fixup! landlock/audit: Check for quiet flag in landlock_log_denial

Author: micromaomao

security/landlock/audit.c

@@ -386,12 +386,12 @@ static bool is_valid_request(const struct landlock_request *const request)
  *
  * @subject: The Landlock subject's credential denying an action.
  * @request: Detail of the user space request.
- * @rule_flags: The flags for the matched rule, or NULL if this is a
- * scope request (no particular object involved).
+ * @rule_flags: The flags for the matched rule, or no_rule_flags (zero) if
+ * this is a scope request (no particular object involved).
  */
 void landlock_log_denial(const struct landlock_cred_security *const subject,
 			 const struct landlock_request *const request,
-			 const struct collected_rule_flags *const rule_flags)
+			 const struct collected_rule_flags rule_flags)
 {
 	struct audit_buffer *ab;
 	struct landlock_hierarchy *youngest_denied;
@@ -440,13 +440,12 @@ void landlock_log_denial(const struct landlock_cred_security *const subject,
 		return;
 
 	/*
-	 * Check if the object is marked quiet by the layer that denied the
-	 * request.  (If it's a different layer that marked it as quiet, but
+	 * Checks if the object is marked quiet by the layer that denied the
+	 * request.  If it's a different layer that marked it as quiet, but
 	 * that layer is not the one that denied the request, we should still
-	 * audit log the denial)
+	 * audit log the denial.
 	 */
-	if (rule_flags &&
-	    rule_flags->quiet_masks & BIT(youngest_layer)) {
+	if (rule_flags.quiet_masks & BIT(youngest_layer)) {
 		return;
 	}
 

security/landlock/audit.h

@@ -57,7 +57,7 @@ void landlock_log_drop_domain(const struct landlock_hierarchy *const hierarchy);
 
 void landlock_log_denial(const struct landlock_cred_security *const subject,
 			 const struct landlock_request *const request,
-			 const struct collected_rule_flags *const rule_flags);
+			 const struct collected_rule_flags rule_flags);
 
 #else /* CONFIG_AUDIT */
 

security/landlock/fs.c

@@ -984,7 +984,7 @@ static int current_check_access_path(const struct path *const path,
 				       NULL, 0, NULL, NULL, NULL, NULL))
 		return 0;
 
-	landlock_log_denial(subject, &request, &rule_flags);
+	landlock_log_denial(subject, &request, rule_flags);
 	return -EACCES;
 }
 
@@ -1194,7 +1194,7 @@ static int current_check_refer_path(struct dentry *const old_dentry,
 			    &request1, NULL, 0, NULL, NULL, NULL, NULL))
 			return 0;
 
-		landlock_log_denial(subject, &request1, &rule_flags_parent1);
+		landlock_log_denial(subject, &request1, rule_flags_parent1);
 		return -EACCES;
 	}
 
@@ -1243,13 +1243,11 @@ static int current_check_refer_path(struct dentry *const old_dentry,
 
 	if (request1.access) {
 		request1.audit.u.path.dentry = old_parent;
-		landlock_log_denial(subject, &request1,
-				    &rule_flags_parent1);
+		landlock_log_denial(subject, &request1, rule_flags_parent1);
 	}
 	if (request2.access) {
 		request2.audit.u.path.dentry = new_dir->dentry;
-		landlock_log_denial(subject, &request2,
-				    &rule_flags_parent2);
+		landlock_log_denial(subject, &request2, rule_flags_parent2);
 	}
 
 	/*
@@ -1405,7 +1403,7 @@ log_fs_change_topology_path(const struct landlock_cred_security *const subject,
 			.u.path = *path,
 		},
 		.layer_plus_one = handle_layer + 1,
-	}, NULL);
+	}, no_rule_flags);
 }
 
 static void log_fs_change_topology_dentry(
@@ -1419,7 +1417,7 @@ static void log_fs_change_topology_dentry(
 			.u.dentry = dentry,
 		},
 		.layer_plus_one = handle_layer + 1,
-	}, NULL);
+	}, no_rule_flags);
 }
 
 /*
@@ -1707,7 +1705,7 @@ static int hook_file_open(struct file *const file)
 
 	/* Sets access to reflect the actual request. */
 	request.access = open_access_request;
-	landlock_log_denial(subject, &request, &rule_flags);
+	landlock_log_denial(subject, &request, rule_flags);
 	return -EACCES;
 }
 
@@ -1737,7 +1735,7 @@ static int hook_file_truncate(struct file *const file)
 #ifdef CONFIG_AUDIT
 		.deny_masks = landlock_file(file)->deny_masks,
 #endif /* CONFIG_AUDIT */
-	}, NULL);
+	}, no_rule_flags);
 	return -EACCES;
 }
 
@@ -1776,7 +1774,7 @@ static int hook_file_ioctl_common(const struct file *const file,
 #ifdef CONFIG_AUDIT
 		.deny_masks = landlock_file(file)->deny_masks,
 #endif /* CONFIG_AUDIT */
-	}, NULL);
+	}, no_rule_flags);
 	return -EACCES;
 }
 

security/landlock/net.c

@@ -194,7 +194,7 @@ static int current_check_access_socket(struct socket *const sock,
 				    .layer_masks = &layer_masks,
 				    .layer_masks_size = ARRAY_SIZE(layer_masks),
 			    },
-			    &rule_flags);
+			    rule_flags);
 	return -EACCES;
 }
 

security/landlock/ruleset.h

@@ -58,6 +58,11 @@ struct collected_rule_flags {
 	layer_mask_t quiet_masks;
 };
 
+/**
+ * no_rule_flags - Convenience constant for an empty collected_rule_flags
+ */
+static const struct collected_rule_flags no_rule_flags = { 0 };
+
 /**
  * union landlock_key - Key of a ruleset's red-black tree
  */

security/landlock/task.c

@@ -115,7 +115,7 @@ static int hook_ptrace_access_check(struct task_struct *const child,
 				.u.tsk = child,
 			},
 			.layer_plus_one = parent_subject->domain->num_layers,
-		}, NULL);
+		}, no_rule_flags);
 
 	return err;
 }
@@ -161,7 +161,7 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
 			.u.tsk = current,
 		},
 		.layer_plus_one = parent_subject->domain->num_layers,
-	}, NULL);
+	}, no_rule_flags);
 	return err;
 }
 
@@ -290,7 +290,7 @@ static int hook_unix_stream_connect(struct sock *const sock,
 			},
 		},
 		.layer_plus_one = handle_layer + 1,
-	}, NULL);
+	}, no_rule_flags);
 	return -EPERM;
 }
 
@@ -327,7 +327,7 @@ static int hook_unix_may_send(struct socket *const sock,
 			},
 		},
 		.layer_plus_one = handle_layer + 1,
-	}, NULL);
+	}, no_rule_flags);
 	return -EPERM;
 }
 
@@ -383,7 +383,7 @@ static int hook_task_kill(struct task_struct *const p,
 			.u.tsk = p,
 		},
 		.layer_plus_one = handle_layer + 1,
-	}, NULL);
+	}, no_rule_flags);
 	return -EPERM;
 }
 
@@ -426,7 +426,7 @@ static int hook_file_send_sigiotask(struct task_struct *tsk,
 #ifdef CONFIG_AUDIT
 		.layer_plus_one = landlock_file(fown->file)->fown_layer + 1,
 #endif /* CONFIG_AUDIT */
-	}, NULL);
+	}, no_rule_flags);
 	return -EPERM;
 }