
  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /*
  3. * Landlock LSM - Ruleset management
  4. *
  5. * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
  6. * Copyright © 2018-2020 ANSSI
  7. */
  8. #ifndef _SECURITY_LANDLOCK_RULESET_H
  9. #define _SECURITY_LANDLOCK_RULESET_H
  10. #include <linux/cleanup.h>
  11. #include <linux/err.h>
  12. #include <linux/mutex.h>
  13. #include <linux/rbtree.h>
  14. #include <linux/refcount.h>
  15. #include <linux/workqueue.h>
  16. #include "access.h"
  17. #include "limits.h"
  18. #include "object.h"
  19. struct landlock_hierarchy;
/**
 * struct landlock_layer - Access rights for a given layer
 *
 * One entry of a &struct landlock_rule's layer stack: it records which
 * actions this layer grants on the rule's object.
 */
struct landlock_layer {
	/**
	 * @level: Position of this layer in the layer stack. Starts from 1.
	 */
	u16 level;
	/**
	 * @access: Bitfield of allowed actions on the kernel object. They are
	 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
	 */
	access_mask_t access;
};
/**
 * union landlock_key - Key of a ruleset's red-black tree
 *
 * Which member is meaningful is given by the accompanying
 * &enum landlock_key_type; the union itself carries no tag.
 */
union landlock_key {
	/**
	 * @object: Pointer to identify a kernel object (e.g. an inode).
	 */
	struct landlock_object *object;
	/**
	 * @data: Raw data to identify an arbitrary 32-bit value
	 * (e.g. a TCP port).
	 */
	uintptr_t data;
};
/**
 * enum landlock_key_type - Type of &union landlock_key
 *
 * Selects the member of &union landlock_key that is in use and, by
 * extension, the root tree of a &struct landlock_ruleset a rule belongs to.
 * Values start at 1 so that a zeroed type is never a valid one.
 */
enum landlock_key_type {
	/**
	 * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node
	 * keys.
	 */
	LANDLOCK_KEY_INODE = 1,
	/**
	 * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
	 * node keys.
	 */
	LANDLOCK_KEY_NET_PORT,
};
/**
 * struct landlock_id - Unique rule identifier for a ruleset
 *
 * A key plus the tag telling which kind of key it is; the pair is what
 * landlock_insert_rule() and landlock_find_rule() take to address a rule.
 */
struct landlock_id {
	/**
	 * @key: Identifies either a kernel object (e.g. an inode) or
	 * a raw value (e.g. a TCP port).
	 */
	union landlock_key key;
	/**
	 * @type: Type of a landlock_ruleset's root tree, i.e. whether @key
	 * is to be looked up in @root_inode or @root_net_port. It is const
	 * because an identifier never changes its kind after creation.
	 */
	const enum landlock_key_type type;
};
/**
 * struct landlock_rule - Access rights tied to an object
 *
 * A node of one of the ruleset's red-black trees, carrying the per-layer
 * access rights granted on the keyed object.
 */
struct landlock_rule {
	/**
	 * @node: Node in the ruleset's red-black tree.
	 */
	struct rb_node node;
	/**
	 * @key: A union to identify either a kernel object (e.g. an inode) or
	 * a raw data value (e.g. a network socket port). This is used as a key
	 * for this ruleset element. The pointer is set once and never
	 * modified. It always points to an allocated object because each rule
	 * increments the refcount of its object.
	 */
	union landlock_key key;
	/**
	 * @num_layers: Number of entries in @layers. The flexible array is
	 * annotated with __counted_by() so bounds instrumentation can tie
	 * its length to this field.
	 */
	u32 num_layers;
	/**
	 * @layers: Stack of layers, from the latest to the newest, implemented
	 * as a flexible array member (FAM).
	 */
	struct landlock_layer layers[] __counted_by(num_layers);
};
/**
 * struct landlock_ruleset - Landlock ruleset
 *
 * This data structure must contain unique entries, be updatable, and quick to
 * match an object.
 *
 * The trailing anonymous union overlays @work_free with the live fields
 * (@lock, @usage, @num_rules, @num_layers, @access_masks): once the deferred
 * free has been scheduled, that storage belongs to the work item and the
 * live fields must not be touched any more.
 */
struct landlock_ruleset {
	/**
	 * @root_inode: Root of a red-black tree containing &struct
	 * landlock_rule nodes with inode object. Once a ruleset is tied to a
	 * process (i.e. as a domain), this tree is immutable until @usage
	 * reaches zero.
	 */
	struct rb_root root_inode;

#if IS_ENABLED(CONFIG_INET)
	/**
	 * @root_net_port: Root of a red-black tree containing &struct
	 * landlock_rule nodes with network port. Once a ruleset is tied to a
	 * process (i.e. as a domain), this tree is immutable until @usage
	 * reaches zero.
	 */
	struct rb_root root_net_port;
#endif /* IS_ENABLED(CONFIG_INET) */

