landlock: Simplify initially denied access rights

/*

 * All access rights that are denied by default whether they are handled or not

 * by a ruleset/layer.  This must be ORed with all ruleset->access_masks[]

 * entries when we need to get the absolute handled access masks.

 * entries when we need to get the absolute handled access masks, see

 * landlock_upgrade_handled_access_masks().

 */

/* clang-format off */

#define _LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \

/* Makes sure all layers can be checked. */

static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);

/* Upgrades with all initially denied by default access rights. */

static inline struct access_masks

landlock_upgrade_handled_access_masks(struct access_masks access_masks)

{

	/*

	 * All access rights that are denied by default whether they are

	 * explicitly handled or not.

	 */

	if (access_masks.fs)

		access_masks.fs |= _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;

	return access_masks;

}

#endif /* _SECURITY_LANDLOCK_ACCESS_H */

		unlikely(IS_PRIVATE(d_backing_inode(dentry))));

}

static access_mask_t

get_handled_fs_accesses(const struct landlock_ruleset *const domain)

{

	/* Handles all initially denied by default access rights. */

	return landlock_union_access_masks(domain).fs |

	       _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;

}

static const struct access_masks any_fs = {

	.fs = ~0,

};

		 * a superset of the meaningful requested accesses).

		 */

		access_masked_parent1 = access_masked_parent2 =

			get_handled_fs_accesses(domain);

			landlock_union_access_masks(domain).fs;

		is_dom_check = true;

	} else {

		if (WARN_ON_ONCE(dentry_child1 || dentry_child2))

		err = -EINVAL;

		goto out_unlock;

	}

	dst->access_masks[dst->num_layers - 1] = src->access_masks[0];

	dst->access_masks[dst->num_layers - 1] =

		landlock_upgrade_handled_access_masks(src->access_masks[0]);

	/* Merges the @src inode tree. */

	err = merge_tree(dst, src, LANDLOCK_KEY_INODE);