// SPDX-License-Identifier: GPL-2.0-only
/*
 * Landlock - Audit helpers
 *
 * Copyright © 2023-2025 Microsoft Corporation
 */

#include <kunit/test.h>
#include <linux/audit.h>
#include <linux/bitops.h>
#include <linux/lsm_audit.h>
#include <linux/pid.h>
#include <uapi/linux/landlock.h>

#include "access.h"
#include "audit.h"
#include "common.h"
#include "cred.h"
#include "domain.h"
#include "limits.h"
#include "ruleset.h"

/*
 * Audit names of the filesystem access rights, indexed by bit position
 * (BIT_INDEX()) so that a set bit of an access mask maps directly to its
 * "blockers=" token.  The static_assert below keeps the table in sync with
 * the number of defined FS access rights.
 */
static const char *const fs_access_strings[] = {
	[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = "fs.execute",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)] = "fs.write_file",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_READ_FILE)] = "fs.read_file",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_READ_DIR)] = "fs.read_dir",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_REMOVE_DIR)] = "fs.remove_dir",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_REMOVE_FILE)] = "fs.remove_file",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_CHAR)] = "fs.make_char",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_DIR)] = "fs.make_dir",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_REG)] = "fs.make_reg",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_SOCK)] = "fs.make_sock",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_FIFO)] = "fs.make_fifo",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_BLOCK)] = "fs.make_block",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_SYM)] = "fs.make_sym",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_REFER)] = "fs.refer",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE)] = "fs.truncate",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV)] = "fs.ioctl_dev",
	[BIT_INDEX(LANDLOCK_ACCESS_FS_RESOLVE_UNIX)] = "fs.resolve_unix",
};

static_assert(ARRAY_SIZE(fs_access_strings) == LANDLOCK_NUM_ACCESS_FS);

/* Audit names of the network access rights, indexed like fs_access_strings. */
static const char *const net_access_strings[] = {
	[BIT_INDEX(LANDLOCK_ACCESS_NET_BIND_TCP)] = "net.bind_tcp",
	[BIT_INDEX(LANDLOCK_ACCESS_NET_CONNECT_TCP)] = "net.connect_tcp",
	[BIT_INDEX(LANDLOCK_ACCESS_NET_BIND_UDP)] = "net.bind_udp",
	[BIT_INDEX(LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP)] =
		"net.connect_send_udp",
};

static_assert(ARRAY_SIZE(net_access_strings) == LANDLOCK_NUM_ACCESS_NET);

/*
 * get_blocker - Map one denied access to its "blockers=" token
 *
 * @type: Kind of request being denied.
 * @access_bit: For FS and network requests, the bit index of the denied
 *              access in the matching *_access_strings table.  For request
 *              types that carry no access mask (ptrace, topology change,
 *              scopes), callers pass -1, which becomes ULONG_MAX in this
 *              unsigned parameter; that is what the WARN_ON_ONCE() checks.
 *
 * Out-of-range indexes are reported with WARN_ON_ONCE() and logged as
 * "unknown" instead of being used to read past the tables.
 */
static __attribute_const__ const char *
get_blocker(const enum landlock_request_type type,
	    const unsigned long access_bit)
{
	switch (type) {
	case LANDLOCK_REQUEST_PTRACE:
		WARN_ON_ONCE(access_bit != -1);
		return "ptrace";

	case LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY:
		WARN_ON_ONCE(access_bit != -1);
		return "fs.change_topology";

	case LANDLOCK_REQUEST_FS_ACCESS:
		if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(fs_access_strings)))
			return "unknown";
		return fs_access_strings[access_bit];

	case LANDLOCK_REQUEST_NET_ACCESS:
		if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings)))
			return "unknown";
		return net_access_strings[access_bit];

	case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
		WARN_ON_ONCE(access_bit != -1);
		return "scope.abstract_unix_socket";

	case LANDLOCK_REQUEST_SCOPE_SIGNAL:
		WARN_ON_ONCE(access_bit != -1);
		return "scope.signal";
	}

	/* Unknown request type: still produce a well-formed record. */
	WARN_ON_ONCE(1);
	return "unknown";
}

