Received: by 2002:a05:7412:98c1:b0:fa:551:50a7 with SMTP id kc1csp306234rdb;
        Fri, 5 Jan 2024 10:22:20 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGO/UT0SdtNjaRgf9TLPmEgOLO/8LXlLYSeRURHxFdtbZ7cQvasov6VFgYtIUVqJqOwgW3B
X-Received: by 2002:a17:902:7608:b0:1d0:7535:8b94 with SMTP id k8-20020a170902760800b001d075358b94mr2411176pll.97.1704478939730;
        Fri, 05 Jan 2024 10:22:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704478939; cv=none;
        d=google.com; s=arc-20160816;
        b=L4r66xdsvax+FNUxA7PcNNRzIU+zLwnkF1y06Z65J2RL0PadQ7uA+9blUE9NgV03/I
         joMSue1XTuuN3PmKen9nx4JJDBGMxX3cxothqI2r8fgrntLpKAZOfpYrF+q3Tb7vQEhe
         wAx4sJtOiYIQyeUqdsZim4jy++D3ddZrzQT8Y5eKj4THeYVYMxBwejon0ifFOofMo4VO
         +Bs2nzRwx5CH0S9mfnYPafp8HTL3u7cy+O+yg9GQxxp3mGLVSqZE17CMacb5L1L2QLxc
         ZW6lu/2bPM0qhpoUSjVGm/Tj4tw0FkbrWJ+DoQnpKjTSwCjct5ejjFPNJAybn8Up07Vw
         L56A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=snFMiwNjj1q8R08VAlB159S6YhFpuQ6tSfTNokxT4IU=;
        fh=4d8YPi7DyD64u8cOf/sZ4HbPzTj/5FPXeAi71rXeGP0=;
        b=EGhX7z72A6JyW0c+jlRVteSG8Vc41Rhp9xMALTWK9eEE4pskp50+Y7K1Avs9DI8mJQ
         YhA0SueK8tstiZXm2nAxMR0xUfEZqjejqKPpfy1xn6Y0gDCVRGI3YUIYrOy+rJ/np58X
         +QC4nAPIi9YJ+RzwDm3tU397yRcviPiZSI4yWXXxrv0TCHGUjodtkjQOcBzdoG+NuZJq
         9CD8yERUczSDY7TvJs9sRlvVkSj/w2Oxa+I1DQJRHsKGOprQW4WYIHU7e2D1dx+8reqO
         Ibw0rqnt866++0C28Tv7UqFvJ0JNL8zmYCbw8A4XN+W08BUiegHI/TfhwC7O+sEQ5ROa
         LVFA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=NRsoFtNP;
       spf=pass (google.com: domain of linux-kernel+bounces-18203-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-18203-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-18203-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id x9-20020a170902ec8900b001cfc46abb07si1619011plg.128.2024.01.05.10.22.19
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 05 Jan 2024 10:22:19 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-18203-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=NRsoFtNP;
       spf=pass (google.com: domain of linux-kernel+bounces-18203-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-18203-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 685D4285E1F
	for <linux.lists.archive@gmail.com>; Fri,  5 Jan 2024 18:22:19 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 8B50D35285;
	Fri,  5 Jan 2024 18:22:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="NRsoFtNP"
X-Original-To: linux-kernel@vger.kernel.org
Received: from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch [185.125.25.15])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3069A35EE7
	for <linux-kernel@vger.kernel.org>; Fri,  5 Jan 2024 18:21:57 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net
Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108])
	by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4T6BPx5Y7nzMpnh2;
	Fri,  5 Jan 2024 18:12:37 +0000 (UTC)
Received: from unknown by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4T6BPw3F4SzMpnPr;
	Fri,  5 Jan 2024 19:12:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net;
	s=20191114; t=1704478357;
	bh=7CcqvU+dm80k4/4DXMGXtl1qlVFCE19rwLyaDkrOPGw=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=NRsoFtNP0tf+eAvgWVGPBL9wvlbAzS0BsOsJG6+txPx08INeRo0k/42aig9fnmPAr
	 xx/z5B17Ep+nb3jljzUgdjgXyk6h2ho/sIJNFwq6gGk8Mv2L+Jrn0K4DOdDdieACd7
	 bz5uzcdlc9xJJfygY0VJw6bL9xVNBJLJ4qqVVU+w=
Date: Fri, 5 Jan 2024 19:12:35 +0100
From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>
To: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>, 
	"Serge E . Hallyn" <serge@hallyn.com>, Ben Scarlato <akhna@google.com>, 
	=?utf-8?Q?G=C3=BCnther?= Noack <gnoack@google.com>, Jeff Xu <jeffxu@google.com>, 
	Jorge Lucangeli Obes <jorgelo@google.com>, Konstantin Meskhidze <konstantin.meskhidze@huawei.com>, 
	Shervin Oloumi <enlightened@google.com>, audit@vger.kernel.org, linux-kernel@vger.kernel.org, 
	linux-security-module@vger.kernel.org
Subject: Re: Re: [RFC PATCH v1 3/7] landlock: Log ruleset creation and release
Message-ID: <20240105.aiquux9Oox7l@digikod.net>
References: <20230921061641.273654-1-mic@digikod.net>
 <20230921061641.273654-4-mic@digikod.net>
 <CAHC9VhQTvFp+i=j7t+55EnG44xg=Pmvkh=Oq=e7ddJWDZXLeSA@mail.gmail.com>
 <20231221.eij3poa3Se4b@digikod.net>
 <CAHC9VhRiUOe9enkCOko0mGehxt+2tbJNGoJm=jmauhZSPFvzRg@mail.gmail.com>
 <20231229.aex0ijae2The@digikod.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20231229.aex0ijae2The@digikod.net>
X-Infomaniak-Routing: alpha

