Google Git
Sign in
gbmc / linux / refs/heads/linux-rolling-stable / . / tools / testing / selftests / landlock / audit_test.c
blob: 46d02d49835aaefe09edd869aab76cd3fdd98eb1 [file] [log] [blame] [edit]
// SPDX-License-Identifier: GPL-2.0
/*
* Landlock tests - Audit
*
* Copyright © 2024-2025 Microsoft Corporation
*/
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/landlock.h>
#include <pthread.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include "audit.h"
#include "common.h"
static int matches_log_signal(struct __test_metadata *const _metadata,
int audit_fd, const pid_t opid, __u64 *domain_id)
{
static const char log_template[] = REGEX_LANDLOCK_PREFIX
" blockers=scope\\.signal opid=%d ocomm=\"audit_test\"$";
char log_match[sizeof(log_template) + 10];
int log_match_len;
log_match_len =
snprintf(log_match, sizeof(log_match), log_template, opid);
if (log_match_len > sizeof(log_match))
return -E2BIG;
return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match,
domain_id);
}
FIXTURE(audit)
{
struct audit_filter audit_filter;
int audit_fd;
};
FIXTURE_SETUP(audit)
{
disable_caps(_metadata);
set_cap(_metadata, CAP_AUDIT_CONTROL);
self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
EXPECT_LE(0, self->audit_fd)
{
const char *error_msg;
/* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
if (self->audit_fd == -EEXIST)
error_msg = "socket already in use (e.g. auditd)";
else
error_msg = strerror(-self->audit_fd);
TH_LOG("Failed to initialize audit: %s", error_msg);
}
clear_cap(_metadata, CAP_AUDIT_CONTROL);
}
FIXTURE_TEARDOWN(audit)
{
set_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
}
TEST_F(audit, layers)
{
const struct landlock_ruleset_attr ruleset_attr = {
.scoped = LANDLOCK_SCOPE_SIGNAL,
};
int status, ruleset_fd, i;
__u64(*domain_stack)[16];
__u64 prev_dom = 3;
pid_t child;
domain_stack = mmap(NULL, sizeof(*domain_stack), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
ASSERT_NE(MAP_FAILED, domain_stack);
memset(domain_stack, 0, sizeof(*domain_stack));
ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
ASSERT_LE(0, ruleset_fd);
EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
child = fork();
ASSERT_LE(0, child);
if (child == 0) {
for (i = 0; i < ARRAY_SIZE(*domain_stack); i++) {
__u64 denial_dom = 1;
__u64 allocated_dom = 2;
EXPECT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
/* Creates a denial to get the domain ID. */
EXPECT_EQ(-1, kill(getppid(), 0));
EXPECT_EQ(EPERM, errno);
EXPECT_EQ(0,
matches_log_signal(_metadata, self->audit_fd,
getppid(), &denial_dom));
EXPECT_EQ(0, matches_log_domain_allocated(
self->audit_fd, getpid(),
&allocated_dom));
EXPECT_NE(denial_dom, 1);
EXPECT_NE(denial_dom, 0);
EXPECT_EQ(denial_dom, allocated_dom);
/* Checks that the new domain is younger than the previous one. */
EXPECT_GT(allocated_dom, prev_dom);
prev_dom = allocated_dom;
(*domain_stack)[i] = allocated_dom;
}
/* Checks that we reached the maximum number of layers. */
EXPECT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
EXPECT_EQ(E2BIG, errno);
/* Updates filter rules to match the drop record. */
set_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE));
EXPECT_EQ(0,
audit_filter_exe(self->audit_fd, &self->audit_filter,
AUDIT_DEL_RULE));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
_exit(_metadata->exit_code);
return;
}
ASSERT_EQ(child, waitpid(child, &status, 0));
if (WIFSIGNALED(status) || !WIFEXITED(status) ||
WEXITSTATUS(status) != EXIT_SUCCESS)
_metadata->exit_code = KSFT_FAIL;
/* Purges log from deallocated domains. */
EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
&audit_tv_dom_drop, sizeof(audit_tv_dom_drop)));
for (i = ARRAY_SIZE(*domain_stack) - 1; i >= 0; i--) {
__u64 deallocated_dom = 2;
EXPECT_EQ(0, matches_log_domain_deallocated(self->audit_fd, 1,
&deallocated_dom));
EXPECT_EQ((*domain_stack)[i], deallocated_dom)
{
TH_LOG("Failed to match domain %llx (#%d)",
(*domain_stack)[i], i);
}
}
EXPECT_EQ(0, munmap(domain_stack, sizeof(*domain_stack)));
EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
&audit_tv_default, sizeof(audit_tv_default)));
EXPECT_EQ(0, close(ruleset_fd));
