
Commit 602acfb

landlock: Optimize stack usage when !CONFIG_AUDIT
Until now, each landlock_request struct was allocated on the stack, even if not really used, because is_access_to_paths_allowed() unconditionally modified the passed references. Even if the changed landlock_request variables are not used, the compiler is not smart enough to detect this case.

To avoid this issue, explicitly disable the related code when CONFIG_AUDIT is not set, which enables elision of log_request_parent* and associated caller's stack variables thanks to dead code elimination. This makes it possible to reduce the stack frame by 32 bytes for the path_link and path_rename hooks, and by 20 bytes for most other filesystem hooks.

Here is a summary of scripts/stackdelta before and after this change when CONFIG_AUDIT is disabled:

  current_check_refer_path    560  320  -240
  current_check_access_path   328  184  -144
  hook_file_open              328  184  -144
  is_access_to_paths_allowed  376  360   -16

Also, add extra pointer checks to be more future-proof.

Cc: Günther Noack <gnoack@google.com>
Reported-by: Tingmao Wang <m@maowtm.org>
Closes: https://lore.kernel.org/r/eb86863b-53b0-460b-b223-84dd31d765b9@maowtm.org
Fixes: 2fc80c6 ("landlock: Log file-related denials")
Link: https://lore.kernel.org/r/20251219142302.744917-2-mic@digikod.net
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
[mic: Improve stack usage measurement accuracy with scripts/stackdelta]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
1 parent 6548fb5 commit 602acfb

1 file changed

Lines changed: 9 additions & 2 deletions

security/landlock/fs.c

@@ -939,7 +939,12 @@ static bool is_access_to_paths_allowed(
939939
}
940940
path_put(&walker_path);
941941

942-
if (!allowed_parent1) {
942+
/*
943+
* Check CONFIG_AUDIT to enable elision of log_request_parent* and
944+
* associated caller's stack variables thanks to dead code elimination.
945+
*/
946+
#ifdef CONFIG_AUDIT
947+
if (!allowed_parent1 && log_request_parent1) {
943948
log_request_parent1->type = LANDLOCK_REQUEST_FS_ACCESS;
944949
log_request_parent1->audit.type = LSM_AUDIT_DATA_PATH;
945950
log_request_parent1->audit.u.path = *path;
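Review bot: the `#ifdef CONFIG_AUDIT` at new line 946 puts a preprocessor conditional inside the body of is_access_to_paths_allowed(), so both log_request_parent* blocks stop being compiled and type-checked when CONFIG_AUDIT is off. Kernel coding style prefers a C conditional where possible, for example `if (IS_ENABLED(CONFIG_AUDIT) && !allowed_parent1 && log_request_parent1)`, which the compiler can still drop as dead code. This assumes the fields assigned here exist in both configurations, and the scripts/stackdelta figures would need re-checking to confirm the same savings.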
@@ -949,7 +954,7 @@ static bool is_access_to_paths_allowed(
949954
ARRAY_SIZE(*layer_masks_parent1);
950955
}
951956

952-
if (!allowed_parent2) {
957+
if (!allowed_parent2 && log_request_parent2) {
953958
log_request_parent2->type = LANDLOCK_REQUEST_FS_ACCESS;
954959
log_request_parent2->audit.type = LSM_AUDIT_DATA_PATH;
955960
log_request_parent2->audit.u.path = *path;
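Review bot: the added `&& log_request_parent2` test at new line 957 (and the matching one for parent1 at 947) means a NULL pointer now silently skips filling in the request for a denied access, and nothing flags the caller that passed it. If NULL is a supported argument, say so in the function's comment; if it is not, consider a warning such as `WARN_ON_ONCE(!log_request_parent2)` so that a request left unfilled shows up in testing instead of being masked by the check.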
@@ -958,6 +963,8 @@ static bool is_access_to_paths_allowed(
958963
log_request_parent2->layer_masks_size =
959964
ARRAY_SIZE(*layer_masks_parent2);
960965
}
966+
#endif /* CONFIG_AUDIT */
967+
961968
return allowed_parent1 && allowed_parent2;
962969
}
963970
