
  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /*
  3. * Landlock - Domain management
  4. *
  5. * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
  6. * Copyright © 2018-2020 ANSSI
  7. * Copyright © 2024-2025 Microsoft Corporation
  8. */
  9. #ifndef _SECURITY_LANDLOCK_DOMAIN_H
  10. #define _SECURITY_LANDLOCK_DOMAIN_H
  11. #include <linux/limits.h>
  12. #include <linux/mm.h>
  13. #include <linux/path.h>
  14. #include <linux/pid.h>
  15. #include <linux/refcount.h>
  16. #include <linux/sched.h>
  17. #include <linux/slab.h>
  18. #include "access.h"
  19. #include "audit.h"
/**
 * enum landlock_log_status - Audit logging state of a domain node
 *
 * Stored in landlock_hierarchy->log_status (CONFIG_AUDIT only) and read by
 * the audit code to decide whether a domain record still needs to be emitted.
 *
 * @LANDLOCK_LOG_PENDING: Explicitly the zero value, so a zero-initialized node
 * starts in this state; presumably "no domain record emitted yet".
 * @LANDLOCK_LOG_RECORDED: A domain record has been emitted. Concurrent
 * emitters may still race and produce duplicate records (see the
 * landlock_hierarchy.log_status documentation), which is accepted.
 * @LANDLOCK_LOG_DISABLED: This domain must not be logged.
 */
enum landlock_log_status {
	LANDLOCK_LOG_PENDING = 0,
	LANDLOCK_LOG_RECORDED,
	LANDLOCK_LOG_DISABLED,
};
/**
 * struct landlock_details - Domain's creation information
 *
 * Rarely accessed, mainly when logging the first domain's denial.
 *
 * The contained pointers are initialized at the domain creation time and never
 * changed again. Contrary to most other Landlock object types, this one is
 * not allocated with GFP_KERNEL_ACCOUNT because its size may not be under the
 * caller's control (e.g. unknown exe_path) and the data is not explicitly
 * requested nor used by tasks. That unaccounted allocation is nevertheless
 * bounded: the static_assert following this struct guarantees that the
 * largest possible instance (exe_path of LANDLOCK_PATH_MAX_SIZE bytes) fits
 * in a single kmalloc allocation.
 *
 * Ownership: an instance is pointed to by landlock_hierarchy->details and is
 * released by landlock_free_hierarchy_details(), which drops @pid and then
 * kfree()s the structure.
 */
struct landlock_details {
	/**
	 * @pid: PID of the task that initially restricted itself. It still
	 * identifies the same task. Keeping a reference to this PID ensures that
	 * it will not be recycled. The reference is dropped with put_pid() when
	 * the owning hierarchy node is freed.
	 */
	struct pid *pid;
	/**
	 * @uid: UID of the task that initially restricted itself, at creation time.
	 * NOTE(review): a bare uid_t snapshot with no user-namespace context
	 * attached; it is only meaningful relative to whatever namespace the
	 * writer resolved it in -- confirm against the code that fills it.
	 */
	uid_t uid;
	/**
	 * @comm: Command name of the task that initially restricted itself, at
	 * creation time. This is the task's short name (TASK_COMM_LEN bytes,
	 * i.e. its comm), not the full argv command line. Always NUL
	 * terminated.
	 */
	char comm[TASK_COMM_LEN];
	/**
	 * @exe_path: Executable path of the task that initially restricted
	 * itself, at creation time. Always NUL terminated, and never greater
	 * than LANDLOCK_PATH_MAX_SIZE (PATH_MAX plus room for a " (deleted)"
	 * suffix). Flexible array member: the structure must be allocated with
	 * struct_size()-style sizing, sizeof(struct landlock_details) alone is
	 * not enough to hold it.
	 */
	char exe_path[];
};
/*
 * Upper bound on the size of landlock_details.exe_path: PATH_MAX plus 11
 * extra bytes for the potential " (deleted)" suffix. The suffix itself is 10
 * characters; the extra byte presumably leaves room for the terminating NUL.
 */
#define LANDLOCK_PATH_MAX_SIZE (PATH_MAX + 11)
/*
 * Makes sure the greatest landlock_details can be allocated in a single
 * kmalloc call. Because landlock_details is deliberately not charged to the
 * caller's memcg (see its documentation), this also caps the unaccounted
 * memory one domain can pin.
 */
static_assert(struct_size_t(struct landlock_details, exe_path,
			    LANDLOCK_PATH_MAX_SIZE) <= KMALLOC_MAX_SIZE);
/**
 * struct landlock_hierarchy - Node in a domain hierarchy
 *
 * A child node keeps a reference on its parent (see @usage), so the chain from
 * a node up to its root stays allocated for as long as any descendant exists.
 * Nodes are acquired with landlock_get_hierarchy() and released with
 * landlock_put_hierarchy(), which walks up the chain freeing every node whose
 * count reaches zero.
 */
struct landlock_hierarchy {
	/**
	 * @parent: Pointer to the parent node, or NULL if it is a root
	 * Landlock domain. Read by landlock_put_hierarchy() once this node's
	 * own count has dropped to zero, in order to release the reference held
	 * on the parent. Nothing in this header modifies it after creation.
	 */
	struct landlock_hierarchy *parent;
	/**
	 * @usage: Number of potential children domains plus their parent
	 * domain. A refcount_t rather than a raw atomic counter, so the
	 * refcount API's overflow/underflow checks apply instead of a silent
	 * wrap that could end in a premature free.
	 */
	refcount_t usage;
#ifdef CONFIG_AUDIT
	/**
	 * @log_status: Whether this domain should be logged or not. Because
	 * concurrent log entries may be created at the same time, it is still
	 * possible to have several domain records of the same domain. This is
	 * a plain enum with no lock around it: the duplicate-record race is
	 * tolerated by design rather than prevented.
	 */
	enum landlock_log_status log_status;
	/**
	 * @num_denials: Number of access requests denied by this domain.
	 * Masked (i.e. never logged) denials are still counted. atomic64_t so
	 * that concurrent denials can increment it without a lock.
	 */
	atomic64_t num_denials;
	/**
	 * @id: Landlock domain ID, set once at domain creation time.
	 */
	u64 id;
	/**
	 * @details: Information about the related domain. Owned by this node
	 * and may be NULL; released by landlock_free_hierarchy_details()
	 * together with the struct pid it references.
	 */
	const struct landlock_details *details;
	/**
	 * @log_same_exec: Set if the domain is *not* configured with
	 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF. Set to true by default.
	 * NOTE(review): both flags share one u32 bitfield, so writes to them
	 * are read-modify-write; presumably only set at creation -- confirm.
	 */
	u32 log_same_exec : 1,
		/**
		 * @log_new_exec: Set if the domain is configured with
		 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON. Set to false by default.
		 */
		log_new_exec : 1;
#endif /* CONFIG_AUDIT */
};
  110. #ifdef CONFIG_AUDIT
/*
 * Computes the deny masks recorded in an audit entry. Defined outside this
 * header; the exact relationship between the two access-mask arguments and
 * @masks is not documented here -- see the definition before relying on it.
 */
deny_masks_t
landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
			const access_mask_t optional_access,
			const struct layer_access_masks *const masks);
/*
 * Initializes the CONFIG_AUDIT-only fields of @hierarchy (presumably
 * @details, @id, @log_status and the log flags -- confirm in the definition).
 * Returns 0 on success (the !CONFIG_AUDIT stub always returns 0); a non-zero
 * return must be treated as failure by the caller. Since @details may stay
 * NULL on failure, landlock_put_hierarchy() remains safe to call afterwards.
 */
int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy);
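/**
 * landlock_free_hierarchy_details - Release a node's creation details
 * @hierarchy: Node whose @details to free; NULL is accepted and ignored.
 *
 * Drops the struct pid reference held by the details and frees the details
 * themselves. @hierarchy->details is cleared before the frees so that no
 * dangling pointer survives in the node and a repeated call on the same node
 * is a harmless no-op rather than a double put_pid()/kfree().
 */
static inline void
landlock_free_hierarchy_details(struct landlock_hierarchy *const hierarchy)
{
	const struct landlock_details *details;

	if (!hierarchy)
		return;

	details = hierarchy->details;
	if (!details)
		return;

	/* Detach first: the node never points at freed memory. */
	hierarchy->details = NULL;
	put_pid(details->pid);
	kfree(details);
}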
  124. #else /* CONFIG_AUDIT */
/**
 * landlock_init_hierarchy_log - !CONFIG_AUDIT stub
 * @hierarchy: Ignored; there are no audit fields to initialize.
 *
 * Always succeeds (returns 0) so that callers need no #ifdef of their own.
 */
static inline int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy)
{
	/* Nothing to set up without audit support. */
	return 0;
}
/**
 * landlock_free_hierarchy_details - !CONFIG_AUDIT stub
 * @hierarchy: Ignored; the node has no @details member in this configuration.
 *
 * Intentionally empty so landlock_put_hierarchy() can call it unconditionally.
 */
static inline void landlock_free_hierarchy_details(struct landlock_hierarchy *const hierarchy)
{
	/* No audit details are ever allocated in this configuration. */
}
  134. #endif /* CONFIG_AUDIT */
/**
 * landlock_get_hierarchy - Take a reference on a hierarchy node
 * @hierarchy: Node to reference, or NULL (no-op).
 *
 * Increments @hierarchy->usage through the refcount API, so an overflow is
 * caught rather than wrapped. Every call must be balanced by a
 * landlock_put_hierarchy().
 */
static inline void
landlock_get_hierarchy(struct landlock_hierarchy *const hierarchy)
{
	if (!hierarchy)
		return;

	refcount_inc(&hierarchy->usage);
}
/**
 * landlock_put_hierarchy - Drop a reference on a node and, as needed, its ancestors
 * @hierarchy: Node to release, or NULL (no-op).
 *
 * Decrements @hierarchy->usage. When it reaches zero the node is torn down:
 * landlock_log_drop_domain() is called, its details are freed and the memory
 * is released; the reference it held on its parent is then dropped in turn,
 * repeating up the chain until a node with remaining users is found.
 */
static inline void landlock_put_hierarchy(struct landlock_hierarchy *hierarchy)
{
	while (hierarchy) {
		struct landlock_hierarchy *parent;

		if (!refcount_dec_and_test(&hierarchy->usage))
			return;

		landlock_log_drop_domain(hierarchy);
		landlock_free_hierarchy_details(hierarchy);
		/* Read the parent link before freeing the node, never after. */
		parent = hierarchy->parent;
		kfree(hierarchy);
		hierarchy = parent;
	}
}
  151. #endif /* _SECURITY_LANDLOCK_DOMAIN_H */