On Thu, Jan 16, 2025 at 5:49 AM Mickaël Salaün <[email protected]> wrote:
> On Wed, Jan 15, 2025 at 06:53:06PM -0500, Paul Moore wrote:
> > On Jan 8, 2025 Mickaël Salaün <[email protected]> wrote:
...
> > > The next patch series will also contain a new kind of audit rule to
> > > specifically identify the origin of the policy that created this
> > > denied event, which should make more sense.
> >
> > Generally speaking, audit only wants to support a small number of
> > message types dedicated to a specific LSM. If you're aware of
> > additional message types that you plan to propose in a future
> > patchset, it's probably time to discuss those now.
>
> The only other audit record type I'm thinking about would be one
> dedicated to "potentially denied access", something similar to SELinux's
> permissive mode.

In this case the "audit way" to handle this would be to add a
"permissive=[0|1]" field, or similar, to the AUDIT_LANDLOCK_ACCESS
message. If this is something you are definitely going to add to
Landlock, I might suggest adding the "permissive=" field now so it is
present from the start.

--
paul-moore.com
