Linux Kernel Landlock LOG_SUBDOMAINS_OFF Fork Inheritance Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Landlock security module affects the inheritance of the LOG_SUBDOMAINS_OFF setting across fork operations. This issue arises because the hook_cred_transfer function only copies the Landlock security blob when the source credential has an associated domain. As a result, when a process mutes subdomain logs and then forks a child process, the child loses the muting, leading to unexpected audit records. The vulnerability is present in the Linux kernel stable tree.

Impact

The vulnerability disrupts the intended functionality of muting subdomain logs, causing child processes to generate unexpected audit records related to subdomain activities.

Reproduction

To reproduce, first fork a child process that creates a domain and triggers a denial, which is logged. Then mute the subdomain logs in the parent process and fork a second child, which also creates a domain and triggers a denial. With the muting inherited, this second denial is not logged. On an affected kernel the second child has lost the muting, so the denial still produces an audit record, demonstrating the issue.

Remediation

The vulnerability has been addressed by modifying the hook_cred_transfer function to unconditionally copy the Landlock credential blob, ensuring that the LOG_SUBDOMAINS_OFF setting is preserved across fork operations.
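
A simplified userspace model of the conditional versus unconditional copy described above. This is an added example, not kernel source or code from the original advisory, and the struct, field and function names are illustrative assumptions:

```c
/* Userspace model of the behaviour described above; NOT kernel source.
 * Struct, field and function names are illustrative assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct domain { int usage; bool log_disabled; };
struct llcred {                    /* modeled Landlock credential blob */
	struct domain *domain;     /* NULL until the task sandboxes itself */
	bool log_subdomains_off;   /* set when the task mutes subdomain logs */
};
typedef void (*transfer_fn)(struct llcred *, const struct llcred *);

/* Before the fix: copy only when the source credential has a domain. */
static void transfer_conditional(struct llcred *dst, const struct llcred *src)
{
	if (src->domain) {
		src->domain->usage++;
		*dst = *src;
	}
}

/* After the fix: copy the blob unconditionally. */
static void transfer_unconditional(struct llcred *dst, const struct llcred *src)
{
	if (src->domain)
		src->domain->usage++;
	*dst = *src;
}

/* Model fork() followed by the child creating a domain and hitting a denial.
 * Returns true when that denial would produce an audit record. */
static bool child_denial_logged(transfer_fn transfer, bool parent_has_domain, bool parent_muted)
{
	struct domain parent_dom = { .usage = 1 }, child_dom = { .usage = 1 };
	struct llcred parent = { parent_has_domain ? &parent_dom : NULL, parent_muted };
	struct llcred child = { NULL, false };   /* fresh blob before the hook runs */

	transfer(&child, &parent);
	child_dom.log_disabled = child.log_subdomains_off; /* muting applies to new domains */
	child.domain = &child_dom;
	return !child.domain->log_disabled;
}

int main(void)
{
	printf("muted, no domain, before fix: logged=%d\n", child_denial_logged(transfer_conditional, false, true));
	printf("muted, no domain, after fix:  logged=%d\n", child_denial_logged(transfer_unconditional, false, true));
	return 0;
}
```

In this model the muting is lost only when the parent has no domain of its own; a parent that already has a domain passes the flag to its child under either version.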

Added: May 27, 2026, 9:24 PM
Updated: May 27, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.