landlock: Update various code to use landlock_domain

- Replace domain in landlock_cred with landlock_domain.
- Replace landlock_merge_ruleset with landlock_domain_merge_ruleset.
- Pull landlock_put_hierarchy out of domain.h.
  This allows domain.h to not depend on audit.h, as audit.h -> cred.h will
  need to depend on domain.h instead of ruleset.h after changing it to use
  the new domain struct.
- Update uses of landlock_ruleset-domains to landlock_domain

checkpath seems to not like the `layer_mask_t (*const layer_masks)[]` argument:

	WARNING: function definition argument 'layer_mask_t' should also have an identifier name
	torvalds#171: FILE: security/landlock/domain.h:397:
	+bool landlock_unmask_layers(const struct landlock_found_rule rule,

	WARNING: function definition argument 'layer_mask_t' should also have an identifier name
	torvalds#176: FILE: security/landlock/domain.h:402:
	+access_mask_t

Signed-off-by: Tingmao Wang <m@maowtm.org>

Author: micromaomao

security/landlock/audit.c

@@ -134,7 +134,7 @@ static void log_domain(struct landlock_hierarchy *const hierarchy)
 }
 
 static struct landlock_hierarchy *
-get_hierarchy(const struct landlock_ruleset *const domain, const size_t layer)
+get_hierarchy(const struct landlock_domain *const domain, const size_t layer)
 {
 	struct landlock_hierarchy *hierarchy = domain->hierarchy;
 	ssize_t i;
@@ -167,7 +167,7 @@ static void test_get_hierarchy(struct kunit *const test)
 		.parent = &dom1_hierarchy,
 		.id = 30,
 	};
-	struct landlock_ruleset dom2 = {
+	struct landlock_domain dom2 = {
 		.hierarchy = &dom2_hierarchy,
 		.num_layers = 3,
 	};
@@ -180,7 +180,7 @@ static void test_get_hierarchy(struct kunit *const test)
 
 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
 
-static size_t get_denied_layer(const struct landlock_ruleset *const domain,
+static size_t get_denied_layer(const struct landlock_domain *const domain,
 			       access_mask_t *const access_request,
 			       const layer_mask_t (*const layer_masks)[],
 			       const size_t layer_masks_size)
@@ -218,7 +218,7 @@ static size_t get_denied_layer(const struct landlock_ruleset *const domain,
 
 static void test_get_denied_layer(struct kunit *const test)
 {
-	const struct landlock_ruleset dom = {
+	const struct landlock_domain dom = {
 		.num_layers = 5,
 	};
 	const layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {

security/landlock/cred.c

@@ -13,7 +13,7 @@
 
 #include "common.h"
 #include "cred.h"
-#include "ruleset.h"
+#include "domain.h"
 #include "setup.h"
 
 static void hook_cred_transfer(struct cred *const new,
@@ -23,7 +23,7 @@ static void hook_cred_transfer(struct cred *const new,
 		landlock_cred(old);
 
 	if (old_llcred->domain) {
-		landlock_get_ruleset(old_llcred->domain);
+		landlock_get_domain(old_llcred->domain);
 		*landlock_cred(new) = *old_llcred;
 	}
 }
@@ -37,10 +37,10 @@ static int hook_cred_prepare(struct cred *const new,
 
 static void hook_cred_free(struct cred *const cred)
 {
-	struct landlock_ruleset *const dom = landlock_cred(cred)->domain;
-
-	if (dom)
-		landlock_put_ruleset_deferred(dom);
+	/*
+	 * landlock_put_domain_deferred does nothing if domain is NULL
+	 */
+	landlock_put_domain_deferred(landlock_cred(cred)->domain);
 }
 
 #ifdef CONFIG_AUDIT

security/landlock/cred.h

@@ -17,7 +17,7 @@
 
 #include "access.h"
 #include "limits.h"
-#include "ruleset.h"
+#include "domain.h"
 #include "setup.h"
 
 /**
@@ -29,9 +29,9 @@
  */
 struct landlock_cred_security {
 	/**
-	 * @domain: Immutable ruleset enforced on a task.
+	 * @domain: Immutable domain enforced on a task.
 	 */
-	struct landlock_ruleset *domain;
+	struct landlock_domain *domain;
 
 #ifdef CONFIG_AUDIT
 	/**
@@ -65,15 +65,15 @@ landlock_cred(const struct cred *cred)
 	return cred->security + landlock_blob_sizes.lbs_cred;
 }
 
-static inline struct landlock_ruleset *landlock_get_current_domain(void)
+static inline struct landlock_domain *landlock_get_current_domain(void)
 {
 	return landlock_cred(current_cred())->domain;
 }
 
