landlock: Prepare to use credential instead of domain for network (93f33f0c) · Commits · git / linux-net

security/landlock/net.c

+12 −15

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Landlock LSM - Network management and hooks
		* Landlock - Network management and hooks
		*
		* Copyright © 2022-2023 Huawei Tech. Co., Ltd.
		* Copyright © 2022-2023 Microsoft Corporation
		* Copyright © 2022-2025 Microsoft Corporation
		*/

		#include <linux/in.h>
		@@ -39,10 +39,6 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
		return err;
		}

		static const struct access_masks any_net = {
		.net = ~0,
		};

		static int current_check_access_socket(struct socket *const sock,
		struct sockaddr *const address,
		const int addrlen,
		@@ -54,14 +50,14 @@ static int current_check_access_socket(struct socket *const sock,
		struct landlock_id id = {
		.type = LANDLOCK_KEY_NET_PORT,
		};
		const struct landlock_ruleset *const dom =
		landlock_get_applicable_domain(landlock_get_current_domain(),
		any_net);
		const struct access_masks masks = {
		.net = access_request,
		};
		const struct landlock_cred_security *const subject =
		landlock_get_applicable_subject(current_cred(), masks, NULL);

		if (!dom)
		if (!subject)
		return 0;
		if (WARN_ON_ONCE(dom->num_layers < 1))
		return -EACCES;

		if (!sk_is_tcp(sock->sk))
		return 0;
		@@ -145,9 +141,10 @@ static int current_check_access_socket(struct socket *const sock,
		id.key.data = (__force uintptr_t)port;
		BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));

		rule = landlock_find_rule(dom, id);
		access_request = landlock_init_layer_masks(
		dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
		rule = landlock_find_rule(subject->domain, id);
		access_request = landlock_init_layer_masks(subject->domain,
		access_request, &layer_masks,
		LANDLOCK_KEY_NET_PORT);
		if (landlock_unmask_layers(rule, access_request, &layer_masks,
		ARRAY_SIZE(layer_masks)))
		return 0;