[PATCH v2 3/6] landlock/audit: Check for quiet flag in landlock_log_denial

Tingmao Wang m at maowtm.org
Sun Oct 26 20:48:45 UTC 2025


On 10/15/25 20:09, Mickaël Salaün wrote:
> Just use "landlock: " as subject prefix.
> 
> On Sun, Oct 05, 2025 at 06:55:26PM +0100, Tingmao Wang wrote:
>> [...]
>> @@ -436,6 +456,52 @@ void landlock_log_denial(const struct landlock_cred_security *const subject,
>>  	if (!audit_enabled)
>>  		return;
>>  
>> +	/*
>> +	 * Checks if the object is marked quiet by the layer that denied the
>> +	 * request.  If it's a different layer that marked it as quiet, but
>> +	 * that layer is not the one that denied the request, we should still
>> +	 * audit log the denial.
>> +	 */
>> +	quiet_flag_on_rule = !!(rule_flags.quiet_masks & BIT(youngest_layer));
>> +
>> +	if (quiet_flag_on_rule) {
>> +		/*
>> +		 * This is not a scope request, since rule_flags is not zero.  We
>> +		 * now check if the denied requests are all covered by the layer's
>> +		 * quiet access bits.
>> +		 */
>> +		quiet_mask = pick_access_mask_for_req_type(
>> +			request->type, youngest_denied->quiet_masks);
>> +		quiet_applicable_to_access = (quiet_mask & missing) == missing;
>> +
>> +		if (quiet_applicable_to_access)
>> +			return;
>> +	} else {
>> +		quiet_mask = youngest_denied->quiet_masks.scope;
>> +		switch (request->type) {
>> +		case LANDLOCK_REQUEST_SCOPE_SIGNAL:
>> +			quiet_applicable_to_access =
>> +				!!(quiet_mask & LANDLOCK_SCOPE_SIGNAL);
>> +			break;
>> +		case LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET:
>> +			quiet_applicable_to_access =
>> +				!!(quiet_mask &
>> +				   LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
>> +			break;
>> +		/*
>> +		 * Leave LANDLOCK_REQUEST_PTRACE and
>> +		 * LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY unhandled for now - they are
>> +		 * never quiet
>> +		 */
> 
> This also covers the case where the object is not quiet.
> 
>> +		default:
>> +			break;
>> +		}
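Review bot: in the else branch the `default:` case leaves `quiet_applicable_to_access` unassigned, and since the variable's declaration is outside this hunk it is not visible here whether it carries an initializer, so the check that presumably follows the switch may read an indeterminate value; assign `quiet_applicable_to_access = false;` explicitly in the default case. That case also covers the situation where the object simply is not marked quiet (as pointed out above), not only LANDLOCK_REQUEST_PTRACE and LANDLOCK_REQUEST_FS_CHANGE_TOPOLOGY, so the comment placed before `default:` should say so rather than describing only the two unhandled request types.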

I went with adding a comment above the line
    quiet_mask = youngest_denied->quiet_masks.scope;


