1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * Landlock - Domain management
4  *
5  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2018-2020 ANSSI
7  * Copyright © 2024-2025 Microsoft Corporation
8  */
9 
10 #ifndef _SECURITY_LANDLOCK_DOMAIN_H
11 #define _SECURITY_LANDLOCK_DOMAIN_H
12 
13 #include <linux/limits.h>
14 #include <linux/mm.h>
15 #include <linux/path.h>
16 #include <linux/pid.h>
17 #include <linux/refcount.h>
18 #include <linux/sched.h>
19 #include <linux/slab.h>
20 
21 #include "access.h"
22 #include "audit.h"
23 
/*
 * Logging state of a Landlock domain, stored in landlock_hierarchy.log_status
 * (only built with CONFIG_AUDIT).  The state transitions are handled by the
 * audit code, not in this header.  Presumably PENDING means no domain record
 * has been emitted yet, RECORDED that one has, and DISABLED that this domain
 * must not be logged -- confirm against the audit code.
 */
enum landlock_log_status {
	/* Zero so that a zero-initialized hierarchy starts in this state. */
	LANDLOCK_LOG_PENDING = 0,
	LANDLOCK_LOG_RECORDED,
	LANDLOCK_LOG_DISABLED,
};
29 
30 /**
31  * struct landlock_details - Domain's creation information
32  *
33  * Rarely accessed, mainly when logging the first domain's denial.
34  *
35  * The contained pointers are initialized at the domain creation time and never
36  * changed again.
37  */
/**
 * struct landlock_details - Domain's creation information
 *
 * Rarely accessed, mainly when logging the first domain's denial.
 *
 * The contained pointers are initialized at the domain creation time and never
 * changed again.  The structure ends with a flexible array member, so it is
 * allocated with a size that depends on the executable path length (see the
 * static_assert on struct_size_t() below) and released through
 * landlock_free_hierarchy_details().
 */
struct landlock_details {
	/**
	 * @pid: PID of the task that initially restricted itself.  It still
	 * identifies the same task.  Keeping a reference to this PID ensures that
	 * it will not be recycled.  The reference is dropped with put_pid() in
	 * landlock_free_hierarchy_details().
	 */
	struct pid *pid;
	/**
	 * @uid: UID of the task that initially restricted itself, at creation time.
	 */
	uid_t uid;
	/**
	 * @comm: Command line of the task that initially restricted itself, at
	 * creation time.  Always NULL terminated.
	 */
	char comm[TASK_COMM_LEN];
	/**
	 * @exe_path: Executable path of the task that initially restricted
	 * itself, at creation time.  Always NULL terminated, and never greater
	 * than LANDLOCK_PATH_MAX_SIZE (terminator and possible " (deleted)"
	 * suffix included).
	 */
	char exe_path[];
};
61 
/*
 * Adds 11 extra characters for the potential " (deleted)" suffix that d_path()
 * appends to the path of an unlinked file.  PATH_MAX already accounts for the
 * terminating NUL.
 */
#define LANDLOCK_PATH_MAX_SIZE (PATH_MAX + 11)

/*
 * Makes sure the greatest landlock_details can be allocated: the largest
 * possible exe_path must still fit in a single kmalloc() allocation
 * (KMALLOC_MAX_SIZE), otherwise an overlong path could make domain creation
 * fail or truncate the recorded path.
 */
static_assert(struct_size_t(struct landlock_details, exe_path,
			    LANDLOCK_PATH_MAX_SIZE) <= KMALLOC_MAX_SIZE);
68 
69 /**
70  * struct landlock_hierarchy - Node in a domain hierarchy
71  */
/**
 * struct landlock_hierarchy - Node in a domain hierarchy
 *
 * Nodes are reference counted: a reference is taken with
 * landlock_get_hierarchy() and released with landlock_put_hierarchy(), which
 * frees the node once its last reference is gone and then releases the
 * reference it held on its parent.
 */
struct landlock_hierarchy {
	/**
	 * @parent: Pointer to the parent node, or NULL if it is a root
	 * Landlock domain.  A child holds one reference on its parent for its
	 * whole lifetime (see landlock_put_hierarchy()).
	 */
	struct landlock_hierarchy *parent;
	/**
	 * @usage: Number of potential children domains plus their parent
	 * domain.
	 */
	refcount_t usage;

