Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0.10 2026-02-10T15:46:50+00:00 2026-02-10T15:46:50+00:00 Günther Noack gnoack3000@gmail.com 2026-02-06T15:11:55+00:00 urn:sha1:65b691f84dba54a446518c51b25d3d4f1739dec5 The layer masks data structure tracks the requested but unfulfilled access rights during an operation's security check. It stores one bit for each combination of access right and layer index. If the bit is set, that access right is not granted (yet) in the given layer and we have to traverse the path further upwards to grant it. Previously, the layer masks were stored as arrays mapping from access right indices to layer_mask_t. The layer_mask_t value then indicates all layers in which the given access right is still (tentatively) denied. This patch introduces struct layer_access_masks instead: This struct contains an array with the access_mask_t of each (tentatively) denied access right in that layer. The hypothesis of this patch is that this simplifies the code enough so that the resulting code will run faster: * We can use bitwise operations in multiple places where we previously looped over bits individually with macros. (Should require less branch speculation and lends itself to better loop unrolling.) * Code is ~75 lines smaller. Other noteworthy changes: * In no_more_access(), call a new helper function may_refer(), which only solves the asymmetric case. Previously, the code interleaved the checks for the two symmetric cases in RENAME_EXCHANGE. It feels that the code is clearer when renames without RENAME_EXCHANGE are more obviously the normal case. Tradeoffs: This change improves performance, at a slight size increase to the layer masks data structure. This fixes the size of the data structure at 32 bytes for all types of access rights. (64, once we introduce a 17th filesystem access right). For filesystem access rights, at the moment, the data structure has the same size as before, but once we introduce the 17th filesystem access right, it will double in size (from 32 to 64 bytes), as access_mask_t grows from 16 to 32 bit [1]. Link: https://lore.kernel.org/all/20260120.haeCh4li9Vae@digikod.net/ [1] Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260206151154.97915-5-gnoack3000@gmail.com [mic: Cosmetic fixes, moved struct layer_access_masks definition] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-10T15:46:48+00:00 Günther Noack gnoack3000@gmail.com 2026-02-06T15:11:54+00:00 urn:sha1:45f2a2926b2187d1b08132d2728af50785b007a7 This helper function checks whether an access_mask_t has a subset of the bits enabled than another one. This expresses the intent a bit smoother in the code and does not cost us anything when it gets inlined. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260206151154.97915-4-gnoack3000@gmail.com [mic: Improve subject] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:41+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:03+00:00 urn:sha1:20fd2954945458c1b04060d1ce6320f897b3a701 Add audit support to the file_truncate and file_ioctl hooks. Add a deny_masks_t type and related helpers to store the domain's layer level per optional access rights (i.e. LANDLOCK_ACCESS_FS_TRUNCATE and LANDLOCK_ACCESS_FS_IOCTL_DEV) when opening a file, which cannot be inferred later. In practice, the landlock_file_security aligned blob size is still 16 bytes because this new one-byte deny_masks field follows the existing two-bytes allowed_access field and precede the packed fown_subject. Implementing deny_masks_t with a bitfield instead of a struct enables a generic implementation to store and extract layer levels. Add KUnit tests to check the identification of a layer level from a deny_masks_t, and the computation of a deny_masks_t from an access right with its layer level or a layer_mask_t array. Audit event sample: type=LANDLOCK_DENY msg=audit(1729738800.349:44): domain=195ba459b blockers=fs.ioctl_dev path="/dev/tty" dev="devtmpfs" ino=9 ioctlcmd=0x5401 Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250320190717.2287696-15-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-01-17T18:05:35+00:00 Mickaël Salaün mic@digikod.net 2025-01-08T15:43:14+00:00 urn:sha1:d6c7cf84a24fff332ff65ffe236302216474b834 Upgrade domain's handled access masks when creating a domain from a ruleset, instead of converting them at runtime. This is more consistent and helps with audit support. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250108154338.1129069-7-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-01-17T18:05:34+00:00 Mickaël Salaün mic@digikod.net 2025-01-08T15:43:13+00:00 urn:sha1:622e2f5954763385c4fa1f9a11a11366952a9b60 Move LANDLOCK_ACCESS_FS_INITIALLY_DENIED, access_mask_t, struct access_mask, and struct access_masks_all to a dedicated access.h file. Rename LANDLOCK_ACCESS_FS_INITIALLY_DENIED to _LANDLOCK_ACCESS_FS_INITIALLY_DENIED to make it clear that it's not part of UAPI. Add some newlines when appropriate. This file will be extended with following commits, and it will help to avoid dependency loops. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250108154338.1129069-6-mic@digikod.net [mic: Fix rebase conflict because of the new cleanup headers] Signed-off-by: Mickaël Salaün <mic@digikod.net>