1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 /* 3 * Landlock - User space API 4 * 5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> 6 * Copyright © 2018-2020 ANSSI 7 * Copyright © 2021-2025 Microsoft Corporation 8 */ 9 10 #ifndef _UAPI_LINUX_LANDLOCK_H 11 #define _UAPI_LINUX_LANDLOCK_H 12 13 #include <linux/types.h> 14 15 /** 16 * struct landlock_ruleset_attr - Ruleset definition. 17 * 18 * Argument of sys_landlock_create_ruleset(). 19 * 20 * This structure defines a set of *handled access rights*, a set of actions on 21 * different object types, which should be denied by default when the ruleset is 22 * enacted. Vice versa, access rights that are not specifically listed here are 23 * not going to be denied by this ruleset when it is enacted. 24 * 25 * For historical reasons, the %LANDLOCK_ACCESS_FS_REFER right is always denied 26 * by default, even when its bit is not set in @handled_access_fs. In order to 27 * add new rules with this access right, the bit must still be set explicitly 28 * (cf. `Filesystem flags`_). 29 * 30 * The explicit listing of *handled access rights* is required for backwards 31 * compatibility reasons. In most use cases, processes that use Landlock will 32 * *handle* a wide range or all access rights that they know about at build time 33 * (and that they have tested with a kernel that supported them all). 34 * 35 * This structure can grow in future Landlock versions. 36 */ 37 struct landlock_ruleset_attr { 38 /** 39 * @handled_access_fs: Bitmask of handled filesystem actions 40 * (cf. `Filesystem flags`_). 41 */ 42 __u64 handled_access_fs; 43 /** 44 * @handled_access_net: Bitmask of handled network actions (cf. `Network 45 * flags`_). 46 */ 47 __u64 handled_access_net; 48 /** 49 * @scoped: Bitmask of scopes (cf. `Scope flags`_) 50 * restricting a Landlock domain from accessing outside 51 * resources (e.g. IPCs). 52 */ 53 __u64 scoped; 54 }; 55 56 /** 57 * DOC: landlock_create_ruleset_flags 58 * 59 * **Flags** 60 * 61 * %LANDLOCK_CREATE_RULESET_VERSION 62 * Get the highest supported Landlock ABI version (starting at 1). 63 * 64 * %LANDLOCK_CREATE_RULESET_ERRATA 65 * Get a bitmask of fixed issues for the current Landlock ABI version. 66 */ 67 /* clang-format off */ 68 #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) 69 #define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) 70 /* clang-format on */ 71 72 /** 73 * DOC: landlock_restrict_self_flags 74 * 75 * **Flags** 76 * 77 * By default, denied accesses originating from programs that sandbox themselves 78 * are logged via the audit subsystem. Such events typically indicate unexpected 79 * behavior, such as bugs or exploitation attempts. However, to avoid excessive 80 * logging, access requests denied by a domain not created by the originating 81 * program are not logged by default. The rationale is that programs should know 82 * their own behavior, but not necessarily the behavior of other programs. This 83 * default configuration is suitable for most programs that sandbox themselves. 84 * For specific use cases, the following flags allow programs to modify this 85 * default logging behavior. 86 * 87 * The %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and 88 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flags apply to the newly created 89 * Landlock domain. 90 * 91 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF 92 * Disables logging of denied accesses originating from the thread creating 93 * the Landlock domain, as well as its children, as long as they continue 94 * running the same executable code (i.e., without an intervening 95 * :manpage:`execve(2)` call). This is intended for programs that execute 96 * unknown code without invoking :manpage:`execve(2)`, such as script 97 * interpreters. Programs that only sandbox themselves should not set this 98 * flag, so users can be notified of unauthorized access attempts via system 99 * logs. 100 * 101 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON 102 * Enables logging of denied accesses after an :manpage:`execve(2)` call, 103 * providing visibility into unauthorized access attempts by newly executed 104 * programs within the created Landlock domain. This flag is recommended 105 * only when all potential executables in the domain are expected to comply 106 * with the access restrictions, as excessive audit log entries could make 107 * it more difficult to identify critical events. 108 * 109 * %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF 110 * Disables logging of denied accesses originating from nested Landlock 111 * domains created by the caller or its descendants. This flag should be set 112 * according to runtime configuration, not hardcoded, to avoid suppressing 113 * important security events. It is useful for container runtimes or 114 * sandboxing tools that may launch programs which themselves create 115 * Landlock domains and could otherwise generate excessive logs. Unlike 116 * ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects 117 * future nested domains, not the one being created. It can also be used 118 * with a @ruleset_fd value of -1 to mute subdomain logs without creating a 119 * domain. 120 * 121 * The following flag supports policy enforcement in multithreaded processes: 122 * 123 * %LANDLOCK_RESTRICT_SELF_TSYNC 124 * Applies the new Landlock configuration atomically to all threads of the 125 * current process, including the Landlock domain and logging 126 * configuration. This overrides the Landlock configuration of sibling 127 * threads, irrespective of previously established Landlock domains and 128 * logging configurations on these threads. 