1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * Landlock - Filesystem management and hooks
4  *
5  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2018-2020 ANSSI
7  * Copyright © 2024-2025 Microsoft Corporation
8  */
9 
10 #ifndef _SECURITY_LANDLOCK_FS_H
11 #define _SECURITY_LANDLOCK_FS_H
12 
13 #include <linux/build_bug.h>
14 #include <linux/fs.h>
15 #include <linux/init.h>
16 #include <linux/rcupdate.h>
17 
18 #include "access.h"
19 #include "cred.h"
20 #include "ruleset.h"
21 #include "setup.h"
22 
/**
 * struct landlock_inode_security - Inode security blob
 *
 * Enable to reference a &struct landlock_object tied to an inode (i.e.
 * underlying object).  Reached from an inode through landlock_inode(), which
 * offsets into the LSM-managed inode->i_security blob.
 */
struct landlock_inode_security {
	/**
	 * @object: Weak pointer to an allocated object.  All assignments of a
	 * new object are protected by the underlying inode->i_lock.  However,
	 * atomically disassociating @object from the inode is only protected
	 * by @object->lock, from the time @object's usage refcount drops to
	 * zero to the time this pointer is nulled out (cf. release_inode() and
	 * hook_sb_delete()).  Indeed, such disassociation doesn't require
	 * inode->i_lock thanks to the careful rcu_access_pointer() check
	 * performed by get_inode_object().
	 *
	 * The __rcu annotation means reads must go through RCU accessors
	 * (e.g. rcu_access_pointer() as above), not a plain load.
	 */
	struct landlock_object __rcu *object;
};
42 
/**
 * struct landlock_file_security - File security blob
 *
 * This information is populated when opening a file in hook_file_open(), and
 * tracks the relevant Landlock access rights that were available at the time
 * of opening the file. Other LSM hooks use these rights in order to authorize
 * operations on already opened files.  Reached from a file through
 * landlock_file(), which offsets into the LSM-managed file->f_security blob.
 */
struct landlock_file_security {
	/**
	 * @allowed_access: Access rights that were available at the time of
	 * opening the file. This is not necessarily the full set of access
	 * rights available at that time, but it's the necessary subset as
	 * needed to authorize later operations on the open file.
	 */
	access_mask_t allowed_access;

/* Audit-only state; the static_asserts below check these fields' widths. */
#ifdef CONFIG_AUDIT
	/**
	 * @deny_masks: Domain layer levels that deny an optional access (see
	 * _LANDLOCK_ACCESS_FS_OPTIONAL).
	 */
	deny_masks_t deny_masks;
	/**
	 * @quiet_optional_accesses: Stores which optional accesses are covered
	 * by quiet rules within the layer referred to in deny_masks, one access
	 * per bit.  Does not take into account whether the quiet access bits
	 * are actually set in the layer's corresponding landlock_hierarchy.
	 * Its type is checked (static_assert below) to have at least one bit
	 * per optional access.
	 */
	optional_access_t quiet_optional_accesses;
	/**
	 * @fown_layer: Layer level of @fown_subject->domain with
	 * LANDLOCK_SCOPE_SIGNAL.  Its type is checked (static_assert below)
	 * to be able to hold LANDLOCK_MAX_NUM_LAYERS.
	 */
	u8 fown_layer;
#endif /* CONFIG_AUDIT */

