<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in Makefile</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator><item>
        <title>33e65b0d - landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#33e65b0d</link>
        <description>landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials

Add a new AUDIT_LANDLOCK_ACCESS record type dedicated to an access request denied by a Landlock domain.  AUDIT_LANDLOCK_ACCESS indicates that something unexpected happened.

For now, only denied accesses are logged, which means that any AUDIT_LANDLOCK_ACCESS record is always followed by a SYSCALL record with &quot;success=no&quot;.  However, log parsers should check this syscall property because this is the only sign that a request was denied.  Indeed, we could have &quot;success=yes&quot; if Landlock would support a &quot;permissive&quot; mode.  We could also add a new field to AUDIT_LANDLOCK_DOMAIN for this mode (see following commit).

By default, the only logged access requests are those coming from the same executed program that enforced the Landlock restriction on itself.  In other words, no audit records are created for a task after it called execve(2).  This is required to avoid log spam because programs may only be aware of their own restrictions, but not the inherited ones.  Following commits will make it possible to conditionally generate AUDIT_LANDLOCK_ACCESS records according to dedicated landlock_restrict_self(2)&apos;s flags.

The AUDIT_LANDLOCK_ACCESS message contains:
- the &quot;domain&quot; ID restricting the action on an object,
- the &quot;blockers&quot; that are missing to allow the requested access,
- a set of fields identifying the related object (e.g. task identified with &quot;opid&quot; and &quot;ocomm&quot;).

The blockers are implicit restrictions (e.g. ptrace), or explicit access rights (e.g. filesystem), or explicit scopes (e.g. signal).  This field contains a list of at least one element, each separated with a comma.  The initial blocker is &quot;ptrace&quot;, which describes all implicit Landlock restrictions related to ptrace (e.g. deny tracing of tasks outside a sandbox).

Add audit support to ptrace_access_check and ptrace_traceme hooks.  For the ptrace_access_check case, we log the current/parent domain and the child task.  For the ptrace_traceme case, we log the parent domain and the current/child task.  Indeed, the requester and the target are the current task, but the action would be performed by the parent task.

Audit event sample:

  type=LANDLOCK_ACCESS msg=audit(1729738800.349:44): domain=195ba459b blockers=ptrace opid=1 ocomm=&quot;systemd&quot;
  type=SYSCALL msg=audit(1729738800.349:44): arch=c000003e syscall=101 success=no [...] pid=300 auid=0

A following commit adds user documentation.

Add KUnit tests to check reading of domain ID relative to layer level.

The quick return for non-landlocked tasks is moved from task_ptrace() to each LSM hook.

It is not useful to inline the audit_enabled check because other computations are performed by landlock_log_denial().

Use scoped guards for RCU read-side critical sections.

Cc: G&#252;nther Noack &lt;gnoack@google.com&gt;
Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;
Link: https://lore.kernel.org/r/20250320190717.2287696-10-mic@digikod.net
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 20 Mar 2025 19:06:58 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;</dc:creator>
    </item>
<item>
        <title>d9d2a68e - landlock: Add unique ID generator</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#d9d2a68e</link>
        <description>landlock: Add unique ID generator

Landlock IDs can be generated to uniquely identify Landlock objects.  For now, only Landlock domains get an ID at creation time.  These IDs map to immutable domain hierarchies.

Landlock IDs have important properties:
- They are unique during the lifetime of the running system thanks to the 64-bit values: at worst, 2^60 - 2*2^32 useful IDs.
- They are always greater than 2^32 and must then be stored in 64-bit integer types.
- The initial ID (at boot time) is randomly picked between 2^32 and 2^33, which limits collisions in logs across different boots.
- IDs are sequential, which enables users to order them.
- IDs may not be consecutive but increase with a random 2^4 step, which limits side channels.

Such IDs can be exposed to unprivileged processes, even if it is not the case with this audit patch series.  The domain IDs will be useful for user space to identify sandboxes and get their properties.

These Landlock IDs are more secure than other absolute kernel IDs such as pipe&apos;s inodes which rely on a shared global counter.

For checkpoint/restore features (i.e. CRIU), we could easily implement a privileged interface (e.g. sysfs) to set the next ID counter.

IDR/IDA are not used because we only need a bijection from Landlock objects to Landlock IDs, and we must not recycle IDs.  This enables us to identify all Landlock objects during the lifetime of the system (e.g. in logs), but not to access an object from an ID nor know if an ID is assigned.  Using a counter is simpler, it scales (i.e. avoids growing memory footprint), and it does not require locking.  We&apos;ll use proper file descriptors (with IDs used as inode numbers) to access Landlock objects.

