Skip to content

Commit f1f2797

Browse files
torvaldstorvalds
committed
Merge tag 'landlock-6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull landlock fixes from Mickaël Salaün: "This fixes a KUnit issue, simplifies code, and adds new tests" * tag 'landlock-6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: landlock: Improve bit operations in audit code landlock: Remove KUnit test that triggers a warning
2 parents fe661d0 + 3039ed4 commit f1f2797

File tree

3 files changed

+35
-5
lines changed

3 files changed

+35
-5
lines changed

security/landlock/audit.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -175,7 +175,7 @@ static void test_get_hierarchy(struct kunit *const test)
175175
KUNIT_EXPECT_EQ(test, 10, get_hierarchy(&dom2, 0)->id);
176176
KUNIT_EXPECT_EQ(test, 20, get_hierarchy(&dom2, 1)->id);
177177
KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, 2)->id);
178-
KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, -1)->id);
178+
/* KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, -1)->id); */
179179
}
180180

181181
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
@@ -437,7 +437,7 @@ void landlock_log_denial(const struct landlock_cred_security *const subject,
437437
return;
438438

439439
/* Checks if the current exec was restricting itself. */
440-
if (subject->domain_exec & (1 << youngest_layer)) {
440+
if (subject->domain_exec & BIT(youngest_layer)) {
441441
/* Ignores denials for the same execution. */
442442
if (!youngest_denied->log_same_exec)
443443
return;

security/landlock/id.c

Lines changed: 31 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77

88
#include <kunit/test.h>
99
#include <linux/atomic.h>
10+
#include <linux/bitops.h>
1011
#include <linux/random.h>
1112
#include <linux/spinlock.h>
1213

@@ -25,7 +26,7 @@ static void __init init_id(atomic64_t *const counter, const u32 random_32bits)
2526
* Ensures sure 64-bit values are always used by user space (or may
2627
* fail with -EOVERFLOW), and makes this testable.
2728
*/
28-
init = 1ULL << 32;
29+
init = BIT_ULL(32);
2930

3031
/*
3132
* Makes a large (2^32) boot-time value to limit ID collision in logs
@@ -105,7 +106,7 @@ static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter,
105106
* to get a new ID (e.g. a full landlock_restrict_self() call), and the
106107
* cost of draining all available IDs during the system's uptime.
107108
*/
108-
random_4bits = random_4bits % (1 << 4);
109+
random_4bits &= 0b1111;
109110
step = number_of_ids + random_4bits;
110111

111112
/* It is safe to cast a signed atomic to an unsigned value. */
@@ -144,6 +145,19 @@ static void test_range1_rand1(struct kunit *const test)
144145
init + 2);
145146
}
146147

148+
static void test_range1_rand15(struct kunit *const test)
149+
{
150+
atomic64_t counter;
151+
u64 init;
152+
153+
init = get_random_u32();
154+
atomic64_set(&counter, init);
155+
KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init);
156+
KUNIT_EXPECT_EQ(
157+
test, get_id_range(get_random_u8(), &counter, get_random_u8()),
158+
init + 16);
159+
}
160+
147161
static void test_range1_rand16(struct kunit *const test)
148162
{
149163
atomic64_t counter;
@@ -196,6 +210,19 @@ static void test_range2_rand2(struct kunit *const test)
196210
init + 4);
197211
}
198212

213+
static void test_range2_rand15(struct kunit *const test)
214+
{
215+
atomic64_t counter;
216+
u64 init;
217+
218+
init = get_random_u32();
219+
atomic64_set(&counter, init);
220+
KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init);
221+
KUNIT_EXPECT_EQ(
222+
test, get_id_range(get_random_u8(), &counter, get_random_u8()),
223+
init + 17);
224+
}
225+
199226
static void test_range2_rand16(struct kunit *const test)
200227
{
201228
atomic64_t counter;
@@ -232,10 +259,12 @@ static struct kunit_case __refdata test_cases[] = {
232259
KUNIT_CASE(test_init_once),
233260
KUNIT_CASE(test_range1_rand0),
234261
KUNIT_CASE(test_range1_rand1),
262+
KUNIT_CASE(test_range1_rand15),
235263
KUNIT_CASE(test_range1_rand16),
236264
KUNIT_CASE(test_range2_rand0),
237265
KUNIT_CASE(test_range2_rand1),
238266
KUNIT_CASE(test_range2_rand2),
267+
KUNIT_CASE(test_range2_rand15),
239268
KUNIT_CASE(test_range2_rand16),
240269
{}
241270
/* clang-format on */

security/landlock/syscalls.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99

1010
#include <asm/current.h>
1111
#include <linux/anon_inodes.h>
12+
#include <linux/bitops.h>
1213
#include <linux/build_bug.h>
1314
#include <linux/capability.h>
1415
#include <linux/cleanup.h>
@@ -563,7 +564,7 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
563564
new_llcred->domain = new_dom;
564565

565566
#ifdef CONFIG_AUDIT
566-
new_llcred->domain_exec |= 1 << (new_dom->num_layers - 1);
567+
new_llcred->domain_exec |= BIT(new_dom->num_layers - 1);
567568
#endif /* CONFIG_AUDIT */
568569

569570
return commit_creds(new_cred);

0 commit comments

Comments
 (0)