This cosmetic change is needed for audit support, specifically to
be able to filter according to cross-execution boundaries.

Optimize current_check_access_socket() to only handle the access
request.

Remove explicit domain->num_layers check which is now part of the
landlock_get_applicable_subject() call.

Cc: Günther Noack <gno...@google.com>
Signed-off-by: Mickaël Salaün <m...@digikod.net>
---

Changes since v4:
- New patch.
---
 security/landlock/net.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/security/landlock/net.c b/security/landlock/net.c
index 104b6c01fe50..6fb3e60bc5ff 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -39,10 +39,6 @@ int landlock_append_net_rule(struct landlock_ruleset *const 
ruleset,
        return err;
 }
 
-static const struct access_masks any_net = {
-       .net = ~0,
-};
-
 static int current_check_access_socket(struct socket *const sock,
                                       struct sockaddr *const address,
                                       const int addrlen,
@@ -54,14 +50,14 @@ static int current_check_access_socket(struct socket *const 
sock,
        struct landlock_id id = {
                .type = LANDLOCK_KEY_NET_PORT,
        };
-       const struct landlock_ruleset *const dom =
-               landlock_get_applicable_domain(landlock_get_current_domain(),
-                                              any_net);
+       const struct access_masks masks = {
+               .net = access_request,
+       };
+       const struct landlock_cred_security *const subject =
+               landlock_get_applicable_subject(current_cred(), masks, NULL);
 
-       if (!dom)
+       if (!subject)
                return 0;
-       if (WARN_ON_ONCE(dom->num_layers < 1))
-               return -EACCES;
 
        if (!sk_is_tcp(sock->sk))
                return 0;
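Review bot: With the `WARN_ON_ONCE(dom->num_layers < 1)` guard removed, the later dereferences of `subject->domain` (the `landlock_find_rule()` and `landlock_init_layer_masks()` calls in the next hunk) rely on a non-NULL `subject` implying a non-NULL domain with at least one layer handling `access_request`, and that invariant now lives in `landlock_get_applicable_subject()` rather than in this function. A one-line comment above `if (!subject)` such as `/* NULL if there is no domain or no layer handles access_request; otherwise subject->domain is set. */` would make the contract visible to readers of this function. The third argument to `landlock_get_applicable_subject()` is passed as NULL; if it is an optional out-parameter, a short note that the handling layer is not needed here would also help. current_check_access_socket() starts before this hunk and continues after it.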
@@ -145,9 +141,10 @@ static int current_check_access_socket(struct socket 
*const sock,
        id.key.data = (__force uintptr_t)port;
        BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
 
-       rule = landlock_find_rule(dom, id);
-       access_request = landlock_init_layer_masks(
-               dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
+       rule = landlock_find_rule(subject->domain, id);
+       access_request = landlock_init_layer_masks(subject->domain,
+                                                  access_request, &layer_masks,
+                                                  LANDLOCK_KEY_NET_PORT);
        if (landlock_unmask_layers(rule, access_request, &layer_masks,
                                   ARRAY_SIZE(layer_masks)))
                return 0;
-- 
2.49.0

