/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Landlock - Access types and helpers
 *
 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 * Copyright © 2024-2025 Microsoft Corporation
 */

#ifndef _SECURITY_LANDLOCK_ACCESS_H
#define _SECURITY_LANDLOCK_ACCESS_H

#include <linux/bitops.h>
#include <linux/build_bug.h>
#include <linux/kernel.h>
#include <uapi/linux/landlock.h>

#include "limits.h"

/*
 * Access rights that are denied by default as soon as a layer handles any
 * filesystem access right, whether or not the layer explicitly lists them.
 * They must be ORed into every ruleset->access_masks[] entry whenever the
 * absolute set of handled access rights is needed, see
 * landlock_upgrade_handled_access_masks().
 */
/* clang-format off */
#define _LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
	LANDLOCK_ACCESS_FS_REFER)
/* clang-format on */

/*
 * Filesystem access rights that get per-layer denial tracking: deny_masks_t
 * (below) records which layer denied each of them.
 */
/* clang-format off */
#define _LANDLOCK_ACCESS_FS_OPTIONAL ( \
	LANDLOCK_ACCESS_FS_TRUNCATE | \
	LANDLOCK_ACCESS_FS_IOCTL_DEV)
/* clang-format on */

/* One bit per access right; shared by the filesystem, network and scope sets. */
typedef u32 access_mask_t;

/* Every filesystem, network and scope right must fit in an access_mask_t. */
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
/*
 * for_each_set_bit() and for_each_clear_bit() operate on unsigned long
 * words, so an access_mask_t must never be wider than one.
 */
static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));

/* Ruleset access masks: one bit field per access category. */
struct access_masks {
	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
	access_mask_t scope : LANDLOCK_NUM_SCOPE;
} __packed __aligned(sizeof(u32));

/* View of struct access_masks as a single u32. */
union access_masks_all {
	struct access_masks masks;
	u32 all;
};

/* The bit-field struct and its u32 view must be exactly the same size. */
static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
	      sizeof(typeof_member(union access_masks_all, all)));

/**
 * struct layer_mask - The access rights and rule flags for a layer.
 *
 * One bit per access right plus one per rule flag. During an access check it
 * holds, for a given layer, the access rights that have not yet been granted;
 * once every bit is cleared the request is satisfied for that layer.
 */
struct layer_mask {
	/**
	 * @access: The access rights of this layer that are still unfulfilled.
	 */
	access_mask_t access : LANDLOCK_NUM_ACCESS_MAX;
#ifdef CONFIG_AUDIT
	/**
	 * @quiet: Set once a rule carrying the quiet flag has been seen for
	 * this layer; drives whether a denial is logged.
	 */
	access_mask_t quiet : 1;
#endif /* CONFIG_AUDIT */
} __packed __aligned(sizeof(access_mask_t));

/* Storing rule flags must not grow struct layer_mask beyond one access_mask_t. */
static_assert(sizeof(struct layer_mask) == sizeof(access_mask_t));

/**
 * struct layer_masks - An array of struct layer_mask, one per layer.
 */
struct layer_masks {
	/**
	 * @layers: Per-layer unfulfilled access rights, indexed by layer.
	 */
	struct layer_mask layers[LANDLOCK_MAX_NUM_LAYERS];
};

/*
 * Records which domain is responsible for a denied access, so that objects do
 * not have to carry the full per-layer matrix of unfulfilled access rights
 * that update_request() needs.
 *
 * Each nibble holds the index of the newest layer that denied one access
 * right. For filesystem access rights the upper nibble is the layer index for
 * LANDLOCK_ACCESS_FS_IOCTL_DEV and the lower nibble the one for
 * LANDLOCK_ACCESS_FS_TRUNCATE.
 */
typedef u8 deny_masks_t;

/*
 * Each optional access right needs enough bits to hold any layer index in
 * 0..LANDLOCK_MAX_NUM_LAYERS-1; HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) is that
 * bit count because LANDLOCK_MAX_NUM_LAYERS is a power of two (asserted
 * right below). Cf. get_deny_mask.
 */
static_assert(BITS_PER_TYPE(deny_masks_t) >=
	      (HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) *
	       HWEIGHT(_LANDLOCK_ACCESS_FS_OPTIONAL)));

/* A single set bit means LANDLOCK_MAX_NUM_LAYERS is a power of two. */
static_assert(HWEIGHT(LANDLOCK_MAX_NUM_LAYERS) == 1);

/**
 * landlock_upgrade_handled_access_masks - Add the initially denied rights
 *
 * @access_masks: Handled access masks of a ruleset layer (by value).
 *
 * Returns a copy of @access_masks whose filesystem mask also carries
 * _LANDLOCK_ACCESS_FS_INITIALLY_DENIED. The net and scope masks are returned
 * untouched, and so is a zero filesystem mask: a layer that handles no
 * filesystem right at all is not turned into one that does.
 */
static inline struct access_masks
landlock_upgrade_handled_access_masks(struct access_masks access_masks)
{
	struct access_masks upgraded = access_masks;

	/* Only a layer already handling some filesystem right is upgraded. */
	if (upgraded.fs != 0)
		upgraded.fs |= _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;

	return upgraded;
}

/**
 * access_mask_subset - Test whether one access mask is included in another
 *
 * @subset: Candidate subset.
 * @superset: Mask that must contain every bit of @subset.
 *
 * Returns true when no bit of @subset is missing from @superset; an empty
 * @subset is therefore a subset of any mask.
 */
static inline bool access_mask_subset(access_mask_t subset,
				      access_mask_t superset)
{
	const access_mask_t missing = subset & ~superset;

	return missing == 0;
}

/* Wide enough to hold one bit per optional filesystem access right. */
typedef u8 optional_access_t;
static_assert(BITS_PER_TYPE(optional_access_t) >=
	      HWEIGHT(_LANDLOCK_ACCESS_FS_OPTIONAL));

#endif /* _SECURITY_LANDLOCK_ACCESS_H */