landlock: Add LANDLOCK_ADD_RULE_QUIET #13
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
52a5b61 to
de15882
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
5 times, most recently
from
ee7bedc to
434a24b
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
2 times, most recently
from
af4c481 to
92db84c
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
4 times, most recently
from
fcbc967 to
de94a09
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
de94a09 to
135d51a
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
5 times, most recently
from
0f12d29 to
c0cd55c
Compare
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| * is there to hold a quiet flag | ||
| */ | ||
| if (!path_beneath_attr.allowed_access) | ||
| if (!flags && !path_beneath_attr.allowed_access) |
There was a problem hiding this comment.
The logic here is unclear. The condition !flags should specifically check for the absence of LANDLOCK_ADD_RULE_QUIET rather than the absence of any flags, for better maintainability and clarity.
Suggested change
| if (!flags && !path_beneath_attr.allowed_access) | |
| if (!(flags & LANDLOCK_ADD_RULE_QUIET) && !path_beneath_attr.allowed_access) |
| * if it is there to hold a quiet flag | ||
| */ | ||
| if (!net_port_attr.allowed_access) | ||
| if (!flags && !net_port_attr.allowed_access) |
There was a problem hiding this comment.
Same issue as with filesystem rules: the condition !flags should specifically check for the absence of LANDLOCK_ADD_RULE_QUIET rather than the absence of any flags.
Suggested change
| if (!flags && !net_port_attr.allowed_access) | |
| if (!(flags & LANDLOCK_ADD_RULE_QUIET) && !net_port_attr.allowed_access) |
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
c0cd55c to
ab6bfc6
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
0eaec7f to
6c68cf1
Compare
micromaomao
force-pushed
the
landlock-quiet-flag-base
branch
from
72fb017 to
00f1413
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
6c68cf1 to
3b82b36
Compare
micromaomao
force-pushed
the
landlock-quiet-flag-base
branch
from
00f1413 to
82df083
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
3b82b36 to
67c5e24
Compare
micromaomao
force-pushed
the
landlock-quiet-flag-base
branch
from
82df083 to
0df88b3
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
67c5e24 to
0abf8bc
Compare
To avoid unnecessarily increasing the size of struct landlock_layer, we make the layer level a u8 and use the space to store the flags struct. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v2: - Comment changes, move local variables, simplify if branch Changes since v1: - Comment changes - Rebased to include disconnected directory handling changes on mic/next and add backing up of collected_rule_flags.
micromaomao
force-pushed
the
landlock-quiet-flag-base
branch
from
0df88b3 to
0f29956
Compare
micromaomao
force-pushed
the
landlock-quiet-flag
branch
2 times, most recently
from
b046839 to
3751092
Compare
Copilot finished reviewing on behalf of
micromaomao
November 16, 2025 21:19
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| .quiet_scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, | ||
| }; | ||
|
|
||
| FIXTURE_VARIANT_ADD(scoped_audit, quiet_abstract_socket_2){ |
There was a problem hiding this comment.
Missing space after closing brace in the struct initializer. Should be:
const struct a_layer layer1 = {
// ... fields ...
};
Suggested change
| FIXTURE_VARIANT_ADD(scoped_audit, quiet_abstract_socket_2){ | |
| FIXTURE_VARIANT_ADD(scoped_audit, quiet_abstract_socket_2) { |
security/landlock/ruleset.c
Outdated
| .level = 0, | ||
| .flags = { | ||
| .quiet = !!(flags & LANDLOCK_ADD_RULE_QUIET), | ||
| } |
There was a problem hiding this comment.
Missing space after closing brace. The line should be:
.flags = {
.quiet = !!(flags & LANDLOCK_ADD_RULE_QUIET),
},
Suggested change
| } | |
| } |
Adds the UAPI for the quiet flags feature (but not the implementation yet). According to pahole, even after adding the struct access_masks quiet_masks in struct landlock_hierarchy, the u32 log_* bitfield still only has a size of 2 bytes, so there's minimal wasted space. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v3: - Minor update to this commit message. - Fix minor formatting Changes since v2: - Updated docs from Mickaël's suggestions. Changes since v1: - Per suggestion, added support for quieting only certain access bits, controlled by extra quiet_access_* fields in the ruleset_attr. - Added docs for the extra fields and made updates to doc changes in v1. In particular, call out that the effect of LANDLOCK_ADD_RULE_QUIET is independent from the access bits passed in rule_attr - landlock_add_rule will return -EINVAL when LANDLOCK_ADD_RULE_QUIET is used but the ruleset does not have any quiet access bits set for the given rule type. - ABI version bump to v8 - Syntactic and comment changes per suggestion.
