| author | Tingmao Wang <m@maowtm.org> | 2026-06-12 02:48:48 +0100 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2026-06-14 20:17:19 +0200 |
| commit | 29752205db5ff1793437b352c9e343b8e41fb184 (patch) | |
| tree | d3f2260164fd5c69382365b2fe5ed52c0feb938c /Documentation | |
| parent | a260c0055665fc38804400b3dbdca165d5e0aa15 (diff) | |
landlock: Add API support and docs for the quiet flags

Adds the UAPI for the quiet flags feature (but not the implementation
yet).

Even though currently LANDLOCK_ADD_RULE_QUIET only affects audit
logging, in the future this can also be used as part of a supervisor
mechanism, where it will also suppress denial notifications on a
per-object basis. Thus the name is deliberately generic, as opposed to
e.g. LANDLOCK_ADD_RULE_LOG_QUIET.

According to pahole, even after adding the struct access_masks
quiet_masks in struct landlock_hierarchy, the u32 log_* bitfield still
only has a size of 2 bytes, so there's minimal wasted space.

Assisted-by: GitHub-Copilot:claude-opus-4.8
Signed-off-by: Tingmao Wang <m@maowtm.org>
[mic: Update date, fix comment formatting]
Link: https://patch.msgid.link/031184748a8e74c0bb02f1fa13d7a3f10918c627.1781228815.git.m@maowtm.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>

Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/admin-guide/LSM/landlock.rst | 9 | ||||
| -rw-r--r-- | Documentation/userspace-api/landlock.rst | 14 |
2 files changed, 20 insertions, 3 deletions
diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/admin-guide/LSM/landlock.rst index 2dacb381c1a90..314052bbeb0a9 100644 --- a/Documentation/admin-guide/LSM/landlock.rst +++ b/Documentation/admin-guide/LSM/landlock.rst @@ -19,8 +19,10 @@ Audit Denied access requests are logged by default for a sandboxed program if `audit` is enabled. This default behavior can be changed with the sys_landlock_restrict_self() flags (cf. -Documentation/userspace-api/landlock.rst). Landlock logs can also be masked -thanks to audit rules. Landlock can generate 2 audit record types. +Documentation/userspace-api/landlock.rst), or suppressed on a per-object +basis by using ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+). Landlock logs can +also be masked thanks to audit rules. Landlock can generate 2 audit +record types. Record types ------------ @@ -174,7 +176,8 @@ If you get spammed with audit logs related to Landlock, this is either an attack attempt or a bug in the security policy. We can put in place some filters to limit noise with two complementary ways: -- with sys_landlock_restrict_self()'s flags if we can fix the sandboxed +- with sys_landlock_restrict_self()'s flags, or + ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+) if we can fix the sandboxed programs, - or with audit rules (see :manpage:`auditctl(8)`). diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index b5a2ab6f47669..5a63d4476c1c7 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst 
@@ -775,6 +775,20 @@ remote port of UDP sockets (via :manpage:`connect(2)`), and sending datagrams to an explicit remote port (ignoring any destination set on UDP sockets, via e.g. :manpage:`sendto(2)`). +Quiet rule flag (ABI < 10) +-------------------------- + +Starting with the Landlock ABI version 10, it is possible to selectively +suppress logs for specific denied accesses on a per-object basis with +the ``LANDLOCK_ADD_RULE_QUIET`` flag of sys_landlock_add_rule(), in +combination with the ``quiet_access_fs`` and ``quiet_access_net`` fields +of struct landlock_ruleset_attr. It is also now possible to suppress +logs for scope accesses via the ``quiet_scoped`` field of struct +landlock_ruleset_attr. The object is marked as quiet within a ruleset +when at least one sys_landlock_add_rule() call is made for it with the +``LANDLOCK_ADD_RULE_QUIET`` flag, additional add-rule calls for the same +object without this flag do not clear it. + .. _kernel_support: Kernel support |
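Review bot: In the first Documentation/admin-guide/LSM/landlock.rst hunk (Audit section), the "(cf. Documentation/userspace-api/landlock.rst)" pointer now closes before ``LANDLOCK_ADD_RULE_QUIET`` is mentioned, so the reader is sent to the userspace API document for the sys_landlock_restrict_self() flags but not for the new flag. Consider moving the cross-reference to the end of that sentence, after "(ABI 10+)", so it covers both mechanisms.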
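Review bot: In the second Documentation/admin-guide/LSM/landlock.rst hunk (the noise-filtering list), ``LANDLOCK_ADD_RULE_QUIET`` is offered as a noise filter directly under the context line saying that a flood of Landlock logs "is either an attack attempt or a bug in the security policy", with no word on the first case. Since the flag suppresses denial logs for an object, a sentence advising that it be reserved for denials that are known and expected would keep administrators from silencing the records they need to spot an attack attempt. Separately, the comma in "flags, or" makes "if we can fix the sandboxed programs" read as applying only to the quiet flag; dropping it restores the original scope of the condition.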
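Review bot: In the Documentation/userspace-api/landlock.rst hunk, the new section says the flag works "in combination with" ``quiet_access_fs`` and ``quiet_access_net`` (and mentions ``quiet_scoped``) but never states what these fields hold or how they determine which denied accesses are silenced for a quiet object. Please add a sentence defining them, or a pointer to the struct landlock_ruleset_attr documentation, so the paragraph can be used on its own. The last sentence is also a comma splice: "... with the ``LANDLOCK_ADD_RULE_QUIET`` flag, additional add-rule calls ..." reads better split with a semicolon or a full stop.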
