1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3 * Landlock LSM - Ruleset management
4 *
5 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
6 * Copyright © 2018-2020 ANSSI
7 */
8
9 #ifndef _SECURITY_LANDLOCK_RULESET_H
10 #define _SECURITY_LANDLOCK_RULESET_H
11
12 #include <linux/bitops.h>
13 #include <linux/build_bug.h>
14 #include <linux/mutex.h>
15 #include <linux/rbtree.h>
16 #include <linux/refcount.h>
17 #include <linux/workqueue.h>
18 #include <uapi/linux/landlock.h>
19
20 #include "limits.h"
21 #include "object.h"
22
23 /*
24 * All access rights that are denied by default whether they are handled or not
25 * by a ruleset/layer. This must be ORed with all ruleset->access_masks[]
26 * entries when we need to get the absolute handled access masks.
27 */
28 /* clang-format off */
29 #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
30 LANDLOCK_ACCESS_FS_REFER)
31 /* clang-format on */
32
33 typedef u16 access_mask_t;
34 /* Makes sure all filesystem access rights can be stored. */
35 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
36 /* Makes sure all network access rights can be stored. */
37 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
38 /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
39 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
40
41 /* Ruleset access masks. */
42 typedef u32 access_masks_t;
43 /* Makes sure all ruleset access rights can be stored. */
44 static_assert(BITS_PER_TYPE(access_masks_t) >=
45 LANDLOCK_NUM_ACCESS_FS + LANDLOCK_NUM_ACCESS_NET);
46
47 typedef u16 layer_mask_t;
48 /* Makes sure all layers can be checked. */
49 static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
50
51 /**
52 * struct landlock_layer - Access rights for a given layer
53 */
54 struct landlock_layer {
55 /**
56 * @level: Position of this layer in the layer stack.
57 */
58 u16 level;
59 /**
60 * @access: Bitfield of allowed actions on the kernel object. They are
61 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
62 */
63 access_mask_t access;
64 };
65
66 /**
67 * union landlock_key - Key of a ruleset's red-black tree
68 */
69 union landlock_key {
70 /**
71 * @object: Pointer to identify a kernel object (e.g. an inode).
72 */
73 struct landlock_object *object;
74 /**
75 * @data: Raw data to identify an arbitrary 32-bit value
76 * (e.g. a TCP port).
77 */
78 uintptr_t data;
79 };
80
81 /**
82 * enum landlock_key_type - Type of &union landlock_key
83 */
84 enum landlock_key_type {
85 /**
86 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node
87 * keys.
88 */
89 LANDLOCK_KEY_INODE = 1,
90 /**
91 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
92 * node keys.
93 */
94 LANDLOCK_KEY_NET_PORT,
95 };
96
97 /**
98 * struct landlock_id - Unique rule identifier for a ruleset
99 */
100 struct landlock_id {
101 /**
102 * @key: Identifies either a kernel object (e.g. an inode) or
103 * a raw value (e.g. a TCP port).
104 */
105 union landlock_key key;
106 /**
107 * @type: Type of a landlock_ruleset's root tree.
108 */
109 const enum landlock_key_type type;
110 };
111
112 /**
113 * struct landlock_rule - Access rights tied to an object
114 */
115 struct landlock_rule {
116 /**
117 * @node: Node in the ruleset's red-black tree.
118 */
119 struct rb_node node;
120 /**
121 * @key: A union to identify either a kernel object (e.g. an inode) or
122 * a raw data value (e.g. a network socket port). This is used as a key
123 * for this ruleset element. The pointer is set once and never
124 * modified. It always points to an allocated object because each rule
125 * increments the refcount of its object.
126 */
127 union landlock_key key;
128 /**
129 * @num_layers: Number of entries in @layers.
130 */
131 u32 num_layers;
132 /**
133 * @layers: Stack of layers, from the latest to the newest, implemented
134 * as a flexible array member (FAM).
135 */
136 struct landlock_layer layers[] __counted_by(num_layers);
137 };
138
139 /**
140 * struct landlock_hierarchy - Node in a ruleset hierarchy
141 */
142 struct landlock_hierarchy {
143 /**
144 * @parent: Pointer to the parent node, or NULL if it is a root
145 * Landlock domain.
146 */
147 struct landlock_hierarchy *parent;
148 /**
149 * @usage: Number of potential children domains plus their parent
150 * domain.
151 */
152 refcount_t usage;
153 };
154
155 /**
156 * struct landlock_ruleset - Landlock ruleset
157 *
158 * This data structure must contain unique entries, be updatable, and quick to
159 * match an object.
160 */
161 struct landlock_ruleset {
162 /**
163 * @root_inode: Root of a red-black tree containing &struct
164 * landlock_rule nodes with inode object. Once a ruleset is tied to a
165 * process (i.e. as a domain), this tree is immutable until @usage
166 * reaches zero.
167 */
168 struct rb_root root_inode;
169
170 #if IS_ENABLED(CONFIG_INET)
171 /**
172 * @root_net_port: Root of a red-black tree containing &struct
173 * landlock_rule nodes with network port. Once a ruleset is tied to a
174 * process (i.e. as a domain), this tree is immutable until @usage
175 * reaches zero.