#ifdef CONFIG_AUDIT
	/**
	 * @log_status: Whether this domain should be logged or not.  Because
	 * concurrent log entries may be created at the same time, it is still
	 * possible to have several domain records of the same domain.
	 */
	enum landlock_log_status log_status;
	/**
	 * @num_denials: Number of access requests denied by this domain.
	 * Masked (i.e. never logged) denials are still counted.
	 */
	atomic64_t num_denials;
	/**
	 * @id: Landlock domain ID, set once at domain creation time.
	 */
	u64 id;
	/**
	 * @details: Information about the related domain.  Owned by this node
	 * and released by landlock_free_hierarchy_details(); may be NULL.
	 */
	const struct landlock_details *details;
	/**
	 * @log_same_exec: Set if the domain is *not* configured with
	 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF.  Set to true by default.
	 */
	u32 log_same_exec : 1,
		/**
		 * @log_new_exec: Set if the domain is configured with
		 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON.  Set to false by default.
		 */
		log_new_exec : 1;
	/**
	 * @quiet_masks: Bitmasks of access that should be quieted (i.e. not
	 * logged) if the related object is marked as quiet.
	 */
	struct access_masks quiet_masks;
#endif /* CONFIG_AUDIT */
};
121 
122 #ifdef CONFIG_AUDIT
123 
/*
 * Audit helpers declared here but defined in the Landlock audit code.  They
 * only exist with CONFIG_AUDIT; the #else branch below provides no-op
 * replacements for the ones that callers use unconditionally.
 */
deny_masks_t
landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
			const access_mask_t optional_access,
			const struct layer_masks *const masks);

optional_access_t landlock_get_quiet_optional_accesses(
	const access_mask_t all_existing_optional_access,
	const deny_masks_t deny_masks, const struct layer_masks *const masks);

/* Returns 0 on success or a negative errno presumably; check the definition. */
int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy);
134 
/*
 * Releases the creation details attached to @hierarchy: first the struct pid
 * reference that pins the creator's PID, then the details allocation itself.
 * Tolerates a NULL @hierarchy and a NULL @details.  Does not clear
 * @hierarchy->details; callers are expected to free the node right after.
 */
static inline void
landlock_free_hierarchy_details(struct landlock_hierarchy *const hierarchy)
{
	const struct landlock_details *details;

	if (!hierarchy)
		return;

	details = hierarchy->details;
	if (!details)
		return;

	put_pid(details->pid);
	kfree(details);
}
144 
145 #else /* CONFIG_AUDIT */
146 
/*
 * CONFIG_AUDIT is disabled: there is no log state to initialize, so this
 * stub always reports success.  @hierarchy is deliberately unused.
 */
static inline int
landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy)
{
	const int no_error = 0;

	return no_error;
}
152 
/*
 * CONFIG_AUDIT is disabled: landlock_hierarchy carries no details field, so
 * there is nothing to release.  Kept so landlock_put_hierarchy() can call it
 * unconditionally.
 */
static inline void
landlock_free_hierarchy_details(struct landlock_hierarchy *const hierarchy)
{
	/* Intentionally empty. */
}
157 
158 #endif /* CONFIG_AUDIT */
159 
/*
 * Takes a reference on @hierarchy (no-op for NULL).  Every reference taken
 * here must be balanced by a landlock_put_hierarchy() call.
 */
static inline void
landlock_get_hierarchy(struct landlock_hierarchy *const hierarchy)
{
	if (!hierarchy)
		return;

	refcount_inc(&hierarchy->usage);
}
166 
/*
 * Drops a reference on @hierarchy.  When a node's usage reaches zero, its
 * audit record is dropped and its details released before the node itself is
 * freed, then the reference it held on its parent is dropped in turn.  The
 * walk stops at the first ancestor that is still referenced (or at the root).
 */
static inline void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy)
{
	for (;;) {
		struct landlock_hierarchy *parent;

		if (!hierarchy || !refcount_dec_and_test(&hierarchy->usage))
			break;

		landlock_log_drop_domain(hierarchy);
		landlock_free_hierarchy_details(hierarchy);
		/* Read the parent before the node is freed. */
		parent = hierarchy->parent;
		kfree(hierarchy);
		hierarchy = parent;
	}
}
178 
179 #endif /* _SECURITY_LANDLOCK_DOMAIN_H */