1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* | |
3 | * Landlock - User space API | |
4 | * | |
5 | * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> | |
6 | * Copyright © 2018-2020 ANSSI | |
7 | */ | |
8 | ||
9 | #ifndef _UAPI_LINUX_LANDLOCK_H | |
10 | #define _UAPI_LINUX_LANDLOCK_H | |
11 | ||
12 | #include <linux/types.h> |
13 | ||
/**
 * struct landlock_ruleset_attr - Ruleset definition
 *
 * Argument of sys_landlock_create_ruleset(). This structure can grow in
 * future versions.
 */
struct landlock_ruleset_attr {
	/**
	 * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
	 * that is handled by this ruleset and should then be forbidden if no
	 * rule explicitly allows them: it is a deny-by-default list that should
	 * contain as many Landlock access rights as possible. Indeed, all
	 * Landlock filesystem access rights that are not part of
	 * handled_access_fs are allowed, i.e. an access right left out of this
	 * bitmask stays unrestricted for the sandboxed process. This is needed
	 * for backward compatibility reasons. One exception is the
	 * LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
	 * handled, but must still be explicitly handled to add new rules with
	 * this access right.
	 */
	__u64 handled_access_fs;
};
35 | ||
/*
 * sys_landlock_create_ruleset() flags:
 *
 * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
 *   version. User space can use it to check, before building a ruleset,
 *   whether an access right that appeared in a later ABI version (e.g.
 *   LANDLOCK_ACCESS_FS_REFER, available since the second version) is
 *   supported by the running kernel.
 */
/* clang-format off */
#define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
/* clang-format on */
3532b0b4 | 45 | |
/**
 * enum landlock_rule_type - Landlock rule type
 *
 * Argument of sys_landlock_add_rule(). It selects the layout of the rule
 * attribute passed alongside it.
 */
enum landlock_rule_type {
	/**
	 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
	 * landlock_path_beneath_attr .
	 */
	LANDLOCK_RULE_PATH_BENEATH = 1,
};
58 | ||
/**
 * struct landlock_path_beneath_attr - Path hierarchy definition
 *
 * Argument of sys_landlock_add_rule(), used with the
 * %LANDLOCK_RULE_PATH_BENEATH rule type.
 */
struct landlock_path_beneath_attr {
	/**
	 * @allowed_access: Bitmask of allowed actions for this file hierarchy
	 * (cf. `Filesystem flags`_).
	 */
	__u64 allowed_access;
	/**
	 * @parent_fd: File descriptor, preferably opened with ``O_PATH``,
	 * which identifies the parent directory of a file hierarchy, or just a
	 * file.
	 */
	__s32 parent_fd;
	/*
	 * This struct is packed to avoid trailing reserved members.
	 * Cf. security/landlock/syscalls.c:build_check_abi()
	 */
} __attribute__((packed));
81 | ||
/**
 * DOC: fs_access
 *
 * A set of actions on kernel objects may be defined by an attribute (e.g.
 * &struct landlock_path_beneath_attr) including a bitmask of access.
 *
 * Filesystem flags
 * ~~~~~~~~~~~~~~~~
 *
 * These flags make it possible to restrict a sandboxed process to a set of
 * actions on files and directories. Files or directories opened before the
 * sandboxing are not subject to these restrictions.
 *
 * A file can only receive these access rights:
 *
 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
 *
 * A directory can receive access rights related to files or directories. The
 * following access right is applied to the directory itself, and the
 * directories beneath it:
 *
 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
 *
 * However, the following access rights only apply to the content of a
 * directory, not the directory itself:
 *
 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
 *   device.
 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
 *   socket.
 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
 *   directory (i.e. reparent a file hierarchy). This access right is
 *   available since the second version of the Landlock ABI. This is also the
 *   only access right which is always considered handled by any ruleset in
 *   such a way that reparenting a file hierarchy is always denied by default.
 *   To avoid privilege escalation, it is not enough to add a rule with this
 *   access right. When linking or renaming a file, the destination directory
 *   hierarchy must also always have the same or a superset of restrictions of
 *   the source hierarchy. If it is not the case, or if the domain doesn't
 *   handle this access right, such actions are denied by default with errno
 *   set to EXDEV. Linking also requires a LANDLOCK_ACCESS_FS_MAKE_* access
 *   right on the destination directory, and renaming also requires a
 *   LANDLOCK_ACCESS_FS_REMOVE_* access right on the source's (file or
 *   directory) parent. Otherwise, such actions are denied with errno set to
 *   EACCES. The EACCES errno prevails over EXDEV to let user space
 *   efficiently deal with an unrecoverable error.
 *
 * .. warning::
 *
 *   It is currently not possible to restrict some file-related actions
 *   accessible through these syscall families: :manpage:`chdir(2)`,
 *   :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
 *   :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
 *   :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
 *   :manpage:`access(2)`.
 *   Future Landlock versions will make it possible to restrict them.
 */
/* clang-format off */
#define LANDLOCK_ACCESS_FS_EXECUTE			(1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE			(1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE			(1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR			(1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR			(1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE			(1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR			(1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_DIR			(1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG			(1ULL << 8)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK			(1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO			(1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK			(1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM			(1ULL << 12)
#define LANDLOCK_ACCESS_FS_REFER			(1ULL << 13)
/* clang-format on */
164 | |
165 | #endif /* _UAPI_LINUX_LANDLOCK_H */ |