1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Landlock LSM - Network management and hooks
4 *
5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
6 * Copyright © 2022-2023 Microsoft Corporation
7 */
8
9 #include <linux/in.h>
10 #include <linux/net.h>
11 #include <linux/socket.h>
12 #include <net/ipv6.h>
13
14 #include "common.h"
15 #include "cred.h"
16 #include "limits.h"
17 #include "net.h"
18 #include "ruleset.h"
19
landlock_append_net_rule(struct landlock_ruleset * const ruleset,const u16 port,access_mask_t access_rights)20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
21 const u16 port, access_mask_t access_rights)
22 {
23 int err;
24 const struct landlock_id id = {
25 .key.data = (__force uintptr_t)htons(port),
26 .type = LANDLOCK_KEY_NET_PORT,
27 };
28
29 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
30
31 /* Transforms relative access rights to absolute ones. */
32 access_rights |= LANDLOCK_MASK_ACCESS_NET &
33 ~landlock_get_net_access_mask(ruleset, 0);
34
35 mutex_lock(&ruleset->lock);
36 err = landlock_insert_rule(ruleset, id, access_rights);
37 mutex_unlock(&ruleset->lock);
38
39 return err;
40 }
41
42 static const struct access_masks any_net = {
43 .net = ~0,
44 };
45
current_check_access_socket(struct socket * const sock,struct sockaddr * const address,const int addrlen,access_mask_t access_request)46 static int current_check_access_socket(struct socket *const sock,
47 struct sockaddr *const address,
48 const int addrlen,
49 access_mask_t access_request)
50 {
51 __be16 port;
52 layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
53 const struct landlock_rule *rule;
54 struct landlock_id id = {
55 .type = LANDLOCK_KEY_NET_PORT,
56 };
57 const struct landlock_ruleset *const dom =
58 landlock_get_applicable_domain(landlock_get_current_domain(),
59 any_net);
60
61 if (!dom)
62 return 0;
63 if (WARN_ON_ONCE(dom->num_layers < 1))
64 return -EACCES;
65
66 /* Checks if it's a (potential) TCP socket. */
67 if (sock->type != SOCK_STREAM)
68 return 0;
69
70 /* Checks for minimal header length to safely read sa_family. */
71 if (addrlen < offsetofend(typeof(*address), sa_family))
72 return -EINVAL;
73
74 switch (address->sa_family) {
75 case AF_UNSPEC:
76 case AF_INET:
77 if (addrlen < sizeof(struct sockaddr_in))
78 return -EINVAL;
79 port = ((struct sockaddr_in *)address)->sin_port;
80 break;
81
82 #if IS_ENABLED(CONFIG_IPV6)
83 case AF_INET6:
84 if (addrlen < SIN6_LEN_RFC2133)
85 return -EINVAL;
86 port = ((struct sockaddr_in6 *)address)->sin6_port;
87 break;
88 #endif /* IS_ENABLED(CONFIG_IPV6) */
89
90 default:
91 return 0;
92 }
93
94 /* Specific AF_UNSPEC handling. */
95 if (address->sa_family == AF_UNSPEC) {
96 /*
97 * Connecting to an address with AF_UNSPEC dissolves the TCP
98 * association, which have the same effect as closing the
99 * connection while retaining the socket object (i.e., the file
100 * descriptor). As for dropping privileges, closing
101 * connections is always allowed.
102 *
103 * For a TCP access control system, this request is legitimate.
104 * Let the network stack handle potential inconsistencies and
105 * return -EINVAL if needed.
106 */
107 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
108 return 0;
109
110 /*
111 * For compatibility reason, accept AF_UNSPEC for bind
112 * accesses (mapped to AF_INET) only if the address is
113 * INADDR_ANY (cf. __inet_bind). Checking the address is
114 * required to not wrongfully return -EACCES instead of
115 * -EAFNOSUPPORT.
116 *
117 * We could return 0 and let the network stack handle these
118 * checks, but it is safer to return a proper error and test
119 * consistency thanks to kselftest.
120 */
121 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
122 /* addrlen has already been checked for AF_UNSPEC. */
123 const struct sockaddr_in *const sockaddr =
124 (struct sockaddr_in *)address;
125
126 if (sock->sk->__sk_common.skc_family != AF_INET)
127 return -EINVAL;
128
129 if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
130 return -EAFNOSUPPORT;
131 }
132 } else {
133 /*
134 * Checks sa_family consistency to not wrongfully return
135 * -EACCES instead of -EINVAL. Valid sa_family changes are
136 * only (from AF_INET or AF_INET6) to AF_UNSPEC.
137 *
138 * We could return 0 and let the network stack handle this
139 * check, but it is safer to return a proper error and test
140 * consistency thanks to kselftest.
141 */
142 if (address->sa_family != sock->sk->__sk_common.skc_family)
143 return -EINVAL;
144 }
145
146 id.key.data = (__force uintptr_t)port;
147 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
148
149 rule = landlock_find_rule(dom, id);
150 access_request = landlock_init_layer_masks(
151 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
152 if (landlock_unmask_layers(rule, access_request, &layer_masks,
153 ARRAY_SIZE(layer_masks)))
154 return 0;
155
156 return -EACCES;
157 }
158
hook_socket_bind(struct socket * const sock,struct sockaddr * const address,const int addrlen)159 static int hook_socket_bind(struct socket *const sock,
160 struct sockaddr *const address, const int addrlen)
161 {
162 return current_check_access_socket(sock, address, addrlen,
163 LANDLOCK_ACCESS_NET_BIND_TCP);
164 }
165
hook_socket_connect(struct socket * const sock,struct sockaddr * const address,const int addrlen)166 static int hook_socket_connect(struct socket *const sock,
167 struct sockaddr *const address,
168 const int addrlen)
169 {
170 return current_check_access_socket(sock, address, addrlen,
171 LANDLOCK_ACCESS_NET_CONNECT_TCP);
172 }
173
174 static struct security_hook_list landlock_hooks[] __ro_after_init = {
175 LSM_HOOK_INIT(socket_bind, hook_socket_bind),
176 LSM_HOOK_INIT(socket_connect, hook_socket_connect),
177 };
178
landlock_add_net_hooks(void)179 __init void landlock_add_net_hooks(void)
180 {
181 security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
182 &landlock_lsmid);
183 }
184