security/landlock/ruleset.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Landlock LSM - Ruleset management
   4  *
   5  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
   6  * Copyright © 2018-2020 ANSSI
   7  */
   8
   9 #include <linux/bits.h>
  10 #include <linux/bug.h>
  11 #include <linux/cleanup.h>
  12 #include <linux/compiler_types.h>
  13 #include <linux/err.h>
  14 #include <linux/errno.h>
  15 #include <linux/kernel.h>
  16 #include <linux/lockdep.h>
  17 #include <linux/mutex.h>
  18 #include <linux/overflow.h>
  19 #include <linux/rbtree.h>
  20 #include <linux/refcount.h>
  21 #include <linux/slab.h>
  22 #include <linux/spinlock.h>
  23 #include <linux/workqueue.h>
  24
  25 #include "access.h"
  26 #include "limits.h"
  27 #include "object.h"
  28 #include "ruleset.h"
  29
  30 static struct landlock_ruleset *create_ruleset(const u32 num_layers)
  31 {
  32         struct landlock_ruleset *new_ruleset;
  33
  34         new_ruleset =
  35                 kzalloc(struct_size(new_ruleset, access_masks, num_layers),
  36                         GFP_KERNEL_ACCOUNT);
  37         if (!new_ruleset)
  38                 return ERR_PTR(-ENOMEM);
  39         refcount_set(&new_ruleset->usage, 1);
  40         mutex_init(&new_ruleset->lock);
  41         new_ruleset->root_inode = RB_ROOT;
  42
  43 #if IS_ENABLED(CONFIG_INET)
  44         new_ruleset->root_net_port = RB_ROOT;
  45 #endif /* IS_ENABLED(CONFIG_INET) */
  46
  47         new_ruleset->num_layers = num_layers;
  48         /*
  49          * hierarchy = NULL
  50          * num_rules = 0
  51          * access_masks[] = 0
  52          */
  53         return new_ruleset;
  54 }
  55
  56 struct landlock_ruleset *
  57 landlock_create_ruleset(const access_mask_t fs_access_mask,
  58                         const access_mask_t net_access_mask,
  59                         const access_mask_t scope_mask)
  60 {
  61         struct landlock_ruleset *new_ruleset;
  62
  63         /* Informs about useless ruleset. */
  64         if (!fs_access_mask && !net_access_mask && !scope_mask)
  65                 return ERR_PTR(-ENOMSG);
  66         new_ruleset = create_ruleset(1);
  67         if (IS_ERR(new_ruleset))
  68                 return new_ruleset;
  69         if (fs_access_mask)
  70                 landlock_add_fs_access_mask(new_ruleset, fs_access_mask, 0);
  71         if (net_access_mask)
  72                 landlock_add_net_access_mask(new_ruleset, net_access_mask, 0);
  73         if (scope_mask)
  74                 landlock_add_scope_mask(new_ruleset, scope_mask, 0);
  75         return new_ruleset;
  76 }
  77
  78 static void build_check_rule(void)
  79 {
  80         const struct landlock_rule rule = {
  81                 .num_layers = ~0,
  82         };
  83
  84         BUILD_BUG_ON(rule.num_layers < LANDLOCK_MAX_NUM_LAYERS);
  85 }
  86
  87 static bool is_object_pointer(const enum landlock_key_type key_type)
  88 {
  89         switch (key_type) {
  90         case LANDLOCK_KEY_INODE:
  91                 return true;
  92
  93 #if IS_ENABLED(CONFIG_INET)
  94         case LANDLOCK_KEY_NET_PORT:
  95                 return false;
  96 #endif /* IS_ENABLED(CONFIG_INET) */
  97
  98         default:
  99                 WARN_ON_ONCE(1);
 100                 return false;
 101         }
 102 }
 103
 104 static struct landlock_rule *
 105 create_rule(const struct landlock_id id,
 106             const struct landlock_layer (*const layers)[], const u32 num_layers,
 107             const struct landlock_layer *const new_layer)
 108 {
