ruleset.c 19 KB

  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Landlock LSM - Ruleset management
  4. *
  5. * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
  6. * Copyright © 2018-2020 ANSSI
  7. */
  8. #include <linux/bits.h>
  9. #include <linux/bug.h>
  10. #include <linux/cleanup.h>
  11. #include <linux/compiler_types.h>
  12. #include <linux/err.h>
  13. #include <linux/errno.h>
  14. #include <linux/kernel.h>
  15. #include <linux/lockdep.h>
  16. #include <linux/mutex.h>
  17. #include <linux/overflow.h>
  18. #include <linux/rbtree.h>
  19. #include <linux/refcount.h>
  20. #include <linux/slab.h>
  21. #include <linux/spinlock.h>
  22. #include <linux/workqueue.h>
  23. #include "access.h"
  24. #include "domain.h"
  25. #include "limits.h"
  26. #include "object.h"
  27. #include "ruleset.h"
  /*
   * Allocates a zeroed ruleset with room for @num_layers access masks and
   * initializes its reference count, lock and (empty) rule trees.
   *
   * The allocation is done with GFP_KERNEL_ACCOUNT, i.e. it is charged to the
   * memory cgroup of the task that triggers it.
   *
   * Returns the new ruleset with a usage count of 1, or ERR_PTR(-ENOMEM).
   * Callers must test the result with IS_ERR(), never against NULL.
   */
  static struct landlock_ruleset *create_ruleset(const u32 num_layers)
  {
  	struct landlock_ruleset *ruleset;

  	ruleset = kzalloc_flex(*ruleset, access_masks, num_layers,
  			       GFP_KERNEL_ACCOUNT);
  	if (!ruleset)
  		return ERR_PTR(-ENOMEM);

  	/*
  	 * Left at their zeroed value by the allocation:
  	 * hierarchy = NULL, num_rules = 0, access_masks[] = 0.
  	 */
  	ruleset->num_layers = num_layers;
  	ruleset->root_inode = RB_ROOT;
  #if IS_ENABLED(CONFIG_INET)
  	ruleset->root_net_port = RB_ROOT;
  #endif /* IS_ENABLED(CONFIG_INET) */
  	mutex_init(&ruleset->lock);
  	refcount_set(&ruleset->usage, 1);
  	return ruleset;
  }
  /*
   * Creates a single-layer ruleset that handles the given filesystem access
   * rights, network access rights and scopes.
   *
   * Returns ERR_PTR(-ENOMSG) when all three masks are empty, the error pointer
   * from create_ruleset() when the allocation fails, or the new ruleset.
   */
  struct landlock_ruleset *
  landlock_create_ruleset(const access_mask_t fs_access_mask,
  			const access_mask_t net_access_mask,
  			const access_mask_t scope_mask)
  {
  	struct landlock_ruleset *ruleset;

  	/* Informs about a useless ruleset: nothing at all would be handled. */
  	if (!(fs_access_mask || net_access_mask || scope_mask))
  		return ERR_PTR(-ENOMSG);

  	ruleset = create_ruleset(1);
  	if (IS_ERR(ruleset))
  		return ruleset;

  	/* Every non-empty mask is recorded at layer index 0, the only layer. */
  	if (fs_access_mask)
  		landlock_add_fs_access_mask(ruleset, fs_access_mask, 0);
  	if (net_access_mask)
  		landlock_add_net_access_mask(ruleset, net_access_mask, 0);
  	if (scope_mask)
  		landlock_add_scope_mask(ruleset, scope_mask, 0);
  	return ruleset;
  }
  /*
   * Compile-time check only: sets every bit of landlock_rule.num_layers and
   * breaks the build if the resulting maximum cannot represent
   * LANDLOCK_MAX_NUM_LAYERS, so a full layer stack can never be silently
   * truncated when its size is stored in a rule.
   */
  static void build_check_rule(void)
  {
  	const struct landlock_rule widest = {
  		.num_layers = ~0,
  	};

