Commit | Line | Data |
---|---|---|
265885da MS |
1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* | |
3 | * Landlock LSM - System call implementations and user space interfaces | |
4 | * | |
5 | * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net> | |
6 | * Copyright © 2018-2020 ANSSI | |
7 | */ | |
8 | ||
9 | #include <asm/current.h> | |
10 | #include <linux/anon_inodes.h> | |
11 | #include <linux/build_bug.h> | |
12 | #include <linux/capability.h> | |
13 | #include <linux/compiler_types.h> | |
14 | #include <linux/dcache.h> | |
15 | #include <linux/err.h> | |
16 | #include <linux/errno.h> | |
17 | #include <linux/fs.h> | |
18 | #include <linux/limits.h> | |
19 | #include <linux/mount.h> | |
20 | #include <linux/path.h> | |
21 | #include <linux/sched.h> | |
22 | #include <linux/security.h> | |
23 | #include <linux/stddef.h> | |
24 | #include <linux/syscalls.h> | |
25 | #include <linux/types.h> | |
26 | #include <linux/uaccess.h> | |
27 | #include <uapi/linux/landlock.h> | |
28 | ||
29 | #include "cred.h" | |
30 | #include "fs.h" | |
31 | #include "limits.h" | |
32 | #include "ruleset.h" | |
33 | #include "setup.h" | |
34 | ||
35 | /** | |
36 | * copy_min_struct_from_user - Safe future-proof argument copying | |
37 | * | |
38 | * Extend copy_struct_from_user() to check for consistent user buffer. | |
39 | * | |
40 | * @dst: Kernel space pointer or NULL. | |
41 | * @ksize: Actual size of the data pointed to by @dst. | |
42 | * @ksize_min: Minimal required size to be copied. | |
43 | * @src: User space pointer or NULL. | |
44 | * @usize: (Alleged) size of the data pointed to by @src. | |
45 | */ | |
06a1c40a MS |
46 | static __always_inline int |
47 | copy_min_struct_from_user(void *const dst, const size_t ksize, | |
48 | const size_t ksize_min, const void __user *const src, | |
49 | const size_t usize) | |
265885da MS |
50 | { |
51 | /* Checks buffer inconsistencies. */ | |
52 | BUILD_BUG_ON(!dst); | |
53 | if (!src) | |
54 | return -EFAULT; | |
55 | ||
56 | /* Checks size ranges. */ | |
57 | BUILD_BUG_ON(ksize <= 0); | |
58 | BUILD_BUG_ON(ksize < ksize_min); | |
59 | if (usize < ksize_min) | |
60 | return -EINVAL; | |
61 | if (usize > PAGE_SIZE) | |
62 | return -E2BIG; | |
63 | ||
64 | /* Copies user buffer and fills with zeros. */ | |
65 | return copy_struct_from_user(dst, ksize, src, usize); | |
66 | } | |
67 | ||
68 | /* | |
69 | * This function only contains arithmetic operations with constants, leading to | |
70 | * BUILD_BUG_ON(). The related code is evaluated and checked at build time, | |
71 | * but it is then ignored thanks to compiler optimizations. | |
72 | */ | |
73 | static void build_check_abi(void) | |
74 | { | |
75 | struct landlock_ruleset_attr ruleset_attr; | |
76 | struct landlock_path_beneath_attr path_beneath_attr; | |
77 | size_t ruleset_size, path_beneath_size; | |
78 | ||
79 | /* | |
80 | * For each user space ABI structures, first checks that there is no | |
81 | * hole in them, then checks that all architectures have the same | |
82 | * struct size. | |
83 | */ | |
84 | ruleset_size = sizeof(ruleset_attr.handled_access_fs); | |
85 | BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size); | |
86 | BUILD_BUG_ON(sizeof(ruleset_attr) != 8); | |
87 | ||
88 | path_beneath_size = sizeof(path_beneath_attr.allowed_access); | |
89 | path_beneath_size += sizeof(path_beneath_attr.parent_fd); | |
90 | BUILD_BUG_ON(sizeof(path_beneath_attr) != path_beneath_size); | |
91 | BUILD_BUG_ON(sizeof(path_beneath_attr) != 12); | |
