Unverified Commit 14f6c14e authored by Mickaël Salaün's avatar Mickaël Salaün
Browse files

landlock: Identify domain execution crossing 

Extend struct landlock_cred_security with a domain_exec bitmask to
identify which Landlock domain were created by the current task's bprm.
The whole bitmask is reset on each execve(2) call.

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-9-mic@digikod.net


Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
parent 79625f1b

security/landlock/cred.c

+23 −5
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Landlock LSM - Credential hooks

 * Landlock - Credential hooks

 *

 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>

 * Copyright © 2018-2020 ANSSI

 * Copyright © 2024-2025 Microsoft Corporation

 */



#include <linux/binfmts.h>

#include <linux/cred.h>

#include <linux/lsm_hooks.h>
@@ -17,11 +19,12 @@ 
static void hook_cred_transfer(struct cred *const new,

			       const struct cred *const old)

{

	struct landlock_ruleset *const old_dom = landlock_cred(old)->domain;

	const struct landlock_cred_security *const old_llcred =

		landlock_cred(old);



	if (old_dom) {

		landlock_get_ruleset(old_dom);

		landlock_cred(new)->domain = old_dom;

	if (old_llcred->domain) {

		landlock_get_ruleset(old_llcred->domain);

		*landlock_cred(new) = *old_llcred;

	}

}
@@ -40,10 +43,25 @@ static void hook_cred_free(struct cred *const cred) 
		landlock_put_ruleset_deferred(dom);

}



#ifdef CONFIG_AUDIT



static int hook_bprm_creds_for_exec(struct linux_binprm *const bprm)

{

	/* Resets for each execution. */

	landlock_cred(bprm->cred)->domain_exec = 0;

	return 0;

}



#endif /* CONFIG_AUDIT */



static struct security_hook_list landlock_hooks[] __ro_after_init = {

	LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),

	LSM_HOOK_INIT(cred_transfer, hook_cred_transfer),

	LSM_HOOK_INIT(cred_free, hook_cred_free),



#ifdef CONFIG_AUDIT

	LSM_HOOK_INIT(bprm_creds_for_exec, hook_bprm_creds_for_exec),

#endif /* CONFIG_AUDIT */

};



__init void landlock_add_cred_hooks(void)

security/landlock/cred.h

+31 −1
Original line number Diff line number Diff line
@@ -10,17 +10,47 @@ 
#ifndef _SECURITY_LANDLOCK_CRED_H

#define _SECURITY_LANDLOCK_CRED_H



#include <linux/container_of.h>

#include <linux/cred.h>

#include <linux/init.h>

#include <linux/rcupdate.h>



#include "access.h"

#include "limits.h"

#include "ruleset.h"

#include "setup.h"



/**

 * struct landlock_cred_security - Credential security blob

 *

 * This structure is packed to minimize the size of struct

 * landlock_file_security.  However, it is always aligned in the LSM cred blob,

 * see lsm_set_blob_size().

 */

struct landlock_cred_security {

	/**

	 * @domain: Immutable ruleset enforced on a task.

	 */

	struct landlock_ruleset *domain;

};



#ifdef CONFIG_AUDIT

	/**

	 * @domain_exec: Bitmask identifying the domain layers that were enforced by

	 * the current task's executed file (i.e. no new execve(2) since

	 * landlock_restrict_self(2)).

	 */

	u16 domain_exec;

#endif /* CONFIG_AUDIT */

} __packed;



#ifdef CONFIG_AUDIT



/* Makes sure all layer executions can be stored. */

static_assert(BITS_PER_TYPE(typeof_member(struct landlock_cred_security,

					  domain_exec)) >=

	      LANDLOCK_MAX_NUM_LAYERS);



#endif /* CONFIG_AUDIT */



static inline struct landlock_cred_security *

landlock_cred(const struct cred *cred)

security/landlock/syscalls.c

+5 −0
Original line number Diff line number Diff line
@@ -510,5 +510,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, 
	/* Replaces the old (prepared) domain. */

	landlock_put_ruleset(new_llcred->domain);

	new_llcred->domain = new_dom;



#ifdef CONFIG_AUDIT

	new_llcred->domain_exec |= 1 << (new_dom->num_layers - 1);

#endif /* CONFIG_AUDIT */



	return commit_creds(new_cred);

}