GitHub Repository: torvalds/linux
Path: blob/master/security/landlock/audit.h
/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Landlock - Audit helpers
*
* Copyright © 2023-2025 Microsoft Corporation
*/
#ifndef _SECURITY_LANDLOCK_AUDIT_H
#define _SECURITY_LANDLOCK_AUDIT_H
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include "access.h"
#include "cred.h"
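/*
 * Kind of request carried in the type field of struct landlock_request.
 *
 * Numbering starts at 1, so 0 is not a valid request type; presumably this
 * keeps a zero-initialized request distinguishable from a populated one
 * (confirm against landlock_log_denial()).
 *
 * The enumerator names indicate the area each request belongs to (ptrace,
 * filesystem topology change, filesystem access, network access, abstract
 * UNIX socket scope, signal scope); the callers that set them are not
 * visible in this header.
 */
enum landlock_request_type {
	LANDLOCK_REQUEST_PTRACE = 1,
	LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
	LANDLOCK_REQUEST_FS_ACCESS,
	LANDLOCK_REQUEST_NET_ACCESS,
	LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
	LANDLOCK_REQUEST_SCOPE_SIGNAL,
};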
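/*
 * Description of one request, handed to landlock_log_denial().
 *
 * We should be careful to only use a variable of this type for
 * landlock_log_denial().  This way, the compiler can remove it entirely if
 * CONFIG_AUDIT is not set.
 */
struct landlock_request {
	/* Mandatory fields. */
	enum landlock_request_type type;
	struct common_audit_data audit;

	/**
	 * @layer_plus_one: First layer level that denies the request + 1.  The
	 * extra one is useful to detect an uninitialized field.
	 */
	size_t layer_plus_one;

	/* Required field for configurable access control. */
	access_mask_t access;

	/*
	 * Required fields for requests with layer masks.  layer_masks points
	 * to an array of unknown bound, so its extent has to come from
	 * layer_masks_size (unit not visible in this header, presumably a
	 * number of elements; confirm against landlock_log_denial()).
	 */
	const layer_mask_t (*layer_masks)[];
	size_t layer_masks_size;

	/*
	 * Required fields for requests with deny masks.
	 * all_existing_optional_access is const, so it can only be given a
	 * value when the request is initialized.
	 */
	const access_mask_t all_existing_optional_access;
	deny_masks_t deny_masks;
};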
#ifdef CONFIG_AUDIT
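/*
 * Audit entry points.  Only the declarations live in this header; the
 * definitions are out of line and not visible here.
 *
 * Both take const pointers to const objects: the declarations do not allow
 * the callee to modify the hierarchy, the subject or the request.
 */
void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy);

void landlock_log_denial(const struct landlock_cred_security *const subject,
			 const struct landlock_request *const request);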
#else /* CONFIG_AUDIT */
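/*
 * No-op stand-in for landlock_log_drop_domain() in builds without
 * CONFIG_AUDIT: @hierarchy is ignored and nothing is recorded, so such
 * builds produce no log entry through this call.
 */
static inline void
landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy)
{
}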
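/*
 * No-op stand-in for landlock_log_denial() in builds without CONFIG_AUDIT:
 * @subject and @request are ignored and nothing is recorded.  Monitoring
 * that relies on records from this call gets none on such builds.
 */
static inline void
landlock_log_denial(const struct landlock_cred_security *const subject,
		    const struct landlock_request *const request)
{
}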
#endif /* CONFIG_AUDIT */
#endif /* _SECURITY_LANDLOCK_AUDIT_H */