  	BUILD_BUG_ON(widest.num_layers < LANDLOCK_MAX_NUM_LAYERS);
  }
  /*
   * Tells whether the key of a rule of type @key_type is a pointer to a
   * Landlock object.  create_rule() takes an object reference and free_rule()
   * drops it only when this returns true.
   *
   * An unknown key type triggers a one-time warning and is treated as "not a
   * pointer", so no reference counting is attempted on it.
   */
  static bool is_object_pointer(const enum landlock_key_type key_type)
  {
  	if (key_type == LANDLOCK_KEY_INODE)
  		return true;

  #if IS_ENABLED(CONFIG_INET)
  	if (key_type == LANDLOCK_KEY_NET_PORT)
  		return false;
  #endif /* IS_ENABLED(CONFIG_INET) */

  	WARN_ON_ONCE(1);
  	return false;
  }
  /*
   * Allocates a rule for @id holding a copy of the @num_layers entries of
   * @layers, optionally followed by a copy of @new_layer.
   *
   * @id: Key and key type of the new rule.
   * @layers: Existing layer stack to copy.
   * @num_layers: Number of entries in @layers.
   * @new_layer: Extra layer to push on top of the copied stack, or NULL.
   *
   * When the key is an object pointer, a reference is taken on the object; it
   * is released by free_rule().
   *
   * Returns the new rule (not yet linked in any tree), ERR_PTR(-E2BIG) if
   * pushing @new_layer would exceed LANDLOCK_MAX_NUM_LAYERS, or
   * ERR_PTR(-ENOMEM).
   */
  static struct landlock_rule *
  create_rule(const struct landlock_id id,
  	    const struct landlock_layer (*const layers)[], const u32 num_layers,
  	    const struct landlock_layer *const new_layer)
  {
  	struct landlock_rule *rule;
  	u32 total_layers = num_layers;

  	build_check_rule();

  	if (new_layer) {
  		/*
  		 * Should already be checked by landlock_merge_ruleset().
  		 * Checking before the increment keeps the stack size within
  		 * LANDLOCK_MAX_NUM_LAYERS.
  		 */
  		if (WARN_ON_ONCE(num_layers >= LANDLOCK_MAX_NUM_LAYERS))
  			return ERR_PTR(-E2BIG);
  		total_layers++;
  	}

  	rule = kzalloc_flex(*rule, layers, total_layers, GFP_KERNEL_ACCOUNT);
  	if (!rule)
  		return ERR_PTR(-ENOMEM);

  	RB_CLEAR_NODE(&rule->node);
  	if (is_object_pointer(id.type)) {
  		/*
  		 * This should have been caught by insert_rule().  The warning
  		 * does not stop the call below.
  		 */
  		WARN_ON_ONCE(!id.key.object);
  		landlock_get_object(id.key.object);
  	}
  	rule->key = id.key;
  	rule->num_layers = total_layers;

  	/*
  	 * Copies the original layer stack.  The size is computed from
  	 * @num_layers, which never exceeds the allocated total_layers.
  	 */
  	memcpy(rule->layers, layers,
  	       flex_array_size(rule, layers, num_layers));

  	/* Adds a copy of @new_layer in the last slot of the layer stack. */
  	if (new_layer)
  		rule->layers[total_layers - 1] = *new_layer;

  	return rule;
  }
  /*
   * Returns the red-black tree root of @ruleset that stores rules of type
   * @key_type.
   *
   * An unknown key type triggers a one-time warning and yields
   * ERR_PTR(-EINVAL), never NULL: callers must test the result with IS_ERR()
   * before dereferencing it.
   */
  static struct rb_root *get_root(struct landlock_ruleset *const ruleset,
  				const enum landlock_key_type key_type)
  {
  	if (key_type == LANDLOCK_KEY_INODE)
  		return &ruleset->root_inode;

  #if IS_ENABLED(CONFIG_INET)
  	if (key_type == LANDLOCK_KEY_NET_PORT)
  		return &ruleset->root_net_port;
  #endif /* IS_ENABLED(CONFIG_INET) */

