[RFC PATCH v1 1/5] landlock: Rename landlock_id to landlock_rule_ref
Mickaël Salaün
mic at digikod.net
Fri May 23 16:57:37 UTC 2025
This avoids confusion with the new Landlock IDs.
TODO: Split in several commits to ease potential backports according to
stable branches
Cc: Günther Noack <gnoack at google.com>
Signed-off-by: Mickaël Salaün <mic at digikod.net>
---
security/landlock/fs.c | 18 ++++++-------
security/landlock/net.c | 14 +++++-----
security/landlock/ruleset.c | 52 ++++++++++++++++++-------------------
security/landlock/ruleset.h | 8 +++---
4 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 6fee7c20f64d..f5087688190a 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -325,7 +325,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
access_mask_t access_rights)
{
int err;
- struct landlock_id id = {
+ struct landlock_rule_ref ref = {
.type = LANDLOCK_KEY_INODE,
};
@@ -339,17 +339,17 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
/* Transforms relative access rights to absolute ones. */
access_rights |= LANDLOCK_MASK_ACCESS_FS &
~landlock_get_fs_access_mask(ruleset, 0);
- id.key.object = get_inode_object(d_backing_inode(path->dentry));
- if (IS_ERR(id.key.object))
- return PTR_ERR(id.key.object);
+ ref.key.object = get_inode_object(d_backing_inode(path->dentry));
+ if (IS_ERR(ref.key.object))
+ return PTR_ERR(ref.key.object);
mutex_lock(&ruleset->lock);
- err = landlock_insert_rule(ruleset, id, access_rights);
+ err = landlock_insert_rule(ruleset, ref, access_rights);
mutex_unlock(&ruleset->lock);
/*
* No need to check for an error because landlock_insert_rule()
* increments the refcount for the new object if needed.
*/
- landlock_put_object(id.key.object);
+ landlock_put_object(ref.key.object);
return err;
}
@@ -366,7 +366,7 @@ find_rule(const struct landlock_ruleset *const domain,
{
const struct landlock_rule *rule;
const struct inode *inode;
- struct landlock_id id = {
+ struct landlock_rule_ref ref = {
.type = LANDLOCK_KEY_INODE,
};
@@ -376,8 +376,8 @@ find_rule(const struct landlock_ruleset *const domain,
inode = d_backing_inode(dentry);
rcu_read_lock();
- id.key.object = rcu_dereference(landlock_inode(inode)->object);
- rule = landlock_find_rule(domain, id);
+ ref.key.object = rcu_dereference(landlock_inode(inode)->object);
+ rule = landlock_find_rule(domain, ref);
rcu_read_unlock();
return rule;
}
diff --git a/security/landlock/net.c b/security/landlock/net.c
index 1f3915a90a80..cd7327b5f43e 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -23,19 +23,19 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
const u16 port, access_mask_t access_rights)
{
int err;
- const struct landlock_id id = {
+ const struct landlock_rule_ref ref = {
.key.data = (__force uintptr_t)htons(port),
.type = LANDLOCK_KEY_NET_PORT,
};
- BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
+ BUILD_BUG_ON(sizeof(port) > sizeof(ref.key.data));
/* Transforms relative access rights to absolute ones. */
access_rights |= LANDLOCK_MASK_ACCESS_NET &
~landlock_get_net_access_mask(ruleset, 0);
mutex_lock(&ruleset->lock);
- err = landlock_insert_rule(ruleset, id, access_rights);
+ err = landlock_insert_rule(ruleset, ref, access_rights);
mutex_unlock(&ruleset->lock);
return err;
@@ -49,7 +49,7 @@ static int current_check_access_socket(struct socket *const sock,
__be16 port;
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
const struct landlock_rule *rule;
