Received: by 2002:a05:7412:a986:b0:f9:90c9:de9f with SMTP id o6csp29133rdh; Wed, 20 Dec 2023 13:23:24 -0800 (PST) X-Google-Smtp-Source: AGHT+IGlSU35bzoak5wv3MI5Vym7cwatMXoM6n5EnjthHRTYxr7qn7Dof/gSBESU3bZh01xzbTm5 X-Received: by 2002:a05:620a:4249:b0:780:fdfc:af07 with SMTP id w9-20020a05620a424900b00780fdfcaf07mr4554670qko.1.1703107404386; Wed, 20 Dec 2023 13:23:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703107404; cv=none; d=google.com; s=arc-20160816; b=Uj0be3xiOvlWLMqAwuMq8GhsIazNmpmzEmy82DKLH96b2kZCOmemODCRt9o6GrYQIK DsUdcsQqApINKbOprCrmpiJqnY4iiIXvJ0EKHuRAulUe0jvezpupbW9Tz9XbhSzDjVpd OpTffaKlAks5h8nYVAXQjl9qypwDh6f0ZMwU5xUkRY6cLeh5am8FJoUFVpksAvlCKQVc dXoU9h+Y8qWvjohGn4+Fs36fOwxhxjlLW0YcOlq2cjNs8jzJu3Ha6Fy5fgiM6ctA4dPn mPSWFXT8koysK+TlGujRjrL5U5oJzZeLDwm62Y9W8IFNeZ1QcQrRqC8DrESprZLbrRKv nsYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=hjk2wbnJnfETqR90Vlt520Brmk0gs134nu2Nw80lVgc=; fh=0Iq/gUEH1U7Gs+WIOBr668/Eci0z9BgD0RKfLYHYz38=; b=Bpv4HRtkQVDC5V66JgJK/RBZiNj3gJt+lq8Vr+0cqZ0CPmof0lfHLb0kD91o4Tpts0 U+O9+yw1JsPfsjGPaWXqljkQs8h9fLjnVNbW0krLwFvDO7wuefuc8Wq/VkKtq7//mn59 bQdePCokyfz3f2u43A6179FzjTYqcF34r2ukx4eorxZmnh+4De7TAESZyWgAl/WIK4VE WDKwoQdwrs9P7eOTY2kR3Ybtv/O8aAI7f+QPeT7Ion7OobdNCvp8zUsbWCQwvMOkDiCW OfMkKPVoahWU9vWfLPcMxvbmwXmv5gI49eEOJZl6Kpty0nP0q2D60tDec+csSLeATgfZ Yo8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=dJTu2Vvx; spf=pass (google.com: domain of linux-kernel+bounces-7448-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-7448-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id bq44-20020a05620a46ac00b007758e273104si656913qkb.334.2023.12.20.13.23.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Dec 2023 13:23:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-7448-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=dJTu2Vvx; spf=pass (google.com: domain of linux-kernel+bounces-7448-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-7448-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 2761D1C22D26 for ; Wed, 20 Dec 2023 21:23:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B88CE495D1; Wed, 20 Dec 2023 21:22:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="dJTu2Vvx" X-Original-To: linux-kernel@vger.kernel.org Received: from mail-yb1-f175.google.com (mail-yb1-f175.google.com [209.85.219.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED18D4A986 for ; Wed, 20 Dec 2023 21:22:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-yb1-f175.google.com with SMTP id 3f1490d57ef6-dbd73ac40ecso117336276.1 for ; Wed, 20 Dec 2023 13:22:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1703107364; x=1703712164; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=hjk2wbnJnfETqR90Vlt520Brmk0gs134nu2Nw80lVgc=; b=dJTu2VvxIAAtEoB0WMiRhItDX0KfTIDTXsO7z82dTGwnmDQO7m8zUuW9BIM1tgo/V2 Mv2VkdUMN+Jpy9wuiofbjtvlzZ+IjhkcZTA5RioJkjPpP6RyFxlzTKs6gIuEIzWHpLvA DQLvSAIDnwQWQWnKvIs6ARDQ4dQ0iHDySbBuFM8jycfMRMNUM5xHrLQCHwpi7NGXSVi5 FvecaPs8bwdwOHV6J16MAawKgD8VC/W+fC3HAa/A82iMyxg27nXpfgTev62iDdUd0+oh hd7YvtgJRDTo1xyxJUN6gB4xx3Z5kOxI40UyIs6fUTVX9zlv9xUN+If89ZoZZfXwYyec ZkGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703107364; x=1703712164; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hjk2wbnJnfETqR90Vlt520Brmk0gs134nu2Nw80lVgc=; b=eNb75WeBT7pIu8Ll4Y8xxocngTKSY1By54PEAdzL7uQ3Y6f4otK6n+ybXHtjOu+6za BzDuP5f6wigDnR2FSDW8VHAO6rPdjILJFNVGDwMJ8S0+oRic5jsIcKWyySqQP7hE9DJP