Message-ID: <20251118134639.3314803-17-ivanov.mikhail1@huawei-partners.com>
Date: Tue, 18 Nov 2025 21:46:36 +0800
From: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
To: <mic@...ikod.net>, <gnoack@...gle.com>
CC: <willemdebruijn.kernel@...il.com>, <matthieu@...fet.re>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>, <konstantin.meskhidze@...wei.com>
Subject: [RFC PATCH v4 16/19] landlock: Log socket creation denials
Add a new type in landlock_request_type related to socket access checks
auditing. Print blocker related to socket access in get_blocker() and
log socket creation denials in hook_socket_create().
Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
---
security/landlock/audit.c | 12 ++++++++++++
security/landlock/audit.h | 1 +
security/landlock/socket.c | 15 +++++++++++++++
3 files changed, 28 insertions(+)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index c52d079cdb77..c2c0e8fd38cb 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -48,6 +48,12 @@ static const char *const net_access_strings[] = {
static_assert(ARRAY_SIZE(net_access_strings) == LANDLOCK_NUM_ACCESS_NET);
+static const char *const socket_access_strings[] = {
+ [BIT_INDEX(LANDLOCK_ACCESS_SOCKET_CREATE)] = "socket.create",
+};
+
+static_assert(ARRAY_SIZE(socket_access_strings) == LANDLOCK_NUM_ACCESS_SOCKET);
+
static __attribute_const__ const char *
get_blocker(const enum landlock_request_type type,
const unsigned long access_bit)
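Review bot: The string "socket.create" in the new `socket_access_strings` table (L27) is what get_blocker() hands back for audit records, so once shipped it is presumably parsed by user-space audit tooling and cannot be renamed without breaking consumers; the table has no comment saying so. I would add one line above it, `/* Blocker names emitted in audit records; treat as stable ABI. */`, matching whatever comment the neighbouring net_access_strings table carries, if any. The static_assert at L30 already guarantees that a future LANDLOCK_ACCESS_SOCKET_* bit without a string fails to build rather than indexing past the table, which is the right way to keep the table and the rights in sync.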
@@ -71,6 +77,12 @@ get_blocker(const enum landlock_request_type type,
return "unknown";
return net_access_strings[access_bit];
+ case LANDLOCK_REQUEST_SOCKET_ACCESS:
+ if (WARN_ON_ONCE(access_bit >=
+ ARRAY_SIZE(socket_access_strings)))
+ return "unknown";
+ return socket_access_strings[access_bit];
+
case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
WARN_ON_ONCE(access_bit != -1);
return "scope.abstract_unix_socket";
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 92428b7fc4d8..b78d4503b0a5 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -19,6 +19,7 @@ enum landlock_request_type {
LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
LANDLOCK_REQUEST_FS_ACCESS,
LANDLOCK_REQUEST_NET_ACCESS,
+ LANDLOCK_REQUEST_SOCKET_ACCESS,
LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
LANDLOCK_REQUEST_SCOPE_SIGNAL,
};
diff --git a/security/landlock/socket.c b/security/landlock/socket.c
index d7e6e7b92b7a..6afd5a0ac6d7 100644
--- a/security/landlock/socket.c
+++ b/security/landlock/socket.c
@@ -10,6 +10,7 @@
#include <linux/stddef.h>
#include <net/ipv6.h>
+#include "audit.h"
#include "limits.h"
#include "ruleset.h"
#include "socket.h"
@@ -132,6 +133,11 @@ static int hook_socket_create(int family, int type, int protocol, int kern)
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), masks, NULL);
uintptr_t key;
+ struct lsm_socket_audit audit_socket = {
+ .family = family,
+ .type = type,
+ .protocol = protocol,
+ };
if (!subject)
return 0;
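Review bot: `audit_socket` at L74-78 stores `type` exactly as the hook receives it, and nothing in the hunk says whether that value can still carry SOCK_NONBLOCK/SOCK_CLOEXEC bits; if it can, the logged type would not match a plain SOCK_STREAM/SOCK_DGRAM and detection rules keyed on it would miss. In mainline the socket() path masks with SOCK_TYPE_MASK before the LSM hook runs, which is worth confirming for this series, and a comment such as `/* type is expected to be already masked with SOCK_TYPE_MASK by the caller. */` would document the assumption for readers of the audit record. Building the struct before the `!subject` early return at L79 is harmless given its size, though it could equally be initialised only on the denial path.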
@@ -169,6 +175,15 @@ static int hook_socket_create(int family, int type, int protocol, int kern)
handled_access) == 0)
return 0;
+ landlock_log_denial(subject,
+ &(struct landlock_request){
+ .type = LANDLOCK_REQUEST_SOCKET_ACCESS,
+ .audit.type = LSM_AUDIT_DATA_SOCKET,
+ .audit.u.socket = &audit_socket,
+ .access = LANDLOCK_ACCESS_SOCKET_CREATE,
+ .layer_masks = &layer_masks,
+ .layer_masks_size = ARRAY_SIZE(layer_masks),
+ });
return -EACCES;
}
--
2.34.1