landlock: Optimize scope enforcement
Do not walk through the domain hierarchy when the required scope is not supported by this domain. This is the same approach as for filesystem and network restrictions. Cc: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com> Cc: Tahera Fahimi <fahimitahera@gmail.com> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20241109110856.222842-4-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
This commit is contained in:
parent
8376226e5f
commit
03197e40a2
@ -204,12 +204,17 @@ static bool is_abstract_socket(struct sock *const sock)
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static const struct access_masks unix_scope = {
|
||||||
|
.scope = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
|
||||||
|
};
|
||||||
|
|
||||||
static int hook_unix_stream_connect(struct sock *const sock,
|
static int hook_unix_stream_connect(struct sock *const sock,
|
||||||
struct sock *const other,
|
struct sock *const other,
|
||||||
struct sock *const newsk)
|
struct sock *const newsk)
|
||||||
{
|
{
|
||||||
const struct landlock_ruleset *const dom =
|
const struct landlock_ruleset *const dom =
|
||||||
landlock_get_current_domain();
|
landlock_get_applicable_domain(landlock_get_current_domain(),
|
||||||
|
unix_scope);
|
||||||
|
|
||||||
/* Quick return for non-landlocked tasks. */
|
/* Quick return for non-landlocked tasks. */
|
||||||
if (!dom)
|
if (!dom)
|
||||||
@ -225,7 +230,8 @@ static int hook_unix_may_send(struct socket *const sock,
|
|||||||
struct socket *const other)
|
struct socket *const other)
|
||||||
{
|
{
|
||||||
const struct landlock_ruleset *const dom =
|
const struct landlock_ruleset *const dom =
|
||||||
landlock_get_current_domain();
|
landlock_get_applicable_domain(landlock_get_current_domain(),
|
||||||
|
unix_scope);
|
||||||
|
|
||||||
if (!dom)
|
if (!dom)
|
||||||
return 0;
|
return 0;
|
||||||
@ -243,6 +249,10 @@ static int hook_unix_may_send(struct socket *const sock,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static const struct access_masks signal_scope = {
|
||||||
|
.scope = LANDLOCK_SCOPE_SIGNAL,
|
||||||
|
};
|
||||||
|
|
||||||
static int hook_task_kill(struct task_struct *const p,
|
static int hook_task_kill(struct task_struct *const p,
|
||||||
struct kernel_siginfo *const info, const int sig,
|
struct kernel_siginfo *const info, const int sig,
|
||||||
const struct cred *const cred)
|
const struct cred *const cred)
|
||||||
@ -256,6 +266,7 @@ static int hook_task_kill(struct task_struct *const p,
|
|||||||
} else {
|
} else {
|
||||||
dom = landlock_get_current_domain();
|
dom = landlock_get_current_domain();
|
||||||
}
|
}
|
||||||
|
dom = landlock_get_applicable_domain(dom, signal_scope);
|
||||||
|
|
||||||
/* Quick return for non-landlocked tasks. */
|
/* Quick return for non-landlocked tasks. */
|
||||||
if (!dom)
|
if (!dom)
|
||||||
@ -279,7 +290,8 @@ static int hook_file_send_sigiotask(struct task_struct *tsk,
|
|||||||
|
|
||||||
/* Lock already held by send_sigio() and send_sigurg(). */
|
/* Lock already held by send_sigio() and send_sigurg(). */
|
||||||
lockdep_assert_held(&fown->lock);
|
lockdep_assert_held(&fown->lock);
|
||||||
dom = landlock_file(fown->file)->fown_domain;
|
dom = landlock_get_applicable_domain(
|
||||||
|
landlock_file(fown->file)->fown_domain, signal_scope);
|
||||||
|
|
||||||
/* Quick return for unowned socket. */
|
/* Quick return for unowned socket. */
|
||||||
if (!dom)
|
if (!dom)
|
||||||
|
Loading…
Reference in New Issue
Block a user