	/**
	 * @hierarchy: Enables hierarchy identification even when a parent
	 * domain vanishes. This is needed for the ptrace protection.
	 */
	struct landlock_hierarchy *hierarchy;
	union {
		/**
		 * @work_free: Enables to free a ruleset within a lockless
		 * section. This is only used by
		 * landlock_put_ruleset_deferred() when @usage reaches zero.
		 * The fields @lock, @usage, @num_rules, @num_layers and
		 * @access_masks are then unused.
		 */
		struct work_struct work_free;
		struct {
			/**
			 * @lock: Protects against concurrent modifications of
			 * @root_inode and @root_net_port, if @usage is
			 * greater than zero.
			 */
			struct mutex lock;
			/**
			 * @usage: Number of processes (i.e. domains) or file
			 * descriptors referencing this ruleset. When it drops
			 * to zero the ruleset is freed and this storage may
			 * be reused as @work_free.
			 */
			refcount_t usage;
			/**
			 * @num_rules: Number of non-overlapping (i.e. not for
			 * the same object) rules in this ruleset.
			 */
			u32 num_rules;
			/**
			 * @num_layers: Number of layers that are used in this
			 * ruleset. This enables to check that all the layers
			 * allow an access request. A value of 0 identifies a
			 * non-merged ruleset (i.e. not a domain). It is also
			 * the number of valid entries in @access_masks.
			 */
			u32 num_layers;
			/**
			 * @access_masks: Contains the subset of filesystem and
			 * network actions that are restricted by a ruleset.
			 * A domain saves all layers of merged rulesets in a
			 * stack (FAM), starting from the first layer to the
			 * last one. These layers are used when merging
			 * rulesets, for user space backward compatibility
			 * (i.e. future-proof), and to properly handle merged
			 * rulesets without overlapping access rights. These
			 * layers are set once and never changed for the
			 * lifetime of the ruleset. Entries are indexed by
			 * layer level starting at 0, @num_layers of them
			 * (see landlock_union_access_masks()).
			 */
			struct access_masks access_masks[];
		};
	};
};
/*
 * Allocates a new ruleset handling the given filesystem, network and scope
 * masks. Ownership of the returned ruleset goes to the caller, who releases
 * it with landlock_put_ruleset() (or via the DEFINE_FREE() helper below).
 */
struct landlock_ruleset *
landlock_create_ruleset(const access_mask_t access_mask_fs,
			const access_mask_t access_mask_net,
			const access_mask_t scope_mask);

/* Drops one reference taken by landlock_create_ruleset() or landlock_get_ruleset(). */
void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
/*
 * Same as landlock_put_ruleset(), but the final free is pushed to a work
 * item (see @work_free) so it can be called from a lockless section.
 */
void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);

/*
 * Scope-based cleanup for a ruleset pointer: on scope exit the pointer is
 * released with landlock_put_ruleset() unless it is NULL or an ERR_PTR, so
 * an error value does not have to be cleared before leaving the scope.
 */
DEFINE_FREE(landlock_put_ruleset, struct landlock_ruleset *,
	    if (!IS_ERR_OR_NULL(_T)) landlock_put_ruleset(_T))

/*
 * Adds (or, presumably, extends) the rule identified by @id in @ruleset with
 * the @access rights. Exact return convention is defined by the
 * implementation, not visible here.
 */
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
			 const struct landlock_id id,
			 const access_mask_t access);

/* Builds a new ruleset stacking @ruleset as a layer on top of @parent. */
struct landlock_ruleset *
landlock_merge_ruleset(struct landlock_ruleset *const parent,
		       struct landlock_ruleset *const ruleset);

/* Looks up the rule keyed by @id in @ruleset's matching root tree. */
const struct landlock_rule *
landlock_find_rule(const struct landlock_ruleset *const ruleset,
		   const struct landlock_id id);
/*
 * Takes one more reference on @ruleset. A NULL @ruleset is accepted and
 * ignored, so an optional pointer can be passed through without a guard.
 */
static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
{
	if (!ruleset)
		return;

	refcount_inc(&ruleset->usage);
}
/**
 * landlock_union_access_masks - Return all access rights handled in the
 * domain
 *
 * @domain: Landlock ruleset (used as a domain)
 *
 * Walks the @domain->num_layers entries of @domain->access_masks and ORs
 * them together through the .all view of &union access_masks_all.
 *
 * Returns: an access_masks result of the OR of all the domain's access masks.
 */
static inline struct access_masks
landlock_union_access_masks(const struct landlock_ruleset *const domain)
{
	union access_masks_all result = {};
	const struct access_masks *const end =
		domain->access_masks + domain->num_layers;
	const struct access_masks *cur;