 109         struct landlock_rule *new_rule;
 110         u32 new_num_layers;
 111
 112         build_check_rule();
 113         if (new_layer) {
 114                 /* Should already be checked by landlock_merge_ruleset(). */
 115                 if (WARN_ON_ONCE(num_layers >= LANDLOCK_MAX_NUM_LAYERS))
 116                         return ERR_PTR(-E2BIG);
 117                 new_num_layers = num_layers + 1;
 118         } else {
 119                 new_num_layers = num_layers;
 120         }
 121         new_rule = kzalloc(struct_size(new_rule, layers, new_num_layers),
 122                            GFP_KERNEL_ACCOUNT);
 123         if (!new_rule)
 124                 return ERR_PTR(-ENOMEM);
 125         RB_CLEAR_NODE(&new_rule->node);
 126         if (is_object_pointer(id.type)) {
 127                 /* This should be catched by insert_rule(). */
 128                 WARN_ON_ONCE(!id.key.object);
 129                 landlock_get_object(id.key.object);
 130         }
 131
 132         new_rule->key = id.key;
 133         new_rule->num_layers = new_num_layers;
 134         /* Copies the original layer stack. */
 135         memcpy(new_rule->layers, layers,
 136                flex_array_size(new_rule, layers, num_layers));
 137         if (new_layer)
 138                 /* Adds a copy of @new_layer on the layer stack. */
 139                 new_rule->layers[new_rule->num_layers - 1] = *new_layer;
 140         return new_rule;
 141 }
 142
 143 static struct rb_root *get_root(struct landlock_ruleset *const ruleset,
 144                                 const enum landlock_key_type key_type)
 145 {
 146         switch (key_type) {
 147         case LANDLOCK_KEY_INODE:
 148                 return &ruleset->root_inode;
 149
 150 #if IS_ENABLED(CONFIG_INET)
 151         case LANDLOCK_KEY_NET_PORT:
 152                 return &ruleset->root_net_port;
 153 #endif /* IS_ENABLED(CONFIG_INET) */
 154
 155         default:
 156                 WARN_ON_ONCE(1);
 157                 return ERR_PTR(-EINVAL);
 158         }
 159 }
 160
 161 static void free_rule(struct landlock_rule *const rule,
 162                       const enum landlock_key_type key_type)
 163 {
 164         might_sleep();
 165         if (!rule)
 166                 return;
 167         if (is_object_pointer(key_type))
 168                 landlock_put_object(rule->key.object);
 169         kfree(rule);
 170 }
 171
 172 static void build_check_ruleset(void)
 173 {
 174         const struct landlock_ruleset ruleset = {
 175                 .num_rules = ~0,
 176                 .num_layers = ~0,
 177         };
 178
 179         BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES);
 180         BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS);
 181 }
 182
 183 /**
 184  * insert_rule - Create and insert a rule in a ruleset
 185  *
 186  * @ruleset: The ruleset to be updated.
 187  * @id: The ID to build the new rule with.  The underlying kernel object, if
 188  *      any, must be held by the caller.
 189  * @layers: One or multiple layers to be copied into the new rule.
 190  * @num_layers: The number of @layers entries.
 191  *
 192  * When user space requests to add a new rule to a ruleset, @layers only
 193  * contains one entry and this entry is not assigned to any level.  In this
 194  * case, the new rule will extend @ruleset, similarly to a boolean OR between
 195  * access rights.
 196  *
 197  * When merging a ruleset in a domain, or copying a domain, @layers will be
 198  * added to @ruleset as new constraints, similarly to a boolean AND between
 199  * access rights.
