diff options
| author | Mickaël Salaün <mic@digikod.net> | 2025-03-20 22:07:03 +0300 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2025-03-26 15:59:41 +0300 |
| commit | 20fd2954945458c1b04060d1ce6320f897b3a701 (patch) | |
| tree | ec54448c18937629bacd6d71111474bcc8d81cd9 /scripts/generate_rust_analyzer.py | |
| parent | e120b3c29302532aba2f46c0544ad728c56c11f5 (diff) | |
| download | linux-20fd2954945458c1b04060d1ce6320f897b3a701.tar.xz | |
landlock: Log truncate and IOCTL denials
Add audit support to the file_truncate and file_ioctl hooks.
Add a deny_masks_t type and related helpers to store the domain's layer
level per optional access rights (i.e. LANDLOCK_ACCESS_FS_TRUNCATE and
LANDLOCK_ACCESS_FS_IOCTL_DEV) when opening a file, which cannot be
inferred later. In practice, the landlock_file_security aligned blob size is
still 16 bytes because this new one-byte deny_masks field follows the
existing two-bytes allowed_access field and precede the packed
fown_subject.
Implementing deny_masks_t with a bitfield instead of a struct enables a
generic implementation to store and extract layer levels.
Add KUnit tests to check the identification of a layer level from a
deny_masks_t, and the computation of a deny_masks_t from an access right
with its layer level or a layer_mask_t array.
Audit event sample:
type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.ioctl_dev path="/dev/tty" dev="devtmpfs" ino=9 ioctlcmd=0x5401
Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-15-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'scripts/generate_rust_analyzer.py')
0 files changed, 0 insertions, 0 deletions