92 | } | |
93 | ||
94 | /* Ruleset handling */ | |
95 | ||
96 | static int fop_ruleset_release(struct inode *const inode, | |
06a1c40a | 97 | struct file *const filp) |
265885da MS |
98 | { |
99 | struct landlock_ruleset *ruleset = filp->private_data; | |
100 | ||
101 | landlock_put_ruleset(ruleset); | |
102 | return 0; | |
103 | } | |
104 | ||
105 | static ssize_t fop_dummy_read(struct file *const filp, char __user *const buf, | |
06a1c40a | 106 | const size_t size, loff_t *const ppos) |
265885da MS |
107 | { |
108 | /* Dummy handler to enable FMODE_CAN_READ. */ | |
109 | return -EINVAL; | |
110 | } | |
111 | ||
112 | static ssize_t fop_dummy_write(struct file *const filp, | |
06a1c40a MS |
113 | const char __user *const buf, const size_t size, |
114 | loff_t *const ppos) | |
265885da MS |
115 | { |
116 | /* Dummy handler to enable FMODE_CAN_WRITE. */ | |
117 | return -EINVAL; | |
118 | } | |
119 | ||
120 | /* | |
121 | * A ruleset file descriptor enables to build a ruleset by adding (i.e. | |
122 | * writing) rule after rule, without relying on the task's context. This | |
123 | * reentrant design is also used in a read way to enforce the ruleset on the | |
124 | * current task. | |
125 | */ | |
126 | static const struct file_operations ruleset_fops = { | |
127 | .release = fop_ruleset_release, | |
128 | .read = fop_dummy_read, | |
129 | .write = fop_dummy_write, | |
130 | }; | |
131 | ||
b9f5ce27 | 132 | #define LANDLOCK_ABI_VERSION 3 |
3532b0b4 | 133 | |
265885da MS |
134 | /** |
135 | * sys_landlock_create_ruleset - Create a new ruleset | |
136 | * | |
137 | * @attr: Pointer to a &struct landlock_ruleset_attr identifying the scope of | |
138 | * the new ruleset. | |
139 | * @size: Size of the pointed &struct landlock_ruleset_attr (needed for | |
140 | * backward and forward compatibility). | |
3532b0b4 | 141 | * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION. |
265885da MS |
142 | * |
143 | * This system call enables to create a new Landlock ruleset, and returns the | |
144 | * related file descriptor on success. | |
145 | * | |
3532b0b4 MS |
146 | * If @flags is %LANDLOCK_CREATE_RULESET_VERSION and @attr is NULL and @size is |
147 | * 0, then the returned value is the highest supported Landlock ABI version | |
148 | * (starting at 1). | |
149 | * | |
265885da MS |
150 | * Possible returned errors are: |
151 | * | |
2fff00c8 MS |
152 | * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; |
153 | * - %EINVAL: unknown @flags, or unknown access, or too small @size; | |
154 | * - %E2BIG or %EFAULT: @attr or @size inconsistencies; | |
155 | * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs. | |
265885da MS |
156 | */ |
157 | SYSCALL_DEFINE3(landlock_create_ruleset, | |
158 | const struct landlock_ruleset_attr __user *const, attr, | |
159 | const size_t, size, const __u32, flags) | |
160 | { | |
161 | struct landlock_ruleset_attr ruleset_attr; | |
162 | struct landlock_ruleset *ruleset; | |
163 | int err, ruleset_fd; | |
164 | ||
165 | /* Build-time checks. */ | |
166 | build_check_abi(); | |
167 | ||
168 | if (!landlock_initialized) | |
169 | return -EOPNOTSUPP; | |
170 | ||
3532b0b4 | 171 | if (flags) { |
06a1c40a MS |
172 | if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr && |
173 | !size) | |
3532b0b4 | 174 | return LANDLOCK_ABI_VERSION; |
265885da | 175 | return -EINVAL; |
3532b0b4 | 176 | } |
265885da MS |
177 | |
178 | /* Copies raw user space buffer. */ | |
