]>
Commit | Line | Data |
---|---|---|
265885da MS |
1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* | |
3 | * Landlock LSM - System call implementations and user space interfaces | |
4 | * | |
5 | * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net> | |
6 | * Copyright © 2018-2020 ANSSI | |
7 | */ | |
8 | ||
9 | #include <asm/current.h> | |
10 | #include <linux/anon_inodes.h> | |
11 | #include <linux/build_bug.h> | |
12 | #include <linux/capability.h> | |
13 | #include <linux/compiler_types.h> | |
14 | #include <linux/dcache.h> | |
15 | #include <linux/err.h> | |
16 | #include <linux/errno.h> | |
17 | #include <linux/fs.h> | |
18 | #include <linux/limits.h> | |
19 | #include <linux/mount.h> | |
20 | #include <linux/path.h> | |
21 | #include <linux/sched.h> | |
22 | #include <linux/security.h> | |
23 | #include <linux/stddef.h> | |
24 | #include <linux/syscalls.h> | |
25 | #include <linux/types.h> | |
26 | #include <linux/uaccess.h> | |
27 | #include <uapi/linux/landlock.h> | |
28 | ||
29 | #include "cred.h" | |
30 | #include "fs.h" | |
31 | #include "limits.h" | |
fff69fb0 | 32 | #include "net.h" |
265885da MS |
33 | #include "ruleset.h" |
34 | #include "setup.h" | |
35 | ||
782191c7 MS |
36 | static bool is_initialized(void) |
37 | { | |
38 | if (likely(landlock_initialized)) | |
39 | return true; | |
40 | ||
41 | pr_warn_once( | |
42 | "Disabled but requested by user space. " | |
43 | "You should enable Landlock at boot time: " | |
44 | "https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration\n"); | |
45 | return false; | |
46 | } | |
47 | ||
265885da MS |
48 | /** |
49 | * copy_min_struct_from_user - Safe future-proof argument copying | |
50 | * | |
51 | * Extend copy_struct_from_user() to check for consistent user buffer. | |
52 | * | |
53 | * @dst: Kernel space pointer or NULL. | |
54 | * @ksize: Actual size of the data pointed to by @dst. | |
55 | * @ksize_min: Minimal required size to be copied. | |
56 | * @src: User space pointer or NULL. | |
57 | * @usize: (Alleged) size of the data pointed to by @src. | |
58 | */ | |
06a1c40a MS |
59 | static __always_inline int |
60 | copy_min_struct_from_user(void *const dst, const size_t ksize, | |
61 | const size_t ksize_min, const void __user *const src, | |
62 | const size_t usize) | |
265885da MS |
63 | { |
64 | /* Checks buffer inconsistencies. */ | |
65 | BUILD_BUG_ON(!dst); | |
66 | if (!src) | |
67 | return -EFAULT; | |
68 | ||
69 | /* Checks size ranges. */ | |
70 | BUILD_BUG_ON(ksize <= 0); | |
71 | BUILD_BUG_ON(ksize < ksize_min); | |
72 | if (usize < ksize_min) | |
73 | return -EINVAL; | |
74 | if (usize > PAGE_SIZE) | |
75 | return -E2BIG; | |
76 | ||
77 | /* Copies user buffer and fills with zeros. */ | |
78 | return copy_struct_from_user(dst, ksize, src, usize); | |
79 | } | |
80 | ||
81 | /* | |
82 | * This function only contains arithmetic operations with constants, leading to | |
83 | * BUILD_BUG_ON(). The related code is evaluated and checked at build time, | |
84 | * but it is then ignored thanks to compiler optimizations. | |
85 | */ | |
86 | static void build_check_abi(void) | |
87 | { | |
88 | struct landlock_ruleset_attr ruleset_attr; | |
89 | struct landlock_path_beneath_attr path_beneath_attr; | |
fff69fb0 KM |
90 | struct landlock_net_port_attr net_port_attr; |
91 | size_t ruleset_size, path_beneath_size, net_port_size; | |
265885da MS |
92 | |
93 | /* | |