129 * 130 * If the calling thread is running with no_new_privs, this operation 131 * enables no_new_privs on the sibling threads as well. 132 */ 133 /* clang-format off */ 134 #define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF (1U << 0) 135 #define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON (1U << 1) 136 #define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2) 137 #define LANDLOCK_RESTRICT_SELF_TSYNC (1U << 3) 138 /* clang-format on */ 139 140 /** 141 * enum landlock_rule_type - Landlock rule type 142 * 143 * Argument of sys_landlock_add_rule(). 144 */ 145 enum landlock_rule_type { 146 /** 147 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct 148 * landlock_path_beneath_attr . 149 */ 150 LANDLOCK_RULE_PATH_BENEATH = 1, 151 /** 152 * @LANDLOCK_RULE_NET_PORT: Type of a &struct 153 * landlock_net_port_attr . 154 */ 155 LANDLOCK_RULE_NET_PORT, 156 }; 157 158 /** 159 * struct landlock_path_beneath_attr - Path hierarchy definition 160 * 161 * Argument of sys_landlock_add_rule(). 162 */ 163 struct landlock_path_beneath_attr { 164 /** 165 * @allowed_access: Bitmask of allowed actions for this file hierarchy 166 * (cf. `Filesystem flags`_). 167 */ 168 __u64 allowed_access; 169 /** 170 * @parent_fd: File descriptor, preferably opened with ``O_PATH``, 171 * which identifies the parent directory of a file hierarchy, or just a 172 * file. 173 */ 174 __s32 parent_fd; 175 /* 176 * This struct is packed to avoid trailing reserved members. 177 * Cf. security/landlock/syscalls.c:build_check_abi() 178 */ 179 } __attribute__((packed)); 180 181 /** 182 * struct landlock_net_port_attr - Network port definition 183 * 184 * Argument of sys_landlock_add_rule(). 185 */ 186 struct landlock_net_port_attr { 187 /** 188 * @allowed_access: Bitmask of allowed network actions for a port 189 * (cf. `Network flags`_). 190 */ 191 __u64 allowed_access; 192 /** 193 * @port: Network port in host endianness. 194 * 195 * It should be noted that port 0 passed to :manpage:`bind(2)` will bind 196 * to an available port from the ephemeral port range. This can be 197 * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl 198 * (also used for IPv6), and within that range, on a per-socket basis 199 * with ``setsockopt(IP_LOCAL_PORT_RANGE)``. 200 * 201 * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP 202 * right means that requesting to bind on port 0 is allowed and it will 203 * automatically translate to binding on a kernel-assigned ephemeral 204 * port. 205 */ 206 __u64 port; 207 }; 208 209 /** 210 * DOC: fs_access 211 * 212 * A set of actions on kernel objects may be defined by an attribute (e.g. 213 * &struct landlock_path_beneath_attr) including a bitmask of access. 214 * 215 * Filesystem flags 216 * ~~~~~~~~~~~~~~~~ 217 * 218 * These flags enable to restrict a sandboxed process to a set of actions on 219 * files and directories. Files or directories opened before the sandboxing 220 * are not subject to these restrictions. 221 * 222 * The following access rights apply only to files: 223 * 224 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. 225 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When 226 * opening files for writing, you will often additionally need the 227 * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls 228 * truncate existing files when overwriting them (e.g., :manpage:`creat(2)`). 229 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. 230 * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, 231 * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with 232 * ``O_TRUNC``. This access right is available since the third version of the 233 * Landlock ABI. 234 * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened 235 * character or block device. 236 * 237 * This access right applies to all `ioctl(2)` commands implemented by device 238 * drivers. However, the following common IOCTL commands continue to be 239 * invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right: 240 * 241 * * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``), 242 * * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``), 243 * * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, 244 * ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``) 245 * * Some IOCTL commands which do not make sense when used with devices, but 246 * whose implementations are safe and return the right error codes 247 * (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) 248 * 249 * This access right is available since the fifth version of the Landlock 250 * ABI. 251 * 252 * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used 253 * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as 254 * read and write permissions are checked during :manpage:`open(2)` using 255 * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. 256 * 257 * A directory can receive access rights related to files or directories. The 258 * following access right is applied to the directory itself, and the 259 * directories beneath it: 260 * 261 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content. 