1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Landlock - Domain management
4 *
5 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
6 * Copyright © 2018-2020 ANSSI
7 * Copyright © 2024-2025 Microsoft Corporation
8 */
9
10 #include <kunit/test.h>
11 #include <linux/bitops.h>
12 #include <linux/bits.h>
13 #include <linux/cred.h>
14 #include <linux/file.h>
15 #include <linux/mm.h>
16 #include <linux/path.h>
17 #include <linux/pid.h>
18 #include <linux/sched.h>
19 #include <linux/signal.h>
20 #include <linux/uidgid.h>
21
22 #include "access.h"
23 #include "common.h"
24 #include "domain.h"
25 #include "id.h"
26
27 #ifdef CONFIG_AUDIT
28
29 /**
30 * get_current_exe - Get the current's executable path, if any
31 *
32 * @exe_str: Returned pointer to a path string with a lifetime tied to the
33 * returned buffer, if any.
34 * @exe_size: Returned size of @exe_str (including the trailing null
35 * character), if any.
36 *
37 * Returns: A pointer to an allocated buffer where @exe_str point to, %NULL if
38 * there is no executable path, or an error otherwise.
39 */
get_current_exe(const char ** const exe_str,size_t * const exe_size)40 static const void *get_current_exe(const char **const exe_str,
41 size_t *const exe_size)
42 {
43 const size_t buffer_size = LANDLOCK_PATH_MAX_SIZE;
44 struct mm_struct *mm = current->mm;
45 struct file *file __free(fput) = NULL;
46 char *buffer __free(kfree) = NULL;
47 const char *exe;
48 ssize_t size;
49
50 if (!mm)
51 return NULL;
52
53 file = get_mm_exe_file(mm);
54 if (!file)
55 return NULL;
56
57 buffer = kmalloc(buffer_size, GFP_KERNEL);
58 if (!buffer)
59 return ERR_PTR(-ENOMEM);
60
61 exe = d_path(&file->f_path, buffer, buffer_size);
62 if (WARN_ON_ONCE(IS_ERR(exe)))
63 /* Should never happen according to LANDLOCK_PATH_MAX_SIZE. */
64 return ERR_CAST(exe);
65
66 size = buffer + buffer_size - exe;
67 if (WARN_ON_ONCE(size <= 0))
68 return ERR_PTR(-ENAMETOOLONG);
69
70 *exe_size = size;
71 *exe_str = exe;
72 return no_free_ptr(buffer);
73 }
74
75 /*
76 * Returns: A newly allocated object describing a domain, or an error
77 * otherwise.
78 */
get_current_details(void)79 static struct landlock_details *get_current_details(void)
80 {
81 /* Cf. audit_log_d_path_exe() */
82 static const char null_path[] = "(null)";
83 const char *path_str = null_path;
84 size_t path_size = sizeof(null_path);
85 const void *buffer __free(kfree) = NULL;
86 struct landlock_details *details;
87
88 buffer = get_current_exe(&path_str, &path_size);
89 if (IS_ERR(buffer))
90 return ERR_CAST(buffer);
91
92 /*
93 * Create the new details according to the path's length. Do not
94 * allocate with GFP_KERNEL_ACCOUNT because it is independent from the
95 * caller.
96 */
97 details =
98 kzalloc(struct_size(details, exe_path, path_size), GFP_KERNEL);
99 if (!details)
100 return ERR_PTR(-ENOMEM);
101
102 memcpy(details->exe_path, path_str, path_size);
103 details->pid = get_pid(task_tgid(current));
104 details->uid = from_kuid(&init_user_ns, current_uid());
105 get_task_comm(details->comm, current);
106 return details;
107 }
108
109 /**
110 * landlock_init_hierarchy_log - Partially initialize landlock_hierarchy
111 *
112 * @hierarchy: The hierarchy to initialize.
113 *
114 * The current task is referenced as the domain that is enforcing the
115 * restriction. The subjective credentials must not be in an overridden state.
116 *
117 * @hierarchy->parent and @hierarchy->usage should already be set.