94 | * For each user space ABI structures, first checks that there is no | |
95 | * hole in them, then checks that all architectures have the same | |
96 | * struct size. | |
97 | */ | |
98 | ruleset_size = sizeof(ruleset_attr.handled_access_fs); | |
fff69fb0 | 99 | ruleset_size += sizeof(ruleset_attr.handled_access_net); |
265885da | 100 | BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size); |
fff69fb0 | 101 | BUILD_BUG_ON(sizeof(ruleset_attr) != 16); |
265885da MS |
102 | |
103 | path_beneath_size = sizeof(path_beneath_attr.allowed_access); | |
104 | path_beneath_size += sizeof(path_beneath_attr.parent_fd); | |
105 | BUILD_BUG_ON(sizeof(path_beneath_attr) != path_beneath_size); | |
106 | BUILD_BUG_ON(sizeof(path_beneath_attr) != 12); | |
fff69fb0 KM |
107 | |
108 | net_port_size = sizeof(net_port_attr.allowed_access); | |
109 | net_port_size += sizeof(net_port_attr.port); | |
110 | BUILD_BUG_ON(sizeof(net_port_attr) != net_port_size); | |
111 | BUILD_BUG_ON(sizeof(net_port_attr) != 16); | |
265885da MS |
112 | } |
113 | ||
114 | /* Ruleset handling */ | |
115 | ||
116 | static int fop_ruleset_release(struct inode *const inode, | |
06a1c40a | 117 | struct file *const filp) |
265885da MS |
118 | { |
119 | struct landlock_ruleset *ruleset = filp->private_data; | |
120 | ||
121 | landlock_put_ruleset(ruleset); | |
122 | return 0; | |
123 | } | |
124 | ||
125 | static ssize_t fop_dummy_read(struct file *const filp, char __user *const buf, | |
06a1c40a | 126 | const size_t size, loff_t *const ppos) |
265885da MS |
127 | { |
128 | /* Dummy handler to enable FMODE_CAN_READ. */ | |
129 | return -EINVAL; | |
130 | } | |
131 | ||
132 | static ssize_t fop_dummy_write(struct file *const filp, | |
06a1c40a MS |
133 | const char __user *const buf, const size_t size, |
134 | loff_t *const ppos) | |
265885da MS |
135 | { |
136 | /* Dummy handler to enable FMODE_CAN_WRITE. */ | |
137 | return -EINVAL; | |
138 | } | |
139 | ||
140 | /* | |
141 | * A ruleset file descriptor enables to build a ruleset by adding (i.e. | |
142 | * writing) rule after rule, without relying on the task's context. This | |
143 | * reentrant design is also used in a read way to enforce the ruleset on the | |
144 | * current task. | |
145 | */ | |
146 | static const struct file_operations ruleset_fops = { | |
147 | .release = fop_ruleset_release, | |
148 | .read = fop_dummy_read, | |
149 | .write = fop_dummy_write, | |
150 | }; | |
151 | ||
b25f7415 | 152 | #define LANDLOCK_ABI_VERSION 5 |
3532b0b4 | 153 | |
265885da MS |
154 | /** |
155 | * sys_landlock_create_ruleset - Create a new ruleset | |
156 | * | |
157 | * @attr: Pointer to a &struct landlock_ruleset_attr identifying the scope of | |
158 | * the new ruleset. | |
159 | * @size: Size of the pointed &struct landlock_ruleset_attr (needed for | |
160 | * backward and forward compatibility). | |
3532b0b4 | 161 | * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION. |
265885da MS |
162 | * |
163 | * This system call enables to create a new Landlock ruleset, and returns the | |
164 | * related file descriptor on success. | |
165 | * | |
3532b0b4 MS |
166 | * If @flags is %LANDLOCK_CREATE_RULESET_VERSION and @attr is NULL and @size is |
167 | * 0, then the returned value is the highest supported Landlock ABI version | |
168 | * (starting at 1). | |
169 | * | |
265885da MS |
170 | * Possible returned errors are: |
171 | * | |
