[PATCH 0/2] landlock: Simplify path walk logic
Justin Suess
utilityemal77 at gmail.com
Wed Feb 18 20:18:55 UTC 2026
Hello,
These two patches simplify the path walk logic in fs.c.
This patch was originally included in a very basic form in my
LANDLOCK_ADD_RULE_NO_INHERIT series [1], but I think that it would be better
submitted separately, as logically it doesn't have much to do with the
feature implemented in the patch.
This patch is based on the mic/next branch.
Motivation
===
Additionally, existing path walk logic is tightly bound to the
is_access_to_paths_allowed and collect_domain_accesses, and is difficult to
read and understand.
Centralizing the path logic would more easily allow other Landlock features
that may rely on path walking, such as the proposed path walk controls, or
my LANDLOCK_ADD_RULE_NO_INHERIT patch, to reuse the same logic as
currently implemented.
Background
===
The first patch in this small series introduces a helper function
landlock_walk_path_up, which takes a pointer to a struct path, and walks it
up through the VFS. The function returns an enum landlock_walk_result which
encodes whether the current path position is an internal mountpoint, the real
root, or neither.
The is_access_to_paths_allowed function is then altered to use this new helper,
cleaning up the traversal logic while retaining existing documentation comments
and improving readability.
The next patch in the series removes the collect_domain_accesses function. After
an initial re-implementation with the helper it was found that collect_domain_accesses
could be more succinctly inlined into current_check_refer_path and there was little
benefit to keeping check_domain_accesses as a standalone function.
These changes overall reduce about 25 lines of code, including new documentation
for the return values of the landlock_walk_path_up function.
Results
===
These patches pass all existing selftests and kunit tests, and favorably influence
stack size.
Checkstack Results (CONFIG_AUDIT enabled)
===
Current Master Branch:
0xffffffff817d3f40 current_check_refer_path [vmlinux]: 608
0xffffffff817d2f80 is_access_to_paths_allowed [vmlinux]:352
This Patch Series:
0xffffffff817d3db0 current_check_refer_path [vmlinux]: 384
0xffffffff817d30c0 is_access_to_paths_allowed [vmlinux]:336
Thank you for your time.
Kind Regards,
Justin Suess
[1]: https://lore.kernel.org/linux-security-module/20251221194301.247484-2-utilityemal77@gmail.com/
Justin Suess (2):
landlock: Add path walk helper
landlock: Remove collect_domain_accesses
security/landlock/fs.c | 220 ++++++++++++++++++-----------------------
1 file changed, 98 insertions(+), 122 deletions(-)
--
2.51.0
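A userspace model of the walk-up helper and a caller described in the cover letter, added here as an illustration; it is not code from the patch series or from the kernel. All type, function and enum names are hypothetical, the rule check is reduced to a single layer, and skipping the covered mountpoint and allowing internal mounts are assumed to mirror the existing walk in fs.c.

```c
#include <stddef.h>

/* Userspace model; every name below is hypothetical, not from the patch. */
enum walk_result { WALK_CONTINUE, WALK_INTERNAL_MOUNT, WALK_REAL_ROOT };
struct node { struct node *parent; unsigned allowed; }; /* dentry plus its rule */
struct mount {
	struct mount *parent;           /* NULL: not mounted on anything */
	struct node *root, *mountpoint; /* mountpoint lives in the parent mount */
	int internal;                   /* models an internal mount (e.g. nsfs) */
};
struct path { struct mount *mnt; struct node *node; };

/* Move *p one step towards the root and classify where the walk stands. */
enum walk_result walk_path_up(struct path *p)
{
	while (p->node == p->mnt->root) {
		if (!p->mnt->parent)
			return p->mnt->internal ? WALK_INTERNAL_MOUNT : WALK_REAL_ROOT;
		/* Cross into the parent mount; the covered mountpoint is skipped. */
		p->node = p->mnt->mountpoint;
		p->mnt = p->mnt->parent;
	}
	p->node = p->node->parent;
	return WALK_CONTINUE;
}

/* Single-layer check: each requested bit must be granted by some ancestor. */
int access_allowed(struct path p, unsigned request)
{
	for (;;) {
		request &= ~p.node->allowed;
		if (!request)
			return 1;
		switch (walk_path_up(&p)) {
		case WALK_INTERNAL_MOUNT: return 1; /* internal filesystems: allowed */
		case WALK_REAL_ROOT: return 0;      /* ran out of ancestors: denied */
		case WALK_CONTINUE: break;          /* keep walking */
		}
	}
}

/* Constructed fixture: /home grants READ (1); the covered mountpoint
 * /home/mnt grants WRITE (2); a second mount sits on /home/mnt. */
int demo(int internal, unsigned request)
{
	struct node root = { NULL, 0 }, home = { &root, 1 }, mp = { &home, 2 };
	struct node r1 = { NULL, 0 }, file = { &r1, 0 }, ns = { NULL, 0 };
	struct mount m0 = { NULL, &root, NULL, 0 }, m1 = { &m0, &r1, &mp, 0 };
	struct mount m2 = { NULL, &ns, NULL, 1 };
	struct path p = internal ? (struct path){ &m2, &ns } : (struct path){ &m1, &file };
	return access_allowed(p, request);
}
```

In this model `demo(0, 1)` is granted through the rule on `/home` after crossing the mount boundary, while `demo(0, 2)` is denied because the rule on the covered mountpoint is never consulted.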