[PATCH] landlock/ruleset: Minor comments improvements
Tingmao Wang
m at maowtm.org
Tue May 27 20:54:48 UTC 2025
Hi Mickaël,
This patch contains some small comment changes. The first three I sort of
made along the way while working on / trying to understand landlock, and
the last one was from the hashtable patch but extracted here.
Signed-off-by: Tingmao Wang <m at maowtm.org>
---
security/landlock/ruleset.c | 11 ++++++++++-
security/landlock/ruleset.h | 2 +-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index ce7940efea51..2ed7043ed2f2 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -83,6 +83,10 @@ static void build_check_rule(void)
.num_layers = ~0,
};
+ /*
+ * Check that .num_layers is large enough for at least
+ * LANDLOCK_MAX_NUM_LAYERS layers
+ */
BUILD_BUG_ON(rule.num_layers < LANDLOCK_MAX_NUM_LAYERS);
}
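Review bot: The comment added in build_check_rule() ends without a full stop, unlike the sibling comment this patch adds in build_check_layer(), and it does not say how the check works. The `.num_layers = ~0` initializer just above presumably sets the field to its largest representable value, which is what lets the BUILD_BUG_ON() reject a field type too narrow to count every layer. I would word it as `Check that .num_layers, set to its maximum value above, can hold at least LANDLOCK_MAX_NUM_LAYERS.` The start of the function and of the initializer lies outside this hunk, so the field's type is not visible here.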
@@ -290,6 +294,10 @@ static void build_check_layer(void)
.access = ~0,
};
+ /*
+ * Check that .level and .access are large enough to contain their
+ * expected max values.
+ */
BUILD_BUG_ON(layer.level < LANDLOCK_MAX_NUM_LAYERS);
BUILD_BUG_ON(layer.access < LANDLOCK_MASK_ACCESS_FS);
}
@@ -645,7 +653,8 @@ bool landlock_unmask_layers(const struct landlock_rule *const rule,
/*
* Records in @layer_masks which layer grants access to each
- * requested access.
+ * requested access (bit in layer mask cleared if layer grants
+ * access).
*/
is_empty = true;
for_each_set_bit(access_bit, &access_req, masks_array_size) {
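Review bot: The new parenthetical in landlock_unmask_layers() describes the inverted encoding only from the grant side, while the first sentence still reads as if set bits record the granting layers. Someone auditing an access decision also needs the other half: what a bit that remains set means. Consider `Clears in @layer_masks, for each requested access, the bit of every layer that grants it; a bit left set marks a layer that has not granted that access.` The loop body and the use of is_empty are outside this hunk, so the "left set" reading should be confirmed against the full function before it goes into the comment.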
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 5da9a64f5af7..dfd883a9a52a 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -27,7 +27,7 @@ struct landlock_hierarchy;
*/
struct landlock_layer {
/**
- * @level: Position of this layer in the layer stack.
+ * @level: Position of this layer in the layer stack. Starts from 1.
*/
u16 level;
/**
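Review bot: `Starts from 1.` on @level leaves open whether 0 is ever stored in the field and what the upper end of the range is. build_check_layer() in ruleset.c checks that the field can hold LANDLOCK_MAX_NUM_LAYERS, so the kernel-doc could give the whole range, e.g. `@level: Position of this layer in the layer stack, from 1 to LANDLOCK_MAX_NUM_LAYERS.` That assumes the upper bound is inclusive, which the visible lines do not show. The rest of struct landlock_layer is outside this hunk.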
base-commit: a5806cd506af5a7c19bcd596e4708b5c464bfd21
--
2.49.0