landlock: Allow FS topology changes for domains without such rule type
authorMickaël Salaün <mic@digikod.net>
Thu, 26 Oct 2023 01:47:41 +0000 (09:47 +0800)
committerMickaël Salaün <mic@digikod.net>
Thu, 26 Oct 2023 19:07:10 +0000 (21:07 +0200)
commitd7220364039f6beb76f311c05f74cad89da5fad5
tree194f8b69bae8b29035d3db2045c356d44827be36
parent13fc6455fa19b0859e1b9640bf09903bec8df4f4
landlock: Allow FS topology changes for domains without such rule type

Allow mount point and root directory changes when there is no filesystem
rule tied to the current Landlock domain. This doesn't change anything
for now because a domain must have at least a (filesystem) rule, but
this will change when other rule types will come. For instance, a domain
only restricting the network should have no impact on filesystem
restrictions.

Add a new get_current_fs_domain() helper to quickly check filesystem
rule existence for all filesystem LSM hooks.

Remove unnecessary inlining.

Link: https://lore.kernel.org/r/20231026014751.414649-3-konstantin.meskhidze@huawei.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Documentation/userspace-api/landlock.rst
security/landlock/fs.c
security/landlock/ruleset.h
security/landlock/syscalls.c