security/landlock/ruleset.h

   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * Landlock LSM - Ruleset management
   4  *
   5  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
   6  * Copyright © 2018-2020 ANSSI
   7  */
   8
   9 #ifndef _SECURITY_LANDLOCK_RULESET_H
  10 #define _SECURITY_LANDLOCK_RULESET_H
  11
  12 #include <linux/bitops.h>
  13 #include <linux/build_bug.h>
  14 #include <linux/kernel.h>
  15 #include <linux/mutex.h>
  16 #include <linux/rbtree.h>
  17 #include <linux/refcount.h>
  18 #include <linux/workqueue.h>
  19 #include <uapi/linux/landlock.h>
  20
  21 #include "limits.h"
  22 #include "object.h"
  23
  24 /*
  25  * All access rights that are denied by default whether they are handled or not
  26  * by a ruleset/layer.  This must be ORed with all ruleset->access_masks[]
  27  * entries when we need to get the absolute handled access masks.
  28  */
  29 /* clang-format off */
  30 #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED ( \
  31         LANDLOCK_ACCESS_FS_REFER)
  32 /* clang-format on */
  33
  34 typedef u16 access_mask_t;
  35 /* Makes sure all filesystem access rights can be stored. */
  36 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
  37 /* Makes sure all network access rights can be stored. */
  38 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
  39 /* Makes sure all scoped rights can be stored. */
  40 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
  41 /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
  42 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
  43
  44 /* Ruleset access masks. */
  45 struct access_masks {
  46         access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
  47         access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
  48         access_mask_t scope : LANDLOCK_NUM_SCOPE;
  49 };
  50
  51 union access_masks_all {
  52         struct access_masks masks;
  53         u32 all;
  54 };
  55
  56 /* Makes sure all fields are covered. */
  57 static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
  58               sizeof(typeof_member(union access_masks_all, all)));
  59
  60 typedef u16 layer_mask_t;
  61 /* Makes sure all layers can be checked. */
  62 static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
  63
  64 /**
  65  * struct landlock_layer - Access rights for a given layer
  66  */
  67 struct landlock_layer {
  68         /**
  69          * @level: Position of this layer in the layer stack.
  70          */
  71         u16 level;
  72         /**
  73          * @access: Bitfield of allowed actions on the kernel object.  They are
  74          * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
  75          */
  76         access_mask_t access;
  77 };
  78
  79 /**
  80  * union landlock_key - Key of a ruleset's red-black tree
  81  */
  82 union landlock_key {
  83         /**
  84          * @object: Pointer to identify a kernel object (e.g. an inode).
  85          */
  86         struct landlock_object *object;
  87         /**
  88          * @data: Raw data to identify an arbitrary 32-bit value
  89          * (e.g. a TCP port).
  90          */
  91         uintptr_t data;
  92 };
  93
  94 /**
  95  * enum landlock_key_type - Type of &union landlock_key
  96  */
  97 enum landlock_key_type {
  98         /**
  99          * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node
 100          * keys.
 101          */
 102         LANDLOCK_KEY_INODE = 1,
 103         /**
 104          * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
 105          * node keys.
 106          */
 107         LANDLOCK_KEY_NET_PORT,
 108 };
 109
 110 /**
 111  * struct landlock_id - Unique rule identifier for a ruleset
 112  */
 113 struct landlock_id {
 114         /**
 115          * @key: Identifies either a kernel object (e.g. an inode) or
 116          * a raw value (e.g. a TCP port).
 117          */
 118         union landlock_key key;
 119         /**
 120          * @type: Type of a landlock_ruleset's root tree.
 121          */
 122         const enum landlock_key_type type;
 123 };
 124
 125 /**
 126  * struct landlock_rule - Access rights tied to an object
 127  */
 128 struct landlock_rule {
 129         /**
 130          * @node: Node in the ruleset's red-black tree.
 131          */
 132         struct rb_node node;
 133         /**
 134          * @key: A union to identify either a kernel object (e.g. an inode) or
 135          * a raw data value (e.g. a network socket port). This is used as a key
 136          * for this ruleset element.  The pointer is set once and never
 137          * modified.  It always points to an allocated object because each rule
 138          * increments the refcount of its object.
 139          */
 140         union landlock_key key;
 141         /**
 142          * @num_layers: Number of entries in @layers.
