From: Mickaël Salaün
To: Eric Paris, James Morris, Paul Moore, "Serge E. Hallyn"
Cc: Mickaël Salaün, Ben Scarlato, Günther Noack, Jeff Xu, Jorge Lucangeli Obes, Konstantin Meskhidze, Shervin Oloumi, audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [RFC PATCH v1 7/7] landlock: Log ptrace requests
Date: Thu, 21 Sep 2023 08:16:41 +0200
Message-ID: <20230921061641.273654-8-mic@digikod.net>
In-Reply-To: <20230921061641.273654-1-mic@digikod.net>
References: <20230921061641.273654-1-mic@digikod.net>

Add audit support for ptrace and ptrace_traceme requests.

Signed-off-by: Mickaël Salaün
---
 security/landlock/audit.c  |  2 ++
 security/landlock/audit.h  |  4 +++-
 security/landlock/ptrace.c | 47 ++++++++++++++++++++++++++++++++++----
 3 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index 89bd701d124f..2ec2a00822d2 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -18,6 +18,8 @@ static const char *op_to_string(enum landlock_operation operation) { const char *const desc[] = { [0] = "", + [LANDLOCK_OP_PTRACE] = "ptrace", + [LANDLOCK_OP_PTRACE_TRACEME] = "ptrace_traceme", [LANDLOCK_OP_MOUNT] = "mount", [LANDLOCK_OP_MOVE_MOUNT] = "move_mount", [LANDLOCK_OP_UMOUNT] = "umount", diff --git a/security/landlock/audit.h b/security/landlock/audit.h index e559fb6a89dd..b69bba7b908c 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -14,7 +14,9 @@ #include "ruleset.h" enum landlock_operation { - LANDLOCK_OP_MOUNT = 1, + LANDLOCK_OP_PTRACE = 1, + LANDLOCK_OP_PTRACE_TRACEME, + LANDLOCK_OP_MOUNT, LANDLOCK_OP_MOVE_MOUNT, LANDLOCK_OP_UMOUNT, LANDLOCK_OP_REMOUNT, diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c index 8a06d6c492bf..dbe219449a32 100644 --- a/security/landlock/ptrace.c +++ b/security/landlock/ptrace.c @@ -10,10 +10,12 @@ #include #include #include +#include #include #include #include +#include "audit.h" #include "common.h" #include "cred.h" #include "ptrace.h" @@ -64,11 +66,9 @@ static bool task_is_scoped(const struct task_struct *const parent, static int task_ptrace(const struct task_struct *const parent, const struct task_struct *const child) { - /* Quick return for non-landlocked tasks. */ - if (!landlocked(parent)) - return 0; if (task_is_scoped(parent, child)) return 0; + return -EPERM; } 
@@ -88,7 +88,26 @@ static int task_ptrace(const struct task_struct *const parent, static int hook_ptrace_access_check(struct task_struct *const child, const unsigned int mode) { - return task_ptrace(current, child); + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + struct landlock_request request = { + .operation = LANDLOCK_OP_PTRACE, + .missing_permission = LANDLOCK_PERM_PTRACE, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = child, + }, + }; + int err; + + if (!dom) + return 0; + + err = task_ptrace(current, child); + if (!err) + return 0; + + return landlock_log_request(err, &request, dom, 0, NULL); } /** @@ -105,7 +124,25 @@ static int hook_ptrace_access_check(struct task_struct *const child, */ static int hook_ptrace_traceme(struct task_struct *const parent) { - return task_ptrace(parent, current); + struct landlock_request request = { + .operation = LANDLOCK_OP_PTRACE_TRACEME, + .missing_permission = LANDLOCK_PERM_PTRACE, + .audit = { + .type = LSM_AUDIT_DATA_TASK, + .u.tsk = parent, + }, + }; + int err; + + if (!landlock_get_task_domain(parent)) + return 0; + + err = task_ptrace(parent, current); + if (!err) + return 0; + + return landlock_log_request(err, &request, + landlock_get_current_domain(), 0, NULL); } static struct security_hook_list landlock_hooks[] __ro_after_init = { -- 2.42.0
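Review bot: in the audit.h hunk, inserting LANDLOCK_OP_PTRACE = 1 and LANDLOCK_OP_PTRACE_TRACEME ahead of LANDLOCK_OP_MOUNT renumbers every existing landlock_operation value. That is harmless as long as the numbers are only ever mapped through op_to_string() (the audit.c hunk keeps desc[] in step via designated initializers), but anything that ever compared or stored the raw enum value now changes meaning. Appending the two new operations at the end of the enum, or stating in the commit message that the numbering is internal, would make the intent explicit.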
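Review bot: in the task_ptrace() hunk, dropping the `if (!landlocked(parent)) return 0;` quick return makes the function return -EPERM for a non-landlocked parent unless task_is_scoped() handles that case on its own. The two hooks below avoid this by checking for a domain before calling, but that precondition is now invisible at the call site. A one-line comment on task_ptrace() saying the caller must already have verified that parent is landlocked (or simply keeping the cheap quick return) would stop a future caller from tripping over it.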
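Review bot: in the hook_ptrace_access_check() hunk, `mode` is still unused, so a denied PTRACE_MODE_READ and a denied PTRACE_MODE_ATTACH produce identical audit records; recording the mode in the request, or noting in the commit message that it is deliberately not logged, would make the records more useful for triage. Also, `request` is fully initialized before the `if (!dom) return 0;` early return, so the common non-landlocked path pays for it; moving the initialization after the check is a small cleanup.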
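Review bot: in the hook_ptrace_traceme() hunk, the early return tests `landlock_get_task_domain(parent)` but the denial is logged against `landlock_get_current_domain()`. The restricted task here is the would-be tracer (parent); current, the tracee asking to be traced, may have no domain at all, so the record either names the wrong domain or hands a NULL dom to landlock_log_request(). Passing the parent's domain looks like the intended value, and keeping it in a local avoids the second lookup: `dom = landlock_get_task_domain(parent); if (!dom) return 0;` and then `landlock_log_request(err, &request, dom, 0, NULL);`.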