xref: /linux/security/landlock/ruleset.h (revision 92dda329e337b7ab9cb63f4563dd7a21d001e47c) 
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * Landlock LSM - Ruleset management
4  *
5  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2018-2020 ANSSI
7  */
8 
9 #ifndef _SECURITY_LANDLOCK_RULESET_H
10 #define _SECURITY_LANDLOCK_RULESET_H
11 
12 #include <linux/bitops.h>
13 #include <linux/build_bug.h>
14 #include <linux/kernel.h>
15 #include <linux/mutex.h>
16 #include <linux/rbtree.h>
17 #include <linux/refcount.h>
18 #include <linux/workqueue.h>
19 #include <uapi/linux/landlock.h>
20 
21 #include "limits.h"
22 #include "object.h"
23 
24 /*
25  * All access rights that are denied by default whether they are handled or not
26  * by a ruleset/layer.  This must be ORed with all ruleset->access_masks[]
27  * entries when we need to get the absolute handled access masks.
28  */
29 /* clang-format off */
30 #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
31 	LANDLOCK_ACCESS_FS_REFER)
32 /* clang-format on */
33 
34 typedef u16 access_mask_t;
35 /* Makes sure all filesystem access rights can be stored. */
36 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
37 /* Makes sure all network access rights can be stored. */
38 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
39 /* Makes sure all scoped rights can be stored. */
40 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
41 /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
42 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
43 
44 /* Ruleset access masks. */
45 struct access_masks {
46 	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
47 	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
48 	access_mask_t scope : LANDLOCK_NUM_SCOPE;
49 };
50 
51 union access_masks_all {
52 	struct access_masks masks;
53 	u32 all;
54 };
55 
56 /* Makes sure all fields are covered. */
57 static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
58 	      sizeof(typeof_member(union access_masks_all, all)));
59 
60 typedef u16 layer_mask_t;
61 /* Makes sure all layers can be checked. */
62 static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
63 
64 /**
65  * struct landlock_layer - Access rights for a given layer
66  */
67 struct landlock_layer {
68 	/**
69 	 * @level: Position of this layer in the layer stack.
70 	 */
71 	u16 level;
72 	/**
73 	 * @access: Bitfield of allowed actions on the kernel object.  They are
74 	 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
75 	 */
76 	access_mask_t access;
77 };
78 
79 /**
80  * union landlock_key - Key of a ruleset's red-black tree
81  */
82 union landlock_key {
83 	/**
84 	 * @object: Pointer to identify a kernel object (e.g. an inode).
85 	 */
86 	struct landlock_object *object;
87 	/**
88 	 * @data: Raw data to identify an arbitrary 32-bit value
89 	 * (e.g. a TCP port).
90 	 */
91 	uintptr_t data;
92 };
93 
94 /**
95  * enum landlock_key_type - Type of &union landlock_key
96  */
97 enum landlock_key_type {
98 	/**
99 	 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node
100 	 * keys.
101 	 */
102 	LANDLOCK_KEY_INODE = 1,
103 	/**
104 	 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
105 	 * node keys.
106 	 */
107 	LANDLOCK_KEY_NET_PORT,
108 };
109 
110 /**
111  * struct landlock_id - Unique rule identifier for a ruleset
112  */
113 struct landlock_id {
114 	/**
115 	 * @key: Identifies either a kernel object (e.g. an inode) or
116 	 * a raw value (e.g. a TCP port).
117 	 */
118 	union landlock_key key;
119 	/**
120 	 * @type: Type of a landlock_ruleset's root tree.
121 	 */
122 	const enum landlock_key_type type;
123 };
124 
125 /**
126  * struct landlock_rule - Access rights tied to an object
127  */
128 struct landlock_rule {
129 	/**
130 	 * @node: Node in the ruleset's red-black tree.
131 	 */
132 	struct rb_node node;
133 	/**
134 	 * @key: A union to identify either a kernel object (e.g. an inode) or
135 	 * a raw data value (e.g. a network socket port). This is used as a key
136 	 * for this ruleset element.  The pointer is set once and never
137 	 * modified.  It always points to an allocated object because each rule
138 	 * increments the refcount of its object.
139 	 */
140 	union landlock_key key;
141 	/**
142 	 * @num_layers: Number of entries in @layers.
143 	 */
144 	u32 num_layers;
145 	/**
146 	 * @layers: Stack of layers, from the latest to the newest, implemented
147 	 * as a flexible array member (FAM).
