Re: [PATCH v4 05/30] landlock: Move access types

["Mickaël Salaün" <mic@digikod.net>]

On Wed, Jan 08, 2025 at 04:43:13PM +0100, Mickaël Salaün wrote:
> Move LANDLOCK_ACCESS_FS_INITIALLY_DENIED, access_mask_t, struct
> access_mask, and struct access_masks_all to a dedicated access.h file.
> 
> Rename LANDLOCK_ACCESS_FS_INITIALLY_DENIED to
> _LANDLOCK_ACCESS_FS_INITIALLY_DENIED to make it clear that it's not part
> of UAPI.  Add some newlines when appropriate.
> 
> This file will be extended with following commits, and it will help to
> avoid dependency loops.
> 
> Cc: Günther Noack <gnoack@google.com>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> Link: https://lore.kernel.org/r/20250108154338.1129069-6-mic@digikod.net

Pushed in my next tree to simplify next patch series.

> ---
> 
> Changes since v2:
> - Rebased on the (now merged) masks improvement patches.
> - Move ACCESS_FS_OPTIONAL to a following patch introducing deny_masks_t,
>   spotted by Francis Laniel.
> - Move and rename LANDLOCK_ACCESS_FS_INITIALLY_DENIED to
>   _LANDLOCK_ACCESS_FS_INITIALLY_DENIED.
> 
> Changes since v1:
> - New patch
> ---
>  security/landlock/access.h  | 62 +++++++++++++++++++++++++++++++++++++
>  security/landlock/fs.c      |  3 +-
>  security/landlock/fs.h      |  1 +
>  security/landlock/ruleset.c |  1 +
>  security/landlock/ruleset.h | 47 ++--------------------------
>  5 files changed, 68 insertions(+), 46 deletions(-)
>  create mode 100644 security/landlock/access.h
> 
> diff --git a/security/landlock/access.h b/security/landlock/access.h
> new file mode 100644
> index 000000000000..9ee4b30a87e6
> --- /dev/null
> +++ b/security/landlock/access.h
> @@ -0,0 +1,62 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Landlock LSM - Access types and helpers
> + *
> + * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
> + * Copyright © 2018-2020 ANSSI
> + * Copyright © 2024-2025 Microsoft Corporation
> + */
> +
> +#ifndef _SECURITY_LANDLOCK_ACCESS_H
> +#define _SECURITY_LANDLOCK_ACCESS_H
> +
> +#include <linux/bitops.h>
> +#include <linux/build_bug.h>
> +#include <linux/kernel.h>
> +#include <uapi/linux/landlock.h>
> +
> +#include "limits.h"
> +
> +/*
> + * All access rights that are denied by default whether they are handled or not
> + * by a ruleset/layer.  This must be ORed with all ruleset->access_masks[]
> + * entries when we need to get the absolute handled access masks.
> + */
> +/* clang-format off */
> +#define _LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
> +	LANDLOCK_ACCESS_FS_REFER)
> +/* clang-format on */
> +
> +typedef u16 access_mask_t;
> +
> +/* Makes sure all filesystem access rights can be stored. */
> +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
> +/* Makes sure all network access rights can be stored. */
> +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
> +/* Makes sure all scoped rights can be stored. */
> +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
> +/* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
> +static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
> +
> +/* Ruleset access masks. */
> +struct access_masks {
> +	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
> +	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
> +	access_mask_t scope : LANDLOCK_NUM_SCOPE;
> +};
> +
> +union access_masks_all {
> +	struct access_masks masks;
> +	u32 all;
> +};
> +
> +/* Makes sure all fields are covered. */
> +static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
> +	      sizeof(typeof_member(union access_masks_all, all)));
> +
> +typedef u16 layer_mask_t;
> +
> +/* Makes sure all layers can be checked. */
> +static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
> +
> +#endif /* _SECURITY_LANDLOCK_ACCESS_H */
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index d911c924843f..3da5f1945158 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -36,6 +36,7 @@
>  #include <uapi/linux/fiemap.h>
>  #include <uapi/linux/landlock.h>
>  
> +#include "access.h"
>  #include "common.h"
>  #include "cred.h"
>  #include "fs.h"
> @@ -393,7 +394,7 @@ get_handled_fs_accesses(const struct landlock_ruleset *const domain)
>  {
>  	/* Handles all initially denied by default access rights. */
>  	return landlock_union_access_masks(domain).fs |
> -	       LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
> +	       _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
>  }
>  
>  static const struct access_masks any_fs = {
> diff --git a/security/landlock/fs.h b/security/landlock/fs.h
> index 1487e1f023a1..d445f411c26a 100644
> --- a/security/landlock/fs.h
> +++ b/security/landlock/fs.h
> @@ -13,6 +13,7 @@
>  #include <linux/init.h>
>  #include <linux/rcupdate.h>
>  
> +#include "access.h"
>  #include "ruleset.h"
>  #include "setup.h"
>  
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index a93bdbf52fff..cae69f2f01d9 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -20,6 +20,7 @@
>  #include <linux/spinlock.h>
>  #include <linux/workqueue.h>
>  
> +#include "access.h"
>  #include "limits.h"
>  #include "object.h"
>  #include "ruleset.h"
> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> index 631e24d4ffe9..2f29b9f40392 100644
> --- a/security/landlock/ruleset.h
> +++ b/security/landlock/ruleset.h
> @@ -9,58 +9,15 @@
>  #ifndef _SECURITY_LANDLOCK_RULESET_H
>  #define _SECURITY_LANDLOCK_RULESET_H
>  
> -#include <linux/bitops.h>
> -#include <linux/build_bug.h>
> -#include <linux/kernel.h>
>  #include <linux/mutex.h>
>  #include <linux/rbtree.h>
>  #include <linux/refcount.h>
>  #include <linux/workqueue.h>
> -#include <uapi/linux/landlock.h>
>  
> +#include "access.h"
>  #include "limits.h"
>  #include "object.h"
>  
> -/*
> - * All access rights that are denied by default whether they are handled or not
> - * by a ruleset/layer.  This must be ORed with all ruleset->access_masks[]
> - * entries when we need to get the absolute handled access masks.
> - */
> -/* clang-format off */
> -#define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
> -	LANDLOCK_ACCESS_FS_REFER)
> -/* clang-format on */
> -
> -typedef u16 access_mask_t;
> -/* Makes sure all filesystem access rights can be stored. */
> -static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
> -/* Makes sure all network access rights can be stored. */
> -static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
> -/* Makes sure all scoped rights can be stored. */
> -static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
> -/* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
> -static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
> -
> -/* Ruleset access masks. */
> -struct access_masks {
> -	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
> -	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
> -	access_mask_t scope : LANDLOCK_NUM_SCOPE;
> -};
> -
> -union access_masks_all {
> -	struct access_masks masks;
> -	u32 all;
> -};
> -
> -/* Makes sure all fields are covered. */
> -static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
> -	      sizeof(typeof_member(union access_masks_all, all)));
> -
> -typedef u16 layer_mask_t;
> -/* Makes sure all layers can be checked. */
> -static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
> -
>  /**
>   * struct landlock_layer - Access rights for a given layer
>   */
> @@ -366,7 +323,7 @@ landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
>  {
>  	/* Handles all initially denied by default access rights. */
>  	return ruleset->access_masks[layer_level].fs |
> -	       LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
> +	       _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
>  }
>  
>  static inline access_mask_t
> -- 
> 2.47.1
> 
>