// SPDX-License-Identifier: GPL-2.0-only
/*
 * Landlock - Domain management
 *
 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 * Copyright © 2024-2025 Microsoft Corporation
 */

#include <kunit/test.h>
#include <linux/bitops.h>
#include <linux/bits.h>
#include <linux/cred.h>
#include <linux/file.h>
#include <linux/mm.h>
#include <linux/path.h>
#include <linux/pid.h>
#include <linux/sched.h>
#include <linux/signal.h>
#include <linux/uidgid.h>

#include "access.h"
#include "common.h"
#include "domain.h"
#include "id.h"

#ifdef CONFIG_AUDIT

/**
 * get_current_exe - Get the current task's executable path, if any
 *
 * @exe_str: Returned pointer to a path string with a lifetime tied to the
 *           returned buffer, if any.
 * @exe_size: Returned size of @exe_str (including the trailing null
 *            character), if any.
 *
 * @exe_str and @exe_size are only written on success; they are left untouched
 * when %NULL or an error is returned.
 *
 * Return: A pointer to an allocated buffer that @exe_str points into (the
 * caller owns it and must kfree() it), %NULL if there is no executable path,
 * or an error otherwise.
 */
static const void *get_current_exe(const char **const exe_str,
				   size_t *const exe_size)
{
	const size_t buffer_size = LANDLOCK_PATH_MAX_SIZE;
	struct mm_struct *mm = current->mm;
	/*
	 * Both references are dropped automatically on every early return;
	 * only the buffer survives, via no_free_ptr(), on the success path.
	 */
	struct file *file __free(fput) = NULL;
	char *buffer __free(kfree) = NULL;
	const char *exe;
	ssize_t size;

	/* Kernel threads have no mm and therefore no executable. */
	if (!mm)
		return NULL;

	file = get_mm_exe_file(mm);
	if (!file)
		return NULL;

	buffer = kmalloc(buffer_size, GFP_KERNEL);
	if (!buffer)
		return ERR_PTR(-ENOMEM);

	exe = d_path(&file->f_path, buffer, buffer_size);
	if (WARN_ON_ONCE(IS_ERR(exe)))
		/* Should never happen according to LANDLOCK_PATH_MAX_SIZE. */
		return ERR_CAST(exe);

	/*
	 * d_path() builds the string at the end of the buffer, so the distance
	 * from the returned pointer to the end of the buffer is the path
	 * length including its terminating null character.
	 */
	size = buffer + buffer_size - exe;
	if (WARN_ON_ONCE(size <= 0))
		return ERR_PTR(-ENAMETOOLONG);

	*exe_size = size;
	*exe_str = exe;
	/* Transfer buffer ownership to the caller instead of kfree()ing it. */
	return no_free_ptr(buffer);
}

/**
 * get_current_details - Snapshot the current task for audit purposes
 *
 * Records the executable path (or "(null)" when there is none), the thread
 * group PID, the UID in the initial user namespace, and the comm of the
 * current task.
 *
 * Return: A newly allocated object describing a domain, or an error
 * otherwise.
 */
static struct landlock_details *get_current_details(void)
{
	/* Cf. audit_log_d_path_exe() */
	static const char null_path[] = "(null)";
	/*
	 * Defaults used when get_current_exe() returns %NULL (no executable):
	 * in that case it does not touch path_str or path_size.
	 */
	const char *path_str = null_path;
	size_t path_size = sizeof(null_path);
	const void *buffer __free(kfree) = NULL;
	struct landlock_details *details;

	buffer = get_current_exe(&path_str, &path_size);
	if (IS_ERR(buffer))
		return ERR_CAST(buffer);

	/*
	 * Create the new details according to the path's length. Account to
	 * the calling task's memcg, like the other Landlock per-domain
	 * allocations, even if it may not control the related size.
	 */
	details =
		kzalloc_flex(*details, exe_path, path_size, GFP_KERNEL_ACCOUNT);
	if (!details)
		return ERR_PTR(-ENOMEM);

	/* path_size includes the null terminator, so exe_path stays a string. */
	memcpy(details->exe_path, path_str, path_size);
	/*
	 * get_pid() takes a reference on the thread group PID; the matching
	 * put_pid() is the responsibility of whoever frees the details.
	 */
	details->pid = get_pid(task_tgid(current));
	details->uid = from_kuid(&init_user_ns, current_uid());
	get_task_comm(details->comm, current);
	return details;
}