2fff00c8 MS |
172 | * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; |
173 | * - %EINVAL: unknown @flags, or unknown access, or too small @size; | |
174 | * - %E2BIG or %EFAULT: @attr or @size inconsistencies; | |
175 | * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs. | |
265885da MS |
176 | */ |
177 | SYSCALL_DEFINE3(landlock_create_ruleset, | |
178 | const struct landlock_ruleset_attr __user *const, attr, | |
179 | const size_t, size, const __u32, flags) | |
180 | { | |
181 | struct landlock_ruleset_attr ruleset_attr; | |
182 | struct landlock_ruleset *ruleset; | |
183 | int err, ruleset_fd; | |
184 | ||
185 | /* Build-time checks. */ | |
186 | build_check_abi(); | |
187 | ||
782191c7 | 188 | if (!is_initialized()) |
265885da MS |
189 | return -EOPNOTSUPP; |
190 | ||
3532b0b4 | 191 | if (flags) { |
06a1c40a MS |
192 | if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr && |
193 | !size) | |
3532b0b4 | 194 | return LANDLOCK_ABI_VERSION; |
265885da | 195 | return -EINVAL; |
3532b0b4 | 196 | } |
265885da MS |
197 | |
198 | /* Copies raw user space buffer. */ | |
199 | err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr), | |
06a1c40a MS |
200 | offsetofend(typeof(ruleset_attr), |
201 | handled_access_fs), | |
202 | attr, size); | |
265885da MS |
203 | if (err) |
204 | return err; | |
205 | ||
206 | /* Checks content (and 32-bits cast). */ | |
207 | if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) != | |
06a1c40a | 208 | LANDLOCK_MASK_ACCESS_FS) |
265885da MS |
209 | return -EINVAL; |
210 | ||
fff69fb0 KM |
211 | /* Checks network content (and 32-bits cast). */ |
212 | if ((ruleset_attr.handled_access_net | LANDLOCK_MASK_ACCESS_NET) != | |
213 | LANDLOCK_MASK_ACCESS_NET) | |
214 | return -EINVAL; | |
215 | ||
265885da | 216 | /* Checks arguments and transforms to kernel struct. */ |
fff69fb0 KM |
217 | ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs, |
218 | ruleset_attr.handled_access_net); | |
265885da MS |
219 | if (IS_ERR(ruleset)) |
220 | return PTR_ERR(ruleset); | |
221 | ||
222 | /* Creates anonymous FD referring to the ruleset. */ | |
aea0b9f2 | 223 | ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops, |
06a1c40a | 224 | ruleset, O_RDWR | O_CLOEXEC); |
265885da MS |
225 | if (ruleset_fd < 0) |
226 | landlock_put_ruleset(ruleset); | |
227 | return ruleset_fd; | |
228 | } | |
229 | ||
230 | /* | |
231 | * Returns an owned ruleset from a FD. It is thus needed to call | |
232 | * landlock_put_ruleset() on the return value. | |
233 | */ | |
234 | static struct landlock_ruleset *get_ruleset_from_fd(const int fd, | |
06a1c40a | 235 | const fmode_t mode) |
265885da MS |
236 | { |
237 | struct fd ruleset_f; | |
238 | struct landlock_ruleset *ruleset; | |
239 | ||
240 | ruleset_f = fdget(fd); | |
241 | if (!ruleset_f.file) | |
242 | return ERR_PTR(-EBADF); | |
243 | ||
244 | /* Checks FD type and access right. */ | |
245 | if (ruleset_f.file->f_op != &ruleset_fops) { | |
246 | ruleset = ERR_PTR(-EBADFD); | |
247 | goto out_fdput; | |
248 | } | |
249 | if (!(ruleset_f.file->f_mode & mode)) { | |
250 | ruleset = ERR_PTR(-EPERM); | |
251 | goto out_fdput; | |
252 | } | |
253 | ruleset = ruleset_f.file->private_data; | |
254 | if (WARN_ON_ONCE(ruleset->num_layers != 1)) { | |
255 | ruleset = ERR_PTR(-EINVAL); | |
256 | goto out_fdput; | |
257 | } | |
258 | landlock_get_ruleset(ruleset); | |
259 | ||
260 | out_fdput: | |