/*
 * log_blockers - Append the "blockers=" value to an audit record
 *
 * @ab: Audit buffer already positioned after "blockers=".
 * @type: Kind of request being denied.
 * @access: Denied access bits; each set bit is logged as one comma-separated
 *          token.  When no bit is set (request types without an access
 *          mask), a single type-level token is logged instead.
 */
static void log_blockers(struct audit_buffer *const ab,
			 const enum landlock_request_type type,
			 const access_mask_t access)
{
	const unsigned long access_mask = access;
	unsigned long access_bit;
	bool is_first = true;

	for_each_set_bit(access_bit, &access_mask, BITS_PER_TYPE(access)) {
		audit_log_format(ab, "%s%s", is_first ? "" : ",",
				 get_blocker(type, access_bit));
		is_first = false;
	}
	if (is_first)
		audit_log_format(ab, "%s", get_blocker(type, -1));
}

/*
 * log_domain - Emit the "status=allocated" record for a domain, once
 *
 * @hierarchy: Domain to describe.
 *
 * The executable path and comm come from the task that created the domain
 * and are logged with audit_log_untrustedstring(), which escapes them so
 * that their bytes cannot be mistaken for other record fields.  On success
 * the domain is marked LANDLOCK_LOG_RECORDED so it is not described again.
 */
static void log_domain(struct landlock_hierarchy *const hierarchy)
{
	struct audit_buffer *ab;

	/* Ignores already logged domains. */
	if (READ_ONCE(hierarchy->log_status) == LANDLOCK_LOG_RECORDED)
		return;

	/* Uses consistent allocation flags wrt common_lsm_audit(). */
	ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
			     AUDIT_LANDLOCK_DOMAIN);
	if (!ab)
		return;

	/* A domain ID of 0 would be indistinguishable from "no domain". */
	WARN_ON_ONCE(hierarchy->id == 0);
	audit_log_format(
		ab,
		"domain=%llx status=allocated mode=enforcing pid=%d uid=%u exe=",
		hierarchy->id, pid_nr(hierarchy->details->pid),
		hierarchy->details->uid);
	audit_log_untrustedstring(ab, hierarchy->details->exe_path);
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, hierarchy->details->comm);
	audit_log_end(ab);

	/*
	 * There may be race condition leading to logging of the same domain
	 * several times but that is OK.
	 */
	WRITE_ONCE(hierarchy->log_status, LANDLOCK_LOG_RECORDED);
}

/*
 * get_hierarchy - Find the hierarchy node of a given layer
 *
 * @domain: Domain whose hierarchy is walked; domain->hierarchy is the
 *          youngest node (layer num_layers - 1).
 * @layer: Layer index, 0 being the oldest (root) layer.
 *
 * Walks num_layers - 1 - @layer parent links up from the youngest node.
 * The initial bound check also rules out num_layers == 0, so the loop
 * bound below is only computed when it is meaningful.  An out-of-range
 * @layer or a missing parent is reported with WARN_ON_ONCE() and the walk
 * stops at the node reached so far.
 */
static struct landlock_hierarchy *
get_hierarchy(const struct landlock_ruleset *const domain, const size_t layer)
{
	struct landlock_hierarchy *hierarchy = domain->hierarchy;
	ssize_t i;

	if (WARN_ON_ONCE(layer >= domain->num_layers))
		return hierarchy;

	for (i = domain->num_layers - 1; i > layer; i--) {
		if (WARN_ON_ONCE(!hierarchy->parent))
			break;

		hierarchy = hierarchy->parent;
	}

	return hierarchy;
}

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

/* Three nested layers: dom0 (root) <- dom1 <- dom2 (youngest). */
static void test_get_hierarchy(struct kunit *const test)
{
	struct landlock_hierarchy dom0_hierarchy = {
		.id = 10,
	};
	struct landlock_hierarchy dom1_hierarchy = {
		.parent = &dom0_hierarchy,
		.id = 20,
	};
	struct landlock_hierarchy dom2_hierarchy = {
		.parent = &dom1_hierarchy,
		.id = 30,
	};
	struct landlock_ruleset dom2 = {
		.hierarchy = &dom2_hierarchy,
		.num_layers = 3,
	};

