[linux-block.git] / security / landlock / syscalls.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Landlock LSM - System call implementations and user space interfaces
 *
 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 */

#include <asm/current.h>
#include <linux/anon_inodes.h>
#include <linux/build_bug.h>
#include <linux/capability.h>
#include <linux/compiler_types.h>
#include <linux/dcache.h>
#include <linux/err.h>
#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/limits.h>
#include <linux/mount.h>
#include <linux/path.h>
#include <linux/sched.h>
#include <linux/security.h>
#include <linux/stddef.h>
#include <linux/syscalls.h>
#include <linux/types.h>
#include <linux/uaccess.h>
#include <uapi/linux/landlock.h>

#include "cred.h"
#include "fs.h"
#include "limits.h"
#include "ruleset.h"
#include "setup.h"

/**
 * copy_min_struct_from_user - Safe future-proof argument copying
 *
 * Extend copy_struct_from_user() to check for consistent user buffer.
 *
 * @dst: Kernel space pointer or NULL.
 * @ksize: Actual size of the data pointed to by @dst.
 * @ksize_min: Minimal required size to be copied.
 * @src: User space pointer or NULL.
 * @usize: (Alleged) size of the data pointed to by @src.
 */
static __always_inline int
copy_min_struct_from_user(void *const dst, const size_t ksize,
			  const size_t ksize_min, const void __user *const src,
			  const size_t usize)
{
	/* Checks buffer inconsistencies. */
	BUILD_BUG_ON(!dst);
	if (!src)
		return -EFAULT;

	/* Checks size ranges. */
	BUILD_BUG_ON(ksize <= 0);
	BUILD_BUG_ON(ksize < ksize_min);
	if (usize < ksize_min)
		return -EINVAL;
	if (usize > PAGE_SIZE)
		return -E2BIG;

	/* Copies user buffer and fills with zeros. */
	return copy_struct_from_user(dst, ksize, src, usize);
}

/*
 * This function only contains arithmetic operations with constants, leading to
 * BUILD_BUG_ON().  The related code is evaluated and checked at build time,
 * but it is then ignored thanks to compiler optimizations.
 */
static void build_check_abi(void)
{
	struct landlock_ruleset_attr ruleset_attr;
	struct landlock_path_beneath_attr path_beneath_attr;
	size_t ruleset_size, path_beneath_size;

	/*
	 * For each user space ABI structures, first checks that there is no
	 * hole in them, then checks that all architectures have the same
	 * struct size.
	 */
	ruleset_size = sizeof(ruleset_attr.handled_access_fs);
	BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size);
	BUILD_BUG_ON(sizeof(ruleset_attr) != 8);

	path_beneath_size = sizeof(path_beneath_attr.allowed_access);
	path_beneath_size += sizeof(path_beneath_attr.parent_fd);
	BUILD_BUG_ON(sizeof(path_beneath_attr) != path_beneath_size);
	BUILD_BUG_ON(sizeof(path_beneath_attr) != 12);
}

/* Ruleset handling */

static int fop_ruleset_release(struct inode *const inode,
			       struct file *const filp)
{
	struct landlock_ruleset *ruleset = filp->private_data;

	landlock_put_ruleset(ruleset);
	return 0;
}

static ssize_t fop_dummy_read(struct file *const filp, char __user *const buf,
			      const size_t size, loff_t *const ppos)
{
	/* Dummy handler to enable FMODE_CAN_READ. */
	return -EINVAL;
}

static ssize_t fop_dummy_write(struct file *const filp,
			       const char __user *const buf, const size_t size,
			       loff_t *const ppos)
{
	/* Dummy handler to enable FMODE_CAN_WRITE. */
	return -EINVAL;
}

/*
 * A ruleset file descriptor enables to build a ruleset by adding (i.e.
 * writing) rule after rule, without relying on the task's context.  This
 * reentrant design is also used in a read way to enforce the ruleset on the
 * current task.
 */
static const struct file_operations ruleset_fops = {
	.release = fop_ruleset_release,
	.read = fop_dummy_read,
	.write = fop_dummy_write,
};

#define LANDLOCK_ABI_VERSION 3

/**
 * sys_landlock_create_ruleset - Create a new ruleset
 *
 * @attr: Pointer to a &struct landlock_ruleset_attr identifying the scope of
 *        the new ruleset.
 * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
 *        backward and forward compatibility).
 * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
 *
 * This system call enables to create a new Landlock ruleset, and returns the
 * related file descriptor on success.
 *
 * If @flags is %LANDLOCK_CREATE_RULESET_VERSION and @attr is NULL and @size is
 * 0, then the returned value is the highest supported Landlock ABI version
 * (starting at 1).
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
 * - %EINVAL: unknown @flags, or unknown access, or too small @size;
 * - %E2BIG or %EFAULT: @attr or @size inconsistencies;
 * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
 */
SYSCALL_DEFINE3(landlock_create_ruleset,
		const struct landlock_ruleset_attr __user *const, attr,
		const size_t, size, const __u32, flags)
{
	struct landlock_ruleset_attr ruleset_attr;
	struct landlock_ruleset *ruleset;
	int err, ruleset_fd;

	/* Build-time checks. */
	build_check_abi();

	if (!landlock_initialized)
		return -EOPNOTSUPP;

	if (flags) {
		if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
		    !size)
			return LANDLOCK_ABI_VERSION;
		return -EINVAL;
	}

	/* Copies raw user space buffer. */
	err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr),
					offsetofend(typeof(ruleset_attr),
						    handled_access_fs),
					attr, size);
	if (err)
		return err;

