landlock: Log scoped denials

Add audit support for unix_stream_connect, unix_may_send, task_kill, and
file_send_sigiotask hooks.

The related blockers are:
- scope.abstract_unix_socket
- scope.signal

Audit event sample for abstract unix socket:

  type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F

Audit event sample for signal:

  type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd"

Refactor and simplify error handling in LSM hooks.

Extend struct landlock_file_security with fown_layer and use it to log
the blocking domain.  The struct aligned size is still 16 bytes.

Cc: Günther Noack <gnoack@google.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-17-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

5 files changed, 97 insertions, 18 deletions

diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index ed8fa129178d..77d11355f6ed 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -70,6 +70,14 @@ get_blocker(const enum landlock_request_type type,
 		if (WARN_ON_ONCE(access_bit >= ARRAY_SIZE(net_access_strings)))
 			return "unknown";
 		return net_access_strings[access_bit];
+
+	case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
+		WARN_ON_ONCE(access_bit != -1);
+		return "scope.abstract_unix_socket";
+
+	case LANDLOCK_REQUEST_SCOPE_SIGNAL:
+		WARN_ON_ONCE(access_bit != -1);
+		return "scope.signal";
 	}
 
 	WARN_ON_ONCE(1);
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 486b4e7050d3..92428b7fc4d8 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -19,6 +19,8 @@ enum landlock_request_type {
 	LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
 	LANDLOCK_REQUEST_FS_ACCESS,
 	LANDLOCK_REQUEST_NET_ACCESS,
+	LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+	LANDLOCK_REQUEST_SCOPE_SIGNAL,
 };
 
 /*
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 0a58962cf61d..3e98b748033c 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1798,14 +1798,15 @@ static void hook_file_set_fowner(struct file *file)
 {
 	struct landlock_ruleset *prev_dom;
 	struct landlock_cred_security fown_subject = {};
+	size_t fown_layer = 0;
 
 	if (control_current_fowner(file_f_owner(file))) {
 		static const struct access_masks signal_scope = {
 			.scope = LANDLOCK_SCOPE_SIGNAL,
 		};
 		const struct landlock_cred_security *new_subject =
-			landlock_get_applicable_subject(current_cred(),
-							signal_scope, NULL);
+			landlock_get_applicable_subject(
+				current_cred(), signal_scope, &fown_layer);
 		if (new_subject) {
 			landlock_get_ruleset(new_subject->domain);
 			fown_subject = *new_subject;
@@ -1814,6 +1815,9 @@ static void hook_file_set_fowner(struct file *file)
 
 	prev_dom = landlock_file(file)->fown_subject.domain;
 	landlock_file(file)->fown_subject = fown_subject;
+#ifdef CONFIG_AUDIT
+	landlock_file(file)->fown_layer = fown_layer;
+#endif /* CONFIG_AUDIT*/
 
 	/* May be called in an RCU read-side critical section. */
 	landlock_put_ruleset_deferred(prev_dom);
diff --git a/security/landlock/fs.h b/security/landlock/fs.h
index 8c48fad4e123..bf9948941f2f 100644
--- a/security/landlock/fs.h
+++ b/security/landlock/fs.h
@@ -10,6 +10,7 @@
 #ifndef _SECURITY_LANDLOCK_FS_H
 #define _SECURITY_LANDLOCK_FS_H
 
+#include <linux/build_bug.h>
 #include <linux/fs.h>
 #include <linux/init.h>
 #include <linux/rcupdate.h>
@@ -62,6 +63,11 @@ struct landlock_file_security {
 	 * _LANDLOCK_ACCESS_FS_OPTIONAL).
 	 */
 	deny_masks_t deny_masks;
+	/**
+	 * @fown_layer: Layer level of @fown_subject->domain with
+	 * LANDLOCK_SCOPE_SIGNAL.
+	 */
+	u8 fown_layer;
 #endif /* CONFIG_AUDIT */
 
 	/**
@@ -74,6 +80,16 @@ struct landlock_file_security {
 	struct landlock_cred_security fown_subject;
 };
 
