framework to log events. + +User space documentation can be found here: +Documentation/userspace-api/landlock.rst. + +Audit +=3D=3D=3D=3D=3D + +Denied access requests are logged by default for a sandboxed program if `a= udit` +is enabled. This default behavior can be changed with the +sys_landlock_restrict_self() flags (cf. +Documentation/userspace-api/landlock.rst). Landlock logs can also be mask= ed +thanks to audit rules. Landlock can generate 2 audit record types. + +Record types +------------ + +AUDIT_LANDLOCK_ACCESS + This record type identifies a denied access request to a kernel resour= ce. + The ``domain`` field indicates the ID of the domain that blocked the + request. The ``blockers`` field indicates the cause(s) of this denial + (separated by a comma), and the following fields identify the kernel o= bject + (similar to SELinux). There may be more than one of this record type = per + audit event. + + Example with a file link request generating two records in the same ev= ent:: + + domain=3D195ba459b blockers=3Dfs.refer path=3D"/usr/bin" dev=3D"vd= a2" ino=3D351 + domain=3D195ba459b blockers=3Dfs.make_reg,fs.refer path=3D"/usr/lo= cal" dev=3D"vda2" ino=3D365 + +AUDIT_LANDLOCK_DOMAIN + This record type describes the status of a Landlock domain. The ``sta= tus`` + field can be either ``allocated`` or ``deallocated``. + + The ``allocated`` status is part of the same audit event and follows + the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain. 
It ide= ntifies + Landlock domain information at the time of the sys_landlock_restrict_s= elf() + call with the following fields: + + - the ``domain`` ID + - the enforcement ``mode`` + - the domain creator's ``pid`` + - the domain creator's ``uid`` + - the domain creator's executable path (``exe``) + - the domain creator's command line (``comm``) + + Example:: + + domain=3D195ba459b status=3Dallocated mode=3Denforcing pid=3D300 u= id=3D0 exe=3D"/root/sandboxer" comm=3D"sandboxer" + + The ``deallocated`` status is an event on its own and it identifies a + Landlock domain release. After such event, it is guarantee that the + related domain ID will never be reused during the lifetime of the syst= em. + The ``domain`` field indicates the ID of the domain which is released,= and + the ``denials`` field indicates the total number of denied access requ= est, + which might not have been logged according to the audit rules and + sys_landlock_restrict_self()'s flags. + + Example:: + + domain=3D195ba459b status=3Ddeallocated denials=3D3 + + +Event samples +-------------- + +Here are two examples of log events (see serial numbers). + +In this example a sandboxed program (``kill``) tries to send a signal to t= he +init process, which is denied because of the signal scoping restriction +(``LL_SCOPED=3Ds``):: + + $ LL_FS_RO=3D/ LL_FS_RW=3D/ LL_SCOPED=3Ds LL_FORCE_LOG=3D1 ./sandboxer k= ill 1 + +This command generates two events, each identified with a unique serial +number following a timestamp (``msg=3Daudit(1729738800.268:30)``). The fi= rst +event (serial ``30``) contains 4 records. The first record +(``type=3DLANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc6= 6f`. +The cause of this denial is signal scopping restriction +(``blockers=3Dscope.signal``). The process that would have receive this s= ignal +is the init process (``opid=3D1 ocomm=3D"systemd"``). + +The second record (``type=3DLANDLOCK_DOMAIN``) describes (``status=3Dalloc= ated``) +domain `1a6fdc66f`. 
This domain was created by process ``286`` executing = the +``/root/sandboxer`` program launched by the root user. + +The third record (``type=3DSYSCALL``) describes the syscall, its provided +arguments, its result (``success=3Dno exit=3D-1``), and the process that c= alled it. + +The fourth record (``type=3DPROCTITLE``) shows the command's name as an +hexadecimal value. This can be translated with ``python -c +'print(bytes.fromhex("6B696C6C0031"))'``. + +Finally, the last record (``type=3DLANDLOCK_DOMAIN``) is also the only one= from +the second event (serial ``31``). It is not tied to a direct user space a= ction +but an asynchronous one to free resources tied to a Landlock domain +(``status=3Ddeallocated``). This can be useful to know that the following= logs +will not concern the domain ``1a6fdc66f`` anymore. This record also summa= rize +the number of requests this domain denied (``denials=3D1``), whether they = were +logged or not. + +.. code-block:: + + type=3DLANDLOCK_ACCESS msg=3Daudit(1729738800.268:30): domain=3D1a6fdc66= f blockers=3Dscope.signal opid=3D1 ocomm=3D"systemd" + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.268:30): domain=3D1a6fdc66= f status=3Dallocated mode=3Denforcing pid=3D286 uid=3D0 exe=3D"/root/sandbo= xer" comm=3D"sandboxer" + type=3DSYSCALL msg=3Daudit(1729738800.268:30): arch=3Dc000003e syscall= =3D62 success=3Dno exit=3D-1 [..] ppid=3D272 pid=3D286 auid=3D0 uid=3D0 gid= =3D0 [...] comm=3D"kill" [...] 
+ type=3DPROCTITLE msg=3Daudit(1729738800.268:30): proctitle=3D6B696C6C0031 + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.324:31): domain=3D1a6fdc66= f status=3Ddeallocated denials=3D1 + +Here is another example showcasing filesystem access control:: + + $ LL_FS_RO=3D/ LL_FS_RW=3D/tmp LL_FORCE_LOG=3D1 ./sandboxer sh -c "echo = > /etc/passwd" + +The related audit logs contains 8 records from 3 different events (serials= 33, +34 and 35) created by the same domain `1a6fdc679`:: + + type=3DLANDLOCK_ACCESS msg=3Daudit(1729738800.221:33): domain=3D1a6fdc67= 9 blockers=3Dfs.write_file path=3D"/dev/tty" dev=3D"devtmpfs" ino=3D9 + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.221:33): domain=3D1a6fdc67= 9 status=3Dallocated mode=3Denforcing pid=3D289 uid=3D0 exe=3D"/root/sandbo= xer" comm=3D"sandboxer" + type=3DSYSCALL msg=3Daudit(1729738800.221:33): arch=3Dc000003e syscall= =3D257 success=3Dno exit=3D-13 [...] ppid=3D272 pid=3D289 auid=3D0 uid=3D0 = gid=3D0 [...] comm=3D"sh" [...] + type=3DPROCTITLE msg=3Daudit(1729738800.221:33): proctitle=3D7368002D630= 06563686F203E202F6574632F706173737764 + type=3DLANDLOCK_ACCESS msg=3Daudit(1729738800.221:34): domain=3D1a6fdc67= 9 blockers=3Dfs.write_file path=3D"/etc/passwd" dev=3D"vda2" ino=3D143821 + type=3DSYSCALL msg=3Daudit(1729738800.221:34): arch=3Dc000003e syscall= =3D257 success=3Dno exit=3D-13 [...] ppid=3D272 pid=3D289 auid=3D0 uid=3D0 = gid=3D0 [...] comm=3D"sh" [...] + type=3DPROCTITLE msg=3Daudit(1729738800.221:34): proctitle=3D7368002D630= 06563686F203E202F6574632F706173737764 + type=3DLANDLOCK_DOMAIN msg=3Daudit(1729738800.261:35): domain=3D1a6fdc67= 9 status=3Ddeallocated denials=3D2 + + +Event filtering +--------------- + +If you get spammed with audit logs related to Landlock, this is either an +attack attempt or a bug in the security policy. 
We can put in place some +filters to limit noise with two complementary ways: + +- with sys_landlock_restrict_self()'s flags if we can fix the sandboxed + programs, +- or with audit rules (see :manpage:`auditctl(8)`). + +Additional documentation +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +* `Linux Audit Documentation`_ +* Documentation/userspace-api/landlock.rst +* Documentation/security/landlock.rst +* https://landlock.io + +.. Links +.. _Linux Audit Documentation: + https://github.com/linux-audit/audit-documentation/wiki diff --git a/Documentation/security/landlock.rst b/Documentation/security/l= andlock.rst index 59ecdb1c0d4d..e0fc54aff09e 100644 --- a/Documentation/security/landlock.rst +++ b/Documentation/security/landlock.rst @@ -7,7 +7,7 @@ Landlock LSM: kernel documentation =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 :Author: Micka=C3=ABl Sala=C3=BCn -:Date: December 2022 +:Date: March 2025 =20 Landlock's goal is to create scoped access-control (i.e. sandboxing). To harden a whole system, this feature should be available to any process, @@ -45,6 +45,10 @@ Guiding principles for safe access controls sandboxed process shall retain their scoped accesses (at the time of res= ource acquisition) whatever process uses them. Cf. `File descriptor access rights`_. +* Access denials shall be logged according to system and Landlock domain + configurations. Log entries must contain information about the cause of= the + denial and the owner of the related security policy. Such log generation + should have a negligible performance and memory impact on allowed reques= ts. =20 Design choices =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 
@@ -124,6 +128,13 @@ makes the reasoning much easier and helps avoid pitfal= ls. .. kernel-doc:: security/landlock/ruleset.h :identifiers: =20 +Additional documentation +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +* Documentation/userspace-api/landlock.rst +* Documentation/admin-guide/LSM/landlock.rst +* https://landlock.io + .. Links .. _tools/testing/selftests/landlock/: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/t= ools/testing/selftests/landlock/ diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/users= pace-api/landlock.rst index 900171e3c494..1d0c2c15c22e 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -594,6 +594,16 @@ Starting with the Landlock ABI version 6, it is possib= le to restrict :manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the ``scoped`` ruleset attribute. =20 +Logging (ABI < 7) +----------------- + +Starting with the Landlock ABI version 7, it is possible to control loggin= g of +Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`= `, +``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``, and +``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` flags passed to +sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.= rst +for more details on audit. + .. _kernel_support: =20 Kernel support 
@@ -682,9 +692,16 @@ fine-grained restrictions). Moreover, their complexit= y can lead to security issues, especially when untrusted processes can manipulate them (cf. `Controlling access to user namespaces `= _). =20 +How to disable Landlock audit records? +-------------------------------------- + +You might want to put in place filters as explained here: +Documentation/admin-guide/LSM/landlock.rst + Additional documentation =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 +* Documentation/admin-guide/LSM/landlock.rst * Documentation/security/landlock.rst * https://landlock.io =20 diff --git a/MAINTAINERS b/MAINTAINERS index 8e0736dc2ee0..a3aa52e47401 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -13075,6 +13075,7 @@ L: linux-security-module@vger.kernel.org S: Supported W: https://landlock.io T: git https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git +F: Documentation/admin-guide/LSM/landlock.rst F: Documentation/security/landlock.rst F: Documentation/userspace-api/landlock.rst F: fs/ioctl.c --=20 2.49.0
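Review bot: the "Event filtering" section of the new Documentation/admin-guide/LSM/landlock.rst tells the administrator that noise can be limited "with audit rules (see auditctl(8))" or "with sys_landlock_restrict_self()'s flags", but gives neither an example rule nor the flag names, so the page cannot be acted on as written; a one-line auditctl example that matches the LANDLOCK_ACCESS and LANDLOCK_DOMAIN record types shown in the samples above, and a mention of the three LANDLOCK_RESTRICT_SELF_LOG_* flags introduced in the userspace-api hunk of this same patch, would close that gap. Wording fixes in the same file: "signal scopping restriction" should read "signal scoping restriction"; "The process that would have receive this signal" should read "would have received"; "it is guarantee that the related domain ID will never be reused" should read "it is guaranteed"; "After such event" should read "After such an event"; "the total number of denied access request" should read "requests"; "This record also summarize" should read "summarizes"; "shows the command's name as an hexadecimal value" should read "as a hexadecimal value"; "The related audit logs contains 8 records" should read "contain"; and "limit noise with two complementary ways" should read "in two complementary ways". The "Event samples" underline is one character longer than its title, which Sphinx accepts but which differs from the other headings in the file.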
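Review bot: the new "Logging (ABI < 7)" section in Documentation/userspace-api/landlock.rst names LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON and LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF without saying what each one turns off or on, and the page it sends the reader to "for more details on audit" (the admin-guide file added by this same patch) sends them back here for the flags ("This default behavior can be changed with the sys_landlock_restrict_self() flags (cf. Documentation/userspace-api/landlock.rst)"), so neither page states the behaviour a flag changes. Unless the kernel-doc pulled in from include/uapi/linux/landlock.h elsewhere on this page already covers them, one sentence per flag here would break that circular reference.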
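Review bot: the FAQ entry "How to disable Landlock audit records?" answers only with the filters described on the admin-guide page, although this is the userspace-api document and the same patch adds program-side control through the LANDLOCK_RESTRICT_SELF_LOG_* flags a few sections earlier; naming those flags in the answer, and ending the sentence with a period, would make the entry self-contained for a program author who cannot change the system's audit rules.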