Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
landlock: Document audit blocker field format

Add comprehensive documentation for the ``blockers`` field format
in AUDIT_LANDLOCK_ACCESS records, including all possible prefixes
(fs., net., scope.) and their meanings.

Also fix a typo and update the documentation date to reflect these
changes.

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Link: https://lore.kernel.org/r/20260128031814.2945394-4-samasth.norway.ananda@oracle.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

authored by Samasth Norway Ananda and committed by Mickaël Salaün
de4b09ab fe72ce67

+33 -2
Documentation/admin-guide/LSM/landlock.rst
··· 6 6 ================================ 7 7 8 8 :Author: Mickaël Salaün 9 - :Date: March 2025 9 + :Date: January 2026 10 10 11 11 Landlock can leverage the audit framework to log events. 12 12 ··· 37 37 38 38 domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351 39 39 domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365 40 + 41 + 42 + The ``blockers`` field uses dot-separated prefixes to indicate the type of 43 + restriction that caused the denial: 44 + 45 + **fs.*** - Filesystem access rights (ABI 1+): 46 + - fs.execute, fs.write_file, fs.read_file, fs.read_dir 47 + - fs.remove_dir, fs.remove_file 48 + - fs.make_char, fs.make_dir, fs.make_reg, fs.make_sock 49 + - fs.make_fifo, fs.make_block, fs.make_sym 50 + - fs.refer (ABI 2+) 51 + - fs.truncate (ABI 3+) 52 + - fs.ioctl_dev (ABI 5+) 53 + 54 + **net.*** - Network access rights (ABI 4+): 55 + - net.bind_tcp - TCP port binding was denied 56 + - net.connect_tcp - TCP connection was denied 57 + 58 + **scope.*** - IPC scoping restrictions (ABI 6+): 59 + - scope.abstract_unix_socket - Abstract UNIX socket connection denied 60 + - scope.signal - Signal sending denied 61 + 62 + Multiple blockers can appear in a single event (comma-separated) when 63 + multiple access rights are missing. For example, creating a regular file 64 + in a directory that lacks both ``make_reg`` and ``refer`` rights would show 65 + ``blockers=fs.make_reg,fs.refer``. 66 + 67 + The object identification fields (path, dev, ino for filesystem; opid, 68 + ocomm for signals) depend on the type of access being blocked and provide 69 + context about what resource was involved in the denial. 70 + 40 71 41 72 AUDIT_LANDLOCK_DOMAIN 42 73 This record type describes the status of a Landlock domain. The ``status`` ··· 117 86 number following a timestamp (``msg=audit(1729738800.268:30)``). The first 118 87 event (serial ``30``) contains 4 records. 
The first record 119 88 (``type=LANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc66f`. 120 - The cause of this denial is signal scopping restriction 89 + The cause of this denial is signal scoping restriction 121 90 (``blockers=scope.signal``). The process that would have receive this signal 122 91 is the init process (``opid=1 ocomm="systemd"``). 123 92
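Review bot: the example in the "Multiple blockers" paragraph does not match the semantics of ``fs.refer``: that right (LANDLOCK_ACCESS_FS_REFER) is only checked when a file is linked or renamed across directories, so plain creation of a regular file would be logged with ``blockers=fs.make_reg`` alone; rephrasing it as "renaming or linking a regular file into a directory that lacks both ``make_reg`` and ``refer``" keeps the example consistent with the ``/usr/local`` event shown just above it. Separately, each ``- fs.…``, ``- net.…`` and ``- scope.…`` group follows its ``(ABI N+):`` heading line with no blank line in between; reStructuredText needs a blank line before a bullet list, otherwise these lines render as continuation text of the heading paragraph, so a blank line after each of the three heading lines is needed for the lists to render as lists. The ``**fs.***`` form is also fragile RST inline markup; writing ``fs.*`` in literal markup, like the existing ``blockers`` references, is safer. Finally, the inserted block starts with two empty added lines and ends with an empty added line directly before the pre-existing blank, giving double blank lines at both ends; one of each matches the rest of the file.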
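Review bot: the unchanged context line right after the corrected word still reads "The process that would have receive this signal"; since this paragraph is already being touched for the ``scopping`` typo, the same change should fix "would have receive" to "would have received".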