[no subject]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>                 }
> +               if (is_empty)
> +                       return true;
>         }
> -       return layer_mask;
> +       return false;
>  }
>
>  static int check_access_path(const struct landlock_ruleset *const domain,
>                 const struct path *const path,
>                 const access_mask_t access_request)
>  {
> -       bool allowed = false;
> +       layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
> +       bool allowed = false, has_access = false;
>         struct path walker_path;
> -       layer_mask_t layer_mask;
>         size_t i;
>
>         if (!access_request)
> @@ -262,13 +283,20 @@ static int check_access_path(const struct landlock_ruleset *const domain,
>                 return -EACCES;
>
>         /* Saves all layers handling a subset of requested accesses. */
> -       layer_mask = 0;
>         for (i = 0; i < domain->num_layers; i++) {
> -               if (domain->fs_access_masks[i] & access_request)
> -                       layer_mask |= BIT_ULL(i);
> +               const unsigned long access_req = access_request;
> +               unsigned long access_bit;
> +
> +               for_each_set_bit(access_bit, &access_req,
> +                               ARRAY_SIZE(layer_masks)) {
> +                       if (domain->fs_access_masks[i] & BIT_ULL(access_bit)) {
> +                               layer_masks[access_bit] |= BIT_ULL(i);
> +                               has_access = true;
> +                       }
> +               }
>         }
>         /* An access request not handled by the domain is allowed. */
> -       if (layer_mask == 0)
> +       if (!has_access)
>                 return 0;
>
>         walker_path = *path;
> @@ -280,14 +308,11 @@ static int check_access_path(const struct landlock_ruleset *const domain,
>         while (true) {
>                 struct dentry *parent_dentry;
>
> -               layer_mask = unmask_layers(find_rule(domain,
> -                                       walker_path.dentry), access_request,
> -                               layer_mask);
> -               if (layer_mask == 0) {
> +               allowed = unmask_layers(find_rule(domain, walker_path.dentry),
> +                               access_request, &layer_masks);
> +               if (allowed)
>                         /* Stops when a rule from each layer grants access. */
> -                       allowed = true;
>                         break;
> -               }
>
>  jump_up:
>                 if (walker_path.dentry == walker_path.mnt->mnt_root) {

--
paul-moore.com




[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux