[RFC PATCH v1 02/11] security: Add LSM_AUDIT_DATA_NS for namespace audit records
Christian Brauner
brauner at kernel.org
Wed Mar 25 12:32:42 UTC 2026
On Thu, Mar 12, 2026 at 11:04:35AM +0100, Mickaël Salaün wrote:
> Add a new LSM audit data type LSM_AUDIT_DATA_NS that logs namespace
> information in audit records. Two fields are provided, matching the
> field names of struct ns_common:
>
> - ns_type: the CLONE_NEW* flag identifying the namespace type, logged in
> hexadecimal.
>
> - inum: the proc inode number identifying a specific namespace instance.
> Namespace inode numbers are allocated by proc_alloc_inum() via
> ida_alloc_max() bounded to UINT_MAX, so the value always fits in 32
> bits.
>
> A new audit data type is needed because no existing LSM_AUDIT_DATA_*
> type carries namespace information. The closest alternatives (e.g.
> LSM_AUDIT_DATA_TASK or LSM_AUDIT_DATA_NONE with custom strings) would
> either lose the namespace type or require ad-hoc formatting that
> bypasses the structured audit data union.
>
> Cc: Christian Brauner <brauner at kernel.org>
> Cc: Günther Noack <gnoack at google.com>
> Cc: Paul Moore <paul at paul-moore.com>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> ---
> include/linux/lsm_audit.h | 5 +++++
> security/lsm_audit.c | 4 ++++
> 2 files changed, 9 insertions(+)
>
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 382c56a97bba..6e20a56b8c22 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -78,6 +78,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_NOTIFICATION 16
> #define LSM_AUDIT_DATA_ANONINODE 17
> #define LSM_AUDIT_DATA_NLMSGTYPE 18
> +#define LSM_AUDIT_DATA_NS 19
> union {
> struct path path;
> struct dentry *dentry;
> @@ -100,6 +101,10 @@ struct common_audit_data {
> int reason;
> const char *anonclass;
> u16 nlmsg_type;
> + struct {
> + u32 ns_type;
> + unsigned int inum;
fwiw, you might want to start the 64-bit namespace id as well.
But either way:
Reviewed-by: Christian Brauner <brauner at kernel.org>
More information about the Linux-security-module-archive
mailing list