 /*
  * The call needs to come from an RCU read-side critical section.
  */
-static inline const struct landlock_ruleset *
+static inline const struct landlock_domain *
 landlock_get_task_domain(const struct task_struct *const task)
 {
 	return landlock_cred(__task_cred(task))->domain;
@@ -114,7 +114,7 @@ landlock_get_applicable_subject(const struct cred *const cred,
 	const union access_masks_all masks_all = {
 		.masks = masks,
 	};
-	const struct landlock_ruleset *domain;
+	const struct landlock_domain *domain;
 	ssize_t layer_level;
 
 	if (!cred)
@@ -127,7 +127,7 @@ landlock_get_applicable_subject(const struct cred *const cred,
 	for (layer_level = domain->num_layers - 1; layer_level >= 0;
 	     layer_level--) {
 		union access_masks_all layer = {
-			.masks = domain->access_masks[layer_level],
+			.masks = dom_access_masks(domain)[layer_level],
 		};
 
 		if (layer.all & masks_all.all) {

security/landlock/domain.c

@@ -21,6 +21,7 @@
 #include <linux/uidgid.h>
 
 #include "access.h"
+#include "audit.h"
 #include "common.h"
 #include "domain.h"
 #include "id.h"
@@ -788,6 +789,79 @@ landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
 	return deny_masks;
 }
 
+void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy)
+{
+	while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) {
+		const struct landlock_hierarchy *const freeme = hierarchy;
+
+		landlock_log_drop_domain(hierarchy);
+		landlock_free_hierarchy_details(hierarchy);
+		hierarchy = hierarchy->parent;
+		kfree(freeme);
+	}
+}
+
+/*
+ * @layer_masks is read and may be updated according to the access request and
+ * the matching rule.
+ * @masks_array_size must be equal to ARRAY_SIZE(*layer_masks).
+ *
+ * Returns true if the request is allowed (i.e. relevant layer masks for the
+ * request are empty).
+ */
+bool landlock_unmask_layers(const struct landlock_found_rule rule,
+			    const access_mask_t access_request,
+			    layer_mask_t (*const layer_masks)[],
+			    const size_t masks_array_size)
+{
+	const struct landlock_layer *layer;
+
+	if (!access_request || !layer_masks)
+		return true;
+
+	if (rule.layers_start == rule.layers_end)
+		return false;
+
+	if (WARN_ON_ONCE(rule.layers_start > rule.layers_end))
+		return false;
+
+	/* We should not have layers_start being NULL but layers_end not */
+	if (WARN_ON_ONCE(rule.layers_start == NULL))
+		return false;
+
+	/*
+	 * An access is granted if, for each policy layer, at least one rule
+	 * encountered on the pathwalk grants the requested access,
+	 * regardless of its position in the layer stack.  We must then check
+	 * the remaining layers for each inode, from the first added layer to
+	 * the last one.  When there is multiple requested accesses, for each
+	 * policy layer, the full set of requested accesses may not be granted
+	 * by only one rule, but by the union (binary OR) of multiple rules.
+	 * E.g. /a/b <execute> + /a <read> => /a/b <execute + read>
+	 */
+	dom_rule_for_each_layer(rule, layer)
+	{
+		const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
+		const unsigned long access_req = access_request;
+		unsigned long access_bit;
+		bool is_empty;
+
+		/*
+		 * Records in @layer_masks which layer grants access to each requested
+		 * access: bit cleared if the related layer grants access.
+		 */
+		is_empty = true;
+		for_each_set_bit(access_bit, &access_req, masks_array_size) {
+			if (layer->access & BIT_ULL(access_bit))
+				(*layer_masks)[access_bit] &= ~layer_bit;
+			is_empty = is_empty && !(*layer_masks)[access_bit];
+		}
+		if (is_empty)
+			return true;
+	}
+	return false;
+}
+
 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
 
 static void test_landlock_get_deny_masks(struct kunit *const test)

security/landlock/domain.h

@@ -20,7 +20,6 @@
 #include <linux/slab.h>
 
 #include "access.h"
-#include "audit.h"
 #include "ruleset.h"
 #include "coalesced_hash.h"
 
@@ -393,16 +392,65 @@ landlock_get_hierarchy(struct landlock_hierarchy *const hierarchy)
 		refcount_inc(&hierarchy->usage);
 }
 
-static inline void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy)
+void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy);
+
+bool landlock_unmask_layers(const struct landlock_found_rule rule,
+			    const access_mask_t access_request,
+			    layer_mask_t (*const layer_masks)[],
+			    const size_t masks_array_size);
+
+access_mask_t
+landlock_init_layer_masks(const struct landlock_domain *const domain,
+			  const access_mask_t access_request,
+			  layer_mask_t (*const layer_masks)[],
+			  const enum landlock_key_type key_type);
+
+static inline access_mask_t
+landlock_dom_get_fs_access_mask(const struct landlock_domain *const domain,
+				const u16 layer_level)
+{
+	/* Handles all initially denied by default access rights. */
+	return dom_access_masks(domain)[layer_level].fs |
+	       _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
+}
+
+static inline access_mask_t
+landlock_dom_get_net_access_mask(const struct landlock_domain *const domain,
+				 const u16 layer_level)
+{
+	return dom_access_masks(domain)[layer_level].net;
+}
+
+static inline access_mask_t
+landlock_dom_get_scope_mask(const struct landlock_domain *const domain,
+			    const u16 layer_level)
 {
-	while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) {
-		const struct landlock_hierarchy *const freeme = hierarchy;
+	return dom_access_masks(domain)[layer_level].scope;
+}
 
