[RFC PATCH v1 0/5] Landlock tracepoints
Mickaël Salaün
mic at digikod.net
Fri May 23 16:57:36 UTC 2025
Hi,

This series adds two tracepoints to Landlock, one tied to rule addition,
and another to rule checking. With these new tracepoints, we can see
all steps leading to an access decision. They can be directly used with
/sys/kernel/tracing/events/landlock/* or attached by eBPF programs to
get a more complete view of Landlock internals.

This new feature is useful to troubleshoot policy issues, and it should
also limit the need for custom debugging kernel code when developing new
Landlock features.

Landlock already has audit support, which enables us to log denied
access requests. Audit is useful to identify security issues or sandbox
misconfiguration. However, it might not be enough to debug Landlock
policies. The main differences with audit events are that traces are
disabled by default, can be very verbose, and can be filtered according
to process and Landlock properties (e.g. domain ID).

As for audit, this tracing feature may expose sensitive information and
must then only be accessible to the system administrator.

This RFC only fully supports filesystem rules but the next series will
also support network rules. Tests are also missing for now.

Regards,

Mickaël Salaün (5):
  landlock: Rename landlock_id to landlock_rule_ref
  landlock: Merge landlock_find_rule() into landlock_unmask_layers()
  tracing: Add __print_untrusted_str()
  landlock: Add landlock_add_rule_fs tracepoint
  landlock: Add landlock_check_rule tracepoint

 MAINTAINERS                                |   1 +
 include/linux/trace_events.h               |   3 +
 include/trace/events/landlock.h            | 124 ++++++++++++++
 include/trace/stages/stage3_trace_output.h |   4 +
 include/trace/stages/stage7_class_define.h |   1 +
 kernel/trace/trace_output.c                |  40 +++++
 security/landlock/Makefile                 |  11 +-
 security/landlock/fs.c                     | 178 +++++++++++++--------
 security/landlock/fs.h                     |   3 +
 security/landlock/net.c                    |  18 +--
 security/landlock/ruleset.c                |  65 ++++----
 security/landlock/ruleset.h                |  15 +-
 security/landlock/trace.c                  |  15 ++
 13 files changed, 365 insertions(+), 113 deletions(-)
 create mode 100644 include/trace/events/landlock.h
 create mode 100644 security/landlock/trace.c

base-commit: a5806cd506af5a7c19bcd596e4708b5c464bfd21
--
2.49.0
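As an added example, not part of this series or its cover letter, the tracefs workflow the cover letter refers to: list the Landlock events under /sys/kernel/tracing/events/landlock/, read an event's format file to learn which field names a filter may use, install a filter, enable the events, and read trace_pipe. The helper names, the TRACEFS variable and the sample filter on common_pid are this example's own assumptions; the Landlock-specific fields (such as the domain ID the cover letter mentions) are not listed in the cover letter and must be taken from the format file on a kernel carrying these patches. Writing to tracefs requires root.

```shell
#!/bin/sh
# Added example (not the series' own code): drive the Landlock tracepoints
# landlock_add_rule_fs and landlock_check_rule through tracefs.
# Assumes the standard tracefs layout: events/<subsystem>/<event>/{enable,filter,format}
# and a trace_pipe file at the tracefs root. TRACEFS may point at a
# different mount (or a test directory with the same layout).

TRACEFS="${TRACEFS:-/sys/kernel/tracing}"

# Print the Landlock event names exposed by this kernel, one per line.
landlock_events() {
    root="${1:-$TRACEFS}"
    for d in "$root"/events/landlock/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# Enable (state=1) or disable (state=0) one Landlock event.
landlock_event_set() {
    root="$1"; event="$2"; state="$3"
    printf '%s\n' "$state" > "$root/events/landlock/$event/enable"
}

# Install a filter expression on one event; an empty expression clears it
# (tracefs clears a filter when "0" is written).
landlock_event_filter() {
    root="$1"; event="$2"; expr="$3"
    if [ -z "$expr" ]; then
        printf '0\n' > "$root/events/landlock/$event/filter"
    else
        printf '%s\n' "$expr" > "$root/events/landlock/$event/filter"
    fi
}

# Print the "type name" of every field of an event, parsed from its format
# file; these names are what a filter expression can reference.
landlock_event_fields() {
    root="$1"; event="$2"
    sed -n 's/^[[:space:]]*field:\([^;]*\);.*/\1/p' "$root/events/landlock/$event/format"
}

# Read up to N lines from trace_pipe (on a real system this blocks until
# N events have been emitted).
landlock_trace_read() {
    root="$1"; n="${2:-20}"
    head -n "$n" "$root/trace_pipe"
}

# Stand-alone use (as root): "sh this.sh run" prints the fields of both
# events, restricts them to one process (pid 42 is a constructed sample),
# enables them, captures 20 lines, then disables and clears everything.
if [ "${1:-}" = "run" ]; then
    for ev in landlock_add_rule_fs landlock_check_rule; do
        landlock_event_fields "$TRACEFS" "$ev"
        landlock_event_filter "$TRACEFS" "$ev" 'common_pid == 42'
        landlock_event_set "$TRACEFS" "$ev" 1
    done
    landlock_trace_read "$TRACEFS" 20
    for ev in landlock_add_rule_fs landlock_check_rule; do
        landlock_event_set "$TRACEFS" "$ev" 0
        landlock_event_filter "$TRACEFS" "$ev" ''
    done
fi
```

Enabling is done per event rather than through the subsystem-wide events/landlock/enable so that a filter can be checked against each event's own format file first; disabling and clearing the filter afterwards matters because, as the cover letter notes, these traces can be very verbose and may carry sensitive data.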