Re: [PATCH v6 00/26] Landlock audit support

From: Mickaël Salaün
Date: Sun Mar 09 2025 - 05:42:00 EST


On Sat, Mar 08, 2025 at 07:43:56PM +0100, Mickaël Salaün wrote:
> Hi,
>
> This patch series adds audit support to Landlock.
>
> Logging denied requests is useful for different use cases:
> - sysadmins: to look for users' issues,
> - security experts: to detect attack attempts,
> - power users: to understand denials,
> - developers: to ease sandboxing support and get feedback from users.
>
> Because of its unprivileged nature, Landlock can compose standalone
> security policies (i.e. domains). To make logs useful, they need to
> contain the most relevant Landlock domain that denied an action, and the
> reason for such a denial. This translates to the latest nested domain and
> the related blockers: missing access rights or other kinds of
> restrictions.
>
> # Main changes from previous version
>
> Renamed the landlock_restrict_self(2) flags to improve clarity and
> consistency, and slightly changed the semantics of the first one:
> - LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF: do not log denied access
> caused by a task with the same executable (i.e. before any new
> execve(2));
> - LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC_ON: log denied access for
> processes resulting from an execve(2), which is not the case by
> default;
> - LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF: do not log denied access
> from future nested domains.
>
> These new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
> LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC_ON are not incompatible anymore.

As you can see in the patches, it's not
LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC_ON but
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON now. I think "new_exec" makes
more sense than "cross_exec", especially compared to "same_exec", but
I'm open to suggestions.

Anyway, this patch series should land Monday in linux-next. In the
meantime you can find it here:
https://web.git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next
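The cover letter above describes the three landlock_restrict_self(2) logging flags but not how a sandboxer would combine them. The following is an added example, not code from the patch series or the kernel tree: a minimal wrapper that enforces a write-denying Landlock ruleset on itself and then execve(2)s a target program, choosing the flags so that its own expected denials stay quiet while the target's denials are logged. Assumptions: the flag values (1U << 0, 1U << 1, 1U << 2) and the fallback UAPI struct layout are taken from the merged Landlock headers as I know them and are only used when the system headers lack them; the helper names sandboxer_log_flags and restrict_self_with_logging are mine.

```c
/* Added example: a tiny Landlock sandboxer that picks audit logging flags
 * for the program it is about to exec. Not from the series or kernel tree.
 * System headers are preferred; the fallbacks below are assumed layouts
 * and values, used only when the headers are missing or too old. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__has_include) && __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else
/* Fallback for toolchains without the Landlock UAPI header (assumed). */
struct landlock_ruleset_attr {
	uint64_t handled_access_fs;
	uint64_t handled_access_net;
	uint64_t scoped;
};
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#endif

/* Logging flags named in the cover letter; values assumed from the UAPI
 * header and only defined here if the system header predates them. */
#ifndef LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
#define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF  (1U << 0)
#endif
#ifndef LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
#define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON    (1U << 1)
#endif
#ifndef LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
#define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2)
#endif

/* Syscall numbers are the same on every architecture for these calls. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* Choose flags for a sandboxer that will execve(2) a target program:
 *  - its own denials after restriction (same executable) are expected
 *    noise, so LOG_SAME_EXEC_OFF silences them;
 *  - the target's denials (new executable) are the ones worth auditing
 *    and are not logged by default, so LOG_NEW_EXEC_ON enables them;
 *  - LOG_SUBDOMAINS_OFF leaves nested domains created later by the
 *    target out of this domain's logging. */
uint32_t sandboxer_log_flags(bool audit_target, bool audit_nested_domains)
{
	uint32_t flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF;

	if (audit_target)
		flags |= LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
	if (!audit_nested_domains)
		flags |= LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF;
	return flags;
}

/* Create a ruleset handling the given filesystem accesses (no rules are
 * added, so every handled access is denied) and enforce it with the chosen
 * logging flags. Only the first attr field is passed so that older kernels
 * do not reject the size. Returns 0 on success, or -errno. */
int restrict_self_with_logging(uint64_t handled_fs, uint32_t log_flags)
{
	struct landlock_ruleset_attr attr = { .handled_access_fs = handled_fs };
	int ruleset_fd, err = 0;

	/* Required before landlock_restrict_self(2) for unprivileged tasks. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return -errno;
	ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr,
				  sizeof(attr.handled_access_fs), 0);
	if (ruleset_fd < 0)
		return -errno;
	if (syscall(__NR_landlock_restrict_self, ruleset_fd, log_flags))
		err = -errno;
	close(ruleset_fd);
	return err;
}

int main(int argc, char *argv[])
{
	int err;

	if (argc < 2) {
		fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]);
		return 1;
	}
	/* Deny all file writes for the target; unhandled accesses (reads,
	 * execution) remain allowed so the target can still start. */
	err = restrict_self_with_logging(LANDLOCK_ACCESS_FS_WRITE_FILE,
					 sandboxer_log_flags(true, false));
	if (err) {
		fprintf(stderr, "landlock: %s\n", strerror(-err));
		return 1;
	}
	execvp(argv[1], &argv[1]);
	perror("execvp");
	return 1;
}
```

With a kernel carrying this series, running the wrapper around a program that attempts a write produces an audit record attributed to the new executable, while the wrapper's own post-restriction activity stays out of the log; on older kernels landlock_restrict_self(2) rejects the unknown flags and the wrapper reports the error instead of silently running unlogged.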