Re: [PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials

[PATCH v4 00/30] Landlock audit support · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 01/30] lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 02/30] lsm: Add audit_log_lsm_data() helper · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 04/30] landlock: Add unique ID generator · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 05/30] landlock: Move access types · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 05/30] landlock: Move access types · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 06/30] landlock: Simplify initially denied access rights · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 06/30] landlock: Simplify initially denied access rights · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 10/30] landlock: Log mount-related denials · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 07/30] landlock: Move domain hierarchy management and export helpers · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 08/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials · Paul Moore <paul@paul-moore.com> · 2025-01-15
Re: [PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials · Mickaël Salaün <mic@digikod.net> · 2025-01-16
Re: [PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials · Paul Moore <paul@paul-moore.com> · 2025-01-16
[PATCH v4 13/30] landlock: Optimize file path walks and prepare for audit support · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 13/30] landlock: Optimize file path walks and prepare for audit support · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 09/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 9/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties · Paul Moore <paul@paul-moore.com> · 2025-01-15
Re: [PATCH v4 9/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties · Mickaël Salaün <mic@digikod.net> · 2025-01-16
Re: [PATCH v4 9/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties · Paul Moore <paul@paul-moore.com> · 2025-01-16
[PATCH v4 14/30] landlock: Log file-related denials · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 11/30] landlock: Align partial refer access checks with final ones · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 11/30] landlock: Align partial refer access checks with final ones · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 15/30] landlock: Log truncate and IOCTL denials · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 12/30] selftests/landlock: Add test to check partial access in a mount tree · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 12/30] selftests/landlock: Add test to check partial access in a mount tree · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 16/30] landlock: Log TCP bind and connect denials · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 17/30] landlock: Log scoped denials · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 18/30] landlock: Control log events with LANDLOCK_RESTRICT_SELF_QUIET · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 20/30] selftests/landlock: Fix error message · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 20/30] selftests/landlock: Fix error message · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 21/30] selftests/landlock: Add wrappers.h · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 21/30] selftests/landlock: Add wrappers.h · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 23/30] selftests/landlock: Extend tests for landlock_restrict_self()'s flags · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 24/30] selftests/landlock: Add tests for audit and LANDLOCK_RESTRICT_SELF_QUIET · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 25/30] selftests/landlock: Add audit tests for ptrace · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 26/30] landlock: Export and rename landlock_get_inode_object() · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 22/30] selftests/landlock: Add layout1.umount_sandboxer tests · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 22/30] selftests/landlock: Add layout1.umount_sandboxer tests · Mickaël Salaün <mic@digikod.net> · 2025-01-10
[PATCH v4 27/30] fs: Add iput() cleanup helper · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 27/30] fs: Add iput() cleanup helper · Mickaël Salaün <mic@digikod.net> · 2025-01-13
Re: [PATCH v4 27/30] fs: Add iput() cleanup helper · Al Viro <viro@zeniv.linux.org.uk> · 2025-01-13
Re: [PATCH v4 27/30] fs: Add iput() cleanup helper · Jann Horn <jannh@google.com> · 2025-01-13
Re: [PATCH v4 27/30] fs: Add iput() cleanup helper · Christian Brauner <brauner@kernel.org> · 2025-01-13
Re: [PATCH v4 27/30] fs: Add iput() cleanup helper · Mickaël Salaün <mic@digikod.net> · 2025-01-13
Re: (subset) [PATCH v4 27/30] fs: Add iput() cleanup helper · Christian Brauner <brauner@kernel.org> · 2025-01-13
[PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Jann Horn <jannh@google.com> · 2025-01-13
Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Christian Brauner <brauner@kernel.org> · 2025-01-13
Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Mickaël Salaün <mic@digikod.net> · 2025-01-13
Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Paul Moore <paul@paul-moore.com> · 2025-01-15
Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Mickaël Salaün <mic@digikod.net> · 2025-01-16
Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type · Paul Moore <paul@paul-moore.com> · 2025-01-16
[PATCH v4 29/30] selftests/landlock: Test audit rule with AUDIT_EXE_LANDLOCK_DOM · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 30/30] selftests/landlock: Test compatibility with audit rule lists · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 19/30] samples/landlock: Do not log denials from the sandboxer by default · Mickaël Salaün <mic@digikod.net> · 2025-01-08
[PATCH v4 03/30] landlock: Factor out check_access_path() · Mickaël Salaün <mic@digikod.net> · 2025-01-08
Re: [PATCH v4 03/30] landlock: Factor out check_access_path() · Mickaël Salaün <mic@digikod.net> · 2025-01-10

From: Paul Moore <paul@paul-moore.com>
Date: 2025-01-16 20:00:58
Also in: lkml

On Thu, Jan 16, 2025 at 5:49 AM Mickaël Salaün [off-list ref] wrote:

On Wed, Jan 15, 2025 at 06:53:06PM -0500, Paul Moore wrote:

quoted

On Jan  8, 2025 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= [off-list ref] wrote:

...

quoted

The next patch
series will also contain a new kind of audit rule to specifically
identify the origin of the policy that created this denied event, which
should make more sense.

Generally speaking audit only wants to support a small number of message
types dedicated to a specific LSM.  If you're aware of additional message
types that you plan to propose in a future patchset, it's probably a
time to discuss those now.

The only other audit record type I'm thinking about would be one
dedicated to "potentially denied access", something similar to SELinux's
permissive mode.

In this case the "audit way" to handle this would be to add a
"permissive=[0|1]" field, or similar, to the AUDIT_LANDLOCK_ACCESS
message.  If this is something you are definitely going to add to
Landlock, I might suggest adding the "permissive=" field now so it is
present from the start.

-- 
paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help