 200  */
 201 static int insert_rule(struct landlock_ruleset *const ruleset,
 202                        const struct landlock_id id,
 203                        const struct landlock_layer (*const layers)[],
 204                        const size_t num_layers)
 205 {
 206         struct rb_node **walker_node;
 207         struct rb_node *parent_node = NULL;
 208         struct landlock_rule *new_rule;
 209         struct rb_root *root;
 210
 211         might_sleep();
 212         lockdep_assert_held(&ruleset->lock);
 213         if (WARN_ON_ONCE(!layers))
 214                 return -ENOENT;
 215
 216         if (is_object_pointer(id.type) && WARN_ON_ONCE(!id.key.object))
 217                 return -ENOENT;
 218
 219         root = get_root(ruleset, id.type);
 220         if (IS_ERR(root))
 221                 return PTR_ERR(root);
 222
 223         walker_node = &root->rb_node;
 224         while (*walker_node) {
 225                 struct landlock_rule *const this =
 226                         rb_entry(*walker_node, struct landlock_rule, node);
 227
 228                 if (this->key.data != id.key.data) {
 229                         parent_node = *walker_node;
 230                         if (this->key.data < id.key.data)
 231                                 walker_node = &((*walker_node)->rb_right);
 232                         else
 233                                 walker_node = &((*walker_node)->rb_left);
 234                         continue;
 235                 }
 236
 237                 /* Only a single-level layer should match an existing rule. */
 238                 if (WARN_ON_ONCE(num_layers != 1))
 239                         return -EINVAL;
 240
 241                 /* If there is a matching rule, updates it. */
 242                 if ((*layers)[0].level == 0) {
 243                         /*
 244                          * Extends access rights when the request comes from
 245                          * landlock_add_rule(2), i.e. @ruleset is not a domain.
 246                          */
 247                         if (WARN_ON_ONCE(this->num_layers != 1))
 248                                 return -EINVAL;
 249                         if (WARN_ON_ONCE(this->layers[0].level != 0))
 250                                 return -EINVAL;
 251                         this->layers[0].access |= (*layers)[0].access;
 252                         return 0;
 253                 }
 254
 255                 if (WARN_ON_ONCE(this->layers[0].level == 0))
 256                         return -EINVAL;
 257
 258                 /*
 259                  * Intersects access rights when it is a merge between a
 260                  * ruleset and a domain.
 261                  */
 262                 new_rule = create_rule(id, &this->layers, this->num_layers,
 263                                        &(*layers)[0]);
 264                 if (IS_ERR(new_rule))
 265                         return PTR_ERR(new_rule);
 266                 rb_replace_node(&this->node, &new_rule->node, root);
 267                 free_rule(this, id.type);
 268                 return 0;
 269         }
 270
 271         /* There is no match for @id. */
 272         build_check_ruleset();
 273         if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES)
 274                 return -E2BIG;
 275         new_rule = create_rule(id, layers, num_layers, NULL);
 276         if (IS_ERR(new_rule))
 277                 return PTR_ERR(new_rule);
 278         rb_link_node(&new_rule->node, parent_node, walker_node);
 279         rb_insert_color(&new_rule->node, root);
 280         ruleset->num_rules++;
 281         return 0;
 282 }
 283
 284 static void build_check_layer(void)
 285 {
 286         const struct landlock_layer layer = {
 287                 .level = ~0,
 288                 .access = ~0,
 289         };
 290
 291         BUILD_BUG_ON(layer.level < LANDLOCK_MAX_NUM_LAYERS);
 292         BUILD_BUG_ON(layer.access < LANDLOCK_MASK_ACCESS_FS);
 293 }
 294
 295 /* @ruleset must be locked by the caller. */
 296 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
 297                          const struct landlock_id id,
 298                          const access_mask_t access)
 299 {
 300         struct landlock_layer layers[] = { {
