https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.6.y.git;a=summary
RSBAC for Linux 6.6 (Long Term)
Current version: 6.6.43
commit 19e528dc52bbbf0d390bd82238d09d6a549c74d4 Author: Amon Ott ao@rsbac.org Date: Mon Jul 29 12:56:30 2024 +0200
Add feature CAP filesystem object hiding If enabled, you can hide filesystem objects from users without Linux read rights on them, set with the kernel command line switch rsbac_cap_fd_hiding or through the RSBAC proc interface. There are two possible values: 0 / off: no hiding. 1 / on: only processes with Linux read right to a filesystem object, Linux capability DAC_OVERRIDE or DAC_READ_SEARCH or with CAP role security officer or system admin may see this object. Hiding works with many, but not all types of file system object access.
While at it, reduce overhead with CAP process hiding: only use global variable rsbac_cap_process_hiding instead of per-process attribute, which does not get set individually anyway. Since rsbac_get_owner() never returns an error, change it to not return a result and remove all result checks. Add some type casts to rc_main.c.
fs/locks.c | 12 + fs/namei.c | 37 ++ fs/open.c | 34 ++ fs/readdir.c | 50 +-- fs/stat.c | 31 ++ include/rsbac/aci_data_structures.h | 10 +- include/rsbac/adf.h | 10 +- include/rsbac/debug.h | 7 +- include/rsbac/helpers.h | 6 +- include/rsbac/types.h | 11 +- rsbac/Kconfig | 23 +- rsbac/adf/acl/acl_syscalls.c | 26 +- rsbac/adf/adf_main.c | 91 ++--- rsbac/adf/cap/cap_main.c | 45 +-- rsbac/adf/rc/rc_main.c | 30 +- rsbac/adf/rc/rc_syscalls.c | 562 ++++++++++++---------------- rsbac/data_structures/aci_data_structures.c | 14 +- rsbac/help/debug.c | 124 +++++- rsbac/help/getname.c | 8 +- rsbac/help/helpers.c | 91 ++++- rsbac/help/syscalls.c | 10 +- 21 files changed, 702 insertions(+), 530 deletions(-)