[PATCH v3 17/23] landlock: Log TCP bind and connect denials

Mickaël Salaün mic at digikod.net
Mon Jan 6 14:51:39 UTC 2025


On Sat, Jan 04, 2025 at 08:23:52PM -0500, Paul Moore wrote:
> On Nov 22, 2024 Mickaël Salaün <mic at digikod.net> wrote:
> > 
> > Add audit support to socket_bind and socket_connect hooks.
> > 
> > Audit event sample:
> > 
> >   type=LL_DENY [...]: domain=195ba459b blockers=net_connect_tcp daddr=127.0.0.1 dest=80
> 
> The destination address and port are already captured in the SOCKADDR
> record for bind() and connect(), please don't duplicate it here.

This does not show up when a connect or bind is denied.  I guess this is
because move_addr_to_kernel() is called at syscall entry when there is
no context, whereas a Landlock denial is created after that.  For this
to work, users would have to log a list of syscalls, which would not be
usable (nor reliably maintainable) for most users.  I guess this might
be different with io_uring too.

SELinux and other LSMs log it this way, which makes sense to me.

> 
> > Cc: Günther Noack <gnoack at google.com>
> > Cc: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
> > Cc: Mikhail Ivanov <ivanov.mikhail1 at huawei-partners.com>
> > Signed-off-by: Mickaël Salaün <mic at digikod.net>
> > Link: https://lore.kernel.org/r/20241122143353.59367-18-mic@digikod.net
> > ---
> > Changes since v2:
> > - Remove potentially superfluous IPv6 saddr log, spotted by Francis
> >   Laniel.
> > - Cosmetic improvements.
> > ---
> >  security/landlock/audit.c | 12 +++++++++
> >  security/landlock/audit.h |  1 +
> >  security/landlock/net.c   | 51 ++++++++++++++++++++++++++++++++++++---
> >  3 files changed, 60 insertions(+), 4 deletions(-)
> 
> --
> paul-moore.com

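As an added illustration (not code from the patch or from this thread), a small Python parser for denial records of the shape sampled above, written from the log consumer's side: it assumes the `[...]` placeholder stands for the standard `msg=audit(timestamp:serial)` audit prefix, that a SYSCALL record with the same serial is also present, and that `blockers` may hold a comma-separated list. Because no SOCKADDR record accompanies a denied connect or bind, the destination is read from the LL_DENY record itself; the sample log lines are constructed.

```python
import re

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (assumption: serial 17 is a denied connect, serial 18 an allowed one).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1736174000.123:17): arch=c000003e syscall=42 success=no exit=-13 pid=4242 comm="curl"
type=LL_DENY msg=audit(1736174000.123:17): domain=195ba459b blockers=net_connect_tcp daddr=127.0.0.1 dest=80
type=SYSCALL msg=audit(1736174001.456:18): arch=c000003e syscall=42 success=yes exit=0 pid=4243 comm="curl"
"""


def parse_fields(body):
    """Split an audit record body into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def parse_landlock_denials(log_text):
    """Return one event per audit serial that carries an LL_DENY record.

    Destination address and port come from the LL_DENY record (there is no
    SOCKADDR record for a denied connect/bind); pid and comm are joined from
    the SYSCALL record that shares the serial, when one is present.
    """
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record we understand
        serial = int(m.group("serial"))
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group("ts"))})
        fields = parse_fields(m.group("body"))
        if m.group("type") == "LL_DENY":
            ev["domain"] = fields.get("domain")
            ev["blockers"] = fields.get("blockers", "").split(",")  # assumed comma-separated
            ev["daddr"] = fields.get("daddr")
            ev["dest"] = int(fields["dest"]) if "dest" in fields else None
        elif m.group("type") == "SYSCALL":
            ev["pid"] = int(fields["pid"])
            ev["comm"] = fields.get("comm")
    # keep only serials that actually contained a Landlock denial
    return [ev for ev in events.values() if "domain" in ev]
```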