
samples/landlock: Enable users to log sandbox denials

By default, denials from within the sandbox are not logged. Indeed, the
sandboxer's security policy might not be fitted to the set of sandboxed
processes that could be spawned (e.g. from a shell).

For testing purposes, parse the LL_FORCE_LOG environment variable to log
every sandbox denial, including after launching the initial sandboxed
program, thanks to LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON.

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-20-mic@digikod.net
[mic: Remove inappropriate hunk]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

+34 -3
+34 -3
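--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -58,6 +58,7 @@
 #define ENV_TCP_BIND_NAME "LL_TCP_BIND"
 #define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT"
 #define ENV_SCOPED_NAME "LL_SCOPED"
+#define ENV_FORCE_LOG_NAME "LL_FORCE_LOG"
 #define ENV_DELIMITER ":"
 
 static int str2num(const char *numstr, __u64 *num_dst)
@@ -296,7 +295,7 @@
 
 /* clang-format on */
 
-#define LANDLOCK_ABI_LAST 6
+#define LANDLOCK_ABI_LAST 7
 
 #define XSTR(s) #s
 #define STR(s) XSTR(s)
@@ -323,6 +322,9 @@
 	" - \"a\" to restrict opening abstract unix sockets\n"
 	" - \"s\" to restrict sending signals\n"
 	"\n"
+	"A sandboxer should not log denied access requests to avoid spamming logs, "
+	"but to test audit we can set " ENV_FORCE_LOG_NAME "=1\n"
+	"\n"
 	"Example:\n"
 	ENV_FS_RO_NAME "=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
 	ENV_FS_RW_NAME "=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
@@ -344,7 +340,7 @@
 	const char *cmd_path;
 	char *const *cmd_argv;
 	int ruleset_fd, abi;
-	char *env_port_name;
+	char *env_port_name, *env_force_log;
 	__u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ,
 	      access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE;
 
@@ -355,6 +351,8 @@
 		.scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
 			  LANDLOCK_SCOPE_SIGNAL,
 	};
+	int supported_restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+	int set_restrict_flags = 0;
 
 	if (argc < 2) {
 		fprintf(stderr, help, argv[0]);
@@ -428,6 +422,13 @@
 		/* Removes LANDLOCK_SCOPE_* for ABI < 6 */
 		ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
 					 LANDLOCK_SCOPE_SIGNAL);
+		__attribute__((fallthrough));
+	case 6:
+		/* Removes LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON for ABI < 7 */
+		supported_restrict_flags &=
+			~LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+
+		/* Must be printed for any ABI < LANDLOCK_ABI_LAST. */
 		fprintf(stderr,
 			"Hint: You should update the running kernel "
 			"to leverage Landlock features "
@@ -469,6 +456,24 @@
 	if (check_ruleset_scope(ENV_SCOPED_NAME, &ruleset_attr))
 		return 1;
 
+	/* Enables optional logs. */
+	env_force_log = getenv(ENV_FORCE_LOG_NAME);
+	if (env_force_log) {
+		if (strcmp(env_force_log, "1") != 0) {
+			fprintf(stderr, "Unknown value for " ENV_FORCE_LOG_NAME
+					" (only \"1\" is handled)\n");
+			return 1;
+		}
+		if (!(supported_restrict_flags &
+		      LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON)) {
+			fprintf(stderr,
+				"Audit logs not supported by current kernel\n");
+			return 1;
+		}
+		set_restrict_flags |= LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+		unsetenv(ENV_FORCE_LOG_NAME);
+	}
+
 	ruleset_fd =
 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
 	if (ruleset_fd < 0) {
@@ -514,7 +483,7 @@
 		perror("Failed to restrict privileges");
 		goto err_close_ruleset;
 	}
-	if (landlock_restrict_self(ruleset_fd, 0)) {
+	if (landlock_restrict_self(ruleset_fd, set_restrict_flags)) {
 		perror("Failed to enforce ruleset");
 		goto err_close_ruleset;
 	}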
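Review bot: The two new flag variables in main() (new lines 354-355) are declared `int` although they hold LANDLOCK_RESTRICT_SELF_* bits and are passed as the `flags` argument of `landlock_restrict_self()` on new line 486, which the sample's syscall wrapper (outside this hunk) takes as an unsigned 32-bit value as far as I can tell; the rest of main() already uses the kernel's fixed-width types for Landlock bitmasks (`__u64 access_fs_ro`, `__u64 *num_dst`). Using `__u32 supported_restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;` and `__u32 set_restrict_flags = 0;` keeps the masking in the ABI switch and the `|=` at new line 473 free of signed/unsigned conversion and matches the file's convention. The comment `/* Enables optional logs. */` at new line 459 would read better as `/* Enables optional denial logging; the variable is unset so the sandboxed command does not inherit it. */`, since the `unsetenv()` at new line 474 is the non-obvious part of that block. main() starts and ends outside these hunks.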