	for (cur = domain->access_masks; cur < end; cur++) {
		const union access_masks_all layer = { .masks = *cur };

		result.all |= layer.all;
	}
	return result.masks;
}
/*
 * Records the filesystem access rights handled by layer @layer_level of
 * @ruleset. Bits outside LANDLOCK_MASK_ACCESS_FS are dropped before being
 * stored; the syscall entry point is expected to have rejected them already,
 * so any stray bit here is a kernel bug and gets a one-time warning.
 * @layer_level is not bounds-checked here: callers must keep it within the
 * allocated @access_masks entries.
 */
static inline void
landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
			    const access_mask_t fs_access_mask,
			    const u16 layer_level)
{
	const access_mask_t valid = LANDLOCK_MASK_ACCESS_FS;
	const access_mask_t stray = fs_access_mask & ~valid;

	/* Should already be checked in sys_landlock_create_ruleset(). */
	WARN_ON_ONCE(stray);
	ruleset->access_masks[layer_level].fs |= fs_access_mask & valid;
}
/*
 * Records the network access rights handled by layer @layer_level of
 * @ruleset. Bits outside LANDLOCK_MASK_ACCESS_NET are dropped before being
 * stored; the syscall entry point is expected to have rejected them already,
 * so any stray bit here is a kernel bug and gets a one-time warning.
 * @layer_level is not bounds-checked here: callers must keep it within the
 * allocated @access_masks entries.
 */
static inline void
landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
			     const access_mask_t net_access_mask,
			     const u16 layer_level)
{
	const access_mask_t valid = LANDLOCK_MASK_ACCESS_NET;
	const access_mask_t stray = net_access_mask & ~valid;

	/* Should already be checked in sys_landlock_create_ruleset(). */
	WARN_ON_ONCE(stray);
	ruleset->access_masks[layer_level].net |= net_access_mask & valid;
}
/*
 * Records the scope restrictions handled by layer @layer_level of @ruleset.
 * Bits outside LANDLOCK_MASK_SCOPE are dropped before being stored; the
 * syscall entry point is expected to have rejected them already, so any
 * stray bit here is a kernel bug and gets a one-time warning. @layer_level
 * is not bounds-checked here: callers must keep it within the allocated
 * @access_masks entries.
 */
static inline void
landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
			const access_mask_t scope_mask, const u16 layer_level)
{
	const access_mask_t valid = LANDLOCK_MASK_SCOPE;
	const access_mask_t stray = scope_mask & ~valid;

	/* Should already be checked in sys_landlock_create_ruleset(). */
	WARN_ON_ONCE(stray);
	ruleset->access_masks[layer_level].scope |= scope_mask & valid;
}
/*
 * Returns the filesystem access rights handled by layer @layer_level of
 * @ruleset. Unlike the network and scope getters, the result always
 * contains _LANDLOCK_ACCESS_FS_INITIALLY_DENIED, whatever was stored for
 * the layer.
 */
static inline access_mask_t
landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
			    const u16 layer_level)
{
	const access_mask_t stored = ruleset->access_masks[layer_level].fs;

	/* Handles all initially denied by default access rights. */
	return stored | _LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
}
/*
 * Returns the network access rights handled by layer @layer_level of
 * @ruleset, exactly as stored (no implicit bits are added, unlike the
 * filesystem getter).
 */
static inline access_mask_t
landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
			     const u16 layer_level)
{
	const struct access_masks *const layer =
		&ruleset->access_masks[layer_level];

	return layer->net;
}
/*
 * Returns the scope restrictions handled by layer @layer_level of @ruleset,
 * exactly as stored (no implicit bits are added, unlike the filesystem
 * getter).
 */
static inline access_mask_t
landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,
			const u16 layer_level)
{
	const struct access_masks *const layer =
		&ruleset->access_masks[layer_level];

	return layer->scope;
}
/*
 * Applies @rule's per-layer access rights to the pending @masks. The
 * meaning of the boolean result is defined by the implementation, not
 * visible here.
 */
bool landlock_unmask_layers(const struct landlock_rule *const rule,
			    struct layer_access_masks *masks);

/*
 * Initializes @masks for an @access_request against @domain, for rules of
 * @key_type (inode or network port). The returned access_mask_t is the
 * implementation's view of the request after initialization; see the
 * definition for its exact contract.
 */
access_mask_t
landlock_init_layer_masks(const struct landlock_ruleset *const domain,
			  const access_mask_t access_request,
			  struct layer_access_masks *masks,
			  const enum landlock_key_type key_type);
  278. #endif /* _SECURITY_LANDLOCK_RULESET_H */