Diffstat (limited to 'security/landlock/ruleset.h')
-rw-r--r-- | security/landlock/ruleset.h | 24 |
1 files changed, 9 insertions, 15 deletions
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index c7f1526784fd..0f1b5b4c8f6b 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -39,10 +39,10 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
 /* Ruleset access masks. */
-typedef u32 access_masks_t;
-/* Makes sure all ruleset access rights can be stored. */
-static_assert(BITS_PER_TYPE(access_masks_t) >=
- LANDLOCK_NUM_ACCESS_FS + LANDLOCK_NUM_ACCESS_NET);
+struct access_masks {
+ access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
+ access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
+};
 typedef u16 layer_mask_t;
 /* Makes sure all layers can be checked. */
@@ -226,7 +226,7 @@ struct landlock_ruleset {
 * layers are set once and never changed for the
 * lifetime of the ruleset.
 */
- access_masks_t access_masks[];
+ struct access_masks access_masks[];
 };
 };
 };
@@ -265,8 +265,7 @@ landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
 /* Should already be checked in sys_landlock_create_ruleset(). */
 WARN_ON_ONCE(fs_access_mask != fs_mask);
- ruleset->access_masks[layer_level] |=
- (fs_mask << LANDLOCK_SHIFT_ACCESS_FS);
+ ruleset->access_masks[layer_level].fs |= fs_mask;
 }
 static inline void
@@ -278,17 +277,14 @@ landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
 /* Should already be checked in sys_landlock_create_ruleset(). */
 WARN_ON_ONCE(net_access_mask != net_mask);
- ruleset->access_masks[layer_level] |=
- (net_mask << LANDLOCK_SHIFT_ACCESS_NET);
+ ruleset->access_masks[layer_level].net |= net_mask;
 }
 static inline access_mask_t
 landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,
 const u16 layer_level)
 {
- return (ruleset->access_masks[layer_level] >>
- LANDLOCK_SHIFT_ACCESS_FS) &
- LANDLOCK_MASK_ACCESS_FS;
+ return ruleset->access_masks[layer_level].fs;
 }
 static inline access_mask_t
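Review bot: The new `struct access_masks` in the first hunk has no comment saying what bounds its two fields, now that the `static_assert` on `access_masks_t` is removed. Each bit-field is exactly as wide as its rights count, so a store with higher bits set is silently truncated instead of spilling into the neighbouring mask, and the width limit now rests on `access_mask_t` and the `static_assert`s kept above the struct. I would add `/* Field widths equal the number of defined rights; wider values are truncated on store, so callers must mask first. */` above the struct. Bit-field layout and padding are implementation-defined, so elements of `access_masks[]` should only be read and written by field; whether code outside ruleset.h still treats them as a raw integer is not visible in this diff.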
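Review bot: In landlock_add_fs_access_mask, `ruleset->access_masks[layer_level].fs |= fs_mask;` is a read-modify-write on a bit-field, and adjacent bit-fields form a single memory location, so it cannot safely run concurrently with an update of `.net` for the same layer. The old single-word `|=` had the same property, and the struct comment in the second hunk ("set once and never changed") suggests these helpers only run while the ruleset is still private, but nothing at the call site says so. A comment such as `/* Only called during ruleset creation, before the ruleset is shared. */` would record that assumption, if it holds. The same applies to landlock_add_net_access_mask in the next hunk; both function bodies start outside their hunks.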
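Review bot: landlock_get_raw_fs_access_mask now returns `.fs` without the explicit `& LANDLOCK_MASK_ACCESS_FS`, so the guarantee that no undefined right is returned depends entirely on the field width staying equal to `LANDLOCK_NUM_ACCESS_FS`; a one-line comment, `/* The bit-field width already limits the value to defined rights. */`, would keep a later reader from re-adding or questioning the mask. The same holds for landlock_get_net_access_mask in the last hunk. `LANDLOCK_SHIFT_ACCESS_FS` and `LANDLOCK_SHIFT_ACCESS_NET` no longer appear on the new side of this file; if nothing else uses them (not visible here), their definitions should go in the same series so that shift-based and field-based access cannot be mixed later.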
@@ -304,9 +300,7 @@ static inline access_mask_t
 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
 const u16 layer_level)
 {
- return (ruleset->access_masks[layer_level] >>
- LANDLOCK_SHIFT_ACCESS_NET) &
- LANDLOCK_MASK_ACCESS_NET;
+ return ruleset->access_masks[layer_level].net;
 }
 bool landlock_unmask_layers(const struct landlock_rule *const rule, |