| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250 |
- // SPDX-License-Identifier: GPL-2.0-only
- /*
- * Landlock - Network management and hooks
- *
- * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
- * Copyright © 2022-2025 Microsoft Corporation
- */
- #include <linux/in.h>
- #include <linux/lsm_audit.h>
- #include <linux/net.h>
- #include <linux/socket.h>
- #include <net/ipv6.h>
- #include "audit.h"
- #include "common.h"
- #include "cred.h"
- #include "limits.h"
- #include "net.h"
- #include "ruleset.h"
- int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
- const u16 port, access_mask_t access_rights)
- {
- int err;
- const struct landlock_id id = {
- .key.data = (__force uintptr_t)htons(port),
- .type = LANDLOCK_KEY_NET_PORT,
- };
- BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
- /* Transforms relative access rights to absolute ones. */
- access_rights |= LANDLOCK_MASK_ACCESS_NET &
- ~landlock_get_net_access_mask(ruleset, 0);
- mutex_lock(&ruleset->lock);
- err = landlock_insert_rule(ruleset, id, access_rights);
- mutex_unlock(&ruleset->lock);
- return err;
- }
- static int current_check_access_socket(struct socket *const sock,
- struct sockaddr *const address,
- const int addrlen,
- access_mask_t access_request)
- {
- __be16 port;
- struct layer_access_masks layer_masks = {};
- const struct landlock_rule *rule;
- struct landlock_id id = {
- .type = LANDLOCK_KEY_NET_PORT,
- };
- const struct access_masks masks = {
- .net = access_request,
- };
- const struct landlock_cred_security *const subject =
- landlock_get_applicable_subject(current_cred(), masks, NULL);
- struct lsm_network_audit audit_net = {};
- if (!subject)
- return 0;
- /* Checks for minimal header length to safely read sa_family. */
- if (addrlen < offsetofend(typeof(*address), sa_family))
- return -EINVAL;
- switch (address->sa_family) {
- case AF_UNSPEC:
- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
- /*
- * Connecting to an address with AF_UNSPEC dissolves
- * the TCP association, which have the same effect as
- * closing the connection while retaining the socket
- * object (i.e., the file descriptor). As for dropping
- * privileges, closing connections is always allowed.
- *
- * For a TCP access control system, this request is
- * legitimate. Let the network stack handle potential
- * inconsistencies and return -EINVAL if needed.
- */
- return 0;
- } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
- /*
- * Binding to an AF_UNSPEC address is treated
- * differently by IPv4 and IPv6 sockets. The socket's
- * family may change under our feet due to
- * setsockopt(IPV6_ADDRFORM), but that's ok: we either
- * reject entirely or require
- * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so
- * it cannot be used to bypass the policy.
- *
- * IPv4 sockets map AF_UNSPEC to AF_INET for
- * retrocompatibility for bind accesses, only if the
- * address is INADDR_ANY (cf. __inet_bind). IPv6
- * sockets always reject it.
- *
- * Checking the address is required to not wrongfully
- * return -EACCES instead of -EAFNOSUPPORT or -EINVAL.
- * We could return 0 and let the network stack handle
- * these checks, but it is safer to return a proper
- * error and test consistency thanks to kselftest.
- */
- if (sock->sk->__sk_common.skc_family == AF_INET) {
- const struct sockaddr_in *const sockaddr =
- (struct sockaddr_in *)address;
- if (addrlen < sizeof(struct sockaddr_in))
- return -EINVAL;
- if (sockaddr->sin_addr.s_addr !=
- htonl(INADDR_ANY))
- return -EAFNOSUPPORT;
- } else {
- if (addrlen < SIN6_LEN_RFC2133)
- return -EINVAL;
- else
- return -EAFNOSUPPORT;
- }
- } else {
- WARN_ON_ONCE(1);
- }
- /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
- fallthrough;
- case AF_INET: {
- const struct sockaddr_in *addr4;
- if (addrlen < sizeof(struct sockaddr_in))
- return -EINVAL;
- addr4 = (struct sockaddr_in *)address;
- port = addr4->sin_port;
- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
- audit_net.dport = port;
- audit_net.v4info.daddr = addr4->sin_addr.s_addr;
- } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
- audit_net.sport = port;
- audit_net.v4info.saddr = addr4->sin_addr.s_addr;
- } else {
- WARN_ON_ONCE(1);
- }
- break;
- }
- #if IS_ENABLED(CONFIG_IPV6)
- case AF_INET6: {
- const struct sockaddr_in6 *addr6;
- if (addrlen < SIN6_LEN_RFC2133)
- return -EINVAL;
- addr6 = (struct sockaddr_in6 *)address;
- port = addr6->sin6_port;
- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
- audit_net.dport = port;
- audit_net.v6info.daddr = addr6->sin6_addr;
- } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
- audit_net.sport = port;
- audit_net.v6info.saddr = addr6->sin6_addr;
- } else {
- WARN_ON_ONCE(1);
- }
- break;
- }
- #endif /* IS_ENABLED(CONFIG_IPV6) */
- default:
- return 0;
- }
- /*
- * Checks sa_family consistency to not wrongfully return
- * -EACCES instead of -EINVAL. Valid sa_family changes are
- * only (from AF_INET or AF_INET6) to AF_UNSPEC.
- *
- * We could return 0 and let the network stack handle this
- * check, but it is safer to return a proper error and test
- * consistency thanks to kselftest.
- */
- if (address->sa_family != sock->sk->__sk_common.skc_family &&
- address->sa_family != AF_UNSPEC)
- return -EINVAL;
- id.key.data = (__force uintptr_t)port;
- BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
- rule = landlock_find_rule(subject->domain, id);
- access_request = landlock_init_layer_masks(subject->domain,
- access_request, &layer_masks,
- LANDLOCK_KEY_NET_PORT);
- if (!access_request)
- return 0;
- if (landlock_unmask_layers(rule, &layer_masks))
- return 0;
- audit_net.family = address->sa_family;
- landlock_log_denial(subject,
- &(struct landlock_request){
- .type = LANDLOCK_REQUEST_NET_ACCESS,
- .audit.type = LSM_AUDIT_DATA_NET,
- .audit.u.net = &audit_net,
- .access = access_request,
- .layer_masks = &layer_masks,
- });
- return -EACCES;
- }
- static int hook_socket_bind(struct socket *const sock,
- struct sockaddr *const address, const int addrlen)
- {
- access_mask_t access_request;
- if (sk_is_tcp(sock->sk))
- access_request = LANDLOCK_ACCESS_NET_BIND_TCP;
- else
- return 0;
- return current_check_access_socket(sock, address, addrlen,
- access_request);
- }
- static int hook_socket_connect(struct socket *const sock,
- struct sockaddr *const address,
- const int addrlen)
- {
- access_mask_t access_request;
- if (sk_is_tcp(sock->sk))
- access_request = LANDLOCK_ACCESS_NET_CONNECT_TCP;
- else
- return 0;
- return current_check_access_socket(sock, address, addrlen,
- access_request);
- }
- static struct security_hook_list landlock_hooks[] __ro_after_init = {
- LSM_HOOK_INIT(socket_bind, hook_socket_bind),
- LSM_HOOK_INIT(socket_connect, hook_socket_connect),
- };
- __init void landlock_add_net_hooks(void)
- {
- security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- &landlock_lsmid);
- }
|