[PATCH v5 15/24] landlock: Log scoped denials
Mickaël Salaün
mic at digikod.net
Fri Jan 31 16:30:50 UTC 2025
Add audit support for unix_stream_connect, unix_may_send, task_kill, and
file_send_sigiotask hooks.
The related blockers are:
- scope.abstract_unix_socket
- scope.signal
Audit event sample for abstract unix socket:
type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F
Audit event sample for signal:
type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd"
Cc: Günther Noack <gnoack at google.com>
Cc: Tahera Fahimi <fahimitahera at gmail.com>
Signed-off-by: Mickaël Salaün <mic at digikod.net>
Link: https://lore.kernel.org/r/20250131163059.1139617-16-mic@digikod.net
---
Changes since v4:
- Rebase on top of the landlock_log_denial() and subject type changes.
Changes since v3:
- Cosmetic change to the "scope.*" blocker names.
- Extend commit message.
Changes since v1:
- New patch.
---
security/landlock/audit.c | 8 +++++
security/landlock/audit.h | 2 ++
security/landlock/task.c | 66 ++++++++++++++++++++++++++++++++++-----
3 files changed, 69 insertions(+), 7 deletions(-)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index 9c856b31f9f6..fc4d1dfb5c25 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -71,6 +71,14 @@ get_blocker(const enum landlock_request_type type,
if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings)))
return "unknown";
return net_access_strings[access_bit];
+
+ case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
+ WARN_ON_ONCE(access_bit != -1);
+ return "scope.abstract_unix_socket";
+
+ case LANDLOCK_REQUEST_SCOPE_SIGNAL:
+ WARN_ON_ONCE(access_bit != -1);
+ return "scope.signal";
}
WARN_ON_ONCE(1);
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index eeff2c5bfa4f..aaf21b31baa8 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -20,6 +20,8 @@ enum landlock_request_type {
LANDLOCK_REQUEST_FS_CHANGE_LAYOUT,
LANDLOCK_REQUEST_FS_ACCESS,
LANDLOCK_REQUEST_NET_ACCESS,
+ LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+ LANDLOCK_REQUEST_SCOPE_SIGNAL,
};
/*
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 7b313a779de5..10bfba1994d0 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -264,16 +264,31 @@ static int hook_unix_stream_connect(struct sock *const sock,
struct sock *const other,
struct sock *const newsk)
{
+ size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), unix_scope,
- NULL);
+ &handle_layer);
+ struct lsm_network_audit audit_net = {
+ .sk = other,
+ };
+ struct landlock_request request = {
+ .type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+ .audit = {
+ .type = LSM_AUDIT_DATA_NET,
+ .u.net = &audit_net,
+ },
+ };
/* Quick return for non-landlocked tasks. */
if (!subject)
return 0;
- if (is_abstract_socket(other) && sock_is_scoped(other, subject->domain))
+ if (is_abstract_socket(other) &&
+ sock_is_scoped(other, subject->domain)) {
+ request.layer_plus_one = handle_layer + 1;
+ landlock_log_denial(subject, &request);
return -EPERM;
+ }
return 0;
}
@@ -281,9 +296,20 @@ static int hook_unix_stream_connect(struct sock *const sock,
static int hook_unix_may_send(struct socket *const sock,
struct socket *const other)
{
+ size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), unix_scope,
- NULL);
+ &handle_layer);
+ struct lsm_network_audit audit_net = {
+ .sk = other->sk,
+ };
+ struct landlock_request request = {
+ .type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+ .audit = {
+ .type = LSM_AUDIT_DATA_NET,
+ .u.net = &audit_net,
+ },
+ };
if (!subject)
return 0;
@@ -296,8 +322,11 @@ static int hook_unix_may_send(struct socket *const sock,
return 0;
if (is_abstract_socket(other->sk) &&
- sock_is_scoped(other->sk, subject->domain))
+ sock_is_scoped(other->sk, subject->domain)) {
+ request.layer_plus_one = handle_layer + 1;
+ landlock_log_denial(subject, &request);
return -EPERM;
+ }
return 0;
}
@@ -311,13 +340,22 @@ static int hook_task_kill(struct task_struct *const p,
const struct cred *cred)
{
bool is_scoped;
+ size_t handle_layer;
const struct landlock_cred_security *subject;
+ struct landlock_request request = {
+ .type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+ .audit = {
+ .type = LSM_AUDIT_DATA_TASK,
+ .u.tsk = p,
+ },
+ };
if (!cred)
/* Not dealing with USB IO. */
cred = current_cred();
- subject = landlock_get_applicable_subject(cred, signal_scope, NULL);
+ subject = landlock_get_applicable_subject(cred, signal_scope,
+ &handle_layer);
/* Quick return for non-landlocked tasks. */
if (!subject)
@@ -329,8 +367,11 @@ static int hook_task_kill(struct task_struct *const p,
landlock_get_task_domain(p),
signal_scope.scope);
}
- if (is_scoped)
+ if (is_scoped) {
+ request.layer_plus_one = handle_layer + 1;
+ landlock_log_denial(subject, &request);
return -EPERM;
+ }
return 0;
}
@@ -338,7 +379,15 @@ static int hook_task_kill(struct task_struct *const p,
static int hook_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
+ size_t handle_layer;
const struct landlock_cred_security *subject;
+ struct landlock_request request = {
+ .type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+ .audit = {
+ .type = LSM_AUDIT_DATA_TASK,
+ .u.tsk = tsk,
+ },
+ };
bool is_scoped = false;
/* Lock already held by send_sigio() and send_sigurg(). */
@@ -361,8 +410,11 @@ static int hook_file_send_sigiotask(struct task_struct *tsk,
landlock_get_task_domain(tsk),
signal_scope.scope);
}
- if (is_scoped)
+ if (is_scoped) {
+ request.layer_plus_one = handle_layer + 1;
+ landlock_log_denial(subject, &request);
return -EPERM;
+ }
return 0;
}
--
2.48.1
More information about the Linux-security-module-archive
mailing list