- struct landlock_id id = {
+ struct landlock_rule_ref ref = {
.type = LANDLOCK_KEY_NET_PORT,
};
const struct access_masks masks = {
@@ -171,10 +171,10 @@ static int current_check_access_socket(struct socket *const sock,
return -EINVAL;
}
- id.key.data = (__force uintptr_t)port;
- BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
+ ref.key.data = (__force uintptr_t)port;
+ BUILD_BUG_ON(sizeof(port) > sizeof(ref.key.data));
- rule = landlock_find_rule(subject->domain, id);
+ rule = landlock_find_rule(subject->domain, ref);
access_request = landlock_init_layer_masks(subject->domain,
access_request, &layer_masks,
LANDLOCK_KEY_NET_PORT);
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index ce7940efea51..647ee570475b 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -104,7 +104,7 @@ static bool is_object_pointer(const enum landlock_key_type key_type)
}
static struct landlock_rule *
-create_rule(const struct landlock_id id,
+create_rule(const struct landlock_rule_ref ref,
const struct landlock_layer (*const layers)[], const u32 num_layers,
const struct landlock_layer *const new_layer)
{
@@ -125,13 +125,13 @@ create_rule(const struct landlock_id id,
if (!new_rule)
return ERR_PTR(-ENOMEM);
RB_CLEAR_NODE(&new_rule->node);
- if (is_object_pointer(id.type)) {
+ if (is_object_pointer(ref.type)) {
/* This should have been caught by insert_rule(). */
- WARN_ON_ONCE(!id.key.object);
- landlock_get_object(id.key.object);
+ WARN_ON_ONCE(!ref.key.object);
+ landlock_get_object(ref.key.object);
}
- new_rule->key = id.key;
+ new_rule->key = ref.key;
new_rule->num_layers = new_num_layers;
/* Copies the original layer stack. */
memcpy(new_rule->layers, layers,
@@ -186,8 +186,8 @@ static void build_check_ruleset(void)
* insert_rule - Create and insert a rule in a ruleset
*
* @ruleset: The ruleset to be updated.
- * @id: The ID to build the new rule with. The underlying kernel object, if
- * any, must be held by the caller.
+ * @ref: The reference to build the new rule with. The underlying kernel
+ * object, if any, must be held by the caller.
* @layers: One or multiple layers to be copied into the new rule.
* @num_layers: The number of @layers entries.
*
@@ -201,7 +201,7 @@ static void build_check_ruleset(void)
* access rights.
*/
static int insert_rule(struct landlock_ruleset *const ruleset,
- const struct landlock_id id,
+ const struct landlock_rule_ref ref,
const struct landlock_layer (*const layers)[],
const size_t num_layers)
{
@@ -215,10 +215,10 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
if (WARN_ON_ONCE(!layers))
return -ENOENT;
- if (is_object_pointer(id.type) && WARN_ON_ONCE(!id.key.object))
+ if (is_object_pointer(ref.type) && WARN_ON_ONCE(!ref.key.object))
return -ENOENT;
- root = get_root(ruleset, id.type);
+ root = get_root(ruleset, ref.type);
if (IS_ERR(root))
return PTR_ERR(root);
@@ -227,9 +227,9 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
struct landlock_rule *const this =
rb_entry(*walker_node, struct landlock_rule, node);
- if (this->key.data != id.key.data) {
+ if (this->key.data != ref.key.data) {
parent_node = *walker_node;
- if (this->key.data < id.key.data)
+ if (this->key.data < ref.key.data)
walker_node = &((*walker_node)->rb_right);
else
walker_node = &((*walker_node)->rb_left);
@@ -261,20 +261,20 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
* Intersects access rights when it is a merge between a
* ruleset and a domain.
