[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230921061641.273654-5-mic@digikod.net>
Date: Thu, 21 Sep 2023 08:16:38 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Eric Paris <eparis@...hat.com>, James Morris <jmorris@...ei.org>,
Paul Moore <paul@...l-moore.com>,
"Serge E . Hallyn" <serge@...lyn.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
Ben Scarlato <akhna@...gle.com>,
Günther Noack <gnoack@...gle.com>,
Jeff Xu <jeffxu@...gle.com>,
Jorge Lucangeli Obes <jorgelo@...gle.com>,
Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
Shervin Oloumi <enlightened@...gle.com>, audit@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: [RFC PATCH v1 4/7] landlock: Log domain creation and enforcement
Add audit support for domain creation, i.e. task self-restriction.
Signed-off-by: Mickaël Salaün <mic@...ikod.net>
---
security/landlock/audit.c | 24 ++++++++++++++++++++++++
security/landlock/audit.h | 8 ++++++++
security/landlock/syscalls.c | 4 ++++
3 files changed, 36 insertions(+)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index f58bd529784a..d9589d07e126 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -84,6 +84,30 @@ void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset)
audit_log_end(ab);
}
+void landlock_log_restrict_self(struct landlock_ruleset *const domain,
+ struct landlock_ruleset *const ruleset)
+{
+ struct audit_buffer *ab;
+
+ WARN_ON_ONCE(domain->id);
+ WARN_ON_ONCE(!ruleset->id);
+
+ ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_LANDLOCK);
+ if (!ab)
+ /* audit_log_lost() call */
+ return;
+
+ domain->hierarchy->id =
+ atomic64_inc_return(&ruleset_and_domain_counter);
+ log_task(ab);
+ audit_log_format(ab, " op=restrict-self domain=%llu ruleset=%llu",
+ domain->hierarchy->id, ruleset->id);
+ audit_log_format(
+ ab, " parent=%llu",
+ domain->hierarchy->parent ? domain->hierarchy->parent->id : 0);
+ audit_log_end(ab);
+}
+
/*
* This is useful to know when a domain or a ruleset will never show again in
* the audit log.
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 2666e9151627..bc17dc8ca6f1 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -16,6 +16,8 @@
#ifdef CONFIG_AUDIT
void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset);
+void landlock_log_restrict_self(struct landlock_ruleset *const domain,
+ struct landlock_ruleset *const ruleset);
void landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset);
#else /* CONFIG_AUDIT */
@@ -25,6 +27,12 @@ landlock_log_create_ruleset(struct landlock_ruleset *const ruleset)
{
}
+static inline void
+landlock_log_restrict_self(struct landlock_ruleset *const domain,
+ struct landlock_ruleset *const ruleset)
+{
+}
+
static inline void
landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset)
{
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 373997a356e7..bfe5417a06c3 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -452,6 +452,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
landlock_put_ruleset(new_llcred->domain);
new_llcred->domain = new_dom;
+ // FIXME: Must be atomic between the ruleset merge and the audit log to
+ // be sure about the content of the domain.
+ // -> move mutex_lock() from merge_ruleset() into this function
+ landlock_log_restrict_self(new_dom, ruleset);
landlock_put_ruleset(ruleset);
return commit_creds(new_cred);
--
2.42.0
Powered by blists - more mailing lists