[PATCH v1 05/11] landlock: Move filesystem helpers and add a new one

Mickaël Salaün mic at digikod.net
Thu Mar 17 10:42:35 UTC 2022


On 17/03/2022 02:26, Paul Moore wrote:
> On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün <mic at digikod.net> wrote:
>>
>> From: Mickaël Salaün <mic at linux.microsoft.com>
>>
>> Move the SB_NOUSER and IS_PRIVATE dentry check to a standalone
>> is_nouser_or_private() helper.  This will be useful for a following
>> commit.
>>
>> Move get_mode_access() and maybe_remove() to make them usable by new
>> code provided by a following commit.
>>
>> Signed-off-by: Mickaël Salaün <mic at linux.microsoft.com>
>> Link: https://lore.kernel.org/r/20220221212522.320243-6-mic@digikod.net
>> ---
>>   security/landlock/fs.c | 87 ++++++++++++++++++++++--------------------
>>   1 file changed, 46 insertions(+), 41 deletions(-)
> 
> One nit-picky comment below, otherwise it looks fine to me.
> 
> Reviewed-by: Paul Moore <paul at paul-moore.com>
> 
>> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
>> index 9662f9fb3cd0..3886f9ad1a60 100644
>> --- a/security/landlock/fs.c
>> +++ b/security/landlock/fs.c
>> @@ -257,6 +257,18 @@ static inline bool unmask_layers(const struct landlock_rule *const rule,
>>          return false;
>>   }
>>
>> +static inline bool is_nouser_or_private(const struct dentry *dentry)
>> +{
>> +       /*
>> +        * Allows access to pseudo filesystems that will never be mountable
>> +        * (e.g. sockfs, pipefs), but can still be reachable through
>> +        * /proc/<pid>/fd/<file-descriptor> .
>> +        */
> 
> I might suggest moving this explanation up to a function header comment block.

Sounds good.


> 
> 
>> +       return (dentry->d_sb->s_flags & SB_NOUSER) ||
>> +                       (d_is_positive(dentry) &&
>> +                        unlikely(IS_PRIVATE(d_backing_inode(dentry))));
>> +}
>> +
>>   static int check_access_path(const struct landlock_ruleset *const domain,
>>                  const struct path *const path,
>>                  const access_mask_t access_request)
> 
> --
> paul-moore.com



More information about the Linux-security-module-archive mailing list