diff options
| author | Mickaël Salaün <mic@digikod.net> | 2023-10-26 04:47:41 +0300 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2023-10-26 22:07:10 +0300 |
| commit | d7220364039f6beb76f311c05f74cad89da5fad5 (patch) | |
| tree | 194f8b69bae8b29035d3db2045c356d44827be36 /security/landlock/ruleset.h | |
| parent | 13fc6455fa19b0859e1b9640bf09903bec8df4f4 (diff) | |
| download | linux-d7220364039f6beb76f311c05f74cad89da5fad5.tar.xz | |
landlock: Allow FS topology changes for domains without such rule type
Allow mount point and root directory changes when there is no filesystem
rule tied to the current Landlock domain. This doesn't change anything
for now because a domain must have at least a (filesystem) rule, but
this will change when other rule types will come. For instance, a domain
only restricting the network should have no impact on filesystem
restrictions.
Add a new get_current_fs_domain() helper to quickly check filesystem
rule existence for all filesystem LSM hooks.
Remove unnecessary inlining.
Link: https://lore.kernel.org/r/20231026014751.414649-3-konstantin.meskhidze@huawei.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'security/landlock/ruleset.h')
| -rw-r--r-- | security/landlock/ruleset.h | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 8c99c323b06c..6e2ad1546ab3 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -15,10 +15,21 @@ #include <linux/rbtree.h> #include <linux/refcount.h> #include <linux/workqueue.h> +#include <uapi/linux/landlock.h> #include "limits.h" #include "object.h" +/* + * All access rights that are denied by default whether they are handled or not + * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] + * entries when we need to get the absolute handled access masks. + */ +/* clang-format off */ +#define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \ + LANDLOCK_ACCESS_FS_REFER) +/* clang-format on */ + typedef u16 access_mask_t; /* Makes sure all filesystem access rights can be stored. */ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); @@ -196,12 +207,21 @@ landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, } static inline access_mask_t -landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset, - const u16 layer_level) +landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset, + const u16 layer_level) { return (ruleset->access_masks[layer_level] >> LANDLOCK_SHIFT_ACCESS_FS) & LANDLOCK_MASK_ACCESS_FS; } +static inline access_mask_t +landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset, + const u16 layer_level) +{ + /* Handles all initially denied by default access rights. */ + return landlock_get_raw_fs_access_mask(ruleset, layer_level) | + LANDLOCK_ACCESS_FS_INITIALLY_DENIED; +} + #endif /* _SECURITY_LANDLOCK_RULESET_H */ |