[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5a229249-fd4a-76ee-ec94-5f29ca3a245c@huawei.com>
Date: Tue, 12 Apr 2022 11:38:33 +0300
From: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
To: Mickaël Salaün <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>, <anton.sirazetdinov@...wei.com>
Subject: Re: [RFC PATCH v4 08/15] landlock: add support network rules
4/11/2022 7:20 PM, Mickaël Salaün пишет:
>
> On 11/04/2022 15:44, Konstantin Meskhidze wrote:
>>
>>
>> 4/8/2022 7:30 PM, Mickaël Salaün пишет:
>
> [...]
>
>
>>>> struct landlock_ruleset *landlock_create_ruleset(const struct
>>>> landlock_access_mask *access_mask_set)
>>>> {
>>>> struct landlock_ruleset *new_ruleset;
>>>>
>>>> /* Informs about useless ruleset. */
>>>> - if (!access_mask_set->fs)
>>>> + if (!access_mask_set->fs && !access_mask_set->net)
>>>> return ERR_PTR(-ENOMSG);
>>>> new_ruleset = create_ruleset(1);
>>>> - if (!IS_ERR(new_ruleset))
>>>
>>> This is better:
>>>
>>> if (IS_ERR(new_ruleset))
>>> return new_ruleset;
>>> if (access_mask_set->fs)
>>> ...
>>
>> I dont get this condition. Do you mean that we return new_ruleset
>> anyway no matter what the masks's values are? So its possible to have
>> 0 masks values, is't it?
>
> No, the logic is correct but it would be simpler to exit as soon as
> there is a ruleset error, you don't need to duplicate
> "IS_ERR(new_ruleset) &&":
>
> if (IS_ERR(new_ruleset))
> return new_ruleset;
> if (access_mask_set->fs)
> landlock_set_fs_access_mask(new_ruleset, access_mask_set, 0);
> if (access_mask_set->net)
> landlock_set_net_access_mask(new_ruleset, access_mask_set, 0);
> return new_ruleset;
>
Ok. I got it. Thank you.
> .
Powered by blists - more mailing lists