landlock: Log mount-related denials

Add audit support for sb_mount, move_mount, sb_umount, sb_remount, and sb_pivot_root hooks. The new related blocker is "fs.change_topology". Audit event sample: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.change_topology name="/" dev="tmpfs" ino=1 Remove landlock_get_applicable_domain() and get_current_fs_domain() which are now fully replaced with landlock_get_applicable_subject(). Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250320190717.2287696-12-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
author: Mickaël Salaün <mic@digikod.net> 2025-03-20 20:07:00 +0100
committer: Mickaël Salaün <mic@digikod.net> 2025-03-26 13:59:39 +0100
commit: c56f649646ecec3dd1a2e400e6e5ec83439d940f (patch)
tree: 3a3523fd3d5748cc111f37ba3f900db99ac4e153 /security/landlock/audit.h
parent: 1d636984e088b17e8587eb5ed9d9d7a80b656c4c (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 40ff230316c4..9ebe8766bbfd 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -15,6 +15,7 @@
 
 enum landlock_request_type {
 	LANDLOCK_REQUEST_PTRACE = 1,
+	LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
 };
 
 /*
author	Mickaël Salaün <mic@digikod.net>	2025-03-20 20:07:00 +0100
committer	Mickaël Salaün <mic@digikod.net>	2025-03-26 13:59:39 +0100
commit	c56f649646ecec3dd1a2e400e6e5ec83439d940f (patch)
tree	3a3523fd3d5748cc111f37ba3f900db99ac4e153 /security/landlock/audit.h
parent	1d636984e088b17e8587eb5ed9d9d7a80b656c4c (diff)