lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250108154338.1129069-1-mic@digikod.net>
Date: Wed,  8 Jan 2025 16:43:08 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Eric Paris <eparis@...hat.com>,
	Paul Moore <paul@...l-moore.com>,
	Günther Noack <gnoack@...gle.com>,
	"Serge E . Hallyn" <serge@...lyn.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
	Ben Scarlato <akhna@...gle.com>,
	Casey Schaufler <casey@...aufler-ca.com>,
	Charles Zaffery <czaffery@...lox.com>,
	Daniel Burgener <dburgener@...ux.microsoft.com>,
	Francis Laniel <flaniel@...ux.microsoft.com>,
	James Morris <jmorris@...ei.org>,
	Jann Horn <jannh@...gle.com>,
	Jeff Xu <jeffxu@...gle.com>,
	Jorge Lucangeli Obes <jorgelo@...gle.com>,
	Kees Cook <kees@...nel.org>,
	Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
	Matt Bobrowski <mattbobrowski@...gle.com>,
	Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>,
	Phil Sutter <phil@....cc>,
	Praveen K Paladugu <prapal@...ux.microsoft.com>,
	Robert Salvet <robert.salvet@...lox.com>,
	Shervin Oloumi <enlightened@...gle.com>,
	Song Liu <song@...nel.org>,
	Tahera Fahimi <fahimitahera@...il.com>,
	Tyler Hicks <code@...icks.com>,
	audit@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: [PATCH v4 00/30] Landlock audit support

Hi,

This patch series adds audit support to Landlock.

Logging denied requests is useful for different use cases:
- sysadmins: to look for users' issues,
- security experts: to detect attack attempts,
- power users: to understand denials,
- developers: to ease sandboxing support and get feedback from users.

Because of its unprivileged nature, Landlock can compose standalone
security policies (i.e. domains).  To make logs useful, they need to
contain the most relevant Landlock domain that denied an action, and the
reason of such denial.  This translates to the latest nested domain and
the related blockers: missing access rights or other kind of
restrictions.

# Changes from previous version

This fourth patch series mainly adds a new AUDIT_EXE_LANDLOCK_DENY rule
type to filter Landlock denials according to the executable that loaded
the policy responsible for this restriction.  New tests are added on top
of that.

Domain's metadata are now stored in a dedicated struct landlock_details
that contains the resolved exe's path, because we cannot keep a
reference to the related struct path.  This fixes umount of the
mount point containing a binary that restricted itself (if the domain is
still alive).  Add a dedicated test to check this issue.

Formatting of blockers are slightly improved.

Audit timestamps are no longer exported but dedicated Landlock
timestamps are use instead for domain creation.

The new landlock_restrict_self()'s flag is renamed to
LANDLOCK_RESTRICT_SELF_QUIET.

# Design

Log records are created for any denied actions caused by a Landlock
policy, which means that a well-sandboxed applications should not log
anything except for unattended access requests that might be the result
of attacks or bugs.

However, sandbox tools creating restricted environments could lead to
abundant log entries because the sandboxed processes may not be aware of
the related restrictions.  To avoid log spam, the
landlock_restrict_self(2) syscall gets a new
LANDLOCK_RESTRICT_SELF_QUIET flag to not log denials related to this
specific domain.  Except for well-understood exceptions, this flag
should not be set.  Indeed, applications sandboxing themselves should
only try to bypass their own sandbox if they are compromised, which
should ring a bell thanks to log events.

When an action is denied, the related Landlock domain ID is specified.
If this domain was not previously described in a log record, one is
created.  This record contains the domain ID, its creation time, and
informations about the process that enforced the restriction (at the
time of the call to landlock_restrict_self): PID, UID, executable path,
and name (comm).

This new approach also brings building blocks for an upcoming
unprivileged introspection interface.  The unique Landlock IDs will be
useful to tie audit log entries to running processes, and to get
properties of the related Landlock domains.  This will replace the
previously logged ruleset properties.

# Samples

Here are two examples of log events (see serial numbers):

$ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1

  type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
  type=LANDLOCK_DOM_INFO msg=audit(1729738800.268:30): domain=1a6fdc66f creation=1729738800.264 pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"UID="root"
  type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=62 success=no exit=-1 [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
  type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
  type=LANDLOCK_DOM_DROP msg=audit(1729738800.324:31): domain=1a6fdc66f denials=1

$ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo > /etc/passwd"

  type=LANDLOCK_DENY msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
  type=LANDLOCK_DOM_INFO msg=audit(1729738800.221:33): domain=1a6fdc679 creation=1729738800.217 pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"UID="root"
  type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
  type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
  type=LANDLOCK_DENY msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
  type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
  type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
  type=LANDLOCK_DOM_DROP msg=audit(1729738800.261:35): domain=1a6fdc679 denials=2

# Future changes

I'll add more tests to check each kind of denied access.

We might want to add new audit rule types to filter according to other
domain properties (e.g. UID, AUID, session ID), but
AUDIT_EXE_LANDLOCK_DENY should be enough to mute buggy programs before
fixing them.

