/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Landlock LSM - Ruleset management
 *
 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 */

#ifndef _SECURITY_LANDLOCK_RULESET_H
#define _SECURITY_LANDLOCK_RULESET_H

#include <linux/cleanup.h>
#include <linux/err.h>
#include <linux/mutex.h>
#include <linux/rbtree.h>
#include <linux/refcount.h>
#include <linux/workqueue.h>

#include "access.h"
#include "limits.h"
#include "object.h"

/* Only referenced through a pointer here (&landlock_ruleset.hierarchy). */
struct landlock_hierarchy;

/**
 * struct landlock_layer - Access rights for a given layer
 *
 * One entry of &landlock_rule.layers.  Each layer corresponds to one merged
 * ruleset (see &landlock_ruleset.access_masks and
 * &landlock_ruleset.num_layers).
 */
struct landlock_layer {
	/**
	 * @level: Position of this layer in the layer stack. Starts from 1.
	 */
	u8 level;
	/**
	 * @flags: Bitfield for special flags attached to this rule.
	 */
	struct {
		/**
		 * @quiet: Suppresses denial logs for the object covered by this
		 * rule in this domain. For filesystem rules, this inherits
		 * down the file hierarchy.
		 */
		u8 quiet : 1;
	} flags;
	/**
	 * @access: Bitfield of allowed actions on the kernel object. They are
	 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
	 */
	access_mask_t access;
};

/**
 * union landlock_key - Key of a ruleset's red-black tree
 *
 * Which member is meaningful is given by the &enum landlock_key_type that
 * travels with the key (see &struct landlock_id).
 */
union landlock_key {
	/**
	 * @object: Pointer to identify a kernel object (e.g. an inode).
	 */
	struct landlock_object *object;
	/**
	 * @data: Raw data to identify an arbitrary 32-bit value
	 * (e.g. a TCP port).
	 */
	uintptr_t data;
};

/**
 * enum landlock_key_type - Type of &union landlock_key
 *
 * Also selects which red-black tree of a &struct landlock_ruleset a key
 * belongs to.
 */
enum landlock_key_type {
	/**
	 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node
	 * keys.
	 */
	LANDLOCK_KEY_INODE = 1,
	/**
	 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
	 * node keys.
	 */
	LANDLOCK_KEY_NET_PORT,
};

/**
 * struct landlock_id - Unique rule identifier for a ruleset
 *
 * Passed by value to landlock_insert_rule() and landlock_find_rule().
 */
struct landlock_id {
	/**
	 * @key: Identifies either a kernel object (e.g. an inode) or
	 * a raw value (e.g. a TCP port).
	 */
	union landlock_key key;
	/**
	 * @type: Type of a landlock_ruleset's root tree.  Tells which tree
	 * @key is looked up in and which member of @key is meaningful.
	 */
	const enum landlock_key_type type;
};

/**
 * struct landlock_rule - Access rights tied to an object
 */
struct landlock_rule {
	/**
	 * @node: Node in the ruleset's red-black tree.
	 */
	struct rb_node node;
	/**
	 * @key: A union to identify either a kernel object (e.g. an inode) or
	 * a raw data value (e.g. a network socket port). This is used as a key
	 * for this ruleset element. The pointer is set once and never
	 * modified. It always points to an allocated object because each rule
	 * increments the refcount of its object.
	 */
	union landlock_key key;
	/**
	 * @num_layers: Number of entries in @layers.
	 */
	u32 num_layers;
	/**
	 * @layers: Stack of layers, from the latest to the newest, implemented
	 * as a flexible array member (FAM).
	 * NOTE(review): presumably ordered oldest first, mirroring
	 * &landlock_ruleset.access_masks — confirm in landlock_merge_ruleset().
	 */
	struct landlock_layer layers[] __counted_by(num_layers);
};

/**
 * struct landlock_ruleset - Landlock ruleset
 *
 * This data structure must contain unique entries, be updatable, and quick to
 * match an object.
 *
 * The same structure serves both as a ruleset under construction (referenced
 * by a file descriptor) and as a domain (a merged ruleset tied to a process,
 * identified by a non-zero @num_layers).
 */
struct landlock_ruleset {
	/**
	 * @root_inode: Root of a red-black tree containing &struct
	 * landlock_rule nodes with inode object. Once a ruleset is tied to a
	 * process (i.e. as a domain), this tree is immutable until @usage
	 * reaches zero.
	 */
	struct rb_root root_inode;

#if IS_ENABLED(CONFIG_INET)
	/**
	 * @root_net_port: Root of a red-black tree containing &struct
	 * landlock_rule nodes with network port. Once a ruleset is tied to a
	 * process (i.e. as a domain), this tree is immutable until @usage
	 * reaches zero.
	 */
	struct rb_root root_net_port;
#endif /* IS_ENABLED(CONFIG_INET) */

