author | Mickaël Salaün <mic@digikod.net> | 2025-03-20 20:07:17 +0100 |
---|---|---|
committer | Mickaël Salaün <mic@digikod.net> | 2025-03-26 13:59:49 +0100 |
commit | 8e2dd47b10e77452733eae23cc83078fa29c1e9a (patch) | |
tree | 7e3a78d4d03b9b5842a424947b361f88ac4020fa /Documentation/security | |
parent | a5c369e45b3e066c8defee149fad9f25dbcdaa11 (diff) |
landlock: Add audit documentation
Because audit is dedicated to the system administrator, create a new
entry in Documentation/admin-guide/LSM. Extend other Landlock
documentation's pages with this new one.
Extend UAPI with the new log flags.
Extend the guiding principles with logs.
Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-29-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/landlock.rst | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/Documentation/security/landlock.rst b/Documentation/security/landlock.rst index 59ecdb1c0d4d..e0fc54aff09e 100644 --- a/Documentation/security/landlock.rst +++ b/Documentation/security/landlock.rst @@ -7,7 +7,7 @@ Landlock LSM: kernel documentation ================================== :Author: Mickaël Salaün -:Date: December 2022 +:Date: March 2025 Landlock's goal is to create scoped access-control (i.e. sandboxing). To harden a whole system, this feature should be available to any process, @@ -45,6 +45,10 @@ Guiding principles for safe access controls sandboxed process shall retain their scoped accesses (at the time of resource acquisition) whatever process uses them. Cf. `File descriptor access rights`_. +* Access denials shall be logged according to system and Landlock domain + configurations. Log entries must contain information about the cause of the + denial and the owner of the related security policy. Such log generation + should have a negligible performance and memory impact on allowed requests. Design choices ============== @@ -124,6 +128,13 @@ makes the reasoning much easier and helps avoid pitfalls. .. kernel-doc:: security/landlock/ruleset.h :identifiers: +Additional documentation +======================== + +* Documentation/userspace-api/landlock.rst +* Documentation/admin-guide/LSM/landlock.rst +* https://landlock.io + .. Links .. _tools/testing/selftests/landlock/: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/landlock/ |
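Review bot: In the @@ -45,6 +45,10 @@ hunk, the new bullet mixes three modal verbs ("shall be logged", "must contain", "should have") while the preceding principle in the same list uses only "shall". If "should" is meant to mark the performance and memory goal as weaker than the logging requirement, state that explicitly; otherwise align the wording with the rest of the list. The phrase "according to system and Landlock domain configurations" also gives no pointer to what those configurations are; a cross-reference to Documentation/admin-guide/LSM/landlock.rst, which the last hunk already lists, would close that gap.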
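Review bot: In the @@ -124,6 +128,13 @@ hunk, https://landlock.io is added as a bare URL while the ".. Links" block directly below keeps URLs as named targets (for example `_tools/testing/selftests/landlock/`). Consider defining a target there and referencing it from the list for consistency. The two Documentation/ entries would also read better with a few words each on the intended audience (userspace API versus administrator), since the commit message gives the administrator audience as the reason for the new admin-guide page.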