lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231221.inae1eThoeva@digikod.net>
Date: Thu, 21 Dec 2023 19:47:40 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Paul Moore <paul@...l-moore.com>
Cc: Eric Paris <eparis@...hat.com>, James Morris <jmorris@...ei.org>, 
	"Serge E . Hallyn" <serge@...lyn.com>, Ben Scarlato <akhna@...gle.com>, 
	Günther Noack <gnoack@...gle.com>, Jeff Xu <jeffxu@...gle.com>, 
	Jorge Lucangeli Obes <jorgelo@...gle.com>, Konstantin Meskhidze <konstantin.meskhidze@...wei.com>, 
	Shervin Oloumi <enlightened@...gle.com>, audit@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org
Subject: Re: [RFC PATCH v1 5/7] landlock: Log file-related requests

On Wed, Dec 20, 2023 at 04:22:33PM -0500, Paul Moore wrote:
> On Thu, Sep 21, 2023 at 2:17 AM Mickaël Salaün <mic@...ikod.net> wrote:
> >
> > Add audit support for mkdir, mknod, symlink, unlink, rmdir, truncate,
> > and open requests.
> >
> > Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> > ---
> >  security/landlock/audit.c | 114 ++++++++++++++++++++++++++++++++++++++
> >  security/landlock/audit.h |  32 +++++++++++
> >  security/landlock/fs.c    |  62 ++++++++++++++++++---
> >  3 files changed, 199 insertions(+), 9 deletions(-)
> >
> > diff --git a/security/landlock/audit.c b/security/landlock/audit.c
> > index d9589d07e126..148fc0fafef4 100644
> > --- a/security/landlock/audit.c
> > +++ b/security/landlock/audit.c
> > @@ -14,6 +14,25 @@
> >
> >  atomic64_t ruleset_and_domain_counter = ATOMIC64_INIT(0);
> >
> > +static const char *op_to_string(enum landlock_operation operation)
> > +{
> > +       const char *const desc[] = {
> > +               [0] = "",
> > +               [LANDLOCK_OP_MKDIR] = "mkdir",
> > +               [LANDLOCK_OP_MKNOD] = "mknod",
> > +               [LANDLOCK_OP_SYMLINK] = "symlink",
> > +               [LANDLOCK_OP_UNLINK] = "unlink",
> > +               [LANDLOCK_OP_RMDIR] = "rmdir",
> > +               [LANDLOCK_OP_TRUNCATE] = "truncate",
> > +               [LANDLOCK_OP_OPEN] = "open",
> > +       };
> 
> If you're going to be using a single AUDIT_LANDLOCK record type, do
> you want to somehow encode that the above are access/permission
> requests in the "op=" field name?

I'll use several audit record types, one for a denial and others for the
related kernel objects. See my other reply.

> 
> > +static void
> > +log_request(const int error, struct landlock_request *const request,
> > +           const struct landlock_ruleset *const domain,
> > +           const access_mask_t access_request,
> > +           const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> > +{
> > +       struct audit_buffer *ab;
> > +
> > +       if (WARN_ON_ONCE(!error))
> > +               return;
> > +       if (WARN_ON_ONCE(!request))
> > +               return;
> > +       if (WARN_ON_ONCE(!domain || !domain->hierarchy))
> > +               return;
> > +
> > +       /* Uses GFP_ATOMIC to not sleep. */
> > +       ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
> > +                            AUDIT_LANDLOCK);
> > +       if (!ab)
> > +               return;
> > +
> > +       update_request(request, domain, access_request, layer_masks);
> > +
> > +       log_task(ab);
> > +       audit_log_format(ab, " domain=%llu op=%s errno=%d missing-fs-accesses=",
> > +                        request->youngest_domain,
> > +                        op_to_string(request->operation), -error);
> > +       log_accesses(ab, request->missing_access);
> > +       audit_log_lsm_data(ab, &request->audit);
> > +       audit_log_end(ab);
> > +}
> 
> See my previous comments about record format consistency.

right

> 
> --
> paul-moore.com
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