176 */
177 struct rb_root root_net_port;
178 #endif /* IS_ENABLED(CONFIG_INET) */
179
180 /**
181 * @hierarchy: Enables hierarchy identification even when a parent
182 * domain vanishes. This is needed for the ptrace protection.
183 */
184 struct landlock_hierarchy *hierarchy;
185 union {
186 /**
187 * @work_free: Enables to free a ruleset within a lockless
188 * section. This is only used by
189 * landlock_put_ruleset_deferred() when @usage reaches zero.
190 * The fields @lock, @usage, @num_rules, @num_layers and
191 * @access_masks are then unused.
192 */
193 struct work_struct work_free;
194 struct {
195 /**
196 * @lock: Protects against concurrent modifications of
197 * @root, if @usage is greater than zero.
198 */
199 struct mutex lock;
200 /**
201 * @usage: Number of processes (i.e. domains) or file
202 * descriptors referencing this ruleset.
203 */
204 refcount_t usage;
205 /**
206 * @num_rules: Number of non-overlapping (i.e. not for
207 * the same object) rules in this ruleset.
208 */
209 u32 num_rules;
210 /**
211 * @num_layers: Number of layers that are used in this
212 * ruleset. This enables to check that all the layers
213 * allow an access request. A value of 0 identifies a
214 * non-merged ruleset (i.e. not a domain).
215 */
216 u32 num_layers;
217 /**
218 * @access_masks: Contains the subset of filesystem and
219 * network actions that are restricted by a ruleset.
220 * A domain saves all layers of merged rulesets in a
221 * stack (FAM), starting from the first layer to the
222 * last one. These layers are used when merging
223 * rulesets, for user space backward compatibility
224 * (i.e. future-proof), and to properly handle merged
225 * rulesets without overlapping access rights. These
226 * layers are set once and never changed for the
227 * lifetime of the ruleset.
228 */
229 access_masks_t access_masks[];
230 };
231 };
232 };
233
234 struct landlock_ruleset *
235 landlock_create_ruleset(const access_mask_t access_mask_fs,
236 const access_mask_t access_mask_net);
237
238 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
239 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
240
241 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
242 const struct landlock_id id,
243 const access_mask_t access);
244
245 struct landlock_ruleset *
246 landlock_merge_ruleset(struct landlock_ruleset *const parent,
247 struct landlock_ruleset *const ruleset);
248
249 const struct landlock_rule *
250 landlock_find_rule(const struct landlock_ruleset *const ruleset,
251 const struct landlock_id id);
252
landlock_get_ruleset(struct landlock_ruleset * const ruleset)253 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
254 {
255 if (ruleset)
256 refcount_inc(&ruleset->usage);
257 }
258
259 static inline void
landlock_add_fs_access_mask(struct landlock_ruleset * const ruleset,const access_mask_t fs_access_mask,const u16 layer_level)260 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
261 const access_mask_t fs_access_mask,
262 const u16 layer_level)
263 {
264 access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;
265
266 /* Should already be checked in sys_landlock_create_ruleset(). */
267 WARN_ON_ONCE(fs_access_mask != fs_mask);
268 ruleset->access_masks[layer_level] |=
269 (fs_mask << LANDLOCK_SHIFT_ACCESS_FS);
270 }
271
272 static inline void
landlock_add_net_access_mask(struct landlock_ruleset * const ruleset,const access_mask_t net_access_mask,const u16 layer_level)273 landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
274 const access_mask_t net_access_mask,
275 const u16 layer_level)
276 {
277 access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET;
278
279 /* Should already be checked in sys_landlock_create_ruleset(). */
280 WARN_ON_ONCE(net_access_mask != net_mask);
281 ruleset->access_masks[layer_level] |=
282 (net_mask << LANDLOCK_SHIFT_ACCESS_NET);
283 }
284
285 static inline access_mask_t
landlock_get_raw_fs_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level)286 landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,
287 const u16 layer_level)
288 {
289 return (ruleset->access_masks[layer_level] >>
290 LANDLOCK_SHIFT_ACCESS_FS) &
291 LANDLOCK_MASK_ACCESS_FS;
292 }
293
294 static inline access_mask_t
landlock_get_fs_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level)295 landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
296 const u16 layer_level)
297 {
298 /* Handles all initially denied by default access rights. */
299 return landlock_get_raw_fs_access_mask(ruleset, layer_level) |
300 LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
301 }
302
303 static inline access_mask_t
landlock_get_net_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level)304 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
305 const u16 layer_level)
306 {
307 return (ruleset->access_masks[layer_level] >>
308 LANDLOCK_SHIFT_ACCESS_NET) &
309 LANDLOCK_MASK_ACCESS_NET;
310 }
311
312 bool landlock_unmask_layers(const struct landlock_rule *const rule,
313 const access_mask_t access_request,
314 layer_mask_t (*const layer_masks)[],
315 const size_t masks_array_size);
316
317 access_mask_t
318 landlock_init_layer_masks(const struct landlock_ruleset *const domain,
319 const access_mask_t access_request,
320 layer_mask_t (*const layer_masks)[],
321 const enum landlock_key_type key_type);
322
323 #endif /* _SECURITY_LANDLOCK_RULESET_H */
324