 143          */
 144         u32 num_layers;
 145         /**
 146          * @layers: Stack of layers, from the latest to the newest, implemented
 147          * as a flexible array member (FAM).
 148          */
 149         struct landlock_layer layers[] __counted_by(num_layers);
 150 };
 151
 152 /**
 153  * struct landlock_hierarchy - Node in a ruleset hierarchy
 154  */
 155 struct landlock_hierarchy {
 156         /**
 157          * @parent: Pointer to the parent node, or NULL if it is a root
 158          * Landlock domain.
 159          */
 160         struct landlock_hierarchy *parent;
 161         /**
 162          * @usage: Number of potential children domains plus their parent
 163          * domain.
 164          */
 165         refcount_t usage;
 166 };
 167
 168 /**
 169  * struct landlock_ruleset - Landlock ruleset
 170  *
 171  * This data structure must contain unique entries, be updatable, and quick to
 172  * match an object.
 173  */
 174 struct landlock_ruleset {
 175         /**
 176          * @root_inode: Root of a red-black tree containing &struct
 177          * landlock_rule nodes with inode object.  Once a ruleset is tied to a
 178          * process (i.e. as a domain), this tree is immutable until @usage
 179          * reaches zero.
 180          */
 181         struct rb_root root_inode;
 182
 183 #if IS_ENABLED(CONFIG_INET)
 184         /**
 185          * @root_net_port: Root of a red-black tree containing &struct
 186          * landlock_rule nodes with network port. Once a ruleset is tied to a
 187          * process (i.e. as a domain), this tree is immutable until @usage
 188          * reaches zero.
 189          */
 190         struct rb_root root_net_port;
 191 #endif /* IS_ENABLED(CONFIG_INET) */
 192
 193         /**
 194          * @hierarchy: Enables hierarchy identification even when a parent
 195          * domain vanishes.  This is needed for the ptrace protection.
 196          */
 197         struct landlock_hierarchy *hierarchy;
 198         union {
 199                 /**
 200                  * @work_free: Enables to free a ruleset within a lockless
 201                  * section.  This is only used by
 202                  * landlock_put_ruleset_deferred() when @usage reaches zero.
 203                  * The fields @lock, @usage, @num_rules, @num_layers and
 204                  * @access_masks are then unused.
 205                  */
 206                 struct work_struct work_free;
 207                 struct {
 208                         /**
 209                          * @lock: Protects against concurrent modifications of
 210                          * @root, if @usage is greater than zero.
 211                          */
 212                         struct mutex lock;
 213                         /**
 214                          * @usage: Number of processes (i.e. domains) or file
 215                          * descriptors referencing this ruleset.
 216                          */
 217                         refcount_t usage;
 218                         /**
 219                          * @num_rules: Number of non-overlapping (i.e. not for
 220                          * the same object) rules in this ruleset.
 221                          */
 222                         u32 num_rules;
 223                         /**
 224                          * @num_layers: Number of layers that are used in this
 225                          * ruleset.  This enables to check that all the layers
 226                          * allow an access request.  A value of 0 identifies a
 227                          * non-merged ruleset (i.e. not a domain).
 228                          */
 229                         u32 num_layers;
 230                         /**
 231                          * @access_masks: Contains the subset of filesystem and
 232                          * network actions that are restricted by a ruleset.
 233                          * A domain saves all layers of merged rulesets in a
 234                          * stack (FAM), starting from the first layer to the
 235                          * last one.  These layers are used when merging
 236                          * rulesets, for user space backward compatibility
 237                          * (i.e. future-proof), and to properly handle merged
 238                          * rulesets without overlapping access rights.  These
 239                          * layers are set once and never changed for the
 240                          * lifetime of the ruleset.
 241                          */
 242                         struct access_masks access_masks[];
 243                 };
 244         };
 245 };
 246
 247 struct landlock_ruleset *
 248 landlock_create_ruleset(const access_mask_t access_mask_fs,
 249                         const access_mask_t access_mask_net,
 250                         const access_mask_t scope_mask);
 251
 252 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
 253 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
 254
 255 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
 256                          const struct landlock_id id,
 257                          const access_mask_t access);
 258
 259 struct landlock_ruleset *
 260 landlock_merge_ruleset(struct landlock_ruleset *const parent,
 261                        struct landlock_ruleset *const ruleset);
 262
 263 const struct landlock_rule *
 264 landlock_find_rule(const struct landlock_ruleset *const ruleset,
 265                    const struct landlock_id id);
 266
 267 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
 268 {
 269         if (ruleset)
 270                 refcount_inc(&ruleset->usage);
 271 }
 272
 273 /**
 274  * landlock_union_access_masks - Return all access rights handled in the
 275  *                               domain
 276  *
 277  * @domain: Landlock ruleset (used as a domain)
 278  *
 279  * Returns: an access_masks result of the OR of all the domain's access masks.
