Message-ID: <CAHC9VhRh+_CM5kVmuXkttCn-3f3X8TR4n2q7MzrxCBXhbb2n-Q@mail.gmail.com>
Date: Mon, 6 Jan 2025 17:29:51 -0500
From: Paul Moore <paul@...l-moore.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Eric Paris <eparis@...hat.com>, Günther Noack <gnoack@...gle.com>,
"Serge E . Hallyn" <serge@...lyn.com>, Ben Scarlato <akhna@...gle.com>,
Casey Schaufler <casey@...aufler-ca.com>, Charles Zaffery <czaffery@...lox.com>,
Francis Laniel <flaniel@...ux.microsoft.com>, James Morris <jmorris@...ei.org>,
Jann Horn <jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>,
Jorge Lucangeli Obes <jorgelo@...gle.com>, Kees Cook <kees@...nel.org>,
Konstantin Meskhidze <konstantin.meskhidze@...wei.com>, Matt Bobrowski <mattbobrowski@...gle.com>,
Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>, Phil Sutter <phil@....cc>,
Praveen K Paladugu <prapal@...ux.microsoft.com>, Robert Salvet <robert.salvet@...lox.com>,
Shervin Oloumi <enlightened@...gle.com>, Song Liu <song@...nel.org>,
Tahera Fahimi <fahimitahera@...il.com>, audit@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v3 17/23] landlock: Log TCP bind and connect denials
On Mon, Jan 6, 2025 at 9:51 AM Mickaël Salaün <mic@...ikod.net> wrote:
> On Sat, Jan 04, 2025 at 08:23:52PM -0500, Paul Moore wrote:
> > > On Nov 22, 2024 Mickaël Salaün <mic@...ikod.net> wrote:
> > >
> > > Add audit support to socket_bind and socket_connect hooks.
> > >
> > > Audit event sample:
> > >
> > > type=LL_DENY [...]: domain=195ba459b blockers=net_connect_tcp daddr=127.0.0.1 dest=80
> >
> > The destination address and port is already captured in the SOCKADDR
> > record for bind() and connect(), please don't duplicate it here.
>
> This does not show up when a connect or bind is denied. I guess this is
> because move_addr_to_kernel() is called at syscall entry when there is
> no context, whereas a Landlock denial is created after that. For this
> to work, users would have to log a list of syscalls, which would not be
> usable (nor reliably maintainable) for most users.
Quick question, can you share the audit filter configuration you are
using on your dev/test systems (just dump /etc/audit/audit.rules,
unless you are doing it by hand)?
One can make an argument that if syscall auditing is being explicitly
denied, then the user has decided that the syscall related information
is not important to them. I'm somewhat conflicted on that argument,
but I believe the argument is at least valid.
> I guess this might be different with io_uring too.
There are other issues with SOCKADDR and io_uring related to how
io_uring wants to separate the work into different execution contexts.
In general I wouldn't spend too much time worrying about auditing and
io_uring right now, there are some general issues that need to be
resolved in io_uring/audit that are much larger than just Landlock's
audit usage.
--
paul-moore.com
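An added example, not part of the thread, illustrating the gap Mickaël describes: for each LL_DENY record it checks whether the same audit event also carries a SOCKADDR record (which only appears when a syscall rule matched) and decodes the kernel's hex-encoded sockaddr to compare it with the denial's own fields. The log lines are constructed; the LL_DENY field layout follows the sample in the quoted patch description, while the serials, timestamps and the second denial are assumptions.

```python
import re
import socket
import struct
from collections import defaultdict
# Constructed sample: event 41 also has a SOCKADDR record (a syscall rule matched); event 42 does not.
SAMPLE_LOG = """\
type=LL_DENY msg=audit(1736202000.101:41): domain=195ba459b blockers=net_connect_tcp daddr=127.0.0.1 dest=80
type=SOCKADDR msg=audit(1736202000.101:41): saddr=020000507F0000010000000000000000
type=LL_DENY msg=audit(1736202000.205:42): domain=195ba459b blockers=net_connect_tcp daddr=10.0.0.5 dest=443
"""
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_records(log_text):
    """Group records by audit event serial as ordered (type, fields) pairs."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, serial, body = m.groups()
            events[int(serial)].append((rtype, dict(KV_RE.findall(body))))
    return events

def decode_saddr(hex_saddr):
    """Decode the hex struct sockaddr of a SOCKADDR record. sa_family is in
    host (little-endian) byte order; the port is in network byte order."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack('<H', raw[:2])[0]
    port = struct.unpack('!H', raw[2:4])[0]
    if family == socket.AF_INET:
        return {'family': 'inet', 'addr': socket.inet_ntoa(raw[4:8]), 'port': port}
    if family == socket.AF_INET6:  # port, 4-byte flowinfo, then the address
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        return {'family': 'inet6', 'addr': addr, 'port': port}
    return {'family': family, 'addr': None, 'port': None}

def correlate(log_text):
    """For each LL_DENY, say whether its event also carries a SOCKADDR record
    and whether that record agrees with the denial's own daddr/dest."""
    results = []
    for serial, records in sorted(parse_records(log_text).items()):
        sock = next((f for t, f in records if t == 'SOCKADDR'), None)
        decoded = decode_saddr(sock['saddr']) if sock else None
        for rtype, fields in records:
            if rtype == 'LL_DENY':
                agrees = None if decoded is None else (decoded['addr'] == fields.get('daddr')
                                                        and str(decoded['port']) == fields.get('dest'))
                results.append({'serial': serial, 'daddr': fields.get('daddr'), 'dest': fields.get('dest'),
                                'sockaddr': decoded, 'agrees': agrees})
    return results
```

A denial whose `sockaddr` is None is exactly the case where only a syscall rule for connect()/bind() would have supplied the address.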