Tracepoints #47
Description
Add tracepoints to Landlock:
- rule addition,
- rule checking
With these new tracepoints, we'll be able to see all steps leading to an access decision. They can be directly used with /sys/kernel/tracing/events/landlock/* or attached by eBPF programs to get a more complete view of Landlock internals.
This new feature will be useful to trouble shoot policy issues, and it should also limit the need for custom debugging kernel code when developing new Landlock features.
Landlock already has audit support (see #3), which enables us to log denied access requests. Audit is useful to identify security issues or sandbox misconfiguration. However, it might not be enough to debug Landlock policies. The main differences with audit events is that traces are disabled by default, can be very verbose, and can be filtered according to process and Landlock properties (e.g. domain ID).
RFC v1: https://lore.kernel.org/all/20250523165741.693976-1-mic@digikod.net/