Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

landlock: Factor out IOCTL hooks

Compat and non-compat IOCTL hooks are almost the same, except to compare
the IOCTL command. Factor out these two IOCTL hooks to highlight the
difference and minimize audit changes (see next commit).

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-14-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

+11 -21
+11 -21
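--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1698,8 +1698,8 @@
 	return -EACCES;
 }
 
-static int hook_file_ioctl(struct file *file, unsigned int cmd,
-		unsigned long arg)
+static int hook_file_ioctl_common(const struct file *const file,
+		const unsigned int cmd, const bool is_compat)
 {
 	access_mask_t allowed_access = landlock_file(file)->allowed_access;
 
@@ -1715,33 +1715,23 @@
 	if (!is_device(file))
 		return 0;
 
-	if (is_masked_device_ioctl(cmd))
+	if (unlikely(is_compat) ? is_masked_device_ioctl_compat(cmd) :
+		is_masked_device_ioctl(cmd))
 		return 0;
 
 	return -EACCES;
 }
 
+static int hook_file_ioctl(struct file *file, unsigned int cmd,
+		unsigned long arg)
+{
+	return hook_file_ioctl_common(file, cmd, false);
+}
+
 static int hook_file_ioctl_compat(struct file *file, unsigned int cmd,
 		unsigned long arg)
 {
-	access_mask_t allowed_access = landlock_file(file)->allowed_access;
-
-	/*
-	 * It is the access rights at the time of opening the file which
-	 * determine whether IOCTL can be used on the opened file later.
-	 *
-	 * The access right is attached to the opened file in hook_file_open().
-	 */
-	if (allowed_access & LANDLOCK_ACCESS_FS_IOCTL_DEV)
-		return 0;
-
-	if (!is_device(file))
-		return 0;
-
-	if (is_masked_device_ioctl_compat(cmd))
-		return 0;
-
-	return -EACCES;
+	return hook_file_ioctl_common(file, cmd, true);
 }
 
 /*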
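Review bot: The new `is_compat` parameter of hook_file_ioctl_common() is the only thing that selects which masked-device-IOCTL check a command is evaluated against, and nothing in the new code documents that. A short comment above the helper would make the contract explicit, for example `/* @is_compat: true only when called from the compat IOCTL hook; selects is_masked_device_ioctl_compat() for the command check. */`, since a caller passing the wrong value would presumably have the command judged by the other ABI's list. As a style point, `unlikely(is_compat) ? ... : ...` inside the `if` condition is dense, and because both wrappers pass a literal the hint probably has no effect once the static helper is inlined; a plain `is_compat ? is_masked_device_ioctl_compat(cmd) : is_masked_device_ioctl(cmd)` reads more easily. Lines 1706–1714 of the helper's body are collapsed on this page and were not reviewed.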