[RFC PATCH v1 4/7] landlock: Log domain creation and enforcement

Mickaël Salaün mic at digikod.net
Thu Sep 21 06:16:38 UTC 2023


Add audit support for domain creation, i.e. task self-restriction.

Signed-off-by: Mickaël Salaün <mic at digikod.net>
---
 security/landlock/audit.c    | 24 ++++++++++++++++++++++++
 security/landlock/audit.h    |  8 ++++++++
 security/landlock/syscalls.c |  4 ++++
 3 files changed, 36 insertions(+)

diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index f58bd529784a..d9589d07e126 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -84,6 +84,30 @@ void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset)
 	audit_log_end(ab);
 }
 
+void landlock_log_restrict_self(struct landlock_ruleset *const domain,
+				struct landlock_ruleset *const ruleset)
+{
+	struct audit_buffer *ab;
+
+	WARN_ON_ONCE(domain->id);
+	WARN_ON_ONCE(!ruleset->id);
+
+	ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_LANDLOCK);
+	if (!ab)
+		/* audit_log_lost() call */
+		return;
+
+	domain->hierarchy->id =
+		atomic64_inc_return(&ruleset_and_domain_counter);
+	log_task(ab);
+	audit_log_format(ab, " op=restrict-self domain=%llu ruleset=%llu",
+			 domain->hierarchy->id, ruleset->id);
+	audit_log_format(
+		ab, " parent=%llu",
+		domain->hierarchy->parent ? domain->hierarchy->parent->id : 0);
+	audit_log_end(ab);
+}
+
 /*
  * This is useful to know when a domain or a ruleset will never show again in
  * the audit log.
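Review bot: In landlock_log_restrict_self() the domain ID is assigned only after audit_log_start() returns a buffer, so the early `return` on `!ab` (allocation failure, or auditing disabled or filtered) leaves `domain->hierarchy->id` at its initial value, presumably 0. A child domain created later would then log `parent=0`, the same value this function prints when there is no parent, so the audit trail cannot distinguish a root domain from the child of a domain whose creation record was lost. Move `domain->hierarchy->id = atomic64_inc_return(&ruleset_and_domain_counter);` above the audit_log_start() call so the ID exists whether or not the record is emitted. Separately, `WARN_ON_ONCE(domain->id)` tests `domain->id` while the ID is stored in `domain->hierarchy->id`, so it would not catch a repeated assignment; `WARN_ON_ONCE(domain->hierarchy->id)` looks like the intended check, though the struct layout is not visible here.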
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 2666e9151627..bc17dc8ca6f1 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -16,6 +16,8 @@
 #ifdef CONFIG_AUDIT
 
 void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset);
+void landlock_log_restrict_self(struct landlock_ruleset *const domain,
+				struct landlock_ruleset *const ruleset);
 void landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset);
 
 #else /* CONFIG_AUDIT */
@@ -25,6 +27,12 @@ landlock_log_create_ruleset(struct landlock_ruleset *const ruleset)
 {
 }
 
+static inline void
+landlock_log_restrict_self(struct landlock_ruleset *const domain,
+			   struct landlock_ruleset *const ruleset)
+{
+}
+
 static inline void
 landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset)
 {
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 373997a356e7..bfe5417a06c3 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -452,6 +452,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
 	landlock_put_ruleset(new_llcred->domain);
 	new_llcred->domain = new_dom;
 
+	// FIXME: Must be atomic between the ruleset merge and the audit log to
+	// be sure about the content of the domain.
+	// -> move mutex_lock() from merge_ruleset() into this function
+	landlock_log_restrict_self(new_dom, ruleset);
 	landlock_put_ruleset(ruleset);
 	return commit_creds(new_cred);
 
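Review bot: The FIXME before the landlock_log_restrict_self() call uses `//` line comments where the rest of this patch uses block comments (see audit.c), and it does not say what a reader of the audit log loses while the gap exists. A block comment that states the consequence would help, for example `/* FIXME: the ruleset may change between merge_ruleset() and this record, so the logged ruleset ID may not describe the rules the domain enforces; hold the ruleset lock across both. */`. Whether a concurrent change is actually possible depends on merge_ruleset() and its locking, which are outside this hunk, so confirm that before rewording. The syscall body starts and ends outside the hunk.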
-- 
2.42.0


