
  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /*
  3. * Landlock - Access types and helpers
  4. *
  5. * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
  6. * Copyright © 2018-2020 ANSSI
  7. * Copyright © 2024-2025 Microsoft Corporation
  8. */
  9. #ifndef _SECURITY_LANDLOCK_ACCESS_H
  10. #define _SECURITY_LANDLOCK_ACCESS_H
  11. #include <linux/bitops.h>
  12. #include <linux/build_bug.h>
  13. #include <linux/kernel.h>
  14. #include <uapi/linux/landlock.h>
  15. #include "limits.h"
/*
 * All access rights that are denied by default whether they are handled or not
 * by a ruleset/layer. This must be ORed with all ruleset->access_masks[]
 * entries when we need to get the absolute handled access masks, see
 * landlock_upgrade_handled_access_masks().
 */
/* clang-format off */
#define _LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
	LANDLOCK_ACCESS_FS_REFER)
/* clang-format on */

/*
 * Optional filesystem access rights. Each of them needs its own layer-index
 * slot in deny_masks_t (see below), so their number is bounded by the
 * deny_masks_t static_assert.
 */
/* clang-format off */
#define _LANDLOCK_ACCESS_FS_OPTIONAL ( \
	LANDLOCK_ACCESS_FS_TRUNCATE | \
	LANDLOCK_ACCESS_FS_IOCTL_DEV)
/* clang-format on */
/*
 * Storage type for one set of access rights (filesystem, network or scope).
 * The asserts below keep it wide enough for every right of each kind.
 */
typedef u16 access_mask_t;

/* Makes sure all filesystem access rights can be stored. */
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
/* Makes sure all network access rights can be stored. */
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
/* Makes sure all scoped rights can be stored. */
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
/*
 * Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK: those
 * helpers iterate over unsigned long words, so an access_mask_t must fit in
 * one of them.
 */
static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
/*
 * Ruleset access masks. Each field is a bit-field sized to exactly the number
 * of rights of its kind, so the three of them pack into one u32 (see
 * union access_masks_all and its size assert).
 */
struct access_masks {
	/* Handled filesystem access rights. */
	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
	/* Handled network access rights. */
	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
	/* Handled scope restrictions. */
	access_mask_t scope : LANDLOCK_NUM_SCOPE;
};
/*
 * Lets a whole struct access_masks be handled as a single u32. The assert
 * below checks that both views have the same size, so no bit-field of
 * struct access_masks is left outside the @all word.
 */
union access_masks_all {
	struct access_masks masks;
	u32 all;
};

/* Makes sure all fields are covered. */
static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
	      sizeof(typeof_member(union access_masks_all, all)));
/**
 * struct layer_access_masks - A boolean matrix of layers and access rights
 *
 * This has a bit for each combination of layer numbers and access rights.
 * During access checks, it is used to represent the access rights for each
 * layer which still need to be fulfilled. When all bits are 0, the access
 * request is considered to be fulfilled.
 */
struct layer_access_masks {
	/**
	 * @access: The unfulfilled access rights for each layer, one
	 * access_mask_t per layer index (up to LANDLOCK_MAX_NUM_LAYERS).
	 */
	access_mask_t access[LANDLOCK_MAX_NUM_LAYERS];
};
/*
 * Tracks domains responsible for a denied access. This avoids storing in each
 * object the full matrix of per-layer unfulfilled access rights, which is
 * required by update_request().
 *
 * Each nibble represents the layer index of the newest layer which denied a
 * certain access right. For file system access rights, the upper four bits are
 * the index of the layer which denies LANDLOCK_ACCESS_FS_IOCTL_DEV and the
 * lower nibble represents LANDLOCK_ACCESS_FS_TRUNCATE.
 */
typedef u8 deny_masks_t;

/*
 * Makes sure all optional access rights can be tied to a layer index (cf.
 * get_deny_mask): every right in _LANDLOCK_ACCESS_FS_OPTIONAL needs enough
 * bits to hold the largest layer index, LANDLOCK_MAX_NUM_LAYERS - 1.
 * HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) is that bit width only when
 * LANDLOCK_MAX_NUM_LAYERS is a power of two (all-ones mask), which the
 * following assert guarantees.
 */
static_assert(BITS_PER_TYPE(deny_masks_t) >=
	      (HWEIGHT(LANDLOCK_MAX_NUM_LAYERS - 1) *
	       HWEIGHT(_LANDLOCK_ACCESS_FS_OPTIONAL)));
/* LANDLOCK_MAX_NUM_LAYERS must be a power of two (cf. deny_masks_t assert). */
static_assert(HWEIGHT(LANDLOCK_MAX_NUM_LAYERS) == 1);
/*
 * Upgrades with all initially denied by default access rights.
 *
 * Returns a copy of @access_masks whose filesystem mask also carries
 * _LANDLOCK_ACCESS_FS_INITIALLY_DENIED. A ruleset that handles no filesystem
 * right at all is returned unchanged, so it does not start handling the
 * filesystem just because of the default-denied rights.
 */
static inline struct access_masks
landlock_upgrade_handled_access_masks(struct access_masks access_masks)
{
	struct access_masks upgraded = access_masks;

	/* Nothing handled for the filesystem: leave the masks untouched. */
	if (!upgraded.fs)
		return upgraded;

	/*
	 * All access rights that are denied by default whether they are
	 * explicitly handled or not.
	 */
	upgraded.fs |= _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
	return upgraded;
}
/*
 * Checks the subset relation between access masks.
 *
 * Returns true when every bit set in @subset is also set in @superset; an
 * empty @subset therefore qualifies for any @superset.
 */
static inline bool access_mask_subset(access_mask_t subset,
				      access_mask_t superset)
{
	/* Bits of @subset that @superset lacks; none means it is a subset. */
	const access_mask_t missing = subset & ~superset;

	return missing == 0;
}
  105. #endif /* _SECURITY_LANDLOCK_ACCESS_H */