1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * Landlock LSM - Ruleset management 4 * 5 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net> 6 * Copyright © 2018-2020 ANSSI 7 */ 8 9 #ifndef _SECURITY_LANDLOCK_RULESET_H 10 #define _SECURITY_LANDLOCK_RULESET_H 11 12 #include <linux/bitops.h> 13 #include <linux/build_bug.h> 14 #include <linux/kernel.h> 15 #include <linux/mutex.h> 16 #include <linux/rbtree.h> 17 #include <linux/refcount.h> 18 #include <linux/workqueue.h> 19 #include <uapi/linux/landlock.h> 20 21 #include "limits.h" 22 #include "object.h" 23 24 /* 25 * All access rights that are denied by default whether they are handled or not 26 * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] 27 * entries when we need to get the absolute handled access masks. 28 */ 29 /* clang-format off */ 30 #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \ 31 LANDLOCK_ACCESS_FS_REFER) 32 /* clang-format on */ 33 34 typedef u16 access_mask_t; 35 /* Makes sure all filesystem access rights can be stored. */ 36 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); 37 /* Makes sure all network access rights can be stored. */ 38 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET); 39 /* Makes sure all scoped rights can be stored. */ 40 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE); 41 /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ 42 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); 43 44 /* Ruleset access masks. */ 45 struct access_masks { 46 access_mask_t fs : LANDLOCK_NUM_ACCESS_FS; 47 access_mask_t net : LANDLOCK_NUM_ACCESS_NET; 48 access_mask_t scope : LANDLOCK_NUM_SCOPE; 49 }; 50 51 union access_masks_all { 52 struct access_masks masks; 53 u32 all; 54 }; 55 56 /* Makes sure all fields are covered. */ 57 static_assert(sizeof(typeof_member(union access_masks_all, masks)) == 58 sizeof(typeof_member(union access_masks_all, all))); 59 60 typedef u16 layer_mask_t; 61 /* Makes sure all layers can be checked. */ 62 static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS); 63 64 /** 65 * struct landlock_layer - Access rights for a given layer 66 */ 67 struct landlock_layer { 68 /** 69 * @level: Position of this layer in the layer stack. 70 */ 71 u16 level; 72 /** 73 * @access: Bitfield of allowed actions on the kernel object. They are 74 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ). 75 */ 76 access_mask_t access; 77 }; 78 79 /** 80 * union landlock_key - Key of a ruleset's red-black tree 81 */ 82 union landlock_key { 83 /** 84 * @object: Pointer to identify a kernel object (e.g. an inode). 85 */ 86 struct landlock_object *object; 87 /** 88 * @data: Raw data to identify an arbitrary 32-bit value 89 * (e.g. a TCP port). 90 */ 91 uintptr_t data; 92 }; 93 94 /** 95 * enum landlock_key_type - Type of &union landlock_key 96 */ 97 enum landlock_key_type { 98 /** 99 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node 100 * keys. 101 */ 102 LANDLOCK_KEY_INODE = 1, 103 /** 104 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's 105 * node keys. 106 */ 107 LANDLOCK_KEY_NET_PORT, 108 }; 109 110 /** 111 * struct landlock_id - Unique rule identifier for a ruleset 112 */ 113 struct landlock_id { 114 /** 115 * @key: Identifies either a kernel object (e.g. an inode) or 116 * a raw value (e.g. a TCP port). 117 */ 118 union landlock_key key; 119 /** 120 * @type: Type of a landlock_ruleset's root tree. 121 */ 122 const enum landlock_key_type type; 123 }; 124 125 /** 126 * struct landlock_rule - Access rights tied to an object 127 */ 128 struct landlock_rule { 129 /** 130 * @node: Node in the ruleset's red-black tree. 131 */ 132 struct rb_node node; 133 /** 134 * @key: A union to identify either a kernel object (e.g. an inode) or 135 * a raw data value (e.g. a network socket port). This is used as a key 136 * for this ruleset element. The pointer is set once and never 137 * modified. It always points to an allocated object because each rule 138 * increments the refcount of its object. 