landlock: Prepare to use credential instead of domain for network

This cosmetic change that is needed for audit support, specifically to
be able to filter according to cross-execution boundaries.

Optimize current_check_access_socket() to only handle the access
request.

Remove explicit domain->num_layers check which is now part of the
landlock_get_applicable_subject() call.

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-6-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/security/landlock/net.c b/security/landlock/net.c
index 104b6c01fe503b21073701de29ff592e2924bac3..c6ba42f3529ca224dd32fa84d8a397586aed0728 100644 (file)
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -1,9 +1,9 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Landlock LSM - Network management and hooks
+ * Landlock - Network management and hooks
  *
  * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
- * Copyright © 2022-2023 Microsoft Corporation
+ * Copyright © 2022-2025 Microsoft Corporation
  */
 
 #include <linux/in.h>
@@ -39,10 +39,6 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
        return err;
 }
 
-static const struct access_masks any_net = {
-       .net = ~0,
-};
-
 static int current_check_access_socket(struct socket *const sock,
                                       struct sockaddr *const address,
                                       const int addrlen,
@@ -54,14 +50,14 @@ static int current_check_access_socket(struct socket *const sock,
        struct landlock_id id = {
                .type = LANDLOCK_KEY_NET_PORT,
        };
-       const struct landlock_ruleset *const dom =
-               landlock_get_applicable_domain(landlock_get_current_domain(),
-                                              any_net);
+       const struct access_masks masks = {
+               .net = access_request,
+       };
+       const struct landlock_cred_security *const subject =
+               landlock_get_applicable_subject(current_cred(), masks, NULL);
 
-       if (!dom)
+       if (!subject)
                return 0;
-       if (WARN_ON_ONCE(dom->num_layers < 1))
-               return -EACCES;
 
        if (!sk_is_tcp(sock->sk))
                return 0;
@@ -145,9 +141,10 @@ static int current_check_access_socket(struct socket *const sock,
        id.key.data = (__force uintptr_t)port;
        BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
 
-       rule = landlock_find_rule(dom, id);
-       access_request = landlock_init_layer_masks(
-               dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
+       rule = landlock_find_rule(subject->domain, id);
+       access_request = landlock_init_layer_masks(subject->domain,
+                                                  access_request, &layer_masks,
+                                                  LANDLOCK_KEY_NET_PORT);
        if (landlock_unmask_layers(rule, access_request, &layer_masks,
                                   ARRAY_SIZE(layer_masks)))
                return 0;