261 | fdput(ruleset_f); | |
262 | return ruleset; | |
263 | } | |
264 | ||
265 | /* Path handling */ | |
266 | ||
267 | /* | |
268 | * @path: Must call put_path(@path) after the call if it succeeded. | |
269 | */ | |
270 | static int get_path_from_fd(const s32 fd, struct path *const path) | |
271 | { | |
272 | struct fd f; | |
273 | int err = 0; | |
274 | ||
06a1c40a MS |
275 | BUILD_BUG_ON(!__same_type( |
276 | fd, ((struct landlock_path_beneath_attr *)NULL)->parent_fd)); | |
265885da MS |
277 | |
278 | /* Handles O_PATH. */ | |
279 | f = fdget_raw(fd); | |
280 | if (!f.file) | |
281 | return -EBADF; | |
282 | /* | |
283 | * Forbids ruleset FDs, internal filesystems (e.g. nsfs), including | |
284 | * pseudo filesystems that will never be mountable (e.g. sockfs, | |
285 | * pipefs). | |
286 | */ | |
287 | if ((f.file->f_op == &ruleset_fops) || | |
06a1c40a MS |
288 | (f.file->f_path.mnt->mnt_flags & MNT_INTERNAL) || |
289 | (f.file->f_path.dentry->d_sb->s_flags & SB_NOUSER) || | |
290 | d_is_negative(f.file->f_path.dentry) || | |
291 | IS_PRIVATE(d_backing_inode(f.file->f_path.dentry))) { | |
265885da MS |
292 | err = -EBADFD; |
293 | goto out_fdput; | |
294 | } | |
295 | *path = f.file->f_path; | |
296 | path_get(path); | |
297 | ||
298 | out_fdput: | |
299 | fdput(f); | |
300 | return err; | |
301 | } | |
302 | ||
0e0fc7e8 KM |
303 | static int add_rule_path_beneath(struct landlock_ruleset *const ruleset, |
304 | const void __user *const rule_attr) | |
305 | { | |
306 | struct landlock_path_beneath_attr path_beneath_attr; | |
307 | struct path path; | |
308 | int res, err; | |
309 | access_mask_t mask; | |
310 | ||
fff69fb0 | 311 | /* Copies raw user space buffer. */ |
0e0fc7e8 KM |
312 | res = copy_from_user(&path_beneath_attr, rule_attr, |
313 | sizeof(path_beneath_attr)); | |
314 | if (res) | |
315 | return -EFAULT; | |
316 | ||
317 | /* | |
318 | * Informs about useless rule: empty allowed_access (i.e. deny rules) | |
319 | * are ignored in path walks. | |
320 | */ | |
321 | if (!path_beneath_attr.allowed_access) | |
322 | return -ENOMSG; | |
323 | ||
324 | /* Checks that allowed_access matches the @ruleset constraints. */ | |
325 | mask = landlock_get_raw_fs_access_mask(ruleset, 0); | |
326 | if ((path_beneath_attr.allowed_access | mask) != mask) | |
327 | return -EINVAL; | |
328 | ||
329 | /* Gets and checks the new rule. */ | |
330 | err = get_path_from_fd(path_beneath_attr.parent_fd, &path); | |
331 | if (err) | |
332 | return err; | |
333 | ||
334 | /* Imports the new rule. */ | |
335 | err = landlock_append_fs_rule(ruleset, &path, | |
336 | path_beneath_attr.allowed_access); | |
337 | path_put(&path); | |
338 | return err; | |
339 | } | |
340 | ||
fff69fb0 KM |
341 | static int add_rule_net_port(struct landlock_ruleset *ruleset, |
342 | const void __user *const rule_attr) | |
343 | { | |
344 | struct landlock_net_port_attr net_port_attr; | |
345 | int res; | |
346 | access_mask_t mask; | |
347 | ||
348 | /* Copies raw user space buffer. */ | |
349 | res = copy_from_user(&net_port_attr, rule_attr, sizeof(net_port_attr)); | |
350 | if (res) | |
351 | return -EFAULT; | |
352 | ||
353 | /* | |
354 | * Informs about useless rule: empty allowed_access (i.e. deny rules) | |
355 | * are ignored by network actions. | |
356 | */ | |
357 | if (!net_port_attr.allowed_access) | |
358 | return -ENOMSG; | |
359 | ||
