Message-ID: <20251216210248.4150777-3-samasth.norway.ananda@oracle.com>
Date: Tue, 16 Dec 2025 13:02:44 -0800
From: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
To: mic@...ikod.net, gnoack@...gle.com
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 3/3] landlock: Document audit blocker field format

Add comprehensive documentation for the ``blockers`` field format
in AUDIT_LANDLOCK_ACCESS records, including all possible prefixes
(fs., net., scope.) and their meanings.

Also fix a typo and update the documentation date to reflect these
changes.

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
---
 Documentation/admin-guide/LSM/landlock.rst | 34 ++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/admin-guide/LSM/landlock.rst
index 9e61607def08..f1ea67cff9da 100644
--- a/Documentation/admin-guide/LSM/landlock.rst
+++ b/Documentation/admin-guide/LSM/landlock.rst
@@ -6,7 +6,7 @@ Landlock: system-wide management
 ================================
 
 :Author: Mickaël Salaün
-:Date: March 2025
+:Date: December 2025
 
 Landlock can leverage the audit framework to log events.
 
@@ -38,6 +38,36 @@ AUDIT_LANDLOCK_ACCESS
         domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
         domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365
 
+    The ``blockers`` field uses dot-separated prefixes to indicate the type of
+    restriction that caused the denial:
+
+    **fs.*** - Filesystem access rights (ABI 1+):
+        - fs.execute, fs.write_file, fs.read_file, fs.read_dir
+        - fs.remove_dir, fs.remove_file
+        - fs.make_char, fs.make_dir, fs.make_reg, fs.make_sock
+        - fs.make_fifo, fs.make_block, fs.make_sym
+        - fs.refer (ABI 2+)
+        - fs.truncate (ABI 3+)
+        - fs.ioctl_dev (ABI 5+)
+
+    **net.*** - Network access rights (ABI 4+):
+        - net.bind_tcp - TCP port binding was denied
+        - net.connect_tcp - TCP connection was denied
+
+    **scope.*** - IPC scoping restrictions (ABI 6+):
+        - scope.abstract_unix_socket - Abstract UNIX socket connection denied
+        - scope.signal - Signal sending denied
+
+    Multiple blockers can appear in a single event (comma-separated) when
+    multiple access rights are missing. For example, creating a regular file
+    in a directory that lacks both ``make_reg`` and ``refer`` rights would show
+    ``blockers=fs.make_reg,fs.refer``.
+
+    The object identification fields (path, dev, ino for filesystem; opid,
+    ocomm for signals) depend on the type of access being blocked and provide
+    context about what resource was involved in the denial.
+
+
 AUDIT_LANDLOCK_DOMAIN
     This record type describes the status of a Landlock domain.  The ``status``
     field can be either ``allocated`` or ``deallocated``.
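Review bot: the bullet lists under `**fs.***`, `**net.***` and `**scope.***` are indented four columns deeper than the heading line they belong to, so reStructuredText will render each one as a block quote wrapping a bullet list instead of a list attached to its heading; dedenting the `- fs.execute, fs.write_file, ...` lines to the column of `**fs.*** - Filesystem access rights (ABI 1+):`, or turning the three headings into a definition list, gives the intended nesting. Two smaller points in the same hunk: the trailing asterisk inside `**fs.***` is easy for docutils to misparse, and a literal ``fs.*`` reads the same while avoiding the inline-markup ambiguity; and the fs.* entries list only the right names while the net.* and scope.* entries each carry a short meaning, although the commit message promises "their meanings" for all prefixes, so either add the one-line meanings for the fs.* rights or word the commit message accordingly. The two blank lines before `AUDIT_LANDLOCK_DOMAIN` can also drop to one to match the spacing used elsewhere in the section.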
@@ -86,7 +116,7 @@ This command generates two events, each identified with a unique serial
 number following a timestamp (``msg=audit(1729738800.268:30)``).  The first
 event (serial ``30``) contains 4 records.  The first record
 (``type=LANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc66f`.
-The cause of this denial is signal scopping restriction
+The cause of this denial is signal scoping restriction
 (``blockers=scope.signal``).  The process that would have receive this signal
 is the init process (``opid=1 ocomm="systemd"``).
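Review bot: since this paragraph is already being touched for the scopping/scoping typo, the unchanged context line `(``blockers=scope.signal``).  The process that would have receive this signal` carries a second slip that could be fixed in the same patch: `would have receive` should read `would have received`.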
 
-- 
2.50.1