diff options
| author | Mickaël Salaün <mic@digikod.net> | 2022-05-06 19:10:52 +0300 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2022-05-23 14:27:56 +0300 |
| commit | 75c542d6c6cc48720376862d5496d51509160dfd (patch) | |
| tree | f7411e602afa044becdad12369614e004c439fd1 /security/landlock/fs.c | |
| parent | 5f2ff33e10843ef51275c8611bdb7b49537aba5d (diff) | |
| download | linux-75c542d6c6cc48720376862d5496d51509160dfd.tar.xz | |
landlock: Reduce the maximum number of layers to 16
The maximum number of nested Landlock domains is currently 64. Because
of the following fix and to help reduce the stack size, let's reduce it
to 16. This seems large enough for a lot of use cases (e.g. sandboxed
init service, spawning a sandboxed SSH service, in nested sandboxed
containers). Reducing the number of nested domains may also help to
discover misuse of Landlock (e.g. creating a domain per rule).
Add and use a dedicated layer_mask_t typedef to fit with the number of
layers. This might be useful when changing it and to keep it consistent
with the maximum number of layers.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20220506161102.525323-3-mic@digikod.net
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'security/landlock/fs.c')
| -rw-r--r-- | security/landlock/fs.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/security/landlock/fs.c b/security/landlock/fs.c index d4006add8bdf..f48c0a3b1e75 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -183,10 +183,10 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, /* Access-control management */ -static inline u64 unmask_layers(const struct landlock_ruleset *const domain, - const struct path *const path, - const access_mask_t access_request, - u64 layer_mask) +static inline layer_mask_t +unmask_layers(const struct landlock_ruleset *const domain, + const struct path *const path, const access_mask_t access_request, + layer_mask_t layer_mask) { const struct landlock_rule *rule; const struct inode *inode; @@ -212,11 +212,11 @@ static inline u64 unmask_layers(const struct landlock_ruleset *const domain, */ for (i = 0; i < rule->num_layers; i++) { const struct landlock_layer *const layer = &rule->layers[i]; - const u64 layer_level = BIT_ULL(layer->level - 1); + const layer_mask_t layer_bit = BIT_ULL(layer->level - 1); /* Checks that the layer grants access to the full request. */ if ((layer->access & access_request) == access_request) { - layer_mask &= ~layer_level; + layer_mask &= ~layer_bit; if (layer_mask == 0) return layer_mask; @@ -231,12 +231,9 @@ static int check_access_path(const struct landlock_ruleset *const domain, { bool allowed = false; struct path walker_path; - u64 layer_mask; + layer_mask_t layer_mask; size_t i; - /* Make sure all layers can be checked. */ - BUILD_BUG_ON(BITS_PER_TYPE(layer_mask) < LANDLOCK_MAX_NUM_LAYERS); - if (!access_request) return 0; if (WARN_ON_ONCE(!domain || !path)) |