360 | /* Checks that allowed_access matches the @ruleset constraints. */ | |
361 | mask = landlock_get_net_access_mask(ruleset, 0); | |
362 | if ((net_port_attr.allowed_access | mask) != mask) | |
363 | return -EINVAL; | |
364 | ||
365 | /* Denies inserting a rule with port greater than 65535. */ | |
366 | if (net_port_attr.port > U16_MAX) | |
367 | return -EINVAL; | |
368 | ||
369 | /* Imports the new rule. */ | |
370 | return landlock_append_net_rule(ruleset, net_port_attr.port, | |
371 | net_port_attr.allowed_access); | |
372 | } | |
373 | ||
265885da MS |
374 | /** |
375 | * sys_landlock_add_rule - Add a new rule to a ruleset | |
376 | * | |
377 | * @ruleset_fd: File descriptor tied to the ruleset that should be extended | |
378 | * with the new rule. | |
fff69fb0 KM |
379 | * @rule_type: Identify the structure type pointed to by @rule_attr: |
380 | * %LANDLOCK_RULE_PATH_BENEATH or %LANDLOCK_RULE_NET_PORT. | |
265885da MS |
381 | * @rule_attr: Pointer to a rule (only of type &struct |
382 | * landlock_path_beneath_attr for now). | |
383 | * @flags: Must be 0. | |
384 | * | |
385 | * This system call enables to define a new rule and add it to an existing | |
386 | * ruleset. | |
387 | * | |
388 | * Possible returned errors are: | |
389 | * | |
2fff00c8 | 390 | * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; |
fff69fb0 KM |
391 | * - %EAFNOSUPPORT: @rule_type is %LANDLOCK_RULE_NET_PORT but TCP/IP is not |
392 | * supported by the running kernel; | |
2fff00c8 | 393 | * - %EINVAL: @flags is not 0, or inconsistent access in the rule (i.e. |
fff69fb0 KM |
394 | * &landlock_path_beneath_attr.allowed_access or |
395 | * &landlock_net_port_attr.allowed_access is not a subset of the | |
396 | * ruleset handled accesses), or &landlock_net_port_attr.port is | |
397 | * greater than 65535; | |
2fff00c8 MS |
398 | * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access); |
399 | * - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a | |
265885da | 400 | * member of @rule_attr is not a file descriptor as expected; |
2fff00c8 | 401 | * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of |
a13e248f | 402 | * @rule_attr is not the expected file descriptor type; |
2fff00c8 MS |
403 | * - %EPERM: @ruleset_fd has no write access to the underlying ruleset; |
404 | * - %EFAULT: @rule_attr inconsistency. | |
265885da | 405 | */ |
06a1c40a MS |
406 | SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, |
407 | const enum landlock_rule_type, rule_type, | |
265885da MS |
408 | const void __user *const, rule_attr, const __u32, flags) |
409 | { | |
265885da | 410 | struct landlock_ruleset *ruleset; |
0e0fc7e8 | 411 | int err; |
265885da | 412 | |
782191c7 | 413 | if (!is_initialized()) |
265885da MS |
414 | return -EOPNOTSUPP; |
415 | ||
416 | /* No flag for now. */ | |
417 | if (flags) | |
418 | return -EINVAL; | |
419 | ||
265885da MS |
420 | /* Gets and checks the ruleset. */ |
421 | ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE); | |
422 | if (IS_ERR(ruleset)) | |
423 | return PTR_ERR(ruleset); | |
424 | ||
0e0fc7e8 KM |
425 | switch (rule_type) { |
426 | case LANDLOCK_RULE_PATH_BENEATH: | |
427 | err = add_rule_path_beneath(ruleset, rule_attr); | |
428 | break; | |
fff69fb0 KM |
429 | case LANDLOCK_RULE_NET_PORT: |
430 | err = add_rule_net_port(ruleset, rule_attr); | |
431 | break; | |
0e0fc7e8 | 432 | default: |
265885da | 433 | err = -EINVAL; |
0e0fc7e8 | 434 | break; |