}
struct thread_data {
pid_t parent_pid;
int ruleset_fd, pipe_child, pipe_parent;
};
static void *thread_audit_test(void *arg)
{
const struct thread_data *data = (struct thread_data *)arg;
uintptr_t err = 0;
char buffer;
/* TGID and TID are different for a second thread. */
if (getpid() == gettid()) {
err = 1;
goto out;
}
if (landlock_restrict_self(data->ruleset_fd, 0)) {
err = 2;
goto out;
}
if (close(data->ruleset_fd)) {
err = 3;
goto out;
}
/* Creates a denial to get the domain ID. */
if (kill(data->parent_pid, 0) != -1) {
err = 4;
goto out;
}
if (EPERM != errno) {
err = 5;
goto out;
}
/* Signals the parent to read denial logs. */
if (write(data->pipe_child, ".", 1) != 1) {
err = 6;
goto out;
}
/* Waits for the parent to update audit filters. */
if (read(data->pipe_parent, &buffer, 1) != 1) {
err = 7;
goto out;
}
out:
close(data->pipe_child);
close(data->pipe_parent);
return (void *)err;
}
/* Checks that the PID tied to a domain is not a TID but the TGID. */
TEST_F(audit, thread)
{
const struct landlock_ruleset_attr ruleset_attr = {
.scoped = LANDLOCK_SCOPE_SIGNAL,
};
__u64 denial_dom = 1;
__u64 allocated_dom = 2;
__u64 deallocated_dom = 3;
pthread_t thread;
int pipe_child[2], pipe_parent[2];
char buffer;
struct thread_data child_data;
child_data.parent_pid = getppid();
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
child_data.pipe_child = pipe_child[1];
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
child_data.pipe_parent = pipe_parent[0];
child_data.ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
ASSERT_LE(0, child_data.ruleset_fd);
/* TGID and TID are the same for the initial thread . */
EXPECT_EQ(getpid(), gettid());
EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
ASSERT_EQ(0, pthread_create(&thread, NULL, thread_audit_test,
&child_data));
/* Waits for the child to generate a denial. */
ASSERT_EQ(1, read(pipe_child[0], &buffer, 1));
EXPECT_EQ(0, close(pipe_child[0]));
/* Matches the signal log to get the domain ID. */
EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
child_data.parent_pid, &denial_dom));
EXPECT_NE(denial_dom, 1);
EXPECT_NE(denial_dom, 0);
EXPECT_EQ(0, matches_log_domain_allocated(self->audit_fd, getpid(),
&allocated_dom));
EXPECT_EQ(denial_dom, allocated_dom);
/* Updates filter rules to match the drop record. */
set_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE));
EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
AUDIT_DEL_RULE));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
/* Signals the thread to exit, which will generate a domain deallocation. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
EXPECT_EQ(0, close(pipe_parent[1]));
ASSERT_EQ(0, pthread_join(thread, NULL));
EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
&audit_tv_dom_drop, sizeof(audit_tv_dom_drop)));
EXPECT_EQ(0, matches_log_domain_deallocated(self->audit_fd, 1,
&deallocated_dom));
EXPECT_EQ(denial_dom, deallocated_dom);
EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
&audit_tv_default, sizeof(audit_tv_default)));
}
FIXTURE(audit_flags)
{
struct audit_filter audit_filter;
int audit_fd;
__u64 *domain_id;
};
FIXTURE_VARIANT(audit_flags)
{
const int restrict_flags;
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, default) {
/* clang-format on */
.restrict_flags = 0,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, same_exec_off) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, subdomains_off) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, cross_exec_on) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
};
FIXTURE_SETUP(audit_flags)
{
disable_caps(_metadata);
set_cap(_metadata, CAP_AUDIT_CONTROL);
self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
EXPECT_LE(0, self->audit_fd)
{
const char *error_msg;
/* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
if (self->audit_fd == -EEXIST)
error_msg = "socket already in use (e.g. auditd)";
else
error_msg = strerror(-self->audit_fd);
TH_LOG("Failed to initialize audit: %s", error_msg);
}
clear_cap(_metadata, CAP_AUDIT_CONTROL);
self->domain_id = mmap(NULL, sizeof(*self->domain_id),
PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
ASSERT_NE(MAP_FAILED, self->domain_id);
/* Domain IDs are greater or equal to 2^32. */
*self->domain_id = 1;
}
FIXTURE_TEARDOWN(audit_flags)
{
EXPECT_EQ(0, munmap(self->domain_id, sizeof(*self->domain_id)));
set_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
}
TEST_F(audit_flags, signal)
{
int status;
pid_t child;
struct audit_records records;
__u64 deallocated_dom = 2;
child = fork();
ASSERT_LE(0, child);
if (child == 0) {
const struct landlock_ruleset_attr ruleset_attr = {
.scoped = LANDLOCK_SCOPE_SIGNAL,
};
int ruleset_fd;
/* Add filesystem restrictions. */
ruleset_fd = landlock_create_ruleset(&ruleset_attr,
sizeof(ruleset_attr), 0);
ASSERT_LE(0, ruleset_fd);
EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
ASSERT_EQ(0, landlock_restrict_self(ruleset_fd,
variant->restrict_flags));
EXPECT_EQ(0, close(ruleset_fd));
/* First signal checks to test log entries. */
EXPECT_EQ(-1, kill(getppid(), 0));
EXPECT_EQ(EPERM, errno);
if (variant->restrict_flags &
LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF) {
EXPECT_EQ(-EAGAIN, matches_log_signal(
_metadata, self->audit_fd,
getppid(), self->domain_id));
EXPECT_EQ(*self->domain_id, 1);
} else {
__u64 allocated_dom = 3;
EXPECT_EQ(0, matches_log_signal(
_metadata, self->audit_fd,
getppid(), self->domain_id));
/* Checks domain information records. */
EXPECT_EQ(0, matches_log_domain_allocated(
self->audit_fd, getpid(),
&allocated_dom));
EXPECT_NE(*self->domain_id, 1);
EXPECT_NE(*self->domain_id, 0);
EXPECT_EQ(*self->domain_id, allocated_dom);
}
/* Second signal checks to test audit_count_records(). */
EXPECT_EQ(-1, kill(getppid(), 0));
EXPECT_EQ(EPERM, errno);
/* Makes sure there is no superfluous logged records. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
if (variant->restrict_flags &
LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF) {
EXPECT_EQ(0, records.access);
} else {
EXPECT_EQ(1, records.access);
}
EXPECT_EQ(0, records.domain);
/* Updates filter rules to match the drop record. */
set_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE));
EXPECT_EQ(0,
audit_filter_exe(self->audit_fd, &self->audit_filter,
AUDIT_DEL_RULE));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
_exit(_metadata->exit_code);
return;
}
ASSERT_EQ(child, waitpid(child, &status, 0));
if (WIFSIGNALED(status) || !WIFEXITED(status) ||
WEXITSTATUS(status) != EXIT_SUCCESS)
_metadata->exit_code = KSFT_FAIL;
if (variant->restrict_flags &
LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF) {
EXPECT_EQ(-EAGAIN,
matches_log_domain_deallocated(self->audit_fd, 0,
&deallocated_dom));
EXPECT_EQ(deallocated_dom, 2);
} else {
EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
&audit_tv_dom_drop,
sizeof(audit_tv_dom_drop)));
EXPECT_EQ(0, matches_log_domain_deallocated(self->audit_fd, 2,
&deallocated_dom));
EXPECT_NE(deallocated_dom, 2);
EXPECT_NE(deallocated_dom, 0);
EXPECT_EQ(deallocated_dom, *self->domain_id);
EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
&audit_tv_default,
sizeof(audit_tv_default)));
}
}
static int matches_log_fs_read_root(int audit_fd)
{
return audit_match_record(
audit_fd, AUDIT_LANDLOCK_ACCESS,
REGEX_LANDLOCK_PREFIX
" blockers=fs\\.read_dir path=\"/\" dev=\"[^\"]\\+\" ino=[0-9]\\+$",
NULL);
}
FIXTURE(audit_exec)
{
struct audit_filter audit_filter;
int audit_fd;
};
FIXTURE_VARIANT(audit_exec)
{
const int restrict_flags;
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, default) {
/* clang-format on */
.restrict_flags = 0,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, same_exec_off) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, subdomains_off) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, cross_exec_on) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, subdomains_off_and_cross_exec_on) {
/* clang-format on */
.restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF |
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
};
FIXTURE_SETUP(audit_exec)
{
disable_caps(_metadata);
set_cap(_metadata, CAP_AUDIT_CONTROL);
self->audit_fd = audit_init();
EXPECT_LE(0, self->audit_fd)
{
const char *error_msg;
/* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
if (self->audit_fd == -EEXIST)
error_msg = "socket already in use (e.g. auditd)";
else
error_msg = strerror(-self->audit_fd);
TH_LOG("Failed to initialize audit: %s", error_msg);
}
/* Applies test filter for the bin_wait_pipe_sandbox program. */
EXPECT_EQ(0, audit_init_filter_exe(&self->audit_filter,
bin_wait_pipe_sandbox));
EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
AUDIT_ADD_RULE));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
}
FIXTURE_TEARDOWN(audit_exec)
{
set_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
AUDIT_DEL_RULE));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
EXPECT_EQ(0, close(self->audit_fd));
}
TEST_F(audit_exec, signal_and_open)
{
struct audit_records records;
int pipe_child[2], pipe_parent[2];
char buf_parent;
pid_t child;
int status;
ASSERT_EQ(0, pipe2(pipe_child, 0));
ASSERT_EQ(0, pipe2(pipe_parent, 0));
child = fork();
ASSERT_LE(0, child);
if (child == 0) {
const struct landlock_ruleset_attr layer1 = {
.scoped = LANDLOCK_SCOPE_SIGNAL,
};
char pipe_child_str[12], pipe_parent_str[12];
char *const argv[] = { (char *)bin_wait_pipe_sandbox,
pipe_child_str, pipe_parent_str, NULL };
int ruleset_fd;
/* Passes the pipe FDs to the executed binary. */
EXPECT_EQ(0, close(pipe_child[0]));
EXPECT_EQ(0, close(pipe_parent[1]));
snprintf(pipe_child_str, sizeof(pipe_child_str), "%d",
pipe_child[1]);
snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d",
pipe_parent[0]);
ruleset_fd =
landlock_create_ruleset(&layer1, sizeof(layer1), 0);
if (ruleset_fd < 0) {
perror("Failed to create a ruleset");
_exit(1);
}
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
if (landlock_restrict_self(ruleset_fd,
variant->restrict_flags)) {
perror("Failed to restrict self");
_exit(1);
}
close(ruleset_fd);
ASSERT_EQ(0, execve(argv[0], argv, NULL))
{
TH_LOG("Failed to execute \"%s\": %s", argv[0],
strerror(errno));
};
_exit(1);
return;
}
EXPECT_EQ(0, close(pipe_child[1]));
EXPECT_EQ(0, close(pipe_parent[0]));
/* Waits for the child. */
EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
/* Tests that there was no denial until now. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
EXPECT_EQ(0, records.domain);
/*
* Wait for the child to do a first denied action by layer1 and
* sandbox itself with layer2.
*/
EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
/* Tests that the audit record only matches the child. */
if (variant->restrict_flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON) {
/* Matches the current domain. */
EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
getpid(), NULL));
}
/* Checks that we didn't miss anything. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
/*
* Wait for the child to do a second denied action by layer1 and
* layer2, and sandbox itself with layer3.
*/
EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
/* Tests that the audit record only matches the child. */
if (variant->restrict_flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON) {
/* Matches the current domain. */
EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
getpid(), NULL));
}
if (!(variant->restrict_flags &
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)) {
/* Matches the child domain. */
EXPECT_EQ(0, matches_log_fs_read_root(self->audit_fd));
}
/* Checks that we didn't miss anything. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
/* Waits for the child to terminate. */
EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
ASSERT_EQ(child, waitpid(child, &status, 0));
ASSERT_EQ(1, WIFEXITED(status));
ASSERT_EQ(0, WEXITSTATUS(status));
/* Tests that the audit record only matches the child. */
if (!(variant->restrict_flags &
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)) {
/*
* Matches the child domains, which tests that the
* llcred->domain_exec bitmask is correctly updated with a new
* domain.
*/
EXPECT_EQ(0, matches_log_fs_read_root(self->audit_fd));
EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
getpid(), NULL));
}
/* Checks that we didn't miss anything. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
}
TEST_HARNESS_MAIN