[PATCH v2 6/6] Implement quiet for optional accesses

Tingmao Wang m at maowtm.org
Sun Oct 26 20:50:33 UTC 2025


On 10/15/25 20:09, Mickaël Salaün wrote:
> This extra patch makes the review easier, but it should be squashed into
> the others if possible.

Done in v3.

> 
> On Sun, Oct 05, 2025 at 06:55:29PM +0100, Tingmao Wang wrote:
>> [...]
>> diff --git a/security/landlock/audit.c b/security/landlock/audit.c
>> index 4ba44fb1dccb..f183124755a4 100644
>> --- a/security/landlock/audit.c
>> +++ b/security/landlock/audit.c
>> @@ -273,7 +273,7 @@ static void test_get_denied_layer(struct kunit *const test)
>>  static size_t
>>  get_layer_from_deny_masks(access_mask_t *const access_request,
>>  			  const access_mask_t all_existing_optional_access,
>> -			  const deny_masks_t deny_masks)
>> +			  const deny_masks_t deny_masks, u8 quiet_optional_accesses, bool *quiet)
>>  {
>>  	const unsigned long access_opt = all_existing_optional_access;
>>  	const unsigned long access_req = *access_request;
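Review bot: the new parameter list in get_layer_from_deny_masks() crams `const deny_masks_t deny_masks, u8 quiet_optional_accesses, bool *quiet)` onto one line, which breaks the one-parameter-per-line layout of the existing arguments and pushes the line past 80 columns; wrap it as `const deny_masks_t deny_masks,` / `const u8 quiet_optional_accesses,` / `bool *const quiet)` to match the `const` style of the neighbouring parameters. Since `quiet` is a new out-parameter whose value the caller must not read before the function returns, it is also worth a short comment on the function (or in its kernel-doc, if it has one) saying that `*quiet` is always written, so callers do not need to initialise it.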
>> @@ -285,6 +285,7 @@ get_layer_from_deny_masks(access_mask_t *const access_request,
>>  	/* This will require change with new object types. */
>>  	WARN_ON_ONCE(access_opt != _LANDLOCK_ACCESS_FS_OPTIONAL);
>>  
>> +	*quiet = false;
>>  	for_each_set_bit(access_bit, &access_opt,
>>  			 BITS_PER_TYPE(access_mask_t)) {
>>  		if (access_req & BIT(access_bit)) {
>> @@ -298,6 +299,11 @@ get_layer_from_deny_masks(access_mask_t *const access_request,
>>  			} else if (layer == youngest_layer) {
>>  				missing |= BIT(access_bit);
>>  			}
>> +
>> +			/* Make sure we set *quiet even if this is the first layer */
> 
> Missing final dot.
> 
>> +			if (layer >= youngest_layer)
>> +				*quiet = !!(quiet_optional_accesses &
>> +					    BIT(access_index));
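Review bot: `*quiet = !!(quiet_optional_accesses & BIT(access_index))` is a plain assignment executed for every access bit whose `layer >= youngest_layer`, so when several denied accesses share the youngest layer the result is whichever bit the loop visits last, and the quietness of the earlier ones in that layer is silently discarded. The `>` case is fine (a strictly younger layer should reset the value), but for the `layer == youngest_layer` case the intended semantics should be made explicit and enforced: if the denial is quiet only when every denied access in the youngest layer is marked quiet, accumulate with `&=` after resetting to true on a strictly younger layer; if any quiet access suffices, accumulate with `|=`. Either way, the comment should say which rule applies and that the value is reset whenever a younger layer is found, rather than only "make sure we set *quiet".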
> 
> This code is good but a bit confusing at first, especially without more
> context than this patch provides, where we don't see the relation
> between layer and youngest_layer.  Anyway, please extend the comment to
> say that quiet is always overridden for the youngest layer.

TBH I didn't really like it either.  I've moved this around a bit in the
latest version - can you check if that is clearer?



More information about the Linux-security-module-archive mailing list