From: Tingmao Wang <m@maowtm.org>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Tingmao Wang" <m@maowtm.org>,
"Günther Noack" <gnoack@google.com>, "Jan Kara" <jack@suse.cz>,
linux-security-module@vger.kernel.org
Subject: [PATCH v2 0/6] Implement LANDLOCK_ADD_RULE_QUIET
Date: Sun, 5 Oct 2025 18:55:23 +0100 [thread overview]
Message-ID: <cover.1759686613.git.m@maowtm.org> (raw)
Hi,
This is the v2 of the "quiet flag" series, implementing the feature as
proposed in [1].
v1: https://lore.kernel.org/all/cover.1757376311.git.m@maowtm.org/
The quiet flag allows a sandboxer to suppress audit logs for uninteresting
denials. The flag can be set on objects and inherits downward in the
filesystem hierarchy. On a denial, the youngest denying layer's quiet
flag setting decides whether to audit. The motivation for this feature is
to reduce audit noise, and also prepare for a future supervisor feature
which will use this bit to suppress supervisor notifications.
In this version, the most significant change is that we now have a quiet
access mask in the ruleset_attr, which gets eventually stored in the
hierarchy. This allows the user to specify which access should be affected
by quiet bits. One can then, for example, make it such that read accesses
to certain files are not audited (but still denied), but all writes are
still audited, regardless of location.
This version also implements quiet support for optional accesses (truncate
and ioctl), scope denials (signal, abstract unix socket), addresses
suggestions from v1 review, and further enhances sandboxer to allow full
customization of which access to quiet. Network and scope access quieting
are now also supported by the sandboxer via additional environment
variables.
I still haven't added any selftests yet but did some testing with
sandboxer. I would like this to be reviewed as it stands, before
finishing up the tests which I will hopefully add in v3.
Patches removed since v1:
- landlock/access: Improve explanation on the deny_masks_t
Demo:
/# LL_FS_RO=/usr LL_FS_RW= LL_FORCE_LOG=1 LL_FS_QUIET=/dev:/tmp:/etc LL_FS_QUIET_ACCESS=r ./sandboxer bash
...
audit: type=1423 audit(1759680175.562:195): domain=15bb25f6b blockers=fs.write_file,fs.read_file path="/dev/tty" dev="devtmpfs" ino=11
^^^^^^^^
# note: because write is not quieted, we see the above line. blockers
# contains read as well since that's the originally requested access.
audit: type=1424 audit(1759680175.562:195): domain=15bb25f6b status=allocated mode=enforcing pid=616 uid=0 exe="/sandboxer" comm="sandboxer"
audit: type=1300 audit(1759680175.562:195): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c86113d1 a2=802 a3=0 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680175.562:195): proctitle="bash"
bash: cannot set terminal process group (605): Inappropriate ioctl for device
bash: no job control in this shell
bash: /etc/bash.bashrc: Permission denied
audit: type=1423 audit(1759680175.570:196): domain=15bb25f6b blockers=fs.read_file path="/.bash_history" dev="virtiofs" ino=36963
^^^^^^^^
# read outside /dev:/tmp:/etc - not quieted
audit: type=1300 audit(1759680175.570:196): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c868e400 a2=0 a3=0 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680175.570:196): proctitle="bash"
audit: type=1423 audit(1759680175.570:197): domain=15bb25f6b blockers=fs.read_file path="/.bash_history" dev="virtiofs" ino=36963
audit: type=1300 audit(1759680175.570:197): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c868e400 a2=0 a3=0 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680175.570:197): proctitle="bash"
bash-5.2# head /etc/passwd
head: cannot open '/etc/passwd' for reading: Permission denied
^^^^^^^^
# reads to /etc are quieted
bash-5.2# echo evil >> /etc/passwd
bash: /etc/passwd: Permission denied
audit: type=1423 audit(1759680227.030:198): domain=15bb25f6b blockers=fs.write_file path="/etc/passwd" dev="virtiofs" ino=790
^^^^^^^^
# writes are not quieted
audit: type=1300 audit(1759680227.030:198): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c86ab030 a2=441 a3=1b6 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680227.030:198): proctitle="bash"
Design:
- The user can set the quiet flag for a layer on any part of the fs
hierarchy (whether it allows any access on it or not), and the flag
inherits down (no support for "cancelling" the inheritance of the flag
in specific subdirectories).
