https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.15.y.git;a=summary
RSBAC for Linux 5.15 (Long Term)
Current version: 5.15.164
commit 0b8bc945a7edf756f4d55243c4569a887c514362
Author: Amon Ott ao@rsbac.org
Date: Wed Jul 31 09:19:16 2024 +0200

Add feature CAP filesystem object hiding

If enabled, you can hide filesystem objects from users without Linux read rights on them, set with the kernel command line switch rsbac_cap_fd_hiding or through the RSBAC proc interface. There are two possible values:

0 / off: no hiding.
1 / on: only processes with Linux read right to a filesystem object, Linux capability DAC_OVERRIDE or DAC_READ_SEARCH or with CAP role security officer or system admin may see this object.

Hiding works with many, but not all types of file system object access.

While at it, reduce overhead with CAP process hiding: only use global variable rsbac_cap_process_hiding instead of per-process attribute, which does not get set individually anyway.

Since rsbac_get_owner() never returns an error, change it to not return a result and remove all result checks.

Add some type casts to rc_main.c.

vfs_getattr(): with RSBAC_FSOBJ_HIDE, avoid SEARCH request on IPC targets.

fs/locks.c | 12 +
fs/namei.c | 37 ++
fs/open.c | 34 ++
fs/readdir.c | 43 ++-
fs/stat.c | 31 ++
include/rsbac/aci_data_structures.h | 10 +-
include/rsbac/adf.h | 10 +-
include/rsbac/debug.h | 7 +-
include/rsbac/helpers.h | 6 +-
include/rsbac/types.h | 11 +-
rsbac/Kconfig | 23 +-
rsbac/adf/acl/acl_syscalls.c | 28 +-
rsbac/adf/adf_main.c | 91 ++---
rsbac/adf/cap/cap_main.c | 45 +--
rsbac/adf/rc/rc_main.c | 30 +-
rsbac/adf/rc/rc_syscalls.c | 564 ++++++++++++----------------
rsbac/data_structures/aci_data_structures.c | 14 +-
rsbac/help/debug.c | 124 +++++-
rsbac/help/getname.c | 8 +-
rsbac/help/helpers.c | 91 ++++-
rsbac/help/syscalls.c | 10 +-
21 files changed, 699 insertions(+), 530 deletions(-)