Cc: G&#252;nther Noack &lt;gnoack@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Link: https://lore.kernel.org/r/20250320190717.2287696-3-mic@digikod.net
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 20 Mar 2025 19:06:51 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;</dc:creator>
    </item>
<item>
        <title>e3e37fe0 - landlock: Rename &quot;ptrace&quot; files to &quot;task&quot;</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#e3e37fe0</link>
        <description>landlock: Rename &quot;ptrace&quot; files to &quot;task&quot;

ptrace.[ch] are currently only used for the ptrace LSM hooks but their scope will expand with IPCs and audit support.  Rename ptrace.[ch] to task.[ch], which better reflects their content.  Similarly, rename landlock_add_ptrace_hooks() to landlock_add_task_hooks().  Keep header files for now.

Cc: G&#252;nther Noack &lt;gnoack@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Link: https://lore.kernel.org/r/20240307093923.1466071-2-mic@digikod.net
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 07 Mar 2024 09:39:23 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;</dc:creator>
    </item>
<item>
        <title>fff69fb0 - landlock: Support network rules with TCP bind and connect</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#fff69fb0</link>
        <description>landlock: Support network rules with TCP bind and connect

Add network rules support in the ruleset management helpers and the landlock_create_ruleset() syscall.  Extend user space API to support network actions:
* Add new network access rights: LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP.
* Add a new network rule type: LANDLOCK_RULE_NET_PORT tied to struct landlock_net_port_attr.  The allowed_access field contains the network access rights, and the port field contains the port value according to the controlled protocol.  This field can take up to a 64-bit value but the maximum value depends on the related protocol (e.g. 16-bit value for TCP).  Network port is in host endianness [1].
* Add a new handled_access_net field to struct landlock_ruleset_attr that contains network access rights.
* Increment the Landlock ABI version to 4.

Implement socket_bind() and socket_connect() LSM hooks, which make it possible to control TCP socket binding and connection to specific ports.

Expand access_masks_t from u16 to u32 to be able to store network access rights alongside filesystem access rights for rulesets&apos; handled access rights.

Access rights are not tied to socket file descriptors but checked at bind() or connect() call time against the caller&apos;s Landlock domain.  For the filesystem, a file descriptor is a direct access to a file/data.  However, for network sockets, we cannot identify which data or peer a newly created socket will give access to.  Indeed, we need to wait for a connect or bind request to identify the use case for this socket.  Likewise, a directory file descriptor may make it possible to open another file (i.e. a new data item), but this opening is also restricted by the caller&apos;s domain, not the file descriptor&apos;s access rights [2].

[1] https://lore.kernel.org/r/278ab07f-7583-a4e0-3d37-1bacd091531d@digikod.net
[2] https://lore.kernel.org/r/263c1eb3-602f-57fe-8450-3f138581bee7@digikod.net

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-9-konstantin.meskhidze@huawei.com
[mic: Extend commit message, fix typo in comments, and specify endianness in the documentation]
Co-developed-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 26 Oct 2023 01:47:47 +0000</pubDate>
        <dc:creator>Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;</dc:creator>
    </item>
<item>
        <title>265885da - landlock: Add syscall implementations</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#265885da</link>
        <description>landlock: Add syscall implementations

These 3 system calls are designed to be used by unprivileged processes to sandbox themselves:
* landlock_create_ruleset(2): Creates a ruleset and returns its file descriptor.
* landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a ruleset, identified by the dedicated file descriptor.
* landlock_restrict_self(2): Enforces a ruleset on the calling thread and its future children (similar to seccomp).  This syscall has the same usage restrictions as seccomp(2): the caller must have the no_new_privs attribute set or have CAP_SYS_ADMIN in the current user namespace.

All these syscalls have a &quot;flags&quot; argument (not currently used) to enable extensibility.

Here are the motivations for these new syscalls:
* A sandboxed process may not have access to file systems, including /dev, /sys or /proc, but it should still be able to add more restrictions to itself.
* Neither prctl(2) nor seccomp(2) (which was used in a previous version) fit well with the current definition of a Landlock security policy.

All passed structs (attributes) are checked at build time to ensure that they don&apos;t contain holes and that they are aligned the same way for each architecture.

