On Thu, Sep 21, 2023 at 2:17 AM Mickaël Salaün <[email protected]> wrote: > > Add audit support for domain creation, i.e. task self-restriction. > > Signed-off-by: Mickaël Salaün <[email protected]> > --- > security/landlock/audit.c | 24 ++++++++++++++++++++++++ > security/landlock/audit.h | 8 ++++++++ > security/landlock/syscalls.c | 4 ++++ > 3 files changed, 36 insertions(+) > > diff --git a/security/landlock/audit.c b/security/landlock/audit.c > index f58bd529784a..d9589d07e126 100644 > --- a/security/landlock/audit.c > +++ b/security/landlock/audit.c > @@ -84,6 +84,30 @@ void landlock_log_create_ruleset(struct landlock_ruleset > *const ruleset) > audit_log_end(ab); > } > > +void landlock_log_restrict_self(struct landlock_ruleset *const domain, > + struct landlock_ruleset *const ruleset) > +{ > + struct audit_buffer *ab; > + > + WARN_ON_ONCE(domain->id); > + WARN_ON_ONCE(!ruleset->id); > + > + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_LANDLOCK); > + if (!ab) > + /* audit_log_lost() call */ > + return; > + > + domain->hierarchy->id = > + atomic64_inc_return(&ruleset_and_domain_counter); > + log_task(ab); > + audit_log_format(ab, " op=restrict-self domain=%llu ruleset=%llu", > + domain->hierarchy->id, ruleset->id);
If domain creation and self restriction are the same, I would suggest going with "op=create-domain" so it better matches "op=release-domain" in patch 3/7. Also see my previous comment about consistency between AUDIT_LANDLOCK records. > + audit_log_format( > + ab, " parent=%llu", > + domain->hierarchy->parent ? domain->hierarchy->parent->id : > 0); > + audit_log_end(ab); > +} -- paul-moore.com