 301                 .access = access,
 302                 /* When @level is zero, insert_rule() extends @ruleset. */
 303                 .level = 0,
 304         } };
 305
 306         build_check_layer();
 307         return insert_rule(ruleset, id, &layers, ARRAY_SIZE(layers));
 308 }
 309
 310 static void get_hierarchy(struct landlock_hierarchy *const hierarchy)
 311 {
 312         if (hierarchy)
 313                 refcount_inc(&hierarchy->usage);
 314 }
 315
 316 static void put_hierarchy(struct landlock_hierarchy *hierarchy)
 317 {
 318         while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) {
 319                 const struct landlock_hierarchy *const freeme = hierarchy;
 320
 321                 hierarchy = hierarchy->parent;
 322                 kfree(freeme);
 323         }
 324 }
 325
 326 static int merge_tree(struct landlock_ruleset *const dst,
 327                       struct landlock_ruleset *const src,
 328                       const enum landlock_key_type key_type)
 329 {
 330         struct landlock_rule *walker_rule, *next_rule;
 331         struct rb_root *src_root;
 332         int err = 0;
 333
 334         might_sleep();
 335         lockdep_assert_held(&dst->lock);
 336         lockdep_assert_held(&src->lock);
 337
 338         src_root = get_root(src, key_type);
 339         if (IS_ERR(src_root))
 340                 return PTR_ERR(src_root);
 341
 342         /* Merges the @src tree. */
 343         rbtree_postorder_for_each_entry_safe(walker_rule, next_rule, src_root,
 344                                              node) {
 345                 struct landlock_layer layers[] = { {
 346                         .level = dst->num_layers,
 347                 } };
 348                 const struct landlock_id id = {
 349                         .key = walker_rule->key,
 350                         .type = key_type,
 351                 };
 352
 353                 if (WARN_ON_ONCE(walker_rule->num_layers != 1))
 354                         return -EINVAL;
 355
 356                 if (WARN_ON_ONCE(walker_rule->layers[0].level != 0))
 357                         return -EINVAL;
 358
 359                 layers[0].access = walker_rule->layers[0].access;
 360
 361                 err = insert_rule(dst, id, &layers, ARRAY_SIZE(layers));
 362                 if (err)
 363                         return err;
 364         }
 365         return err;
 366 }
 367
 368 static int merge_ruleset(struct landlock_ruleset *const dst,
 369                          struct landlock_ruleset *const src)
 370 {
 371         int err = 0;
 372
 373         might_sleep();
 374         /* Should already be checked by landlock_merge_ruleset() */
 375         if (WARN_ON_ONCE(!src))
 376                 return 0;
 377         /* Only merge into a domain. */
 378         if (WARN_ON_ONCE(!dst || !dst->hierarchy))
 379                 return -EINVAL;
 380
 381         /* Locks @dst first because we are its only owner. */
 382         mutex_lock(&dst->lock);
 383         mutex_lock_nested(&src->lock, SINGLE_DEPTH_NESTING);
 384
 385         /* Stacks the new layer. */
 386         if (WARN_ON_ONCE(src->num_layers != 1 || dst->num_layers < 1)) {
 387                 err = -EINVAL;
 388                 goto out_unlock;
 389         }
 390         dst->access_masks[dst->num_layers - 1] =
 391                 landlock_upgrade_handled_access_masks(src->access_masks[0]);
 392
 393         /* Merges the @src inode tree. */
 394         err = merge_tree(dst, src, LANDLOCK_KEY_INODE);
 395         if (err)
 396                 goto out_unlock;
 397
 398 #if IS_ENABLED(CONFIG_INET)
 399         /* Merges the @src network port tree. */
 400         err = merge_tree(dst, src, LANDLOCK_KEY_NET_PORT);
 401         if (err)
 402                 goto out_unlock;
 403 #endif /* IS_ENABLED(CONFIG_INET) */
 404
 405 out_unlock:
 406         mutex_unlock(&src->lock);
 407         mutex_unlock(&dst->lock);
 408         return err;
 409 }
 410
 411 static int inherit_tree(struct landlock_ruleset *const parent,
 412                         struct landlock_ruleset *const child,
 413                         const enum landlock_key_type key_type)
 414 {
 415         struct landlock_rule *walker_rule, *next_rule;
 416         struct rb_root *parent_root;
