[RFC PATCH v1 4/7] landlock: Log domain creation and enforcement
From: Mickaël Salaün <mic@digikod.net>
Date: 2023-09-21 19:28:23
Add audit support for domain creation, i.e. task self-restriction.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 security/landlock/audit.c    | 24 ++++++++++++++++++++++++
 security/landlock/audit.h    |  8 ++++++++
 security/landlock/syscalls.c |  4 ++++
 3 files changed, 36 insertions(+)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index f58bd529784a..d9589d07e126 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c@@ -84,6 +84,30 @@ void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset) audit_log_end(ab); } +void landlock_log_restrict_self(struct landlock_ruleset *const domain, + struct landlock_ruleset *const ruleset) +{ + struct audit_buffer *ab; + + WARN_ON_ONCE(domain->id); + WARN_ON_ONCE(!ruleset->id); + + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_LANDLOCK); + if (!ab) + /* audit_log_lost() call */ + return; + + domain->hierarchy->id = + atomic64_inc_return(&ruleset_and_domain_counter); + log_task(ab); + audit_log_format(ab, " op=restrict-self domain=%llu ruleset=%llu", + domain->hierarchy->id, ruleset->id); + audit_log_format( + ab, " parent=%llu", + domain->hierarchy->parent ? domain->hierarchy->parent->id : 0); + audit_log_end(ab); +} + /* * This is useful to know when a domain or a ruleset will never show again in * the audit log.
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 2666e9151627..bc17dc8ca6f1 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h@@ -16,6 +16,8 @@ #ifdef CONFIG_AUDIT void landlock_log_create_ruleset(struct landlock_ruleset *const ruleset); +void landlock_log_restrict_self(struct landlock_ruleset *const domain, + struct landlock_ruleset *const ruleset); void landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset); #else /* CONFIG_AUDIT */
@@ -25,6 +27,12 @@ landlock_log_create_ruleset(struct landlock_ruleset *const ruleset) { } +static inline void +landlock_log_restrict_self(struct landlock_ruleset *const domain, + struct landlock_ruleset *const ruleset) +{ +} + static inline void landlock_log_release_ruleset(const struct landlock_ruleset *const ruleset) {
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 373997a356e7..bfe5417a06c3 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c@@ -452,6 +452,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, landlock_put_ruleset(new_llcred->domain); new_llcred->domain = new_dom; + // FIXME: Must be atomic between the ruleset merge and the audit log to + // be sure about the content of the domain. + // -> move mutex_lock() from merge_ruleset() into this function + landlock_log_restrict_self(new_dom, ruleset); landlock_put_ruleset(ruleset); return commit_creds(new_cred);
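Review bot: In the audit.c hunk, landlock_log_restrict_self() allocates the domain id only after audit_log_start() has succeeded, so on the `if (!ab) return;` path the domain keeps `hierarchy->id == 0` and every later record that refers to it (the release record, or a child domain's `parent=` field) would print 0 and could not be correlated; move `domain->hierarchy->id = atomic64_inc_return(&ruleset_and_domain_counter);` above the audit_log_start() call so the id is assigned whether or not this particular record is emitted. The sanity check `WARN_ON_ONCE(domain->id);` also tests `domain->id` while the function writes `domain->hierarchy->id`; if the intent is to catch a domain being logged twice, it should check the field it actually sets.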
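Review bot: In the syscalls.c hunk, the FIXME uses `//` comments, which checkpatch flags in kernel C; switch to `/* ... */`. More importantly, the race it documents means the record emitted by landlock_log_restrict_self(new_dom, ruleset) may describe a domain whose content differs from what is actually enforced; either move the mutex_lock() out of merge_ruleset() into this function as the comment proposes before this leaves RFC, or at least spell out in the comment which domain fields can be observed stale so the size of the window can be judged.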
--
2.42.0