diff options
| author | Mickaël Salaün <mic@digikod.net> | 2025-01-08 16:43:21 +0100 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2025-01-17 19:05:37 +0100 |
| commit | d617f0d72d8041c7099fd04a62db0f0fa5331c1a (patch) | |
| tree | 0c3d66d1bfa91698e80fdcfb0d96df65716a22d8 /lib/net_utils.c | |
| parent | 12264f721f64a235f81e845e2cf95ad4a267613a (diff) | |
| download | linux-d617f0d72d8041c7099fd04a62db0f0fa5331c1a.tar.gz linux-d617f0d72d8041c7099fd04a62db0f0fa5331c1a.tar.bz2 linux-d617f0d72d8041c7099fd04a62db0f0fa5331c1a.zip | |
landlock: Optimize file path walks and prepare for audit support
Always synchronize access_masked_parent* with access_request_parent*
according to allowed_parent*. This is required for audit support to be
able to get back to the reason of denial.
In a rename/link action, instead of always checking a rule two times for
the same parent directory of the source and the destination files, only
check it when an action on a child was not already allowed. This also
enables us to keep consistent allowed_parent* status, which is required
to get back to the reason of denial.
For internal mount points, only upgrade allowed_parent* to true but do
not wrongfully set both of them to false otherwise. This is also
required to get back to the reason of denial.
This does not impact the current behavior but slightly optimize code and
prepare for audit support that needs to know the exact reason why an
access was denied.
Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250108154338.1129069-14-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'lib/net_utils.c')
0 files changed, 0 insertions, 0 deletions