landlock: Create find_rule() from unmask_layers()
commit 2cd7cd6eed upstream.
This refactoring will be useful in a following commit.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20220506161102.525323-4-mic@digikod.net
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Mickaël Salaün
Greg Kroah-Hartman
Родитель
f7d62cb59f
Коммит
f859580c27
|
|
@ -183,23 +183,36 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
|
||||||
|
|
||||||
/* Access-control management */
|
/* Access-control management */
|
||||||
|
|
||||||
static inline layer_mask_t
|
/*
|
||||||
unmask_layers(const struct landlock_ruleset *const domain,
|
* The lifetime of the returned rule is tied to @domain.
|
||||||
const struct path *const path, const access_mask_t access_request,
|
*
|
||||||
layer_mask_t layer_mask)
|
* Returns NULL if no rule is found or if @dentry is negative.
|
||||||
|
*/
|
||||||
|
static inline const struct landlock_rule *
|
||||||
|
find_rule(const struct landlock_ruleset *const domain,
|
||||||
|
const struct dentry *const dentry)
|
||||||
{
|
{
|
||||||
const struct landlock_rule *rule;
|
const struct landlock_rule *rule;
|
||||||
const struct inode *inode;
|
const struct inode *inode;
|
||||||
size_t i;
|
|
||||||
|
|
||||||
if (d_is_negative(path->dentry))
|
/* Ignores nonexistent leafs. */
|
||||||
/* Ignore nonexistent leafs. */
|
if (d_is_negative(dentry))
|
||||||
return layer_mask;
|
return NULL;
|
||||||
inode = d_backing_inode(path->dentry);
|
|
||||||
|
inode = d_backing_inode(dentry);
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
rule = landlock_find_rule(
|
rule = landlock_find_rule(
|
||||||
domain, rcu_dereference(landlock_inode(inode)->object));
|
domain, rcu_dereference(landlock_inode(inode)->object));
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
return rule;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline layer_mask_t unmask_layers(const struct landlock_rule *const rule,
|
||||||
|
const access_mask_t access_request,
|
||||||
|
layer_mask_t layer_mask)
|
||||||
|
{
|
||||||
|
size_t layer_level;
|
||||||
|
|
||||||
if (!rule)
|
if (!rule)
|
||||||
return layer_mask;
|
return layer_mask;
|
||||||
|
|
||||||
|
|
@ -210,8 +223,9 @@ unmask_layers(const struct landlock_ruleset *const domain,
|
||||||
* the remaining layers for each inode, from the first added layer to
|
* the remaining layers for each inode, from the first added layer to
|
||||||
* the last one.
|
* the last one.
|
||||||
*/
|
*/
|
||||||
for (i = 0; i < rule->num_layers; i++) {
|
for (layer_level = 0; layer_level < rule->num_layers; layer_level++) {
|
||||||
const struct landlock_layer *const layer = &rule->layers[i];
|
const struct landlock_layer *const layer =
|
||||||
|
&rule->layers[layer_level];
|
||||||
const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
|
const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
|
||||||
|
|
||||||
/* Checks that the layer grants access to the full request. */
|
/* Checks that the layer grants access to the full request. */
|
||||||
|
|
@ -269,8 +283,9 @@ static int check_access_path(const struct landlock_ruleset *const domain,
|
||||||
while (true) {
|
while (true) {
|
||||||
struct dentry *parent_dentry;
|
struct dentry *parent_dentry;
|
||||||
|
|
||||||
layer_mask = unmask_layers(domain, &walker_path, access_request,
|
layer_mask =
|
||||||
layer_mask);
|
unmask_layers(find_rule(domain, walker_path.dentry),
|
||||||
|
access_request, layer_mask);
|
||||||
if (layer_mask == 0) {
|
if (layer_mask == 0) {
|
||||||
/* Stops when a rule from each layer grants access. */
|
/* Stops when a rule from each layer grants access. */
|
||||||
allowed = true;
|
allowed = true;
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче