[PATCH v3 18/23] landlock: Log scoped denials
Mickaël Salaün
mic at digikod.net
Tue Jan 7 14:23:05 UTC 2025
On Mon, Jan 06, 2025 at 05:33:07PM -0500, Paul Moore wrote:
> On Mon, Jan 6, 2025 at 9:51 AM Mickaël Salaün <mic at digikod.net> wrote:
> > On Sat, Jan 04, 2025 at 08:23:53PM -0500, Paul Moore wrote:
> > > On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic at digikod.net> wrote:
> > > >
> > > > Add audit support for unix_stream_connect, unix_may_send, task_kill, and
> > > > file_send_sigiotask hooks.
> > > >
> > > > Audit event sample:
> > > >
> > > > type=LL_DENY [...]: domain=195ba459b blockers=scope_abstract_unix_socket path=00666F6F
> > >
> > > Similar to 17/23, I believe the SOCKADDR record should already capture
> > > the socket address information.
> >
> > This might not be the case, which is why SELinux and others explicitly
> > log it I guess.
>
> I think I may be misunderstanding you, can you point to the section of
> SELinux code that you are referring to in your comment?
I'm refering to struct lsm_network_audit, and the related information
ending in the logs with LSM_AUDIT_DATA_NET. Landlock follows the
current implementations, hence the generalization brought by the second
patch with audit_log_lsm_data().
More information about the Linux-security-module-archive
mailing list