[RFC PATCH v1 4/5] landlock: Add landlock_add_rule_fs tracepoint
Tingmao Wang
m at maowtm.org
Mon May 26 18:37:52 UTC 2025
On 5/23/25 17:57, Mickaël Salaün wrote:
> Add a tracepoint for Landlock path_beneath rule addition. This is
> useful to tie a Landlock object with a file for debug purpose.
>
> Allocate the absolute path names when adding new rules. This is OK
> because landlock_add_rule(2) is not a performance critical code.
>
> Here is an example of landlock_add_rule_fs traces:
> ruleset=0x000000007e3b1c4a key=inode:0xffff888004f59260 allowed=0xd dev=0:16 ino=306 path=/usr
> ruleset=0x000000007e3b1c4a key=inode:0xffff888004f59240 allowed=0xffff dev=0:16 ino=346 path=/root
>
> TODO: Use Landlock IDs instead of kernel addresses to identify Landlock
> objects (e.g. inode).
Do you mean like the u64 domain ID for audit, but for objects? Since
there currently isn't a u64, non-pointer ID, I guess we would have to
create one for the object just for tracing?
My understanding is that kernel pointers are not hidden from the root
user / someone who can read traces, so maybe just printing the pointer
is good enough?
>
> Cc: Günther Noack <gnoack at google.com>
> Cc: Masami Hiramatsu <mhiramat at kernel.org>
> Cc: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
> Cc: Steven Rostedt <rostedt at goodmis.org>
> Cc: Tingmao Wang <m at maowtm.org>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> ---
> MAINTAINERS | 1 +
> include/trace/events/landlock.h | 68 +++++++++++++++++++++++++++++++++
> security/landlock/Makefile | 11 +++++-
> security/landlock/fs.c | 22 +++++++++++
> security/landlock/fs.h | 3 ++
> security/landlock/trace.c | 14 +++++++
> 6 files changed, 117 insertions(+), 2 deletions(-)
> create mode 100644 include/trace/events/landlock.h
> create mode 100644 security/landlock/trace.c
>
> > [...]
> > diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 73a20a501c3c..e5d673240882 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -36,6 +36,7 @@
> #include <linux/types.h>
> #include <linux/wait_bit.h>
> #include <linux/workqueue.h>
> +#include <trace/events/landlock.h>
> #include <uapi/linux/fiemap.h>
> #include <uapi/linux/landlock.h>
>
> @@ -345,6 +346,27 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> mutex_lock(&ruleset->lock);
> err = landlock_insert_rule(ruleset, ref, access_rights);
> mutex_unlock(&ruleset->lock);
> +
> + if (!err && trace_landlock_add_rule_fs_enabled()) {
> + const char *pathname;
> + /* Does not handle deleted files. */
> + char *buffer __free(__putname) = __getname();
> +
> + if (buffer) {
> + const char *absolute_path =
> + d_absolute_path(path, buffer, PATH_MAX);
> + if (!IS_ERR_OR_NULL(absolute_path))
> + pathname = absolute_path;
> + else
> + pathname = "<too_long>";
Not sure if it's necessary to go that far, but I think d_absolute_path
returns -ENAMETOOLONG in the too long case, and -EINVAL in the "not
possible to construct a path" case (I guess e.g. if it's an anonymous
file or detached mount). We could add an else if branch to check which
case it is and use different strings.
> + } else {
> + /* Same format as audit_log_d_path(). */
> + pathname = "<no_memory>";
> + }
> + trace_landlock_add_rule_fs(ruleset, &ref, access_rights, path,
> + pathname);
> + }
> +
> /*
> * No need to check for an error because landlock_insert_rule()
> * increments the refcount for the new object if needed.
> diff --git a/security/landlock/fs.h b/security/landlock/fs.h
> index bf9948941f2f..60be95ebfb0b 100644
> --- a/security/landlock/fs.h
> +++ b/security/landlock/fs.h
> @@ -11,6 +11,7 @@
> #define _SECURITY_LANDLOCK_FS_H
>
> #include <linux/build_bug.h>
> +#include <linux/cleanup.h>
> #include <linux/fs.h>
> #include <linux/init.h>
> #include <linux/rcupdate.h>
> @@ -128,4 +129,6 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> const struct path *const path,
> access_mask_t access_hierarchy);
>
> +DEFINE_FREE(__putname, char *, if (_T) __putname(_T))
Out of curiosity why not put this in include/linux/fs.h (seems to
compile for me when added there)?
> +
> #endif /* _SECURITY_LANDLOCK_FS_H */
> diff --git a/security/landlock/trace.c b/security/landlock/trace.c
> new file mode 100644
> index 000000000000..98874cda473b
> --- /dev/null
> +++ b/security/landlock/trace.c
> @@ -0,0 +1,14 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Landlock - Tracepoints
> + *
> + * Copyright © 2025 Microsoft Corporation
> + */
> +
> +#include <linux/path.h>
> +
> +#include "access.h"
> +#include "ruleset.h"
> +
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/landlock.h>
More information about the Linux-security-module-archive
mailing list