Message-ID: <5a229249-fd4a-76ee-ec94-5f29ca3a245c@huawei.com>
Date:   Tue, 12 Apr 2022 11:38:33 +0300
From:   Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
To:     Mickaël Salaün <mic@...ikod.net>
CC:     <willemdebruijn.kernel@...il.com>,
        <linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
        <netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
        <artem.kuzin@...wei.com>, <anton.sirazetdinov@...wei.com>
Subject: Re: [RFC PATCH v4 08/15] landlock: add support network rules



4/11/2022 7:20 PM, Mickaël Salaün пишет:
> 
> On 11/04/2022 15:44, Konstantin Meskhidze wrote:
>>
>>
>> 4/8/2022 7:30 PM, Mickaël Salaün пишет:
> 
> [...]
> 
> 
>>>>   struct landlock_ruleset *landlock_create_ruleset(const struct 
>>>> landlock_access_mask *access_mask_set)
>>>>   {
>>>>       struct landlock_ruleset *new_ruleset;
>>>>
>>>>       /* Informs about useless ruleset. */
>>>> -    if (!access_mask_set->fs)
>>>> +    if (!access_mask_set->fs && !access_mask_set->net)
>>>>           return ERR_PTR(-ENOMSG);
>>>>       new_ruleset = create_ruleset(1);
>>>> -    if (!IS_ERR(new_ruleset))
>>>
>>> This is better:
>>>
>>> if (IS_ERR(new_ruleset))
>>>      return new_ruleset;
>>> if (access_mask_set->fs)
>>> ...
>>
>>    I dont get this condition. Do you mean that we return new_ruleset
>> anyway no matter what the masks's values are? So its possible to have 
>> 0 masks values, is't it?
> 
> No, the logic is correct but it would be simpler to exit as soon as 
> there is a ruleset error, you don't need to duplicate 
> "IS_ERR(new_ruleset) &&":
> 
> if (IS_ERR(new_ruleset))
>      return new_ruleset;
> if (access_mask_set->fs)
>      landlock_set_fs_access_mask(new_ruleset, access_mask_set, 0);
> if (access_mask_set->net)
>      landlock_set_net_access_mask(new_ruleset, access_mask_set, 0);
> return new_ruleset;
> 
   Ok. I got it. Thank you.
> .

Powered by blists - more mailing lists