[RFC PATCH 1/2] landlock: access_mask_subset() helper
Günther Noack
gnoack3000 at gmail.com
Sun Jan 11 20:01:10 UTC 2026
On Fri, Jan 09, 2026 at 05:06:10PM +0100, Mickaël Salaün wrote:
> On Tue, Dec 30, 2025 at 11:39:19AM +0100, Günther Noack wrote:
> > This helper function checks whether an access_mask_t has a subset of the
> > bits enabled than another one. This expresses the intent a bit smoother
> > in the code and does not cost us anything when it gets inlined.
> >
> > Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> > ---
> > security/landlock/fs.c | 11 ++++++++++-
> > 1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> > index fe794875ad461..b4ce03bef4b8e 100644
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
> > @@ -398,6 +398,15 @@ static const struct access_masks any_fs = {
> > .fs = ~0,
> > };
> >
> > +/*
> > + * Returns true iff a has a subset of the bits of b.
> > + * It helps readability and gets inlined.
> > + */
> > +static bool access_mask_subset(access_mask_t a, access_mask_t b)
> > +{
> > + return (a | b) == b;
>
> I'm curious about why this switches to a binary OR instead of the
> original AND.
It is slightly more intuitive to me, but other than that, no specific reason.
(a | b) == b has the same results as (b & a) == a.
I'm not feeling strongly about it.
We can also do it the other way around if you prefer.
–Günther
More information about the Linux-security-module-archive
mailing list