[PATCH] landlock: Use bit-fields for storing handled layer access masks

Mickaël Salaün mic at digikod.net
Sat Jun 15 15:08:12 UTC 2024


On Fri, Jun 14, 2024 at 02:06:54PM +0200, Günther Noack wrote:
> On Thu, Jun 13, 2024 at 11:20:38PM +0200, Mickaël Salaün wrote:
> > Great!  Looking at the generated data structures with pahole, it doesn't
> > increase the whole size, and it should be fine with other (small) fields
> > too.
> > 
> > With this new struct, we don't need the landlock_get_* helpers anymore.
> > We might want to keep the landlock_add_*() helpers as safeguards
> > (because of the WARN_ON_ONCE) though.
> 
> I am unsure about removing these helper functions, due to the following reasons:
> 
>  * landlock_get_fs_access_mask is the place where we transparently add the
>    "refer" access right.  If we remove landlock_get_net_access_mask, it would be
>    assymetric with keeping the same function for the file system restrictions.
> 
>  * landlock_init_layer_masks() is using landlock_get_fs_access_mask and
>    landlock_get_net_access_mask through a function pointer.  When these
>    functions are gone, we would have to redefine them locally anyway.
> 
>    Options to refactor this function include:
>     * split it in two separate functions landlock_init_fs_layer_masks and
>       landlock_init_net_layer_masks.  It would end up duplicating some of the
>       bit manipulation code.
>     * add another #if further down in the function
> 
>    Both variants seem not nice.
> 
> Do you think this is worth doing?

No, I agree with you.  It's applied to my next branch. Thanks!

Mikhail, Tahera, please base your next patch series on this branch:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/



More information about the Linux-security-module-archive mailing list