}
/**
- * check_access_path_dual - Check accesses for requests with a common path
+ * is_access_to_paths_allowed - Check accesses for requests with a common path
*
* @domain: Domain to check against.
* @path: File hierarchy to walk through.
* allow the request.
*
* Returns:
- * - 0 if the access request is granted;
- * - -EACCES if it is denied because of access right other than
- * LANDLOCK_ACCESS_FS_REFER;
- * - -EXDEV if the renaming or linking would be a privileged escalation
- * (according to each layered policies), or if LANDLOCK_ACCESS_FS_REFER is
- * not allowed by the source or the destination.
+ * - true if the access request is granted;
+ * - false otherwise.
*/
-static int check_access_path_dual(
+static bool is_access_to_paths_allowed(
const struct landlock_ruleset *const domain,
const struct path *const path,
const access_mask_t access_request_parent1,
(*layer_masks_child2)[LANDLOCK_NUM_ACCESS_FS] = NULL;
if (!access_request_parent1 && !access_request_parent2)
- return 0;
+ return true;
if (WARN_ON_ONCE(!domain || !path))
- return 0;
+ return true;
if (is_nouser_or_private(path->dentry))
- return 0;
+ return true;
if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1))
- return -EACCES;
+ return false;
if (unlikely(layer_masks_parent2)) {
if (WARN_ON_ONCE(!dentry_child1))
- return -EACCES;
+ return false;
/*
* For a double request, first check for potential privilege
* escalation by looking at domain handled accesses (which are
is_dom_check = true;
} else {
if (WARN_ON_ONCE(dentry_child1 || dentry_child2))
- return -EACCES;
+ return false;
/* For a simple request, only check for requested accesses. */
access_masked_parent1 = access_request_parent1;
access_masked_parent2 = access_request_parent2;
}
path_put(&walker_path);
- if (allowed_parent1 && allowed_parent2)
- return 0;
-
- /*
- * This prioritizes EACCES over EXDEV for all actions, including
- * renames with RENAME_EXCHANGE.
- */
- if (likely(is_eacces(layer_masks_parent1, access_request_parent1) ||
- is_eacces(layer_masks_parent2, access_request_parent2)))
- return -EACCES;
-
- /*
- * Gracefully forbids reparenting if the destination directory
- * hierarchy is not a superset of restrictions of the source directory
- * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the
- * source or the destination.
- */
- return -EXDEV;
+ return allowed_parent1 && allowed_parent2;
}
static inline int check_access_path(const struct landlock_ruleset *const domain,
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
access_request = init_layer_masks(domain, access_request, &layer_masks);
- return check_access_path_dual(domain, path, access_request,
- &layer_masks, NULL, 0, NULL, NULL);
+ if (is_access_to_paths_allowed(domain, path, access_request,
+ &layer_masks, NULL, 0, NULL, NULL))
+ return 0;
+ return -EACCES;
}
static inline int current_check_access_path(const struct path *const path,
* file. While walking from @dir to @mnt_root, we record all the domain's
* allowed accesses in @layer_masks_dom.
*
- * This is similar to check_access_path_dual() but much simpler because it only
- * handles walking on the same mount point and only checks one set of accesses.
+ * This is similar to is_access_to_paths_allowed() but much simpler because it
+ * only handles walking on the same mount point and only checks one set of
+ * accesses.
*
* Returns:
* - true if all the domain access rights are allowed for @dir;
access_request_parent1 = init_layer_masks(
dom, access_request_parent1 | access_request_parent2,
&layer_masks_parent1);
- return check_access_path_dual(dom, new_dir,
- access_request_parent1,
- &layer_masks_parent1, NULL, 0,
- NULL, NULL);
+ if (is_access_to_paths_allowed(
+ dom, new_dir, access_request_parent1,
+ &layer_masks_parent1, NULL, 0, NULL, NULL))
+ return 0;
+ return -EACCES;
}
access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER;
* parent access rights. This will be useful to compare with the
* destination parent access rights.
*/
- return check_access_path_dual(dom, &mnt_dir, access_request_parent1,
- &layer_masks_parent1, old_dentry,
- access_request_parent2,
- &layer_masks_parent2,
- exchange ? new_dentry : NULL);
+ if (is_access_to_paths_allowed(
+ dom, &mnt_dir, access_request_parent1, &layer_masks_parent1,
+ old_dentry, access_request_parent2, &layer_masks_parent2,
+ exchange ? new_dentry : NULL))
+ return 0;
+
+ /*
+ * This prioritizes EACCES over EXDEV for all actions, including
+ * renames with RENAME_EXCHANGE.
+ */
+ if (likely(is_eacces(&layer_masks_parent1, access_request_parent1) ||
+ is_eacces(&layer_masks_parent2, access_request_parent2)))
+ return -EACCES;
+
+ /*
+ * Gracefully forbids reparenting if the destination directory
+ * hierarchy is not a superset of restrictions of the source directory
+ * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the
+ * source or the destination.
+ */
+ return -EXDEV;
}
/* Inode hooks */