diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-10 00:22:15 +0300 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-10 00:22:15 +0300 |
commit | e9b4c5890858015bfe2089b7573319bcf4a92907 (patch) | |
tree | d80172d3b6a012623d79f5d9607a328cb1eb5ce3 /security | |
parent | 063a7ce32ddc2c4f2404b0dfd29e60e3dbcdffac (diff) | |
parent | 0daaa610c8e033cdfb420db728c2b40eb3a75134 (diff) | |
download | linux-e9b4c5890858015bfe2089b7573319bcf4a92907.tar.xz |
Merge tag 'landlock-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull Landlock updates from Mickaël Salaün:
"New tests, a slight optimization, and some cosmetic changes"
* tag 'landlock-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
landlock: Optimize the number of calls to get_access_mask slightly
selftests/landlock: Rename "permitted" to "allowed" in ftruncate tests
landlock: Remove remaining "inline" modifiers in .c files [v6.6]
landlock: Remove remaining "inline" modifiers in .c files [v6.1]
landlock: Remove remaining "inline" modifiers in .c files [v5.15]
selftests/landlock: Add tests to check unhandled rule's access rights
selftests/landlock: Add tests to check unknown rule's access rights
Diffstat (limited to 'security')
-rw-r--r-- | security/landlock/fs.c | 26 | ||||
-rw-r--r-- | security/landlock/ruleset.c | 7 |
2 files changed, 17 insertions, 16 deletions
diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 490655d09b43..fc520a06f9af 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -193,7 +193,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, * * Returns NULL if no rule is found or if @dentry is negative. */ -static inline const struct landlock_rule * +static const struct landlock_rule * find_rule(const struct landlock_ruleset *const domain, const struct dentry *const dentry) { @@ -220,7 +220,7 @@ find_rule(const struct landlock_ruleset *const domain, * sockfs, pipefs), but can still be reachable through * /proc/<pid>/fd/<file-descriptor> */ -static inline bool is_nouser_or_private(const struct dentry *dentry) +static bool is_nouser_or_private(const struct dentry *dentry) { return (dentry->d_sb->s_flags & SB_NOUSER) || (d_is_positive(dentry) && @@ -264,7 +264,7 @@ static const struct landlock_ruleset *get_current_fs_domain(void) * * @layer_masks_child2: Optional child masks. */ -static inline bool no_more_access( +static bool no_more_access( const layer_mask_t (*const layer_masks_parent1)[LANDLOCK_NUM_ACCESS_FS], const layer_mask_t (*const layer_masks_child1)[LANDLOCK_NUM_ACCESS_FS], const bool child1_is_directory, @@ -316,7 +316,7 @@ static inline bool no_more_access( * * Returns true if the request is allowed, false otherwise. */ -static inline bool +static bool scope_to_request(const access_mask_t access_request, layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]) { @@ -335,7 +335,7 @@ scope_to_request(const access_mask_t access_request, * Returns true if there is at least one access right different than * LANDLOCK_ACCESS_FS_REFER. */ -static inline bool +static bool is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], const access_mask_t access_request) { @@ -551,9 +551,9 @@ jump_up: return allowed_parent1 && allowed_parent2; } -static inline int check_access_path(const struct landlock_ruleset *const domain, - const struct path *const path, - access_mask_t access_request) +static int check_access_path(const struct landlock_ruleset *const domain, + const struct path *const path, + access_mask_t access_request) { layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; @@ -565,8 +565,8 @@ static inline int check_access_path(const struct landlock_ruleset *const domain, return -EACCES; } -static inline int current_check_access_path(const struct path *const path, - const access_mask_t access_request) +static int current_check_access_path(const struct path *const path, + const access_mask_t access_request) { const struct landlock_ruleset *const dom = get_current_fs_domain(); @@ -575,7 +575,7 @@ static inline int current_check_access_path(const struct path *const path, return check_access_path(dom, path, access_request); } -static inline access_mask_t get_mode_access(const umode_t mode) +static access_mask_t get_mode_access(const umode_t mode) { switch (mode & S_IFMT) { case S_IFLNK: @@ -600,7 +600,7 @@ static inline access_mask_t get_mode_access(const umode_t mode) } } -static inline access_mask_t maybe_remove(const struct dentry *const dentry) +static access_mask_t maybe_remove(const struct dentry *const dentry) { if (d_is_negative(dentry)) return 0; @@ -1086,7 +1086,7 @@ static int hook_path_truncate(const struct path *const path) * Returns the access rights that are required for opening the given file, * depending on the file type and open mode. */ -static inline access_mask_t +static access_mask_t get_required_file_open_access(const struct file *const file) { access_mask_t access = 0; diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index ffedc99f2b68..e0a5fbf9201a 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -305,7 +305,7 @@ int landlock_insert_rule(struct landlock_ruleset *const ruleset, return insert_rule(ruleset, id, &layers, ARRAY_SIZE(layers)); } -static inline void get_hierarchy(struct landlock_hierarchy *const hierarchy) +static void get_hierarchy(struct landlock_hierarchy *const hierarchy) { if (hierarchy) refcount_inc(&hierarchy->usage); @@ -723,11 +723,12 @@ landlock_init_layer_masks(const struct landlock_ruleset *const domain, /* Saves all handled accesses per layer. */ for (layer_level = 0; layer_level < domain->num_layers; layer_level++) { const unsigned long access_req = access_request; + const access_mask_t access_mask = + get_access_mask(domain, layer_level); unsigned long access_bit; for_each_set_bit(access_bit, &access_req, num_access) { - if (BIT_ULL(access_bit) & - get_access_mask(domain, layer_level)) { + if (BIT_ULL(access_bit) & access_mask) { (*layer_masks)[access_bit] |= BIT_ULL(layer_level); handled_accesses |= BIT_ULL(access_bit); |