Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

landlock: Minor comments improvements

This patch contains some small comment changes. The first three
comments for ruleset.c, I sort of made along the way while working on /
trying to understand Landlock, and the one from ruleset.h was from the
hashtable patch but extracted here. In fs.c, one comment which I found
would have been helpful to me when reading this.

Signed-off-by: Tingmao Wang <m@maowtm.org>
Link: https://lore.kernel.org/r/20250602134150.67189-1-m@maowtm.org
Link: https://lore.kernel.org/r/20297185fd71ffbb5ce4fec14b38e5444c719c96.1748379182.git.m@maowtm.org
[mic: Squash patches with updated description, cosmetic fixes]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

Authored by Tingmao Wang and committed by Mickaël Salaün
f4d3ef2d ac3fd01e

+13 -4
+2 -1
security/landlock/fs.c
··· 714 714 * is_access_to_paths_allowed - Check accesses for requests with a common path 715 715 * 716 716 * @domain: Domain to check against. 717 - * @path: File hierarchy to walk through. 717 + * @path: File hierarchy to walk through. For refer checks, this would be 718 + * the common mountpoint. 718 719 * @access_request_parent1: Accesses to check, once @layer_masks_parent1 is 719 720 * equal to @layer_masks_parent2 (if any). This is tied to the unique 720 721 * requested path for most actions, or the source in case of a refer action
+10 -2
security/landlock/ruleset.c
··· 83 83 .num_layers = ~0, 84 84 }; 85 85 86 + /* 87 + * Checks that .num_layers is large enough for at least 88 + * LANDLOCK_MAX_NUM_LAYERS layers. 89 + */ 86 90 BUILD_BUG_ON(rule.num_layers < LANDLOCK_MAX_NUM_LAYERS); 87 91 } 88 92 ··· 294 290 .access = ~0, 295 291 }; 296 292 293 + /* 294 + * Checks that .level and .access are large enough to contain their expected 295 + * maximum values. 296 + */ 297 297 BUILD_BUG_ON(layer.level < LANDLOCK_MAX_NUM_LAYERS); 298 298 BUILD_BUG_ON(layer.access < LANDLOCK_MASK_ACCESS_FS); 299 299 } ··· 652 644 bool is_empty; 653 645 654 646 /* 655 - * Records in @layer_masks which layer grants access to each 656 - * requested access. 647 + * Records in @layer_masks which layer grants access to each requested 648 + * access: bit cleared if the related layer grants access. 657 649 */ 658 650 is_empty = true; 659 651 for_each_set_bit(access_bit, &access_req, masks_array_size) {
+1 -1
security/landlock/ruleset.h
··· 27 27 */ 28 28 struct landlock_layer { 29 29 /** 30 - * @level: Position of this layer in the layer stack. 30 + * @level: Position of this layer in the layer stack. Starts from 1. 31 31 */ 32 32 u16 level; 33 33 /**
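Review bot: In security/landlock/fs.c, the new @path text "For refer checks, this would be the common mountpoint" uses a conditional where a kernel-doc parameter description should state a fact, and it says "refer checks" while the @access_request_parent1 entry right below it says "refer action". Suggest "For a refer action, this is the common mountpoint." so the two entries use the same term.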
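Review bot: In the second security/landlock/ruleset.c hunk (old line 290), the new comment says .level and .access must contain "their expected maximum values" without naming them, while the comment added in the first hunk names LANDLOCK_MAX_NUM_LAYERS. Name both limits here too (LANDLOCK_MAX_NUM_LAYERS for .level, LANDLOCK_MASK_ACCESS_FS for .access) so the comment matches the two BUILD_BUG_ON() lines that follow it.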
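Review bot: In the third security/landlock/ruleset.c hunk (old line 644), the added clause "bit cleared if the related layer grants access" documents only one of the two bit states, and the first half of the sentence still reads as if @layer_masks recorded grants positively. A cleared bit meaning "granted" is the inverse of what a reader of an access check tends to assume, so state what a set bit means as well, and make the clause after the colon a full sentence.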
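Review bot: In security/landlock/ruleset.h, "Starts from 1." gives the lower bound of @level but neither the upper bound nor the meaning of 0. The BUILD_BUG_ON() in ruleset.c compares layer.level against LANDLOCK_MAX_NUM_LAYERS, so if the valid range is 1 to LANDLOCK_MAX_NUM_LAYERS the doc comment should say so, and say whether a level of 0 can ever occur.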