1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Landlock LSM - Network management and hooks 4 * 5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd. 6 * Copyright © 2022-2023 Microsoft Corporation 7 */ 8 9 #include <linux/in.h> 10 #include <linux/net.h> 11 #include <linux/socket.h> 12 #include <net/ipv6.h> 13 14 #include "common.h" 15 #include "cred.h" 16 #include "limits.h" 17 #include "net.h" 18 #include "ruleset.h" 19 20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, 21 const u16 port, access_mask_t access_rights) 22 { 23 int err; 24 const struct landlock_id id = { 25 .key.data = (__force uintptr_t)htons(port), 26 .type = LANDLOCK_KEY_NET_PORT, 27 }; 28 29 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); 30 31 /* Transforms relative access rights to absolute ones. */ 32 access_rights |= LANDLOCK_MASK_ACCESS_NET & 33 ~landlock_get_net_access_mask(ruleset, 0); 34 35 mutex_lock(&ruleset->lock); 36 err = landlock_insert_rule(ruleset, id, access_rights); 37 mutex_unlock(&ruleset->lock); 38 39 return err; 40 } 41 42 static access_mask_t 43 get_raw_handled_net_accesses(const struct landlock_ruleset *const domain) 44 { 45 access_mask_t access_dom = 0; 46 size_t layer_level; 47 48 for (layer_level = 0; layer_level < domain->num_layers; layer_level++) 49 access_dom |= landlock_get_net_access_mask(domain, layer_level); 50 return access_dom; 51 } 52 53 static const struct landlock_ruleset *get_current_net_domain(void) 54 { 55 const struct landlock_ruleset *const dom = 56 landlock_get_current_domain(); 57 58 if (!dom || !get_raw_handled_net_accesses(dom)) 59 return NULL; 60 61 return dom; 62 } 63 64 static int current_check_access_socket(struct socket *const sock, 65 struct sockaddr *const address, 66 const int addrlen, 67 const access_mask_t access_request) 68 { 69 __be16 port; 70 layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; 71 const struct landlock_rule *rule; 72 access_mask_t handled_access; 73 struct landlock_id id = { 74 .type = LANDLOCK_KEY_NET_PORT, 75 }; 76 const struct landlock_ruleset *const dom = get_current_net_domain(); 77 78 if (!dom) 79 return 0; 80 if (WARN_ON_ONCE(dom->num_layers < 1)) 81 return -EACCES; 82 83 /* Checks if it's a (potential) TCP socket. */ 84 if (sock->type != SOCK_STREAM) 85 return 0; 86 87 /* Checks for minimal header length to safely read sa_family. */ 88 if (addrlen < offsetofend(typeof(*address), sa_family)) 89 return -EINVAL; 90 91 switch (address->sa_family) { 92 case AF_UNSPEC: 93 case AF_INET: 94 if (addrlen < sizeof(struct sockaddr_in)) 95 return -EINVAL; 96 port = ((struct sockaddr_in *)address)->sin_port; 97 break; 98 99 #if IS_ENABLED(CONFIG_IPV6) 100 case AF_INET6: 101 if (addrlen < SIN6_LEN_RFC2133) 102 return -EINVAL; 103 port = ((struct sockaddr_in6 *)address)->sin6_port; 104 break; 105 #endif /* IS_ENABLED(CONFIG_IPV6) */ 106 107 default: 108 return 0; 109 } 110 111 /* Specific AF_UNSPEC handling. */ 112 if (address->sa_family == AF_UNSPEC) { 113 /* 114 * Connecting to an address with AF_UNSPEC dissolves the TCP 115 * association, which have the same effect as closing the 116 * connection while retaining the socket object (i.e., the file 117 * descriptor). As for dropping privileges, closing 118 * connections is always allowed. 119 * 120 * For a TCP access control system, this request is legitimate. 121 * Let the network stack handle potential inconsistencies and 122 * return -EINVAL if needed. 123 */ 124 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) 125 return 0; 126 127 /* 128 * For compatibility reason, accept AF_UNSPEC for bind 129 * accesses (mapped to AF_INET) only if the address is 130 * INADDR_ANY (cf. __inet_bind). Checking the address is 131 * required to not wrongfully return -EACCES instead of 132 * -EAFNOSUPPORT. 133 * 134 * We could return 0 and let the network stack handle these 135 * checks, but it is safer to return a proper error and test 136 * consistency thanks to kselftest. 137 */ 138 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { 139 /* addrlen has already been checked for AF_UNSPEC. */ 140 const struct sockaddr_in *const sockaddr = 141 (struct sockaddr_in *)address; 142 143 if (sock->sk->__sk_common.skc_family != AF_INET) 144 return -EINVAL; 145 146 if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) 147 return -EAFNOSUPPORT; 148 } 149 } else { 150 /* 151 * Checks sa_family consistency to not wrongfully return 152 * -EACCES instead of -EINVAL. Valid sa_family changes are 153 * only (from AF_INET or AF_INET6) to AF_UNSPEC. 154 * 155 * We could return 0 and let the network stack handle this 156 * check, but it is safer to return a proper error and test 157 * consistency thanks to kselftest. 158 */ 159 if (address->sa_family != sock->sk->__sk_common.skc_family) 160 return -EINVAL; 161 } 162 163 id.key.data = (__force uintptr_t)port; 164 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); 165 166 rule = landlock_find_rule(dom, id); 167 handled_access = landlock_init_layer_masks( 168 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); 169 if (landlock_unmask_layers(rule, handled_access, &layer_masks, 170 ARRAY_SIZE(layer_masks))) 171 return 0; 172 173 return -EACCES; 174 } 175 176 static int hook_socket_bind(struct socket *const sock, 177 struct sockaddr *const address, const int addrlen) 178 { 179 return current_check_access_socket(sock, address, addrlen, 180 LANDLOCK_ACCESS_NET_BIND_TCP); 181 } 182 183 static int hook_socket_connect(struct socket *const sock, 184 struct sockaddr *const address, 185 const int addrlen) 186 { 187 return current_check_access_socket(sock, address, addrlen, 188 LANDLOCK_ACCESS_NET_CONNECT_TCP); 189 } 190 191 static struct security_hook_list landlock_hooks[] __ro_after_init = { 192 LSM_HOOK_INIT(socket_bind, hook_socket_bind), 193 LSM_HOOK_INIT(socket_connect, hook_socket_connect), 194 }; 195 196 __init void landlock_add_net_hooks(void) 197 { 198 security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), 199 LANDLOCK_NAME); 200 } 201