landlock: Identify domain execution crossing

Extend struct landlock_cred_security with a domain_exec bitmask to
identify which Landlock domain were created by the current task's bprm.
The whole bitmask is reset on each execve(2) call.

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-9-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

security/landlock/cred.c

@@ -1,11 +1,13 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Landlock LSM - Credential hooks
+ * Landlock - Credential hooks
  *
  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
  * Copyright © 2018-2020 ANSSI
+ * Copyright © 2024-2025 Microsoft Corporation
  */
 
+#include <linux/binfmts.h>
 #include <linux/cred.h>
 #include <linux/lsm_hooks.h>
 
@@ -17,11 +19,12 @@
 static void hook_cred_transfer(struct cred *const new,
 			       const struct cred *const old)
 {
-	struct landlock_ruleset *const old_dom = landlock_cred(old)->domain;
+	const struct landlock_cred_security *const old_llcred =
+		landlock_cred(old);
 
-	if (old_dom) {
+	if (old_llcred->domain) {
-		landlock_get_ruleset(old_dom);
+		landlock_get_ruleset(old_llcred->domain);
-		landlock_cred(new)->domain = old_dom;
+		*landlock_cred(new) = *old_llcred;
 	}
 }
 
@@ -40,10 +43,25 @@ static void hook_cred_free(struct cred *const cred)
 		landlock_put_ruleset_deferred(dom);
 }
 
+#ifdef CONFIG_AUDIT
+
+static int hook_bprm_creds_for_exec(struct linux_binprm *const bprm)
+{
+	/* Resets for each execution. */
+	landlock_cred(bprm->cred)->domain_exec = 0;
+	return 0;
+}
+
+#endif /* CONFIG_AUDIT */
+
 static struct security_hook_list landlock_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),
 	LSM_HOOK_INIT(cred_transfer, hook_cred_transfer),
 	LSM_HOOK_INIT(cred_free, hook_cred_free),
+
+#ifdef CONFIG_AUDIT
+	LSM_HOOK_INIT(bprm_creds_for_exec, hook_bprm_creds_for_exec),
+#endif /* CONFIG_AUDIT */
 };
 
 __init void landlock_add_cred_hooks(void)

security/landlock/cred.h

@@ -10,17 +10,47 @@
 #ifndef _SECURITY_LANDLOCK_CRED_H
 #define _SECURITY_LANDLOCK_CRED_H
 
+#include <linux/container_of.h>
 #include <linux/cred.h>
 #include <linux/init.h>
 #include <linux/rcupdate.h>
 
 #include "access.h"
+#include "limits.h"
 #include "ruleset.h"
 #include "setup.h"
 
+/**
+ * struct landlock_cred_security - Credential security blob
+ *
+ * This structure is packed to minimize the size of struct
+ * landlock_file_security.  However, it is always aligned in the LSM cred blob,
+ * see lsm_set_blob_size().
+ */
 struct landlock_cred_security {
+	/**
+	 * @domain: Immutable ruleset enforced on a task.
+	 */
 	struct landlock_ruleset *domain;
-};
+
+#ifdef CONFIG_AUDIT
+	/**
+	 * @domain_exec: Bitmask identifying the domain layers that were enforced by
+	 * the current task's executed file (i.e. no new execve(2) since
+	 * landlock_restrict_self(2)).
+	 */
+	u16 domain_exec;
+#endif /* CONFIG_AUDIT */
+} __packed;
+
+#ifdef CONFIG_AUDIT
+
+/* Makes sure all layer executions can be stored. */
+static_assert(BITS_PER_TYPE(typeof_member(struct landlock_cred_security,
+					  domain_exec)) >=
+	      LANDLOCK_MAX_NUM_LAYERS);
+
+#endif /* CONFIG_AUDIT */
 
 static inline struct landlock_cred_security *
 landlock_cred(const struct cred *cred)

security/landlock/syscalls.c

@@ -510,5 +510,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
 	/* Replaces the old (prepared) domain. */
 	landlock_put_ruleset(new_llcred->domain);
 	new_llcred->domain = new_dom;
+
+#ifdef CONFIG_AUDIT
+	new_llcred->domain_exec |= 1 << (new_dom->num_layers - 1);
+#endif /* CONFIG_AUDIT */
+
 	return commit_creds(new_cred);
 }