www.infradead.org Git - users/willy/xarray.git/commit

author	Mickaël Salaün <mic@digikod.net>
	Thu, 20 Mar 2025 19:07:05 +0000 (20:07 +0100)
committer	Mickaël Salaün <mic@digikod.net>
	Wed, 26 Mar 2025 12:59:42 +0000 (13:59 +0100)
commit	1176a15b5ec02925ea89bae05b5c860ddcce1e2e
tree	5e291e10e1008628322c561a17f45feb5bf22a73	tree
parent	9f74411a40cecc6faca2a3e3bbb7c1834276d4a2	commit \| diff

landlock: Log scoped denials

Add audit support for unix_stream_connect, unix_may_send, task_kill, and
file_send_sigiotask hooks.

The related blockers are:
- scope.abstract_unix_socket
- scope.signal

Audit event sample for abstract unix socket:

  type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F

Audit event sample for signal:

  type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd"

Refactor and simplify error handling in LSM hooks.

Extend struct landlock_file_security with fown_layer and use it to log
the blocking domain.  The struct aligned size is still 16 bytes.

Cc: Günther Noack <gnoack@google.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-17-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

security/landlock/audit.c		diff \| blob \| history
security/landlock/audit.h		diff \| blob \| history
security/landlock/fs.c		diff \| blob \| history
security/landlock/fs.h		diff \| blob \| history
security/landlock/task.c		diff \| blob \| history