 280  */
 281 static inline struct access_masks
 282 landlock_union_access_masks(const struct landlock_ruleset *const domain)
 283 {
 284         union access_masks_all matches = {};
 285         size_t layer_level;
 286
 287         for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
 288                 union access_masks_all layer = {
 289                         .masks = domain->access_masks[layer_level],
 290                 };
 291
 292                 matches.all |= layer.all;
 293         }
 294
 295         return matches.masks;
 296 }
 297
 298 /**
 299  * landlock_get_applicable_domain - Return @domain if it applies to (handles)
 300  *                                  at least one of the access rights specified
 301  *                                  in @masks
 302  *
 303  * @domain: Landlock ruleset (used as a domain)
 304  * @masks: access masks
 305  *
 306  * Returns: @domain if any access rights specified in @masks is handled, or
 307  * NULL otherwise.
 308  */
 309 static inline const struct landlock_ruleset *
 310 landlock_get_applicable_domain(const struct landlock_ruleset *const domain,
 311                                const struct access_masks masks)
 312 {
 313         const union access_masks_all masks_all = {
 314                 .masks = masks,
 315         };
 316         union access_masks_all merge = {};
 317
 318         if (!domain)
 319                 return NULL;
 320
 321         merge.masks = landlock_union_access_masks(domain);
 322         if (merge.all & masks_all.all)
 323                 return domain;
 324
 325         return NULL;
 326 }
 327
 328 static inline void
 329 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
 330                             const access_mask_t fs_access_mask,
 331                             const u16 layer_level)
 332 {
 333         access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;
 334
 335         /* Should already be checked in sys_landlock_create_ruleset(). */
 336         WARN_ON_ONCE(fs_access_mask != fs_mask);
 337         ruleset->access_masks[layer_level].fs |= fs_mask;
 338 }
 339
 340 static inline void
 341 landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
 342                              const access_mask_t net_access_mask,
 343                              const u16 layer_level)
 344 {
 345         access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET;
 346
 347         /* Should already be checked in sys_landlock_create_ruleset(). */
 348         WARN_ON_ONCE(net_access_mask != net_mask);
 349         ruleset->access_masks[layer_level].net |= net_mask;
 350 }
 351
 352 static inline void
 353 landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
 354                         const access_mask_t scope_mask, const u16 layer_level)
 355 {
 356         access_mask_t mask = scope_mask & LANDLOCK_MASK_SCOPE;
 357
 358         /* Should already be checked in sys_landlock_create_ruleset(). */
 359         WARN_ON_ONCE(scope_mask != mask);
 360         ruleset->access_masks[layer_level].scope |= mask;
 361 }
 362
 363 static inline access_mask_t
 364 landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
 365                             const u16 layer_level)
 366 {
 367         /* Handles all initially denied by default access rights. */
 368         return ruleset->access_masks[layer_level].fs |
 369                LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
 370 }
 371
 372 static inline access_mask_t
 373 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
 374                              const u16 layer_level)
 375 {
 376         return ruleset->access_masks[layer_level].net;
 377 }
 378
 379 static inline access_mask_t
 380 landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,
 381                         const u16 layer_level)
 382 {
 383         return ruleset->access_masks[layer_level].scope;
 384 }
 385
 386 bool landlock_unmask_layers(const struct landlock_rule *const rule,
 387                             const access_mask_t access_request,
 388                             layer_mask_t (*const layer_masks)[],
 389                             const size_t masks_array_size);
 390
 391 access_mask_t
 392 landlock_init_layer_masks(const struct landlock_ruleset *const domain,
 393                           const access_mask_t access_request,
 394                           layer_mask_t (*const layer_masks)[],
 395                           const enum landlock_key_type key_type);
 396
 397 #endif /* _SECURITY_LANDLOCK_RULESET_H */