1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 /* 3 * Landlock - User space API 4 * 5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> 6 * Copyright © 2018-2020 ANSSI 7 * Copyright © 2021-2025 Microsoft Corporation 8 */ 9 10 #ifndef _UAPI_LINUX_LANDLOCK_H 11 #define _UAPI_LINUX_LANDLOCK_H 12 13 #include <linux/types.h> 14 15 /** 16 * struct landlock_ruleset_attr - Ruleset definition. 17 * 18 * Argument of sys_landlock_create_ruleset(). 19 * 20 * This structure defines a set of *handled access rights*, a set of actions on 21 * different object types, which should be denied by default when the ruleset is 22 * enacted. Vice versa, access rights that are not specifically listed here are 23 * not going to be denied by this ruleset when it is enacted. 24 * 25 * For historical reasons, the %LANDLOCK_ACCESS_FS_REFER right is always denied 26 * by default, even when its bit is not set in @handled_access_fs. In order to 27 * add new rules with this access right, the bit must still be set explicitly 28 * (cf. `Filesystem flags`_). 29 * 30 * The explicit listing of *handled access rights* is required for backwards 31 * compatibility reasons. In most use cases, processes that use Landlock will 32 * *handle* a wide range or all access rights that they know about at build time 33 * (and that they have tested with a kernel that supported them all). 34 * 35 * This structure can grow in future Landlock versions. 36 */ 37 struct landlock_ruleset_attr { 38 /** 39 * @handled_access_fs: Bitmask of handled filesystem actions 40 * (cf. `Filesystem flags`_). 41 */ 42 __u64 handled_access_fs; 43 /** 44 * @handled_access_net: Bitmask of handled network actions (cf. `Network 45 * flags`_). 46 */ 47 __u64 handled_access_net; 48 /** 49 * @scoped: Bitmask of scopes (cf. `Scope flags`_) 50 * restricting a Landlock domain from accessing outside 51 * resources (e.g. IPCs). 52 */ 53 __u64 scoped; 54 }; 55 56 /** 57 * DOC: landlock_create_ruleset_flags 58 * 59 * **Flags** 60 * 61 * %LANDLOCK_CREATE_RULESET_VERSION 62 * Get the highest supported Landlock ABI version (starting at 1). 63 * 64 * %LANDLOCK_CREATE_RULESET_ERRATA 65 * Get a bitmask of fixed issues for the current Landlock ABI version. 66 */ 67 /* clang-format off */ 68 #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) 69 #define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) 70 /* clang-format on */ 71 72 /** 73 * DOC: landlock_restrict_self_flags 74 * 75 * **Flags** 76 * 77 * By default, denied accesses originating from programs that sandbox themselves 78 * are logged via the audit subsystem. Such events typically indicate unexpected 79 * behavior, such as bugs or exploitation attempts. However, to avoid excessive 80 * logging, access requests denied by a domain not created by the originating 81 * program are not logged by default. The rationale is that programs should know 82 * their own behavior, but not necessarily the behavior of other programs. This 83 * default configuration is suitable for most programs that sandbox themselves. 84 * For specific use cases, the following flags allow programs to modify this 85 * default logging behavior. 86 * 87 * The %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and 88 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flags apply to the newly created 89 * Landlock domain. 90 * 91 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF 92 * Disables logging of denied accesses originating from the thread creating 93 * the Landlock domain, as well as its children, as long as they continue 94 * running the same executable code (i.e., without an intervening 95 * :manpage:`execve(2)` call). This is intended for programs that execute 96 * unknown code without invoking :manpage:`execve(2)`, such as script 97 * interpreters. Programs that only sandbox themselves should not set this 98 * flag, so users can be notified of unauthorized access attempts via system 99 * logs. 100 * 101 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON 102 * Enables logging of denied accesses after an :manpage:`execve(2)` call, 103 * providing visibility into unauthorized access attempts by newly executed 104 * programs within the created Landlock domain. This flag is recommended 105 * only when all potential executables in the domain are expected to comply 106 * with the access restrictions, as excessive audit log entries could make 107 * it more difficult to identify critical events. 108 * 109 * %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF 110 * Disables logging of denied accesses originating from nested Landlock 111 * domains created by the caller or its descendants. This flag should be set 112 * according to runtime configuration, not hardcoded, to avoid suppressing 113 * important security events. It is useful for container runtimes or 114 * sandboxing tools that may launch programs which themselves create 115 * Landlock domains and could otherwise generate excessive logs. Unlike 116 * ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects 117 * future nested domains, not the one being created. It can also be used 118 * with a @ruleset_fd value of -1 to mute subdomain logs without creating a 119 * domain. 