[PATCH] landlock: Use bit-fields for storing handled layer access masks
Mickaël Salaün
mic at digikod.net
Sat Jun 15 15:08:12 UTC 2024
On Fri, Jun 14, 2024 at 02:06:54PM +0200, Günther Noack wrote:
> On Thu, Jun 13, 2024 at 11:20:38PM +0200, Mickaël Salaün wrote:
> > Great! Looking at the generated data structures with pahole, it doesn't
> > increase the whole size, and it should be fine with other (small) fields
> > too.
> >
> > With this new struct, we don't need the landlock_get_* helpers anymore.
> > We might want to keep the landlock_add_*() helpers as safeguards
> > (because of the WARN_ON_ONCE) though.
>
> I am unsure about removing these helper functions, due to the following reasons:
>
> * landlock_get_fs_access_mask is the place where we transparently add the
> "refer" access right. If we remove landlock_get_net_access_mask, it would be
> asymmetric with keeping the same function for the file system restrictions.
>
> * landlock_init_layer_masks() is using landlock_get_fs_access_mask and
> landlock_get_net_access_mask through a function pointer. When these
> functions are gone, we would have to redefine them locally anyway.
>
> Options to refactor this function include:
> * split it in two separate functions landlock_init_fs_layer_masks and
> landlock_init_net_layer_masks. It would end up duplicating some of the
> bit manipulation code.
> * add another #if further down in the function
>
> Both variants seem not nice.
>
> Do you think this is worth doing?
No, I agree with you. It's applied to my next branch. Thanks!

Mikhail, Tahera, please base your next patch series on this branch:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/