1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Landlock LSM - Network management and hooks 4 * 5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd. 6 * Copyright © 2022-2023 Microsoft Corporation 7 */ 8 9 #include <linux/in.h> 10 #include <linux/net.h> 11 #include <linux/socket.h> 12 #include <net/ipv6.h> 13 14 #include "common.h" 15 #include "cred.h" 16 #include "limits.h" 17 #include "net.h" 18 #include "ruleset.h" 19 20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, 21 const u16 port, access_mask_t access_rights) 22 { 23 int err; 24 const struct landlock_id id = { 25 .key.data = (__force uintptr_t)htons(port), 26 .type = LANDLOCK_KEY_NET_PORT, 27 }; 28 29 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); 30 31 /* Transforms relative access rights to absolute ones. */ 32 access_rights |= LANDLOCK_MASK_ACCESS_NET & 33 ~landlock_get_net_access_mask(ruleset, 0); 34 35 mutex_lock(&ruleset->lock); 36 err = landlock_insert_rule(ruleset, id, access_rights); 37 mutex_unlock(&ruleset->lock); 38 39 return err; 40 } 41 42 static const struct access_masks any_net = { 43 .net = ~0, 44 }; 45 46 static int current_check_access_socket(struct socket *const sock, 47 struct sockaddr *const address, 48 const int addrlen, 49 access_mask_t access_request) 50 { 51 __be16 port; 52 layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; 53 const struct landlock_rule *rule; 54 struct landlock_id id = { 55 .type = LANDLOCK_KEY_NET_PORT, 56 }; 57 const struct landlock_ruleset *const dom = 58 landlock_get_applicable_domain(landlock_get_current_domain(), 59 any_net); 60 61 if (!dom) 62 return 0; 63 if (WARN_ON_ONCE(dom->num_layers < 1)) 64 return -EACCES; 65 66 /* Checks if it's a (potential) TCP socket. */ 67 if (sock->type != SOCK_STREAM) 68 return 0; 69 70 /* Checks for minimal header length to safely read sa_family. */ 71 if (addrlen < offsetofend(typeof(*address), sa_family)) 72 return -EINVAL; 73 74 switch (address->sa_family) { 75 case AF_UNSPEC: 76 case AF_INET: 77 if (addrlen < sizeof(struct sockaddr_in)) 78 return -EINVAL; 79 port = ((struct sockaddr_in *)address)->sin_port; 80 break; 81 82 #if IS_ENABLED(CONFIG_IPV6) 83 case AF_INET6: 84 if (addrlen < SIN6_LEN_RFC2133) 85 return -EINVAL; 86 port = ((struct sockaddr_in6 *)address)->sin6_port; 87 break; 88 #endif /* IS_ENABLED(CONFIG_IPV6) */ 89 90 default: 91 return 0; 92 } 93 94 /* Specific AF_UNSPEC handling. */ 95 if (address->sa_family == AF_UNSPEC) { 96 /* 97 * Connecting to an address with AF_UNSPEC dissolves the TCP 98 * association, which have the same effect as closing the 99 * connection while retaining the socket object (i.e., the file 100 * descriptor). As for dropping privileges, closing 101 * connections is always allowed. 102 * 103 * For a TCP access control system, this request is legitimate. 104 * Let the network stack handle potential inconsistencies and 105 * return -EINVAL if needed. 106 */ 107 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) 108 return 0; 109 110 /* 111 * For compatibility reason, accept AF_UNSPEC for bind 112 * accesses (mapped to AF_INET) only if the address is 113 * INADDR_ANY (cf. __inet_bind). Checking the address is 114 * required to not wrongfully return -EACCES instead of 115 * -EAFNOSUPPORT. 116 * 117 * We could return 0 and let the network stack handle these 118 * checks, but it is safer to return a proper error and test 119 * consistency thanks to kselftest. 120 */ 121 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { 122 /* addrlen has already been checked for AF_UNSPEC. */ 123 const struct sockaddr_in *const sockaddr = 124 (struct sockaddr_in *)address; 125 126 if (sock->sk->__sk_common.skc_family != AF_INET) 127 return -EINVAL; 128 129 if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) 130 return -EAFNOSUPPORT; 131 } 132 } else { 133 /* 134 * Checks sa_family consistency to not wrongfully return 135 * -EACCES instead of -EINVAL. Valid sa_family changes are 136 * only (from AF_INET or AF_INET6) to AF_UNSPEC. 137 * 138 * We could return 0 and let the network stack handle this 139 * check, but it is safer to return a proper error and test 140 * consistency thanks to kselftest. 141 */ 142 if (address->sa_family != sock->sk->__sk_common.skc_family) 143 return -EINVAL; 144 } 145 146 id.key.data = (__force uintptr_t)port; 147 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); 148 149 rule = landlock_find_rule(dom, id); 150 access_request = landlock_init_layer_masks( 151 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); 152 if (landlock_unmask_layers(rule, access_request, &layer_masks, 153 ARRAY_SIZE(layer_masks))) 154 return 0; 155 156 return -EACCES; 157 } 158 159 static int hook_socket_bind(struct socket *const sock, 160 struct sockaddr *const address, const int addrlen) 161 { 162 return current_check_access_socket(sock, address, addrlen, 163 LANDLOCK_ACCESS_NET_BIND_TCP); 164 } 165 166 static int hook_socket_connect(struct socket *const sock, 167 struct sockaddr *const address, 168 const int addrlen) 169 { 170 return current_check_access_socket(sock, address, addrlen, 171 LANDLOCK_ACCESS_NET_CONNECT_TCP); 172 } 173 174 static struct security_hook_list landlock_hooks[] __ro_after_init = { 175 LSM_HOOK_INIT(socket_bind, hook_socket_bind), 176 LSM_HOOK_INIT(socket_connect, hook_socket_connect), 177 }; 178 179 __init void landlock_add_net_hooks(void) 180 { 181 security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), 182 &landlock_lsmid); 183 } 184