[PATCH v3 18/23] landlock: Log scoped denials
Paul Moore
paul at paul-moore.com
Sun Jan 5 01:23:53 UTC 2025
On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic at digikod.net> wrote:
>
> Add audit support for unix_stream_connect, unix_may_send, task_kill, and
> file_send_sigiotask hooks.
>
> Audit event sample:
>
> type=LL_DENY [...]: domain=195ba459b blockers=scope_abstract_unix_socket path=00666F6F
Similar to 17/23, I believe the SOCKADDR record should already capture
the socket address information.
It would also be nice to see an example record on a signal event.
> Cc: Günther Noack <gnoack at google.com>
> Cc: Tahera Fahimi <fahimitahera at gmail.com>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> Link: https://lore.kernel.org/r/20241122143353.59367-19-mic@digikod.net
> ---
> Changes since v1:
> - New patch.
> ---
> security/landlock/audit.c | 8 ++++++
> security/landlock/audit.h | 2 ++
> security/landlock/task.c | 58 ++++++++++++++++++++++++++++++++++++---
> 3 files changed, 64 insertions(+), 4 deletions(-)
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list