120 */ 121 /* clang-format off */ 122 #define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF (1U << 0) 123 #define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON (1U << 1) 124 #define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2) 125 /* clang-format on */ 126 127 /** 128 * enum landlock_rule_type - Landlock rule type 129 * 130 * Argument of sys_landlock_add_rule(). 131 */ 132 enum landlock_rule_type { 133 /** 134 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct 135 * landlock_path_beneath_attr . 136 */ 137 LANDLOCK_RULE_PATH_BENEATH = 1, 138 /** 139 * @LANDLOCK_RULE_NET_PORT: Type of a &struct 140 * landlock_net_port_attr . 141 */ 142 LANDLOCK_RULE_NET_PORT, 143 }; 144 145 /** 146 * struct landlock_path_beneath_attr - Path hierarchy definition 147 * 148 * Argument of sys_landlock_add_rule(). 149 */ 150 struct landlock_path_beneath_attr { 151 /** 152 * @allowed_access: Bitmask of allowed actions for this file hierarchy 153 * (cf. `Filesystem flags`_). 154 */ 155 __u64 allowed_access; 156 /** 157 * @parent_fd: File descriptor, preferably opened with ``O_PATH``, 158 * which identifies the parent directory of a file hierarchy, or just a 159 * file. 160 */ 161 __s32 parent_fd; 162 /* 163 * This struct is packed to avoid trailing reserved members. 164 * Cf. security/landlock/syscalls.c:build_check_abi() 165 */ 166 } __attribute__((packed)); 167 168 /** 169 * struct landlock_net_port_attr - Network port definition 170 * 171 * Argument of sys_landlock_add_rule(). 172 */ 173 struct landlock_net_port_attr { 174 /** 175 * @allowed_access: Bitmask of allowed network actions for a port 176 * (cf. `Network flags`_). 177 */ 178 __u64 allowed_access; 179 /** 180 * @port: Network port in host endianness. 181 * 182 * It should be noted that port 0 passed to :manpage:`bind(2)` will bind 183 * to an available port from the ephemeral port range. This can be 184 * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl 185 * (also used for IPv6). 186 * 187 * A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP`` 188 * right means that requesting to bind on port 0 is allowed and it will 189 * automatically translate to binding on the related port range. 190 */ 191 __u64 port; 192 }; 193 194 /** 195 * DOC: fs_access 196 * 197 * A set of actions on kernel objects may be defined by an attribute (e.g. 198 * &struct landlock_path_beneath_attr) including a bitmask of access. 199 * 200 * Filesystem flags 201 * ~~~~~~~~~~~~~~~~ 202 * 203 * These flags enable to restrict a sandboxed process to a set of actions on 204 * files and directories. Files or directories opened before the sandboxing 205 * are not subject to these restrictions. 206 * 207 * The following access rights apply only to files: 208 * 209 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. 210 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When 211 * opening files for writing, you will often additionally need the 212 * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls 213 * truncate existing files when overwriting them (e.g., :manpage:`creat(2)`). 214 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. 215 * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, 216 * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with 217 * ``O_TRUNC``. This access right is available since the third version of the 218 * Landlock ABI. 219 * 220 * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used 221 * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as 222 * read and write permissions are checked during :manpage:`open(2)` using 223 * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. 224 * 225 * A directory can receive access rights related to files or directories. The 226 * following access right is applied to the directory itself, and the 227 * directories beneath it: 228 * 229 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content. 230 * 231 * However, the following access rights only apply to the content of a 232 * directory, not the directory itself: 233 * 234 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one. 235 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file. 236 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character 237 * device. 238 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory. 239 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file. 240 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain 241 * socket. 242 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe. 243 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device. 244 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link. 245 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different 246 * directory (i.e. reparent a file hierarchy). 247 * 248 * This access right is available since the second version of the Landlock 249 * ABI. 250 * 251 * This is the only access right which is denied by default by any ruleset, 252 * even if the right is not specified as handled at ruleset creation time. 253 * The only way to make a ruleset grant this right is to explicitly allow it 254 * for a specific directory by adding a matching rule to the ruleset. 