diff options
| author | Mickaël Salaün <[email protected]> | 2025-03-20 19:07:03 +0000 |
|---|---|---|
| committer | Mickaël Salaün <[email protected]> | 2025-03-26 12:59:41 +0000 |
| commit | 20fd2954945458c1b04060d1ce6320f897b3a701 (patch) | |
| tree | ec54448c18937629bacd6d71111474bcc8d81cd9 /drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | |
| parent | landlock: Factor out IOCTL hooks (diff) | |
| download | kernel-20fd2954945458c1b04060d1ce6320f897b3a701.tar.gz kernel-20fd2954945458c1b04060d1ce6320f897b3a701.zip | |
landlock: Log truncate and IOCTL denials
Add audit support to the file_truncate and file_ioctl hooks.
Add a deny_masks_t type and related helpers to store the domain's layer
level per optional access rights (i.e. LANDLOCK_ACCESS_FS_TRUNCATE and
LANDLOCK_ACCESS_FS_IOCTL_DEV) when opening a file, which cannot be
inferred later. In practice, the landlock_file_security aligned blob size is
still 16 bytes because this new one-byte deny_masks field follows the
existing two-bytes allowed_access field and precede the packed
fown_subject.
Implementing deny_masks_t with a bitfield instead of a struct enables a
generic implementation to store and extract layer levels.
Add KUnit tests to check the identification of a layer level from a
deny_masks_t, and the computation of a deny_masks_t from an access right
with its layer level or a layer_mask_t array.
Audit event sample:
type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.ioctl_dev path="/dev/tty" dev="devtmpfs" ino=9 ioctlcmd=0x5401
Cc: Günther Noack <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mickaël Salaün <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c')
0 files changed, 0 insertions, 0 deletions