mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
synced 2025-08-27 06:50:37 +00:00
7288511606
-----BEGIN PGP SIGNATURE-----
iIYEABYKAC4WIQSVyBthFV4iTW/VU1/l49DojIL20gUCZ+bGgBAcbWljQGRpZ2lr
b2QubmV0AAoJEOXj0OiMgvbSKmgBAICZsmQTuKMHIXdB7kwA+BX5k++SZcyA+qHN
0hrJTSMsAP0Uv6NpiPT4CTduqBMRbuMwNhujBczRiok6yaHDbC8eCw==
=K8XL
-----END PGP SIGNATURE-----
Merge tag 'landlock-6.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull landlock updates from Mickaël Salaün:
"This brings two main changes to Landlock:
- A signal scoping fix with a new interface for user space to know if
it is compatible with the running kernel.
- Audit support to give visibility on why access requests are denied,
including the origin of the security policy, missing access rights,
and description of object(s). This was designed to limit log spam
as much as possible while still alerting about unexpected blocked
access.
With these changes come new and improved documentation, and a lot of
new tests"
* tag 'landlock-6.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (36 commits)
landlock: Add audit documentation
selftests/landlock: Add audit tests for network
selftests/landlock: Add audit tests for filesystem
selftests/landlock: Add audit tests for abstract UNIX socket scoping
selftests/landlock: Add audit tests for ptrace
selftests/landlock: Test audit with restrict flags
selftests/landlock: Add tests for audit flags and domain IDs
selftests/landlock: Extend tests for landlock_restrict_self(2)'s flags
selftests/landlock: Add test for invalid ruleset file descriptor
samples/landlock: Enable users to log sandbox denials
landlock: Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags
landlock: Log scoped denials
landlock: Log TCP bind and connect denials
landlock: Log truncate and IOCTL denials
landlock: Factor out IOCTL hooks
landlock: Log file-related denials
landlock: Log mount-related denials
landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status
landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials
...
154 lines
3.4 KiB
C
154 lines
3.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Common LSM logging functions
|
|
* Heavily borrowed from selinux/avc.h
|
|
*
|
|
* Author : Etienne BASSET <etienne.basset@ensta.org>
|
|
*
|
|
* All credits to : Stephen Smalley
|
|
* All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
|
|
*/
|
|
#ifndef _LSM_COMMON_LOGGING_
|
|
#define _LSM_COMMON_LOGGING_
|
|
|
|
#include <linux/stddef.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/kdev_t.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/init.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/path.h>
|
|
#include <linux/key.h>
|
|
#include <linux/skbuff.h>
|
|
#include <rdma/ib_verbs.h>
|
|
|
|
struct lsm_network_audit {
|
|
int netif;
|
|
const struct sock *sk;
|
|
u16 family;
|
|
__be16 dport;
|
|
__be16 sport;
|
|
union {
|
|
struct {
|
|
__be32 daddr;
|
|
__be32 saddr;
|
|
} v4;
|
|
struct {
|
|
struct in6_addr daddr;
|
|
struct in6_addr saddr;
|
|
} v6;
|
|
} fam;
|
|
};
|
|
|
|
struct lsm_ioctlop_audit {
|
|
struct path path;
|
|
u16 cmd;
|
|
};
|
|
|
|
struct lsm_ibpkey_audit {
|
|
u64 subnet_prefix;
|
|
u16 pkey;
|
|
};
|
|
|
|
struct lsm_ibendport_audit {
|
|
const char *dev_name;
|
|
u8 port;
|
|
};
|
|
|
|
/* Auxiliary data to use in generating the audit record. */
|
|
struct common_audit_data {
|
|
char type;
|
|
#define LSM_AUDIT_DATA_PATH 1
|
|
#define LSM_AUDIT_DATA_NET 2
|
|
#define LSM_AUDIT_DATA_CAP 3
|
|
#define LSM_AUDIT_DATA_IPC 4
|
|
#define LSM_AUDIT_DATA_TASK 5
|
|
#define LSM_AUDIT_DATA_KEY 6
|
|
#define LSM_AUDIT_DATA_NONE 7
|
|
#define LSM_AUDIT_DATA_KMOD 8
|
|
#define LSM_AUDIT_DATA_INODE 9
|
|
#define LSM_AUDIT_DATA_DENTRY 10
|
|
#define LSM_AUDIT_DATA_IOCTL_OP 11
|
|
#define LSM_AUDIT_DATA_FILE 12
|
|
#define LSM_AUDIT_DATA_IBPKEY 13
|
|
#define LSM_AUDIT_DATA_IBENDPORT 14
|
|
#define LSM_AUDIT_DATA_LOCKDOWN 15
|
|
#define LSM_AUDIT_DATA_NOTIFICATION 16
|
|
#define LSM_AUDIT_DATA_ANONINODE 17
|
|
#define LSM_AUDIT_DATA_NLMSGTYPE 18
|
|
union {
|
|
struct path path;
|
|
struct dentry *dentry;
|
|
struct inode *inode;
|
|
struct lsm_network_audit *net;
|
|
int cap;
|
|
int ipc_id;
|
|
struct task_struct *tsk;
|
|
#ifdef CONFIG_KEYS
|
|
struct {
|
|
key_serial_t key;
|
|
char *key_desc;
|
|
} key_struct;
|
|
#endif
|
|
char *kmod_name;
|
|
struct lsm_ioctlop_audit *op;
|
|
struct file *file;
|
|
struct lsm_ibpkey_audit *ibpkey;
|
|
struct lsm_ibendport_audit *ibendport;
|
|
int reason;
|
|
const char *anonclass;
|
|
u16 nlmsg_type;
|
|
} u;
|
|
/* this union contains LSM specific data */
|
|
union {
|
|
#ifdef CONFIG_SECURITY_SMACK
|
|
struct smack_audit_data *smack_audit_data;
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_SELINUX
|
|
struct selinux_audit_data *selinux_audit_data;
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_APPARMOR
|
|
struct apparmor_audit_data *apparmor_audit_data;
|
|
#endif
|
|
}; /* per LSM data pointer union */
|
|
};
|
|
|
|
#define v4info fam.v4
|
|
#define v6info fam.v6
|
|
|
|
#ifdef CONFIG_AUDIT
|
|
|
|
int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|
struct common_audit_data *ad, u8 *proto);
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|
struct common_audit_data *ad, u8 *proto);
|
|
#endif /* IS_ENABLED(CONFIG_IPV6) */
|
|
|
|
void common_lsm_audit(struct common_audit_data *a,
|
|
void (*pre_audit)(struct audit_buffer *, void *),
|
|
void (*post_audit)(struct audit_buffer *, void *));
|
|
|
|
void audit_log_lsm_data(struct audit_buffer *ab,
|
|
const struct common_audit_data *a);
|
|
|
|
#else /* CONFIG_AUDIT */
|
|
|
|
static inline void common_lsm_audit(struct common_audit_data *a,
|
|
void (*pre_audit)(struct audit_buffer *, void *),
|
|
void (*post_audit)(struct audit_buffer *, void *))
|
|
{
|
|
}
|
|
|
|
static inline void audit_log_lsm_data(struct audit_buffer *ab,
|
|
const struct common_audit_data *a)
|
|
{
|
|
}
|
|
|
|
#endif /* CONFIG_AUDIT */
|
|
|
|
#endif
|