 417         int err = 0;
 418
 419         might_sleep();
 420         lockdep_assert_held(&parent->lock);
 421         lockdep_assert_held(&child->lock);
 422
 423         parent_root = get_root(parent, key_type);
 424         if (IS_ERR(parent_root))
 425                 return PTR_ERR(parent_root);
 426
 427         /* Copies the @parent inode or network tree. */
 428         rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
 429                                              parent_root, node) {
 430                 const struct landlock_id id = {
 431                         .key = walker_rule->key,
 432                         .type = key_type,
 433                 };
 434
 435                 err = insert_rule(child, id, &walker_rule->layers,
 436                                   walker_rule->num_layers);
 437                 if (err)
 438                         return err;
 439         }
 440         return err;
 441 }
 442
 443 static int inherit_ruleset(struct landlock_ruleset *const parent,
 444                            struct landlock_ruleset *const child)
 445 {
 446         int err = 0;
 447
 448         might_sleep();
 449         if (!parent)
 450                 return 0;
 451
 452         /* Locks @child first because we are its only owner. */
 453         mutex_lock(&child->lock);
 454         mutex_lock_nested(&parent->lock, SINGLE_DEPTH_NESTING);
 455
 456         /* Copies the @parent inode tree. */
 457         err = inherit_tree(parent, child, LANDLOCK_KEY_INODE);
 458         if (err)
 459                 goto out_unlock;
 460
 461 #if IS_ENABLED(CONFIG_INET)
 462         /* Copies the @parent network port tree. */
 463         err = inherit_tree(parent, child, LANDLOCK_KEY_NET_PORT);
 464         if (err)
 465                 goto out_unlock;
 466 #endif /* IS_ENABLED(CONFIG_INET) */
 467
 468         if (WARN_ON_ONCE(child->num_layers <= parent->num_layers)) {
 469                 err = -EINVAL;
 470                 goto out_unlock;
 471         }
 472         /* Copies the parent layer stack and leaves a space for the new layer. */
 473         memcpy(child->access_masks, parent->access_masks,
 474                flex_array_size(parent, access_masks, parent->num_layers));
 475
 476         if (WARN_ON_ONCE(!parent->hierarchy)) {
 477                 err = -EINVAL;
 478                 goto out_unlock;
 479         }
 480         get_hierarchy(parent->hierarchy);
 481         child->hierarchy->parent = parent->hierarchy;
 482
 483 out_unlock:
 484         mutex_unlock(&parent->lock);
 485         mutex_unlock(&child->lock);
 486         return err;
 487 }
 488
 489 static void free_ruleset(struct landlock_ruleset *const ruleset)
 490 {
 491         struct landlock_rule *freeme, *next;
 492
 493         might_sleep();
 494         rbtree_postorder_for_each_entry_safe(freeme, next, &ruleset->root_inode,
 495                                              node)
 496                 free_rule(freeme, LANDLOCK_KEY_INODE);
 497
 498 #if IS_ENABLED(CONFIG_INET)
 499         rbtree_postorder_for_each_entry_safe(freeme, next,
 500                                              &ruleset->root_net_port, node)
 501                 free_rule(freeme, LANDLOCK_KEY_NET_PORT);
 502 #endif /* IS_ENABLED(CONFIG_INET) */
 503
 504         put_hierarchy(ruleset->hierarchy);
 505         kfree(ruleset);
 506 }
 507
 508 void landlock_put_ruleset(struct landlock_ruleset *const ruleset)
 509 {
 510         might_sleep();
 511         if (ruleset && refcount_dec_and_test(&ruleset->usage))
 512                 free_ruleset(ruleset);
 513 }
 514
 515 static void free_ruleset_work(struct work_struct *const work)
 516 {
 517         struct landlock_ruleset *ruleset;
 518
 519         ruleset = container_of(work, struct landlock_ruleset, work_free);
 520         free_ruleset(ruleset);
 521 }
 522
 523 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset)
 524 {
 525         if (ruleset && refcount_dec_and_test(&ruleset->usage)) {
 526                 INIT_WORK(&ruleset->work_free, free_ruleset_work);
 527                 schedule_work(&ruleset->work_free);
 528         }
 529 }
 530
 531 /**
 532  * landlock_merge_ruleset - Merge a ruleset with a domain
 533  *
 534  * @parent: Parent domain.
