Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type

From: Paul Moore
Date: Wed Jan 15 2025 - 18:53:31 EST

Next message: Kees Cook: "[GIT PULL] execve updates for v6.14-rc1"
Previous message: Paul Moore: "Re: [PATCH v4 9/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties"
In reply to: Mickaël Salaün: "Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type"
Next in thread: Mickaël Salaün: "[PATCH v4 29/30] selftests/landlock: Test audit rule with AUDIT_EXE_LANDLOCK_DOM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jan 8, 2025 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@xxxxxxxxxxx> wrote:
>
> Landlock manages a set of standalone security policies, which can be
> loaded by any process. Because a sandbox policy may contain errors and
> can lead to log spam, we need a way to exclude some of them. It is
> simple and it makes sense to identify Landlock domains (i.e. security
> policies) per binary path that loaded such policy.
>
> Add a new AUDIT_EXE_LANDLOCK_DENY rule type to enables system
> administrator to filter logs according to the origin or the security
> policy responsible for a denial.

For reasons similar to why I didn't want to expose the audit timestamp
to users outside of audit, I'm not very enthusiastic about expanding
the audit filtering code at this point in time.

I'm not saying "no" exactly, just "not right now".

--
paul-moore.com

Next message: Kees Cook: "[GIT PULL] execve updates for v6.14-rc1"
Previous message: Paul Moore: "Re: [PATCH v4 9/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties"
In reply to: Mickaël Salaün: "Re: [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type"
Next in thread: Mickaël Salaün: "[PATCH v4 29/30] selftests/landlock: Test audit rule with AUDIT_EXE_LANDLOCK_DOM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]