[RFC PATCH 05/10] Add hlist_node member to struct landlock_rule

Tingmao Wang m at maowtm.org
Wed May 21 19:32:01 UTC 2025


This is to prepare for the new domain. Since a rule can only be in either
a ruleset (rbtree based) or a landlock_domain (hashtable based), we can
make the node/hlist members a union.  For now, let create_rule initialize
it as before.

(Alternatively, if we use a hashtable for both cases, then we save 8 bytes
per rule, but then we will need some kind of resizable hashtable)

(Maybe we should use the relativistic hash tables after all?)

Signed-off-by: Tingmao Wang <m at maowtm.org>
---
 security/landlock/ruleset.h | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 215578ad82f7..07823771b402 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -87,10 +87,16 @@ struct landlock_id {
  * struct landlock_rule - Access rights tied to an object
  */
 struct landlock_rule {
-	/**
-	 * @node: Node in the ruleset's red-black tree.
-	 */
-	struct rb_node node;
+	union {
+		/**
+		 * @node: Node in the ruleset's red-black tree.
+		 */
+		struct rb_node node;
+		/**
+		 * @hlist: Node in the domain's hash table.
+		 */
+		struct hlist_node hlist;
+	};
 	/**
 	 * @key: A union to identify either a kernel object (e.g. an inode) or
 	 * a raw data value (e.g. a network socket port). This is used as a key
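Review bot: the kerneldoc for @node and @hlist should state that the two members alias each other and that which one is live depends on the owning container (a struct landlock_ruleset or the new landlock_domain), because nothing in the struct itself records which member is valid; a reader of RB_EMPTY_NODE(&rule->node) or hlist_unhashed(&rule->hlist) elsewhere in the file cannot tell from the rule alone whether the result is meaningful. A short comment on the union, e.g. `/* A rule is linked into exactly one of these; the owner decides which. */`, would make that explicit. It is also worth noting in the commit message that the union stays sizeof(struct rb_node) bytes, so the 8-byte saving mentioned there only materialises once the rb_node member is dropped.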
@@ -248,7 +254,13 @@ landlock_create_rule(const struct landlock_id id,
 			   GFP_KERNEL_ACCOUNT);
 	if (!new_rule)
 		return ERR_PTR(-ENOMEM);
+
+	/*
+	 * We assume the rule will be in a rbtree for now - in the
+	 * landlock_domain case caller can init the hlist afterward
+	 */
 	RB_CLEAR_NODE(&new_rule->node);
+
 	if (is_object_pointer(id.type)) {
 		/* This should have been caught by insert_rule(). */
 		WARN_ON_ONCE(!id.key.object);
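Review bot: the comment "in the landlock_domain case caller can init the hlist afterward" understates a hard requirement: RB_CLEAR_NODE() stores the node's own address into __rb_parent_color, which is the first word of the union and therefore also hlist.next, so a landlock_domain caller that inserts without running INIT_HLIST_NODE(&new_rule->hlist) starts from a non-NULL stale next pointer. Reword it along the lines of `a landlock_domain caller must INIT_HLIST_NODE(&new_rule->hlist) before inserting`, and consider stating that requirement in the landlock_create_rule() kerneldoc as well. The two blank lines added around RB_CLEAR_NODE() are unrelated whitespace churn in an otherwise small hunk.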
-- 
2.49.0
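The following is an added example and not part of this patch or of the Landlock tree: a user-space replica of the struct rb_node and struct hlist_node layouts from the kernel headers (with READ_ONCE() dropped), wrapped in a hypothetical `struct rule` standing in for struct landlock_rule after this change. It shows what the union implies for code that initialises a rule for one container and then treats it as the other: RB_CLEAR_NODE() leaves a self-pointer where hlist.next lives, and a rule prepared with INIT_HLIST_NODE() no longer satisfies RB_EMPTY_NODE(). The `rule_reinit_for_hash()` helper is an assumption about what a domain-side caller would do, not code from the series.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same member layout as include/linux/rbtree_types.h and include/linux/types.h. */
struct rb_node {
	unsigned long __rb_parent_color;
	struct rb_node *rb_right;
	struct rb_node *rb_left;
};

struct hlist_node {
	struct hlist_node *next, **pprev;
};

struct hlist_head {
	struct hlist_node *first;
};

/* Same definitions as the kernel's, minus READ_ONCE(). */
#define RB_CLEAR_NODE(node) ((node)->__rb_parent_color = (unsigned long)(node))
#define RB_EMPTY_NODE(node) ((node)->__rb_parent_color == (unsigned long)(node))

static inline void INIT_HLIST_NODE(struct hlist_node *h)
{
	h->next = NULL;
	h->pprev = NULL;
}

static inline int hlist_unhashed(const struct hlist_node *h)
{
	return !h->pprev;
}

static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	struct hlist_node *first = h->first;

	n->next = first;
	if (first)
		first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* Hypothetical stand-in for struct landlock_rule after the patch. */
struct rule {
	union {
		struct rb_node node;
		struct hlist_node hlist;
	};
	unsigned long key;
};

/* The union is as large as its biggest member: sizeof(struct rb_node). */
size_t rule_link_size(void)
{
	return offsetof(struct rule, key);
}

/*
 * A rule initialised the way landlock_create_rule() does (RB_CLEAR_NODE only)
 * carries a self-pointer in hlist.next: __rb_parent_color and hlist.next are
 * the same word of the union.
 */
int rb_cleared_rule_has_stale_hlist_next(void)
{
	struct rule *r = calloc(1, sizeof(*r));
	int stale;

	RB_CLEAR_NODE(&r->node);
	stale = (r->hlist.next == (struct hlist_node *)r);
	free(r);
	return stale;
}

/* The reverse: a rule prepared for the hash table no longer looks RB-empty. */
int hlist_inited_rule_looks_linked_in_tree(void)
{
	struct rule *r = calloc(1, sizeof(*r));
	int looks_linked;

	INIT_HLIST_NODE(&r->hlist);
	looks_linked = !RB_EMPTY_NODE(&r->node);
	free(r);
	return looks_linked;
}

/* Assumed domain-side step: wipe the rb state, then set up the hlist node. */
void rule_reinit_for_hash(struct rule *r)
{
	memset(&r->node, 0, sizeof(r->node));
	INIT_HLIST_NODE(&r->hlist);
}

/* Re-initialising before hashing gives consistent hlist_unhashed() answers. */
int reinit_then_hash_is_consistent(void)
{
	struct hlist_head head = { NULL };
	struct rule *r = calloc(1, sizeof(*r));
	int ok;

	RB_CLEAR_NODE(&r->node);	/* as landlock_create_rule() leaves it */
	rule_reinit_for_hash(r);
	ok = hlist_unhashed(&r->hlist);
	hlist_add_head(&r->hlist, &head);
	ok = ok && !hlist_unhashed(&r->hlist) && head.first == &r->hlist;
	free(r);
	return ok;
}

int main(void)
{
	printf("link size %zu, stale next %d, looks linked %d, reinit ok %d\n",
	       rule_link_size(), rb_cleared_rule_has_stale_hlist_next(),
	       hlist_inited_rule_looks_linked_in_tree(),
	       reinit_then_hash_is_consistent());
	return 0;
}
```

The point for review is the first two checks: once the members share storage, neither RB_EMPTY_NODE() nor hlist_unhashed() can be used to ask "is this rule linked anywhere" without already knowing which container owns it, so that knowledge has to live in the caller (or in a separate flag), not in the node bytes.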