https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.1.y.git;a=summary
RSBAC for Linux 6.1 (Long Term)
Current version: 6.1.106
commit 0f27ea44429b4e2124e2e11636423a3a0d1033fc
Author: Amon Ott <ao@rsbac.org>
Date:   Tue Jul 30 14:43:22 2024 +0200
Add feature CAP filesystem object hiding

If enabled, you can hide filesystem objects from users without Linux read rights on them, set with the kernel command line switch rsbac_cap_fd_hiding or through the RSBAC proc interface. There are two possible values:

0 / off: no hiding.
1 / on: only processes with Linux read right to a filesystem object, Linux capability DAC_OVERRIDE or DAC_READ_SEARCH or with CAP role security officer or system admin may see this object.

Hiding works with many, but not all types of file system object access.

While at it, reduce overhead with CAP process hiding: only use global variable rsbac_cap_process_hiding instead of per-process attribute, which does not get set individually anyway.

Since rsbac_get_owner() never returns an error, change it to not return a result and remove all result checks.

Add some type casts to rc_main.c.

vfs_getattr(): with RSBAC_FSOBJ_HIDE, avoid SEARCH request on IPC targets.
 fs/locks.c                                  |  12 +
 fs/namei.c                                  |  37 ++
 fs/open.c                                   |  34 ++
 fs/readdir.c                                |  50 +--
 fs/stat.c                                   |  31 ++
 include/rsbac/aci_data_structures.h         |  10 +-
 include/rsbac/adf.h                         |  10 +-
 include/rsbac/debug.h                       |   7 +-
 include/rsbac/helpers.h                     |   6 +-
 include/rsbac/types.h                       |  11 +-
 rsbac/Kconfig                               |  23 +-
 rsbac/adf/acl/acl_syscalls.c                |  28 +-
 rsbac/adf/adf_main.c                        |  91 ++---
 rsbac/adf/cap/cap_main.c                    |  45 +--
 rsbac/adf/rc/rc_main.c                      |  30 +-
 rsbac/adf/rc/rc_syscalls.c                  | 564 ++++++++++++----------
 rsbac/data_structures/aci_data_structures.c |  14 +-
 rsbac/help/debug.c                          | 124 +++++-
 rsbac/help/getname.c                        |   8 +-
 rsbac/help/helpers.c                        |  91 ++++-
 rsbac/help/syscalls.c                       |  10 +-
 21 files changed, 704 insertions(+), 532 deletions(-)
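The visibility rule the commit message states (with hiding on, a process sees a filesystem object only if it has Linux read right on it, holds CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, or holds the CAP role security officer or system admin), written out as a userspace C model. This is an added illustration, not RSBAC's kernel code and not taken from this page: the struct layouts, the enum cap_role values, and the function names fd_visible, visible and set_cap_fd_hiding are assumptions made here; the capability numbers are Linux's own; the DAC check follows the kernel's owner-then-group-then-other order. The sample object and process contexts in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Capability numbers as in linux/capability.h, repeated here so the
 * model builds without kernel headers. */
#define CAP_DAC_OVERRIDE    1
#define CAP_DAC_READ_SEARCH 2
#define CAP_BIT(c) ((uint64_t)1 << (c))

/* Assumed encoding of the two CAP module roles the commit names; RSBAC's
 * real role constants are not shown on this page. */
enum cap_role { ROLE_GENERAL_USER, ROLE_SECURITY_OFFICER, ROLE_SYSTEM_ADMIN };

struct proc_ctx {
    uid_t fsuid;
    gid_t fsgid;
    const gid_t *groups;     /* supplementary groups, may be NULL */
    size_t ngroups;
    uint64_t cap_effective;  /* bitmask built with CAP_BIT() */
    enum cap_role role;
};

struct fsobj {
    uid_t uid;
    gid_t gid;
    mode_t mode;             /* only the permission bits matter here */
};

/* Global switch, mirroring the commit's choice of one global flag rather
 * than a per-process attribute: 0 / off, 1 / on. */
static int rsbac_cap_fd_hiding = 1;

void set_cap_fd_hiding(int on) { rsbac_cap_fd_hiding = on ? 1 : 0; }

/* Plain Linux DAC read check in the order the kernel applies it: the
 * owner class decides for the owner even if a group or other bit would
 * allow it; then group (primary or supplementary); then other.
 * No capability override in here. */
static bool dac_read_ok(const struct proc_ctx *p, const struct fsobj *o)
{
    if (p->fsuid == o->uid)
        return (o->mode & S_IRUSR) != 0;
    if (p->fsgid == o->gid)
        return (o->mode & S_IRGRP) != 0;
    for (size_t i = 0; i < p->ngroups; i++)
        if (p->groups[i] == o->gid)
            return (o->mode & S_IRGRP) != 0;
    return (o->mode & S_IROTH) != 0;
}

/* The rule from the commit message, assumed helper name. */
bool fd_visible(const struct proc_ctx *p, const struct fsobj *o)
{
    if (!rsbac_cap_fd_hiding)
        return true;                         /* 0 / off: no hiding */
    if (p->role == ROLE_SECURITY_OFFICER || p->role == ROLE_SYSTEM_ADMIN)
        return true;                         /* CAP role exemption */
    if (p->cap_effective & (CAP_BIT(CAP_DAC_OVERRIDE) | CAP_BIT(CAP_DAC_READ_SEARCH)))
        return true;                         /* capability exemption */
    return dac_read_ok(p, o);                /* otherwise: Linux read right */
}

/* Scalar wrapper (no supplementary groups) for quick checks. */
bool visible(uid_t fsuid, gid_t fsgid, uint64_t caps, enum cap_role role,
             uid_t ouid, gid_t ogid, mode_t mode)
{
    struct proc_ctx p = { fsuid, fsgid, NULL, 0, caps, role };
    struct fsobj o = { ouid, ogid, mode };
    return fd_visible(&p, &o);
}

int main(void)
{
    /* Constructed sample: a root:42 object with mode 0640, viewed by
     * uid 1000 (supplementary gid 42) and by uid 1001 (no such group). */
    gid_t groups[] = { 42 };
    struct fsobj obj = { 0, 42, 0640 };
    struct proc_ctx member = { 1000, 1000, groups, 1, 0, ROLE_GENERAL_USER };
    struct proc_ctx stranger = { 1001, 1001, NULL, 0, 0, ROLE_GENERAL_USER };

    printf("hiding on:  uid 1000 (gid 42) sees it: %d\n", fd_visible(&member, &obj));
    printf("hiding on:  uid 1001 sees it:          %d\n", fd_visible(&stranger, &obj));
    set_cap_fd_hiding(0);
    printf("hiding off: uid 1001 sees it:          %d\n", fd_visible(&stranger, &obj));
    return 0;
}
```

The model only decides visibility; it says nothing about which access paths the decision is wired into. The diffstat above shows the change touching fs/namei.c, fs/open.c, fs/readdir.c, fs/stat.c and fs/locks.c, and the commit message itself says hiding covers many but not all types of filesystem object access, so on a real RSBAC kernel the practical check is to probe a hidden object through several paths (directory listing, stat, open, lock) as an unprivileged user rather than assuming one denied path implies all are denied.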