  	WARN_ON_ONCE(1);
  	return ERR_PTR(-EINVAL);
  }
  /*
   * Releases @rule: drops the object reference held through its key when
   * @key_type designates an object pointer, then frees the rule itself.
   * A NULL @rule is accepted and ignored.
   *
   * @key_type must be the type the rule was created with, otherwise the
   * reference taken by create_rule() is not balanced.  May sleep.
   */
  static void free_rule(struct landlock_rule *const rule,
  		      const enum landlock_key_type key_type)
  {
  	might_sleep();

  	if (rule) {
  		if (is_object_pointer(key_type))
  			landlock_put_object(rule->key.object);
  		kfree(rule);
  	}
  }
  /*
   * Compile-time check only: breaks the build if landlock_ruleset.num_rules or
   * landlock_ruleset.num_layers, with all their bits set, cannot represent
   * LANDLOCK_MAX_NUM_RULES and LANDLOCK_MAX_NUM_LAYERS respectively.
   */
  static void build_check_ruleset(void)
  {
  	const struct landlock_ruleset widest = {
  		.num_rules = ~0,
  		.num_layers = ~0,
  	};

  	BUILD_BUG_ON(widest.num_rules < LANDLOCK_MAX_NUM_RULES);
  	BUILD_BUG_ON(widest.num_layers < LANDLOCK_MAX_NUM_LAYERS);
  }
  /**
   * insert_rule - Create and insert a rule in a ruleset
   *
   * @ruleset: The ruleset to be updated.  Its lock must be held by the caller.
   * @id: The ID to build the new rule with.  The underlying kernel object, if
   *      any, must be held by the caller.
   * @layers: One or multiple layers to be copied into the new rule.
   * @num_layers: The number of @layers entries.
   *
   * When user space requests to add a new rule to a ruleset, @layers only
   * contains one entry and this entry is not assigned to any level (its level
   * is 0).  In this case, the new rule extends @ruleset, similarly to a boolean
   * OR between access rights.
   *
   * When merging a ruleset in a domain, or copying a domain, @layers is added
   * to @ruleset as new constraints, similarly to a boolean AND between access
   * rights: a matching rule is replaced by a copy with the new layer stacked on
   * top of the existing ones.
   *
   * Return: 0 on success, -ENOENT if @layers or a required object pointer is
   * missing, -EINVAL on an inconsistent layer stack or unknown key type,
   * -E2BIG if a rule or layer limit is reached, or -ENOMEM.
   */
  static int insert_rule(struct landlock_ruleset *const ruleset,
  		       const struct landlock_id id,
  		       const struct landlock_layer (*const layers)[],
  		       const size_t num_layers)
  {
  	struct rb_node **link;
  	struct rb_node *parent = NULL;
  	struct landlock_rule *match = NULL;
  	struct landlock_rule *new_rule;
  	struct rb_root *root;

  	might_sleep();
  	lockdep_assert_held(&ruleset->lock);

  	if (WARN_ON_ONCE(!layers))
  		return -ENOENT;
  	if (is_object_pointer(id.type) && WARN_ON_ONCE(!id.key.object))
  		return -ENOENT;

  	root = get_root(ruleset, id.type);
  	if (IS_ERR(root))
  		return PTR_ERR(root);

  	/*
  	 * Walks down the tree looking for a rule with the same key, and keeps
  	 * track of the slot where a new node would have to be linked.
  	 */
  	for (link = &root->rb_node; *link;) {
  		struct landlock_rule *const cur =
  			rb_entry(*link, struct landlock_rule, node);

  		if (cur->key.data == id.key.data) {
  			match = cur;
  			break;
  		}
  		parent = *link;
  		if (cur->key.data < id.key.data)
  			link = &(*link)->rb_right;
  		else
  			link = &(*link)->rb_left;
  	}

  	if (!match) {
  		/* There is no match for @id: inserts a brand new rule. */
  		build_check_ruleset();
  		/* Bounds the number of rules a single ruleset can hold. */
  		if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES)
  			return -E2BIG;

  		new_rule = create_rule(id, layers, num_layers, NULL);
  		if (IS_ERR(new_rule))
  			return PTR_ERR(new_rule);

  		rb_link_node(&new_rule->node, parent, link);
  		rb_insert_color(&new_rule->node, root);
  		ruleset->num_rules++;
  		return 0;
  	}