179 | err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr), | |
06a1c40a MS |
180 | offsetofend(typeof(ruleset_attr), |
181 | handled_access_fs), | |
182 | attr, size); | |
265885da MS |
183 | if (err) |
184 | return err; | |
185 | ||
186 | /* Checks content (and 32-bits cast). */ | |
187 | if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) != | |
06a1c40a | 188 | LANDLOCK_MASK_ACCESS_FS) |
265885da MS |
189 | return -EINVAL; |
190 | ||
191 | /* Checks arguments and transforms to kernel struct. */ | |
192 | ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs); | |
193 | if (IS_ERR(ruleset)) | |
194 | return PTR_ERR(ruleset); | |
195 | ||
196 | /* Creates anonymous FD referring to the ruleset. */ | |
aea0b9f2 | 197 | ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops, |
06a1c40a | 198 | ruleset, O_RDWR | O_CLOEXEC); |
265885da MS |
199 | if (ruleset_fd < 0) |
200 | landlock_put_ruleset(ruleset); | |
201 | return ruleset_fd; | |
202 | } | |
203 | ||
204 | /* | |
205 | * Returns an owned ruleset from a FD. It is thus needed to call | |
206 | * landlock_put_ruleset() on the return value. | |
207 | */ | |
208 | static struct landlock_ruleset *get_ruleset_from_fd(const int fd, | |
06a1c40a | 209 | const fmode_t mode) |
265885da MS |
210 | { |
211 | struct fd ruleset_f; | |
212 | struct landlock_ruleset *ruleset; | |
213 | ||
214 | ruleset_f = fdget(fd); | |
215 | if (!ruleset_f.file) | |
216 | return ERR_PTR(-EBADF); | |
217 | ||
218 | /* Checks FD type and access right. */ | |
219 | if (ruleset_f.file->f_op != &ruleset_fops) { | |
220 | ruleset = ERR_PTR(-EBADFD); | |
221 | goto out_fdput; | |
222 | } | |
223 | if (!(ruleset_f.file->f_mode & mode)) { | |
224 | ruleset = ERR_PTR(-EPERM); | |
225 | goto out_fdput; | |
226 | } | |
227 | ruleset = ruleset_f.file->private_data; | |
228 | if (WARN_ON_ONCE(ruleset->num_layers != 1)) { | |
229 | ruleset = ERR_PTR(-EINVAL); | |
230 | goto out_fdput; | |
231 | } | |
232 | landlock_get_ruleset(ruleset); | |
233 | ||
234 | out_fdput: | |
235 | fdput(ruleset_f); | |
236 | return ruleset; | |
237 | } | |
238 | ||
239 | /* Path handling */ | |
240 | ||
241 | /* | |
242 | * @path: Must call put_path(@path) after the call if it succeeded. | |
243 | */ | |
244 | static int get_path_from_fd(const s32 fd, struct path *const path) | |
245 | { | |
246 | struct fd f; | |
247 | int err = 0; | |
248 | ||
06a1c40a MS |
249 | BUILD_BUG_ON(!__same_type( |
250 | fd, ((struct landlock_path_beneath_attr *)NULL)->parent_fd)); | |
265885da MS |
251 | |
252 | /* Handles O_PATH. */ | |
253 | f = fdget_raw(fd); | |
254 | if (!f.file) | |
255 | return -EBADF; | |
256 | /* | |
257 | * Forbids ruleset FDs, internal filesystems (e.g. nsfs), including | |
258 | * pseudo filesystems that will never be mountable (e.g. sockfs, | |
259 | * pipefs). | |
260 | */ | |
261 | if ((f.file->f_op == &ruleset_fops) || | |
06a1c40a MS |
262 | (f.file->f_path.mnt->mnt_flags & MNT_INTERNAL) || |
263 | (f.file->f_path.dentry->d_sb->s_flags & SB_NOUSER) || | |
264 | d_is_negative(f.file->f_path.dentry) || | |
265 | IS_PRIVATE(d_backing_inode(f.file->f_path.dentry))) { | |
265885da MS |
266 | err = -EBADFD; |
267 | goto out_fdput; | |
268 | } | |
269 | *path = f.file->f_path; | |
270 | path_get(path); | |
271 | ||
272 | out_fdput: | |
273 | fdput(f); | |
274 | return err; | |
275 | } | |
276 | ||
277 | /** | |
278 | * sys_landlock_add_rule - Add a new rule to a ruleset | |
279 | * | |
280 | * @ruleset_fd: File descriptor tied to the ruleset that should be extended | |
