[RFC PATCH v1 02/11] security: Add LSM_AUDIT_DATA_NS for namespace audit records

Mickaël Salaün posted 11 patches 3 weeks, 5 days ago
Posted by Mickaël Salaün 3 weeks, 5 days ago
Add a new LSM audit data type LSM_AUDIT_DATA_NS that logs namespace
information in audit records.  Two fields are provided, matching the
field names of struct ns_common:

- ns_type: the CLONE_NEW* flag identifying the namespace type, logged in
  hexadecimal.

- inum: the proc inode number identifying a specific namespace instance.
  Namespace inode numbers are allocated by proc_alloc_inum() via
  ida_alloc_max() bounded to UINT_MAX, so the value always fits in 32
  bits.

A new audit data type is needed because no existing LSM_AUDIT_DATA_*
type carries namespace information.  The closest alternatives (e.g.
LSM_AUDIT_DATA_TASK or LSM_AUDIT_DATA_NONE with custom strings) would
either lose the namespace type or require ad-hoc formatting that
bypasses the structured audit data union.

Cc: Christian Brauner <brauner@kernel.org>
Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 include/linux/lsm_audit.h | 5 +++++
 security/lsm_audit.c      | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 382c56a97bba..6e20a56b8c22 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -78,6 +78,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_NOTIFICATION 16
 #define LSM_AUDIT_DATA_ANONINODE	17
 #define LSM_AUDIT_DATA_NLMSGTYPE	18
+#define LSM_AUDIT_DATA_NS		19
 	union 	{
 		struct path path;
 		struct dentry *dentry;
@@ -100,6 +101,10 @@ struct common_audit_data {
 		int reason;
 		const char *anonclass;
 		u16 nlmsg_type;
+		struct {
+			u32 ns_type;
+			unsigned int inum;
+		} ns;
 	} u;
 	/* this union contains LSM specific data */
 	union {
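Review bot: the new member mixes a fixed-width `u32 ns_type` with an `unsigned int inum`; since the commit message justifies the width of inum by the ida_alloc_max() bound to UINT_MAX, declaring both members in the same style (both u32, or both unsigned int) would make that reasoning visible in the header. Given the later agreement in this thread to log the 64-bit namespace ID rather than the proc inode number, this is also the place where `unsigned int inum` would become a 64-bit `ns_id`, which removes the dependence on the proc_alloc_inum() allocation bound altogether.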
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 7d623b00495c..7f71a77c1c12 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -403,6 +403,10 @@ void audit_log_lsm_data(struct audit_buffer *ab,
 	case LSM_AUDIT_DATA_NLMSGTYPE:
 		audit_log_format(ab, " nl-msgtype=%hu", a->u.nlmsg_type);
 		break;
+	case LSM_AUDIT_DATA_NS:
+		audit_log_format(ab, " namespace_type=0x%x namespace_inum=%u",
+				 a->u.ns.ns_type, a->u.ns.inum);
+		break;
 	} /* switch (a->type) */
 }
 
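Review bot: the audit keys emitted here, `namespace_type` and `namespace_inum`, do not match the `ns_type` and `inum` names the commit message presents as "the two fields" of the record; the commit message should spell out the actual keys so that log consumers searching records can find them. The neighbouring `nl-msgtype` key uses a hyphen while the new keys use underscores, so the chosen style deserves a sentence too. Logging the raw CLONE_NEW* flag as `0x%x` is compact but pushes the decoding onto userspace, which has to carry its own flag-to-namespace-name table; if the ns_type width changes to match a 64-bit namespace ID later, the `%x`/`%u` specifiers will need to change with the struct members.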
-- 
2.53.0
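
A consumer-side view of the record format this patch emits, as an added example (not part of the patch or of the kernel's audit tooling): it parses the `namespace_type=0x%x namespace_inum=%u` pair from an audit line, decodes the CLONE_NEW* flag into the `/proc/<pid>/ns/` entry name, enforces the 32-bit inum bound the commit message relies on, and correlates the record with a `readlink(/proc/<pid>/ns/<name>)` result. The sample record and the `op=` prefix are constructed; only the two namespace fields follow the patch's format.

```python
import re
from typing import Optional

# CLONE_NEW* flag values from <linux/sched.h>, keyed to the name of the
# matching /proc/<pid>/ns/ entry. The patch logs this flag as namespace_type=0x%x.
CLONE_NEW_FLAGS = {
    0x00000080: "time",    # CLONE_NEWTIME
    0x00020000: "mnt",     # CLONE_NEWNS
    0x02000000: "cgroup",  # CLONE_NEWCGROUP
    0x04000000: "uts",     # CLONE_NEWUTS
    0x08000000: "ipc",     # CLONE_NEWIPC
    0x10000000: "user",    # CLONE_NEWUSER
    0x20000000: "pid",     # CLONE_NEWPID
    0x40000000: "net",     # CLONE_NEWNET
}

# Exactly the two keys audit_log_lsm_data() emits for LSM_AUDIT_DATA_NS.
_NS_FIELDS_RE = re.compile(r"\bnamespace_type=0x([0-9a-fA-F]+) namespace_inum=(\d+)\b")
# Target of readlink() on /proc/<pid>/ns/<name>, e.g. "net:[4026531840]".
_PROC_NS_LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns_fields(record: str) -> Optional[dict]:
    """Extract and decode the namespace fields; None if the record has none."""
    m = _NS_FIELDS_RE.search(record)
    if m is None:
        return None
    ns_type = int(m.group(1), 16)
    inum = int(m.group(2), 10)
    # proc_alloc_inum() bounds the inode number to UINT_MAX; anything larger
    # means the producer is not the format this patch describes.
    if inum > 0xFFFFFFFF:
        raise ValueError(f"namespace_inum {inum} exceeds 32 bits")
    return {"ns_type": ns_type, "ns_name": CLONE_NEW_FLAGS.get(ns_type), "inum": inum}

def matches_proc_ns(fields: dict, proc_ns_link: str) -> bool:
    """True if a /proc/<pid>/ns/<name> link target names the same namespace instance."""
    m = _PROC_NS_LINK_RE.match(proc_ns_link)
    return (m is not None
            and m.group(1) == fields["ns_name"]
            and int(m.group(2)) == fields["inum"])

# Constructed sample record: the prefix is a placeholder, the two namespace
# fields are in the exact form produced by the patch.
SAMPLE_RECORD = ("type=UNKNOWN msg=audit(1773308675.103:42): op=ns_access "
                 "namespace_type=0x40000000 namespace_inum=4026531840")

if __name__ == "__main__":
    fields = parse_ns_fields(SAMPLE_RECORD)
    print(fields, matches_proc_ns(fields, "net:[4026531840]"))
```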

Re: [RFC PATCH v1 02/11] security: Add LSM_AUDIT_DATA_NS for namespace audit records
Posted by Christian Brauner 1 week, 6 days ago
On Thu, Mar 12, 2026 at 11:04:35AM +0100, Mickaël Salaün wrote:
> Add a new LSM audit data type LSM_AUDIT_DATA_NS that logs namespace
> information in audit records.  Two fields are provided, matching the
> field names of struct ns_common:
> 
> - ns_type: the CLONE_NEW* flag identifying the namespace type, logged in
>   hexadecimal.
> 
> - inum: the proc inode number identifying a specific namespace instance.
>   Namespace inode numbers are allocated by proc_alloc_inum() via
>   ida_alloc_max() bounded to UINT_MAX, so the value always fits in 32
>   bits.
> 
> A new audit data type is needed because no existing LSM_AUDIT_DATA_*
> type carries namespace information.  The closest alternatives (e.g.
> LSM_AUDIT_DATA_TASK or LSM_AUDIT_DATA_NONE with custom strings) would
> either lose the namespace type or require ad-hoc formatting that
> bypasses the structured audit data union.
> 
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Günther Noack <gnoack@google.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
>  include/linux/lsm_audit.h | 5 +++++
>  security/lsm_audit.c      | 4 ++++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 382c56a97bba..6e20a56b8c22 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -78,6 +78,7 @@ struct common_audit_data {
>  #define LSM_AUDIT_DATA_NOTIFICATION 16
>  #define LSM_AUDIT_DATA_ANONINODE	17
>  #define LSM_AUDIT_DATA_NLMSGTYPE	18
> +#define LSM_AUDIT_DATA_NS		19
>  	union 	{
>  		struct path path;
>  		struct dentry *dentry;
> @@ -100,6 +101,10 @@ struct common_audit_data {
>  		int reason;
>  		const char *anonclass;
>  		u16 nlmsg_type;
> +		struct {
> +			u32 ns_type;
> +			unsigned int inum;

fwiw, you might want to start the 64-bit namespace id as well.
But either way:

Reviewed-by: Christian Brauner <brauner@kernel.org>
Re: [RFC PATCH v1 02/11] security: Add LSM_AUDIT_DATA_NS for namespace audit records
Posted by Mickaël Salaün 5 days, 23 hours ago
On Wed, Mar 25, 2026 at 01:32:42PM +0100, Christian Brauner wrote:
> On Thu, Mar 12, 2026 at 11:04:35AM +0100, Mickaël Salaün wrote:
> > Add a new LSM audit data type LSM_AUDIT_DATA_NS that logs namespace
> > information in audit records.  Two fields are provided, matching the
> > field names of struct ns_common:
> > 
> > - ns_type: the CLONE_NEW* flag identifying the namespace type, logged in
> >   hexadecimal.
> > 
> > - inum: the proc inode number identifying a specific namespace instance.
> >   Namespace inode numbers are allocated by proc_alloc_inum() via
> >   ida_alloc_max() bounded to UINT_MAX, so the value always fits in 32
> >   bits.
> > 
> > A new audit data type is needed because no existing LSM_AUDIT_DATA_*
> > type carries namespace information.  The closest alternatives (e.g.
> > LSM_AUDIT_DATA_TASK or LSM_AUDIT_DATA_NONE with custom strings) would
> > either lose the namespace type or require ad-hoc formatting that
> > bypasses the structured audit data union.
> > 
> > Cc: Christian Brauner <brauner@kernel.org>
> > Cc: Günther Noack <gnoack@google.com>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > ---
> >  include/linux/lsm_audit.h | 5 +++++
> >  security/lsm_audit.c      | 4 ++++
> >  2 files changed, 9 insertions(+)
> > 
> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index 382c56a97bba..6e20a56b8c22 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -78,6 +78,7 @@ struct common_audit_data {
> >  #define LSM_AUDIT_DATA_NOTIFICATION 16
> >  #define LSM_AUDIT_DATA_ANONINODE	17
> >  #define LSM_AUDIT_DATA_NLMSGTYPE	18
> > +#define LSM_AUDIT_DATA_NS		19
> >  	union 	{
> >  		struct path path;
> >  		struct dentry *dentry;
> > @@ -100,6 +101,10 @@ struct common_audit_data {
> >  		int reason;
> >  		const char *anonclass;
> >  		u16 nlmsg_type;
> > +		struct {
> > +			u32 ns_type;
> > +			unsigned int inum;
> 
> fwiw, you might want to start the 64-bit namespace id as well.
> But either way:

Right now these numbers are generated by ida_alloc_max(), which returns
an int.  Is there an ongoing patch series for this change?

> 
> Reviewed-by: Christian Brauner <brauner@kernel.org>
> 
Re: [RFC PATCH v1 02/11] security: Add LSM_AUDIT_DATA_NS for namespace audit records
Posted by Mickaël Salaün 5 days, 21 hours ago
On Wed, Apr 01, 2026 at 06:38:34PM +0200, Mickaël Salaün wrote:
> On Wed, Mar 25, 2026 at 01:32:42PM +0100, Christian Brauner wrote:
> > On Thu, Mar 12, 2026 at 11:04:35AM +0100, Mickaël Salaün wrote:
> > > Add a new LSM audit data type LSM_AUDIT_DATA_NS that logs namespace
> > > information in audit records.  Two fields are provided, matching the
> > > field names of struct ns_common:
> > > 
> > > - ns_type: the CLONE_NEW* flag identifying the namespace type, logged in
> > >   hexadecimal.
> > > 
> > > - inum: the proc inode number identifying a specific namespace instance.
> > >   Namespace inode numbers are allocated by proc_alloc_inum() via
> > >   ida_alloc_max() bounded to UINT_MAX, so the value always fits in 32
> > >   bits.
> > > 
> > > A new audit data type is needed because no existing LSM_AUDIT_DATA_*
> > > type carries namespace information.  The closest alternatives (e.g.
> > > LSM_AUDIT_DATA_TASK or LSM_AUDIT_DATA_NONE with custom strings) would
> > > either lose the namespace type or require ad-hoc formatting that
> > > bypasses the structured audit data union.
> > > 
> > > Cc: Christian Brauner <brauner@kernel.org>
> > > Cc: Günther Noack <gnoack@google.com>
> > > Cc: Paul Moore <paul@paul-moore.com>
> > > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > > ---
> > >  include/linux/lsm_audit.h | 5 +++++
> > >  security/lsm_audit.c      | 4 ++++
> > >  2 files changed, 9 insertions(+)
> > > 
> > > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > > index 382c56a97bba..6e20a56b8c22 100644
> > > --- a/include/linux/lsm_audit.h
> > > +++ b/include/linux/lsm_audit.h
> > > @@ -78,6 +78,7 @@ struct common_audit_data {
> > >  #define LSM_AUDIT_DATA_NOTIFICATION 16
> > >  #define LSM_AUDIT_DATA_ANONINODE	17
> > >  #define LSM_AUDIT_DATA_NLMSGTYPE	18
> > > +#define LSM_AUDIT_DATA_NS		19
> > >  	union 	{
> > >  		struct path path;
> > >  		struct dentry *dentry;
> > > @@ -100,6 +101,10 @@ struct common_audit_data {
> > >  		int reason;
> > >  		const char *anonclass;
> > >  		u16 nlmsg_type;
> > > +		struct {
> > > +			u32 ns_type;
> > > +			unsigned int inum;
> > 
> > fwiw, you might want to start the 64-bit namespace id as well.
> > But either way:
> 
> Right now these numbers are generated by ida_alloc_max(), which return
> an int.  Is there an ongoing patch series for this change?

OK, we should not use the inode's number (32-bit) but the namespace ID
(64-bit) which is readable with the NS_GET_ID IOCTL on the namespace
FDs.  I'll use that with ns_id instead of inum.  I'll also update the
Landlock code and tests accordingly.