 535  * @ruleset: New ruleset to be merged.
 536  *
 537  * Returns the intersection of @parent and @ruleset, or returns @parent if
 538  * @ruleset is empty, or returns a duplicate of @ruleset if @parent is empty.
 539  */
 540 struct landlock_ruleset *
 541 landlock_merge_ruleset(struct landlock_ruleset *const parent,
 542                        struct landlock_ruleset *const ruleset)
 543 {
 544         struct landlock_ruleset *new_dom __free(landlock_put_ruleset) = NULL;
 545         u32 num_layers;
 546         int err;
 547
 548         might_sleep();
 549         if (WARN_ON_ONCE(!ruleset || parent == ruleset))
 550                 return ERR_PTR(-EINVAL);
 551
 552         if (parent) {
 553                 if (parent->num_layers >= LANDLOCK_MAX_NUM_LAYERS)
 554                         return ERR_PTR(-E2BIG);
 555                 num_layers = parent->num_layers + 1;
 556         } else {
 557                 num_layers = 1;
 558         }
 559
 560         /* Creates a new domain... */
 561         new_dom = create_ruleset(num_layers);
 562         if (IS_ERR(new_dom))
 563                 return new_dom;
 564
 565         new_dom->hierarchy =
 566                 kzalloc(sizeof(*new_dom->hierarchy), GFP_KERNEL_ACCOUNT);
 567         if (!new_dom->hierarchy)
 568                 return ERR_PTR(-ENOMEM);
 569
 570         refcount_set(&new_dom->hierarchy->usage, 1);
 571
 572         /* ...as a child of @parent... */
 573         err = inherit_ruleset(parent, new_dom);
 574         if (err)
 575                 return ERR_PTR(err);
 576
 577         /* ...and including @ruleset. */
 578         err = merge_ruleset(new_dom, ruleset);
 579         if (err)
 580                 return ERR_PTR(err);
 581
 582         return no_free_ptr(new_dom);
 583 }
 584
 585 /*
 586  * The returned access has the same lifetime as @ruleset.
 587  */
 588 const struct landlock_rule *
 589 landlock_find_rule(const struct landlock_ruleset *const ruleset,
 590                    const struct landlock_id id)
 591 {
 592         const struct rb_root *root;
 593         const struct rb_node *node;
 594
 595         root = get_root((struct landlock_ruleset *)ruleset, id.type);
 596         if (IS_ERR(root))
 597                 return NULL;
 598         node = root->rb_node;
 599
 600         while (node) {
 601                 struct landlock_rule *this =
 602                         rb_entry(node, struct landlock_rule, node);
 603
 604                 if (this->key.data == id.key.data)
 605                         return this;
 606                 if (this->key.data < id.key.data)
 607                         node = node->rb_right;
 608                 else
 609                         node = node->rb_left;
 610         }
 611         return NULL;
 612 }
 613
 614 /*
 615  * @layer_masks is read and may be updated according to the access request and
 616  * the matching rule.
 617  * @masks_array_size must be equal to ARRAY_SIZE(*layer_masks).
 618  *
 619  * Returns true if the request is allowed (i.e. relevant layer masks for the
 620  * request are empty).
 621  */
 622 bool landlock_unmask_layers(const struct landlock_rule *const rule,
 623                             const access_mask_t access_request,
 624                             layer_mask_t (*const layer_masks)[],
 625                             const size_t masks_array_size)
 626 {
 627         size_t layer_level;
 628
 629         if (!access_request || !layer_masks)
 630                 return true;
 631         if (!rule)
 632                 return false;
 633
 634         /*
 635          * An access is granted if, for each policy layer, at least one rule
 636          * encountered on the pathwalk grants the requested access,
 637          * regardless of its position in the layer stack.  We must then check
 638          * the remaining layers for each inode, from the first added layer to
 639          * the last one.  When there is multiple requested accesses, for each
 640          * policy layer, the full set of requested accesses may not be granted
 641          * by only one rule, but by the union (binary OR) of multiple rules.
