[PATCH v1 05/11] landlock: Move filesystem helpers and add a new one
Mickaël Salaün
mic at digikod.net
Thu Mar 17 10:42:35 UTC 2022
On 17/03/2022 02:26, Paul Moore wrote:
> On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün <mic at digikod.net> wrote:
>>
>> From: Mickaël Salaün <mic at linux.microsoft.com>
>>
>> Move the SB_NOUSER and IS_PRIVATE dentry check to a standalone
>> is_nouser_or_private() helper. This will be useful for a following
>> commit.
>>
>> Move get_mode_access() and maybe_remove() to make them usable by new
>> code provided by a following commit.
>>
>> Signed-off-by: Mickaël Salaün <mic at linux.microsoft.com>
>> Link: https://lore.kernel.org/r/20220221212522.320243-6-mic@digikod.net
>> ---
>> security/landlock/fs.c | 87 ++++++++++++++++++++++--------------------
>> 1 file changed, 46 insertions(+), 41 deletions(-)
>
> One nit-picky comment below, otherwise it looks fine to me.
>
> Reviewed-by: Paul Moore <paul at paul-moore.com>
>
>> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
>> index 9662f9fb3cd0..3886f9ad1a60 100644
>> --- a/security/landlock/fs.c
>> +++ b/security/landlock/fs.c
>> @@ -257,6 +257,18 @@ static inline bool unmask_layers(const struct landlock_rule *const rule,
>> return false;
>> }
>>
>> +static inline bool is_nouser_or_private(const struct dentry *dentry)
>> +{
>> + /*
>> + * Allows access to pseudo filesystems that will never be mountable
>> + * (e.g. sockfs, pipefs), but can still be reachable through
>> + * /proc/<pid>/fd/<file-descriptor> .
>> + */
>
> I might suggest moving this explanation up to a function header comment block.
Sounds good.
>
>
>> + return (dentry->d_sb->s_flags & SB_NOUSER) ||
>> + (d_is_positive(dentry) &&
>> + unlikely(IS_PRIVATE(d_backing_inode(dentry))));
>> +}
>> +
>> static int check_access_path(const struct landlock_ruleset *const domain,
>> const struct path *const path,
>> const access_mask_t access_request)
>
> --
> paul-moore.com
More information about the Linux-security-module-archive
mailing list