1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * Landlock LSM - Ruleset management 4 * 5 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net> 6 * Copyright © 2018-2020 ANSSI 7 */ 8 9 #ifndef _SECURITY_LANDLOCK_RULESET_H 10 #define _SECURITY_LANDLOCK_RULESET_H 11 12 #include <linux/bitops.h> 13 #include <linux/build_bug.h> 14 #include <linux/mutex.h> 15 #include <linux/rbtree.h> 16 #include <linux/refcount.h> 17 #include <linux/workqueue.h> 18 #include <uapi/linux/landlock.h> 19 20 #include "limits.h" 21 #include "object.h" 22 23 /* 24 * All access rights that are denied by default whether they are handled or not 25 * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] 26 * entries when we need to get the absolute handled access masks. 27 */ 28 /* clang-format off */ 29 #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \ 30 LANDLOCK_ACCESS_FS_REFER) 31 /* clang-format on */ 32 33 typedef u16 access_mask_t; 34 /* Makes sure all filesystem access rights can be stored. */ 35 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); 36 /* Makes sure all network access rights can be stored. */ 37 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET); 38 /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ 39 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); 40 41 /* Ruleset access masks. */ 42 typedef u32 access_masks_t; 43 /* Makes sure all ruleset access rights can be stored. */ 44 static_assert(BITS_PER_TYPE(access_masks_t) >= 45 LANDLOCK_NUM_ACCESS_FS + LANDLOCK_NUM_ACCESS_NET); 46 47 typedef u16 layer_mask_t; 48 /* Makes sure all layers can be checked. */ 49 static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS); 50 51 /** 52 * struct landlock_layer - Access rights for a given layer 53 */ 54 struct landlock_layer { 55 /** 56 * @level: Position of this layer in the layer stack. 57 */ 58 u16 level; 59 /** 60 * @access: Bitfield of allowed actions on the kernel object. They are 61 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ). 62 */ 63 access_mask_t access; 64 }; 65 66 /** 67 * union landlock_key - Key of a ruleset's red-black tree 68 */ 69 union landlock_key { 70 /** 71 * @object: Pointer to identify a kernel object (e.g. an inode). 72 */ 73 struct landlock_object *object; 74 /** 75 * @data: Raw data to identify an arbitrary 32-bit value 76 * (e.g. a TCP port). 77 */ 78 uintptr_t data; 79 }; 80 81 /** 82 * enum landlock_key_type - Type of &union landlock_key 83 */ 84 enum landlock_key_type { 85 /** 86 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node 87 * keys. 88 */ 89 LANDLOCK_KEY_INODE = 1, 90 /** 91 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's 92 * node keys. 93 */ 94 LANDLOCK_KEY_NET_PORT, 95 }; 96 97 /** 98 * struct landlock_id - Unique rule identifier for a ruleset 99 */ 100 struct landlock_id { 101 /** 102 * @key: Identifies either a kernel object (e.g. an inode) or 103 * a raw value (e.g. a TCP port). 104 */ 105 union landlock_key key; 106 /** 107 * @type: Type of a landlock_ruleset's root tree. 108 */ 109 const enum landlock_key_type type; 110 }; 111 112 /** 113 * struct landlock_rule - Access rights tied to an object 114 */ 115 struct landlock_rule { 116 /** 117 * @node: Node in the ruleset's red-black tree. 118 */ 119 struct rb_node node; 120 /** 121 * @key: A union to identify either a kernel object (e.g. an inode) or 122 * a raw data value (e.g. a network socket port). This is used as a key 123 * for this ruleset element. The pointer is set once and never 124 * modified. It always points to an allocated object because each rule 125 * increments the refcount of its object. 126 */ 127 union landlock_key key; 128 /** 129 * @num_layers: Number of entries in @layers. 130 */ 131 u32 num_layers; 132 /** 133 * @layers: Stack of layers, from the latest to the newest, implemented 134 * as a flexible array member (FAM). 135 */ 136 struct landlock_layer layers[] __counted_by(num_layers); 137 }; 138 139 /** 140 * struct landlock_hierarchy - Node in a ruleset hierarchy 141 */ 142 struct landlock_hierarchy { 143 /** 144 * @parent: Pointer to the parent node, or NULL if it is a root 145 * Landlock domain. 146 */ 147 struct landlock_hierarchy *parent; 148 /** 149 * @usage: Number of potential children domains plus their parent 150 * domain. 151 */ 152 refcount_t usage; 153 }; 154 155 /** 156 * struct landlock_ruleset - Landlock ruleset 157 * 158 * This data structure must contain unique entries, be updatable, and quick to 159 * match an object. 160 */ 161 struct landlock_ruleset { 162 /** 163 * @root_inode: Root of a red-black tree containing &struct 164 * landlock_rule nodes with inode object. Once a ruleset is tied to a 165 * process (i.e. as a domain), this tree is immutable until @usage 166 * reaches zero. 167 */ 168 struct rb_root root_inode; 169 170 #if IS_ENABLED(CONFIG_INET) 171 /** 172 * @root_net_port: Root of a red-black tree containing &struct 173 * landlock_rule nodes with network port. Once a ruleset is tied to a 174 * process (i.e. as a domain), this tree is immutable until @usage 175 * reaches zero. 176 */ 177 struct rb_root root_net_port; 178 #endif /* IS_ENABLED(CONFIG_INET) */ 179 180 /** 181 * @hierarchy: Enables hierarchy identification even when a parent 182 * domain vanishes. This is needed for the ptrace protection. 