[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231221.inae1eThoeva@digikod.net>
Date: Thu, 21 Dec 2023 19:47:40 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Paul Moore <paul@...l-moore.com>
Cc: Eric Paris <eparis@...hat.com>, James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>, Ben Scarlato <akhna@...gle.com>,
Günther Noack <gnoack@...gle.com>, Jeff Xu <jeffxu@...gle.com>,
Jorge Lucangeli Obes <jorgelo@...gle.com>, Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
Shervin Oloumi <enlightened@...gle.com>, audit@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [RFC PATCH v1 5/7] landlock: Log file-related requests
On Wed, Dec 20, 2023 at 04:22:33PM -0500, Paul Moore wrote:
> On Thu, Sep 21, 2023 at 2:17 AM Mickaël Salaün <mic@...ikod.net> wrote:
> >
> > Add audit support for mkdir, mknod, symlink, unlink, rmdir, truncate,
> > and open requests.
> >
> > Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> > ---
> > security/landlock/audit.c | 114 ++++++++++++++++++++++++++++++++++++++
> > security/landlock/audit.h | 32 +++++++++++
> > security/landlock/fs.c | 62 ++++++++++++++++++---
> > 3 files changed, 199 insertions(+), 9 deletions(-)
> >
> > diff --git a/security/landlock/audit.c b/security/landlock/audit.c
> > index d9589d07e126..148fc0fafef4 100644
> > --- a/security/landlock/audit.c
> > +++ b/security/landlock/audit.c
> > @@ -14,6 +14,25 @@
> >
> > atomic64_t ruleset_and_domain_counter = ATOMIC64_INIT(0);
> >
> > +static const char *op_to_string(enum landlock_operation operation)
> > +{
> > + const char *const desc[] = {
> > + [0] = "",
> > + [LANDLOCK_OP_MKDIR] = "mkdir",
> > + [LANDLOCK_OP_MKNOD] = "mknod",
> > + [LANDLOCK_OP_SYMLINK] = "symlink",
> > + [LANDLOCK_OP_UNLINK] = "unlink",
> > + [LANDLOCK_OP_RMDIR] = "rmdir",
> > + [LANDLOCK_OP_TRUNCATE] = "truncate",
> > + [LANDLOCK_OP_OPEN] = "open",
> > + };
>
> If you're going to be using a single AUDIT_LANDLOCK record type, do
> you want to somehow encode that the above are access/permission
> requests in the "op=" field name?
I'll use several audit record types, one for a denial and others for the
related kernel objects. See my other reply.
>
> > +static void
> > +log_request(const int error, struct landlock_request *const request,
> > + const struct landlock_ruleset *const domain,
> > + const access_mask_t access_request,
> > + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> > +{
> > + struct audit_buffer *ab;
> > +
> > + if (WARN_ON_ONCE(!error))
> > + return;
> > + if (WARN_ON_ONCE(!request))
> > + return;
> > + if (WARN_ON_ONCE(!domain || !domain->hierarchy))
> > + return;
> > +
> > + /* Uses GFP_ATOMIC to not sleep. */
> > + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
> > + AUDIT_LANDLOCK);
> > + if (!ab)
> > + return;
> > +
> > + update_request(request, domain, access_request, layer_masks);
> > +
> > + log_task(ab);
> > + audit_log_format(ab, " domain=%llu op=%s errno=%d missing-fs-accesses=",
> > + request->youngest_domain,
> > + op_to_string(request->operation), -error);
> > + log_accesses(ab, request->missing_access);
> > + audit_log_lsm_data(ab, &request->audit);
> > + audit_log_end(ab);
> > +}
>
> See my previous comments about record format consistency.
right
>
> --
> paul-moore.com
>
Powered by blists - more mailing lists