[PATCH v4 02/10] landlock: Add API support and docs for the quiet flags

Tingmao Wang m at maowtm.org
Sun Nov 23 21:00:15 UTC 2025


On 11/21/25 15:27, Mickaël Salaün wrote:
> On Sun, Nov 16, 2025 at 09:59:32PM +0000, Tingmao Wang wrote:
>> [...]
>> @@ -69,6 +100,39 @@ struct landlock_ruleset_attr {
>>  #define LANDLOCK_CREATE_RULESET_ERRATA			(1U << 1)
>>  /* clang-format on */
>>
>> +/**
>> + * DOC: landlock_add_rule_flags
>> + *
>> + * **Flags**
>> + *
>> + * %LANDLOCK_ADD_RULE_QUIET
>> + *     Together with the quiet_* fields in struct landlock_ruleset_attr,
>> + *     this flag controls whether Landlock will log audit messages when
>> + *     access to the objects covered by this rule is denied by this layer.
>> + *
>> + *     If audit logging is enabled, when Landlock denies an access, it will
>> + *     suppress the audit log if all of the following are true:
>> + *
>> + *     - This layer is the innermost layer that denied the access;
>
> Because these items follow ":" they should not start with a capital
> letter (e.g. "- this layer ...").
>
>> + *     - All requested accesses are part of the quiet_* fields in the
>> + *       related struct landlock_ruleset_attr;
>
> This should be updated to reflect my comment in the next patch about
> landlock_log_denial().

Not sure I completely understand what needs to be changed - are you
suggesting clarifying that only the accesses denied by this layer (which
naturally have to be handled by this layer) need to be in quiet_*?  So
basically:

 *     - all accesses denied by this layer are part of the quiet_* fields
 *       in the related struct landlock_ruleset_attr;

or something else?

Note that quiet_* already has to be a subset of handled_access_*.

>
>> + *     - The object (or one of its parents, for filesystem rules) is
>> + *       marked as "quiet" via %LANDLOCK_ADD_RULE_QUIET.
>> + *
>> + *     Because logging is only suppressed by a layer if the layer denies
>> + *     access, a sandboxed program cannot use this flag to "hide" access
>> + *     denials, without denying itself the access in the first place.
>> + *
>> + *     The effect of this flag does not depend on the value of
>> + *     allowed_access in the passed in rule_attr.  When this flag is
>> + *     present, the caller is also allowed to pass in an empty
>> + *     allowed_access.
>> + */
>> +
>> +/* clang-format off */
>> +#define LANDLOCK_ADD_RULE_QUIET			(1U << 0)
>> +/* clang-format on */
>> +
>>  /**
>>   * DOC: landlock_restrict_self_flags
>>   *
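
Review bot: the last paragraph of the %LANDLOCK_ADD_RULE_QUIET doc lets
the caller pass an empty allowed_access when the flag is present, but it
does not say what such a rule then does, nor what an empty
allowed_access means when the flag is absent. Suggest stating both
explicitly, for example that a rule with the flag and an empty
allowed_access only marks the object as quiet and grants no access, if
that is the intended behaviour. The bullet 'The object (or one of its
parents, for filesystem rules) is marked as "quiet"' could also say
whether a descendant can be excluded from a parent's quiet marking.
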
>> diff --git a/security/landlock/domain.h b/security/landlock/domain.h
>> index 7fb70b25f85a..aadbf53505c0 100644
>> --- a/security/landlock/domain.h
>> +++ b/security/landlock/domain.h
>> @@ -114,6 +114,11 @@ struct landlock_hierarchy {
>>  		 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON.  Set to false by default.
>>  		 */
>>  		log_new_exec : 1;
>> +	/**
>> +	 * @quiet_masks: Bitmasks of access that should be quieted (i.e. not
>> +	 * logged) if the related object is marked as quiet.
>> +	 */
>> +	struct access_masks quiet_masks;
>
> Please update the above @work_free doc.

I assume you meant the one in struct landlock_ruleset, not here.  Will update.

>
>>  #endif /* CONFIG_AUDIT */
>>  };
>>
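
Review bot: the @quiet_masks doc in struct landlock_hierarchy does not
say where the masks come from, or that the field only exists in
audit-enabled builds (it is added before "#endif /* CONFIG_AUDIT */").
Suggest naming the source, presumably the quiet_* fields of struct
landlock_ruleset_attr that the uapi doc refers to, and checking that
every reader and writer of quiet_masks sits under the same
CONFIG_AUDIT guard.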


