Hi Mickaël

On Wed, Sep 20, 2023 at 11:16 PM Mickaël Salaün <[email protected]> wrote:
>
> Hi,
>
> This patch series adds basic audit support to Landlock for most actions.
> Logging denied requests is useful for different use cases:
> * app developers: to ease and speed up sandboxing support
> * power users: to understand denials
> * sysadmins: to look for users' issues
> * tailored distro maintainers: to get usage metrics from their fleet
> * security experts: to detect attack attempts
>

This is a highly desired feature; I think this will save devs' time when
developing Landlock rule sets. Thanks for adding this patch set!

-Jeff

> To make logs useful, they need to contain the most relevant Landlock
> domain that denied an action, and the reason. This translates to the
> latest nested domain and the related missing access rights.
>
> Two "Landlock permissions" are used to describe mandatory restrictions
> enforced on all domains:
> * fs_layout: change the view of filesystem with mount operations.
> * ptrace: tamper with a process.
>
> Here is an example of logs, result of the sandboxer activity:
> tid=267 comm="sandboxer" op=create-ruleset ruleset=1
> handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate
> tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0
> op=release-ruleset ruleset=1
> tid=267 comm="bash" domain=2 op=open errno=13
> missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty"
> dev="devtmpfs" ino=9
> tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir
> missing-permission= path="/" dev="vda2" ino=256
> tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg
> missing-permission= path="/" dev="vda2" ino=256
> tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses=
> missing-permission=fs_layout name="/" dev="tmpfs" ino=1
> tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses=
> missing-permission=ptrace opid=1 ocomm="systemd"
>
> As highlighted in comments, support for audit is not complete yet with
> this series: some actions are not logged (e.g. file reparenting), and
> rule additions are not logged either.
>
> I'm also not sure if we need to have seccomp-like features such as
> SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and
> /proc/sys/kernel/seccomp/actions_logged
>
> I'd like to get some early feedback on this proposal.
>
> This series is based on v6.6-rc2
>
> Regards,
>
> Mickaël Salaün (7):
>   lsm: Add audit_log_lsm_data() helper
>   landlock: Factor out check_access_path()
>   landlock: Log ruleset creation and release
>   landlock: Log domain creation and enforcement
>   landlock: Log file-related requests
>   landlock: Log mount-related requests
>   landlock: Log ptrace requests
>
>  include/linux/lsm_audit.h    |   2 +
>  include/uapi/linux/audit.h   |   1 +
>  security/landlock/Makefile   |   2 +
>  security/landlock/audit.c    | 283 +++++++++++++++++++++++++++++++++++
>  security/landlock/audit.h    |  88 +++++++++++
>  security/landlock/fs.c       | 169 ++++++++++++++++-----
>  security/landlock/ptrace.c   |  47 +++++-
>  security/landlock/ruleset.c  |   6 +
>  security/landlock/ruleset.h  |  10 ++
>  security/landlock/syscalls.c |  12 ++
>  security/lsm_audit.c         |  26 ++--
>  11 files changed, 595 insertions(+), 51 deletions(-)
>  create mode 100644 security/landlock/audit.c
>  create mode 100644 security/landlock/audit.h
>
>
> base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70
> --
> 2.42.0
>
