security/landlock/net.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Landlock LSM - Network management and hooks
   4  *
   5  * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
   6  * Copyright © 2022-2023 Microsoft Corporation
   7  */
   8
   9 #include <linux/in.h>
  10 #include <linux/net.h>
  11 #include <linux/socket.h>
  12 #include <net/ipv6.h>
  13
  14 #include "common.h"
  15 #include "cred.h"
  16 #include "limits.h"
  17 #include "net.h"
  18 #include "ruleset.h"
  19
  20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
  21                              const u16 port, access_mask_t access_rights)
  22 {
  23         int err;
  24         const struct landlock_id id = {
  25                 .key.data = (__force uintptr_t)htons(port),
  26                 .type = LANDLOCK_KEY_NET_PORT,
  27         };
  28
  29         BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
  30
  31         /* Transforms relative access rights to absolute ones. */
  32         access_rights |= LANDLOCK_MASK_ACCESS_NET &
  33                          ~landlock_get_net_access_mask(ruleset, 0);
  34
  35         mutex_lock(&ruleset->lock);
  36         err = landlock_insert_rule(ruleset, id, access_rights);
  37         mutex_unlock(&ruleset->lock);
  38
  39         return err;
  40 }
  41
  42 static const struct access_masks any_net = {
  43         .net = ~0,
  44 };
  45
  46 static int current_check_access_socket(struct socket *const sock,
  47                                        struct sockaddr *const address,
  48                                        const int addrlen,
  49                                        access_mask_t access_request)
  50 {
  51         __be16 port;
  52         layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
  53         const struct landlock_rule *rule;
  54         struct landlock_id id = {
  55                 .type = LANDLOCK_KEY_NET_PORT,
  56         };
  57         const struct landlock_ruleset *const dom =
  58                 landlock_get_applicable_domain(landlock_get_current_domain(),
  59                                                any_net);
  60
  61         if (!dom)
  62                 return 0;
  63         if (WARN_ON_ONCE(dom->num_layers < 1))
  64                 return -EACCES;
  65
  66         /* Checks if it's a (potential) TCP socket. */
  67         if (sock->type != SOCK_STREAM)
  68                 return 0;
  69
  70         /* Checks for minimal header length to safely read sa_family. */
  71         if (addrlen < offsetofend(typeof(*address), sa_family))
  72                 return -EINVAL;
  73
  74         switch (address->sa_family) {
  75         case AF_UNSPEC:
  76         case AF_INET:
  77                 if (addrlen < sizeof(struct sockaddr_in))
  78                         return -EINVAL;
  79                 port = ((struct sockaddr_in *)address)->sin_port;
  80                 break;
  81
  82 #if IS_ENABLED(CONFIG_IPV6)
  83         case AF_INET6:
  84                 if (addrlen < SIN6_LEN_RFC2133)
  85                         return -EINVAL;
  86                 port = ((struct sockaddr_in6 *)address)->sin6_port;
  87                 break;
  88 #endif /* IS_ENABLED(CONFIG_IPV6) */
  89
  90         default:
  91                 return 0;
  92         }
  93
  94         /* Specific AF_UNSPEC handling. */
  95         if (address->sa_family == AF_UNSPEC) {
  96                 /*
  97                  * Connecting to an address with AF_UNSPEC dissolves the TCP
  98                  * association, which have the same effect as closing the
  99                  * connection while retaining the socket object (i.e., the file
 100                  * descriptor).  As for dropping privileges, closing
 101                  * connections is always allowed.
 102                  *
 103                  * For a TCP access control system, this request is legitimate.
 104                  * Let the network stack handle potential inconsistencies and
 105                  * return -EINVAL if needed.
 106                  */
 107                 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
 108                         return 0;
 109
 110                 /*
 111                  * For compatibility reason, accept AF_UNSPEC for bind
 112                  * accesses (mapped to AF_INET) only if the address is
 113                  * INADDR_ANY (cf. __inet_bind).  Checking the address is
 114                  * required to not wrongfully return -EACCES instead of
 115                  * -EAFNOSUPPORT.
 116                  *
 117                  * We could return 0 and let the network stack handle these
 118                  * checks, but it is safer to return a proper error and test
 119                  * consistency thanks to kselftest.
 120                  */
 121                 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
 122                         /* addrlen has already been checked for AF_UNSPEC. */
 123                         const struct sockaddr_in *const sockaddr =
 124                                 (struct sockaddr_in *)address;
 125
 126                         if (sock->sk->__sk_common.skc_family != AF_INET)
 127                                 return -EINVAL;
 128
 129                         if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
 130                                 return -EAFNOSUPPORT;
 131                 }
 132         } else {
 133                 /*
 134                  * Checks sa_family consistency to not wrongfully return
 135                  * -EACCES instead of -EINVAL.  Valid sa_family changes are
 136                  * only (from AF_INET or AF_INET6) to AF_UNSPEC.
 137                  *
 138                  * We could return 0 and let the network stack handle this
 139                  * check, but it is safer to return a proper error and test
 140                  * consistency thanks to kselftest.
 141                  */
 142                 if (address->sa_family != sock->sk->__sk_common.skc_family)
 143                         return -EINVAL;
 144         }
 145
 146         id.key.data = (__force uintptr_t)port;
 147         BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
 148
 149         rule = landlock_find_rule(dom, id);
 150         access_request = landlock_init_layer_masks(
 151                 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
 152         if (landlock_unmask_layers(rule, access_request, &layer_masks,
 153                                    ARRAY_SIZE(layer_masks)))
 154                 return 0;
 155
 156         return -EACCES;
 157 }
 158
 159 static int hook_socket_bind(struct socket *const sock,
 160                             struct sockaddr *const address, const int addrlen)
 161 {
 162         return current_check_access_socket(sock, address, addrlen,
 163                                            LANDLOCK_ACCESS_NET_BIND_TCP);
 164 }
 165
 166 static int hook_socket_connect(struct socket *const sock,
 167                                struct sockaddr *const address,
 168                                const int addrlen)
 169 {
 170         return current_check_access_socket(sock, address, addrlen,
 171                                            LANDLOCK_ACCESS_NET_CONNECT_TCP);
 172 }
 173
 174 static struct security_hook_list landlock_hooks[] __ro_after_init = {
 175         LSM_HOOK_INIT(socket_bind, hook_socket_bind),
 176         LSM_HOOK_INIT(socket_connect, hook_socket_connect),
 177 };
 178
 179 __init void landlock_add_net_hooks(void)
 180 {
 181         security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
 182                            &landlock_lsmid);
 183 }