-		landlock_log_drop_domain(hierarchy);
-		landlock_free_hierarchy_details(hierarchy);
-		hierarchy = hierarchy->parent;
-		kfree(freeme);
+/**
+ * landlock_dom_union_access_masks - Return all access rights handled in
+ * the domain
+ *
+ * @domain: Landlock domain
+ *
+ * Returns: an access_masks result of the OR of all the domain's access masks.
+ */
+static inline struct access_masks
+landlock_dom_union_access_masks(const struct landlock_domain *const domain)
+{
+	union access_masks_all matches = {};
+	size_t layer_level;
+
+	for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
+		union access_masks_all layer = {
+			.masks = dom_access_masks(domain)[layer_level],
+		};
+
+		matches.all |= layer.all;
 	}
+
+	return matches.masks;
 }
 
 #endif /* _SECURITY_LANDLOCK_DOMAIN_H */

security/landlock/fs.c

@@ -360,26 +360,24 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
  *
  * Returns NULL if no rule is found or if @dentry is negative.
  */
-static const struct landlock_rule *
-find_rule(const struct landlock_ruleset *const domain,
+static struct landlock_found_rule
+find_rule(const struct landlock_domain *const domain,
 	  const struct dentry *const dentry)
 {
-	const struct landlock_rule *rule;
 	const struct inode *inode;
-	struct landlock_id id = {
-		.type = LANDLOCK_KEY_INODE,
-	};
+	union landlock_key key;
+	struct landlock_found_rule found_rule = {};
 
 	/* Ignores nonexistent leafs. */
 	if (d_is_negative(dentry))
-		return NULL;
+		return found_rule;
 
 	inode = d_backing_inode(dentry);
 	rcu_read_lock();
-	id.key.object = rcu_dereference(landlock_inode(inode)->object);
-	rule = landlock_find_rule(domain, id);
+	key.object = rcu_dereference(landlock_inode(inode)->object);
+	found_rule = dom_find_index_fs(domain, key);
 	rcu_read_unlock();
-	return rule;
+	return found_rule;
 }
 
 /*
@@ -753,7 +751,7 @@ static void test_is_eacces_with_write(struct kunit *const test)
  * - false otherwise.
  */
 static bool is_access_to_paths_allowed(
-	const struct landlock_ruleset *const domain,
+	const struct landlock_domain *const domain,
 	const struct path *const path,
 	const access_mask_t access_request_parent1,
 	layer_mask_t (*const layer_masks_parent1)[LANDLOCK_NUM_ACCESS_FS],
@@ -799,7 +797,7 @@ static bool is_access_to_paths_allowed(
 		 * a superset of the meaningful requested accesses).
 		 */
 		access_masked_parent1 = access_masked_parent2 =
-			landlock_union_access_masks(domain).fs;
+			landlock_dom_union_access_masks(domain).fs;
 		is_dom_check = true;
 	} else {
 		if (WARN_ON_ONCE(dentry_child1 || dentry_child2))
@@ -838,7 +836,7 @@ static bool is_access_to_paths_allowed(
 	 * restriction.
 	 */
 	while (true) {
-		const struct landlock_rule *rule;
+		struct landlock_found_rule rule;
 
 		/*
 		 * If at least all accesses allowed on the destination are
@@ -1045,7 +1043,7 @@ static access_mask_t maybe_remove(const struct dentry *const dentry)
  * - false if the walk reached @mnt_root.
  */
 static bool collect_domain_accesses(
-	const struct landlock_ruleset *const domain,
+	const struct landlock_domain *const domain,
 	const struct dentry *const mnt_root, struct dentry *dir,
 	layer_mask_t (*const layer_masks_dom)[LANDLOCK_NUM_ACCESS_FS])
 {
@@ -1814,7 +1812,7 @@ static bool control_current_fowner(struct fown_struct *const fown)
 
 static void hook_file_set_fowner(struct file *file)
 {
-	struct landlock_ruleset *prev_dom;
+	struct landlock_domain *prev_dom;
 	struct landlock_cred_security fown_subject = {};
 	size_t fown_layer = 0;
 
@@ -1826,7 +1824,7 @@ static void hook_file_set_fowner(struct file *file)
 			landlock_get_applicable_subject(
 				current_cred(), signal_scope, &fown_layer);
 		if (new_subject) {
-			landlock_get_ruleset(new_subject->domain);
+			landlock_get_domain(new_subject->domain);
 			fown_subject = *new_subject;
 		}
 	}
@@ -1838,12 +1836,12 @@ static void hook_file_set_fowner(struct file *file)
 #endif /* CONFIG_AUDIT*/
 
 	/* May be called in an RCU read-side critical section. */
-	landlock_put_ruleset_deferred(prev_dom);
+	landlock_put_domain_deferred(prev_dom);
 }
 
 static void hook_file_free_security(struct file *file)
 {
-	landlock_put_ruleset_deferred(landlock_file(file)->fown_subject.domain);
+	landlock_put_domain_deferred(landlock_file(file)->fown_subject.domain);
 }
 
 static struct security_hook_list landlock_hooks[] __ro_after_init = {