  	/* Only a single-level layer should match an existing rule. */
  	if (WARN_ON_ONCE(num_layers != 1))
  		return -EINVAL;

  	if ((*layers)[0].level == 0) {
  		/*
  		 * Extends access rights when the request comes from
  		 * landlock_add_rule(2), i.e. @ruleset is not a domain.  The
  		 * existing rule must then be an unassigned single layer too.
  		 */
  		if (WARN_ON_ONCE(match->num_layers != 1))
  			return -EINVAL;
  		if (WARN_ON_ONCE(match->layers[0].level != 0))
  			return -EINVAL;
  		match->layers[0].access |= (*layers)[0].access;
  		return 0;
  	}

  	/* A leveled layer must never be stacked on an unassigned one. */
  	if (WARN_ON_ONCE(match->layers[0].level == 0))
  		return -EINVAL;

  	/*
  	 * Intersects access rights when it is a merge between a ruleset and a
  	 * domain: the matching rule is swapped for a copy carrying the extra
  	 * layer, then released.
  	 */
  	new_rule = create_rule(id, &match->layers, match->num_layers,
  			       &(*layers)[0]);
  	if (IS_ERR(new_rule))
  		return PTR_ERR(new_rule);

  	rb_replace_node(&match->node, &new_rule->node, root);
  	free_rule(match, id.type);
  	return 0;
  }
  /*
   * Compile-time check only: breaks the build if landlock_layer.level or
   * landlock_layer.access, with all their bits set, are not large enough to
   * contain LANDLOCK_MAX_NUM_LAYERS and LANDLOCK_MASK_ACCESS_FS respectively.
   */
  static void build_check_layer(void)
  {
  	const struct landlock_layer widest = {
  		.level = ~0,
  		.access = ~0,
  	};

  	BUILD_BUG_ON(widest.level < LANDLOCK_MAX_NUM_LAYERS);
  	BUILD_BUG_ON(widest.access < LANDLOCK_MASK_ACCESS_FS);
  }
  /*
   * Adds the access rights @access for @id to @ruleset, which must be locked
   * by the caller.
   *
   * The rule is passed to insert_rule() as a single layer whose level is zero,
   * which makes insert_rule() extend @ruleset (OR with an existing rule for the
   * same key) instead of stacking a new constraint.
   *
   * Returns what insert_rule() returns.
   */
  int landlock_insert_rule(struct landlock_ruleset *const ruleset,
  			 const struct landlock_id id,
  			 const access_mask_t access)
  {
  	struct landlock_layer unassigned[] = { {
  		/* When @level is zero, insert_rule() extends @ruleset. */
  		.level = 0,
  		.access = access,
  	} };

  	build_check_layer();
  	return insert_rule(ruleset, id, &unassigned, ARRAY_SIZE(unassigned));
  }
  /*
   * Inserts every rule of the @key_type tree of @src into @dst as a layer
   * whose level is @dst->num_layers.
   *
   * Both rulesets must be locked by the caller.  Each @src rule is required to
   * be a single unassigned layer (level 0); anything else triggers a one-time
   * warning and -EINVAL.
   *
   * Returns 0 on success, or the first error encountered.  Rules inserted
   * before the failure are left in @dst.
   */
  static int merge_tree(struct landlock_ruleset *const dst,
  		      struct landlock_ruleset *const src,
  		      const enum landlock_key_type key_type)
  {
  	struct landlock_rule *rule, *tmp;
  	struct rb_root *src_root;
  	int err;

  	might_sleep();
  	lockdep_assert_held(&dst->lock);
  	lockdep_assert_held(&src->lock);

  	src_root = get_root(src, key_type);
  	if (IS_ERR(src_root))
  		return PTR_ERR(src_root);

  	/* Merges the @src tree. */
  	rbtree_postorder_for_each_entry_safe(rule, tmp, src_root, node) {
  		struct landlock_layer new_layer[] = { {
  			.level = dst->num_layers,
  		} };
  		const struct landlock_id id = {
  			.type = key_type,
  			.key = rule->key,
  		};