	KUNIT_EXPECT_EQ(test, 10, get_hierarchy(&dom2, 0)->id);
	KUNIT_EXPECT_EQ(test, 20, get_hierarchy(&dom2, 1)->id);
	KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, 2)->id);
	/* KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, -1)->id); */
}

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

/*
 * get_denied_layer - Get the youngest layer that denied the access_request
 *
 * @domain: Domain the request was checked against.
 * @access_request: In: requested accesses.  Out: narrowed to the accesses
 *                  denied by the returned layer, or 0 if no layer matched.
 * @masks: Per-layer masks of the accesses each layer denies.
 *
 * Scans from the youngest layer to the oldest and stops at the first layer
 * whose mask intersects the request.  Returns that layer's index, or the
 * youngest layer index (num_layers - 1) when nothing matched.
 */
static size_t get_denied_layer(const struct landlock_ruleset *const domain,
			       access_mask_t *const access_request,
			       const struct layer_masks *masks)
{
	for (ssize_t i = ARRAY_SIZE(masks->layers) - 1; i >= 0; i--) {
		if (masks->layers[i].access & *access_request) {
			*access_request &= masks->layers[i].access;
			return i;
		}
	}

	/* Not found - fall back to default values */
	*access_request = 0;
	return domain->num_layers - 1;
}

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

static void test_get_denied_layer(struct kunit *const test)
{
	const struct landlock_ruleset dom = {
		.num_layers = 5,
	};
	const struct layer_masks masks = {
		.layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE |
				    LANDLOCK_ACCESS_FS_READ_DIR,
		.layers[1].access = LANDLOCK_ACCESS_FS_READ_FILE |
				    LANDLOCK_ACCESS_FS_READ_DIR,
		.layers[2].access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
	};
	access_mask_t access;

	access = LANDLOCK_ACCESS_FS_EXECUTE;
	KUNIT_EXPECT_EQ(test, 0, get_denied_layer(&dom, &access, &masks));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_EXECUTE);

	access = LANDLOCK_ACCESS_FS_READ_FILE;
	KUNIT_EXPECT_EQ(test, 1, get_denied_layer(&dom, &access, &masks));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_READ_FILE);

	access = LANDLOCK_ACCESS_FS_READ_DIR;
	KUNIT_EXPECT_EQ(test, 1, get_denied_layer(&dom, &access, &masks));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_READ_DIR);

	access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
	KUNIT_EXPECT_EQ(test, 1, get_denied_layer(&dom, &access, &masks));
	KUNIT_EXPECT_EQ(test, access,
			LANDLOCK_ACCESS_FS_READ_FILE |
				LANDLOCK_ACCESS_FS_READ_DIR);

	/* The younger layer (1) wins and narrows the request to its bits. */
	access = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_DIR;
	KUNIT_EXPECT_EQ(test, 1, get_denied_layer(&dom, &access, &masks));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_READ_DIR);

	/* No layer denies it: fall back to the youngest layer, empty mask. */
	access = LANDLOCK_ACCESS_FS_WRITE_FILE;
	KUNIT_EXPECT_EQ(test, 4, get_denied_layer(&dom, &access, &masks));
	KUNIT_EXPECT_EQ(test, access, 0);
}

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

/*
 * get_layer_from_deny_masks - Get the youngest layer denying optional accesses
 *
 * @access_request: In: requested accesses.  Out: the subset denied by the
 *                  returned layer (0 if none of the optional accesses were
 *                  requested).
 * @all_existing_optional_access: Mask of every optional access; its set
 *                                bits, in ascending order, define the
 *                                packing index (access_index) used by the
 *                                two following parameters.
 * @deny_masks: Packed layer indexes, one per optional access, each
 *              HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) bits wide.
 * @quiet_optional_accesses: One bit per optional access (same index) telling
 *                           whether the denying layer marked the object quiet.
 * @quiet: Out: quiet flag of the returned layer.
 *
 * Returns the highest (youngest) layer index among the requested optional
 * accesses; @access_request is reduced to the accesses denied at that layer.
 */
static size_t
get_layer_from_deny_masks(access_mask_t *const access_request,
			  const access_mask_t all_existing_optional_access,
			  const deny_masks_t deny_masks,
			  optional_access_t quiet_optional_accesses,
			  bool *quiet)
{
	const unsigned long access_opt = all_existing_optional_access;
	const unsigned long access_req = *access_request;
	access_mask_t missing = 0;
	size_t youngest_layer = 0;
	size_t access_index = 0;
	unsigned long access_bit;
	bool should_quiet = false;