	/**
	 * @hierarchy: Enables hierarchy identification even when a parent
	 * domain vanishes. This is needed for the ptrace protection.
	 */
	struct landlock_hierarchy *hierarchy;
	union {
		/**
		 * @work_free: Enables to free a ruleset within a lockless
		 * section. This is only used by
		 * landlock_put_ruleset_deferred() when @usage reaches zero.
		 * The fields @lock, @usage, @num_rules, @num_layers,
		 * @quiet_masks and @access_masks are then unused.
		 */
		struct work_struct work_free;
		struct {
			/**
			 * @lock: Protects against concurrent modifications of
			 * the rule trees (@root_inode and, when enabled,
			 * @root_net_port), if @usage is greater than zero.
			 */
			struct mutex lock;
			/**
			 * @usage: Number of processes (i.e. domains) or file
			 * descriptors referencing this ruleset.  Incremented
			 * by landlock_get_ruleset(), dropped by
			 * landlock_put_ruleset() and
			 * landlock_put_ruleset_deferred().
			 */
			refcount_t usage;
			/**
			 * @num_rules: Number of non-overlapping (i.e. not for
			 * the same object) rules in this ruleset.
			 */
			u32 num_rules;
			/**
			 * @num_layers: Number of layers that are used in this
			 * ruleset. This enables to check that all the layers
			 * allow an access request. A value of 0 identifies a
			 * non-merged ruleset (i.e. not a domain).
			 */
			u32 num_layers;
			/**
			 * @quiet_masks: Stores the quiet flags for an unmerged
			 * ruleset. For a merged domain, this is stored in each
			 * layer's struct landlock_hierarchy instead.
			 */
			struct access_masks quiet_masks;
			/**
			 * @access_masks: Contains the subset of filesystem and
			 * network actions that are restricted by a ruleset.
			 * A domain saves all layers of merged rulesets in a
			 * stack (FAM), starting from the first layer to the
			 * last one. These layers are used when merging
			 * rulesets, for user space backward compatibility
			 * (i.e. future-proof), and to properly handle merged
			 * rulesets without overlapping access rights. These
			 * layers are set once and never changed for the
			 * lifetime of the ruleset.
			 */
			struct access_masks access_masks[];
		};
	};
};

/*
 * Allocates a new, unmerged ruleset handling the given filesystem, network and
 * scope masks.  Presumably returns an ERR_PTR() on failure (the cleanup helper
 * below tolerates both NULL and ERR_PTR values) — confirm in ruleset.c.
 */
struct landlock_ruleset *
landlock_create_ruleset(const access_mask_t access_mask_fs,
			const access_mask_t access_mask_net,
			const access_mask_t scope_mask);

/*
 * Drop one reference on @ruleset (see &landlock_ruleset.usage).  The
 * _deferred variant frees through &landlock_ruleset.work_free so it can be
 * called from a lockless section.
 */
void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);

/*
 * Scope-based cleanup for __free(landlock_put_ruleset): releases the
 * reference when the variable goes out of scope, skipping NULL and ERR_PTR
 * values so error paths need no special casing.
 */
DEFINE_FREE(landlock_put_ruleset, struct landlock_ruleset *,
	    if (!IS_ERR_OR_NULL(_T)) landlock_put_ruleset(_T))

/*
 * Insert (or update) the rule identified by @id in @ruleset with the given
 * @access rights and per-rule @flags.  NOTE(review): the exact meaning of
 * @flags (presumably the quiet bit of &landlock_layer.flags) is defined in
 * ruleset.c — confirm there.
 */
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
			 const struct landlock_id id,
			 const access_mask_t access, const u32 flags);

/*
 * Build a new domain from @parent (may be a domain) and @ruleset.  The result
 * stacks a new layer on top of @parent's layers; see
 * &landlock_ruleset.access_masks.
 */
struct landlock_ruleset *
landlock_merge_ruleset(struct landlock_ruleset *const parent,
		       struct landlock_ruleset *const ruleset);

/*
 * Look up the rule for @id in the tree selected by @id.type.  Returned rule
 * is owned by @ruleset; the caller must hold a reference on the ruleset while
 * using it.
 */
const struct landlock_rule *
landlock_find_rule(const struct landlock_ruleset *const ruleset,
		   const struct landlock_id id);

/*
 * Take a reference on @ruleset.  NULL is tolerated as a no-op so callers can
 * pass an absent domain straight through.
 */
static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
{
	if (ruleset)
		refcount_inc(&ruleset->usage);
}

/**
 * landlock_union_access_masks - Return all access rights handled in the
 * domain
 *
 * @domain: Landlock ruleset (used as a domain)
 *
 * Only the first &landlock_ruleset.num_layers entries of
 * &landlock_ruleset.access_masks are read.
 *
 * Return: An access_masks result of the OR of all the domain's access masks.
*/
static inline struct access_masks
landlock_union_access_masks(const struct landlock_ruleset *const domain)
{
	union access_masks_all merged = {};
	const struct access_masks *cur = domain->access_masks;
	const struct access_masks *const end = cur + domain->num_layers;

