[linux-block.git] / include / uapi / linux / landlock.h

/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
/*
 * Landlock - User space API
 *
 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 */

#ifndef _UAPI_LINUX_LANDLOCK_H
#define _UAPI_LINUX_LANDLOCK_H

#include <linux/types.h>

/**
 * struct landlock_ruleset_attr - Ruleset definition
 *
 * Argument of sys_landlock_create_ruleset().  This structure can grow in
 * future versions.
 */
struct landlock_ruleset_attr {
	/**
	 * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
	 * that is handled by this ruleset and should then be forbidden if no
	 * rule explicitly allow them: it is a deny-by-default list that should
	 * contain as much Landlock access rights as possible. Indeed, all
	 * Landlock filesystem access rights that are not part of
	 * handled_access_fs are allowed.  This is needed for backward
	 * compatibility reasons.  One exception is the
	 * LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
	 * handled, but must still be explicitly handled to add new rules with
	 * this access right.
	 */
	__u64 handled_access_fs;
};

/*
 * sys_landlock_create_ruleset() flags:
 *
 * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
 *   version.
 */
/* clang-format off */
#define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
/* clang-format on */

/**
 * enum landlock_rule_type - Landlock rule type
 *
 * Argument of sys_landlock_add_rule().
 */
enum landlock_rule_type {
	/**
	 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
	 * landlock_path_beneath_attr .
	 */
	LANDLOCK_RULE_PATH_BENEATH = 1,
};

/**
 * struct landlock_path_beneath_attr - Path hierarchy definition
 *
 * Argument of sys_landlock_add_rule().
 */
struct landlock_path_beneath_attr {
	/**
	 * @allowed_access: Bitmask of allowed actions for this file hierarchy
	 * (cf. `Filesystem flags`_).
	 */
	__u64 allowed_access;
	/**
	 * @parent_fd: File descriptor, preferably opened with ``O_PATH``,
	 * which identifies the parent directory of a file hierarchy, or just a
	 * file.
	 */
	__s32 parent_fd;
	/*
	 * This struct is packed to avoid trailing reserved members.
	 * Cf. security/landlock/syscalls.c:build_check_abi()
	 */
} __attribute__((packed));

