superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

landlock: Prepare to use credential instead of domain for network 

This cosmetic change that is needed for audit support, specifically to
be able to filter according to cross-execution boundaries.

Optimize current_check_access_socket() to only handle the access
request.

Remove explicit domain->num_layers check which is now part of the
landlock_get_applicable_subject() call.

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-6-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
pull/1188/head
Mickaël Salaün 2025-03-20 20:06:54 +01:00
parent ae2483a260
commit 93f33f0cb2
No known key found for this signature in database
GPG Key ID: E5E3D0E88C82F6D2
1 changed files with 12 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
security/landlock/net.c
View File

@ -1,9 +1,9 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Landlock LSM - Network management and hooks
* Landlock - Network management and hooks
*
* Copyright © 2022-2023 Huawei Tech. Co., Ltd.
* Copyright © 2022-2023 Microsoft Corporation
* Copyright © 2022-2025 Microsoft Corporation
*/
#include <linux/in.h>
@ -39,10 +39,6 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
return err;
}
static const struct access_masks any_net = {
.net = ~0,
};
static int current_check_access_socket(struct socket *const sock,
struct sockaddr *const address,
const int addrlen,
@ -54,14 +50,14 @@ static int current_check_access_socket(struct socket *const sock,
struct landlock_id id = {
.type = LANDLOCK_KEY_NET_PORT,
};
const struct landlock_ruleset *const dom =
landlock_get_applicable_domain(landlock_get_current_domain(),
any_net);
const struct access_masks masks = {
.net = access_request,
};
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), masks, NULL);
if (!dom)
if (!subject)
return 0;
if (WARN_ON_ONCE(dom->num_layers < 1))
return -EACCES;
if (!sk_is_tcp(sock->sk))
return 0;
@ -145,9 +141,10 @@ static int current_check_access_socket(struct socket *const sock,
id.key.data = (__force uintptr_t)port;
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
rule = landlock_find_rule(dom, id);
access_request = landlock_init_layer_masks(
dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
rule = landlock_find_rule(subject->domain, id);
access_request = landlock_init_layer_masks(subject->domain,
access_request, &layer_masks,
LANDLOCK_KEY_NET_PORT);
if (landlock_unmask_layers(rule, access_request, &layer_masks,
ARRAY_SIZE(layer_masks)))
return 0;