[PATCH v3 18/23] landlock: Log scoped denials
Mickaël Salaün
mic at digikod.net
Mon Jan 6 14:51:53 UTC 2025
On Sat, Jan 04, 2025 at 08:23:53PM -0500, Paul Moore wrote:
> On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic at digikod.net> wrote:
> >
> > Add audit support for unix_stream_connect, unix_may_send, task_kill, and
> > file_send_sigiotask hooks.
> >
> > Audit event sample:
> >
> > type=LL_DENY [...]: domain=195ba459b blockers=scope_abstract_unix_socket path=00666F6F
>
> Similar to 17/23, I believe the SOCKADDR record should already capture
> the socket address information.
This might not be the case, which is why SELinux and others explicitly
log it I guess.
>
> It would also be nice to see an example record on a signal event.
Yes, I'll add such example.
>
> > Cc: Günther Noack <gnoack at google.com>
> > Cc: Tahera Fahimi <fahimitahera at gmail.com>
> > Signed-off-by: Mickaël Salaün <mic at digikod.net>
> > Link: https://lore.kernel.org/r/20241122143353.59367-19-mic@digikod.net
> > ---
> > Changes since v1:
> > - New patch.
> > ---
> > security/landlock/audit.c | 8 ++++++
> > security/landlock/audit.h | 2 ++
> > security/landlock/task.c | 58 ++++++++++++++++++++++++++++++++++++---
> > 3 files changed, 64 insertions(+), 4 deletions(-)
>
> --
> paul-moore.com
More information about the Linux-security-module-archive
mailing list