Re: [PATCH v2 1/1] audit: Mark audit_log_vformat() with __printf() attribute

2025-03-20 Thread Andy Shevchenko
On Thu, Mar 13, 2025 at 10:52:39AM +0200, Andy Shevchenko wrote: > audit_log_vformat() is using printf() type of format, and GCC compiler > (Debian 14.2.0-17) is not happy about this: > > kernel/audit.c:1978:9: error: function ‘audit_log_vformat’ might be a > candidate for ‘gnu_printf’ format att

[PATCH v7 27/28] selftests/landlock: Add audit tests for network

2025-03-20 Thread Mickaël Salaün
Test all network blockers: - net.bind_tcp - net.connect_tcp Test coverage for security/landlock is 94.0% of 1430 lines according to gcc/gcov-14. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün --- Changes since v6: - New patch. --- tools/testing/selftests/landlock/net_test.c |

Re: [PATCH v2] audit,module: restore audit logging in load failure case

2025-03-20 Thread Petr Pavlu
On 3/17/25 20:57, Richard Guy Briggs wrote: > The move of the module sanity check to earlier skipped the audit logging > call in the case of failure and to a place where the previously used > context is unavailable. > > Add an audit logging call for the module loading failure case and get > the mo

[PATCH v3 0/5] Audit: Records for multiple security contexts

2025-03-20 Thread Casey Schaufler
The Linux audit system includes LSM based security "context" information in its events. Historically, only one LSM that uses security contexts can be active on a system. One of the few obstacles to allowing multiple LSM support is the inability to report more than one security context in an audit e

[PATCH v7 02/28] landlock: Add unique ID generator

2025-03-20 Thread Mickaël Salaün
Landlock IDs can be generated to uniquely identify Landlock objects. For now, only Landlock domains get an ID at creation time. These IDs map to immutable domain hierarchies. Landlock IDs have important properties: - They are unique during the lifetime of the running system thanks to the 64-bit

[PATCH v7 10/28] landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status

2025-03-20 Thread Mickaël Salaün
Asynchronously log domain information when it first denies an access. This minimizes the amount of generated logs, which makes it possible to always log denials for the current execution since they should not happen. These records are identified with the new AUDIT_LANDLOCK_DOMAIN type. The AUDIT_L

[PATCH v7 09/28] landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials

2025-03-20 Thread Mickaël Salaün
Add a new AUDIT_LANDLOCK_ACCESS record type dedicated to an access request denied by a Landlock domain. AUDIT_LANDLOCK_ACCESS indicates that something unexpected happened. For now, only denied accesses are logged, which means that any AUDIT_LANDLOCK_ACCESS record is always followed by a SYSCALL rec

[PATCH v7 12/28] landlock: Log file-related denials

2025-03-20 Thread Mickaël Salaün
Add audit support for path_mkdir, path_mknod, path_symlink, path_unlink, path_rmdir, path_truncate, path_link, path_rename, and file_open hooks. The dedicated blockers are: - fs.execute - fs.write_file - fs.read_file - fs.read_dir - fs.remove_dir - fs.remove_file - fs.make_char - fs.make_dir - fs.

[PATCH v7 22/28] selftests/landlock: Add tests for audit flags and domain IDs

2025-03-20 Thread Mickaël Salaün
Add audit_test.c to check with and without LANDLOCK_RESTRICT_SELF_* flags against the two Landlock audit record types: AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN. Check consistency of domain IDs per layer in AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN messages: denied access, domain alloc

[PATCH v7 23/28] selftests/landlock: Test audit with restrict flags

2025-03-20 Thread Mickaël Salaün
Add audit_exec tests to filter Landlock denials according to cross-execution or muted subdomains. Add a wait-pipe-sandbox.c test program to sandbox itself and send a (denied) signal to its parent. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün --- Changes since v6: - Check au

[PATCH v7 28/28] landlock: Add audit documentation

2025-03-20 Thread Mickaël Salaün
Because audit is dedicated to the system administrator, create a new entry in Documentation/admin-guide/LSM. Extend other Landlock documentation's pages with this new one. Extend UAPI with the new log flags. Extend the guiding principles with logs. Cc: Günther Noack Cc: Paul Moore Signed-off

[PATCH v7 14/28] landlock: Log truncate and IOCTL denials

2025-03-20 Thread Mickaël Salaün
Add audit support to the file_truncate and file_ioctl hooks. Add a deny_masks_t type and related helpers to store the domain's layer level per optional access rights (i.e. LANDLOCK_ACCESS_FS_TRUNCATE and LANDLOCK_ACCESS_FS_IOCTL_DEV) when opening a file, which cannot be inferred later. In practic

[PATCH v7 00/28] Landlock audit support

2025-03-20 Thread Mickaël Salaün
Hi, This patch series adds audit support to Landlock. Logging denied requests is useful for different use cases: - sysadmins: to look for users' issues, - security experts: to detect attack attempts, - power users: to understand denials, - developers: to ease sandboxing support and get feedback f

[PATCH v7 03/28] landlock: Move domain hierarchy management

2025-03-20 Thread Mickaël Salaün
Create a new domain.h file containing the struct landlock_hierarchy definition and helpers. This type will grow with audit support. This also prepares for a new domain type. Cc: Günther Noack Signed-off-by: Mickaël Salaün --- Changes since v6: - Clean up headers. Changes since v4: - Revert v

[PATCH v7 08/28] landlock: Identify domain execution crossing

2025-03-20 Thread Mickaël Salaün
Extend struct landlock_cred_security with a domain_exec bitmask to identify which Landlock domains were created by the current task's bprm. The whole bitmask is reset on each execve(2) call. Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün --- Changes since v5: - Add documentation

[PATCH v7 26/28] selftests/landlock: Add audit tests for filesystem

2025-03-20 Thread Mickaël Salaün
Test all filesystem blockers, including events with several records, and record with several blockers: - fs.execute - fs.write_file - fs.read_file - fs_read_dir - fs.remove_dir - fs.remove_file - fs.make_char - fs.make_dir - fs.make_reg - fs.make_sock - fs.make_fifo - fs.make_block - fs.make_sym -

[PATCH v7 24/28] selftests/landlock: Add audit tests for ptrace

2025-03-20 Thread Mickaël Salaün
Add tests for all ptrace actions checking "blockers=ptrace" records. This also improves PTRACE_TRACEME and PTRACE_ATTACH tests by making sure that the restrictions come from Landlock, and with the expected process. These extended tests are like enhanced errno checks that make sure Landlock enfor

[PATCH v7 13/28] landlock: Factor out IOCTL hooks

2025-03-20 Thread Mickaël Salaün
Compat and non-compat IOCTL hooks are almost the same, except to compare the IOCTL command. Factor out these two IOCTL hooks to highlight the difference and minimize audit changes (see next commit). Cc: Günther Noack Signed-off-by: Mickaël Salaün --- Changes since v6: - New patch. --- securit

[PATCH v7 20/28] selftests/landlock: Add test for invalid ruleset file descriptor

2025-03-20 Thread Mickaël Salaün
To align with fs_test's layout1.inval and layout0.proc_nsfs which test EBADFD for landlock_add_rule(2), create a new base_test's restrict_self_fd which tests EBADFD for landlock_restrict_self(2). Cc: Günther Noack Cc: Paul Moore Signed-off-by: Mickaël Salaün --- Changes since v5: - New standalo