/**
 * DOC: fs_access
 *
 * A set of actions on kernel objects may be defined by an attribute (e.g.
 * &struct landlock_path_beneath_attr) including a bitmask of access.
 *
 * Filesystem flags
 * ~~~~~~~~~~~~~~~~
 *
 * These flags enable to restrict a sandboxed process to a set of actions on
 * files and directories.  Files or directories opened before the sandboxing
 * are not subject to these restrictions.
 *
 * A file can only receive these access rights:
 *
 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
 *
 * A directory can receive access rights related to files or directories.  The
 * following access right is applied to the directory itself, and the
 * directories beneath it:
 *
 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
 *
 * However, the following access rights only apply to the content of a
 * directory, not the directory itself:
 *
 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
 *   device.
 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
 *   socket.
 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
 *   directory (i.e. reparent a file hierarchy).  This access right is
 *   available since the second version of the Landlock ABI.  This is also the
 *   only access right which is always considered handled by any ruleset in
 *   such a way that reparenting a file hierarchy is always denied by default.
 *   To avoid privilege escalation, it is not enough to add a rule with this
 *   access right.  When linking or renaming a file, the destination directory
 *   hierarchy must also always have the same or a superset of restrictions of
 *   the source hierarchy.  If it is not the case, or if the domain doesn't
 *   handle this access right, such actions are denied by default with errno
 *   set to EXDEV.  Linking also requires a LANDLOCK_ACCESS_FS_MAKE_* access
 *   right on the destination directory, and renaming also requires a
 *   LANDLOCK_ACCESS_FS_REMOVE_* access right on the source's (file or
 *   directory) parent.  Otherwise, such actions are denied with errno set to
 *   EACCES.  The EACCES errno prevails over EXDEV to let user space
 *   efficiently deal with an unrecoverable error.
 *
 * .. warning::
 *
 *   It is currently not possible to restrict some file-related actions
 *   accessible through these syscall families: :manpage:`chdir(2)`,
 *   :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
 *   :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
 *   :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
 *   :manpage:`access(2)`.
 *   Future Landlock evolutions will enable to restrict them.
 */
/* clang-format off */
#define LANDLOCK_ACCESS_FS_EXECUTE			(1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE			(1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE			(1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR			(1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR			(1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE			(1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR			(1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_DIR			(1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG			(1ULL << 8)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK			(1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO			(1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK			(1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM			(1ULL << 12)
#define LANDLOCK_ACCESS_FS_REFER			(1ULL << 13)
/* clang-format on */

#endif /* _UAPI_LINUX_LANDLOCK_H */
Commit	Line	Data
cb2c7d1a MS	1	/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
	2	/*
	3	* Landlock - User space API
	4	*
	5	* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
	6	* Copyright © 2018-2020 ANSSI
	7	*/
	8
	9	#ifndef _UAPI_LINUX_LANDLOCK_H
	10	#define _UAPI_LINUX_LANDLOCK_H
	11
265885da MS	12	#include <linux/types.h>
	13
	14	/**
	15	* struct landlock_ruleset_attr - Ruleset definition
	16	*
	17	* Argument of sys_landlock_create_ruleset(). This structure can grow in
	18	* future versions.
	19	*/
	20	struct landlock_ruleset_attr {
	21	/**
	22	* @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
	23	* that is handled by this ruleset and should then be forbidden if no
b91c3e4e MS	24	* rule explicitly allow them: it is a deny-by-default list that should
	25	* contain as much Landlock access rights as possible. Indeed, all
	26	* Landlock filesystem access rights that are not part of
	27	* handled_access_fs are allowed. This is needed for backward
	28	* compatibility reasons. One exception is the
	29	* LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
	30	* handled, but must still be explicitly handled to add new rules with
	31	* this access right.
265885da MS	32	*/
	33	__u64 handled_access_fs;
	34	};
	35
3532b0b4 MS	36	/*
	37	* sys_landlock_create_ruleset() flags:
	38	*
	39	* - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
	40	* version.
	41	*/
6cc2df8e	42	/* clang-format off */
3532b0b4	43	#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
6cc2df8e	44	/* clang-format on */
3532b0b4	45
265885da MS	46	/**
	47	* enum landlock_rule_type - Landlock rule type
	48	*
	49	* Argument of sys_landlock_add_rule().
	50	*/
	51	enum landlock_rule_type {
	52	/**
	53	* @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
	54	* landlock_path_beneath_attr .
	55	*/
	56	LANDLOCK_RULE_PATH_BENEATH = 1,
	57	};
	58
	59	/**
	60	* struct landlock_path_beneath_attr - Path hierarchy definition
	61	*
	62	* Argument of sys_landlock_add_rule().
	63	*/
	64	struct landlock_path_beneath_attr {
	65	/**
	66	* @allowed_access: Bitmask of allowed actions for this file hierarchy
	67	* (cf. `Filesystem flags`_).
	68	*/
	69	__u64 allowed_access;
	70	/**
a13e248f MS	71	* @parent_fd: File descriptor, preferably opened with ``O_PATH``,
	72	* which identifies the parent directory of a file hierarchy, or just a
	73	* file.
265885da MS	74	*/
	75	__s32 parent_fd;
	76	/*
	77	* This struct is packed to avoid trailing reserved members.
	78	* Cf. security/landlock/syscalls.c:build_check_abi()
	79	*/
	80	} __attribute__((packed));
	81
cb2c7d1a MS	82	/**
	83	* DOC: fs_access
	84	*
	85	* A set of actions on kernel objects may be defined by an attribute (e.g.
	86	* &struct landlock_path_beneath_attr) including a bitmask of access.
	87	*
	88	* Filesystem flags
	89	* ~~~~~~~~~~~~~~~~
	90	*
	91	* These flags enable to restrict a sandboxed process to a set of actions on
	92	* files and directories. Files or directories opened before the sandboxing
	93	* are not subject to these restrictions.
	94	*
	95	* A file can only receive these access rights:
	96	*
	97	* - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
	98	* - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
	99	* - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
	100	*
	101	* A directory can receive access rights related to files or directories. The
	102	* following access right is applied to the directory itself, and the
	103	* directories beneath it:
	104	*
	105	* - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
	106	*
	107	* However, the following access rights only apply to the content of a
	108	* directory, not the directory itself:
	109	*
	110	* - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
	111	* - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
	112	* - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
	113	* device.
	114	* - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
	115	* - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
	116	* - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
	117	* socket.
	118	* - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
	119	* - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
	120	* - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
b91c3e4e MS	121	* - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
	122	* directory (i.e. reparent a file hierarchy). This access right is
	123	* available since the second version of the Landlock ABI. This is also the
	124	* only access right which is always considered handled by any ruleset in
	125	* such a way that reparenting a file hierarchy is always denied by default.
	126	* To avoid privilege escalation, it is not enough to add a rule with this
	127	* access right. When linking or renaming a file, the destination directory
	128	* hierarchy must also always have the same or a superset of restrictions of
	129	* the source hierarchy. If it is not the case, or if the domain doesn't
	130	* handle this access right, such actions are denied by default with errno
	131	* set to EXDEV. Linking also requires a LANDLOCK_ACCESS_FS_MAKE_* access
	132	* right on the destination directory, and renaming also requires a
	133	* LANDLOCK_ACCESS_FS_REMOVE_* access right on the source's (file or
	134	* directory) parent. Otherwise, such actions are denied with errno set to
	135	* EACCES. The EACCES errno prevails over EXDEV to let user space
	136	* efficiently deal with an unrecoverable error.
cb2c7d1a MS	137	*
	138	* .. warning::
	139	*
	140	* It is currently not possible to restrict some file-related actions
	141	* accessible through these syscall families: :manpage:`chdir(2)`,
	142	* :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
	143	* :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
	144	* :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
	145	* :manpage:`access(2)`.
	146	* Future Landlock evolutions will enable to restrict them.
	147	*/
6cc2df8e	148	/* clang-format off */
cb2c7d1a MS	149	#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
	150	#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
	151	#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
	152	#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
	153	#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
	154	#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
	155	#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
	156	#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
	157	#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
	158	#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
	159	#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
	160	#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
	161	#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
b91c3e4e	162	#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
6cc2df8e	163	/* clang-format on */
cb2c7d1a MS	164
cb2c7d1a MS	165	#endif /* _UAPI_LINUX_LANDLOCK_H */