summaryrefslogtreecommitdiffstats
path: root/security/landlock
diff options
context:
space:
mode:
authorMickaël Salaün <mic@digikod.net>2023-06-12 21:14:25 +0200
committerMickaël Salaün <mic@digikod.net>2023-06-12 21:26:19 +0200
commit74ce793bcbde5cef0f82d6ccb3c47cb651295a9a (patch)
treeaf52b942aba6e0539e65ebfced7d46f8bb770cfd /security/landlock
parent858fd168a95c5b9669aac8db6c14a9aeab446375 (diff)
downloadlinux-74ce793bcbde5cef0f82d6ccb3c47cb651295a9a.tar.gz
linux-74ce793bcbde5cef0f82d6ccb3c47cb651295a9a.tar.bz2
linux-74ce793bcbde5cef0f82d6ccb3c47cb651295a9a.zip
hostfs: Fix ephemeral inodes
hostfs creates a new inode for each opened or created file, which created useless inode allocations and forbade identifying a host file with a kernel inode. Fix this uncommon filesystem behavior by tying kernel inodes to host file's inode and device IDs. Even if the host filesystem inodes may be recycled, this cannot happen while a file referencing it is opened, which is the case with hostfs. It should be noted that hostfs inode IDs may not be unique for the same hostfs superblock because multiple host's (backed) superblocks may be used. Delete inodes when dropping them to force backed host's file descriptors closing. This enables to entirely remove ARCH_EPHEMERAL_INODES, and then makes Landlock fully supported by UML. This is very useful for testing changes. These changes also factor out and simplify some helpers thanks to the new hostfs_inode_update() and the hostfs_iget() revamp: read_name(), hostfs_create(), hostfs_lookup(), hostfs_mknod(), and hostfs_fill_sb_common(). A following commit with new Landlock tests check this new hostfs inode consistency. Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com> Cc: Johannes Berg <johannes@sipsolutions.net> Acked-by: Richard Weinberger <richard@nod.at> Link: https://lore.kernel.org/r/20230612191430.339153-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'security/landlock')
-rw-r--r--security/landlock/Kconfig2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
index 8e33c4e8ffb8..c1e862a38410 100644
--- a/security/landlock/Kconfig
+++ b/security/landlock/Kconfig
@@ -2,7 +2,7 @@
config SECURITY_LANDLOCK
bool "Landlock support"
- depends on SECURITY && !ARCH_EPHEMERAL_INODES
+ depends on SECURITY
select SECURITY_PATH
help
Landlock is a sandboxing mechanism that enables processes to restrict