lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250116.tie4PhauzooC@digikod.net>
Date: Thu, 16 Jan 2025 11:57:17 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Paul Moore <paul@...l-moore.com>
Cc: Eric Paris <eparis@...hat.com>, 
	Günther Noack <gnoack@...gle.com>, "Serge E . Hallyn" <serge@...lyn.com>, 
	Ben Scarlato <akhna@...gle.com>, Casey Schaufler <casey@...aufler-ca.com>, 
	Charles Zaffery <czaffery@...lox.com>, Daniel Burgener <dburgener@...ux.microsoft.com>, 
	Francis Laniel <flaniel@...ux.microsoft.com>, James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com>, 
	Jeff Xu <jeffxu@...gle.com>, Jorge Lucangeli Obes <jorgelo@...gle.com>, 
	Kees Cook <kees@...nel.org>, Konstantin Meskhidze <konstantin.meskhidze@...wei.com>, 
	Matt Bobrowski <mattbobrowski@...gle.com>, Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>, 
	Phil Sutter <phil@....cc>, Praveen K Paladugu <prapal@...ux.microsoft.com>, 
	Robert Salvet <robert.salvet@...lox.com>, Shervin Oloumi <enlightened@...gle.com>, 
	Song Liu <song@...nel.org>, Tahera Fahimi <fahimitahera@...il.com>, 
	Tyler Hicks <code@...icks.com>, audit@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY
 rule  type

On Wed, Jan 15, 2025 at 06:53:08PM -0500, Paul Moore wrote:
> On Jan  8, 2025 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@...ikod.net> wrote:
> > 
> > Landlock manages a set of standalone security policies, which can be
> > loaded by any process.  Because a sandbox policy may contain errors and
> > can lead to log spam, we need a way to exclude some of them.  It is
> > simple and it makes sense to identify Landlock domains (i.e. security
> > policies) per binary path that loaded such policy.
> > 
> > Add a new AUDIT_EXE_LANDLOCK_DENY rule type to enables system
> > administrator to filter logs according to the origin or the security
> > policy responsible for a denial.
> 
> For reasons similar to why I didn't want to expose the audit timestamp
> to users outside of audit, I'm not very enthusiastic about expanding
> the audit filtering code at this point in time.
> 
> I'm not saying "no" exactly, just "not right now".

Contrary to MAC systems which are configured and tuned by one entity
(e.g. the sysadmin), Landlock security policies can be configured by a
lot of different entities (e.g. sysadmin, app developers, users).  One
noisy policy (e.g. a buggy sandboxed tar called in a loop by maintenance
scripts) could easily flood the audit logs without the ability for
sysadmins to filter such policy.  They will only be able to filter all
users that *may* trigger such log (by executing the buggy sandboxed
app), which would mean almost all users, which would mask all other
legitimate Landlock events, then nullifying the entire audit support for
Landlock.

My plan was to extend these new kind of filter types to PID, UID, GID,
and LOGINUID (a subset of the audit filter exclude list) to give the
necessary flexibility to filter policy creators.

We really need a way to filter policy creators, and that needs to be
part of the (initial) Landlock audit support for it to be viable.
What do you propose?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