Unverified Commit 45f2a292 authored Feb 06, 2026 by Günther Noack Committed by Mickaël Salaün Feb 10, 2026

landlock: Add access_mask_subset() helper



This helper function checks whether an access_mask_t has a subset of the
bits enabled than another one.  This expresses the intent a bit smoother
in the code and does not cost us anything when it gets inlined.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20260206151154.97915-4-gnoack3000@gmail.com


[mic: Improve subject]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

parent 9adbe893

security/landlock/access.h

+7 −0

Original line number	Diff line number	Diff line
		@@ -97,4 +97,11 @@ landlock_upgrade_handled_access_masks(struct access_masks access_masks)
		return access_masks;
		}

		/* Checks the subset relation between access masks. */
		static inline bool access_mask_subset(access_mask_t subset,
		access_mask_t superset)
		{
		return (subset \| superset) == superset;
		}

		#endif /* _SECURITY_LANDLOCK_ACCESS_H */

security/landlock/fs.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -331,7 +331,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,

		/* Files only get access rights that make sense. */
		if (!d_is_dir(path->dentry) &&
		(access_rights \| ACCESS_FILE) != ACCESS_FILE)
		!access_mask_subset(access_rights, ACCESS_FILE))
		return -EINVAL;
		if (WARN_ON_ONCE(ruleset->num_layers != 1))
		return -EINVAL;
		@@ -1704,7 +1704,7 @@ static int hook_file_open(struct file *const file)
		ARRAY_SIZE(layer_masks));
		#endif /* CONFIG_AUDIT */

		if ((open_access_request & allowed_access) == open_access_request)
		if (access_mask_subset(open_access_request, allowed_access))
		return 0;

		/* Sets access to reflect the actual request. */