/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Landlock - Audit helpers
*
* Copyright © 2023-2025 Microsoft Corporation
*/
#ifndef _SECURITY_LANDLOCK_AUDIT_H
#define _SECURITY_LANDLOCK_AUDIT_H
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include "cred.h"
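/*
 * Kind of denied request carried by a struct landlock_request.  Only ptrace
 * denials are defined in this header.
 *
 * NOTE(review): numbering starts at 1, presumably so that a zero-initialized
 * type can be told apart from a valid one (same idea as layer_plus_one in
 * struct landlock_request) - confirm against landlock_log_denial().
 */
enum landlock_request_type {
	LANDLOCK_REQUEST_PTRACE = 1,
};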
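/*
 * Description of one denied request, passed to landlock_log_denial().
 *
 * We should be careful to only use a variable of this type for
 * landlock_log_denial().  This way, the compiler can remove it entirely if
 * CONFIG_AUDIT is not set: in that configuration landlock_log_denial() is an
 * empty static inline stub (see the #else branch of this header), so a
 * request that is only ever handed to it is dead code.
 */
struct landlock_request {
	/* Mandatory fields. */
	enum landlock_request_type type;
	struct common_audit_data audit;

	/**
	 * layer_plus_one: First layer level that denies the request + 1.  The
	 * extra one is useful to detect an uninitialized field: the stored
	 * value of a real denial is never zero, so zero can only mean that
	 * the field was not set.
	 */
	size_t layer_plus_one;
};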
#ifdef CONFIG_AUDIT
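/*
 * Audit entry points, declared here only when CONFIG_AUDIT is set; their
 * definitions are not part of this header.
 *
 * landlock_log_drop_domain() takes the hierarchy node of a domain.
 * NOTE(review): the name suggests it records the domain being dropped -
 * confirm against the implementation.
 *
 * landlock_log_denial() takes the Landlock credential data of the subject and
 * the request that was denied.  @request should describe the denial fully
 * (type, audit data, layer_plus_one) before the call.
 */
void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy);

void landlock_log_denial(const struct landlock_cred_security *const subject,
			 const struct landlock_request *const request);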
#else /* CONFIG_AUDIT */
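/*
 * !CONFIG_AUDIT stub: emits nothing and never touches @hierarchy.  Being an
 * empty static inline, it lets callers build unchanged and the call can be
 * optimized away.  On such kernels no audit record is produced through this
 * helper.
 */
static inline void
landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy)
{
}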
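/*
 * !CONFIG_AUDIT stub: the denial described by @request is not logged and
 * neither argument is read.  This stub only drops the record; it takes no
 * part in the access decision itself.  Because the body is empty, a
 * struct landlock_request built solely for this call can be removed by the
 * compiler.  Kernels built this way give no audit trail of Landlock denials
 * through this helper.
 */
static inline void
landlock_log_denial(const struct landlock_cred_security *const subject,
		    const struct landlock_request *const request)
{
}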
#endif /* CONFIG_AUDIT */
#endif /* _SECURITY_LANDLOCK_AUDIT_H */