On Fri, Dec 29, 2023 at 06:42:10PM +0100, Mickaël Salaün wrote:
> On Fri, Dec 22, 2023 at 05:42:35PM -0500, Paul Moore wrote:
> > On Thu, Dec 21, 2023 at 1:45 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > On Wed, Dec 20, 2023 at 04:22:15PM -0500, Paul Moore wrote:
> > > > On Thu, Sep 21, 2023 at 2:17 AM Mickaël Salaün <mic@digikod.net> wrote:
> > > > >
> > > > > Add audit support for ruleset/domain creation and release ...
> > 
> > ...

> > > For rule addition, several records per landlock_add_rule(2) call.
> > > Example with a path_beneath rule:
> > > - AUDIT_LANDLOCK_RULESET: "id=[ruleset ID] op=add_rule"
> > > - AUDIT_LANDLOCK_PATH: "scope=beneath path=[file path] dev= ino="
> > > - AUDIT_LANDLOCK_ACCESS: "type=fs rights=[bitmask]"
> > 
> > I worry that LANDLOCK_PATH is too much of a duplicate for the existing
> > PATH record.  Assuming the "scope=" field is important, could it live
> > in the LANDLOCK_ACCESS record and then you could do away with the
> > dedicated LANDLOCK_PATH record?  Oh, wait ... this is to record the
> > policy, not a individual access request, gotcha.  If that is the case
> > and RULESET, PATH, ACCESS are all used simply to record the policy
> > information I might suggest creation of an AUDIT_LANDLOCK_POLICY
> > record that captures all of the above.  If you think that is too
> > cumbersome, then perhaps you can do the object/access-specific record
> > type, e.g. AUDIT_LANDLOCK_POLICY_FS and AUDIT_LANDLOCK_POLICY_NET.
> 
> OK, what about this records for *one* rule addition event?
> 
> - AUDIT_LANDLOCK_RULE: "ruleset=[ruleset ID] rule_type=path_beneath
>   allowed_access=[bitmask]"
> - AUDIT_PATH: "path=[file path] dev= ino= ..."
> 
> However, because struct landlock_path_beneath_attr can evolve and get
> new fields which might be differents than the landlock_net_port_attr's
> ones, wouldn't it be wiser to use a dedicated AUDIT_LANDLOCK_RULE_FS or
> AUDIT_LANDLOCK_RULE_PATH_BENEATH record type? These names are getting a
> bit long though, but types match the UAPI.

Hmm, AUDIT_PATH is used when a syscall's argument is a path, but in the
case of Landlock, the arguments are file descriptors.

I can still export audit_copy_inode() to create a synthetic audit_names
struct, and export/call audit_log_name() to create an AUDIT_PATH entry
but I'm not sure it is the best approach. What would you prefer?
Should I use AUDIT_TYPE_NORMAL or create a new one?

[...]

> > > For denied FS access:
> > > - AUDIT_LANDLOCK_DENIAL: "id=[domain ID] op=mkdir"
> > > - AUDIT_LANDLOCK_PATH: "scope=exact path=[file path] dev= ino="
> > 
> > I would use a single record type, i.e. AUDIT_LANDLOCK_ACCESS, to
> > capture both access granted and denied events.  I'd also omit the
> > dedicated LANDLOCK_PATH record here in favor of the generic PATH
> > record (see my comments above).
> 
> Makes sense for the generic PATH record. We would get this:
> 
> - AUDIT_LANDLOCK_ACCESS: "domain=[domain ID] op=mkdir result=denied"
> - AUDIT_PATH: "path=[file path] dev= ino= ..."