From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<anton.sirazetdinov@huawei.com>
Subject: [PATCH v5 03/15] landlock: merge and inherit function refactoring
Date: Mon, 16 May 2022 23:20:26 +0800 [thread overview]
Message-ID: <20220516152038.39594-4-konstantin.meskhidze@huawei.com> (raw)
In-Reply-To: <20220516152038.39594-1-konstantin.meskhidze@huawei.com>
Merge_ruleset() and inherit_ruleset() functions were
refactored to support new rule types. This patch adds
tree_merge() and tree_copy() helpers. Each has
rule_type argument to choose a particular rb_tree
structure in a ruleset.
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
---
Changes since v3:
* Split commit.
* Refactoring functions:
-insert_rule.
-merge_ruleset.
-tree_merge.
-inherit_ruleset.
-tree_copy.
-free_rule.
Changes since v4:
* None
---
security/landlock/ruleset.c | 144 ++++++++++++++++++++++++------------
1 file changed, 98 insertions(+), 46 deletions(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index f079a2a320f1..4b4c9953bb32 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -112,12 +112,16 @@ static struct landlock_rule *create_rule(
return new_rule;
}
-static void free_rule(struct landlock_rule *const rule)
+static void free_rule(struct landlock_rule *const rule, const u16 rule_type)
{
might_sleep();
if (!rule)
return;
- landlock_put_object(rule->object.ptr);
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ landlock_put_object(rule->object.ptr);
+ break;
+ }
kfree(rule);
}
@@ -227,12 +231,12 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
new_rule = create_rule(object_ptr, 0, &this->layers,
this->num_layers,
&(*layers)[0]);
+ if (IS_ERR(new_rule))
+ return PTR_ERR(new_rule);
+ rb_replace_node(&this->node, &new_rule->node, &ruleset->root_inode);
+ free_rule(this, rule_type);
break;
}
- if (IS_ERR(new_rule))
- return PTR_ERR(new_rule);
- rb_replace_node(&this->node, &new_rule->node, &ruleset->root_inode);
- free_rule(this);
return 0;
}
@@ -243,13 +247,12 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
switch (rule_type) {
case LANDLOCK_RULE_PATH_BENEATH:
new_rule = create_rule(object_ptr, 0, layers, num_layers, NULL);
+ if (IS_ERR(new_rule))
+ return PTR_ERR(new_rule);
+ rb_link_node(&new_rule->node, parent_node, walker_node);
+ rb_insert_color(&new_rule->node, &ruleset->root_inode);
break;
}
- if (IS_ERR(new_rule))
- return PTR_ERR(new_rule);
- rb_link_node(&new_rule->node, parent_node, walker_node);
- rb_insert_color(&new_rule->node, &ruleset->root_inode);
- ruleset->num_rules++;
return 0;
}
@@ -298,10 +301,53 @@ static void put_hierarchy(struct landlock_hierarchy *hierarchy)
}
}
+static int tree_merge(struct landlock_ruleset *const src,
+ struct landlock_ruleset *const dst, u16 rule_type)
+{
+ struct landlock_rule *walker_rule, *next_rule;
+ struct rb_root *src_root;
+ int err = 0;
+
+ /* Choose rb_tree structure depending on a rule type */
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ src_root = &src->root_inode;
+ break;
+ default:
+ return -EINVAL;
+ }
+ /* Merges the @src tree. */
+ rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
+ src_root, node) {
+ struct landlock_layer layers[] = {{
+ .level = dst->num_layers,
+ }};
+
+ if (WARN_ON_ONCE(walker_rule->num_layers != 1)) {
+ err = -EINVAL;
+ return err;
+ }
+ if (WARN_ON_ONCE(walker_rule->layers[0].level != 0)) {
+ err = -EINVAL;
+ return err;
+ }
+ layers[0].access = walker_rule->layers[0].access;
+
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ err = insert_rule(dst, walker_rule->object.ptr, 0, rule_type,
+ &layers, ARRAY_SIZE(layers));
+ break;
+ }
+ if (err)
+ return err;
+ }
+ return err;
+}
+
static int merge_ruleset(struct landlock_ruleset *const dst,
struct landlock_ruleset *const src)
{
- struct landlock_rule *walker_rule, *next_rule;
int err = 0;
might_sleep();
@@ -323,29 +369,10 @@ static int merge_ruleset(struct landlock_ruleset *const dst,
}
dst->access_masks[dst->num_layers - 1] = src->access_masks[0];
- /* Merges the @src tree. */
- rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
- &src->root_inode, node) {
- struct landlock_layer layers[] = {{
- .level = dst->num_layers,
- } };
-
- if (WARN_ON_ONCE(walker_rule->num_layers != 1)) {
- err = -EINVAL;
- goto out_unlock;
- }
- if (WARN_ON_ONCE(walker_rule->layers[0].level != 0)) {
- err = -EINVAL;
- goto out_unlock;
- }
- layers[0].access = walker_rule->layers[0].access;
-
- err = insert_rule(dst, walker_rule->object.ptr, 0,
- LANDLOCK_RULE_PATH_BENEATH, &layers,
- ARRAY_SIZE(layers));
- if (err)
- goto out_unlock;
- }
+ /* Merges the @src inode tree. */
+ err = tree_merge(src, dst, LANDLOCK_RULE_PATH_BENEATH);
+ if (err)
+ goto out_unlock;
out_unlock:
mutex_unlock(&src->lock);
@@ -353,10 +380,40 @@ static int merge_ruleset(struct landlock_ruleset *const dst,
return err;
}
+static int tree_copy(struct landlock_ruleset *const parent,
+ struct landlock_ruleset *const child, u16 rule_type)
+{
+ struct landlock_rule *walker_rule, *next_rule;
+ struct rb_root *parent_root;
+ int err = 0;
+
+ /* Choose rb_tree structure depending on a rule type */
