From: Justin Suess <utilityemal77@gmail.com>
To: m@maowtm.org
Cc: gnoack@google.com, jack@suse.cz,
linux-security-module@vger.kernel.org, mic@digikod.net,
utilityemal77@gmail.com, xandfury@gmail.com
Subject: Re: [PATCH v4 00/10] Implement LANDLOCK_ADD_RULE_QUIET
Date: Sun, 23 Nov 2025 12:01:03 -0500 [thread overview]
Message-ID: <20251123170103.2640561-1-utilityemal77@gmail.com> (raw)
In-Reply-To: <5c0de8ee7e00aff1aceb3a80f5af162eeaaa06db.1763330228.git.m@maowtm.org>
I had a question in regards to the quiet flag in how it
should interact with my proposed flag LANDLOCK_ADD_RULE_NO_INHERIT.
Should this flag block inheritance of the LANDLOCK_ADD_RULE_QUIET flag?
It seems to me it should block inheritance of this flag, so you can
create more fine-grained audit-suppression rules.
So for example you could quiet logs on /a/b with the exception of /a/b/c
by setting LANDLOCK_ADD_RULE_NO_INHERIT on /a/b/c.
If so, as we add more flags, should this be a general policy that
LANDLOCK_ADD_RULE_NO_INHERIT blocks access right inheritance AND flag
inheritance? With the obvious exception of LANDLOCK_ADD_RULE_NO_INHERIT
itself.
Alternatives could be a new flag to control whether NO_INHERIT also
suppresses flag inheritance.
Or simply having LANDLOCK_ADD_RULE_NO_INHERIT continue to only apply to
access masks.
The latest version of LANDLOCK_ADD_RULE_NO_INHERIT is below for
convenience.
v3:
https://lore.kernel.org/linux-security-module/20251120222346.1157004-1-utilityemal77@gmail.com/T/#t
Kind Regards,
Justin Suess
Thread overview: 18+ messages
2025-11-16 21:59 [PATCH v4 00/10] Implement LANDLOCK_ADD_RULE_QUIET Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 01/10] landlock: Add a place for flags to layer rules Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 02/10] landlock: Add API support and docs for the quiet flags Tingmao Wang
2025-11-21 15:27 ` Mickaël Salaün
2025-11-23 21:00 ` Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 03/10] landlock: Suppress logging when quiet flag is present Tingmao Wang
2025-11-21 15:27 ` Mickaël Salaün
2025-11-23 21:01 ` Tingmao Wang
2025-12-19 14:27 ` Mickaël Salaün
2025-11-23 17:01 ` Justin Suess [this message]
2025-11-23 21:03 ` [PATCH v4 00/10] Implement LANDLOCK_ADD_RULE_QUIET Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 04/10] landlock: Fix wrong type usage Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 05/10] samples/landlock: Add quiet flag support to sandboxer Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 06/10] selftests/landlock: Replace hard-coded 16 with a constant Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 07/10] selftests/landlock: add tests for quiet flag with fs rules Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 08/10] selftests/landlock: add tests for quiet flag with net rules Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 09/10] selftests/landlock: Add tests for quiet flag with scope Tingmao Wang
2025-11-16 21:59 ` [PATCH v4 10/10] selftests/landlock: Add tests for invalid use of quiet flag Tingmao Wang