[PATCH v3 00/23] Landlock audit support
Francis Laniel
flaniel at linux.microsoft.com
Fri Dec 20 14:36:40 UTC 2024
Hi!
Le vendredi 22 novembre 2024, 15:33:30 CET Mickaël Salaün a écrit :
> Hi,
>
> This patch series adds audit support to Landlock.
>
> Logging denied requests is useful for different use cases:
> - sysadmins: to look for users' issues
> - security experts: to detect attack attempts
> - power users: to understand denials
> - app developers: to ease and speed up sandboxing support
>
> To make logs useful, they need to contain the most relevant Landlock
> domain that denied an action, and the reason of such denial. This
> translates to the latest nested domain and the related blockers: missing
> access rights or other kind of constraints (e.g. scoped domain).
>
> # Changes from previous version
>
> This third patch series reduces the amount of domain information
> records: instead of creating a record for a domain hierarchy, only the
> domain that denied the request is logged, which is enough.
>
> The log format for domain information don't include the parent anymore
> but the creation time instead, which is useful to know how old a domain
> is relative to a first denial. We also now use hexadecimal numbers for
> domain IDs.
>
> Another major addition of this patch series are the new tests. The new
> syscall flag is tested, and all the ptrace tests are extended to check
> the source of the denials (e.g. Landlock or Yama). This greatly improve
> test consistency and I plan to extend all Landlock tests with these
> audit checks.
>
> The sandboxer sample is also updated to not generate logs by default.
>
> # Design
>
> Log records are created for any denied actions caused by a Landlock
> policy, which means that a well-sandboxed applications should not log
> anything except for unattended access requests that might be the result
> of attacks or bugs.
>
> However, sandbox tools creating restricted environments could lead to
> abundant log entries because the sandboxed processes may not be aware of
> the related restrictions. To avoid log spam, the
> landlock_restrict_self(2) syscall gets a new
> LANDLOCK_RESTRICT_SELF_LOGLESS flag to not log denials related to this
> specific domain. Except for well-understood exceptions, this flag
> should not be set. Indeed, applications sandboxing themselves should
> only try to bypass their own sandbox if they are compromised, which
> should ring a bell thanks to log events.
>
> When an action is denied, the related Landlock domain ID is specified.
> If this domain was not previously described in a log record, one is
> created. This record contains the domain ID, its creation time, and
> informations about the process that enforced the restriction (at the
> time of the call to landlock_restrict_self): PID, UID, executable path,
> and name (comm).
>
> This new approach also brings building blocks for an upcoming
> unprivileged introspection interface. The unique Landlock IDs will be
> useful to tie audit log entries to running processes, and to get
> properties of the related Landlock domains. This will replace the
> previously logged ruleset properties.
>
> # Samples
>
> Here are two examples of log events:
>
> $ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1
>
> type=UNKNOWN[1423] msg=audit(1732186800.268:30): domain=1a6fdc66f
> blockers=scope_signal opid=1 ocomm="systemd" type=UNKNOWN[1424]
> msg=audit(1732186800.268:30): domain=1a6fdc66f creation=1732186800.264
> pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"UID="root" type=SYSCALL
> msg=audit(1732186800.268:30): arch=c000003e syscall=62 success=no exit=-1
> [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
> type=PROCTITLE msg=audit(1732186800.268:30): proctitle=6B696C6C0031
> type=UNKNOWN[1425] msg=audit(1732186800.324:31): domain=1a6fdc66f
>
> $ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo >
> /etc/passwd"
>
> type=UNKNOWN[1423] msg=audit(1732186800.221:33): domain=1a6fdc679
> blockers=fs_write_file path="/dev/tty" dev="devtmpfs" ino=9
> type=UNKNOWN[1424] msg=audit(1732186800.221:33): domain=1a6fdc679
> creation=1732186800.221 pid=289 uid=0 exe="/root/sandboxer"
> comm="sandboxer"UID="root" type=SYSCALL msg=audit(1732186800.221:33):
> arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0
> uid=0 gid=0 [...] comm="sh" [...] type=PROCTITLE
> msg=audit(1732186800.221:33):
> proctitle=7368002D63006563686F203E202F6574632F706173737764
> type=UNKNOWN[1423] msg=audit(1732186800.221:34): domain=1a6fdc679
> blockers=fs_write_file path="/etc/passwd" dev="vda2" ino=143821
> type=SYSCALL msg=audit(1732186800.221:34): arch=c000003e syscall=257
> success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...]
> comm="sh" [...] type=PROCTITLE msg=audit(1732186800.221:34):
> proctitle=7368002D63006563686F203E202F6574632F706173737764
> type=UNKNOWN[1425] msg=audit(1732186800.261:35): domain=1a6fdc679
>
> # Future changes
>
> It would be interesting to enhance audit with the ability to filter on
> the executable path that created a sandbox, or to filter on a Landlock
> domain ID.
