Lines Matching defs:ruleset

25 #include "ruleset.h"
53 /* Informs about useless ruleset. */
/*
 * Compile-time sanity checks on a constant ruleset instance: the build fails
 * if its num_rules or num_layers value is below the matching LANDLOCK_MAX_*
 * limit. The initializer is not among the matched lines; presumably it sets
 * the counters to their maximum representable value, so these checks verify
 * that the fields are wide enough to reach the limits -- confirm in the full
 * file.
 */
116 const struct landlock_ruleset ruleset = {
120 typeof(ruleset.fs_access_masks[0]) fs_access_mask = ~0;
122 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES);
123 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS);
128 * insert_rule - Create and insert a rule in a ruleset
130 * @ruleset: The ruleset to be updated.
136 * When user space requests to add a new rule to a ruleset, @layers only
138 * case, the new rule will extend @ruleset, similarly to a boolean OR between
141 * When merging a ruleset in a domain, or copying a domain, @layers will be
142 * added to @ruleset as new constraints, similarly to a boolean AND between
145 static int insert_rule(struct landlock_ruleset *const ruleset,
/*
 * Lockdep assertion that the caller already holds ruleset->lock. The rule
 * tree and num_rules are modified further down, so every caller has to
 * serialize on this lock.
 */
155 lockdep_assert_held(&ruleset->lock);
158 walker_node = &(ruleset->root.rb_node);
180 * landlock_add_rule(2), i.e. @ruleset is not a domain.
195 * ruleset and a domain.
201 rb_replace_node(&this->node, &new_rule->node, &ruleset->root);
/*
 * Enforce the per-ruleset rule limit before a new node is linked. The
 * statement guarded by this check is not among the matched lines
 * (presumably an error return).
 */
208 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES)
/*
 * Rebalance the tree for the newly linked node and account for it. Among
 * the matched lines this is the only place num_rules is incremented; the
 * rb_replace_node() path above swaps an existing node and leaves the count
 * unchanged.
 */
214 rb_insert_color(&new_rule->node, &ruleset->root);
215 ruleset->num_rules++;
230 /* @ruleset must be locked by the caller. */
231 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
237 /* When @level is zero, insert_rule() extends @ruleset. */
/*
 * Hands the locally built layers array (its declaration is not among the
 * matched lines) to insert_rule(), which checks the locking requirement
 * stated above with lockdep_assert_held(&ruleset->lock).
 */
242 return insert_rule(ruleset, object, &layers, ARRAY_SIZE(layers));
/*
 * Tears down a ruleset: walks the rule tree with the removal-safe post-order
 * iterator (the loop body is not among the matched lines), drops the
 * reference on the hierarchy, then frees the ruleset itself. In the matched
 * lines it is only reached after refcount_dec_and_test() on ->usage has
 * succeeded, either directly or through the deferred work item.
 */
359 static void free_ruleset(struct landlock_ruleset *const ruleset)
364 rbtree_postorder_for_each_entry_safe(freeme, next, &ruleset->root, node)
366 put_hierarchy(ruleset->hierarchy);
367 kfree(ruleset);
/*
 * Drops one reference on @ruleset; a NULL pointer is accepted and ignored.
 * When this was the last reference, the ruleset is freed synchronously in
 * the caller's context, so the caller must not touch @ruleset afterwards.
 */
370 void landlock_put_ruleset(struct landlock_ruleset *const ruleset)
373 if (ruleset && refcount_dec_and_test(&ruleset->usage))
374 free_ruleset(ruleset);
/*
 * Work callback body (presumably free_ruleset_work(), the handler registered
 * with INIT_WORK() in this listing; its signature is not among the matched
 * lines): recovers the ruleset that embeds the work_free item and frees it.
 */
379 struct landlock_ruleset *ruleset;
381 ruleset = container_of(work, struct landlock_ruleset, work_free);
382 free_ruleset(ruleset);
/*
 * Same reference drop as landlock_put_ruleset(), including the NULL check,
 * but the final free is queued on the work_free item and runs later from
 * free_ruleset_work() instead of in the caller's context. Presumably meant
 * for callers that cannot free in place (e.g. must not sleep) -- confirm
 * against the call sites.
 */
385 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset)
387 if (ruleset && refcount_dec_and_test(&ruleset->usage)) {
388 INIT_WORK(&ruleset->work_free, free_ruleset_work);
389 schedule_work(&ruleset->work_free);
394 * landlock_merge_ruleset - Merge a ruleset with a domain
397 * @ruleset: New ruleset to be merged.
399 * Returns the intersection of @parent and @ruleset, or returns @parent if
400 * @ruleset is empty, or returns a duplicate of @ruleset if @parent is empty.
404 struct landlock_ruleset *const ruleset)
/*
 * Sanity check: a NULL @ruleset, or merging a ruleset with itself, is
 * treated as a caller bug and warned about once. The statement taken when
 * the check fires is not among the matched lines.
 */
411 if (WARN_ON_ONCE(!ruleset || parent == ruleset))
439 /* ...and including @ruleset. */
440 err = merge_ruleset(new_dom, ruleset);
452 * The returned access has the same lifetime as @ruleset.
455 landlock_find_rule(const struct landlock_ruleset *const ruleset,
/*
 * The lookup starts from the root of the rule tree. @ruleset is
 * const-qualified in the signature, and no lock assertion on it appears
 * among the matched lines, so the result is only valid for as long as the
 * caller keeps @ruleset alive, per the lifetime note above.
 */
462 node = ruleset->root.rb_node;