262 * 263 * However, the following access rights only apply to the content of a 264 * directory, not the directory itself: 265 * 266 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one. 267 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file. 268 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character 269 * device. 270 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory. 271 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file. 272 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain 273 * socket. 274 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe. 275 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device. 276 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link. 277 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different 278 * directory (i.e. reparent a file hierarchy). 279 * 280 * This access right is available since the second version of the Landlock 281 * ABI. 282 * 283 * This is the only access right which is denied by default by any ruleset, 284 * even if the right is not specified as handled at ruleset creation time. 285 * The only way to make a ruleset grant this right is to explicitly allow it 286 * for a specific directory by adding a matching rule to the ruleset. 287 * 288 * In particular, when using the first Landlock ABI version, Landlock will 289 * always deny attempts to reparent files between different directories. 290 * 291 * In addition to the source and destination directories having the 292 * %LANDLOCK_ACCESS_FS_REFER access right, the attempted link or rename 293 * operation must meet the following constraints: 294 * 295 * * The reparented file may not gain more access rights in the destination 296 * directory than it previously had in the source directory. If this is 297 * attempted, the operation results in an ``EXDEV`` error. 298 * 299 * * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the 300 * respective file type must be granted for the destination directory. 301 * Otherwise, the operation results in an ``EACCES`` error. 302 * 303 * * When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the 304 * respective file type must be granted for the source directory. Otherwise, 305 * the operation results in an ``EACCES`` error. 306 * 307 * If multiple requirements are not met, the ``EACCES`` error code takes 308 * precedence over ``EXDEV``. 309 * 310 * .. warning:: 311 * 312 * It is currently not possible to restrict some file-related actions 313 * accessible through these syscall families: :manpage:`chdir(2)`, 314 * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, 315 * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, 316 * :manpage:`fcntl(2)`, :manpage:`access(2)`. 317 * Future Landlock evolutions will enable to restrict them. 318 */ 319 /* clang-format off */ 320 #define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) 321 #define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) 322 #define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) 323 #define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) 324 #define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4) 325 #define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5) 326 #define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6) 327 #define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7) 328 #define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8) 329 #define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9) 330 #define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10) 331 #define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11) 332 #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) 333 #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) 334 #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) 335 #define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) 336 /* clang-format on */ 337 338 /** 339 * DOC: net_access 340 * 341 * Network flags 342 * ~~~~~~~~~~~~~~~~ 343 * 344 * These flags enable to restrict a sandboxed process to a set of network 345 * actions. 346 * 347 * The following access rights apply to TCP port numbers: 348 * 349 * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind TCP sockets to the given local 350 * port. Support added in Landlock ABI version 4. 351 * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect TCP sockets to the given 352 * remote port. Support added in Landlock ABI version 4. 353 */ 354 /* clang-format off */ 355 #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) 356 #define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) 357 /* clang-format on */ 358 359 /** 360 * DOC: scope 361 * 362 * Scope flags 363 * ~~~~~~~~~~~ 364 * 365 * These flags enable to isolate a sandboxed process from a set of IPC actions. 366 * Setting a flag for a ruleset will isolate the Landlock domain to forbid 367 * connections to resources outside the domain. 368 * 369 * This is supported since Landlock ABI version 6. 370 * 371 * Scopes: 372 * 373 * - %LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process from 374 * connecting to an abstract UNIX socket created by a process outside the 375 * related Landlock domain (e.g., a parent domain or a non-sandboxed process). 376 * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal 377 * to another process outside the domain. 378 */ 379 /* clang-format off */ 380 #define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0) 381 #define LANDLOCK_SCOPE_SIGNAL (1ULL << 1) 382 /* clang-format on*/ 383 384 #endif /* _UAPI_LINUX_LANDLOCK_H */ 385