Summary
Add debug-level logging for Landlock FS access denials to improve troubleshooting and observability.
Context
Per Landlock kernel documentation:
Access denials shall be logged according to system and Landlock domain configurations. Log entries must contain information about the cause of the denial and the owner of the related security policy.
Currently, the Landlock implementation relies on kernel audit logging (when enabled) but provides no application-level debug logging for troubleshooting.
Implementation Notes
Where to add logging:
- landlock.rs - Log when restrict_self() returns NotEnforced or Err
  - Include: allowed paths, rejection reason, enforcement status
  - Use tracing::debug! or tracing::warn! gated by feature flag
- platform.rs - Log LandlockResult after apply_to_command()
  - Current: tracing::debug!(enforced = result.enforced, %result.message, "landlock")
  - Enhance: Add path list, ABI version, failure details
- router.rs - Clarify log message to distinguish config vs. actual enforcement
  - Current: claims "landlock FS isolation" based only on fs_allow_paths.is_empty()
  - Fix: Check actual LandlockResult.enforced and platform support
Suggested approach:
- Add optional LANDLOCK_DEBUG=1 env var or --features landlock-debug
- Log denied paths with reason (e.g., execve("/bin/sh") denied: not in allowlist)
- Include sandbox ID/context in log entries
- Consider async-safe logging in pre_exec context (stderr only)
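Added example, not the project's code: a std-only sketch of the router.rs fix (report FS isolation only when restrict_self() actually enforced, not merely when paths were configured) and the richer debug line proposed for platform.rs, gated by LANDLOCK_DEBUG=1. The LandlockResult field abi_version and the IsolationStatus enum are assumptions; enforced and message are the fields the issue quotes.

```rust
use std::path::PathBuf;

/// Assumed shape of the project's LandlockResult. `enforced` and `message`
/// come from the issue; `abi_version` is hypothetical (None = unsupported).
#[derive(Debug, Clone)]
pub struct LandlockResult {
    pub enforced: bool,
    pub message: String,
    pub abi_version: Option<u32>,
}

/// What the router may truthfully claim about the sandbox (hypothetical enum).
#[derive(Debug, PartialEq, Eq)]
pub enum IsolationStatus {
    /// No allow-list configured, so no Landlock policy was requested.
    NotConfigured,
    /// Paths configured and restrict_self() reported an active domain.
    Enforced,
    /// Paths configured, but restrict_self() returned NotEnforced or Err.
    ConfiguredNotEnforced,
}

/// The router.rs fix: decide from the real result, not from
/// `fs_allow_paths.is_empty()` alone.
pub fn isolation_status(fs_allow_paths: &[PathBuf], result: &LandlockResult) -> IsolationStatus {
    if fs_allow_paths.is_empty() {
        IsolationStatus::NotConfigured
    } else if result.enforced {
        IsolationStatus::Enforced
    } else {
        IsolationStatus::ConfiguredNotEnforced
    }
}

/// Debug gate proposed in the issue (env var form; a cargo feature could OR into this).
pub fn debug_enabled() -> bool {
    std::env::var("LANDLOCK_DEBUG").map(|v| v == "1").unwrap_or(false)
}

/// Builds the enhanced log entry: sandbox id, enforcement status, ABI version,
/// path list and failure detail. Built in the parent process; inside pre_exec
/// only a pre-formatted buffer should be written to stderr (no allocation).
pub fn debug_line(sandbox_id: &str, fs_allow_paths: &[PathBuf], result: &LandlockResult) -> String {
    let paths: Vec<String> = fs_allow_paths.iter().map(|p| p.display().to_string()).collect();
    let abi = result.abi_version.map_or("unsupported".to_string(), |v| v.to_string());
    format!(
        "landlock sandbox={} enforced={} abi={} paths=[{}] detail={:?}",
        sandbox_id, result.enforced, abi, paths.join(","), result.message
    )
}
```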
Acceptance Criteria
- restrict_self() failure paths
- platform.rs with actual enforcement status
- landlock.rs module docs
Related
Priority
P3 - Feature enhancement (not blocking merge)