  		/* layers[0] is only read once the stack shape is validated. */
  		if (WARN_ON_ONCE(rule->num_layers != 1))
  			return -EINVAL;
  		if (WARN_ON_ONCE(rule->layers[0].level != 0))
  			return -EINVAL;

  		new_layer[0].access = rule->layers[0].access;
  		err = insert_rule(dst, id, &new_layer, ARRAY_SIZE(new_layer));
  		if (err)
  			return err;
  	}
  	return 0;
  }
  /*
   * Stacks @src as the last layer of the domain @dst: records the handled
   * access masks of @src in the last slot of @dst->access_masks, then merges
   * the rule trees of @src into @dst.
   *
   * Takes both ruleset locks, @dst first.
   *
   * Returns 0 on success (or when @src is NULL, after a warning), -EINVAL if
   * @dst is not a domain or the layer counts are inconsistent, or the error
   * from merge_tree().
   */
  static int merge_ruleset(struct landlock_ruleset *const dst,
  			 struct landlock_ruleset *const src)
  {
  	int err;

  	might_sleep();

  	/* Should already be checked by landlock_merge_ruleset() */
  	if (WARN_ON_ONCE(!src))
  		return 0;
  	/* Only merge into a domain. */
  	if (WARN_ON_ONCE(!dst || !dst->hierarchy))
  		return -EINVAL;

  	/* Locks @dst first because we are its only owner. */
  	mutex_lock(&dst->lock);
  	mutex_lock_nested(&src->lock, SINGLE_DEPTH_NESTING);

  	/*
  	 * Stacks the new layer.  The check also guarantees that the index
  	 * dst->num_layers - 1 used below cannot underflow.
  	 */
  	if (WARN_ON_ONCE(src->num_layers != 1 || dst->num_layers < 1)) {
  		err = -EINVAL;
  		goto out_unlock;
  	}
  	dst->access_masks[dst->num_layers - 1] =
  		landlock_upgrade_handled_access_masks(src->access_masks[0]);

  	/* Merges the @src inode tree. */
  	err = merge_tree(dst, src, LANDLOCK_KEY_INODE);

  #if IS_ENABLED(CONFIG_INET)
  	/* Merges the @src network port tree, unless the first merge failed. */
  	if (!err)
  		err = merge_tree(dst, src, LANDLOCK_KEY_NET_PORT);
  #endif /* IS_ENABLED(CONFIG_INET) */

  out_unlock:
  	mutex_unlock(&src->lock);
  	mutex_unlock(&dst->lock);
  	return err;
  }
  /*
   * Copies every rule of the @key_type tree of @parent into @child, with its
   * whole layer stack.
   *
   * Both rulesets must be locked by the caller.
   *
   * Returns 0 on success, or the first error from get_root() or
   * insert_rule().  Rules copied before the failure are left in @child.
   */
  static int inherit_tree(struct landlock_ruleset *const parent,
  			struct landlock_ruleset *const child,
  			const enum landlock_key_type key_type)
  {
  	struct landlock_rule *rule, *tmp;
  	struct rb_root *parent_root;
  	int err;

  	might_sleep();
  	lockdep_assert_held(&parent->lock);
  	lockdep_assert_held(&child->lock);

  	parent_root = get_root(parent, key_type);
  	if (IS_ERR(parent_root))
  		return PTR_ERR(parent_root);

  	/* Copies the @parent inode or network tree. */
  	rbtree_postorder_for_each_entry_safe(rule, tmp, parent_root, node) {
  		const struct landlock_id id = {
  			.type = key_type,
  			.key = rule->key,
  		};

  		err = insert_rule(child, id, &rule->layers, rule->num_layers);
  		if (err)
  			return err;
  	}
  	return 0;
  }
  /*
   * Makes @child a copy of the domain @parent with one spare layer: copies the
   * rule trees and the per-layer access masks, takes a reference on the parent
   * hierarchy and links it as the parent of @child's hierarchy.
   *
   * A NULL @parent means there is nothing to inherit and is not an error.
   * Takes both ruleset locks, @child first.
   *
   * Returns 0 on success, the error from inherit_tree(), or -EINVAL if @child
   * does not have more layers than @parent or if @parent has no hierarchy.
   */
  static int inherit_ruleset(struct landlock_ruleset *const parent,
  			   struct landlock_ruleset *const child)
  {
  	int err;

  	might_sleep();
  	if (!parent)
  		return 0;

  	/* Locks @child first because we are its only owner. */
  	mutex_lock(&child->lock);
  	mutex_lock_nested(&parent->lock, SINGLE_DEPTH_NESTING);

  	/* Copies the @parent inode tree. */
  	err = inherit_tree(parent, child, LANDLOCK_KEY_INODE);