139 */ 140 union landlock_key key; 141 /** 142 * @num_layers: Number of entries in @layers. 143 */ 144 u32 num_layers; 145 /** 146 * @layers: Stack of layers, from the latest to the newest, implemented 147 * as a flexible array member (FAM). 148 */ 149 struct landlock_layer layers[] __counted_by(num_layers); 150 }; 151 152 /** 153 * struct landlock_hierarchy - Node in a ruleset hierarchy 154 */ 155 struct landlock_hierarchy { 156 /** 157 * @parent: Pointer to the parent node, or NULL if it is a root 158 * Landlock domain. 159 */ 160 struct landlock_hierarchy *parent; 161 /** 162 * @usage: Number of potential children domains plus their parent 163 * domain. 164 */ 165 refcount_t usage; 166 }; 167 168 /** 169 * struct landlock_ruleset - Landlock ruleset 170 * 171 * This data structure must contain unique entries, be updatable, and quick to 172 * match an object. 173 */ 174 struct landlock_ruleset { 175 /** 176 * @root_inode: Root of a red-black tree containing &struct 177 * landlock_rule nodes with inode object. Once a ruleset is tied to a 178 * process (i.e. as a domain), this tree is immutable until @usage 179 * reaches zero. 180 */ 181 struct rb_root root_inode; 182 183 #if IS_ENABLED(CONFIG_INET) 184 /** 185 * @root_net_port: Root of a red-black tree containing &struct 186 * landlock_rule nodes with network port. Once a ruleset is tied to a 187 * process (i.e. as a domain), this tree is immutable until @usage 188 * reaches zero. 189 */ 190 struct rb_root root_net_port; 191 #endif /* IS_ENABLED(CONFIG_INET) */ 192 193 /** 194 * @hierarchy: Enables hierarchy identification even when a parent 195 * domain vanishes. This is needed for the ptrace protection. 196 */ 197 struct landlock_hierarchy *hierarchy; 198 union { 199 /** 200 * @work_free: Enables to free a ruleset within a lockless 201 * section. This is only used by 202 * landlock_put_ruleset_deferred() when @usage reaches zero. 203 * The fields @lock, @usage, @num_rules, @num_layers and 204 * @access_masks are then unused. 205 */ 206 struct work_struct work_free; 207 struct { 208 /** 209 * @lock: Protects against concurrent modifications of 210 * @root, if @usage is greater than zero. 211 */ 212 struct mutex lock; 213 /** 214 * @usage: Number of processes (i.e. domains) or file 215 * descriptors referencing this ruleset. 216 */ 217 refcount_t usage; 218 /** 219 * @num_rules: Number of non-overlapping (i.e. not for 220 * the same object) rules in this ruleset. 221 */ 222 u32 num_rules; 223 /** 224 * @num_layers: Number of layers that are used in this 225 * ruleset. This enables to check that all the layers 226 * allow an access request. A value of 0 identifies a 227 * non-merged ruleset (i.e. not a domain). 228 */ 229 u32 num_layers; 230 /** 231 * @access_masks: Contains the subset of filesystem and 232 * network actions that are restricted by a ruleset. 233 * A domain saves all layers of merged rulesets in a 234 * stack (FAM), starting from the first layer to the 235 * last one. These layers are used when merging 236 * rulesets, for user space backward compatibility 237 * (i.e. future-proof), and to properly handle merged 238 * rulesets without overlapping access rights. These 239 * layers are set once and never changed for the 240 * lifetime of the ruleset. 241 */ 242 struct access_masks access_masks[]; 243 }; 244 }; 245 }; 246 247 struct landlock_ruleset * 248 landlock_create_ruleset(const access_mask_t access_mask_fs, 249 const access_mask_t access_mask_net, 250 const access_mask_t scope_mask); 251 252 void landlock_put_ruleset(struct landlock_ruleset *const ruleset); 253 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); 254 255 int landlock_insert_rule(struct landlock_ruleset *const ruleset, 256 const struct landlock_id id, 257 const access_mask_t access); 258 259 struct landlock_ruleset * 260 landlock_merge_ruleset(struct landlock_ruleset *const parent, 261 struct landlock_ruleset *const ruleset); 262 263 const struct landlock_rule * 264 landlock_find_rule(const struct landlock_ruleset *const ruleset, 265 const struct landlock_id id); 266 267 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) 268 { 269 if (ruleset) 270 refcount_inc(&ruleset->usage); 271 } 272 273 /** 274 * landlock_union_access_masks - Return all access rights handled in the 275 * domain 276 * 277 * @domain: Landlock ruleset (used as a domain) 278 * 279 * Returns: an access_masks result of the OR of all the domain's access masks. 280 */ 281 static inline struct access_masks 282 landlock_union_access_masks(const struct landlock_ruleset *const domain) 283 { 284 union access_masks_all matches = {}; 285 size_t layer_level; 286 287 for (layer_level = 0; layer_level < domain->num_layers; layer_level++) { 288 union access_masks_all layer = { 289 .masks = domain->access_masks[layer_level], 290 }; 291 292 matches.all |= layer.all; 293 } 294 295 return matches.masks; 296 } 297 298 /** 299 * landlock_get_applicable_domain - Return @domain if it applies to (handles) 300 * at least one of the access rights specified 301 * in @masks 302 * 303 * @domain: Landlock ruleset (used as a domain) 304 * @masks: access masks 305 * 306 * Returns: @domain if any access rights specified in @masks is handled, or 307 * NULL otherwise. 308 */ 309 static inline const struct landlock_ruleset * 310 landlock_get_applicable_domain(const struct landlock_ruleset *const domain, 311 const struct access_masks masks) 312 { 313 const union access_masks_all masks_all = { 314 .masks = masks, 315 }; 316 union access_masks_all merge = {}; 317 318 if (!domain) 319 return NULL; 320 321 merge.masks = landlock_union_access_masks(domain); 322 if (merge.all & masks_all.all) 323 return domain; 324 325 return NULL; 326 } 327 328 static inline void 329 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, 330 const access_mask_t fs_access_mask, 331 const u16 layer_level) 332 { 333 access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS; 334 335 /* Should already be checked in sys_landlock_create_ruleset(). */ 336 WARN_ON_ONCE(fs_access_mask != fs_mask); 337 ruleset->access_masks[layer_level].fs |= fs_mask; 338 } 339 340 static inline void 341 landlock_add_net_access_mask(struct landlock_ruleset *const ruleset, 342 const access_mask_t net_access_mask, 343 const u16 layer_level) 344 { 345 access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET; 346 347 /* Should already be checked in sys_landlock_create_ruleset(). */ 348 WARN_ON_ONCE(net_access_mask != net_mask); 349 ruleset->access_masks[layer_level].net |= net_mask; 350 } 351 352 static inline void 353 landlock_add_scope_mask(struct landlock_ruleset *const ruleset, 354 const access_mask_t scope_mask, const u16 layer_level) 355 { 356 access_mask_t mask = scope_mask & LANDLOCK_MASK_SCOPE; 357 358 /* Should already be checked in sys_landlock_create_ruleset(). */ 359 WARN_ON_ONCE(scope_mask != mask); 360 ruleset->access_masks[layer_level].scope |= mask; 361 } 362 363 static inline access_mask_t 364 landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset, 365 const u16 layer_level) 366 { 367 /* Handles all initially denied by default access rights. */ 368 return ruleset->access_masks[layer_level].fs | 369 LANDLOCK_ACCESS_FS_INITIALLY_DENIED; 370 } 371 372 static inline access_mask_t 373 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset, 374 const u16 layer_level) 375 { 376 return ruleset->access_masks[layer_level].net; 377 } 378 379 static inline access_mask_t 380 landlock_get_scope_mask(const struct landlock_ruleset *const ruleset, 381 const u16 layer_level) 382 { 383 return ruleset->access_masks[layer_level].scope; 384 } 385 386 bool landlock_unmask_layers(const struct landlock_rule *const rule, 387 const access_mask_t access_request, 388 layer_mask_t (*const layer_masks)[], 389 const size_t masks_array_size); 390 391 access_mask_t 392 landlock_init_layer_masks(const struct landlock_ruleset *const domain, 393 const access_mask_t access_request, 394 layer_mask_t (*const layer_masks)[], 395 const enum landlock_key_type key_type); 396 397 #endif /* _SECURITY_LANDLOCK_RULESET_H */ 398