265885da | 435 | } |
265885da MS |
436 | landlock_put_ruleset(ruleset); |
437 | return err; | |
438 | } | |
439 | ||
440 | /* Enforcement */ | |
441 | ||
442 | /** | |
443 | * sys_landlock_restrict_self - Enforce a ruleset on the calling thread | |
444 | * | |
445 | * @ruleset_fd: File descriptor tied to the ruleset to merge with the target. | |
446 | * @flags: Must be 0. | |
447 | * | |
448 | * This system call enables to enforce a Landlock ruleset on the current | |
2fff00c8 | 449 | * thread. Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its |
265885da MS |
450 | * namespace or is running with no_new_privs. This avoids scenarios where |
451 | * unprivileged tasks can affect the behavior of privileged children. | |
452 | * | |
453 | * Possible returned errors are: | |
454 | * | |
2fff00c8 MS |
455 | * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; |
456 | * - %EINVAL: @flags is not 0. | |
457 | * - %EBADF: @ruleset_fd is not a file descriptor for the current thread; | |
458 | * - %EBADFD: @ruleset_fd is not a ruleset file descriptor; | |
459 | * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the | |
265885da | 460 | * current thread is not running with no_new_privs, or it doesn't have |
2fff00c8 MS |
461 | * %CAP_SYS_ADMIN in its namespace. |
462 | * - %E2BIG: The maximum number of stacked rulesets is reached for the current | |
265885da MS |
463 | * thread. |
464 | */ | |
06a1c40a MS |
465 | SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, |
466 | flags) | |
265885da MS |
467 | { |
468 | struct landlock_ruleset *new_dom, *ruleset; | |
469 | struct cred *new_cred; | |
470 | struct landlock_cred_security *new_llcred; | |
471 | int err; | |
472 | ||
782191c7 | 473 | if (!is_initialized()) |
265885da MS |
474 | return -EOPNOTSUPP; |
475 | ||
265885da MS |
476 | /* |
477 | * Similar checks as for seccomp(2), except that an -EPERM may be | |
478 | * returned. | |
479 | */ | |
480 | if (!task_no_new_privs(current) && | |
06a1c40a | 481 | !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) |
265885da MS |
482 | return -EPERM; |
483 | ||
eba39ca4 MS |
484 | /* No flag for now. */ |
485 | if (flags) | |
486 | return -EINVAL; | |
487 | ||
265885da MS |
488 | /* Gets and checks the ruleset. */ |
489 | ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); | |
490 | if (IS_ERR(ruleset)) | |
491 | return PTR_ERR(ruleset); | |
492 | ||
493 | /* Prepares new credentials. */ | |
494 | new_cred = prepare_creds(); | |
495 | if (!new_cred) { | |
496 | err = -ENOMEM; | |
497 | goto out_put_ruleset; | |
498 | } | |
499 | new_llcred = landlock_cred(new_cred); | |
500 | ||
501 | /* | |
502 | * There is no possible race condition while copying and manipulating | |
503 | * the current credentials because they are dedicated per thread. | |
504 | */ | |
505 | new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset); | |
506 | if (IS_ERR(new_dom)) { | |
507 | err = PTR_ERR(new_dom); | |
508 | goto out_put_creds; | |
509 | } | |
510 | ||
511 | /* Replaces the old (prepared) domain. */ | |
512 | landlock_put_ruleset(new_llcred->domain); | |
513 | new_llcred->domain = new_dom; | |
514 | ||
515 | landlock_put_ruleset(ruleset); | |
516 | return commit_creds(new_cred); | |
517 | ||
518 | out_put_creds: | |
519 | abort_creds(new_cred); | |
520 | ||
521 | out_put_ruleset: | |
522 | landlock_put_ruleset(ruleset); | |
523 | return err; | |
524 | } |