author | Mickaël Salaün <mic@digikod.net> | 2025-03-20 20:07:00 +0100 |
---|---|---|
committer | Mickaël Salaün <mic@digikod.net> | 2025-03-26 13:59:39 +0100 |
commit | c56f649646ecec3dd1a2e400e6e5ec83439d940f (patch) | |
tree | 3a3523fd3d5748cc111f37ba3f900db99ac4e153 /security/landlock/audit.c | |
parent | 1d636984e088b17e8587eb5ed9d9d7a80b656c4c (diff) |
landlock: Log mount-related denials

Add audit support for sb_mount, move_mount, sb_umount, sb_remount, and
sb_pivot_root hooks.

The new related blocker is "fs.change_topology".

Audit event sample:

  type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.change_topology name="/" dev="tmpfs" ino=1

Remove landlock_get_applicable_domain() and get_current_fs_domain()
which are now fully replaced with landlock_get_applicable_subject().

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-12-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'security/landlock/audit.c')
-rw-r--r-- | security/landlock/audit.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 39118f7ff990..b33bc7cfa687 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -21,6 +21,9 @@ static const char *get_blocker(const enum landlock_request_type type) switch (type) { case LANDLOCK_REQUEST_PTRACE: return "ptrace"; + + case LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY: + return "fs.change_topology"; } WARN_ON_ONCE(1); |
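Review bot: The string returned by the new `LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY` case in get_blocker() lands in the `blockers=` field of LANDLOCK_DENY records, so log parsers and detection rules will match on it verbatim, yet nothing in the hunk documents that it is a user-visible name. Consider a short comment above the switch saying that blocker strings are part of the audit record format and should not be renamed once released, and list "fs.change_topology" next to "ptrace" in the user-facing documentation. Per the commit message this one blocker covers five hooks (sb_mount, move_mount, sb_umount, sb_remount, sb_pivot_root), and the sample record carries only name, dev and ino, so it would help to document how an analyst tells which mount operation was denied. The switch has no default and falls through to `WARN_ON_ONCE(1)`, so every future `landlock_request_type` value needs its case added here in the same patch that introduces it; a note to that effect at the enum definition would keep the two in sync.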