# Previous versions

v3: https://lore.kernel.org/r/20241122143353.59367-1-mic@digikod.net
v2: https://lore.kernel.org/r/20241022161009.982584-1-mic@digikod.net
v1: https://lore.kernel.org/r/20230921061641.273654-1-mic@digikod.net

Regards,

Mickaël Salaün (30):
  lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are
    set
  lsm: Add audit_log_lsm_data() helper
  landlock: Factor out check_access_path()
  landlock: Add unique ID generator
  landlock: Move access types
  landlock: Simplify initially denied access rights
  landlock: Move domain hierarchy management and export helpers
  landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials
  landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties
  landlock: Log mount-related denials
  landlock: Align partial refer access checks with final ones
  selftests/landlock: Add test to check partial access in a mount tree
  landlock: Optimize file path walks and prepare for audit support
  landlock: Log file-related denials
  landlock: Log truncate and IOCTL denials
  landlock: Log TCP bind and connect denials
  landlock: Log scoped denials
  landlock: Control log events with LANDLOCK_RESTRICT_SELF_QUIET
  samples/landlock: Do not log denials from the sandboxer by default
  selftests/landlock: Fix error message
  selftests/landlock: Add wrappers.h
  selftests/landlock: Add layout1.umount_sandboxer tests
  selftests/landlock: Extend tests for landlock_restrict_self()'s flags
  selftests/landlock: Add tests for audit and
    LANDLOCK_RESTRICT_SELF_QUIET
  selftests/landlock: Add audit tests for ptrace
  landlock: Export and rename landlock_get_inode_object()
  fs: Add iput() cleanup helper
  audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type
  selftests/landlock: Test audit rule with AUDIT_EXE_LANDLOCK_DOM
  selftests/landlock: Test compatibility with audit rule lists

 Documentation/userspace-api/landlock.rst      |   2 +-
 MAINTAINERS                                   |   1 +
 include/linux/audit.h                         |  11 +
 include/linux/fs.h                            |   6 +-
 include/linux/landlock.h                      |  41 ++
 include/linux/lsm_audit.h                     |  22 +
 include/uapi/linux/audit.h                    |   6 +-
 include/uapi/linux/landlock.h                 |  14 +
 kernel/audit.c                                |   4 +-
 kernel/audit.h                                |   5 +-
 kernel/auditfilter.c                          |  30 +-
 kernel/auditsc.c                              |  31 ++
 samples/landlock/sandboxer.c                  |  35 +-
 security/Kconfig                              |   5 +
 security/Makefile                             |   2 +-
 security/landlock/.kunitconfig                |   2 +
 security/landlock/Makefile                    |  15 +-
 security/landlock/access.h                    | 100 ++++
 security/landlock/audit.c                     | 510 ++++++++++++++++++
 security/landlock/audit.h                     |  76 +++
 security/landlock/domain.c                    | 339 ++++++++++++
 security/landlock/domain.h                    | 145 +++++
 security/landlock/fs.c                        | 305 ++++++++---
 security/landlock/fs.h                        |  12 +
 security/landlock/id.c                        | 249 +++++++++
 security/landlock/id.h                        |  25 +
 security/landlock/net.c                       |  51 +-
 security/landlock/object.h                    |   4 +-
 security/landlock/ruleset.c                   |  38 +-
 security/landlock/ruleset.h                   |  95 ++--
 security/landlock/setup.c                     |   2 +
 security/landlock/syscalls.c                  |  28 +-
 security/landlock/task.c                      | 152 +++++-
 security/lsm_audit.c                          |  27 +-
 tools/testing/kunit/configs/all_tests.config  |   2 +
 tools/testing/selftests/landlock/Makefile     |   2 +-
 tools/testing/selftests/landlock/audit.h      | 371 +++++++++++++
 tools/testing/selftests/landlock/audit_test.c | 389 +++++++++++++
 tools/testing/selftests/landlock/base_test.c  |  19 +-
 tools/testing/selftests/landlock/common.h     |  40 +-
 tools/testing/selftests/landlock/config       |   1 +
 tools/testing/selftests/landlock/fs_test.c    | 151 +++++-
 .../testing/selftests/landlock/ptrace_test.c  |  67 ++-
 .../selftests/landlock/sandbox-and-launch.c   |  82 +++
 tools/testing/selftests/landlock/wait-pipe.c  |  70 +++
 tools/testing/selftests/landlock/wrappers.h   |  47 ++
 46 files changed, 3360 insertions(+), 271 deletions(-)
 create mode 100644 include/linux/landlock.h
 create mode 100644 security/landlock/access.h
 create mode 100644 security/landlock/audit.c
 create mode 100644 security/landlock/audit.h
 create mode 100644 security/landlock/domain.c
 create mode 100644 security/landlock/domain.h
 create mode 100644 security/landlock/id.c
 create mode 100644 security/landlock/id.h
 create mode 100644 tools/testing/selftests/landlock/audit.h
 create mode 100644 tools/testing/selftests/landlock/audit_test.c
 create mode 100644 tools/testing/selftests/landlock/sandbox-and-launch.c
 create mode 100644 tools/testing/selftests/landlock/wait-pipe.c
 create mode 100644 tools/testing/selftests/landlock/wrappers.h


base-commit: 9d89551994a430b50c4fffcb1e617a057fa76e20
-- 
2.47.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