  #if IS_ENABLED(CONFIG_INET)
  	/* Copies the @parent network port tree, unless the first copy failed. */
  	if (!err)
  		err = inherit_tree(parent, child, LANDLOCK_KEY_NET_PORT);
  #endif /* IS_ENABLED(CONFIG_INET) */

  	if (err)
  		goto out_unlock;

  	/*
  	 * The copy below writes parent->num_layers entries into @child: this
  	 * check keeps it inside child->access_masks[] and leaves at least one
  	 * free slot.
  	 */
  	if (WARN_ON_ONCE(child->num_layers <= parent->num_layers)) {
  		err = -EINVAL;
  		goto out_unlock;
  	}

  	/* Copies the parent layer stack and leaves a space for the new layer. */
  	memcpy(child->access_masks, parent->access_masks,
  	       flex_array_size(parent, access_masks, parent->num_layers));

  	if (WARN_ON_ONCE(!parent->hierarchy)) {
  		err = -EINVAL;
  		goto out_unlock;
  	}

  	/* The reference is taken before the pointer is published in @child. */
  	landlock_get_hierarchy(parent->hierarchy);
  	child->hierarchy->parent = parent->hierarchy;

  out_unlock:
  	mutex_unlock(&parent->lock);
  	mutex_unlock(&child->lock);
  	return err;
  }
  /*
   * Destroys @ruleset: frees every rule of its trees (dropping the object
   * references they hold), puts its hierarchy and frees the ruleset itself.
   *
   * The usage count is not looked at here; the callers in this file only get
   * here after refcount_dec_and_test() returned true.  May sleep.
   */
  static void free_ruleset(struct landlock_ruleset *const ruleset)
  {
  	struct landlock_rule *rule, *tmp;

  	might_sleep();

  	/* Post-order walk: a node is never visited again once it is freed. */
  	rbtree_postorder_for_each_entry_safe(rule, tmp, &ruleset->root_inode,
  					     node)
  		free_rule(rule, LANDLOCK_KEY_INODE);

  #if IS_ENABLED(CONFIG_INET)
  	rbtree_postorder_for_each_entry_safe(rule, tmp,
  					     &ruleset->root_net_port, node)
  		free_rule(rule, LANDLOCK_KEY_NET_PORT);
  #endif /* IS_ENABLED(CONFIG_INET) */

  	landlock_put_hierarchy(ruleset->hierarchy);
  	kfree(ruleset);
  }
  /*
   * Drops one reference on @ruleset and frees it synchronously when that was
   * the last one.  A NULL @ruleset is ignored.  May sleep.
   */
  void landlock_put_ruleset(struct landlock_ruleset *const ruleset)
  {
  	might_sleep();

  	if (!ruleset)
  		return;
  	if (!refcount_dec_and_test(&ruleset->usage))
  		return;

  	free_ruleset(ruleset);
  }
  /*
   * Work callback queued by landlock_put_ruleset_deferred(): recovers the
   * ruleset that embeds @work as its work_free member and frees it.
   */
  static void free_ruleset_work(struct work_struct *const work)
  {
  	free_ruleset(container_of(work, struct landlock_ruleset, work_free));
  }
  /*
   * Drops one reference on @ruleset and, when that was the last one, hands the
   * actual free to a workqueue instead of doing it in the caller's context
   * (free_ruleset() may sleep).  A NULL @ruleset is ignored.
   *
   * Only called by hook_cred_free().
   */
  void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset)
  {
  	if (!ruleset || !refcount_dec_and_test(&ruleset->usage))
  		return;

  	INIT_WORK(&ruleset->work_free, free_ruleset_work);
  	schedule_work(&ruleset->work_free);
  }
  /**
   * landlock_merge_ruleset - Merge a ruleset with a domain
   *
   * @parent: Parent domain.
   * @ruleset: New ruleset to be merged.
   *
   * The current task is requesting to be restricted.  The subjective
   * credentials must not be in an overridden state.  cf.
   * landlock_init_hierarchy_log().
   *
   * Neither @parent nor @ruleset is modified: a new domain with one more layer
   * than @parent is built, and it is released on every error path by the
   * scope-based cleanup attached to the local pointer.
   *
   * Returns the intersection of @parent and @ruleset, or returns @parent if
   * @ruleset is empty, or returns a duplicate of @ruleset if @parent is empty.
   * On failure, returns ERR_PTR(-EINVAL), ERR_PTR(-E2BIG) when @parent already
   * has LANDLOCK_MAX_NUM_LAYERS layers, ERR_PTR(-ENOMEM), or the error of one
   * of the helpers.
   */
  struct landlock_ruleset *
  landlock_merge_ruleset(struct landlock_ruleset *const parent,
  		       struct landlock_ruleset *const ruleset)
  {
  	struct landlock_ruleset *domain __free(landlock_put_ruleset) = NULL;
  	u32 num_layers = 1;
  	int err;

