[RFC PATCH 1/6] landlock: Add a place for flags to layer rules
Tingmao Wang
m at maowtm.org
Sat Sep 27 23:12:00 UTC 2025

On 9/27/25 20:00, Mickaël Salaün wrote:
> On Sat, Sep 27, 2025 at 04:43:50PM +0100, Tingmao Wang wrote:
>> [..]
>>
>> Also, do we want to consider calling this something else instead, like
>> "suppress_audit"?
>
> Quiet is simpler (similar to the LANDLOCK_RESTRICT_SELF_LOG_* flags) and
> if we get other ways to log actions this will also be used. For the
> supervisor case, that would be useful to not forward a request to the
> supervisor. The *_LOG_* flags could be used the same way too (even if
> "LOG" may be a subset of the supervisor capabilities). Do you think
> that would be OK? Dedicated flags would be more flexible but also a bit
> more complex. Is it worth it? In any case, the semantics and need
> should be quite similar.

I don't think we need a dedicated flag; I was just wondering if "QUIET" is
the right name, but I guess I don't have a better suggestion either. On
second thought, SUPPRESS_AUDIT would no longer be accurate if we later use
it to control supervisor forwarding (it would be doing more than just
suppressing audit logs).