 642          * E.g. /a/b <execute> + /a <read> => /a/b <execute + read>
 643          */
 644         for (layer_level = 0; layer_level < rule->num_layers; layer_level++) {
 645                 const struct landlock_layer *const layer =
 646                         &rule->layers[layer_level];
 647                 const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
 648                 const unsigned long access_req = access_request;
 649                 unsigned long access_bit;
 650                 bool is_empty;
 651
 652                 /*
 653                  * Records in @layer_masks which layer grants access to each
 654                  * requested access.
 655                  */
 656                 is_empty = true;
 657                 for_each_set_bit(access_bit, &access_req, masks_array_size) {
 658                         if (layer->access & BIT_ULL(access_bit))
 659                                 (*layer_masks)[access_bit] &= ~layer_bit;
 660                         is_empty = is_empty && !(*layer_masks)[access_bit];
 661                 }
 662                 if (is_empty)
 663                         return true;
 664         }
 665         return false;
 666 }
 667
 668 typedef access_mask_t
 669 get_access_mask_t(const struct landlock_ruleset *const ruleset,
 670                   const u16 layer_level);
 671
 672 /**
 673  * landlock_init_layer_masks - Initialize layer masks from an access request
 674  *
 675  * Populates @layer_masks such that for each access right in @access_request,
 676  * the bits for all the layers are set where this access right is handled.
 677  *
 678  * @domain: The domain that defines the current restrictions.
 679  * @access_request: The requested access rights to check.
 680  * @layer_masks: It must contain %LANDLOCK_NUM_ACCESS_FS or
 681  * %LANDLOCK_NUM_ACCESS_NET elements according to @key_type.
 682  * @key_type: The key type to switch between access masks of different types.
 683  *
 684  * Returns: An access mask where each access right bit is set which is handled
 685  * in any of the active layers in @domain.
 686  */
 687 access_mask_t
 688 landlock_init_layer_masks(const struct landlock_ruleset *const domain,
 689                           const access_mask_t access_request,
 690                           layer_mask_t (*const layer_masks)[],
 691                           const enum landlock_key_type key_type)
 692 {
 693         access_mask_t handled_accesses = 0;
 694         size_t layer_level, num_access;
 695         get_access_mask_t *get_access_mask;
 696
 697         switch (key_type) {
 698         case LANDLOCK_KEY_INODE:
 699                 get_access_mask = landlock_get_fs_access_mask;
 700                 num_access = LANDLOCK_NUM_ACCESS_FS;
 701                 break;
 702
 703 #if IS_ENABLED(CONFIG_INET)
 704         case LANDLOCK_KEY_NET_PORT:
 705                 get_access_mask = landlock_get_net_access_mask;
 706                 num_access = LANDLOCK_NUM_ACCESS_NET;
 707                 break;
 708 #endif /* IS_ENABLED(CONFIG_INET) */
 709
 710         default:
 711                 WARN_ON_ONCE(1);
 712                 return 0;
 713         }
 714
 715         memset(layer_masks, 0,
 716                array_size(sizeof((*layer_masks)[0]), num_access));
 717
 718         /* An empty access request can happen because of O_WRONLY | O_RDWR. */
 719         if (!access_request)
 720                 return 0;
 721
 722         /* Saves all handled accesses per layer. */
 723         for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
 724                 const unsigned long access_req = access_request;
 725                 const access_mask_t access_mask =
 726                         get_access_mask(domain, layer_level);
 727                 unsigned long access_bit;
 728
 729                 for_each_set_bit(access_bit, &access_req, num_access) {
 730                         if (BIT_ULL(access_bit) & access_mask) {
 731                                 (*layer_masks)[access_bit] |=
 732                                         BIT_ULL(layer_level);
 733                                 handled_accesses |= BIT_ULL(access_bit);
 734                         }
 735                 }
 736         }
 737         return handled_accesses;
 738 }