On Mon, Jan 06, 2025 at 05:33:07PM -0500, Paul Moore wrote:

On Mon, Jan 6, 2025 at 9:51 AM Mickaël Salaün [off-list ref] wrote:

quoted

On Sat, Jan 04, 2025 at 08:23:53PM -0500, Paul Moore wrote:

quoted

On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= [off-list ref] wrote:

quoted

Add audit support for unix_stream_connect, unix_may_send, task_kill, and
file_send_sigiotask hooks.

Audit event sample:

  type=LL_DENY [...]: domain=195ba459b blockers=scope_abstract_unix_socket path=00666F6F

Similar to 17/23, I believe the SOCKADDR record should already capture
the socket address information.

This might not be the case, which is why SELinux and others explicitly
log it I guess.

I think I may be misunderstanding you, can you point to the section of
SELinux code that you are referring to in your comment?

I'm refering to struct lsm_network_audit, and the related information
ending in the logs with LSM_AUDIT_DATA_NET.  Landlock follows the
current implementations, hence the generalization brought by the second
patch with audit_log_lsm_data().