See the user and kernel documentation for more details (provided by a following commit):
* Documentation/userspace-api/landlock.rst
* Documentation/security/landlock.rst

Cc: Arnd Bergmann &lt;arnd@arndb.de&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Acked-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-9-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 22 Apr 2021 15:41:18 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>cb2c7d1a - landlock: Support filesystem access-control</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#cb2c7d1a</link>
        <description>landlock: Support filesystem access-control

Using Landlock objects and rulesets, it is possible to tag inodes according to a process&apos;s domain.  To enable an unprivileged process to express a file hierarchy, it first needs to open a directory (or a file) and pass this file descriptor to the kernel through landlock_add_rule(2).  When checking if a file access request is allowed, we walk from the requested dentry to the real root, following the different mount layers.  The accesses to each &quot;tagged&quot; inode are collected according to their rule layer level, and ANDed to create access to the requested file hierarchy.  This makes it possible to identify a lot of files without tagging every inode nor modifying the filesystem, while still following the view and understanding the user has from the filesystem.

Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not keep the same struct inodes for the same inodes whereas these inodes are in use.

This commit adds a minimal set of supported filesystem access-control which doesn&apos;t make it possible to restrict all file-related actions.  This is the result of multiple discussions to minimize the code of Landlock to ease review.  Thanks to the Landlock design, extending this access-control without breaking user space will not be a problem.  Moreover, seccomp filters can be used to restrict the use of syscall families which may not be currently handled by Landlock.

Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Anton Ivanov &lt;anton.ivanov@cambridgegreys.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Jeff Dike &lt;jdike@addtoit.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Richard Weinberger &lt;richard@nod.at&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-8-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 22 Apr 2021 15:41:17 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>afe81f75 - landlock: Add ptrace restrictions</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#afe81f75</link>
        <description>landlock: Add ptrace restrictions

Using ptrace(2) and related debug features on a target process can lead to a privilege escalation.  Indeed, ptrace(2) can be used by an attacker to impersonate another task and to remain undetected while performing malicious activities.  Thanks to ptrace_may_access(), various parts of the kernel can check if a tracer is more privileged than a tracee.

A landlocked process has fewer privileges than a non-landlocked process and must then be subject to additional restrictions when manipulating processes.  To be allowed to use ptrace(2) and related syscalls on a target process, a landlocked process must have a subset of the target process&apos;s rules (i.e. the tracee must be in a sub-domain of the tracer).

Cc: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Reviewed-by: Jann Horn &lt;jannh@google.com&gt;
Acked-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-5-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 22 Apr 2021 15:41:14 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>385975dc - landlock: Set up the security framework and manage credentials</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#385975dc</link>
        <description>landlock: Set up the security framework and manage credentials

Process&apos;s credentials point to a Landlock domain, which is underneath implemented with a ruleset.  In the following commits, this domain is used to check and enforce the ptrace and filesystem security policies.  A domain is inherited from a parent to its child the same way a thread inherits a seccomp policy.

Cc: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Reviewed-by: Jann Horn &lt;jannh@google.com&gt;
Acked-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-4-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 22 Apr 2021 15:41:13 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>ae271c1b - landlock: Add ruleset and domain management</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#ae271c1b</link>
        <description>landlock: Add ruleset and domain management

A Landlock ruleset is mainly a red-black tree with Landlock rules as nodes.  This enables quick update and lookup to match a requested access, e.g. to a file.  A ruleset is usable through a dedicated file descriptor (cf. following commit implementing syscalls) which enables a process to create and populate a ruleset with new rules.

A domain is a ruleset tied to a set of processes.  This group of rules defines the security policy enforced on these processes and their future children.  A domain can transition to a new domain which is the intersection of all its constraints and those of a ruleset provided by the current process.  This modification only impacts the current process.  This means that a process can only gain more constraints (i.e. lose accesses) over time.

Cc: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Acked-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Jann Horn &lt;jannh@google.com&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-3-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 22 Apr 2021 15:41:12 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>90945448 - landlock: Add object management</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Makefile#90945448</link>
        <description>landlock: Add object management

A Landlock object makes it possible to identify a kernel object (e.g. an inode).  A Landlock rule is a set of access rights allowed on an object.  Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain).

Because Landlock&apos;s goal is to empower any process (especially unprivileged ones) to sandbox themselves, we cannot rely on a system-wide object identification such as file extended attributes.  Indeed, we need innocuous, composable and modular access-controls.

The main challenge with these constraints is to identify kernel objects while this identification is useful (i.e. when a security policy makes use of this object).  But this identification data should be freed once no policy is using it.  This ephemeral tagging should not and may not be written in the filesystem.  We then need to manage the lifetime of a rule according to the lifetime of its objects.  To avoid a global lock, this implementation makes use of RCU and counters to safely reference objects.

A following commit uses this generic object management for inodes.

Cc: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Reviewed-by: Jann Horn &lt;jannh@google.com&gt;
Acked-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-2-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Makefile</description>
        <pubDate>Thu, 22 Apr 2021 15:41:11 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
</channel>
</rss>