118 */
landlock_init_hierarchy_log(struct landlock_hierarchy * const hierarchy)119 int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy)
120 {
121 struct landlock_details *details;
122
123 details = get_current_details();
124 if (IS_ERR(details))
125 return PTR_ERR(details);
126
127 hierarchy->details = details;
128 hierarchy->id = landlock_get_id_range(1);
129 hierarchy->log_status = LANDLOCK_LOG_PENDING;
130 hierarchy->log_same_exec = true;
131 hierarchy->log_new_exec = false;
132 atomic64_set(&hierarchy->num_denials, 0);
133 return 0;
134 }
135
136 static deny_masks_t
get_layer_deny_mask(const access_mask_t all_existing_optional_access,const unsigned long access_bit,const size_t layer)137 get_layer_deny_mask(const access_mask_t all_existing_optional_access,
138 const unsigned long access_bit, const size_t layer)
139 {
140 unsigned long access_weight;
141
142 /* This may require change with new object types. */
143 WARN_ON_ONCE(all_existing_optional_access !=
144 _LANDLOCK_ACCESS_FS_OPTIONAL);
145
146 if (WARN_ON_ONCE(layer >= LANDLOCK_MAX_NUM_LAYERS))
147 return 0;
148
149 access_weight = hweight_long(all_existing_optional_access &
150 GENMASK(access_bit, 0));
151 if (WARN_ON_ONCE(access_weight < 1))
152 return 0;
153
154 return layer
155 << ((access_weight - 1) * HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1));
156 }
157
158 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
159
test_get_layer_deny_mask(struct kunit * const test)160 static void test_get_layer_deny_mask(struct kunit *const test)
161 {
162 const unsigned long truncate = BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE);
163 const unsigned long ioctl_dev = BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV);
164
165 KUNIT_EXPECT_EQ(test, 0,
166 get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
167 truncate, 0));
168 KUNIT_EXPECT_EQ(test, 0x3,
169 get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
170 truncate, 3));
171
172 KUNIT_EXPECT_EQ(test, 0,
173 get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
174 ioctl_dev, 0));
175 KUNIT_EXPECT_EQ(test, 0xf0,
176 get_layer_deny_mask(_LANDLOCK_ACCESS_FS_OPTIONAL,
177 ioctl_dev, 15));
178 }
179
180 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
181
182 deny_masks_t
landlock_get_deny_masks(const access_mask_t all_existing_optional_access,const access_mask_t optional_access,const layer_mask_t (* const layer_masks)[],const size_t layer_masks_size)183 landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
184 const access_mask_t optional_access,
185 const layer_mask_t (*const layer_masks)[],
186 const size_t layer_masks_size)
187 {
188 const unsigned long access_opt = optional_access;
189 unsigned long access_bit;
190 deny_masks_t deny_masks = 0;
191
192 /* This may require change with new object types. */
193 WARN_ON_ONCE(access_opt !=
194 (optional_access & all_existing_optional_access));
195
196 if (WARN_ON_ONCE(!layer_masks))
197 return 0;
198
199 if (WARN_ON_ONCE(!access_opt))
200 return 0;
201
202 for_each_set_bit(access_bit, &access_opt, layer_masks_size) {
203 const layer_mask_t mask = (*layer_masks)[access_bit];
204
205 if (!mask)
206 continue;
207
208 /* __fls(1) == 0 */
209 deny_masks |= get_layer_deny_mask(all_existing_optional_access,
210 access_bit, __fls(mask));
211 }
212 return deny_masks;
213 }
214
215 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
216
test_landlock_get_deny_masks(struct kunit * const test)217 static void test_landlock_get_deny_masks(struct kunit *const test)
218 {
219 const layer_mask_t layers1[BITS_PER_TYPE(access_mask_t)] = {
220 [BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0) |
221 BIT_ULL(9),
222 [BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE)] = BIT_ULL(1),
223 [BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV)] = BIT_ULL(2) |
224 BIT_ULL(0),
225 };
226
227 KUNIT_EXPECT_EQ(test, 0x1,
228 landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL,
229 LANDLOCK_ACCESS_FS_TRUNCATE,
230 &layers1, ARRAY_SIZE(layers1)));
231 KUNIT_EXPECT_EQ(test, 0x20,
232 landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL,
233 LANDLOCK_ACCESS_FS_IOCTL_DEV,
234 &layers1, ARRAY_SIZE(layers1)));
235 KUNIT_EXPECT_EQ(
236 test, 0x21,
237 landlock_get_deny_masks(_LANDLOCK_ACCESS_FS_OPTIONAL,
238 LANDLOCK_ACCESS_FS_TRUNCATE |
239 LANDLOCK_ACCESS_FS_IOCTL_DEV,
240 &layers1, ARRAY_SIZE(layers1)));
241 }
242
243 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
244
245 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
246
247 static struct kunit_case test_cases[] = {
248 /* clang-format off */
249 KUNIT_CASE(test_get_layer_deny_mask),
250 KUNIT_CASE(test_landlock_get_deny_masks),
251 {}
252 /* clang-format on */
253 };
254
255 static struct kunit_suite test_suite = {
256 .name = "landlock_domain",
257 .test_cases = test_cases,
258 };
259
260 kunit_test_suite(test_suite);
261
262 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
263
264 #endif /* CONFIG_AUDIT */
265