	/* This will require change with new object types. */
	WARN_ON_ONCE(access_opt != _LANDLOCK_ACCESS_FS_OPTIONAL);

	for_each_set_bit(access_bit, &access_opt,
			 BITS_PER_TYPE(access_mask_t)) {
		if (access_req & BIT(access_bit)) {
			/* Extract this access's layer field from deny_masks. */
			const size_t layer =
				(deny_masks >>
				 (access_index *
				  HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1))) &
				(LANDLOCK_MAX_NUM_LAYERS - 1);
			const bool layer_has_quiet =
				!!(quiet_optional_accesses & BIT(access_index));

			if (layer > youngest_layer) {
				youngest_layer = layer;
				missing = BIT(access_bit);
				should_quiet = layer_has_quiet;
			} else if (layer == youngest_layer) {
				missing |= BIT(access_bit);
				/*
				 * Whether the layer has rules with quiet flag
				 * covering the file accessed does not depend on
				 * the access, and so the following
				 * WARN_ON_ONCE() should not fail.
				 */
				WARN_ON_ONCE(should_quiet && !layer_has_quiet);
				should_quiet = layer_has_quiet;
			}
		}
		/* Advances even for unrequested accesses: fields are packed. */
		access_index++;
	}

	*access_request = missing;
	*quiet = should_quiet;
	return youngest_layer;
}

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

static void test_get_layer_from_deny_masks(struct kunit *const test)
{
	deny_masks_t deny_mask;
	access_mask_t access;
	optional_access_t quiet_optional_accesses;
	bool quiet;

	/* truncate:0 ioctl_dev:2 */
	deny_mask = 0x20;
	quiet_optional_accesses = 0;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	/* layer denying truncate: quiet, ioctl: not quiet */
	quiet_optional_accesses = 0b01;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, true);

	access = LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	/* Reverse order - truncate:2 ioctl_dev:0 */
	deny_mask = 0x02;
	quiet_optional_accesses = 0;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, false);

	/* layer denying truncate: quiet, ioctl: not quiet */
	quiet_optional_accesses = 0b01;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, true);

	access = LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, true);

	/* layer denying truncate: not quiet, ioctl: quiet */
	quiet_optional_accesses = 0b10;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, true);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 2,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, false);

	/* truncate:15 ioctl_dev:15 */
	deny_mask = 0xff;
	quiet_optional_accesses = 0;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 15,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, false);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 15,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access,
			LANDLOCK_ACCESS_FS_TRUNCATE |
				LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, false);

	/* Both quiet (same layer so quietness must be the same) */
	quiet_optional_accesses = 0b11;

	access = LANDLOCK_ACCESS_FS_TRUNCATE;
	KUNIT_EXPECT_EQ(test, 15,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access, LANDLOCK_ACCESS_FS_TRUNCATE);
	KUNIT_EXPECT_EQ(test, quiet, true);

	access = LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV;
	KUNIT_EXPECT_EQ(test, 15,
			get_layer_from_deny_masks(
				&access, _LANDLOCK_ACCESS_FS_OPTIONAL,
				deny_mask, quiet_optional_accesses, &quiet));
	KUNIT_EXPECT_EQ(test, access,
			LANDLOCK_ACCESS_FS_TRUNCATE |
				LANDLOCK_ACCESS_FS_IOCTL_DEV);
	KUNIT_EXPECT_EQ(test, quiet, true);
}

