[RFC PATCH v1 5/7] landlock: Log file-related requests

Mickaël Salaün mic at digikod.net
Thu Dec 21 18:47:40 UTC 2023 

On Wed, Dec 20, 2023 at 04:22:33PM -0500, Paul Moore wrote:
> On Thu, Sep 21, 2023 at 2:17 AM Mickaël Salaün <mic at digikod.net> wrote:
> >
> > Add audit support for mkdir, mknod, symlink, unlink, rmdir, truncate,
> > and open requests.
> >
> > Signed-off-by: Mickaël Salaün <mic at digikod.net>
> > ---
> >  security/landlock/audit.c | 114 ++++++++++++++++++++++++++++++++++++++
> >  security/landlock/audit.h |  32 +++++++++++
> >  security/landlock/fs.c    |  62 ++++++++++++++++++---
> >  3 files changed, 199 insertions(+), 9 deletions(-)
> >
> > diff --git a/security/landlock/audit.c b/security/landlock/audit.c
> > index d9589d07e126..148fc0fafef4 100644
> > --- a/security/landlock/audit.c
> > +++ b/security/landlock/audit.c
> > @@ -14,6 +14,25 @@
> >
> >  atomic64_t ruleset_and_domain_counter = ATOMIC64_INIT(0);
> >
> > +static const char *op_to_string(enum landlock_operation operation)
> > +{
> > +       const char *const desc[] = {
> > +               [0] = "",
> > +               [LANDLOCK_OP_MKDIR] = "mkdir",
> > +               [LANDLOCK_OP_MKNOD] = "mknod",
> > +               [LANDLOCK_OP_SYMLINK] = "symlink",
> > +               [LANDLOCK_OP_UNLINK] = "unlink",
> > +               [LANDLOCK_OP_RMDIR] = "rmdir",
> > +               [LANDLOCK_OP_TRUNCATE] = "truncate",
> > +               [LANDLOCK_OP_OPEN] = "open",
> > +       };
> 
> If you're going to be using a single AUDIT_LANDLOCK record type, do
> you want to somehow encode that the above are access/permission
> requests in the "op=" field name?

I'll use several audit record types, one for a denial and others for the
related kernel objects. See my other reply.

> 
> > +static void
> > +log_request(const int error, struct landlock_request *const request,
> > +           const struct landlock_ruleset *const domain,
> > +           const access_mask_t access_request,
> > +           const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> > +{
> > +       struct audit_buffer *ab;
> > +
> > +       if (WARN_ON_ONCE(!error))
> > +               return;
> > +       if (WARN_ON_ONCE(!request))
> > +               return;
> > +       if (WARN_ON_ONCE(!domain || !domain->hierarchy))
> > +               return;
> > +
> > +       /* Uses GFP_ATOMIC to not sleep. */
> > +       ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
> > +                            AUDIT_LANDLOCK);
> > +       if (!ab)
> > +               return;
> > +
> > +       update_request(request, domain, access_request, layer_masks);
> > +
> > +       log_task(ab);
> > +       audit_log_format(ab, " domain=%llu op=%s errno=%d missing-fs-accesses=",
> > +                        request->youngest_domain,
> > +                        op_to_string(request->operation), -error);
> > +       log_accesses(ab, request->missing_access);
> > +       audit_log_lsm_data(ab, &request->audit);
> > +       audit_log_end(ab);
> > +}
> 
> See my previous comments about record format consistency.

right

> 
> --
> paul-moore.com
>

More information about the Linux-security-module-archive mailing list