[PATCH v8 2/9] landlock: Add API support and docs for the quiet flags
Tingmao Wang
m at maowtm.org
Wed May 27 01:07:55 UTC 2026
On 5/24/26 21:35, Mickaël Salaün wrote:
> On Mon, Apr 06, 2026 at 04:52:15PM +0100, Tingmao Wang wrote:
>> [...]
>> @@ -69,6 +100,39 @@ struct landlock_ruleset_attr {
>> #define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
>> /* clang-format on */
>>
>> +/**
>> + * DOC: landlock_add_rule_flags
>> + *
>> + * **Flags**
>> + *
>> + * %LANDLOCK_ADD_RULE_QUIET
>> + * Together with the quiet_* fields in struct landlock_ruleset_attr,
>> + * this flag controls whether Landlock will log audit messages when
>> + * access to the objects covered by this rule is denied by this layer.
>> + *
>> + * If audit logging is enabled, when Landlock denies an access, it will
>> + * suppress the audit log if all of the following are true:
>> + *
>> + * - this layer is the innermost layer that denied the access;
>> + * - all accesses denied by this layer are part of the quiet_* fields
>> + * in the related struct landlock_ruleset_attr;
>> + * - the object (or one of its parents, for filesystem rules) is
>> + * marked as "quiet" via %LANDLOCK_ADD_RULE_QUIET.
>> + *
>> + * Because logging is only suppressed by a layer if the layer denies
>> + * access, a sandboxed program cannot use this flag to "hide" access
>> + * denials, without denying itself the access in the first place.
>
> This is not 100% correct: if a domain only handles/denies/quiet read, and a
> parent domain denies write, open(, O_RDWR) would not generate a log,
> which is OK.
open(, O_RDWR) as one access request is denied by the child domain because
it also needs read. For an open(, O_WRONLY), we will correctly generate a
log.
>
>> + *
>> + * The effect of this flag does not depend on the value of
>> + * allowed_access in the passed in rule_attr. When this flag is
>> + * present, the caller is also allowed to pass in an empty
>> + * allowed_access.
>
> The audit/log part in Documentation/userspace-api/landlock.rst and
> Documentation/security/landlock.rst should be updated to take this quiet
> flags into account.
>
>> + */
>> +
>> +/* clang-format off */
>> +#define LANDLOCK_ADD_RULE_QUIET (1U << 0)
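Review bot: the third suppression condition, "the object (or one of its parents, for filesystem rules) is marked as quiet", does not say what happens when a quiet ancestor has a non-quiet descendant rule in the same layer (or the reverse), and the closing paragraph's empty allowed_access case is the only hint that a rule may exist purely to mark an object; the DOC block should state the intended resolution explicitly (for example "the closest ancestor with a rule in this layer decides" or "any quiet ancestor suffices") and say plainly that a rule with %LANDLOCK_ADD_RULE_QUIET and an empty allowed_access grants nothing and only marks the object. The second bullet, "all accesses denied by this layer are part of the quiet_* fields", should also make clear that it refers to the rights denied for this particular request rather than to everything the layer handles; otherwise the open(, O_RDWR) versus open(, O_WRONLY) distinction discussed in this thread cannot be derived from the text.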
>
> I think this name is correct because this flag will be used by the
> supervisor feature, but otherwise it should be named something like
> LANDLOCK_ADD_RULE_LOG_QUIET. Tingmao, do you think that makes sense?
> If yes, it should be explained in the commit message that this quiet
> flag may be used for some kind of notification...
Makes sense, will do.
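The three suppression conditions from the quoted DOC block, together with the O_RDWR versus O_WRONLY exchange above, modelled in userspace C. This is an added example, not kernel code and not part of the patch: struct layer, ACC_READ/ACC_WRITE, check_access and the example_* helpers are stand-in names, and the kernel's real access-right bits, ruleset layout and layer walk are not reproduced. layers[0] is the outermost (oldest) domain, the last element the innermost (most recently enforced) one.

```c
/*
 * Userspace model of the audit-suppression rules in the quoted
 * landlock_add_rule_flags DOC block.  Added example, not kernel code:
 * layer walk, struct layout, field names and access bits are stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for two LANDLOCK_ACCESS_FS_* rights. */
#define ACC_READ  (1U << 0)
#define ACC_WRITE (1U << 1)

/* One enforced ruleset (layer) as seen from one object. */
struct layer {
	uint32_t handled;  /* rights this layer restricts (handled_access_fs) */
	uint32_t allowed;  /* rights this layer's rules grant on the object */
	uint32_t quiet;    /* stand-in for the quiet_* field of landlock_ruleset_attr */
	bool object_quiet; /* object (or a parent) added with LANDLOCK_ADD_RULE_QUIET */
};

struct verdict {
	bool denied;
	bool logged;       /* would an audit record be emitted? */
	int denying_layer; /* innermost layer that denied, or -1 */
};

/* Requested rights this layer handles but does not grant. */
static uint32_t layer_denies(const struct layer *l, uint32_t request)
{
	return request & l->handled & ~l->allowed;
}

/* layers[0] is the outermost (oldest) layer, layers[n-1] the innermost. */
struct verdict check_access(const struct layer *layers, size_t n,
			    uint32_t request)
{
	struct verdict v = { false, false, -1 };

	/* Walk from the innermost layer outward; the first layer that denies
	 * is the one that decides about logging (DOC block, first bullet). */
	for (size_t i = n; i-- > 0;) {
		const struct layer *l = &layers[i];
		uint32_t d = layer_denies(l, request);

		if (!d)
			continue;
		v.denied = true;
		v.denying_layer = (int)i;
		/* Second and third bullets: every right denied for this request
		 * must be in quiet_*, and the object itself must be quiet. */
		v.logged = !((d & ~l->quiet) == 0 && l->object_quiet);
		return v;
	}
	return v;
}

/*
 * The scenario from the thread: the parent domain denies write (not quiet),
 * the child domain handles only read, denies it and marks the object quiet.
 */
struct verdict example_open(uint32_t request)
{
	static const struct layer layers[] = {
		{ ACC_WRITE, 0, 0, false },      /* parent */
		{ ACC_READ, 0, ACC_READ, true }, /* child */
	};
	return check_access(layers, 2, request);
}

/*
 * A child that marks the object quiet but grants read cannot silence the
 * parent's denial of read: the child is not the innermost denier.
 */
struct verdict example_no_hiding(void)
{
	static const struct layer layers[] = {
		{ ACC_READ, 0, 0, false },              /* parent denies read */
		{ ACC_READ, ACC_READ, ACC_READ, true }, /* child allows read, "quiet" */
	};
	return check_access(layers, 2, ACC_READ);
}

int main(void)
{
	struct verdict rdwr = example_open(ACC_READ | ACC_WRITE);
	struct verdict wronly = example_open(ACC_WRITE);
	struct verdict hide = example_no_hiding();

	printf("O_RDWR:   denied=%d logged=%d layer=%d\n",
	       rdwr.denied, rdwr.logged, rdwr.denying_layer);
	printf("O_WRONLY: denied=%d logged=%d layer=%d\n",
	       wronly.denied, wronly.logged, wronly.denying_layer);
	printf("no-hide:  denied=%d logged=%d layer=%d\n",
	       hide.denied, hide.logged, hide.denying_layer);
	return 0;
}
```

Running it reproduces the exchange: the O_RDWR request is denied by the child for read, and because that denial is covered by the child's quiet mask and the object is quiet, no record is emitted; the O_WRONLY request passes the child untouched and is denied, and logged, by the parent. The third case shows why the flag cannot be used to hide denials: a layer that grants the access is never the denying layer, so its quiet marking is irrelevant.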
More information about the Linux-security-module-archive
mailing list