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ parent_root = &parent->root_inode;
+ break;
+ default:
+ return -EINVAL;
+ }
+ /* Copies the @parent inode tree. */
+ rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
+ parent_root, node) {
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ err = insert_rule(child, walker_rule->object.ptr, 0,
+ rule_type, &walker_rule->layers,
+ walker_rule->num_layers);
+ break;
+ }
+ if (err)
+ return err;
+ }
+ return err;
+}
+
static int inherit_ruleset(struct landlock_ruleset *const parent,
struct landlock_ruleset *const child)
{
- struct landlock_rule *walker_rule, *next_rule;
int err = 0;
might_sleep();
@@ -367,15 +424,10 @@ static int inherit_ruleset(struct landlock_ruleset *const parent,
mutex_lock(&child->lock);
mutex_lock_nested(&parent->lock, SINGLE_DEPTH_NESTING);
- /* Copies the @parent tree. */
- rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
- &parent->root_inode, node) {
- err = insert_rule(child, walker_rule->object.ptr, 0,
- LANDLOCK_RULE_PATH_BENEATH, &walker_rule->layers,
- walker_rule->num_layers);
- if (err)
- goto out_unlock;
- }
+ /* Copies the @parent inode tree. */
+ err = tree_copy(parent, child, LANDLOCK_RULE_PATH_BENEATH);
+ if (err)
+ goto out_unlock;
if (WARN_ON_ONCE(child->num_layers <= parent->num_layers)) {
err = -EINVAL;
@@ -405,7 +457,7 @@ static void free_ruleset(struct landlock_ruleset *const ruleset)
might_sleep();
rbtree_postorder_for_each_entry_safe(freeme, next, &ruleset->root_inode,
node)
- free_rule(freeme);
+ free_rule(freeme, LANDLOCK_RULE_PATH_BENEATH);
put_hierarchy(ruleset->hierarchy);
kfree(ruleset);
}
--
2.25.1
next prev parent reply other threads:[~2022-05-16 15:21 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 15:20 [PATCH v5 00/15] Network support for Landlock Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 01/15] landlock: access mask renaming Konstantin Meskhidze
2022-05-17 8:12 ` Mickaël Salaün
2022-05-18 9:16 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 02/15] landlock: landlock_find/insert_rule refactoring Konstantin Meskhidze
2022-05-16 15:20 ` Konstantin Meskhidze [this message]
2022-05-17 8:14 ` [PATCH v5 03/15] landlock: merge and inherit function refactoring Mickaël Salaün
2022-05-18 9:18 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 04/15] landlock: helper functions refactoring Konstantin Meskhidze
2022-05-16 17:14 ` Mickaël Salaün
2022-05-16 17:43 ` Konstantin Meskhidze
2022-05-16 18:28 ` Mickaël Salaün
2022-05-18 9:14 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 05/15] landlock: landlock_add_rule syscall refactoring Konstantin Meskhidze
2022-05-17 8:04 ` Mickaël Salaün
2022-05-17 8:10 ` Mickaël Salaün
2022-05-19 9:24 ` Konstantin Meskhidze
2022-05-19 9:23 ` Konstantin Meskhidze
2022-05-19 14:37 ` Mickaël Salaün
2022-05-24 8:35 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 06/15] landlock: user space API network support Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 07/15] landlock: add support network rules Konstantin Meskhidze
2022-05-17 8:27 ` Mickaël Salaün
2022-05-19 9:27 ` Konstantin Meskhidze
2022-05-19 14:42 ` Mickaël Salaün
2022-05-24 8:36 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 08/15] landlock: TCP network hooks implementation Konstantin Meskhidze
2022-05-17 8:51 ` Mickaël Salaün
2022-05-19 11:40 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 09/15] seltests/landlock: add tests for bind() hooks Konstantin Meskhidze
2022-05-16 21:11 ` Mickaël Salaün
2022-05-19 12:10 ` Konstantin Meskhidze
2022-05-19 14:29 ` Mickaël Salaün
2022-05-24 8:34 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 10/15] seltests/landlock: add tests for connect() hooks Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 11/15] seltests/landlock: connect() with AF_UNSPEC tests Konstantin Meskhidze
2022-05-17 8:55 ` Mickaël Salaün
2022-05-19 12:31 ` Konstantin Meskhidze
2022-05-19 15:00 ` Mickaël Salaün
2022-05-24 8:40 ` Konstantin Meskhidze
2022-05-19 15:02 ` Mickaël Salaün
2022-05-24 8:42 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 12/15] seltests/landlock: rules overlapping test Konstantin Meskhidze
2022-05-16 17:41 ` Mickaël Salaün
2022-05-19 12:24 ` Konstantin Meskhidze
2022-05-19 15:04 ` Mickaël Salaün
2022-05-24 8:55 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 13/15] seltests/landlock: ruleset expanding test Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 14/15] seltests/landlock: invalid user input data test Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 15/15] samples/landlock: adds network demo Konstantin Meskhidze
2022-05-17 9:19 ` Mickaël Salaün
2022-05-19 13:33 ` Konstantin Meskhidze
2022-05-19 15:09 ` Mickaël Salaün
2022-05-24 8:41 ` Konstantin Meskhidze
2022-05-20 10:48 ` [PATCH v5 00/15] Network support for Landlock - UDP discussion Mickaël Salaün
2022-05-25 9:41 ` Konstantin Meskhidze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220516152038.39594-4-konstantin.meskhidze@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=anton.sirazetdinov@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.