255 * 256 * In particular, when using the first Landlock ABI version, Landlock will 257 * always deny attempts to reparent files between different directories. 258 * 259 * In addition to the source and destination directories having the 260 * %LANDLOCK_ACCESS_FS_REFER access right, the attempted link or rename 261 * operation must meet the following constraints: 262 * 263 * * The reparented file may not gain more access rights in the destination 264 * directory than it previously had in the source directory. If this is 265 * attempted, the operation results in an ``EXDEV`` error. 266 * 267 * * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the 268 * respective file type must be granted for the destination directory. 269 * Otherwise, the operation results in an ``EACCES`` error. 270 * 271 * * When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the 272 * respective file type must be granted for the source directory. Otherwise, 273 * the operation results in an ``EACCES`` error. 274 * 275 * If multiple requirements are not met, the ``EACCES`` error code takes 276 * precedence over ``EXDEV``. 277 * 278 * The following access right applies both to files and directories: 279 * 280 * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened 281 * character or block device. 282 * 283 * This access right applies to all `ioctl(2)` commands implemented by device 284 * drivers. However, the following common IOCTL commands continue to be 285 * invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right: 286 * 287 * * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``), 288 * * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``), 289 * * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, 290 * ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``) 291 * * Some IOCTL commands which do not make sense when used with devices, but 292 * whose implementations are safe and return the right error codes 293 * (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) 294 * 295 * This access right is available since the fifth version of the Landlock 296 * ABI. 297 * 298 * .. warning:: 299 * 300 * It is currently not possible to restrict some file-related actions 301 * accessible through these syscall families: :manpage:`chdir(2)`, 302 * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, 303 * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, 304 * :manpage:`fcntl(2)`, :manpage:`access(2)`. 305 * Future Landlock evolutions will enable to restrict them. 306 */ 307 /* clang-format off */ 308 #define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) 309 #define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) 310 #define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) 311 #define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) 312 #define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4) 313 #define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5) 314 #define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6) 315 #define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7) 316 #define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8) 317 #define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9) 318 #define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10) 319 #define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11) 320 #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) 321 #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) 322 #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) 323 #define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) 324 /* clang-format on */ 325 326 /** 327 * DOC: net_access 328 * 329 * Network flags 330 * ~~~~~~~~~~~~~~~~ 331 * 332 * These flags enable to restrict a sandboxed process to a set of network 333 * actions. 334 * 335 * This is supported since Landlock ABI version 4. 336 * 337 * The following access rights apply to TCP port numbers: 338 * 339 * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port. 340 * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to 341 * a remote port. 342 */ 343 /* clang-format off */ 344 #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) 345 #define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) 346 /* clang-format on */ 347 348 /** 349 * DOC: scope 350 * 351 * Scope flags 352 * ~~~~~~~~~~~ 353 * 354 * These flags enable to isolate a sandboxed process from a set of IPC actions. 355 * Setting a flag for a ruleset will isolate the Landlock domain to forbid 356 * connections to resources outside the domain. 357 * 358 * This is supported since Landlock ABI version 6. 359 * 360 * Scopes: 361 * 362 * - %LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process from 363 * connecting to an abstract UNIX socket created by a process outside the 364 * related Landlock domain (e.g., a parent domain or a non-sandboxed process). 365 * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal 366 * to another process outside the domain. 367 */ 368 /* clang-format off */ 369 #define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0) 370 #define LANDLOCK_SCOPE_SIGNAL (1ULL << 1) 371 /* clang-format on*/ 372 373 #endif /* _UAPI_LINUX_LANDLOCK_H */ 374