Message ID | 20250308184422.2159360-1-mic@digikod.net (mailing list archive) |
---|---|
Series | Landlock audit support |
On Sat, Mar 08, 2025 at 07:43:56PM +0100, Mickaël Salaün wrote:
> Hi,
>
> This patch series adds audit support to Landlock.
>
> Logging denied requests is useful for different use cases:
> - sysadmins: to look for users' issues,
> - security experts: to detect attack attempts,
> - power users: to understand denials,
> - developers: to ease sandboxing support and get feedback from users.
>
> Because of its unprivileged nature, Landlock can compose standalone
> security policies (i.e. domains). To make logs useful, they need to
> contain the most relevant Landlock domain that denied an action, and the
> reason of such denial. This translates to the latest nested domain and
> the related blockers: missing access rights or other kind of
> restrictions.
>
> # Main changes from previous version
>
> Renamed the landlock_restrict_self(2) flags to improve clarity and
> consistency, and slightly change the semantic of the first one:
> - LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF: do not log denied access
>   caused by a task with the same executable (i.e. before any new
>   execve(2));
> - LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC_ON: log denied access for
>   processes resulting from an execve(2), which is not the case by
>   default.
> - LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF: do not log denied access
>   from future nested domains.
>
> These new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
> LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC_ON are not incompatible anymore.

As you can see in the patches, it's not
LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC_ON but
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON now. I think "new_exec" makes
more sense than "cross_exec", especially compared to "same_exec", but
I'm open to suggestions.

Anyway, this patch series should land Monday in linux-next. In the
meantime you can find it here:
https://web.git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next