Hi,

This series adds two tracepoints to Landlock, one tied to rule addition, and another to rule checking. With these new tracepoints, we can see all steps leading to an access decision. They can be directly used with /sys/kernel/tracing/events/landlock/* or attached by eBPF programs to get a more complete view of Landlock internals.

This new feature is useful to troubleshoot policy issues, and it should also limit the need for custom debugging kernel code when developing new Landlock features.

Landlock already has audit support, which enables us to log denied access requests. Audit is useful to identify security issues or sandbox misconfiguration. However, it might not be enough to debug Landlock policies. The main differences with audit events are that traces are disabled by default, can be very verbose, and can be filtered according to process and Landlock properties (e.g. domain ID).

As for audit, this tracing feature may expose sensitive information and must then only be accessible to the system administrator.

This RFC only fully supports filesystem rules, but the next series will also support network rules. Tests are also missing for now.

Regards,

Mickaël Salaün (5):
  landlock: Rename landlock_id to landlock_rule_ref
  landlock: Merge landlock_find_rule() into landlock_unmask_layers()
  tracing: Add __print_untrusted_str()
  landlock: Add landlock_add_rule_fs tracepoint
  landlock: Add landlock_check_rule tracepoint

 MAINTAINERS                                |   1 +
 include/linux/trace_events.h               |   3 +
 include/trace/events/landlock.h            | 124 ++++++++++++++
 include/trace/stages/stage3_trace_output.h |   4 +
 include/trace/stages/stage7_class_define.h |   1 +
 kernel/trace/trace_output.c                |  40 +++++
 security/landlock/Makefile                 |  11 +-
 security/landlock/fs.c                     | 178 +++++++++++++-------
 security/landlock/fs.h                     |   3 +
 security/landlock/net.c                    |  18 +--
 security/landlock/ruleset.c                |  65 ++++----
 security/landlock/ruleset.h                |  15 +-
 security/landlock/trace.c                  |  15 ++
 13 files changed, 365 insertions(+), 113 deletions(-)
 create mode 100644 include/trace/events/landlock.h
 create mode 100644 security/landlock/trace.c

base-commit: a5806cd506af5a7c19bcd596e4708b5c464bfd21
-- 
2.49.0
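The cover letter says the new events can be used directly through /sys/kernel/tracing/events/landlock/* and filtered per process. The script below is an added example of that workflow, not code from the patch series: it enables the two tracepoints named in the patch subjects (landlock_add_rule_fs and landlock_check_rule) for one PID and reads the events back. It assumes tracefs is mounted at /sys/kernel/tracing (overridable via TRACEFS), and it filters only on common_pid, a field every tracepoint carries; the Landlock-specific fields (such as the domain ID mentioned above) are not visible in the cover letter, so the example does not use them. Root is required, as the cover letter points out.

```shell
#!/bin/sh
# Added example (not part of the patch series): drive the Landlock
# tracepoints from tracefs for a single process.
# Assumptions: tracefs at /sys/kernel/tracing, event names taken from the
# patch subjects, filtering on the generic common_pid field only.

TRACEFS=${TRACEFS:-/sys/kernel/tracing}
LANDLOCK_EVENTS="landlock_add_rule_fs landlock_check_rule"

# Control file for one event: landlock_event_file <event> <enable|filter>
landlock_event_file() {
    printf '%s/events/landlock/%s/%s\n' "$TRACEFS" "$1" "$2"
}

# tracefs filter expression restricting an event to one PID.
# Rejects anything that is not a plain decimal number, so a bad argument
# cannot turn into an unintended filter.  Note that common_pid is the
# kernel task id (thread id), so a multi-threaded sandbox needs one
# condition per thread.
pid_filter() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'common_pid == %s\n' "$1"
}

# Enable both events, restricted to the given PID (root and tracefs needed).
landlock_trace_enable() {
    filter=$(pid_filter "$1") || { echo "bad pid: $1" >&2; return 1; }
    for ev in $LANDLOCK_EVENTS; do
        f=$(landlock_event_file "$ev" filter)
        [ -w "$f" ] || { echo "$f not writable (root/tracefs required)" >&2; return 1; }
        printf '%s\n' "$filter" > "$f"
        echo 1 > "$(landlock_event_file "$ev" enable)"
    done
}

# Disable both events and clear their filters (writing 0 clears a filter).
landlock_trace_disable() {
    for ev in $LANDLOCK_EVENTS; do
        echo 0 > "$(landlock_event_file "$ev" enable)"
        echo 0 > "$(landlock_event_file "$ev" filter)"
    done
}

# Trace one sandboxed command.  The command is started stopped so its PID
# is known before it adds or checks any rule; tracing is then enabled for
# that PID, the process is resumed, and the buffer is dumped once it exits.
# Usage: landlock_trace_run ./my-landlock-sandbox ls /tmp   (hypothetical program)
landlock_trace_run() {
    sh -c 'kill -STOP $$; exec "$@"' trace-wrapper "$@" &
    pid=$!
    sleep 1                                  # let the wrapper stop itself
    landlock_trace_enable "$pid" || { kill -CONT "$pid" 2>/dev/null; return 1; }
    : > "$TRACEFS/trace"                     # clear the ring buffer first
    kill -CONT "$pid"
    wait "$pid"
    cat "$TRACEFS/trace"                     # events from this PID only
    landlock_trace_disable
}
```

Because the filter is applied before the sandboxed program is resumed, the first landlock_add_rule_fs events it emits are captured; the events/landlock/*/format files on a kernel carrying this series list the real field names if you want a filter on Landlock properties rather than on the PID.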