- The youngest layer that denies a request gets to decide whether the
denial is audited or not. This means that a compromised binary, for
example, cannot "turn off" Landlock auditing when it tries to access
files, unless it denies access to the files itself. There is some
debate to be had on whether, if a parent layer sets the quiet flag, but
the request is denied by a deeper layer, whether Landlock should still
audit anyway (since the rule author of the child layer likely did not
expect the denial, so it would be good diagnostic). The current
approach is to ignore the quiet on the parent layer and audit anyway.
All existing kselftests pass.
[1]: https://github.com/landlock-lsm/linux/issues/44#issuecomment-2876500918
Kind regards,
Tingmao
Tingmao Wang (6):
landlock: Add a place for flags to layer rules
landlock: Add API support and docs for the quiet flags
landlock/audit: Check for quiet flag in landlock_log_denial
landlock/audit: Fix wrong type usage
samples/landlock: Add quiet flag support to sandboxer
Implement quiet for optional accesses
include/uapi/linux/landlock.h | 64 +++++++++
samples/landlock/sandboxer.c | 133 +++++++++++++++++--
security/landlock/audit.c | 113 +++++++++++++---
security/landlock/audit.h | 4 +-
security/landlock/domain.c | 23 ++++
security/landlock/domain.h | 10 ++
security/landlock/fs.c | 103 ++++++++------
security/landlock/fs.h | 36 +++--
security/landlock/net.c | 11 +-
security/landlock/net.h | 3 +-
security/landlock/ruleset.c | 19 ++-
security/landlock/ruleset.h | 39 +++++-
security/landlock/syscalls.c | 72 +++++++---
security/landlock/task.c | 12 +-
tools/testing/selftests/landlock/base_test.c | 4 +-
15 files changed, 538 insertions(+), 108 deletions(-)
base-commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a
--
2.51.0
next reply other threads:[~2025-10-05 17:56 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-05 17:55 Tingmao Wang [this message]
2025-10-05 17:55 ` [PATCH v2 1/6] landlock: Add a place for flags to layer rules Tingmao Wang
2025-10-15 19:07 ` Mickaël Salaün
2025-10-05 17:55 ` [PATCH v2 2/6] landlock: Add API support and docs for the quiet flags Tingmao Wang
2025-10-15 19:08 ` Mickaël Salaün
2025-10-05 17:55 ` [PATCH v2 3/6] landlock/audit: Check for quiet flag in landlock_log_denial Tingmao Wang
2025-10-15 19:09 ` Mickaël Salaün
2025-10-19 17:39 ` Tingmao Wang
2025-10-20 20:12 ` Mickaël Salaün
2025-10-26 20:48 ` Tingmao Wang
2025-10-05 17:55 ` [PATCH v2 4/6] landlock/audit: Fix wrong type usage Tingmao Wang
2025-10-05 17:55 ` [PATCH v2 5/6] samples/landlock: Add quiet flag support to sandboxer Tingmao Wang
2025-10-05 17:55 ` [PATCH v2 6/6] Implement quiet for optional accesses Tingmao Wang
2025-10-15 19:09 ` Mickaël Salaün
2025-10-19 17:45 ` Tingmao Wang
2025-10-20 20:11 ` Mickaël Salaün
2025-10-26 20:50 ` Tingmao Wang
2025-10-15 19:06 ` [PATCH v2 0/6] Implement LANDLOCK_ADD_RULE_QUIET Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1759686613.git.m@maowtm.org \
--to=m@maowtm.org \
--cc=gnoack@google.com \
--cc=jack@suse.cz \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).