  	might_sleep();
  	if (WARN_ON_ONCE(!ruleset || parent == ruleset))
  		return ERR_PTR(-EINVAL);

  	if (parent) {
  		/* Refuses to nest deeper than the layer limit. */
  		if (parent->num_layers >= LANDLOCK_MAX_NUM_LAYERS)
  			return ERR_PTR(-E2BIG);
  		num_layers = parent->num_layers + 1;
  	}

  	/* Creates a new domain... */
  	domain = create_ruleset(num_layers);
  	/*
  	 * NOTE(review): the cleanup handler still runs on this error pointer
  	 * when the scope is left; this presumably relies on the handler
  	 * (defined outside this file) ignoring ERR_PTR values - confirm.
  	 */
  	if (IS_ERR(domain))
  		return domain;

  	domain->hierarchy =
  		kzalloc_obj(*domain->hierarchy, GFP_KERNEL_ACCOUNT);
  	if (!domain->hierarchy)
  		return ERR_PTR(-ENOMEM);
  	refcount_set(&domain->hierarchy->usage, 1);

  	/* ...as a child of @parent... */
  	err = inherit_ruleset(parent, domain);

  	/* ...and including @ruleset. */
  	if (!err)
  		err = merge_ruleset(domain, ruleset);
  	if (!err)
  		err = landlock_init_hierarchy_log(domain->hierarchy);
  	if (err)
  		return ERR_PTR(err);

  	/* Success: ownership moves to the caller, the cleanup is disarmed. */
  	return no_free_ptr(domain);
  }
  /*
   * Looks up the rule of @ruleset whose key and key type match @id.
   *
   * Returns the rule, or NULL if there is none or if the key type is unknown.
   * The returned rule has the same lifetime as @ruleset: no reference is taken
   * on it here.
   *
   * NOTE(review): the tree is walked without taking @ruleset->lock in this
   * function; presumably callers only look up rulesets that can no longer
   * change - confirm against the callers.
   */
  const struct landlock_rule *
  landlock_find_rule(const struct landlock_ruleset *const ruleset,
  		   const struct landlock_id id)
  {
  	const struct rb_root *root;
  	const struct rb_node *cursor;

  	/* get_root() takes a non-const ruleset; the tree is only read here. */
  	root = get_root((struct landlock_ruleset *)ruleset, id.type);
  	if (IS_ERR(root))
  		return NULL;

  	for (cursor = root->rb_node; cursor;) {
  		struct landlock_rule *candidate =
  			rb_entry(cursor, struct landlock_rule, node);

  		if (candidate->key.data == id.key.data)
  			return candidate;

  		cursor = (candidate->key.data < id.key.data) ?
  				 cursor->rb_right :
  				 cursor->rb_left;
  	}
  	return NULL;
  }
  /**
   * landlock_unmask_layers - Remove the access rights in @masks
   *                          which are granted in @rule
   *
   * @rule: A rule that grants a set of access rights for each layer
   * @masks: A matrix of unfulfilled access rights for each layer
   *
   * Updates the set of (per-layer) unfulfilled access rights @masks
   * so that all the access rights granted in @rule are removed from it
   * (because they are now fulfilled).
   *
   * A NULL @masks means there is nothing left to fulfill (allowed); a NULL
   * @rule grants nothing (denied).
   *
   * Returns true if the request is allowed (i.e. the access rights granted all
   * remaining unfulfilled access rights and masks has no leftover set bits).
   */
  bool landlock_unmask_layers(const struct landlock_rule *const rule,
  			    struct layer_access_masks *masks)
  {
  	size_t idx;

  	if (!masks)
  		return true;
  	if (!rule)
  		return false;