	/**
	 * @fown_subject: Landlock credential of the task that set the PID that
	 * may receive a signal e.g., SIGURG when writing MSG_OOB to the
	 * related socket.  This pointer is protected by the related
	 * file->f_owner->lock, as for fown_struct's members: pid, uid, and
	 * euid.
	 */
	struct landlock_cred_security fown_subject;
	/**
	 * @fown_tg: Thread group of the task that set the file owner, pinned
	 * while @fown_subject holds a domain.  It lets
	 * hook_file_send_sigiotask() always allow a SIGIO delivered to the
	 * owner's own process -- e.g. the thread-group leader reached through a
	 * process-group owner -- matching the same-process exemption of
	 * hook_task_kill().  NULL when no domain is recorded.  Protected by
	 * file->f_owner->lock, like @fown_subject.
	 */
	struct pid *fown_tg;
};
99 
100 #ifdef CONFIG_AUDIT
101 
/*
 * Every layer level must be representable in @fown_layer: the largest value
 * its type can hold (all bits set) has to reach LANDLOCK_MAX_NUM_LAYERS.
 */
/* clang-format off */
static_assert(LANDLOCK_MAX_NUM_LAYERS <=
	      (typeof_member(struct landlock_file_security, fown_layer))~0);
/* clang-format on */
107 
/*
 * @quiet_optional_accesses holds one bit per optional access, so its bit
 * width must be at least the number of bits set in
 * _LANDLOCK_ACCESS_FS_OPTIONAL.
 */
static_assert(HWEIGHT(_LANDLOCK_ACCESS_FS_OPTIONAL) <=
	      BITS_PER_TYPE(typeof_member(struct landlock_file_security,
					  quiet_optional_accesses)));
115 
116 #endif /* CONFIG_AUDIT */
117 
/**
 * struct landlock_superblock_security - Superblock security blob
 *
 * Enable hook_sb_delete() to wait for concurrent calls to release_inode().
 * Reached from a superblock through landlock_superblock(), which offsets into
 * the LSM-managed super_block->s_security blob.
 */
struct landlock_superblock_security {
	/**
	 * @inode_refs: Number of pending inodes (from this superblock) that
	 * are being released by release_inode().
	 * Cf. struct super_block->s_fsnotify_inode_refs .
	 * Atomic so that concurrent release_inode() calls can update it
	 * without taking a lock.
	 */
	atomic_long_t inode_refs;
};
131 
/**
 * landlock_file() - Get Landlock's part of a file's security blob
 * @file: File whose blob is looked up.
 *
 * The LSM framework allocates one shared blob per file; Landlock's slice
 * starts at the @landlock_blob_sizes.lbs_file offset (see setup.h).  The
 * returned memory is writable even though @file is const-qualified.
 *
 * Return: Pointer to the &struct landlock_file_security of @file.
 */
static inline struct landlock_file_security *
landlock_file(const struct file *const file)
{
	void *const blob = file->f_security;

	return blob + landlock_blob_sizes.lbs_file;
}
137 
/**
 * landlock_inode() - Get Landlock's part of an inode's security blob
 * @inode: Inode whose blob is looked up.
 *
 * Landlock's slice of the shared inode->i_security blob starts at the
 * @landlock_blob_sizes.lbs_inode offset (see setup.h).  The returned memory
 * is writable even though @inode is const-qualified.
 *
 * Return: Pointer to the &struct landlock_inode_security of @inode.
 */
static inline struct landlock_inode_security *
landlock_inode(const struct inode *const inode)
{
	void *const blob = inode->i_security;

	return blob + landlock_blob_sizes.lbs_inode;
}
143 
/**
 * landlock_superblock() - Get Landlock's part of a superblock's security blob
 * @superblock: Superblock whose blob is looked up.
 *
 * Landlock's slice of the shared super_block->s_security blob starts at the
 * @landlock_blob_sizes.lbs_superblock offset (see setup.h).  The returned
 * memory is writable even though @superblock is const-qualified.
 *
 * Return: Pointer to the &struct landlock_superblock_security of @superblock.
 */
static inline struct landlock_superblock_security *
landlock_superblock(const struct super_block *const superblock)
{
	void *const blob = superblock->s_security;

	return blob + landlock_blob_sizes.lbs_superblock;
}
149 
/*
 * landlock_add_fs_hooks() - Add Landlock's filesystem hooks.  Marked __init,
 * so it may only be called during kernel initialization (its code is freed
 * afterwards).
 */
__init void landlock_add_fs_hooks(void);
151 
/*
 * landlock_append_fs_rule() - Append a filesystem rule to a ruleset.
 * @ruleset: Ruleset to extend.
 * @path: Path the rule applies to.
 * @access_hierarchy: Access rights granted for the hierarchy under @path.
 * @flags: Rule flags.
 *
 * Return: int, presumably 0 on success and a negative errno on failure
 * (kernel convention) -- confirm against the definition.
 */
int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
			    const struct path *const path,
			    access_mask_t access_hierarchy, const u32 flags);
155 
156 #endif /* _SECURITY_LANDLOCK_FS_H */
157