183 */ 184 struct landlock_hierarchy *hierarchy; 185 union { 186 /** 187 * @work_free: Enables to free a ruleset within a lockless 188 * section. This is only used by 189 * landlock_put_ruleset_deferred() when @usage reaches zero. 190 * The fields @lock, @usage, @num_rules, @num_layers and 191 * @access_masks are then unused. 192 */ 193 struct work_struct work_free; 194 struct { 195 /** 196 * @lock: Protects against concurrent modifications of 197 * @root, if @usage is greater than zero. 198 */ 199 struct mutex lock; 200 /** 201 * @usage: Number of processes (i.e. domains) or file 202 * descriptors referencing this ruleset. 203 */ 204 refcount_t usage; 205 /** 206 * @num_rules: Number of non-overlapping (i.e. not for 207 * the same object) rules in this ruleset. 208 */ 209 u32 num_rules; 210 /** 211 * @num_layers: Number of layers that are used in this 212 * ruleset. This enables to check that all the layers 213 * allow an access request. A value of 0 identifies a 214 * non-merged ruleset (i.e. not a domain). 215 */ 216 u32 num_layers; 217 /** 218 * @access_masks: Contains the subset of filesystem and 219 * network actions that are restricted by a ruleset. 220 * A domain saves all layers of merged rulesets in a 221 * stack (FAM), starting from the first layer to the 222 * last one. These layers are used when merging 223 * rulesets, for user space backward compatibility 224 * (i.e. future-proof), and to properly handle merged 225 * rulesets without overlapping access rights. These 226 * layers are set once and never changed for the 227 * lifetime of the ruleset. 228 */ 229 access_masks_t access_masks[]; 230 }; 231 }; 232 }; 233 234 struct landlock_ruleset * 235 landlock_create_ruleset(const access_mask_t access_mask_fs, 236 const access_mask_t access_mask_net); 237 238 void landlock_put_ruleset(struct landlock_ruleset *const ruleset); 239 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); 240 241 int landlock_insert_rule(struct landlock_ruleset *const ruleset, 242 const struct landlock_id id, 243 const access_mask_t access); 244 245 struct landlock_ruleset * 246 landlock_merge_ruleset(struct landlock_ruleset *const parent, 247 struct landlock_ruleset *const ruleset); 248 249 const struct landlock_rule * 250 landlock_find_rule(const struct landlock_ruleset *const ruleset, 251 const struct landlock_id id); 252 253 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) 254 { 255 if (ruleset) 256 refcount_inc(&ruleset->usage); 257 } 258 259 static inline void 260 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, 261 const access_mask_t fs_access_mask, 262 const u16 layer_level) 263 { 264 access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS; 265 266 /* Should already be checked in sys_landlock_create_ruleset(). */ 267 WARN_ON_ONCE(fs_access_mask != fs_mask); 268 ruleset->access_masks[layer_level] |= 269 (fs_mask << LANDLOCK_SHIFT_ACCESS_FS); 270 } 271 272 static inline void 273 landlock_add_net_access_mask(struct landlock_ruleset *const ruleset, 274 const access_mask_t net_access_mask, 275 const u16 layer_level) 276 { 277 access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET; 278 279 /* Should already be checked in sys_landlock_create_ruleset(). */ 280 WARN_ON_ONCE(net_access_mask != net_mask); 281 ruleset->access_masks[layer_level] |= 282 (net_mask << LANDLOCK_SHIFT_ACCESS_NET); 283 } 284 285 static inline access_mask_t 286 landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset, 287 const u16 layer_level) 288 { 289 return (ruleset->access_masks[layer_level] >> 290 LANDLOCK_SHIFT_ACCESS_FS) & 291 LANDLOCK_MASK_ACCESS_FS; 292 } 293 294 static inline access_mask_t 295 landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset, 296 const u16 layer_level) 297 { 298 /* Handles all initially denied by default access rights. */ 299 return landlock_get_raw_fs_access_mask(ruleset, layer_level) | 300 LANDLOCK_ACCESS_FS_INITIALLY_DENIED; 301 } 302 303 static inline access_mask_t 304 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset, 305 const u16 layer_level) 306 { 307 return (ruleset->access_masks[layer_level] >> 308 LANDLOCK_SHIFT_ACCESS_NET) & 309 LANDLOCK_MASK_ACCESS_NET; 310 } 311 312 bool landlock_unmask_layers(const struct landlock_rule *const rule, 313 const access_mask_t access_request, 314 layer_mask_t (*const layer_masks)[], 315 const size_t masks_array_size); 316 317 access_mask_t 318 landlock_init_layer_masks(const struct landlock_ruleset *const domain, 319 const access_mask_t access_request, 320 layer_mask_t (*const layer_masks)[], 321 const enum landlock_key_type key_type); 322 323 #endif /* _SECURITY_LANDLOCK_RULESET_H */ 324