On Mon, Jan 06, 2025 at 05:33:07PM -0500, Paul Moore wrote: > On Mon, Jan 6, 2025 at 9:51 AM Mickaël Salaün <[email protected]> wrote: > > On Sat, Jan 04, 2025 at 08:23:53PM -0500, Paul Moore wrote: > > > On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <[email protected]> > > > wrote: > > > > > > > > Add audit support for unix_stream_connect, unix_may_send, task_kill, and > > > > file_send_sigiotask hooks. > > > > > > > > Audit event sample: > > > > > > > > type=LL_DENY [...]: domain=195ba459b > > > > blockers=scope_abstract_unix_socket path=00666F6F > > > > > > Similar to 17/23, I believe the SOCKADDR record should already capture > > > the socket address information. > > > > This might not be the case, which is why SELinux and others explicitly > > log it I guess. > > I think I may be misunderstanding you, can you point to the section of > SELinux code that you are referring to in your comment?
I'm refering to struct lsm_network_audit, and the related information ending in the logs with LSM_AUDIT_DATA_NET. Landlock follows the current implementations, hence the generalization brought by the second patch with audit_log_lsm_data().
