Unverified Commit 602acfb5 authored Dec 19, 2025 by Mickaël Salaün

landlock: Optimize stack usage when !CONFIG_AUDIT



Until now, each landlock_request struct were allocated on the stack, even
if not really used, because is_access_to_paths_allowed() unconditionally
modified the passed references.  Even if the changed landlock_request
variables are not used, the compiler is not smart enough to detect this
case.

To avoid this issue, explicitly disable the related code when
CONFIG_AUDIT is not set, which enables elision of log_request_parent*
and associated caller's stack variables thanks to dead code elimination.
This makes it possible to reduce the stack frame by 32 bytes for the
path_link and path_rename hooks, and by 20 bytes for most other
filesystem hooks.

Here is a summary of scripts/stackdelta before and after this change
when CONFIG_AUDIT is disabled:

  current_check_refer_path    560  320  -240
  current_check_access_path   328  184  -144
  hook_file_open              328  184  -144
  is_access_to_paths_allowed  376  360  -16

Also, add extra pointer checks to be more future-proof.

Cc: Günther Noack <gnoack@google.com>
Reported-by: Tingmao Wang <m@maowtm.org>
Closes: https://lore.kernel.org/r/eb86863b-53b0-460b-b223-84dd31d765b9@maowtm.org
Fixes: 2fc80c69 ("landlock: Log file-related denials")
Link: https://lore.kernel.org/r/20251219142302.744917-2-mic@digikod.net


Reviewed-by: Günther Noack <gnoack3000@gmail.com>
[mic: Improve stack usage measurement accuracy with scripts/stackdelta]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

parent 6548fb52

security/landlock/fs.c

+9 −2

Original line number	Diff line number	Diff line
		@@ -939,7 +939,12 @@ static bool is_access_to_paths_allowed(
		}
		path_put(&walker_path);

		if (!allowed_parent1) {
		/*
		* Check CONFIG_AUDIT to enable elision of log_request_parent* and
		* associated caller's stack variables thanks to dead code elimination.
		*/
		#ifdef CONFIG_AUDIT
		if (!allowed_parent1 && log_request_parent1) {
		log_request_parent1->type = LANDLOCK_REQUEST_FS_ACCESS;
		log_request_parent1->audit.type = LSM_AUDIT_DATA_PATH;
		log_request_parent1->audit.u.path = *path;
		@@ -949,7 +954,7 @@ static bool is_access_to_paths_allowed(
		ARRAY_SIZE(*layer_masks_parent1);
		}

		if (!allowed_parent2) {
		if (!allowed_parent2 && log_request_parent2) {
		log_request_parent2->type = LANDLOCK_REQUEST_FS_ACCESS;
		log_request_parent2->audit.type = LSM_AUDIT_DATA_PATH;
		log_request_parent2->audit.u.path = *path;
		@@ -958,6 +963,8 @@ static bool is_access_to_paths_allowed(
		log_request_parent2->layer_masks_size =
		ARRAY_SIZE(*layer_masks_parent2);
		}
		#endif /* CONFIG_AUDIT */

		return allowed_parent1 && allowed_parent2;
		}