landlock: Log mount-related denials (c56f6496) · Commits · git / linux-net

security/landlock/audit.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -21,6 +21,9 @@ static const char *get_blocker(const enum landlock_request_type type)
		switch (type) {
		case LANDLOCK_REQUEST_PTRACE:
		return "ptrace";

		case LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY:
		return "fs.change_topology";
		}

		WARN_ON_ONCE(1);

security/landlock/audit.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -15,6 +15,7 @@

		enum landlock_request_type {
		LANDLOCK_REQUEST_PTRACE = 1,
		LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
		};

		/*

security/landlock/fs.c

+70 −11

Original line number	Diff line number	Diff line
		@@ -23,6 +23,7 @@
		#include <linux/kernel.h>
		#include <linux/limits.h>
		#include <linux/list.h>
		#include <linux/lsm_audit.h>
		#include <linux/lsm_hooks.h>
		#include <linux/mount.h>
		#include <linux/namei.h>
		@@ -39,6 +40,7 @@
		#include <uapi/linux/landlock.h>

		#include "access.h"
		#include "audit.h"
		#include "common.h"
		#include "cred.h"
		#include "fs.h"
		@@ -395,12 +397,6 @@ static const struct access_masks any_fs = {
		.fs = ~0,
		};

		static const struct landlock_ruleset *get_current_fs_domain(void)
		{
		return landlock_get_applicable_domain(landlock_get_current_domain(),
		any_fs);
		}

		/*
		* Check that a destination file hierarchy has more restrictions than a source
		* file hierarchy. This is only used for link and rename actions.
		@@ -1335,6 +1331,34 @@ static void hook_sb_delete(struct super_block *const sb)
		!atomic_long_read(&landlock_superblock(sb)->inode_refs));
		}

		static void
		log_fs_change_topology_path(const struct landlock_cred_security *const subject,
		size_t handle_layer, const struct path *const path)
		{
		landlock_log_denial(subject, &(struct landlock_request) {
		.type = LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
		.audit = {
		.type = LSM_AUDIT_DATA_PATH,
		.u.path = *path,
		},
		.layer_plus_one = handle_layer + 1,
		});
		}

		static void log_fs_change_topology_dentry(
		const struct landlock_cred_security *const subject, size_t handle_layer,
		struct dentry *const dentry)
		{
		landlock_log_denial(subject, &(struct landlock_request) {
		.type = LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
		.audit = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
		},
		.layer_plus_one = handle_layer + 1,
		});
		}

		/*
		* Because a Landlock security policy is defined according to the filesystem
		* topology (i.e. the mount namespace), changing it may grant access to files
		@@ -1357,16 +1381,30 @@ static int hook_sb_mount(const char *const dev_name,
		const struct path const path, const char const type,
		const unsigned long flags, void *const data)
		{
		if (!get_current_fs_domain())
		size_t handle_layer;
		const struct landlock_cred_security *const subject =
		landlock_get_applicable_subject(current_cred(), any_fs,
		&handle_layer);

		if (!subject)
		return 0;

		log_fs_change_topology_path(subject, handle_layer, path);
		return -EPERM;
		}

		static int hook_move_mount(const struct path *const from_path,
		const struct path *const to_path)
		{
		if (!get_current_fs_domain())
		size_t handle_layer;
		const struct landlock_cred_security *const subject =
		landlock_get_applicable_subject(current_cred(), any_fs,
		&handle_layer);

		if (!subject)
		return 0;

		log_fs_change_topology_path(subject, handle_layer, to_path);
		return -EPERM;
		}

		@@ -1376,15 +1414,29 @@ static int hook_move_mount(const struct path *const from_path,
		*/
		static int hook_sb_umount(struct vfsmount *const mnt, const int flags)
		{
		if (!get_current_fs_domain())
		size_t handle_layer;
		const struct landlock_cred_security *const subject =
		landlock_get_applicable_subject(current_cred(), any_fs,
		&handle_layer);

		if (!subject)
		return 0;

		log_fs_change_topology_dentry(subject, handle_layer, mnt->mnt_root);
		return -EPERM;
		}

		static int hook_sb_remount(struct super_block const sb, void const mnt_opts)
		{
		if (!get_current_fs_domain())
		size_t handle_layer;
		const struct landlock_cred_security *const subject =
		landlock_get_applicable_subject(current_cred(), any_fs,
		&handle_layer);

		if (!subject)
		return 0;

		log_fs_change_topology_dentry(subject, handle_layer, sb->s_root);
		return -EPERM;
		}

		@@ -1399,8 +1451,15 @@ static int hook_sb_remount(struct super_block const sb, void const mnt_opts)
		static int hook_sb_pivotroot(const struct path *const old_path,
		const struct path *const new_path)
		{
		if (!get_current_fs_domain())
		size_t handle_layer;
		const struct landlock_cred_security *const subject =
		landlock_get_applicable_subject(current_cred(), any_fs,
		&handle_layer);

		if (!subject)
		return 0;

		log_fs_change_topology_path(subject, handle_layer, new_path);
		return -EPERM;
		}

security/landlock/ruleset.h

+0 −30

Original line number	Diff line number	Diff line
		@@ -243,36 +243,6 @@ landlock_union_access_masks(const struct landlock_ruleset *const domain)
		return matches.masks;
		}

		/**
		* landlock_get_applicable_domain - Return @domain if it applies to (handles)
		* at least one of the access rights specified
		* in @masks
		*
		* @domain: Landlock ruleset (used as a domain)
		* @masks: access masks
		*
		* Returns: @domain if any access rights specified in @masks is handled, or
		* NULL otherwise.
		*/
		static inline const struct landlock_ruleset *
		landlock_get_applicable_domain(const struct landlock_ruleset *const domain,
		const struct access_masks masks)
		{
		const union access_masks_all masks_all = {
		.masks = masks,
		};
		union access_masks_all merge = {};

		if (!domain)
		return NULL;

		merge.masks = landlock_union_access_masks(domain);
		if (merge.all & masks_all.all)
		return domain;

		return NULL;
		}

		static inline void
		landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
		const access_mask_t fs_access_mask,