xref: /linux/security/landlock/ruleset.h (revision add452d09a38c7a7c44aea55c1015392cebf9fa7)
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * Landlock LSM - Ruleset management
4  *
5  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2018-2020 ANSSI
7  */
8 
9 #ifndef _SECURITY_LANDLOCK_RULESET_H
10 #define _SECURITY_LANDLOCK_RULESET_H
11 
12 #include <linux/bitops.h>
13 #include <linux/build_bug.h>
14 #include <linux/mutex.h>
15 #include <linux/rbtree.h>
16 #include <linux/refcount.h>
17 #include <linux/workqueue.h>
18 #include <uapi/linux/landlock.h>
19 
20 #include "limits.h"
21 #include "object.h"
22 
23 /*
24  * All access rights that are denied by default whether they are handled or not
25  * by a ruleset/layer.  This must be ORed with all ruleset->access_masks[]
26  * entries when we need to get the absolute handled access masks.
27  */
28 /* clang-format off */
29 #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
30 	LANDLOCK_ACCESS_FS_REFER)
31 /* clang-format on */
32 
33 typedef u16 access_mask_t;
34 /* Makes sure all filesystem access rights can be stored. */
35 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
36 /* Makes sure all network access rights can be stored. */
37 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
38 /* Makes sure all scoped rights can be stored. */
39 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
40 /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
41 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
42 
43 /* Ruleset access masks. */
44 struct access_masks {
45 	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
46 	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
47 	access_mask_t scope : LANDLOCK_NUM_SCOPE;
48 };
49 
50 typedef u16 layer_mask_t;
51 /* Makes sure all layers can be checked. */
52 static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
53 
54 /**
55  * struct landlock_layer - Access rights for a given layer
56  */
57 struct landlock_layer {
58 	/**
59 	 * @level: Position of this layer in the layer stack.
60 	 */
61 	u16 level;
62 	/**
63 	 * @access: Bitfield of allowed actions on the kernel object.  They are
64 	 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
65 	 */
66 	access_mask_t access;
67 };
68 
69 /**
70  * union landlock_key - Key of a ruleset's red-black tree
71  */
72 union landlock_key {
73 	/**
74 	 * @object: Pointer to identify a kernel object (e.g. an inode).
75 	 */
76 	struct landlock_object *object;
77 	/**
78 	 * @data: Raw data to identify an arbitrary 32-bit value
79 	 * (e.g. a TCP port).
80 	 */
81 	uintptr_t data;
82 };
83 
84 /**
85  * enum landlock_key_type - Type of &union landlock_key
86  */
87 enum landlock_key_type {
88 	/**
89 	 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node
90 	 * keys.
91 	 */
92 	LANDLOCK_KEY_INODE = 1,
93 	/**
94 	 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
95 	 * node keys.
96 	 */
97 	LANDLOCK_KEY_NET_PORT,
98 };
99 
100 /**
101  * struct landlock_id - Unique rule identifier for a ruleset
102  */
103 struct landlock_id {
104 	/**
105 	 * @key: Identifies either a kernel object (e.g. an inode) or
106 	 * a raw value (e.g. a TCP port).
107 	 */
108 	union landlock_key key;
109 	/**
110 	 * @type: Type of a landlock_ruleset's root tree.
111 	 */
112 	const enum landlock_key_type type;
113 };
114 
115 /**
116  * struct landlock_rule - Access rights tied to an object
117  */
118 struct landlock_rule {
119 	/**
120 	 * @node: Node in the ruleset's red-black tree.
121 	 */
122 	struct rb_node node;
123 	/**
124 	 * @key: A union to identify either a kernel object (e.g. an inode) or
125 	 * a raw data value (e.g. a network socket port). This is used as a key
126 	 * for this ruleset element.  The pointer is set once and never
127 	 * modified.  It always points to an allocated object because each rule
128 	 * increments the refcount of its object.
129 	 */
130 	union landlock_key key;
131 	/**
132 	 * @num_layers: Number of entries in @layers.
133 	 */
134 	u32 num_layers;
135 	/**
136 	 * @layers: Stack of layers, from the latest to the newest, implemented
137 	 * as a flexible array member (FAM).
138 	 */
139 	struct landlock_layer layers[] __counted_by(num_layers);
140 };
141 
142 /**
143  * struct landlock_hierarchy - Node in a ruleset hierarchy
144  */
145 struct landlock_hierarchy {
146 	/**
147 	 * @parent: Pointer to the parent node, or NULL if it is a root
148 	 * Landlock domain.
149 	 */
150 	struct landlock_hierarchy *parent;
151 	/**
152 	 * @usage: Number of potential children domains plus their parent
153 	 * domain.
154 	 */
155 	refcount_t usage;
156 };
157 
158 /**
159  * struct landlock_ruleset - Landlock ruleset
160  *
161  * This data structure must contain unique entries, be updatable, and quick to
162  * match an object.
163  */
164 struct landlock_ruleset {
165 	/**
166 	 * @root_inode: Root of a red-black tree containing &struct
167 	 * landlock_rule nodes with inode object.  Once a ruleset is tied to a
168 	 * process (i.e. as a domain), this tree is immutable until @usage
169 	 * reaches zero.
170 	 */
171 	struct rb_root root_inode;
172 
173 #if IS_ENABLED(CONFIG_INET)
174 	/**
175 	 * @root_net_port: Root of a red-black tree containing &struct
176 	 * landlock_rule nodes with network port. Once a ruleset is tied to a
177 	 * process (i.e. as a domain), this tree is immutable until @usage
178 	 * reaches zero.
