[RFC PATCH 05/10] Add hlist_node member to struct landlock_rule
Tingmao Wang
m at maowtm.org
Wed May 21 19:32:01 UTC 2025
This is to prepare for the new domain. Since a rule can only be in either
a ruleset (rbtree based) or a landlock_domain (hashtable based), we can
make the node/hlist member of a union. For now let create_rule initialize
it as before.
(Alternatively, if we use hashtable for both cases, then we save 8 bytes
per each rule, but then we will need some kind of resizable hashtable)
(Maybe we should use the relativistic hash tables after all?)
Signed-off-by: Tingmao Wang <m at maowtm.org>
---
security/landlock/ruleset.h | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 215578ad82f7..07823771b402 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -87,10 +87,16 @@ struct landlock_id {
* struct landlock_rule - Access rights tied to an object
*/
struct landlock_rule {
- /**
- * @node: Node in the ruleset's red-black tree.
- */
- struct rb_node node;
+ union {
+ /**
+ * @node: Node in the ruleset's red-black tree.
+ */
+ struct rb_node node;
+ /**
+ * @hlist: Node in the domain's hash table.
+ */
+ struct hlist_node hlist;
+ };
/**
* @key: A union to identify either a kernel object (e.g. an inode) or
* a raw data value (e.g. a network socket port). This is used as a key
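Review bot: the anonymous union gives struct landlock_rule no tag saying which member is live, so any caller that uses RB_EMPTY_NODE(&rule->node) as an "is this rule inserted?" check will misinterpret hlist pointers as rb parent/color bits once a rule lives in a domain's hash table. The kernel-doc for @node and @hlist should state which member is valid in which container (ruleset: rb tree; landlock_domain: hlist) and that the two must never be read interchangeably; consider also a brief comment above the union pointing to the container type as the implicit discriminator.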
@@ -248,7 +254,13 @@ landlock_create_rule(const struct landlock_id id,
GFP_KERNEL_ACCOUNT);
if (!new_rule)
return ERR_PTR(-ENOMEM);
+
+ /*
+ * We assume the rule will be in a rbtree for now - in the
+ * landlock_domain case caller can init the hlist afterward
+ */
RB_CLEAR_NODE(&new_rule->node);
+
if (is_object_pointer(id.type)) {
/* This should have been caught by insert_rule(). */
WARN_ON_ONCE(!id.key.object);
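Review bot: the new comment should spell out the aliasing consequence for domain users. RB_CLEAR_NODE(&new_rule->node) writes the node's own address into __rb_parent_color, which is the same word as hlist.next in the union, so a rule handed to the hash-table path does not start out with a NULL next pointer and hlist_unhashed(&rule->hlist) would report it as already hashed. The comment (and the function's kernel-doc) should therefore require the landlock_domain caller to INIT_HLIST_NODE(&rule->hlist) before any hlist operation, rather than merely saying it "can init the hlist afterward". Minor style: "a rbtree" should read "an rbtree" and the comment should end with a period.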
--
2.49.0