>
Thank you for this series, I tested with a sandboxed program trying to
fstatat("/proc/1/ns/pid") and I indeed got audit logs:
root at vm-amd64:~# uname -r
6.12.0-00023-gab1009f970a0
root at vm-amd64:~# ./share/kinvolk/landlock/landlock
Failed to fstatat: Permission denied
root at vm-amd64:~# grep 'domain=' /var/log/audit/audit.log
type=UNKNOWN[1423] msg=audit(1734704806.184:61): domain=1e925333c
blockers=ptrace opid=1 ocomm="systemd"
type=UNKNOWN[1424] msg=audit(1734704806.184:61): domain=1e925333c
creation=1734704806.184 pid=288 uid=0 exe="/root/share/kinvolk/landlock/
landlock" comm="landlock"UID="root"
type=UNKNOWN[1425] msg=audit(1734704806.191:62): domain=1e925333c
>
> Previous versions:
> v1: https://lore.kernel.org/r/20241022161009.982584-1-mic@digikod.net
> v1: https://lore.kernel.org/r/20230921061641.273654-1-mic@digikod.net
>
> Regards,
>
> Mickaël Salaün (23):
> lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are
> set
> lsm: Add audit_log_lsm_data() helper
> landlock: Factor out check_access_path()
> landlock: Add unique ID generator
> landlock: Move access types
> landlock: Simplify initially denied access rights
> landlock: Move domain hierarchy management
> landlock: Log ptrace denials
> audit: Add a new audit_get_ctime() helper
> landlock: Log domain properties and release
> landlock: Log mount-related denials
> landlock: Align partial refer access checks with final ones
> selftests/landlock: Add test to check partial access in a mount tree
> landlock: Optimize file path walks and prepare for audit support
> landlock: Log file-related denials
> landlock: Log truncate and ioctl denials
> landlock: Log TCP bind and connect denials
> landlock: Log scoped denials
> landlock: Control log events with LANDLOCK_RESTRICT_SELF_LOGLESS
> samples/landlock: Do not log denials from the sandboxer by default
> selftests/landlock: Extend tests for landlock_restrict_self()'s flags
> selftests/landlock: Add tests for audit
> selftests/landlock: Add audit tests for ptrace
>
> Documentation/userspace-api/landlock.rst | 2 +-
> include/linux/audit.h | 8 +
> include/linux/lsm_audit.h | 22 +
> include/uapi/linux/audit.h | 5 +-
> include/uapi/linux/landlock.h | 14 +
> kernel/auditsc.c | 21 +-
> samples/landlock/sandboxer.c | 35 +-
> security/Kconfig | 5 +
> security/Makefile | 2 +-
> security/landlock/.kunitconfig | 2 +
> security/landlock/Makefile | 2 +
> security/landlock/access.h | 100 ++++
> security/landlock/audit.c | 495 ++++++++++++++++++
> security/landlock/audit.h | 76 +++
> security/landlock/domain.c | 195 +++++++
> security/landlock/domain.h | 117 +++++
> security/landlock/fs.c | 279 +++++++---
> security/landlock/fs.h | 10 +
> security/landlock/id.c | 242 +++++++++
> security/landlock/id.h | 25 +
> security/landlock/net.c | 51 +-
> security/landlock/ruleset.c | 35 +-
> security/landlock/ruleset.h | 96 ++--
> security/landlock/setup.c | 2 +
> security/landlock/syscalls.c | 26 +-
> security/landlock/task.c | 150 +++++-
> security/lsm_audit.c | 27 +-
> tools/testing/kunit/configs/all_tests.config | 2 +
> tools/testing/selftests/landlock/audit.h | 308 +++++++++++
> tools/testing/selftests/landlock/audit_test.c | 168 ++++++
> tools/testing/selftests/landlock/base_test.c | 18 +-
> tools/testing/selftests/landlock/common.h | 2 +
> tools/testing/selftests/landlock/config | 1 +
> tools/testing/selftests/landlock/fs_test.c | 54 +-
> .../testing/selftests/landlock/ptrace_test.c | 62 ++-
> 35 files changed, 2454 insertions(+), 205 deletions(-)
> create mode 100644 security/landlock/access.h
> create mode 100644 security/landlock/audit.c
> create mode 100644 security/landlock/audit.h
> create mode 100644 security/landlock/domain.c
> create mode 100644 security/landlock/domain.h
> create mode 100644 security/landlock/id.c
> create mode 100644 security/landlock/id.h
> create mode 100644 tools/testing/selftests/landlock/audit.h
> create mode 100644 tools/testing/selftests/landlock/audit_test.c
>
>
> base-commit: adc218676eef25575469234709c2d87185ca223a
More information about the Linux-security-module-archive
mailing list