/**
 * landlock_init_hierarchy_log - Partially initialize landlock_hierarchy
 *
 * @hierarchy: The hierarchy to initialize.
 *
 * The current task is referenced as the domain that is enforcing the
 * restriction. The subjective credentials must not be in an overridden state.
 *
 * @hierarchy->parent and @hierarchy->usage should already be set.
 *
 * Return: 0 on success, -errno on failure.
 */
int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy)
{
	struct landlock_details *details;

	details = get_current_details();
	if (IS_ERR(details))
		return PTR_ERR(details);

	/* Ownership of the details (and their PID reference) moves here. */
	hierarchy->details = details;
	/* Reserve a single ID for this domain. */
	hierarchy->id = landlock_get_id_range(1);
	hierarchy->log_status = LANDLOCK_LOG_PENDING;
	/* Default logging flags; their effect is decided by the audit code. */
	hierarchy->log_same_exec = true;
	hierarchy->log_new_exec = false;
	/* No denial has been accounted for this domain yet. */
	atomic64_set(&hierarchy->num_denials, 0);
	return 0;
}

/**
 * get_layer_deny_mask - Encode the layer that denied one optional access
 *
 * @all_existing_optional_access: Bitmask of all valid optional accesses.
 * @access_bit: Bit index (within access_mask_t) of the denied optional access.
 * @layer: Index of the denying layer.
 *
 * A deny_masks_t packs one field per optional access. Each field is
 * HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) bits wide, and the field used for
 * @access_bit is chosen by its rank among the set bits of
 * @all_existing_optional_access, counting from the least significant bit.
 *
 * Return: @layer shifted into the field of @access_bit, or 0 (with a one-time
 * warning) if @layer or @access_bit is out of range.
 */
static deny_masks_t
get_layer_deny_mask(const access_mask_t all_existing_optional_access,
		    const unsigned long access_bit, const size_t layer)
{
	unsigned long access_weight;

	/* This may require change with new object types. */
	WARN_ON_ONCE(all_existing_optional_access !=
		     _LANDLOCK_ACCESS_FS_OPTIONAL);

	if (WARN_ON_ONCE(layer >= LANDLOCK_MAX_NUM_LAYERS))
		return 0;

	/*
	 * Number of optional accesses at or below @access_bit: its one-based
	 * rank, which selects the field position below.
	 */
	access_weight = hweight_long(all_existing_optional_access &
				     GENMASK(access_bit, 0));
	if (WARN_ON_ONCE(access_weight < 1))
		return 0;

	return layer
	       << ((access_weight - 1) * HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1));
}

/**
 * landlock_get_quiet_optional_accesses - Get optional accesses which are
 *                                        covered by quiet rule flags.
 *
 * @all_existing_optional_access: Bitmask of valid optional accesses.
 * @deny_masks: Domain layer levels that denied each optional access (the
 *              deny_masks field on struct landlock_file_security).
 * @masks: The struct layer_masks collected during the path walk.
 *
 * The returned bits are indexed by the rank of each optional access among
 * @all_existing_optional_access (the same field order used by
 * get_layer_deny_mask()), not by the access's own bit index.
 *
 * Return: a bitmask of which optional accesses are denied by layers for which
 * the quiet flag was collected during the path walk.
 */
optional_access_t landlock_get_quiet_optional_accesses(
	const access_mask_t all_existing_optional_access,
	const deny_masks_t deny_masks, const struct layer_masks *const masks)
{
	const unsigned long access_opt = all_existing_optional_access;
	size_t access_index = 0;
	unsigned long access_bit;
	optional_access_t quiet_optional_accesses = 0;

	/* This will require change with new object types. */
	WARN_ON_ONCE(access_opt != _LANDLOCK_ACCESS_FS_OPTIONAL);

	for_each_set_bit(access_bit, &access_opt,
			 BITS_PER_TYPE(access_mask_t)) {
		/*
		 * Extract the layer index stored in this access's field,
		 * mirroring the packing done by get_layer_deny_mask().
		 */
		const u8 layer =
			(deny_masks >> (access_index *
					HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1))) &
			(LANDLOCK_MAX_NUM_LAYERS - 1);

		if (masks->layers[layer].quiet)
			quiet_optional_accesses |= BIT(access_index);
		access_index++;
	}
	return quiet_optional_accesses;
}

