  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /*
  3. * Landlock - Audit helpers
  4. *
  5. * Copyright © 2023-2025 Microsoft Corporation
  6. */
  7. #ifndef _SECURITY_LANDLOCK_AUDIT_H
  8. #define _SECURITY_LANDLOCK_AUDIT_H
  9. #include <linux/audit.h>
  10. #include <linux/lsm_audit.h>
  11. #include "access.h"
  12. #include "cred.h"
/**
 * enum landlock_request_type - Kind of request described by a &struct landlock_request
 * @LANDLOCK_REQUEST_PTRACE: Ptrace request.
 * @LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY: Filesystem topology change.
 * @LANDLOCK_REQUEST_FS_ACCESS: Filesystem access.
 * @LANDLOCK_REQUEST_NET_ACCESS: Network access.
 * @LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET: Abstract UNIX socket scoping.
 * @LANDLOCK_REQUEST_SCOPE_SIGNAL: Signal scoping.
 *
 * The values are spelled out so that their numbering is visible at a glance.
 * It starts at 1, presumably so that a zero-initialized
 * &struct landlock_request never carries a valid type (review note: confirm
 * against the users of this enum before relying on it).
 */
enum landlock_request_type {
	LANDLOCK_REQUEST_PTRACE = 1,
	LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY = 2,
	LANDLOCK_REQUEST_FS_ACCESS = 3,
	LANDLOCK_REQUEST_NET_ACCESS = 4,
	LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET = 5,
	LANDLOCK_REQUEST_SCOPE_SIGNAL = 6,
};
/*
 * Only ever declare a variable of this type as the argument to
 * landlock_log_denial(): when CONFIG_AUDIT is not set that function is an
 * empty inline stub, so the compiler can remove the object and its
 * initialization entirely.
 */

/**
 * struct landlock_request - Context of a request that Landlock denied
 *
 * Built by the access-control code and handed to landlock_log_denial().
 * Only the first group of fields is always needed; which of the other groups
 * must be filled depends on the kind of request, as noted on each group.
 */
struct landlock_request {
	/* Mandatory fields. */

	/** @type: Kind of denied request, see &enum landlock_request_type. */
	enum landlock_request_type type;
	/**
	 * @audit: Generic LSM audit data (see <linux/lsm_audit.h>), presumably
	 * identifying the object the request was made on.
	 */
	struct common_audit_data audit;

	/**
	 * @layer_plus_one: First layer level that denies the request, plus one.
	 * The offset makes 0 an impossible valid value, so a zeroed (i.e. never
	 * initialized) field can be detected.
	 */
	size_t layer_plus_one;

	/* Required field for configurable access control. */

	/** @access: Access mask of the request (presumably the denied rights). */
	access_mask_t access;

	/* Required fields for requests with layer masks. */

	/**
	 * @layer_masks: Per-layer access masks, as the name suggests; the
	 * pointee is only read through this struct.
	 */
	const struct layer_access_masks *layer_masks;

	/* Required fields for requests with deny masks. */

	/**
	 * @all_existing_optional_access: All optional access rights that exist
	 * for this kind of request (as the name suggests). Being const, it has
	 * to be set in the variable's initializer and cannot be assigned later.
	 */
	const access_mask_t all_existing_optional_access;
	/** @deny_masks: Deny masks of the request. */
	deny_masks_t deny_masks;
};
#ifndef CONFIG_AUDIT
/*
 * Without audit support both helpers collapse to empty inline stubs, so every
 * call site, and the struct landlock_request built for it, can be optimized
 * away.
 */

/**
 * landlock_log_drop_domain - Audit hook for a dropped domain (no-op here)
 * @hierarchy: Hierarchy of the domain being dropped, as the name suggests.
 */
static inline void
landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy)
{
}

/**
 * landlock_log_denial - Audit hook for a denied request (no-op here)
 * @subject: Landlock credentials of the task that made the request.
 * @request: Description of the denied request.
 */
static inline void
landlock_log_denial(const struct landlock_cred_security *const subject,
		    const struct landlock_request *const request)
{
}
#else /* CONFIG_AUDIT */
/* Out-of-line implementations, only built when CONFIG_AUDIT is set. */
void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy);
void landlock_log_denial(const struct landlock_cred_security *const subject,
			 const struct landlock_request *const request);
#endif /* CONFIG_AUDIT */
  58. #endif /* _SECURITY_LANDLOCK_AUDIT_H */