Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp526761pxb; Tue, 29 Mar 2022 07:17:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwbwUgNFc0vtg8iL2BmvMGK84Cxu0LXhVkvphWH9xVA0Png+DrNRBdiHRjuWCw7TRWpXv08 X-Received: by 2002:a63:211b:0:b0:382:6f4e:3408 with SMTP id h27-20020a63211b000000b003826f4e3408mr2185864pgh.515.1648563468076; Tue, 29 Mar 2022 07:17:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648563468; cv=none; d=google.com; s=arc-20160816; b=TF4SJhcHcIYVVJN9t+6JkO0am+HeSlZz9pwoXDr4sfKGEIm+xy9ab8lxLWPVvN7P9Q QLMNyJH3MxyCWqkTg1uvwOFvAObt5qpfXlHoavqqED6cNKf3h81B6EoHGeiebuIXwOxm QS+3DSgYTj6al7oY+dp5fPlh8Lg8pmH+m4k03p1vxMTJuUEZF3svgC0gHRopcJTVA3As T2smehyM3YSmikh6QPVnbCZV7RfdKy9NAHxr0iQVKSQ2Y3yuOlKLiMkLx+k95nYWHBGX QWRUpHWm5Z6UKA/DLxbblTPPN6np/d15WdzCeT4wQ+FAV5A+pVcEfJxZ/SkSIj2bleZw pkTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=FOCfeYeeiez3LpsEGeSCscSykPJFooJTlyF3L54OSLw=; b=m2I3GElVMJWGpDBaywvoBPT6YLvscXtr9THr2x+LhGoVA9V2Y+yyVWSn0QjnP2a6/l kD3PtWyJUsvYaiiLZJTTujHnmkz/Nm9oz+GuJjBQuv4JHoEhWrTEsiloWnwoil6Y0VTB l/smzvP2Hxzdwg+UzKQUxVZqY9gmZ38HPkZivAIGx16BsCTFiwk+oa4dEBwKvyqH2o0a A+ePMAgtWnOimxBx0pOJx1WIdUeJQwpcvEjI1iuKZdCPoJMJWlkZicbYQuDp7H8aMOHi RowfmpVBnHxjmJKuxRncbdAUXzUs553m0HjsFx2x42PF1KjOgNKSBhH7Q/a2I9SLZ73w Vnnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=BPgLnbzL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g7-20020a63b147000000b003816043ef69si17603435pgp.350.2022.03.29.07.17.27; Tue, 29 Mar 2022 07:17:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=BPgLnbzL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236778AbiC2Mxg (ORCPT + 99 others); Tue, 29 Mar 2022 08:53:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34946 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237164AbiC2MxA (ORCPT ); Tue, 29 Mar 2022 08:53:00 -0400 Received: from smtp-bc0a.mail.infomaniak.ch (smtp-bc0a.mail.infomaniak.ch [IPv6:2001:1600:4:17::bc0a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32F8311A07 for ; Tue, 29 Mar 2022 05:51:01 -0700 (PDT) Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4KSTvS2GXJzMq0vs; Tue, 29 Mar 2022 14:51:00 +0200 (CEST) Received: from localhost (unknown [23.97.221.149]) by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4KSTvS0TrszlhMCC; Tue, 29 Mar 2022 14:51:00 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1648558260; bh=Z7Dv4Wuaux19f4A4TfPGhRhJCwQox2If8Ghi9nfOU5U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BPgLnbzLEtVqYdu82o/LrMMKpglq4vbp4cDMZDbbpGTCK/qXfX+hN979Kzg7RSemC mqTCwSSjVy9B0hddHLSPClVb4zdiAHu2ZeynsROXlVX83Lag+EgkmPC4VbYgKCKYR1 qOY4Q9SBuD0W92d9w8ftcJ+q+ScciBbdNzmxz/RA= From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: James Morris , "Serge E . Hallyn" Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Al Viro , Jann Horn , John Johansen , Kees Cook , Konstantin Meskhidze , Paul Moore , Shuah Khan , Tetsuo Handa , linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= Subject: [PATCH v2 03/12] landlock: Create find_rule() from unmask_layers() Date: Tue, 29 Mar 2022 14:51:08 +0200 Message-Id: <20220329125117.1393824-4-mic@digikod.net> In-Reply-To: <20220329125117.1393824-1-mic@digikod.net> References: <20220329125117.1393824-1-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mickaël Salaün This refactoring will be useful in a following commit. Reviewed-by: Paul Moore Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20220329125117.1393824-4-mic@digikod.net --- Changes since v1: * Add Reviewed-by: Paul Moore. --- security/landlock/fs.c | 39 +++++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 4048e3c04d75..0bcb27f2360a 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -180,23 +180,36 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, /* Access-control management */ -static inline layer_mask_t unmask_layers( +/* + * The lifetime of the returned rule is tied to @domain. + * + * Returns NULL if no rule is found or if @dentry is negative. + */ +static inline const struct landlock_rule *find_rule( const struct landlock_ruleset *const domain, - const struct path *const path, - const access_mask_t access_request, layer_mask_t layer_mask) + const struct dentry *const dentry) { const struct landlock_rule *rule; const struct inode *inode; - size_t i; - if (d_is_negative(path->dentry)) - /* Ignore nonexistent leafs. */ - return layer_mask; - inode = d_backing_inode(path->dentry); + /* Ignores nonexistent leafs. */ + if (d_is_negative(dentry)) + return NULL; + + inode = d_backing_inode(dentry); rcu_read_lock(); rule = landlock_find_rule(domain, rcu_dereference(landlock_inode(inode)->object)); rcu_read_unlock(); + return rule; +} + +static inline layer_mask_t unmask_layers( + const struct landlock_rule *const rule, + const access_mask_t access_request, layer_mask_t layer_mask) +{ + size_t layer_level; + if (!rule) return layer_mask; @@ -207,8 +220,9 @@ static inline layer_mask_t unmask_layers( * the remaining layers for each inode, from the first added layer to * the last one. */ - for (i = 0; i < rule->num_layers; i++) { - const struct landlock_layer *const layer = &rule->layers[i]; + for (layer_level = 0; layer_level < rule->num_layers; layer_level++) { + const struct landlock_layer *const layer = + &rule->layers[layer_level]; const layer_mask_t layer_bit = BIT_ULL(layer->level - 1); /* Checks that the layer grants access to the full request. */ @@ -266,8 +280,9 @@ static int check_access_path(const struct landlock_ruleset *const domain, while (true) { struct dentry *parent_dentry; - layer_mask = unmask_layers(domain, &walker_path, - access_request, layer_mask); + layer_mask = unmask_layers(find_rule(domain, + walker_path.dentry), access_request, + layer_mask); if (layer_mask == 0) { /* Stops when a rule from each layer grants access. */ allowed = true; -- 2.35.1