*/
- new_rule = create_rule(id, &this->layers, this->num_layers,
+ new_rule = create_rule(ref, &this->layers, this->num_layers,
&(*layers)[0]);
if (IS_ERR(new_rule))
return PTR_ERR(new_rule);
rb_replace_node(&this->node, &new_rule->node, root);
- free_rule(this, id.type);
+ free_rule(this, ref.type);
return 0;
}
- /* There is no match for @id. */
+ /* There is no match for @ref. */
build_check_ruleset();
if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES)
return -E2BIG;
- new_rule = create_rule(id, layers, num_layers, NULL);
+ new_rule = create_rule(ref, layers, num_layers, NULL);
if (IS_ERR(new_rule))
return PTR_ERR(new_rule);
rb_link_node(&new_rule->node, parent_node, walker_node);
@@ -296,7 +296,7 @@ static void build_check_layer(void)
/* @ruleset must be locked by the caller. */
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
- const struct landlock_id id,
+ const struct landlock_rule_ref ref,
const access_mask_t access)
{
struct landlock_layer layers[] = { {
@@ -306,7 +306,7 @@ int landlock_insert_rule(struct landlock_ruleset *const ruleset,
} };
build_check_layer();
- return insert_rule(ruleset, id, &layers, ARRAY_SIZE(layers));
+ return insert_rule(ruleset, ref, &layers, ARRAY_SIZE(layers));
}
static int merge_tree(struct landlock_ruleset *const dst,
@@ -331,7 +331,7 @@ static int merge_tree(struct landlock_ruleset *const dst,
struct landlock_layer layers[] = { {
.level = dst->num_layers,
} };
- const struct landlock_id id = {
+ const struct landlock_rule_ref ref = {
.key = walker_rule->key,
.type = key_type,
};
@@ -344,7 +344,7 @@ static int merge_tree(struct landlock_ruleset *const dst,
layers[0].access = walker_rule->layers[0].access;
- err = insert_rule(dst, id, &layers, ARRAY_SIZE(layers));
+ err = insert_rule(dst, ref, &layers, ARRAY_SIZE(layers));
if (err)
return err;
}
@@ -413,12 +413,12 @@ static int inherit_tree(struct landlock_ruleset *const parent,
/* Copies the @parent inode or network tree. */
rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
parent_root, node) {
- const struct landlock_id id = {
+ const struct landlock_rule_ref ref = {
.key = walker_rule->key,
.type = key_type,
};
- err = insert_rule(child, id, &walker_rule->layers,
+ err = insert_rule(child, ref, &walker_rule->layers,
walker_rule->num_layers);
if (err)
return err;
@@ -581,12 +581,12 @@ landlock_merge_ruleset(struct landlock_ruleset *const parent,
*/
const struct landlock_rule *
landlock_find_rule(const struct landlock_ruleset *const ruleset,
- const struct landlock_id id)
+ const struct landlock_rule_ref ref)
{
const struct rb_root *root;
const struct rb_node *node;
- root = get_root((struct landlock_ruleset *)ruleset, id.type);
+ root = get_root((struct landlock_ruleset *)ruleset, ref.type);
if (IS_ERR(root))
return NULL;
node = root->rb_node;
@@ -595,9 +595,9 @@ landlock_find_rule(const struct landlock_ruleset *const ruleset,
struct landlock_rule *this =
rb_entry(node, struct landlock_rule, node);
- if (this->key.data == id.key.data)
+ if (this->key.data == ref.key.data)
return this;
- if (this->key.data < id.key.data)
+ if (this->key.data < ref.key.data)
node = node->rb_right;
else
node = node->rb_left;
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 5da9a64f5af7..967d0123cb73 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -69,9 +69,9 @@ enum landlock_key_type {
};
/**
- * struct landlock_id - Unique rule identifier for a ruleset
+ * struct landlock_rule_ref - Rule reference for a ruleset
*/
-struct landlock_id {
+struct landlock_rule_ref {
/**
* @key: Identifies either a kernel object (e.g. an inode) or
* a raw value (e.g. a TCP port).
@@ -201,7 +201,7 @@ DEFINE_FREE(landlock_put_ruleset, struct landlock_ruleset *,
if (!IS_ERR_OR_NULL(_T)) landlock_put_ruleset(_T))
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
- const struct landlock_id id,
+ const struct landlock_rule_ref ref,
const access_mask_t access);
struct landlock_ruleset *
@@ -210,7 +210,7 @@ landlock_merge_ruleset(struct landlock_ruleset *const parent,
const struct landlock_rule *
landlock_find_rule(const struct landlock_ruleset *const ruleset,
- const struct landlock_id id);
+ const struct landlock_rule_ref ref);
static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
{
--
2.49.0
More information about the Linux-security-module-archive
mailing list