  	/*
  	 * An access is granted if, for each policy layer, at least one rule
  	 * encountered on the pathwalk grants the requested access,
  	 * regardless of its position in the layer stack.  We must then check
  	 * the remaining layers for each inode, from the first added layer to
  	 * the last one.  When there are multiple requested accesses, for each
  	 * policy layer, the full set of requested accesses may not be granted
  	 * by only one rule, but by the union (binary OR) of multiple rules.
  	 * E.g. /a/b <execute> + /a <read> => /a/b <execute + read>
  	 */
  	for (idx = 0; idx < rule->num_layers; idx++) {
  		const struct landlock_layer *const granted = &rule->layers[idx];

  		/*
  		 * Clear the bits where the layer in the rule grants access.
  		 *
  		 * NOTE(review): the index is level - 1 with no range check
  		 * here, so this assumes @rule comes from a domain, where every
  		 * level is at least 1 and at most ARRAY_SIZE(masks->access).
  		 * A level of 0 (a rule of a ruleset not yet merged into a
  		 * domain) would index before the array - confirm callers.
  		 */
  		masks->access[granted->level - 1] &= ~granted->access;
  	}

  	/* Any bit still set is an access right that some layer did not grant. */
  	for (idx = 0; idx < ARRAY_SIZE(masks->access); idx++) {
  		if (masks->access[idx])
  			return false;
  	}
  	return true;
  }
  /*
   * Type of the per-key-type getters that landlock_init_layer_masks() selects
   * from: given a ruleset and a layer index, return the access mask handled at
   * that layer.
   */
  typedef access_mask_t
  get_access_mask_t(const struct landlock_ruleset *const ruleset,
  		  const u16 layer_level);
  /**
   * landlock_init_layer_masks - Initialize layer masks from an access request
   *
   * @domain: The domain that defines the current restrictions.
   * @access_request: The requested access rights to check.
   * @masks: Layer access masks to populate.
   * @key_type: The key type to switch between access masks of different types.
   *
   * Populates @masks such that for each access right in @access_request,
   * the bits for all the layers are set where this access right is handled.
   * Slots beyond the layers of @domain are cleared.
   *
   * @masks is left untouched on the two early-return paths (unknown @key_type
   * and empty @access_request), so callers must not use it when 0 is returned
   * for one of these reasons.
   *
   * Returns: An access mask where each access right bit is set which is handled
   * in any of the active layers in @domain.
   */
  access_mask_t
  landlock_init_layer_masks(const struct landlock_ruleset *const domain,
  			  const access_mask_t access_request,
  			  struct layer_access_masks *const masks,
  			  const enum landlock_key_type key_type)
  {
  	get_access_mask_t *get_access_mask;
  	access_mask_t handled_accesses = 0;
  	size_t layer;

  	switch (key_type) {
  	case LANDLOCK_KEY_INODE:
  		get_access_mask = landlock_get_fs_access_mask;
  		break;
  #if IS_ENABLED(CONFIG_INET)
  	case LANDLOCK_KEY_NET_PORT:
  		get_access_mask = landlock_get_net_access_mask;
  		break;
  #endif /* IS_ENABLED(CONFIG_INET) */
  	default:
  		WARN_ON_ONCE(1);
  		return 0;
  	}

  	/* An empty access request can happen because of O_WRONLY | O_RDWR. */
  	if (!access_request)
  		return 0;

  	/*
  	 * NOTE(review): this loop is bounded by domain->num_layers only.  It
  	 * presumably relies on ARRAY_SIZE(masks->access) being at least
  	 * LANDLOCK_MAX_NUM_LAYERS, the limit enforced when a domain is built -
  	 * confirm against the definition of struct layer_access_masks.
  	 */
  	for (layer = 0; layer < domain->num_layers; layer++) {
  		masks->access[layer] =
  			access_request & get_access_mask(domain, layer);
  		handled_accesses |= masks->access[layer];
  	}

  	/* Clears the slots of the layers that @domain does not have. */
  	for (; layer < ARRAY_SIZE(masks->access); layer++)
  		masks->access[layer] = 0;

  	return handled_accesses;
  }