281 | * with the new rule. | |
282 | * @rule_type: Identify the structure type pointed to by @rule_attr (only | |
2fff00c8 | 283 | * %LANDLOCK_RULE_PATH_BENEATH for now). |
265885da MS |
284 | * @rule_attr: Pointer to a rule (only of type &struct |
285 | * landlock_path_beneath_attr for now). | |
286 | * @flags: Must be 0. | |
287 | * | |
288 | * This system call enables to define a new rule and add it to an existing | |
289 | * ruleset. | |
290 | * | |
291 | * Possible returned errors are: | |
292 | * | |
2fff00c8 MS |
293 | * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; |
294 | * - %EINVAL: @flags is not 0, or inconsistent access in the rule (i.e. | |
a13e248f MS |
295 | * &landlock_path_beneath_attr.allowed_access is not a subset of the |
296 | * ruleset handled accesses); | |
2fff00c8 MS |
297 | * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access); |
298 | * - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a | |
265885da | 299 | * member of @rule_attr is not a file descriptor as expected; |
2fff00c8 | 300 | * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of |
a13e248f | 301 | * @rule_attr is not the expected file descriptor type; |
2fff00c8 MS |
302 | * - %EPERM: @ruleset_fd has no write access to the underlying ruleset; |
303 | * - %EFAULT: @rule_attr inconsistency. | |
265885da | 304 | */ |
06a1c40a MS |
305 | SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, |
306 | const enum landlock_rule_type, rule_type, | |
265885da MS |
307 | const void __user *const, rule_attr, const __u32, flags) |
308 | { | |
309 | struct landlock_path_beneath_attr path_beneath_attr; | |
310 | struct path path; | |
311 | struct landlock_ruleset *ruleset; | |
312 | int res, err; | |
313 | ||
314 | if (!landlock_initialized) | |
315 | return -EOPNOTSUPP; | |
316 | ||
317 | /* No flag for now. */ | |
318 | if (flags) | |
319 | return -EINVAL; | |
320 | ||
265885da MS |
321 | /* Gets and checks the ruleset. */ |
322 | ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE); | |
323 | if (IS_ERR(ruleset)) | |
324 | return PTR_ERR(ruleset); | |
325 | ||
589172e5 MS |
326 | if (rule_type != LANDLOCK_RULE_PATH_BENEATH) { |
327 | err = -EINVAL; | |
328 | goto out_put_ruleset; | |
329 | } | |
330 | ||
331 | /* Copies raw user space buffer, only one type for now. */ | |
332 | res = copy_from_user(&path_beneath_attr, rule_attr, | |
333 | sizeof(path_beneath_attr)); | |
334 | if (res) { | |
335 | err = -EFAULT; | |
336 | goto out_put_ruleset; | |
337 | } | |
338 | ||
265885da MS |
339 | /* |
340 | * Informs about useless rule: empty allowed_access (i.e. deny rules) | |
341 | * are ignored in path walks. | |
342 | */ | |
343 | if (!path_beneath_attr.allowed_access) { | |
344 | err = -ENOMSG; | |
345 | goto out_put_ruleset; | |
346 | } | |
347 | /* | |
348 | * Checks that allowed_access matches the @ruleset constraints | |
349 | * (ruleset->fs_access_masks[0] is automatically upgraded to 64-bits). | |
350 | */ | |
351 | if ((path_beneath_attr.allowed_access | ruleset->fs_access_masks[0]) != | |
06a1c40a | 352 | ruleset->fs_access_masks[0]) { |
265885da MS |
353 | err = -EINVAL; |
354 | goto out_put_ruleset; | |
355 | } | |
356 | ||
357 | /* Gets and checks the new rule. */ | |
358 | err = get_path_from_fd(path_beneath_attr.parent_fd, &path); | |
359 | if (err) | |
360 | goto out_put_ruleset; | |
361 | ||
362 | /* Imports the new rule. */ | |
363 | err = landlock_append_fs_rule(ruleset, &path, | |
