On 5/23/25 17:57, Mickaël Salaün wrote:
To be able to have useful traces, let's consolidate rule finding into
unmask checking. landlock_unmask_layers() now gets a landlock_rule_ref
instead of a rule pointer.
This enables us to not deal with Landlock rule pointers outside of
ruleset.c, to avoid two calls, and to get all required information
available to landlock_unmask_layers().
We could make struct landlock_rule private because it is now only used
in the ruleset.c file.
Cc: Günther Noack <gno...@google.com>
Signed-off-by: Mickaël Salaün <m...@digikod.net>
---
security/landlock/fs.c | 144 ++++++++++++++++++++++--------------
security/landlock/net.c | 6 +-
security/landlock/ruleset.c | 12 ++-
security/landlock/ruleset.h | 9 +--
4 files changed, 100 insertions(+), 71 deletions(-)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index f5087688190a..73a20a501c3c 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -356,30 +356,27 @@ int landlock_append_fs_rule(struct landlock_ruleset
*const ruleset,
/* Access-control management */
/*
- * The lifetime of the returned rule is tied to @domain.
- *
- * Returns NULL if no rule is found or if @dentry is negative.
+ * Returns true if an object is tied to @dentry, and updates @ref accordingly.
*/
-static const struct landlock_rule *
-find_rule(const struct landlock_ruleset *const domain,
- const struct dentry *const dentry)
+static bool find_rule_ref(const struct dentry *const dentry,
+ struct landlock_rule_ref *ref)
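Review bot: the replacement comment above find_rule_ref() drops two things the removed comment documented and that callers will rely on: what happens when @dentry is negative (the old text said NULL was returned in that case) and what lifetime the data behind @ref has (the old text tied it to @domain, which is no longer a parameter). Please say explicitly whether a negative @dentry yields false, whether @ref is left untouched when false is returned, and what the caller must hold for @ref to stay valid, for example "Returns false and leaves @ref untouched if @dentry is negative or has no Landlock object attached".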
I think a better name would be something like "get_rule_ref"? Since it's
not really _finding_ anything (like doing a search in an rbtree).
(If you take the rename suggestion, then it would be "get_rule_target")
[...]