landlock: Identify domain execution crossing

Extend struct landlock_cred_security with a domain_exec bitmask to
identify which Landlock domain were created by the current task's bprm.
The whole bitmask is reset on each execve(2) call.

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-9-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/security/landlock/cred.c b/security/landlock/cred.c
index db9fe7d906ba665f35dc0e63c4551ea79a866a27..0cb3edde4d18aba271bf236343d007ecd02c03b2 100644 (file)
--- a/security/landlock/cred.c
+++ b/security/landlock/cred.c
@@ -1,11 +1,13 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Landlock LSM - Credential hooks
+ * Landlock - Credential hooks
  *
  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
  * Copyright © 2018-2020 ANSSI
+ * Copyright © 2024-2025 Microsoft Corporation
  */
 
+#include <linux/binfmts.h>
 #include <linux/cred.h>
 #include <linux/lsm_hooks.h>
 
@@ -17,11 +19,12 @@
 static void hook_cred_transfer(struct cred *const new,
                               const struct cred *const old)
 {
-       struct landlock_ruleset *const old_dom = landlock_cred(old)->domain;
+       const struct landlock_cred_security *const old_llcred =
+               landlock_cred(old);
 
-       if (old_dom) {
-               landlock_get_ruleset(old_dom);
-               landlock_cred(new)->domain = old_dom;
+       if (old_llcred->domain) {
+               landlock_get_ruleset(old_llcred->domain);
+               *landlock_cred(new) = *old_llcred;
        }
 }
 
@@ -40,10 +43,25 @@ static void hook_cred_free(struct cred *const cred)
                landlock_put_ruleset_deferred(dom);
 }
 
+#ifdef CONFIG_AUDIT
+
+static int hook_bprm_creds_for_exec(struct linux_binprm *const bprm)
+{
+       /* Resets for each execution. */
+       landlock_cred(bprm->cred)->domain_exec = 0;
+       return 0;
+}
+
+#endif /* CONFIG_AUDIT */
+
 static struct security_hook_list landlock_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),
        LSM_HOOK_INIT(cred_transfer, hook_cred_transfer),
        LSM_HOOK_INIT(cred_free, hook_cred_free),
+
+#ifdef CONFIG_AUDIT
+       LSM_HOOK_INIT(bprm_creds_for_exec, hook_bprm_creds_for_exec),
+#endif /* CONFIG_AUDIT */
 };
 
 __init void landlock_add_cred_hooks(void)

diff --git a/security/landlock/cred.h b/security/landlock/cred.h
index eb691130dd6766797fb236fc0c54a444f7b0bc5e..3bf18551d7b8619ccab1f2f02b1aeef6e6c5f673 100644 (file)
--- a/security/landlock/cred.h
+++ b/security/landlock/cred.h
@@ -10,17 +10,47 @@
 #ifndef _SECURITY_LANDLOCK_CRED_H
 #define _SECURITY_LANDLOCK_CRED_H
 
+#include <linux/container_of.h>
 #include <linux/cred.h>
 #include <linux/init.h>
 #include <linux/rcupdate.h>
 
 #include "access.h"
+#include "limits.h"
 #include "ruleset.h"
 #include "setup.h"
 
+/**
+ * struct landlock_cred_security - Credential security blob
+ *
+ * This structure is packed to minimize the size of struct
+ * landlock_file_security.  However, it is always aligned in the LSM cred blob,
+ * see lsm_set_blob_size().
+ */
 struct landlock_cred_security {
+       /**
+        * @domain: Immutable ruleset enforced on a task.
+        */
        struct landlock_ruleset *domain;
-};
+
+#ifdef CONFIG_AUDIT
+       /**
+        * @domain_exec: Bitmask identifying the domain layers that were enforced by
+        * the current task's executed file (i.e. no new execve(2) since
+        * landlock_restrict_self(2)).
+        */
+       u16 domain_exec;
+#endif /* CONFIG_AUDIT */
+} __packed;
+
+#ifdef CONFIG_AUDIT
+
+/* Makes sure all layer executions can be stored. */
+static_assert(BITS_PER_TYPE(typeof_member(struct landlock_cred_security,
+                                         domain_exec)) >=
+             LANDLOCK_MAX_NUM_LAYERS);
+
+#endif /* CONFIG_AUDIT */
 
 static inline struct landlock_cred_security *
 landlock_cred(const struct cred *cred)

diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index cf9e0483e5429af07cbaf13b700557fee4ea5758..b7b268f43a3b06a9040396565d7f642865a6e5cc 100644 (file)
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -510,5 +510,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
        /* Replaces the old (prepared) domain. */
        landlock_put_ruleset(new_llcred->domain);
        new_llcred->domain = new_dom;
+
+#ifdef CONFIG_AUDIT
+       new_llcred->domain_exec |= 1 << (new_dom->num_layers - 1);
+#endif /* CONFIG_AUDIT */
+
        return commit_creds(new_cred);
 }