author | Mickaël Salaün <mic@digikod.net> | 2023-10-26 04:47:41 +0300 |
---|---|---|
committer | Mickaël Salaün <mic@digikod.net> | 2023-10-26 22:07:10 +0300 |
commit | d7220364039f6beb76f311c05f74cad89da5fad5 | |
tree | 194f8b69bae8b29035d3db2045c356d44827be36 /security/landlock/syscalls.c | |
parent | 13fc6455fa19b0859e1b9640bf09903bec8df4f4 | |
landlock: Allow FS topology changes for domains without such rule type

Allow mount point and root directory changes when there is no filesystem
rule tied to the current Landlock domain. This doesn't change anything
for now because a domain must have at least a (filesystem) rule, but
this will change when other rule types come. For instance, a domain
only restricting the network should have no impact on filesystem
restrictions.

Add a new get_current_fs_domain() helper to quickly check filesystem
rule existence for all filesystem LSM hooks.

Remove unnecessary inlining.

Link: https://lore.kernel.org/r/20231026014751.414649-3-konstantin.meskhidze@huawei.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

Diffstat (limited to 'security/landlock/syscalls.c')
-rw-r--r-- | security/landlock/syscalls.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 7ec6bbed7117..d35cd5d304db 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -349,7 +349,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, * Checks that allowed_access matches the @ruleset constraints * (ruleset->access_masks[0] is automatically upgraded to 64-bits). */ - mask = landlock_get_fs_access_mask(ruleset, 0); + mask = landlock_get_raw_fs_access_mask(ruleset, 0); if ((path_beneath_attr.allowed_access | mask) != mask) { err = -EINVAL; goto out_put_ruleset; |
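Review bot: in the landlock_add_rule hunk, the switch from landlock_get_fs_access_mask() to landlock_get_raw_fs_access_mask() is not explained by the comment directly above it or by the commit message, which only mentions the new get_current_fs_domain() helper and the inlining removal. This mask decides whether `(path_beneath_attr.allowed_access | mask) != mask` rejects the rule with -EINVAL, so please extend the comment to say what the raw accessor leaves out compared with the non-raw one and why the user-supplied allowed_access has to be validated against the raw value. The diffstat shown here is limited to syscalls.c, so the accessor definitions are not visible; a short pointer in the comment to where they are defined would help whoever audits this check later.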