148 	 */
149 	struct landlock_layer layers[] __counted_by(num_layers);
150 };
151 
152 /**
153  * struct landlock_hierarchy - Node in a ruleset hierarchy
154  */
155 struct landlock_hierarchy {
156 	/**
157 	 * @parent: Pointer to the parent node, or NULL if it is a root
158 	 * Landlock domain.
159 	 */
160 	struct landlock_hierarchy *parent;
161 	/**
162 	 * @usage: Number of potential children domains plus their parent
163 	 * domain.
164 	 */
165 	refcount_t usage;
166 };
167 
168 /**
169  * struct landlock_ruleset - Landlock ruleset
170  *
171  * This data structure must contain unique entries, be updatable, and quick to
172  * match an object.
173  */
174 struct landlock_ruleset {
175 	/**
176 	 * @root_inode: Root of a red-black tree containing &struct
177 	 * landlock_rule nodes with inode object.  Once a ruleset is tied to a
178 	 * process (i.e. as a domain), this tree is immutable until @usage
179 	 * reaches zero.
180 	 */
181 	struct rb_root root_inode;
182 
183 #if IS_ENABLED(CONFIG_INET)
184 	/**
185 	 * @root_net_port: Root of a red-black tree containing &struct
186 	 * landlock_rule nodes with network port. Once a ruleset is tied to a
187 	 * process (i.e. as a domain), this tree is immutable until @usage
188 	 * reaches zero.
189 	 */
190 	struct rb_root root_net_port;
191 #endif /* IS_ENABLED(CONFIG_INET) */
192 
193 	/**
194 	 * @hierarchy: Enables hierarchy identification even when a parent
195 	 * domain vanishes.  This is needed for the ptrace protection.
196 	 */
197 	struct landlock_hierarchy *hierarchy;
198 	union {
199 		/**
200 		 * @work_free: Enables to free a ruleset within a lockless
201 		 * section.  This is only used by
202 		 * landlock_put_ruleset_deferred() when @usage reaches zero.
203 		 * The fields @lock, @usage, @num_rules, @num_layers and
204 		 * @access_masks are then unused.
205 		 */
206 		struct work_struct work_free;
207 		struct {
208 			/**
209 			 * @lock: Protects against concurrent modifications of
210 			 * @root, if @usage is greater than zero.
211 			 */
212 			struct mutex lock;
213 			/**
214 			 * @usage: Number of processes (i.e. domains) or file
215 			 * descriptors referencing this ruleset.
216 			 */
217 			refcount_t usage;
218 			/**
219 			 * @num_rules: Number of non-overlapping (i.e. not for
220 			 * the same object) rules in this ruleset.
221 			 */
222 			u32 num_rules;
223 			/**
224 			 * @num_layers: Number of layers that are used in this
225 			 * ruleset.  This enables to check that all the layers
226 			 * allow an access request.  A value of 0 identifies a
227 			 * non-merged ruleset (i.e. not a domain).
228 			 */
229 			u32 num_layers;
230 			/**
231 			 * @access_masks: Contains the subset of filesystem and
232 			 * network actions that are restricted by a ruleset.
233 			 * A domain saves all layers of merged rulesets in a
234 			 * stack (FAM), starting from the first layer to the
235 			 * last one.  These layers are used when merging
236 			 * rulesets, for user space backward compatibility
237 			 * (i.e. future-proof), and to properly handle merged
238 			 * rulesets without overlapping access rights.  These
239 			 * layers are set once and never changed for the
240 			 * lifetime of the ruleset.
241 			 */
242 			struct access_masks access_masks[];
243 		};
244 	};
245 };
246 
247 struct landlock_ruleset *
248 landlock_create_ruleset(const access_mask_t access_mask_fs,
249 			const access_mask_t access_mask_net,
250 			const access_mask_t scope_mask);
251 
252 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
253 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
254 
255 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
256 			 const struct landlock_id id,
257 			 const access_mask_t access);
258 
259 struct landlock_ruleset *
260 landlock_merge_ruleset(struct landlock_ruleset *const parent,
261 		       struct landlock_ruleset *const ruleset);
262 
263 const struct landlock_rule *
264 landlock_find_rule(const struct landlock_ruleset *const ruleset,
265 		   const struct landlock_id id);
266 
landlock_get_ruleset(struct landlock_ruleset * const ruleset)267 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
268 {
269 	if (ruleset)
270 		refcount_inc(&ruleset->usage);
271 }
272 
273 /**
274  * landlock_union_access_masks - Return all access rights handled in the
275  *				 domain
276  *
277  * @domain: Landlock ruleset (used as a domain)
278  *
279  * Returns: an access_masks result of the OR of all the domain's access masks.
