On 11/04/2022 15:44, Konstantin Meskhidze wrote:
On 4/8/2022 7:30 PM, Mickaël Salaün wrote:
[...]
struct landlock_ruleset *landlock_create_ruleset(const struct
landlock_access_mask *access_mask_set)
{
struct landlock_ruleset *new_ruleset;
/* Informs about useless ruleset. */
- if (!access_mask_set->fs)
+ if (!access_mask_set->fs && !access_mask_set->net)
return ERR_PTR(-ENOMSG);
new_ruleset = create_ruleset(1);
- if (!IS_ERR(new_ruleset))
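Review bot: the hunk drops the `if (!IS_ERR(new_ruleset))` guard that follows `create_ruleset(1)`, but the quoted context ends there, so the replacement for the error path is not visible; whatever follows must still test `IS_ERR(new_ruleset)` before any `landlock_set_fs_access_mask()` / `landlock_set_net_access_mask()` call dereferences the pointer, and an unconditional early `return new_ruleset;` on error keeps the mask-setting code unnested instead of wrapping it in the negated check. Extending the `-ENOMSG` check to `!access_mask_set->fs && !access_mask_set->net` is the right condition: a ruleset with neither mask would restrict nothing.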
This is better:
	if (IS_ERR(new_ruleset))
		return new_ruleset;
	if (access_mask_set->fs)
		...
I don't get this condition. Do you mean that we return new_ruleset
anyway no matter what the masks' values are? So it's possible to have 0
mask values, isn't it?
No, the logic is correct but it would be simpler to exit as soon as
there is a ruleset error, you don't need to duplicate
"IS_ERR(new_ruleset) &&":
	if (IS_ERR(new_ruleset))
		return new_ruleset;
	if (access_mask_set->fs)
		landlock_set_fs_access_mask(new_ruleset, access_mask_set, 0);
	if (access_mask_set->net)
		landlock_set_net_access_mask(new_ruleset, access_mask_set, 0);
	return new_ruleset;
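As an added, stand-alone illustration (not code from this thread or from the Landlock sources), the following user-space mock exercises the control flow discussed above: a ruleset with neither an fs nor a net mask is rejected with -ENOMSG because it would restrict nothing, the allocation error is returned before the pointer is ever dereferenced, and only then are the masks copied into the ruleset. The ERR_PTR()/IS_ERR()/PTR_ERR() macros are simplified stand-ins for the kernel's <linux/err.h>, and the struct layouts, the single-layer ruleset and the try_create() helper are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: simplified user-space stand-ins for the kernel's
 * ERR_PTR()/IS_ERR()/PTR_ERR(); the real ones live in <linux/err.h>. */
#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define IS_ERR(ptr) ((uintptr_t)(ptr) >= (uintptr_t)-MAX_ERRNO)
#define PTR_ERR(ptr) ((long)(intptr_t)(ptr))

/* Assumed layout: one bitmask per access category. */
struct landlock_access_mask {
	uint64_t fs;
	uint64_t net;
};

/* Mock ruleset with a single layer (assumption for the example). */
struct landlock_ruleset {
	uint32_t num_layers;
	struct landlock_access_mask access_masks[1];
};

/* Mock of create_ruleset(): zeroed allocation or an ERR_PTR(-ENOMEM). */
static struct landlock_ruleset *create_ruleset(uint32_t num_layers)
{
	struct landlock_ruleset *rs = calloc(1, sizeof(*rs));

	if (!rs)
		return ERR_PTR(-ENOMEM);
	rs->num_layers = num_layers;
	return rs;
}

static void landlock_set_fs_access_mask(struct landlock_ruleset *rs,
		const struct landlock_access_mask *m, uint32_t layer)
{
	rs->access_masks[layer].fs = m->fs;
}

static void landlock_set_net_access_mask(struct landlock_ruleset *rs,
		const struct landlock_access_mask *m, uint32_t layer)
{
	rs->access_masks[layer].net = m->net;
}

/* The early-return shape from the reply above: reject a useless ruleset,
 * bail out on allocation error before touching the pointer, then set masks. */
struct landlock_ruleset *landlock_create_ruleset(
		const struct landlock_access_mask *access_mask_set)
{
	struct landlock_ruleset *new_ruleset;

	/* Informs about useless ruleset. */
	if (!access_mask_set->fs && !access_mask_set->net)
		return ERR_PTR(-ENOMSG);
	new_ruleset = create_ruleset(1);
	if (IS_ERR(new_ruleset))
		return new_ruleset;
	if (access_mask_set->fs)
		landlock_set_fs_access_mask(new_ruleset, access_mask_set, 0);
	if (access_mask_set->net)
		landlock_set_net_access_mask(new_ruleset, access_mask_set, 0);
	return new_ruleset;
}

void landlock_put_ruleset(struct landlock_ruleset *rs)
{
	if (!IS_ERR(rs))
		free(rs);
}

/* Hypothetical helper: 0 on success (layer-0 masks copied out), else the
 * negative errno carried by the ERR_PTR. */
long try_create(uint64_t fs, uint64_t net, uint64_t *out_fs, uint64_t *out_net)
{
	const struct landlock_access_mask m = { .fs = fs, .net = net };
	struct landlock_ruleset *rs = landlock_create_ruleset(&m);

	if (IS_ERR(rs))
		return PTR_ERR(rs);
	if (out_fs)
		*out_fs = rs->access_masks[0].fs;
	if (out_net)
		*out_net = rs->access_masks[0].net;
	landlock_put_ruleset(rs);
	return 0;
}

int main(void)
{
	uint64_t fs = 0, net = 0;

	printf("empty masks: %ld (ENOMSG is %d)\n",
	       try_create(0, 0, NULL, NULL), ENOMSG);
	printf("net-only ruleset: %ld\n", try_create(0, 1, &fs, &net));
	printf("layer 0 masks: fs=%llu net=%llu\n",
	       (unsigned long long)fs, (unsigned long long)net);
	return 0;
}
```

The point of the ordering is that the -ENOMSG check costs nothing and runs before any allocation, and the IS_ERR() early return means every later line can assume a valid ruleset pointer.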