179 	 */
180 	struct rb_root root_net_port;
181 #endif /* IS_ENABLED(CONFIG_INET) */
182 
183 	/**
184 	 * @hierarchy: Enables hierarchy identification even when a parent
185 	 * domain vanishes.  This is needed for the ptrace protection.
186 	 */
187 	struct landlock_hierarchy *hierarchy;
188 	union {
189 		/**
190 		 * @work_free: Enables to free a ruleset within a lockless
191 		 * section.  This is only used by
192 		 * landlock_put_ruleset_deferred() when @usage reaches zero.
193 		 * The fields @lock, @usage, @num_rules, @num_layers and
194 		 * @access_masks are then unused.
195 		 */
196 		struct work_struct work_free;
197 		struct {
198 			/**
199 			 * @lock: Protects against concurrent modifications of
200 			 * @root, if @usage is greater than zero.
201 			 */
202 			struct mutex lock;
203 			/**
204 			 * @usage: Number of processes (i.e. domains) or file
205 			 * descriptors referencing this ruleset.
206 			 */
207 			refcount_t usage;
208 			/**
209 			 * @num_rules: Number of non-overlapping (i.e. not for
210 			 * the same object) rules in this ruleset.
211 			 */
212 			u32 num_rules;
213 			/**
214 			 * @num_layers: Number of layers that are used in this
215 			 * ruleset.  This enables to check that all the layers
216 			 * allow an access request.  A value of 0 identifies a
217 			 * non-merged ruleset (i.e. not a domain).
218 			 */
219 			u32 num_layers;
220 			/**
221 			 * @access_masks: Contains the subset of filesystem and
222 			 * network actions that are restricted by a ruleset.
223 			 * A domain saves all layers of merged rulesets in a
224 			 * stack (FAM), starting from the first layer to the
225 			 * last one.  These layers are used when merging
226 			 * rulesets, for user space backward compatibility
227 			 * (i.e. future-proof), and to properly handle merged
228 			 * rulesets without overlapping access rights.  These
229 			 * layers are set once and never changed for the
230 			 * lifetime of the ruleset.
231 			 */
232 			struct access_masks access_masks[];
233 		};
234 	};
235 };
236 
237 struct landlock_ruleset *
238 landlock_create_ruleset(const access_mask_t access_mask_fs,
239 			const access_mask_t access_mask_net,
240 			const access_mask_t scope_mask);
241 
242 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
243 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
244 
245 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
246 			 const struct landlock_id id,
247 			 const access_mask_t access);
248 
249 struct landlock_ruleset *
250 landlock_merge_ruleset(struct landlock_ruleset *const parent,
251 		       struct landlock_ruleset *const ruleset);
252 
253 const struct landlock_rule *
254 landlock_find_rule(const struct landlock_ruleset *const ruleset,
255 		   const struct landlock_id id);
256 
257 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
258 {
259 	if (ruleset)
260 		refcount_inc(&ruleset->usage);
261 }
262 
263 static inline void
264 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
265 			    const access_mask_t fs_access_mask,
266 			    const u16 layer_level)
267 {
268 	access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;
269 
270 	/* Should already be checked in sys_landlock_create_ruleset(). */
271 	WARN_ON_ONCE(fs_access_mask != fs_mask);
272 	ruleset->access_masks[layer_level].fs |= fs_mask;
273 }
274 
275 static inline void
276 landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
277 			     const access_mask_t net_access_mask,
278 			     const u16 layer_level)
279 {
280 	access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET;
281 
282 	/* Should already be checked in sys_landlock_create_ruleset(). */
283 	WARN_ON_ONCE(net_access_mask != net_mask);
284 	ruleset->access_masks[layer_level].net |= net_mask;
285 }
286 
287 static inline void
288 landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
289 			const access_mask_t scope_mask, const u16 layer_level)
290 {
291 	access_mask_t mask = scope_mask & LANDLOCK_MASK_SCOPE;
292 
293 	/* Should already be checked in sys_landlock_create_ruleset(). */
294 	WARN_ON_ONCE(scope_mask != mask);
295 	ruleset->access_masks[layer_level].scope |= mask;
296 }
297 
298 static inline access_mask_t
299 landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,
300 				const u16 layer_level)
301 {
302 	return ruleset->access_masks[layer_level].fs;
303 }
304 
305 static inline access_mask_t
306 landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
307 			    const u16 layer_level)
308 {
309 	/* Handles all initially denied by default access rights. */
310 	return landlock_get_raw_fs_access_mask(ruleset, layer_level) |
311 	       LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
312 }
313 
314 static inline access_mask_t
315 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
316 			     const u16 layer_level)
317 {
318 	return ruleset->access_masks[layer_level].net;
319 }
320 
321 static inline access_mask_t
322 landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,
323 			const u16 layer_level)
324 {
325 	return ruleset->access_masks[layer_level].scope;
326 }
327 
328 bool landlock_unmask_layers(const struct landlock_rule *const rule,
329 			    const access_mask_t access_request,
330 			    layer_mask_t (*const layer_masks)[],
331 			    const size_t masks_array_size);
332 
333 access_mask_t
334 landlock_init_layer_masks(const struct landlock_ruleset *const domain,
335 			  const access_mask_t access_request,
336 			  layer_mask_t (*const layer_masks)[],
337 			  const enum landlock_key_type key_type);
338 
339 #endif /* _SECURITY_LANDLOCK_RULESET_H */
340