+#ifdef CONFIG_AUDIT
+
+/* Makes sure all layers can be identified. */
+/* clang-format off */
+static_assert((typeof_member(struct landlock_file_security, fown_layer))~0 >=
+	      LANDLOCK_MAX_NUM_LAYERS);
+/* clang-format off */
+
+#endif /* CONFIG_AUDIT */
+
 /**
  * struct landlock_superblock_security - Superblock security blob
  *
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 30ac4340c62e..2385017418ca 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -266,26 +266,41 @@ static int hook_unix_stream_connect(struct sock *const sock,
 				    struct sock *const other,
 				    struct sock *const newsk)
 {
+	size_t handle_layer;
 	const struct landlock_cred_security *const subject =
 		landlock_get_applicable_subject(current_cred(), unix_scope,
-						NULL);
+						&handle_layer);
 
 	/* Quick return for non-landlocked tasks. */
 	if (!subject)
 		return 0;
 
-	if (is_abstract_socket(other) && sock_is_scoped(other, subject->domain))
-		return -EPERM;
+	if (!is_abstract_socket(other))
+		return 0;
+
+	if (!sock_is_scoped(other, subject->domain))
+		return 0;
 
-	return 0;
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.audit = {
+			.type = LSM_AUDIT_DATA_NET,
+			.u.net = &(struct lsm_network_audit) {
+				.sk = other,
+			},
+		},
+		.layer_plus_one = handle_layer + 1,
+	});
+	return -EPERM;
 }
 
 static int hook_unix_may_send(struct socket *const sock,
 			      struct socket *const other)
 {
+	size_t handle_layer;
 	const struct landlock_cred_security *const subject =
 		landlock_get_applicable_subject(current_cred(), unix_scope,
-						NULL);
+						&handle_layer);
 
 	if (!subject)
 		return 0;
@@ -297,11 +312,23 @@ static int hook_unix_may_send(struct socket *const sock,
 	if (unix_peer(sock->sk) == other->sk)
 		return 0;
 
-	if (is_abstract_socket(other->sk) &&
-	    sock_is_scoped(other->sk, subject->domain))
-		return -EPERM;
+	if (!is_abstract_socket(other->sk))
+		return 0;
+
+	if (!sock_is_scoped(other->sk, subject->domain))
+		return 0;
 
-	return 0;
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.audit = {
+			.type = LSM_AUDIT_DATA_NET,
+			.u.net = &(struct lsm_network_audit) {
+				.sk = other->sk,
+			},
+		},
+		.layer_plus_one = handle_layer + 1,
+	});
+	return -EPERM;
 }
 
 static const struct access_masks signal_scope = {
@@ -313,6 +340,7 @@ static int hook_task_kill(struct task_struct *const p,
 			  const struct cred *cred)
 {
 	bool is_scoped;
+	size_t handle_layer;
 	const struct landlock_cred_security *subject;
 
 	if (!cred) {
@@ -331,7 +359,8 @@ static int hook_task_kill(struct task_struct *const p,
 		cred = current_cred();
 	}
 
-	subject = landlock_get_applicable_subject(cred, signal_scope, NULL);
+	subject = landlock_get_applicable_subject(cred, signal_scope,
+						  &handle_layer);
 
 	/* Quick return for non-landlocked tasks. */
 	if (!subject)
@@ -343,10 +372,19 @@ static int hook_task_kill(struct task_struct *const p,
 					     landlock_get_task_domain(p),
 					     signal_scope.scope);
 	}
-	if (is_scoped)
-		return -EPERM;
 
-	return 0;
+	if (!is_scoped)
+		return 0;
+
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+		.audit = {
+			.type = LSM_AUDIT_DATA_TASK,
+			.u.tsk = p,
+		},
+		.layer_plus_one = handle_layer + 1,
+	});
+	return -EPERM;
 }
 
 static int hook_file_send_sigiotask(struct task_struct *tsk,
@@ -375,10 +413,21 @@ static int hook_file_send_sigiotask(struct task_struct *tsk,
 					     landlock_get_task_domain(tsk),
 					     signal_scope.scope);
 	}
-	if (is_scoped)
-		return -EPERM;
 
-	return 0;
+	if (!is_scoped)
+		return 0;
+
+	landlock_log_denial(subject, &(struct landlock_request) {
+		.type = LANDLOCK_REQUEST_SCOPE_SIGNAL,
+		.audit = {
+			.type = LSM_AUDIT_DATA_TASK,
+			.u.tsk = tsk,
+		},
+#ifdef CONFIG_AUDIT
+		.layer_plus_one = landlock_file(fown->file)->fown_layer + 1,
+#endif /* CONFIG_AUDIT */
+	});
+	return -EPERM;
 }
 
 static struct security_hook_list landlock_hooks[] __ro_after_init = {