280  */
281 static inline struct access_masks
landlock_union_access_masks(const struct landlock_ruleset * const domain)282 landlock_union_access_masks(const struct landlock_ruleset *const domain)
283 {
284 	union access_masks_all matches = {};
285 	size_t layer_level;
286 
287 	for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
288 		union access_masks_all layer = {
289 			.masks = domain->access_masks[layer_level],
290 		};
291 
292 		matches.all |= layer.all;
293 	}
294 
295 	return matches.masks;
296 }
297 
298 /**
299  * landlock_get_applicable_domain - Return @domain if it applies to (handles)
300  *				    at least one of the access rights specified
301  *				    in @masks
302  *
303  * @domain: Landlock ruleset (used as a domain)
304  * @masks: access masks
305  *
306  * Returns: @domain if any access rights specified in @masks is handled, or
307  * NULL otherwise.
308  */
309 static inline const struct landlock_ruleset *
landlock_get_applicable_domain(const struct landlock_ruleset * const domain,const struct access_masks masks)310 landlock_get_applicable_domain(const struct landlock_ruleset *const domain,
311 			       const struct access_masks masks)
312 {
313 	const union access_masks_all masks_all = {
314 		.masks = masks,
315 	};
316 	union access_masks_all merge = {};
317 
318 	if (!domain)
319 		return NULL;
320 
321 	merge.masks = landlock_union_access_masks(domain);
322 	if (merge.all & masks_all.all)
323 		return domain;
324 
325 	return NULL;
326 }
327 
328 static inline void
landlock_add_fs_access_mask(struct landlock_ruleset * const ruleset,const access_mask_t fs_access_mask,const u16 layer_level)329 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
330 			    const access_mask_t fs_access_mask,
331 			    const u16 layer_level)
332 {
333 	access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;
334 
335 	/* Should already be checked in sys_landlock_create_ruleset(). */
336 	WARN_ON_ONCE(fs_access_mask != fs_mask);
337 	ruleset->access_masks[layer_level].fs |= fs_mask;
338 }
339 
340 static inline void
landlock_add_net_access_mask(struct landlock_ruleset * const ruleset,const access_mask_t net_access_mask,const u16 layer_level)341 landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
342 			     const access_mask_t net_access_mask,
343 			     const u16 layer_level)
344 {
345 	access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET;
346 
347 	/* Should already be checked in sys_landlock_create_ruleset(). */
348 	WARN_ON_ONCE(net_access_mask != net_mask);
349 	ruleset->access_masks[layer_level].net |= net_mask;
350 }
351 
352 static inline void
landlock_add_scope_mask(struct landlock_ruleset * const ruleset,const access_mask_t scope_mask,const u16 layer_level)353 landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
354 			const access_mask_t scope_mask, const u16 layer_level)
355 {
356 	access_mask_t mask = scope_mask & LANDLOCK_MASK_SCOPE;
357 
358 	/* Should already be checked in sys_landlock_create_ruleset(). */
359 	WARN_ON_ONCE(scope_mask != mask);
360 	ruleset->access_masks[layer_level].scope |= mask;
361 }
362 
363 static inline access_mask_t
landlock_get_fs_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level)364 landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
365 			    const u16 layer_level)
366 {
367 	/* Handles all initially denied by default access rights. */
368 	return ruleset->access_masks[layer_level].fs |
369 	       LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
370 }
371 
372 static inline access_mask_t
landlock_get_net_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level)373 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
374 			     const u16 layer_level)
375 {
376 	return ruleset->access_masks[layer_level].net;
377 }
378 
379 static inline access_mask_t
landlock_get_scope_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level)380 landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,
381 			const u16 layer_level)
382 {
383 	return ruleset->access_masks[layer_level].scope;
384 }
385 
386 bool landlock_unmask_layers(const struct landlock_rule *const rule,
387 			    const access_mask_t access_request,
388 			    layer_mask_t (*const layer_masks)[],
389 			    const size_t masks_array_size);
390 
391 access_mask_t
392 landlock_init_layer_masks(const struct landlock_ruleset *const domain,
393 			  const access_mask_t access_request,
394 			  layer_mask_t (*const layer_masks)[],
395 			  const enum landlock_key_type key_type);
396 
397 #endif /* _SECURITY_LANDLOCK_RULESET_H */
398