06a1c40a | 364 | path_beneath_attr.allowed_access); |
265885da MS |
365 | path_put(&path); |
366 | ||
367 | out_put_ruleset: | |
368 | landlock_put_ruleset(ruleset); | |
369 | return err; | |
370 | } | |
371 | ||
372 | /* Enforcement */ | |
373 | ||
374 | /** | |
375 | * sys_landlock_restrict_self - Enforce a ruleset on the calling thread | |
376 | * | |
377 | * @ruleset_fd: File descriptor tied to the ruleset to merge with the target. | |
378 | * @flags: Must be 0. | |
379 | * | |
380 | * This system call enables to enforce a Landlock ruleset on the current | |
2fff00c8 | 381 | * thread. Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its |
265885da MS |
382 | * namespace or is running with no_new_privs. This avoids scenarios where |
383 | * unprivileged tasks can affect the behavior of privileged children. | |
384 | * | |
385 | * Possible returned errors are: | |
386 | * | |
2fff00c8 MS |
387 | * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; |
388 | * - %EINVAL: @flags is not 0. | |
389 | * - %EBADF: @ruleset_fd is not a file descriptor for the current thread; | |
390 | * - %EBADFD: @ruleset_fd is not a ruleset file descriptor; | |
391 | * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the | |
265885da | 392 | * current thread is not running with no_new_privs, or it doesn't have |
2fff00c8 MS |
393 | * %CAP_SYS_ADMIN in its namespace. |
394 | * - %E2BIG: The maximum number of stacked rulesets is reached for the current | |
265885da MS |
395 | * thread. |
396 | */ | |
06a1c40a MS |
397 | SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, |
398 | flags) | |
265885da MS |
399 | { |
400 | struct landlock_ruleset *new_dom, *ruleset; | |
401 | struct cred *new_cred; | |
402 | struct landlock_cred_security *new_llcred; | |
403 | int err; | |
404 | ||
405 | if (!landlock_initialized) | |
406 | return -EOPNOTSUPP; | |
407 | ||
265885da MS |
408 | /* |
409 | * Similar checks as for seccomp(2), except that an -EPERM may be | |
410 | * returned. | |
411 | */ | |
412 | if (!task_no_new_privs(current) && | |
06a1c40a | 413 | !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) |
265885da MS |
414 | return -EPERM; |
415 | ||
eba39ca4 MS |
416 | /* No flag for now. */ |
417 | if (flags) | |
418 | return -EINVAL; | |
419 | ||
265885da MS |
420 | /* Gets and checks the ruleset. */ |
421 | ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); | |
422 | if (IS_ERR(ruleset)) | |
423 | return PTR_ERR(ruleset); | |
424 | ||
425 | /* Prepares new credentials. */ | |
426 | new_cred = prepare_creds(); | |
427 | if (!new_cred) { | |
428 | err = -ENOMEM; | |
429 | goto out_put_ruleset; | |
430 | } | |
431 | new_llcred = landlock_cred(new_cred); | |
432 | ||
433 | /* | |
434 | * There is no possible race condition while copying and manipulating | |
435 | * the current credentials because they are dedicated per thread. | |
436 | */ | |
437 | new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset); | |
438 | if (IS_ERR(new_dom)) { | |
439 | err = PTR_ERR(new_dom); | |
440 | goto out_put_creds; | |
441 | } | |
442 | ||
443 | /* Replaces the old (prepared) domain. */ | |
444 | landlock_put_ruleset(new_llcred->domain); | |
445 | new_llcred->domain = new_dom; | |
446 | ||
447 | landlock_put_ruleset(ruleset); | |
448 | return commit_creds(new_cred); | |
449 | ||
450 | out_put_creds: | |
451 | abort_creds(new_cred); | |
452 | ||
453 | out_put_ruleset: | |
454 | landlock_put_ruleset(ruleset); | |
455 | return err; | |
456 | } |