From 45f2a2926b2187d1b08132d2728af50785b007a7 Mon Sep 17 00:00:00 2001 From: =?utf8?q?G=C3=BCnther=20Noack?= Date: Fri, 6 Feb 2026 16:11:54 +0100 Subject: [PATCH] landlock: Add access_mask_subset() helper MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This helper function checks whether an access_mask_t has a subset of the bits enabled than another one. This expresses the intent a bit smoother in the code and does not cost us anything when it gets inlined. Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20260206151154.97915-4-gnoack3000@gmail.com [mic: Improve subject] Signed-off-by: Mickaël Salaün --- security/landlock/access.h | 7 +++++++ security/landlock/fs.c | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/security/landlock/access.h b/security/landlock/access.h index 7961c6630a2d7..bab403470a6c2 100644 --- a/security/landlock/access.h +++ b/security/landlock/access.h @@ -97,4 +97,11 @@ landlock_upgrade_handled_access_masks(struct access_masks access_masks) return access_masks; } +/* Checks the subset relation between access masks. */ +static inline bool access_mask_subset(access_mask_t subset, + access_mask_t superset) +{ + return (subset | superset) == superset; +} + #endif /* _SECURITY_LANDLOCK_ACCESS_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 8205673c8b1c4..aa8e7cddb929e 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -331,7 +331,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, /* Files only get access rights that make sense. */ if (!d_is_dir(path->dentry) && - (access_rights | ACCESS_FILE) != ACCESS_FILE) + !access_mask_subset(access_rights, ACCESS_FILE)) return -EINVAL; if (WARN_ON_ONCE(ruleset->num_layers != 1)) return -EINVAL; @@ -1704,7 +1704,7 @@ static int hook_file_open(struct file *const file) ARRAY_SIZE(layer_masks)); #endif /* CONFIG_AUDIT */ - if ((open_access_request & allowed_access) == open_access_request) + if (access_mask_subset(open_access_request, allowed_access)) return 0; /* Sets access to reflect the actual request. */ -- 2.47.3