lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHC9VhQhUJO-yNz795TP-DqP8d+qNDeD8fJzUg_QO365r_J17g@mail.gmail.com>
Date: Thu, 16 Jan 2025 15:00:45 -0500
From: Paul Moore <paul@...l-moore.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Eric Paris <eparis@...hat.com>, Günther Noack <gnoack@...gle.com>, 
	"Serge E . Hallyn" <serge@...lyn.com>, Ben Scarlato <akhna@...gle.com>, 
	Casey Schaufler <casey@...aufler-ca.com>, Charles Zaffery <czaffery@...lox.com>, 
	Daniel Burgener <dburgener@...ux.microsoft.com>, 
	Francis Laniel <flaniel@...ux.microsoft.com>, James Morris <jmorris@...ei.org>, 
	Jann Horn <jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>, 
	Jorge Lucangeli Obes <jorgelo@...gle.com>, Kees Cook <kees@...nel.org>, 
	Konstantin Meskhidze <konstantin.meskhidze@...wei.com>, Matt Bobrowski <mattbobrowski@...gle.com>, 
	Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>, Phil Sutter <phil@....cc>, 
	Praveen K Paladugu <prapal@...ux.microsoft.com>, Robert Salvet <robert.salvet@...lox.com>, 
	Shervin Oloumi <enlightened@...gle.com>, Song Liu <song@...nel.org>, 
	Tahera Fahimi <fahimitahera@...il.com>, Tyler Hicks <code@...icks.com>, audit@...r.kernel.org, 
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials

On Thu, Jan 16, 2025 at 5:49 AM Mickaël Salaün <mic@...ikod.net> wrote:
> On Wed, Jan 15, 2025 at 06:53:06PM -0500, Paul Moore wrote:
> > On Jan  8, 2025 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@...ikod.net> wrote:

...

> > > The next patch
> > > series will also contain a new kind of audit rule to specifically
> > > identify the origin of the policy that created this denied event, which
> > > should make more sense.
> >
> > Generally speaking audit only wants to support a small number of message
> > types dedicated to a specific LSM.  If you're aware of additional message
> > types that you plan to propose in a future patchset, it's probably a
> > time to discuss those now.
>
> The only other audit record type I'm thinking about would be one
> dedicated to "potentially denied access", something similar to SELinux's
> permissive mode.

In this case the "audit way" to handle this would be to add a
"permissive=[0|1]" field, or similar, to the AUDIT_LANDLOCK_ACCESS
message.  If this is something you are definitely going to add to
Landlock, I might suggest adding the "permissive=" field now so it is
present from the start.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