landlock: Minor comments improvements

This patch contains some small comment changes.  The first three
comments for ruleset.c, I sort of made along the way while working on /
trying to understand Landlock, and the one from ruleset.h was from the
hashtable patch but extracted here.  In fs.c, one comment which I found
would have been helpful to me when reading this.

Signed-off-by: Tingmao Wang <m@maowtm.org>
Link: https://lore.kernel.org/r/20250602134150.67189-1-m@maowtm.org
Link: https://lore.kernel.org/r/20297185fd71ffbb5ce4fec14b38e5444c719c96.1748379182.git.m@maowtm.org
[mic: Squash patches with updated description, cosmetic fixes]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index d9c12b993fa7dd7e27d4a6df509e69b29367fa62..97cb7ba4eea461cffd1d7be5f1f5feaf4da58b3c 100644 (file)
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -714,7 +714,8 @@ static void test_is_eacces_with_write(struct kunit *const test)
  * is_access_to_paths_allowed - Check accesses for requests with a common path
  *
  * @domain: Domain to check against.
- * @path: File hierarchy to walk through.
+ * @path: File hierarchy to walk through.  For refer checks, this would be
+ *     the common mountpoint.
  * @access_request_parent1: Accesses to check, once @layer_masks_parent1 is
  *     equal to @layer_masks_parent2 (if any).  This is tied to the unique
  *     requested path for most actions, or the source in case of a refer action

diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index ce7940efea516ced7dccc45744839f70e89dd011..dfcdc19ea2683f10d19303f89d59373f7b3cc633 100644 (file)
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -83,6 +83,10 @@ static void build_check_rule(void)
                .num_layers = ~0,
        };
 
+       /*
+        * Checks that .num_layers is large enough for at least
+        * LANDLOCK_MAX_NUM_LAYERS layers.
+        */
        BUILD_BUG_ON(rule.num_layers < LANDLOCK_MAX_NUM_LAYERS);
 }
 
@@ -290,6 +294,10 @@ static void build_check_layer(void)
                .access = ~0,
        };
 
+       /*
+        * Checks that .level and .access are large enough to contain their expected
+        * maximum values.
+        */
        BUILD_BUG_ON(layer.level < LANDLOCK_MAX_NUM_LAYERS);
        BUILD_BUG_ON(layer.access < LANDLOCK_MASK_ACCESS_FS);
 }
@@ -644,8 +652,8 @@ bool landlock_unmask_layers(const struct landlock_rule *const rule,
                bool is_empty;
 
                /*
-                * Records in @layer_masks which layer grants access to each
-                * requested access.
+                * Records in @layer_masks which layer grants access to each requested
+                * access: bit cleared if the related layer grants access.
                 */
                is_empty = true;
                for_each_set_bit(access_bit, &access_req, masks_array_size) {

diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 5da9a64f5af7d1ab5c4f1cfe98b84afc782bcdc4..1a78cba662b24829933778635b42e9e95598b0b1 100644 (file)
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -27,7 +27,7 @@ struct landlock_hierarchy;
  */
 struct landlock_layer {
        /**
-        * @level: Position of this layer in the layer stack.
+        * @level: Position of this layer in the layer stack.  Starts from 1.
         */
        u16 level;
        /**