Skip to content

Landlock flat array domains #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 15 commits into
base: landlock-arraydomain-base
Choose a base branch
from
Open

Landlock flat array domains #9

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
b31be6f
landlock: Set the max rules limit in a domain to U16_MAX.
micromaomao Jun 29, 2025
ad81292
landlock/domain: Define structure and macros for flat-array domains
micromaomao Jul 5, 2025
30dc8fa
landlock: Define coalesced hashtable and implement finding
micromaomao Jul 5, 2025
9c6e45f
landlock/domain: Implement finding rules
micromaomao Jul 6, 2025
8cc7453
landlock/coalesced_hash: Implement insert
micromaomao Jul 5, 2025
cd78dce
landlock/domain: Implement merging of a parent domain and a ruleset
micromaomao Jul 5, 2025
14af55b
landlock/domain: Define alloc and free
micromaomao Jun 28, 2025
0f9d71b
landlock/domain: Add landlock_domain_merge_ruleset
micromaomao Jun 28, 2025
adc6e61
landlock: Update various code to use landlock_domain
micromaomao Jun 29, 2025
7684304
landlock: Remove unused code
micromaomao Jun 29, 2025
3d11e94
landlock/task: Fix incorrect BUILD_BUG_ON() in domain_is_scoped
micromaomao Jul 6, 2025
617b9d8
landlock: Use a hash function that does not involve division
micromaomao Jul 6, 2025
36d1b60
landlock/domain: use power of 2 size hashtables
micromaomao Jul 12, 2025
2f73952
fixup! landlock: Define coalesced hashtable and implement finding
micromaomao Jul 12, 2025
edb052b
tracing collisions
micromaomao Jul 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions include/trace/events/landlock.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright © 2025 Microsoft Corporation
*/

#undef TRACE_SYSTEM
#define TRACE_SYSTEM landlock

#if !defined(_TRACE_LANDLOCK_H) || defined(TRACE_HEADER_MULTI_READ)
#define _TRACE_LANDLOCK_H

#include <linux/tracepoint.h>

struct landlock_domain_index;

TRACE_EVENT(
landlock_domain_hash_find,
TP_PROTO(
const struct landlock_domain_index* indices_arr,
u32 num_indices,
int hash_bits,
const struct landlock_domain_index* elem_to_find,
u32 collisions_followed
),

TP_ARGS(indices_arr, num_indices, hash_bits, elem_to_find, collisions_followed),
TP_STRUCT__entry(
__field(const struct landlock_domain_index *, indices_arr)
__field(u32, num_indices)
__field(u32, hash_bits)
__field(uintptr_t, key)
__field(u32, collisions_followed)
),

TP_fast_assign(
__entry->indices_arr = indices_arr;
__entry->num_indices = num_indices;
__entry->hash_bits = hash_bits;
__entry->key = *(uintptr_t *)elem_to_find;
__entry->collisions_followed = collisions_followed;
),

TP_printk(
"indices_arr=%p num_indices=%u hash_bits=%u, key=%lx collisions_followed=%u",
__entry->indices_arr,
__entry->num_indices,
__entry->hash_bits,
__entry->key,
__entry->collisions_followed
)
);

#endif /* _TRACE_LANDLOCK_H */

/* This part must be outside protection */
#include <trace/define_trace.h>
2 changes: 1 addition & 1 deletion security/landlock/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o

landlock-y := setup.o syscalls.o object.o ruleset.o \
cred.o task.o fs.o
cred.o task.o trace.o fs.o

landlock-$(CONFIG_INET) += net.o

Expand Down
8 changes: 4 additions & 4 deletions security/landlock/audit.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ static void log_domain(struct landlock_hierarchy *const hierarchy)
}

static struct landlock_hierarchy *
get_hierarchy(const struct landlock_ruleset *const domain, const size_t layer)
get_hierarchy(const struct landlock_domain *const domain, const size_t layer)
{
struct landlock_hierarchy *hierarchy = domain->hierarchy;
ssize_t i;
Expand Down Expand Up @@ -167,7 +167,7 @@ static void test_get_hierarchy(struct kunit *const test)
.parent = &dom1_hierarchy,
.id = 30,
};
struct landlock_ruleset dom2 = {
struct landlock_domain dom2 = {
.hierarchy = &dom2_hierarchy,
.num_layers = 3,
};
Expand All @@ -180,7 +180,7 @@ static void test_get_hierarchy(struct kunit *const test)

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

static size_t get_denied_layer(const struct landlock_ruleset *const domain,
static size_t get_denied_layer(const struct landlock_domain *const domain,
access_mask_t *const access_request,
const layer_mask_t (*const layer_masks)[],
const size_t layer_masks_size)
Expand Down Expand Up @@ -218,7 +218,7 @@ static size_t get_denied_layer(const struct landlock_ruleset *const domain,

static void test_get_denied_layer(struct kunit *const test)
{
const struct landlock_ruleset dom = {
const struct landlock_domain dom = {
.num_layers = 5,
};
const layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {
Expand Down
Loading