Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

landlock: Log mount-related denials 

Add audit support for sb_mount, move_mount, sb_umount, sb_remount, and
sb_pivot_root hooks.

The new related blocker is "fs.change_topology".

Audit event sample:

  type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.change_topology name="/" dev="tmpfs" ino=1

Remove landlock_get_applicable_domain() and get_current_fs_domain()
which are now fully replaced with landlock_get_applicable_subject().

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-12-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
This commit is contained in:
Mickaël Salaün 2025-03-20 20:07:00 +01:00
parent 1d636984e0
commit c56f649646
No known key found for this signature in database
GPG Key ID: E5E3D0E88C82F6D2
4 changed files with 74 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
security/landlock/audit.c
View File

@ -21,6 +21,9 @@ static const char *get_blocker(const enum landlock_request_type type)
switch (type) { switch (type) {
case LANDLOCK_REQUEST_PTRACE: case LANDLOCK_REQUEST_PTRACE:
return "ptrace"; return "ptrace";
case LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY:
return "fs.change_topology";
} }
WARN_ON_ONCE(1); WARN_ON_ONCE(1);

1
security/landlock/audit.h
View File

@ -15,6 +15,7 @@
enum landlock_request_type { enum landlock_request_type {
LANDLOCK_REQUEST_PTRACE = 1, LANDLOCK_REQUEST_PTRACE = 1,
LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
}; };
/* /*

81
security/landlock/fs.c
View File

@ -23,6 +23,7 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/limits.h> #include <linux/limits.h>
#include <linux/list.h> #include <linux/list.h>
#include <linux/lsm_audit.h>
#include <linux/lsm_hooks.h> #include <linux/lsm_hooks.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/namei.h> #include <linux/namei.h>
@ -39,6 +40,7 @@
#include <uapi/linux/landlock.h> #include <uapi/linux/landlock.h>
#include "access.h" #include "access.h"
#include "audit.h"
#include "common.h" #include "common.h"
#include "cred.h" #include "cred.h"
#include "fs.h" #include "fs.h"
@ -395,12 +397,6 @@ static const struct access_masks any_fs = {
.fs = ~0, .fs = ~0,
}; };
static const struct landlock_ruleset *get_current_fs_domain(void)
{
return landlock_get_applicable_domain(landlock_get_current_domain(),
any_fs);
}
/* /*
* Check that a destination file hierarchy has more restrictions than a source * Check that a destination file hierarchy has more restrictions than a source
* file hierarchy. This is only used for link and rename actions. * file hierarchy. This is only used for link and rename actions.
@ -1335,6 +1331,34 @@ static void hook_sb_delete(struct super_block *const sb)
!atomic_long_read(&landlock_superblock(sb)->inode_refs)); !atomic_long_read(&landlock_superblock(sb)->inode_refs));
} }
static void
log_fs_change_topology_path(const struct landlock_cred_security *const subject,
size_t handle_layer, const struct path *const path)
{
landlock_log_denial(subject, &(struct landlock_request) {
.type = LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
.audit = {
.type = LSM_AUDIT_DATA_PATH,
.u.path = *path,
},
.layer_plus_one = handle_layer + 1,
});
}
static void log_fs_change_topology_dentry(
const struct landlock_cred_security *const subject, size_t handle_layer,
struct dentry *const dentry)
{
landlock_log_denial(subject, &(struct landlock_request) {
.type = LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
.audit = {
.type = LSM_AUDIT_DATA_DENTRY,
.u.dentry = dentry,
},
.layer_plus_one = handle_layer + 1,
});
}
/* /*
* Because a Landlock security policy is defined according to the filesystem * Because a Landlock security policy is defined according to the filesystem
* topology (i.e. the mount namespace), changing it may grant access to files * topology (i.e. the mount namespace), changing it may grant access to files
@ -1357,16 +1381,30 @@ static int hook_sb_mount(const char *const dev_name,
const struct path *const path, const char *const type, const struct path *const path, const char *const type,
const unsigned long flags, void *const data) const unsigned long flags, void *const data)
{ {
if (!get_current_fs_domain()) size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), any_fs,
&handle_layer);
if (!subject)
return 0; return 0;
log_fs_change_topology_path(subject, handle_layer, path);
return -EPERM; return -EPERM;
} }
static int hook_move_mount(const struct path *const from_path, static int hook_move_mount(const struct path *const from_path,
const struct path *const to_path) const struct path *const to_path)
{ {
if (!get_current_fs_domain()) size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), any_fs,
&handle_layer);
if (!subject)
return 0; return 0;
log_fs_change_topology_path(subject, handle_layer, to_path);
return -EPERM; return -EPERM;
} }
@ -1376,15 +1414,29 @@ static int hook_move_mount(const struct path *const from_path,
*/ */
static int hook_sb_umount(struct vfsmount *const mnt, const int flags) static int hook_sb_umount(struct vfsmount *const mnt, const int flags)
{ {
if (!get_current_fs_domain()) size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), any_fs,
&handle_layer);
if (!subject)
return 0; return 0;
log_fs_change_topology_dentry(subject, handle_layer, mnt->mnt_root);
return -EPERM; return -EPERM;
} }
static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts) static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts)
{ {
if (!get_current_fs_domain()) size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), any_fs,
&handle_layer);
if (!subject)
return 0; return 0;
log_fs_change_topology_dentry(subject, handle_layer, sb->s_root);
return -EPERM; return -EPERM;
} }
@ -1399,8 +1451,15 @@ static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts)
static int hook_sb_pivotroot(const struct path *const old_path, static int hook_sb_pivotroot(const struct path *const old_path,
const struct path *const new_path) const struct path *const new_path)
{ {
if (!get_current_fs_domain()) size_t handle_layer;
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), any_fs,
&handle_layer);
if (!subject)
return 0; return 0;
log_fs_change_topology_path(subject, handle_layer, new_path);
return -EPERM; return -EPERM;
} }

30
security/landlock/ruleset.h
View File

@ -243,36 +243,6 @@ landlock_union_access_masks(const struct landlock_ruleset *const domain)
return matches.masks; return matches.masks;
} }
/**
* landlock_get_applicable_domain - Return @domain if it applies to (handles)
* at least one of the access rights specified
* in @masks
*
* @domain: Landlock ruleset (used as a domain)
* @masks: access masks
*
* Returns: @domain if any access rights specified in @masks is handled, or
* NULL otherwise.
*/
static inline const struct landlock_ruleset *
landlock_get_applicable_domain(const struct landlock_ruleset *const domain,
const struct access_masks masks)
{
const union access_masks_all masks_all = {
.masks = masks,
};
union access_masks_all merge = {};
if (!domain)
return NULL;
merge.masks = landlock_union_access_masks(domain);
if (merge.all & masks_all.all)
return domain;
return NULL;
}
static inline void static inline void
landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
const access_mask_t fs_access_mask, const access_mask_t fs_access_mask,