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
3751092 to
538b5fd
Compare
The quietness behaviour is as documented in the previous patch. For optional accesses, since the existing deny_masks can only store 2x4bit of layer index, with no way to represent "no layer", we need to either expand it or have another field to correctly handle quieting of those. This commit uses the latter approach - we add another field to store which optional access (of the 2) are covered by quiet rules in their respective layers as stored in deny_masks. We can avoid making struct landlock_file_security larger by converting the existing fown_layer to a 4bit field. This commit does that, and adds test to ensure that it is large enough for LANDLOCK_MAX_NUM_LAYERS-1. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v2: - Renamed patch title from "Check for quiet flag in landlock_log_denial" to this given the growth. - Moved quiet bit check after domain_exec check - Rename, style and comment fixes suggested by Mickaël. - Squashed patch 6/6 from v2 "Implement quiet for optional accesses" into this one. Changes to that below: - Refactor the quiet flag setting in get_layer_from_deny_masks() to be more clear. - Add KUnit tests - Fix comments, add WARN_ON_ONCE, use __const_hweight64() as suggested by review - Move build_check_file_security to fs.c - Use a typedef for quiet_optional_accesses, add static_assert, and improve docs on landlock_get_quiet_optional_accesses. Changes since v1: - Supports the new quiet access masks. - Support quieting scope requests (but not ptrace and attempted mounting for now)
I think, based on my best understanding, that this type is likely a typo (even though in the end both are u16) Signed-off-by: Tingmao Wang <[email protected]> Fixes: 2fc80c6 ("landlock: Log file-related denials") --- Changes since v1: - Added Fixes tag
Adds ability to set which access bits to quiet via LL_*_QUIET_ACCESS (FS, NET or SCOPED), and attach quiet flags to individual objects via LL_*_QUIET for FS and NET. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v2: - Minor change to the above commit message. Changes since v1: - Added new environment variables to control which quiet access bits to set on the rule, and populate quiet_access_* from it. - Added support for quieting net rules and scoped access. Renamed patch title. - Increment ABI version
The next commit will reuse this number. Make it a shared constant to future-proof changes. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v2: - New patch
Test various interactions of the quiet flag with filesystem rules: - Non-optional access (tested with open and rename). - Optional access (tested with truncate and ioctl). - Behaviour around mounts matches with normal Landlock rules. - Behaviour around disconnected directories matches with normal Landlock rules (test expected behaviour of 9a868cd ("landlock: Fix handling of disconnected directories") applied to the collected quiet flag). - Multiple layers works as expected. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v2: - New patch
Tests that: - Quiet flag works on network rules - Quiet flag applied to unrelated ports has no effect - Denied access not in quiet_access_net is still logged This is not as thorough as the fs tests, but given the shared logic it should be sufficient. There is also no "optional" access for network rules. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v2: - New patch
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| /* Checks invalid flags. */ | ||
| ASSERT_EQ(-1, landlock_add_rule(-1, 0, NULL, 1)); | ||
| ASSERT_EQ(-1, landlock_add_rule(-1, 0, NULL, 100)); |
There was a problem hiding this comment.
[nitpick] The magic number 100 is used for testing invalid flags. Consider using a named constant or adding a comment explaining why 100 specifically is chosen (e.g., "A value outside the valid flag range").
| */ | ||
| struct landlock_layer { | ||
| /** | ||
| * @level: Position of this layer in the layer stack. Starts from 1. |
There was a problem hiding this comment.
The level field is changed from u16 to u8, reducing its capacity from 65535 to 255 layers. While LANDLOCK_MAX_NUM_LAYERS is defined as 16, this change reduces the theoretical maximum. Ensure this is intentional and that 255 is sufficient for future growth, or document why this change was made.
Suggested change
| * @level: Position of this layer in the layer stack. Starts from 1. | |
| * @level: Position of this layer in the layer stack. Starts from 1. | |
| * | |
| * Note: The type of @level was changed from u16 to u8 to reduce memory usage. | |
| * While this reduces the theoretical maximum from 65535 to 255 layers, | |
| * LANDLOCK_MAX_NUM_LAYERS is currently defined as 16, and 255 is considered | |
| * sufficient for future growth. If a higher limit is ever required, this | |
| * type can be revisited. |
| get_layer_from_deny_masks(access_mask_t *const access_request, | ||
| const access_mask_t all_existing_optional_access, | ||
| const deny_masks_t deny_masks) | ||
| const deny_masks_t deny_masks, u8 quiet_optional_accesses, bool *quiet) |
There was a problem hiding this comment.
[nitpick] The function signature shows u8 quiet_optional_accesses as a parameter but the field in struct landlock_request is defined without a bit width. For consistency and to match the field definition in struct landlock_file_security (line 73), consider adding the bit width constraint here as well, or ensure the field can handle the full range of values.
Enhance scoped_audit.connect_to_child and audit_flags.signal to test interaction with various quiet flag settings. Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v3: - New patch
micromaomao
force-pushed
the
landlock-quiet-flag
branch
from
538b5fd to
969ec5a
Compare
Signed-off-by: Tingmao Wang <[email protected]> --- Changes since v3: - New patch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
landlock-lsm#44
WIP
TODO:
put
struct rule_flags_masksin the audit request