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

static void test_get_layer_deny_mask(struct kunit *const test)
{
	const unsigned long truncate = BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE);
	const unsigned long ioctl_dev = BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV);

	/* Truncate occupies the first (lowest) field. */
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
					    truncate, 0));
	KUNIT_EXPECT_EQ(test, 0x3,
			get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
					    truncate, 3));

	/* IOCTL_DEV occupies the second field, i.e. shifted by one width. */
	KUNIT_EXPECT_EQ(test, 0,
			get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
					    ioctl_dev, 0));
	KUNIT_EXPECT_EQ(test, 0xf0,
			get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
					    ioctl_dev, 15));
}

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

/**
 * landlock_get_deny_masks - Record which layer denied each optional access
 *
 * @all_existing_optional_access: Bitmask of all valid optional accesses.
 * @optional_access: Optional accesses to look up; must be a subset of
 *                   @all_existing_optional_access.
 * @masks: The struct layer_masks collected during the path walk.
 *
 * Layers are walked from the highest index down to 0 and each optional access
 * is attributed to the first layer found denying it, i.e. the denying layer
 * with the highest index.
 *
 * Return: The deny_masks_t encoding (see get_layer_deny_mask()) of the denying
 * layers, or 0 (with a one-time warning) if @masks is %NULL or
 * @optional_access is empty.
 */
deny_masks_t
landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
			const access_mask_t optional_access,
			const struct layer_masks *const masks)
{
	const unsigned long access_opt = optional_access;
	unsigned long access_bit;
	deny_masks_t deny_masks = 0;
	access_mask_t all_denied = 0;

	/* This may require change with new object types. */
	WARN_ON_ONCE(!access_mask_subset(optional_access,
					 all_existing_optional_access));

	if (WARN_ON_ONCE(!masks))
		return 0;

	if (WARN_ON_ONCE(!access_opt))
		return 0;

	/* Highest-index layer first, so it wins for each access. */
	for (ssize_t i = ARRAY_SIZE(masks->layers) - 1; i >= 0; i--) {
		const access_mask_t denied = masks->layers[i].access &
					     optional_access;
		/* Skip accesses already attributed to a higher layer. */
		const unsigned long newly_denied = denied & ~all_denied;

		if (!newly_denied)
			continue;

		/* Same bound as BITS_PER_TYPE(access_mask_t) used above. */
		for_each_set_bit(access_bit, &newly_denied,
				 8 * sizeof(access_mask_t)) {
			deny_masks |= get_layer_deny_mask(
				all_existing_optional_access, access_bit, i);
		}
		all_denied |= denied;
	}
	return deny_masks;
}

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

static void test_landlock_get_deny_masks(struct kunit *const test)
{
	/*
	 * IOCTL_DEV is denied by layers 0 and 2 (layer 2 must win), TRUNCATE
	 * only by layer 1, and EXECUTE (not optional) must be ignored.
	 */
	const struct layer_masks layers1 = {
		.layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE |
				    LANDLOCK_ACCESS_FS_IOCTL_DEV,
		.layers[1].access = LANDLOCK_ACCESS_FS_TRUNCATE,
		.layers[2].access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
		.layers[9].access = LANDLOCK_ACCESS_FS_EXECUTE,
	};

	/* Layer 1 in the truncate field. */
	KUNIT_EXPECT_EQ(test, 0x1,
			landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL,
						LANDLOCK_ACCESS_FS_TRUNCATE,
						&layers1));
	/* Layer 2 in the ioctl_dev field. */
	KUNIT_EXPECT_EQ(test, 0x20,
			landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL,
						LANDLOCK_ACCESS_FS_IOCTL_DEV,
						&layers1));
	/* Both fields at once. */
	KUNIT_EXPECT_EQ(
		test, 0x21,
		landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL,
					LANDLOCK_ACCESS_FS_TRUNCATE |
						LANDLOCK_ACCESS_FS_IOCTL_DEV,
					&layers1));
}

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

static struct kunit_case test_cases[] = {
	/* clang-format off */
	KUNIT_CASE(test_get_layer_deny_mask),
	KUNIT_CASE(test_landlock_get_deny_masks),
	{}
	/* clang-format on */
};

static struct kunit_suite test_suite = {
	.name = "landlock_domain",
	.test_cases = test_cases,
};

/* Registers the suite with KUnit under the name above. */
kunit_test_suite(test_suite);

#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

#endif /* CONFIG_AUDIT */