	/*
	 * Fold every layer into one accumulator.  The access_masks_all
	 * punning lets the fs/net/scope masks be OR-ed in a single operation
	 * instead of field by field.
	 */
	while (cur < end) {
		const union access_masks_all layer_masks = { .masks = *cur };

		merged.all |= layer_masks.all;
		cur++;
	}

	return merged.masks;
}

/**
 * landlock_add_fs_access_mask - Record handled filesystem accesses for a layer
 *
 * @ruleset: Ruleset being built.
 * @fs_access_mask: Filesystem access rights to handle; expected to be a
 *                  subset of %LANDLOCK_MASK_ACCESS_FS.
 * @layer_level: Index into &landlock_ruleset.access_masks.  No bounds check
 *               is done here: the caller must guarantee the index is within
 *               the FAM allocation.
 *
 * Bits outside %LANDLOCK_MASK_ACCESS_FS are dropped and trigger a one-time
 * WARN, since the syscall entry point is expected to have rejected them.
 */
static inline void
landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
			    const access_mask_t fs_access_mask,
			    const u16 layer_level)
{
	const access_mask_t kept = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;

	/* sys_landlock_create_ruleset() is expected to reject any extra bit. */
	WARN_ON_ONCE(kept != fs_access_mask);
	ruleset->access_masks[layer_level].fs |= kept;
}

/**
 * landlock_add_net_access_mask - Record handled network accesses for a layer
 *
 * @ruleset: Ruleset being built.
 * @net_access_mask: Network access rights to handle; expected to be a subset
 *                   of %LANDLOCK_MASK_ACCESS_NET.
 * @layer_level: Index into &landlock_ruleset.access_masks (unchecked, see
 *               landlock_add_fs_access_mask()).
 *
 * Bits outside %LANDLOCK_MASK_ACCESS_NET are dropped and trigger a one-time
 * WARN.
 */
static inline void
landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
			     const access_mask_t net_access_mask,
			     const u16 layer_level)
{
	const access_mask_t kept = net_access_mask & LANDLOCK_MASK_ACCESS_NET;

	/* sys_landlock_create_ruleset() is expected to reject any extra bit. */
	WARN_ON_ONCE(kept != net_access_mask);
	ruleset->access_masks[layer_level].net |= kept;
}

/**
 * landlock_add_scope_mask - Record handled scopes for a layer
 *
 * @ruleset: Ruleset being built.
 * @scope_mask: Scope restrictions to handle; expected to be a subset of
 *              %LANDLOCK_MASK_SCOPE.
 * @layer_level: Index into &landlock_ruleset.access_masks (unchecked, see
 *               landlock_add_fs_access_mask()).
 *
 * Bits outside %LANDLOCK_MASK_SCOPE are dropped and trigger a one-time WARN.
 */
static inline void
landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
			const access_mask_t scope_mask, const u16 layer_level)
{
	const access_mask_t kept = scope_mask & LANDLOCK_MASK_SCOPE;

	/* sys_landlock_create_ruleset() is expected to reject any extra bit. */
	WARN_ON_ONCE(kept != scope_mask);
	ruleset->access_masks[layer_level].scope |= kept;
}

/**
 * landlock_get_fs_access_mask - Filesystem accesses handled by a layer
 *
 * @ruleset: Ruleset or domain.
 * @layer_level: Index into &landlock_ruleset.access_masks (unchecked).
 *
 * Return: The recorded filesystem mask, always OR-ed with
 * %_LANDLOCK_ACCESS_FS_INITIALLY_DENIED so that accesses denied by default
 * are reported as handled whatever the layer recorded.
 */
static inline access_mask_t
landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
			    const u16 layer_level)
{
	const access_mask_t recorded = ruleset->access_masks[layer_level].fs;

	/* Initially-denied rights are handled by every layer. */
	return recorded | _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
}

/**
 * landlock_get_net_access_mask - Network accesses handled by a layer
 *
 * @ruleset: Ruleset or domain.
 * @layer_level: Index into &landlock_ruleset.access_masks (unchecked).
 *
 * Return: The recorded network mask for that layer.
 */
static inline access_mask_t
landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
			     const u16 layer_level)
{
	const struct access_masks *const masks =
		&ruleset->access_masks[layer_level];

	return masks->net;
}

/**
 * landlock_get_scope_mask - Scopes handled by a layer
 *
 * @ruleset: Ruleset or domain.
 * @layer_level: Index into &landlock_ruleset.access_masks (unchecked).
 *
 * Return: The recorded scope mask for that layer.
 */
static inline access_mask_t
landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,
			const u16 layer_level)
{
	const struct access_masks *const masks =
		&ruleset->access_masks[layer_level];

	return masks->scope;
}

/*
 * Clear, in @masks, the layer bits that @rule's layers allow.  Defined in
 * ruleset.c; the return value's meaning is documented there.
 */
bool landlock_unmask_layers(const struct landlock_rule *const rule,
			    struct layer_masks *masks);

/*
 * Initialize @masks from @access_request against @domain's layers for the
 * tree selected by @key_type.  Defined in ruleset.c.
 */
access_mask_t
landlock_init_layer_masks(const struct landlock_ruleset *const domain,
			  const access_mask_t access_request,
			  struct layer_masks *masks,
			  const enum landlock_key_type key_type);

#endif /* _SECURITY_LANDLOCK_RULESET_H */