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

/*
 * is_valid_request - Sanity-check the internal consistency of a request
 *
 * @request: Request filled by the calling hook.
 *
 * Every violated invariant is a caller bug, so each is reported with
 * WARN_ON_ONCE() and the denial is then not logged.  The invariants are:
 *  - layer_plus_one fits in the supported number of layers;
 *  - exactly one of layer_plus_one (requests without an access mask) and
 *    access (FS/network requests) is set;
 *  - with an access mask, exactly one of layer_masks and
 *    all_existing_optional_access identifies the denying layer; without
 *    one, neither is set;
 *  - when deny_masks is used, all_existing_optional_access must be set and
 *    quiet_optional_accesses can only carry one bit per optional access.
 */
static bool is_valid_request(const struct landlock_request *const request)
{
	if (WARN_ON_ONCE(request->layer_plus_one > LANDLOCK_MAX_NUM_LAYERS))
		return false;

	if (WARN_ON_ONCE(!(!!request->layer_plus_one ^ !!request->access)))
		return false;

	if (request->access) {
		if (WARN_ON_ONCE(!(!!request->layer_masks ^
				   !!request->all_existing_optional_access)))
			return false;
	} else {
		if (WARN_ON_ONCE(request->layer_masks ||
				 request->all_existing_optional_access))
			return false;
	}

	if (request->deny_masks) {
		if (WARN_ON_ONCE(!request->all_existing_optional_access))
			return false;
		/* hweight32() below must see the whole optional-access mask. */
		static_assert(sizeof(request->all_existing_optional_access) ==
			      sizeof(u32));
		if (WARN_ON_ONCE(
			    request->quiet_optional_accesses >=
			    BIT(hweight32(
				    request->all_existing_optional_access))))
			return false;
	}

	return true;
}

/*
 * pick_access_mask_for_request_type - Select the FS or network quiet mask
 *
 * @type: Kind of request.
 * @access_masks: Per-object-type masks to choose from.
 *
 * Returns 0 (nothing quiet) for request types that have no access mask.
 */
static access_mask_t
pick_access_mask_for_request_type(const enum landlock_request_type type,
				  const struct access_masks access_masks)
{
	switch (type) {
	case LANDLOCK_REQUEST_FS_ACCESS:
		return access_masks.fs;
	case LANDLOCK_REQUEST_NET_ACCESS:
		return access_masks.net;
	default:
		WARN_ONCE(1, "Invalid request type %d passed to %s", type,
			  __func__);
		return 0;
	}
}

/**
 * landlock_log_denial - Create audit records related to a denial
 *
 * @subject: The Landlock subject's credential denying an action.
 * @request: Detail of the user space request.
 *
 * Identifies the youngest layer (domain) that denied the request, counts the
 * denial on that domain, then applies the domain's logging and quiet settings
 * before emitting an AUDIT_LANDLOCK_ACCESS record, followed by the domain's
 * own record the first time it appears in the log.
 */
void landlock_log_denial(const struct landlock_cred_security *const subject,
			 const struct landlock_request *const request)
{
	struct audit_buffer *ab;
	struct landlock_hierarchy *youngest_denied;
	size_t youngest_layer;
	access_mask_t missing;
	bool object_quiet_flag = false, quiet_applicable_to_access = false;

	if (WARN_ON_ONCE(!subject || !subject->domain ||
			 !subject->domain->hierarchy || !request))
		return;

	if (!is_valid_request(request))
		return;

	missing = request->access;
	if (missing) {
		/* Gets the nearest domain that denies the request. */
		if (request->layer_masks) {
			youngest_layer = get_denied_layer(subject->domain,
							  &missing,
							  request->layer_masks);
			object_quiet_flag =
				request->layer_masks->layers[youngest_layer]
					.quiet;
		} else {
			youngest_layer = get_layer_from_deny_masks(
				&missing, _LANDLOCK_ACCESS_FS_OPTIONAL,
				request->deny_masks,
				request->quiet_optional_accesses,
				&object_quiet_flag);
		}
		youngest_denied =
			get_hierarchy(subject->domain, youngest_layer);
	} else {
		/* Requests without an access mask name the layer directly. */
		youngest_layer = request->layer_plus_one - 1;
		youngest_denied =
			get_hierarchy(subject->domain, youngest_layer);
	}

	if (READ_ONCE(youngest_denied->log_status) == LANDLOCK_LOG_DISABLED)
		return;

	/*
	 * Consistently keeps track of the number of denied access requests
	 * even if audit is currently disabled, or if audit rules currently
	 * exclude this record type, or if landlock_restrict_self(2)'s flags
	 * quiet logs.
	 */
	atomic64_inc(&youngest_denied->num_denials);

	if (!audit_enabled)
		return;

