landlock: Reduce the maximum number of layers to 16

[platform/kernel/linux-rpi.git] / security / landlock / ruleset.h

diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 2d3ed7e..521af28 100644 (file)
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -9,13 +9,24 @@
 #ifndef _SECURITY_LANDLOCK_RULESET_H
 #define _SECURITY_LANDLOCK_RULESET_H
 
+#include <linux/bitops.h>
+#include <linux/build_bug.h>
 #include <linux/mutex.h>
 #include <linux/rbtree.h>
 #include <linux/refcount.h>
 #include <linux/workqueue.h>
 
+#include "limits.h"
 #include "object.h"
 
+typedef u16 access_mask_t;
+/* Makes sure all filesystem access rights can be stored. */
+static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
+
+typedef u16 layer_mask_t;
+/* Makes sure all layers can be checked. */
+static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
+
 /**
  * struct landlock_layer - Access rights for a given layer
  */
@@ -28,7 +39,7 @@ struct landlock_layer {
         * @access: Bitfield of allowed actions on the kernel object.  They are
         * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
         */
-       u16 access;
+       access_mask_t access;
 };
 
 /**
@@ -135,26 +146,28 @@ struct landlock_ruleset {
                         * layers are set once and never changed for the
                         * lifetime of the ruleset.
                         */
-                       u16 fs_access_masks[];
+                       access_mask_t fs_access_masks[];
                };
        };
 };
 
-struct landlock_ruleset *landlock_create_ruleset(const u32 fs_access_mask);
+struct landlock_ruleset *
+landlock_create_ruleset(const access_mask_t fs_access_mask);
 
 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
 
 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
-               struct landlock_object *const object, const u32 access);
+                        struct landlock_object *const object,
+                        const access_mask_t access);
 
-struct landlock_ruleset *landlock_merge_ruleset(
-               struct landlock_ruleset *const parent,
-               struct landlock_ruleset *const ruleset);
+struct landlock_ruleset *
+landlock_merge_ruleset(struct landlock_ruleset *const parent,
+                      struct landlock_ruleset *const ruleset);
 
-const struct landlock_rule *landlock_find_rule(
-               const struct landlock_ruleset *const ruleset,
-               const struct landlock_object *const object);
+const struct landlock_rule *
+landlock_find_rule(const struct landlock_ruleset *const ruleset,
+                  const struct landlock_object *const object);
 
 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
 {