mirror of
https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git
synced 2025-10-30 22:47:06 +10:00
1176a15b5e
Add audit support for unix_stream_connect, unix_may_send, task_kill, and file_send_sigiotask hooks. The related blockers are: - scope.abstract_unix_socket - scope.signal Audit event sample for abstract unix socket: type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F Audit event sample for signal: type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd" Refactor and simplify error handling in LSM hooks. Extend struct landlock_file_security with fown_layer and use it to log the blocking domain. The struct aligned size is still 16 bytes. Cc: Günther Noack <gnoack@google.com> Cc: Tahera Fahimi <fahimitahera@gmail.com> Link: https://lore.kernel.org/r/20250320190717.2287696-17-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
77 lines
1.8 KiB
C
77 lines
1.8 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* Landlock - Audit helpers
|
|
*
|
|
* Copyright © 2023-2025 Microsoft Corporation
|
|
*/
|
|
|
|
#ifndef _SECURITY_LANDLOCK_AUDIT_H
|
|
#define _SECURITY_LANDLOCK_AUDIT_H
|
|
|
|
#include <linux/audit.h>
|
|
#include <linux/lsm_audit.h>
|
|
|
|
#include "access.h"
|
|
#include "cred.h"
|
|
|
|
enum landlock_request_type {
|
|
LANDLOCK_REQUEST_PTRACE = 1,
|
|
LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
|
|
LANDLOCK_REQUEST_FS_ACCESS,
|
|
LANDLOCK_REQUEST_NET_ACCESS,
|
|
LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
|
|
LANDLOCK_REQUEST_SCOPE_SIGNAL,
|
|
};
|
|
|
|
/*
|
|
* We should be careful to only use a variable of this type for
|
|
* landlock_log_denial(). This way, the compiler can remove it entirely if
|
|
* CONFIG_AUDIT is not set.
|
|
*/
|
|
struct landlock_request {
|
|
/* Mandatory fields. */
|
|
enum landlock_request_type type;
|
|
struct common_audit_data audit;
|
|
|
|
/**
|
|
* layer_plus_one: First layer level that denies the request + 1. The
|
|
* extra one is useful to detect uninitialized field.
|
|
*/
|
|
size_t layer_plus_one;
|
|
|
|
/* Required field for configurable access control. */
|
|
access_mask_t access;
|
|
|
|
/* Required fields for requests with layer masks. */
|
|
const layer_mask_t (*layer_masks)[];
|
|
size_t layer_masks_size;
|
|
|
|
/* Required fields for requests with deny masks. */
|
|
const access_mask_t all_existing_optional_access;
|
|
deny_masks_t deny_masks;
|
|
};
|
|
|
|
#ifdef CONFIG_AUDIT
|
|
|
|
void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy);
|
|
|
|
void landlock_log_denial(const struct landlock_cred_security *const subject,
|
|
const struct landlock_request *const request);
|
|
|
|
#else /* CONFIG_AUDIT */
|
|
|
|
static inline void
|
|
landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy)
|
|
{
|
|
}
|
|
|
|
static inline void
|
|
landlock_log_denial(const struct landlock_cred_security *const subject,
|
|
const struct landlock_request *const request)
|
|
{
|
|
}
|
|
|
|
#endif /* CONFIG_AUDIT */
|
|
|
|
#endif /* _SECURITY_LANDLOCK_AUDIT_H */
|