On 23/03/2023 09:52, Konstantin Meskhidze wrote:
From: Mickaël Salaün <mic@xxxxxxxxxxx>

Allow mount point and root directory changes when there is no filesystem
rule tied to the current Landlock domain. This doesn't change anything
for now because a domain must have at least a (filesystem) rule, but this
will change when other rule types will come. For instance, a domain only
restricting the network should have no impact on filesystem restrictions.

Add a new get_current_fs_domain() helper to quickly check filesystem rule
existence for all filesystem LSM hooks.

Remove unnecessary inlining.

Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
---

Changes since v9:
* Refactors documentation landlock.rst.
* Changes ACCESS_FS_INITIALLY_DENIED constant to
  LANDLOCK_ACCESS_FS_INITIALLY_DENIED.
* Gets rid of unnecessary masking of access_dom in
  get_raw_handled_fs_accesses() function.

Changes since v8:
* Refactors get_handled_fs_accesses().
* Adds landlock_get_raw_fs_access_mask() helper.

---
 Documentation/userspace-api/landlock.rst |  6 +-
 security/landlock/fs.c                   | 78 ++++++++++++------------
 security/landlock/ruleset.h              | 25 +++++++-
 security/landlock/syscalls.c             |  6 +-
 4 files changed, 68 insertions(+), 47 deletions(-)
[...]
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 71aca7f990bc..d35cd5d304db 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -310,6 +310,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, struct path path; struct landlock_ruleset *ruleset; int res, err; + access_mask_t mask; if (!landlock_initialized) return -EOPNOTSUPP; @@ -348,9 +349,8 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, * Checks that allowed_access matches the @ruleset constraints * (ruleset->access_masks[0] is automatically upgraded to 64-bits). */ - if ((path_beneath_attr.allowed_access | - landlock_get_fs_access_mask(ruleset, 0)) != - landlock_get_fs_access_mask(ruleset, 0)) { + mask = landlock_get_raw_fs_access_mask(ruleset, 0); + if ((path_beneath_attr.allowed_access | mask) != mask) {
This hunk can be moved to the previous patch (i.e. mask = …). This patch should only contain the new landlock_get_raw_fs_access_mask() call.
err = -EINVAL; goto out_put_ruleset; } -- 2.25.1
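Review bot: The comment kept above the check in landlock_add_rule() still says "ruleset->access_masks[0] is automatically upgraded to 64-bits", but the comparison no longer reads that field in the expression; it now goes through the new local mask of type access_mask_t, filled from landlock_get_raw_fs_access_mask(ruleset, 0). Reword the comment so it names mask and matches "(path_beneath_attr.allowed_access | mask) != mask", and add a short sentence there on why the raw mask is the one used to validate the user-supplied allowed_access, since the switch from landlock_get_fs_access_mask() is otherwise unexplained at the call site.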