Skip to content

Commit 03197e4

Browse files
l0kodl0kod
committed
landlock: Optimize scope enforcement
Do not walk through the domain hierarchy when the required scope is not supported by this domain. This is the same approach as for filesystem and network restrictions. Cc: Mikhail Ivanov <[email protected]> Cc: Tahera Fahimi <[email protected]> Reviewed-by: Günther Noack <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mickaël Salaün <[email protected]>
1 parent 8376226 commit 03197e4

File tree

1 file changed

+15
-3
lines changed

1 file changed

+15
-3
lines changed

security/landlock/task.c

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -204,12 +204,17 @@ static bool is_abstract_socket(struct sock *const sock)
204204
return false;
205205
}
206206

207+
static const struct access_masks unix_scope = {
208+
.scope = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
209+
};
210+
207211
static int hook_unix_stream_connect(struct sock *const sock,
208212
struct sock *const other,
209213
struct sock *const newsk)
210214
{
211215
const struct landlock_ruleset *const dom =
212-
landlock_get_current_domain();
216+
landlock_get_applicable_domain(landlock_get_current_domain(),
217+
unix_scope);
213218

214219
/* Quick return for non-landlocked tasks. */
215220
if (!dom)
@@ -225,7 +230,8 @@ static int hook_unix_may_send(struct socket *const sock,
225230
struct socket *const other)
226231
{
227232
const struct landlock_ruleset *const dom =
228-
landlock_get_current_domain();
233+
landlock_get_applicable_domain(landlock_get_current_domain(),
234+
unix_scope);
229235

230236
if (!dom)
231237
return 0;
@@ -243,6 +249,10 @@ static int hook_unix_may_send(struct socket *const sock,
243249
return 0;
244250
}
245251

252+
static const struct access_masks signal_scope = {
253+
.scope = LANDLOCK_SCOPE_SIGNAL,
254+
};
255+
246256
static int hook_task_kill(struct task_struct *const p,
247257
struct kernel_siginfo *const info, const int sig,
248258
const struct cred *const cred)
@@ -256,6 +266,7 @@ static int hook_task_kill(struct task_struct *const p,
256266
} else {
257267
dom = landlock_get_current_domain();
258268
}
269+
dom = landlock_get_applicable_domain(dom, signal_scope);
259270

260271
/* Quick return for non-landlocked tasks. */
261272
if (!dom)
@@ -279,7 +290,8 @@ static int hook_file_send_sigiotask(struct task_struct *tsk,
279290

280291
/* Lock already held by send_sigio() and send_sigurg(). */
281292
lockdep_assert_held(&fown->lock);
282-
dom = landlock_file(fown->file)->fown_domain;
293+
dom = landlock_get_applicable_domain(
294+
landlock_file(fown->file)->fown_domain, signal_scope);
283295

284296
/* Quick return for unowned socket. */
285297
if (!dom)

0 commit comments

Comments
 (0)