[RFC PATCH 04/10] landlock/ruleset: Rename and extract create_rule
Tingmao Wang
m at maowtm.org
Wed May 21 19:32:00 UTC 2025
To be used in domain.h in a later patch
Signed-off-by: Tingmao Wang <m at maowtm.org>
---
security/landlock/ruleset.c | 80 +------------------------------------
security/landlock/ruleset.h | 77 +++++++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+), 78 deletions(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index ce7940efea51..37f25f8f27f2 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -77,71 +77,6 @@ landlock_create_ruleset(const access_mask_t fs_access_mask,
return new_ruleset;
}
-static void build_check_rule(void)
-{
- const struct landlock_rule rule = {
- .num_layers = ~0,
- };
-
- BUILD_BUG_ON(rule.num_layers < LANDLOCK_MAX_NUM_LAYERS);
-}
-
-static bool is_object_pointer(const enum landlock_key_type key_type)
-{
- switch (key_type) {
- case LANDLOCK_KEY_INODE:
- return true;
-
-#if IS_ENABLED(CONFIG_INET)
- case LANDLOCK_KEY_NET_PORT:
- return false;
-#endif /* IS_ENABLED(CONFIG_INET) */
-
- default:
- WARN_ON_ONCE(1);
- return false;
- }
-}
-
-static struct landlock_rule *
-create_rule(const struct landlock_id id,
- const struct landlock_layer (*const layers)[], const u32 num_layers,
- const struct landlock_layer *const new_layer)
-{
- struct landlock_rule *new_rule;
- u32 new_num_layers;
-
- build_check_rule();
- if (new_layer) {
- /* Should already be checked by landlock_merge_ruleset(). */
- if (WARN_ON_ONCE(num_layers >= LANDLOCK_MAX_NUM_LAYERS))
- return ERR_PTR(-E2BIG);
- new_num_layers = num_layers + 1;
- } else {
- new_num_layers = num_layers;
- }
- new_rule = kzalloc(struct_size(new_rule, layers, new_num_layers),
- GFP_KERNEL_ACCOUNT);
- if (!new_rule)
- return ERR_PTR(-ENOMEM);
- RB_CLEAR_NODE(&new_rule->node);
- if (is_object_pointer(id.type)) {
- /* This should have been caught by insert_rule(). */
- WARN_ON_ONCE(!id.key.object);
- landlock_get_object(id.key.object);
- }
-
- new_rule->key = id.key;
- new_rule->num_layers = new_num_layers;
- /* Copies the original layer stack. */
- memcpy(new_rule->layers, layers,
- flex_array_size(new_rule, layers, num_layers));
- if (new_layer)
- /* Adds a copy of @new_layer on the layer stack. */
- new_rule->layers[new_rule->num_layers - 1] = *new_layer;
- return new_rule;
-}
-
static struct rb_root *get_root(struct landlock_ruleset *const ruleset,
const enum landlock_key_type key_type)
{
@@ -160,17 +95,6 @@ static struct rb_root *get_root(struct landlock_ruleset *const ruleset,
}
}
-static void free_rule(struct landlock_rule *const rule,
- const enum landlock_key_type key_type)
-{
- might_sleep();
- if (!rule)
- return;
- if (is_object_pointer(key_type))
- landlock_put_object(rule->key.object);
- kfree(rule);
-}
-
static void build_check_ruleset(void)
{
const struct landlock_ruleset ruleset = {
@@ -261,7 +185,7 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
* Intersects access rights when it is a merge between a
* ruleset and a domain.
*/
- new_rule = create_rule(id, &this->layers, this->num_layers,
+ new_rule = landlock_create_rule(id, &this->layers, this->num_layers,
&(*layers)[0]);
if (IS_ERR(new_rule))
return PTR_ERR(new_rule);
@@ -274,7 +198,7 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
build_check_ruleset();
if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES)
return -E2BIG;
- new_rule = create_rule(id, layers, num_layers, NULL);
+ new_rule = landlock_create_rule(id, layers, num_layers, NULL);
if (IS_ERR(new_rule))
return PTR_ERR(new_rule);
rb_link_node(&new_rule->node, parent_node, walker_node);
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 5da9a64f5af7..215578ad82f7 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -200,6 +200,83 @@ void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
DEFINE_FREE(landlock_put_ruleset, struct landlock_ruleset *,
if (!IS_ERR_OR_NULL(_T)) landlock_put_ruleset(_T))
+static void build_check_rule(void)
+{
+ const struct landlock_rule rule = {
+ .num_layers = ~0,
+ };
+
+ BUILD_BUG_ON(rule.num_layers < LANDLOCK_MAX_NUM_LAYERS);
+}
+
+static bool is_object_pointer(const enum landlock_key_type key_type)
+{
+ switch (key_type) {
+ case LANDLOCK_KEY_INODE:
+ return true;
+
+#if IS_ENABLED(CONFIG_INET)
+ case LANDLOCK_KEY_NET_PORT:
+ return false;
+#endif /* IS_ENABLED(CONFIG_INET) */
+
+ default:
+ WARN_ON_ONCE(1);
+ return false;
+ }
+}
+
+static inline struct landlock_rule *
+landlock_create_rule(const struct landlock_id id,
+ const struct landlock_layer (*const layers)[],
+ const u32 num_layers,
+ const struct landlock_layer *const new_layer)
+{
+ struct landlock_rule *new_rule;
+ u32 new_num_layers;
+
+ build_check_rule();
+ if (new_layer) {
+ /* Should already be checked by landlock_merge_ruleset(). */
+ if (WARN_ON_ONCE(num_layers >= LANDLOCK_MAX_NUM_LAYERS))
+ return ERR_PTR(-E2BIG);
+ new_num_layers = num_layers + 1;
+ } else {
+ new_num_layers = num_layers;
+ }
+ new_rule = kzalloc(struct_size(new_rule, layers, new_num_layers),
+ GFP_KERNEL_ACCOUNT);
+ if (!new_rule)
+ return ERR_PTR(-ENOMEM);
+ RB_CLEAR_NODE(&new_rule->node);
+ if (is_object_pointer(id.type)) {
+ /* This should have been caught by insert_rule(). */
+ WARN_ON_ONCE(!id.key.object);
+ landlock_get_object(id.key.object);
+ }
+
+ new_rule->key = id.key;
+ new_rule->num_layers = new_num_layers;
+ /* Copies the original layer stack. */
+ memcpy(new_rule->layers, layers,
+ flex_array_size(new_rule, layers, num_layers));
+ if (new_layer)
+ /* Adds a copy of @new_layer on the layer stack. */
+ new_rule->layers[new_rule->num_layers - 1] = *new_layer;
+ return new_rule;
+}
+
+static inline void free_rule(struct landlock_rule *const rule,
+ const enum landlock_key_type key_type)
+{
+ might_sleep();
+ if (!rule)
+ return;
+ if (is_object_pointer(key_type))
+ landlock_put_object(rule->key.object);
+ kfree(rule);
+}
+
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
const struct landlock_id id,
const access_mask_t access);
--
2.49.0
More information about the Linux-security-module-archive
mailing list