/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Landlock - Audit helpers
 *
 * Copyright © 2023-2025 Microsoft Corporation
 *
 * Declares the request descriptor and the two logging entry points used to
 * report Landlock events.  When CONFIG_AUDIT is not set, both entry points
 * are empty inline functions (see the end of this file).
 */

#ifndef _SECURITY_LANDLOCK_AUDIT_H
#define _SECURITY_LANDLOCK_AUDIT_H

#include <linux/audit.h>
#include <linux/lsm_audit.h>

#include "access.h"
#include "cred.h"

/*
 * Kind of request described by a struct landlock_request.
 *
 * The enumerators start at 1, so a zero-initialized type field matches none
 * of them.
 * NOTE(review): presumably deliberate, in the same spirit as layer_plus_one
 * below (detecting an unset field) - confirm against the users of this enum.
 */
enum landlock_request_type {
	LANDLOCK_REQUEST_PTRACE = 1,
	LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY,
	LANDLOCK_REQUEST_FS_ACCESS,
	LANDLOCK_REQUEST_NET_ACCESS,
	LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
	LANDLOCK_REQUEST_SCOPE_SIGNAL,
};

/*
 * We should be careful to only use a variable of this type for
 * landlock_log_denial(). This way, the compiler can remove it entirely if
 * CONFIG_AUDIT is not set.
 */
struct landlock_request {
	/* Mandatory fields. */
	enum landlock_request_type type;
	struct common_audit_data audit;

	/**
	 * layer_plus_one: First layer level that denies the request + 1. The
	 * extra one is useful to detect uninitialized field.
	 */
	size_t layer_plus_one;

	/* Required field for configurable access control. */
	access_mask_t access;

	/*
	 * Required fields for requests with layer masks.
	 *
	 * layer_masks points to an array of unspecified bound, so the type
	 * itself carries no length.
	 * NOTE(review): layer_masks_size is presumably the element count of
	 * that array - confirm in the landlock_log_denial() definition.
	 */
	const layer_mask_t (*layer_masks)[];
	size_t layer_masks_size;

	/*
	 * Required fields for requests with deny masks.
	 *
	 * all_existing_optional_access is const-qualified, so it can only be
	 * given a value when the structure is initialized.
	 */
	const access_mask_t all_existing_optional_access;
	deny_masks_t deny_masks;
};

#ifdef CONFIG_AUDIT

/*
 * NOTE(review): by its name, records that the domain described by
 * @hierarchy is dropped; the definition is not in this header.
 */
void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy);

/*
 * Logging entry point for a request described by @request on behalf of
 * @subject.  Returns nothing, so callers get no result back from it.
 */
void landlock_log_denial(const struct landlock_cred_security *const subject,
			 const struct landlock_request *const request);

#else /* CONFIG_AUDIT */

/*
 * CONFIG_AUDIT is not set: both helpers are empty, so calls made through
 * this header produce no record at all.  A kernel built this way gives no
 * log trail for these events through these functions.
 */

static inline void
landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy)
{
}

static inline void
landlock_log_denial(const struct landlock_cred_security *const subject,
		    const struct landlock_request *const request)
{
}

#endif /* CONFIG_AUDIT */

#endif /* _SECURITY_LANDLOCK_AUDIT_H */