landlock: Clarify BUILD_BUG_ON check in scoping logic
authorGünther Noack <gnoack3000@gmail.com>
Fri, 27 Mar 2026 16:48:30 +0000 (17:48 +0100)
committerMickaël Salaün <mic@digikod.net>
Tue, 7 Apr 2026 16:51:07 +0000 (18:51 +0200)
The BUILD_BUG_ON check in domain_is_scoped() and
unmask_scoped_access() should check that the loop that counts down
client_layer finishes.  We therefore check that the numbers
LANDLOCK_MAX_NUM_LAYERS-1 and -1 are both representable by that
integer.  If they are representable, the numbers in between are
representable too, and the loop finishes.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20260327164838.38231-6-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>
security/landlock/fs.c
security/landlock/task.c

index fcf69b3d734d6b262316f7700918a1587fde2fdb..c1ecfe239032618f1983cb2a3f6072c6e334cc22 100644 (file)
@@ -1595,10 +1595,13 @@ static void unmask_scoped_access(const struct landlock_ruleset *const client,
                return;
 
        /*
-        * client_layer must be a signed integer with greater capacity
-        * than client->num_layers to ensure the following loop stops.
+        * client_layer must be able to represent all numbers from
+        * LANDLOCK_MAX_NUM_LAYERS - 1 to -1 for the loop below to terminate.
+        * (It must be large enough, and it must be signed.)
         */
-       BUILD_BUG_ON(sizeof(client_layer) > sizeof(client->num_layers));
+       BUILD_BUG_ON(!is_signed_type(typeof(client_layer)));
+       BUILD_BUG_ON(LANDLOCK_MAX_NUM_LAYERS - 1 >
+                    type_max(typeof(client_layer)));
 
        client_layer = client->num_layers - 1;
        client_walker = client->hierarchy;
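Review bot: The two new assertions bound the constant LANDLOCK_MAX_NUM_LAYERS, but the index is initialised from the runtime field in `client_layer = client->num_layers - 1;`, so whether that start value fits without truncation still depends on `client->num_layers <= LANDLOCK_MAX_NUM_LAYERS`, which nothing in this hunk states or checks. The removed assertion related client_layer to the type of num_layers directly; now that it no longer does, the comment should name the invariant, for example with an extra line `* This relies on client->num_layers <= LANDLOCK_MAX_NUM_LAYERS.` before the closing `*/`. Where that bound is enforced is not visible here (presumably where the ruleset's layers are built), so it is worth confirming and pointing to it from the comment. The same applies to the identical comment and checks in domain_is_scoped() in security/landlock/task.c. Both functions start and end outside their hunks, so the loop itself is not shown.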
index f2dbdebf2770a5e313391e276486da04528f4082..6d46042132ce12102924c18846240bdfe0bdc6b1 100644 (file)
@@ -191,10 +191,13 @@ static bool domain_is_scoped(const struct landlock_ruleset *const client,
        client_layer = client->num_layers - 1;
        client_walker = client->hierarchy;
        /*
-        * client_layer must be a signed integer with greater capacity
-        * than client->num_layers to ensure the following loop stops.
+        * client_layer must be able to represent all numbers from
+        * LANDLOCK_MAX_NUM_LAYERS - 1 to -1 for the loop below to terminate.
+        * (It must be large enough, and it must be signed.)
         */
-       BUILD_BUG_ON(sizeof(client_layer) > sizeof(client->num_layers));
+       BUILD_BUG_ON(!is_signed_type(typeof(client_layer)));
+       BUILD_BUG_ON(LANDLOCK_MAX_NUM_LAYERS - 1 >
+                    type_max(typeof(client_layer)));
 
        server_layer = server ? (server->num_layers - 1) : -1;
        server_walker = server ? server->hierarchy : NULL;