]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9adbe89)
landlock: Add access_mask_subset() helper
authorGünther Noack <gnoack3000@gmail.com>
Fri, 6 Feb 2026 15:11:54 +0000 (16:11 +0100)
committerMickaël Salaün <mic@digikod.net>
Tue, 10 Feb 2026 15:46:48 +0000 (16:46 +0100)
This helper function checks whether an access_mask_t has a subset of the
bits enabled than another one.  This expresses the intent a bit smoother
in the code and does not cost us anything when it gets inlined.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20260206151154.97915-4-gnoack3000@gmail.com
[mic: Improve subject]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
security/landlock/access.h patch | blob | blame | history
security/landlock/fs.c patch | blob | blame | history

diff --git a/security/landlock/access.h b/security/landlock/access.h
index 7961c6630a2d7f5c277eff42d49b9ebc1f561ee2..bab403470a6c2cbd0ffe95703a3c3199769b2868 100644 (file)
--- a/security/landlock/access.h
+++ b/security/landlock/access.h
@@ -97,4 +97,11 @@ landlock_upgrade_handled_access_masks(struct access_masks access_masks)
        return access_masks;
 }
 
+/* Checks the subset relation between access masks. */
+static inline bool access_mask_subset(access_mask_t subset,
+                                     access_mask_t superset)
+{
+       return (subset | superset) == superset;
+}
+
 #endif /* _SECURITY_LANDLOCK_ACCESS_H */
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 8205673c8b1c41fe52ee9cd1d87d80cce884c82d..aa8e7cddb929ea54095d22df5258904083570517 100644 (file)
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -331,7 +331,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
 
        /* Files only get access rights that make sense. */
        if (!d_is_dir(path->dentry) &&
-           (access_rights | ACCESS_FILE) != ACCESS_FILE)
+           !access_mask_subset(access_rights, ACCESS_FILE))
                return -EINVAL;
        if (WARN_ON_ONCE(ruleset->num_layers != 1))
                return -EINVAL;
@@ -1704,7 +1704,7 @@ static int hook_file_open(struct file *const file)
                ARRAY_SIZE(layer_masks));
 #endif /* CONFIG_AUDIT */
 
-       if ((open_access_request & allowed_access) == open_access_request)
+       if (access_mask_subset(open_access_request, allowed_access))
                return 0;
 
        /* Sets access to reflect the actual request. */
A mirror of Linus' kernel repository