	/* Checks if the current exec was restricting itself. */
	if (subject->domain_exec & BIT(youngest_layer)) {
		/* Ignores denials for the same execution. */
		if (!youngest_denied->log_same_exec)
			return;
	} else {
		/* Ignores denials after a new execution. */
		if (!youngest_denied->log_new_exec)
			return;
	}

	/*
	 * Checks if the object is marked quiet by the layer that denied the
	 * request. If it's a different layer that marked it as quiet, but that
	 * layer is not the one that denied the request, we should still audit
	 * log the denial.
	 */
	if (object_quiet_flag) {
		/*
		 * We now check if the denied requests are all covered by the
		 * layer's quiet access bits.
		 */
		const access_mask_t quiet_mask =
			pick_access_mask_for_request_type(
				request->type, youngest_denied->quiet_masks);

		quiet_applicable_to_access = (quiet_mask & missing) == missing;
	} else {
		/*
		 * Either the object is not quiet, or this is a scope request.
		 * We check request->type to distinguish between the two cases.
		 */
		const access_mask_t quiet_mask =
			youngest_denied->quiet_masks.scope;

		switch (request->type) {
		case LANDLOCK_REQUEST_SCOPE_SIGNAL:
			quiet_applicable_to_access =
				!!(quiet_mask & LANDLOCK_SCOPE_SIGNAL);
			break;
		case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
			quiet_applicable_to_access =
				!!(quiet_mask &
				   LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
			break;
		/*
		 * Leave LANDLOCK_REQUEST_PTRACE and
		 * LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY unhandled for now - they
		 * are never quiet.
		 */
		default:
			break;
		}
	}

	if (quiet_applicable_to_access)
		return;

	/* Uses consistent allocation flags wrt common_lsm_audit(). */
	ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
			     AUDIT_LANDLOCK_ACCESS);
	if (!ab)
		return;

	audit_log_format(ab, "domain=%llx blockers=", youngest_denied->id);
	log_blockers(ab, request->type, missing);
	/* Common LSM fields (path, address, pid, ...) for this request. */
	audit_log_lsm_data(ab, &request->audit);
	audit_log_end(ab);

	/* Logs this domain the first time it shows in log. */
	log_domain(youngest_denied);
}

/**
 * landlock_log_drop_domain - Create an audit record on domain deallocation
 *
 * @hierarchy: The domain's hierarchy being deallocated.
 *
 * Only domains which previously appeared in the audit logs are logged again.
 * This is useful to know when a domain will never show again in the audit log.
 *
 * Called in a work queue scheduled by landlock_put_ruleset_deferred() called
 * by hook_cred_free().
 */
void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy)
{
	struct audit_buffer *ab;

	if (WARN_ON_ONCE(!hierarchy))
		return;

	if (!audit_enabled)
		return;

	/* Ignores domains that were not logged. */
	if (READ_ONCE(hierarchy->log_status) != LANDLOCK_LOG_RECORDED)
		return;

	/*
	 * If logging of domain allocation succeeded, warns about failure to log
	 * domain deallocation to highlight unbalanced domain lifetime logs.
	 * GFP_KERNEL is fine here: this runs from a work queue, not a hook.
	 */
	ab = audit_log_start(audit_context(), GFP_KERNEL,
			     AUDIT_LANDLOCK_DOMAIN);
	if (!ab)
		return;

	/* denials= is the count accumulated by landlock_log_denial(). */
	audit_log_format(ab, "domain=%llx status=deallocated denials=%llu",
			 hierarchy->id, atomic64_read(&hierarchy->num_denials));
	audit_log_end(ab);
}

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

static struct kunit_case test_cases[] = {
	/* clang-format off */
	KUNIT_CASE(test_get_hierarchy),
	KUNIT_CASE(test_get_denied_layer),
	KUNIT_CASE(test_get_layer_from_deny_masks),
	{}
	/* clang-format on */
};

static struct kunit_suite test_suite = {
	.name = "landlock_audit",
	.test_cases = test_cases,
};

kunit_test_suite(test_suite);

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */