[PATCH v4 00/10] Implement LANDLOCK_ADD_RULE_QUIET

Tingmao Wang m at maowtm.org
Sun Nov 23 21:03:38 UTC 2025


On 11/23/25 17:01, Justin Suess wrote:
> I had a question in regards to the quiet flag in how it
> should interact with my proposed flag LANDLOCK_ADD_RULE_NO_INHERIT.
>
> Should this flag block inheritance of the LANDLOCK_ADD_RULE_QUIET flag?
> It seems to me it should block inheritance of this flag, so you can
> create more fine grained audit-suppression rules.

I think it probably should, given that inheriting the quiet flag is also a
form of "inheritance", right?

Also, if no_inherit inhibits all forms of inheritance, then there is
opportunity for an optimization in which we stop the pathwalk altogether
if all layers have stopped inheritance (after verifying path_connected).

>
> So for example you could quiet logs on /a/b with the exception of /a/b/c
> by setting LANDLOCK_ADD_RULE_NO_INHERIT on /a/b/c.
>
> If so, as we add more flags, should this be a general policy that
> LANDLOCK_ADD_RULE_NO_INHERIT blocks access right inheritance AND flag
> inheritance? With the obvious exception of LANDLOCK_ADD_RULE_NO_INHERIT
> itself.

In fact, I don't see why LANDLOCK_ADD_RULE_NO_INHERIT itself would be an
"exception".  It doesn't matter whether this flag inherits down, since it
is set on the rule that stops inheritance itself.

Kind regards,
Tingmao
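
The path walk discussed above, as an added user-space model that is not code from the patch series or from either author. It assumes the semantics the /a/b vs /a/b/c example implies: a NO_INHERIT rule on a directory stops rules on its ancestors from applying to that directory and its subtree, while a QUIET rule covers its own subtree; the flag values, the two-layer ruleset and the `walk`/`layer_quiet` helpers are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FLAG_QUIET      (1u << 0) /* models LANDLOCK_ADD_RULE_QUIET */
#define FLAG_NO_INHERIT (1u << 1) /* models the proposed NO_INHERIT flag */
#define MAX_LAYERS 2
struct rule { int layer; const char *dir; unsigned int flags; };
/* Constructed two-layer ruleset mirroring the thread's /a/b vs /a/b/c case. */
static const struct rule rules[] = {
	{ 0, "/a/b",   FLAG_QUIET },
	{ 0, "/a/b/c", FLAG_NO_INHERIT },
	{ 1, "/a/b/c", FLAG_QUIET | FLAG_NO_INHERIT },
};
/* Walk from the accessed path up toward "/", as Landlock's path walk does.
 * quiet[l] is set once layer l has a QUIET rule covering the path; a
 * NO_INHERIT rule ends that layer's walk, so rules on its ancestors are
 * ignored.  Returns the number of directory levels visited: the walk stops
 * early once every layer has stopped (the optimization from the thread). */
static int walk(const char *path, bool quiet[MAX_LAYERS])
{
	char cur[256];
	bool stopped[MAX_LAYERS] = { false };
	int steps = 0, n_stopped = 0;
	snprintf(cur, sizeof(cur), "%s", path);
	memset(quiet, 0, MAX_LAYERS * sizeof(bool));
	for (;;) {
		steps++;
		for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
			const struct rule *r = &rules[i];
			if (stopped[r->layer] || strcmp(r->dir, cur) != 0)
				continue;
			if (r->flags & FLAG_QUIET)
				quiet[r->layer] = true;
			if (r->flags & FLAG_NO_INHERIT)
				stopped[r->layer] = true, n_stopped++;
		}
		if (n_stopped == MAX_LAYERS || strcmp(cur, "/") == 0)
			break;
		char *slash = strrchr(cur, '/'); /* step to the parent directory */
		*(slash == cur ? slash + 1 : slash) = '\0';
	}
	return steps;
}
/* Would layer `layer` suppress the audit log for an access to `path`? */
static bool layer_quiet(const char *path, int layer)
{
	bool quiet[MAX_LAYERS];
	walk(path, quiet);
	return quiet[layer];
}
```

With this ruleset an access under /a/b is quiet in layer 0, but an access under /a/b/c is not, because the NO_INHERIT rule on /a/b/c hides the quiet rule on /a/b; and since both layers stop at /a/b/c, the walk for /a/b/c/y ends after two levels instead of climbing to "/".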