lSAWPTdtM5EQfF0YvpZIfWUjaE5ZsjZNVcLF42tC7ttm1xp535pLjK1EkUmxVn6JvYSz 59vxjT0dB95UpsLBhKW+YYoPrf1xID84MuYcm8W5ExXbM2P6Yz0WGADecfKFFdrMNhop 5ylLap+XECK8jpaiewPBmfDR+OKNQFaHcHpiqvg2LmF3ZbXa2qJFdd/mBspaa8qgke2S XaYA== X-Gm-Message-State: AOJu0YyZLhsSf6UUYgGe5SbVVXfzIRI9RlCZxQ5eWMHJp288NrFHIYv/ Lt77OiKiOmc73PIakhMWxRTQDV2MqtwZZ37f9kSY X-Received: by 2002:a25:1054:0:b0:dbc:bd3f:9fa1 with SMTP id 81-20020a251054000000b00dbcbd3f9fa1mr341878ybq.44.1703107363914; Wed, 20 Dec 2023 13:22:43 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20230921061641.273654-1-mic@digikod.net> <20230921061641.273654-6-mic@digikod.net> In-Reply-To: <20230921061641.273654-6-mic@digikod.net> From: Paul Moore Date: Wed, 20 Dec 2023 16:22:33 -0500 Message-ID: Subject: Re: [RFC PATCH v1 5/7] landlock: Log file-related requests To: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= Cc: Eric Paris , James Morris , "Serge E . Hallyn" , Ben Scarlato , =?UTF-8?Q?G=C3=BCnther_Noack?= , Jeff Xu , Jorge Lucangeli Obes , Konstantin Meskhidze , Shervin Oloumi , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Sep 21, 2023 at 2:17=E2=80=AFAM Micka=C3=ABl Sala=C3=BCn wrote: > > Add audit support for mkdir, mknod, symlink, unlink, rmdir, truncate, > and open requests. > > Signed-off-by: Micka=C3=ABl Sala=C3=BCn > --- > security/landlock/audit.c | 114 ++++++++++++++++++++++++++++++++++++++ > security/landlock/audit.h | 32 +++++++++++ > security/landlock/fs.c | 62 ++++++++++++++++++--- > 3 files changed, 199 insertions(+), 9 deletions(-) > > diff --git a/security/landlock/audit.c b/security/landlock/audit.c > index d9589d07e126..148fc0fafef4 100644 > --- a/security/landlock/audit.c > +++ b/security/landlock/audit.c > @@ -14,6 +14,25 @@ > > atomic64_t ruleset_and_domain_counter =3D ATOMIC64_INIT(0); > > +static const char *op_to_string(enum landlock_operation operation) > +{ > + const char *const desc[] =3D { > + [0] =3D "", > + [LANDLOCK_OP_MKDIR] =3D "mkdir", > + [LANDLOCK_OP_MKNOD] =3D "mknod", > + [LANDLOCK_OP_SYMLINK] =3D "symlink", > + [LANDLOCK_OP_UNLINK] =3D "unlink", > + [LANDLOCK_OP_RMDIR] =3D "rmdir", > + [LANDLOCK_OP_TRUNCATE] =3D "truncate", > + [LANDLOCK_OP_OPEN] =3D "open", > + }; If you're going to be using a single AUDIT_LANDLOCK record type, do you want to somehow encode that the above are access/permission requests in the "op=3D" field name? > +static void > +log_request(const int error, struct landlock_request *const request, > + const struct landlock_ruleset *const domain, > + const access_mask_t access_request, > + const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_F= S]) > +{ > + struct audit_buffer *ab; > + > + if (WARN_ON_ONCE(!error)) > + return; > + if (WARN_ON_ONCE(!request)) > + return; > + if (WARN_ON_ONCE(!domain || !domain->hierarchy)) > + return; > + > + /* Uses GFP_ATOMIC to not sleep. */ > + ab =3D audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN= , > + AUDIT_LANDLOCK); > + if (!ab) > + return; > + > + update_request(request, domain, access_request, layer_masks); > + > + log_task(ab); > + audit_log_format(ab, " domain=3D%llu op=3D%s errno=3D%d missing-f= s-accesses=3D", > + request->youngest_domain, > + op_to_string(request->operation), -error); > + log_accesses(ab, request->missing_access); > + audit_log_lsm_data(ab, &request->audit); > + audit_log_end(ab); > +} See my previous comments about record format consistency. -- paul-moore.com