	/* Checks content (and 32-bits cast). */
	if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
	    LANDLOCK_MASK_ACCESS_FS)
		return -EINVAL;

	/* Checks arguments and transforms to kernel struct. */
	ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs);
	if (IS_ERR(ruleset))
		return PTR_ERR(ruleset);

	/* Creates anonymous FD referring to the ruleset. */
	ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
				      ruleset, O_RDWR | O_CLOEXEC);
	if (ruleset_fd < 0)
		landlock_put_ruleset(ruleset);
	return ruleset_fd;
}

/*
 * Returns an owned ruleset from a FD. It is thus needed to call
 * landlock_put_ruleset() on the return value.
 */
static struct landlock_ruleset *get_ruleset_from_fd(const int fd,
						    const fmode_t mode)
{
	struct fd ruleset_f;
	struct landlock_ruleset *ruleset;

	ruleset_f = fdget(fd);
	if (!ruleset_f.file)
		return ERR_PTR(-EBADF);

	/* Checks FD type and access right. */
	if (ruleset_f.file->f_op != &ruleset_fops) {
		ruleset = ERR_PTR(-EBADFD);
		goto out_fdput;
	}
	if (!(ruleset_f.file->f_mode & mode)) {
		ruleset = ERR_PTR(-EPERM);
		goto out_fdput;
	}
	ruleset = ruleset_f.file->private_data;
	if (WARN_ON_ONCE(ruleset->num_layers != 1)) {
		ruleset = ERR_PTR(-EINVAL);
		goto out_fdput;
	}
	landlock_get_ruleset(ruleset);

out_fdput:
	fdput(ruleset_f);
	return ruleset;
}

/* Path handling */

/*
 * @path: Must call put_path(@path) after the call if it succeeded.
 */
static int get_path_from_fd(const s32 fd, struct path *const path)
{
	struct fd f;
	int err = 0;

	BUILD_BUG_ON(!__same_type(
		fd, ((struct landlock_path_beneath_attr *)NULL)->parent_fd));

	/* Handles O_PATH. */
	f = fdget_raw(fd);
	if (!f.file)
		return -EBADF;
	/*
	 * Forbids ruleset FDs, internal filesystems (e.g. nsfs), including
	 * pseudo filesystems that will never be mountable (e.g. sockfs,
	 * pipefs).
	 */
	if ((f.file->f_op == &ruleset_fops) ||
	    (f.file->f_path.mnt->mnt_flags & MNT_INTERNAL) ||
	    (f.file->f_path.dentry->d_sb->s_flags & SB_NOUSER) ||
	    d_is_negative(f.file->f_path.dentry) ||
	    IS_PRIVATE(d_backing_inode(f.file->f_path.dentry))) {
		err = -EBADFD;
		goto out_fdput;
	}
	*path = f.file->f_path;
	path_get(path);

out_fdput:
	fdput(f);
	return err;
}

/**
 * sys_landlock_add_rule - Add a new rule to a ruleset
 *
 * @ruleset_fd: File descriptor tied to the ruleset that should be extended
 *		with the new rule.
 * @rule_type: Identify the structure type pointed to by @rule_attr (only
 *             %LANDLOCK_RULE_PATH_BENEATH for now).
 * @rule_attr: Pointer to a rule (only of type &struct
 *             landlock_path_beneath_attr for now).
 * @flags: Must be 0.
 *
 * This system call enables to define a new rule and add it to an existing
 * ruleset.
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
 * - %EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
 *   &landlock_path_beneath_attr.allowed_access is not a subset of the
 *   ruleset handled accesses);
 * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
 * - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
 *   member of @rule_attr is not a file descriptor as expected;
 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
 *   @rule_attr is not the expected file descriptor type;
 * - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
 * - %EFAULT: @rule_attr inconsistency.
 */
SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
		const enum landlock_rule_type, rule_type,
		const void __user *const, rule_attr, const __u32, flags)
{
	struct landlock_path_beneath_attr path_beneath_attr;
	struct path path;
	struct landlock_ruleset *ruleset;
	int res, err;

	if (!landlock_initialized)
		return -EOPNOTSUPP;

	/* No flag for now. */
	if (flags)
		return -EINVAL;

	/* Gets and checks the ruleset. */
	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
	if (IS_ERR(ruleset))
		return PTR_ERR(ruleset);

	if (rule_type != LANDLOCK_RULE_PATH_BENEATH) {
		err = -EINVAL;
		goto out_put_ruleset;
	}

	/* Copies raw user space buffer, only one type for now. */
	res = copy_from_user(&path_beneath_attr, rule_attr,
			     sizeof(path_beneath_attr));
	if (res) {
		err = -EFAULT;
		goto out_put_ruleset;
	}

	/*
	 * Informs about useless rule: empty allowed_access (i.e. deny rules)
	 * are ignored in path walks.
	 */
	if (!path_beneath_attr.allowed_access) {
		err = -ENOMSG;
		goto out_put_ruleset;
	}
	/*
	 * Checks that allowed_access matches the @ruleset constraints
	 * (ruleset->fs_access_masks[0] is automatically upgraded to 64-bits).
	 */
	if ((path_beneath_attr.allowed_access | ruleset->fs_access_masks[0]) !=
	    ruleset->fs_access_masks[0]) {
		err = -EINVAL;
		goto out_put_ruleset;
	}

	/* Gets and checks the new rule. */
	err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
	if (err)
		goto out_put_ruleset;

	/* Imports the new rule. */
	err = landlock_append_fs_rule(ruleset, &path,
				      path_beneath_attr.allowed_access);
	path_put(&path);

out_put_ruleset:
	landlock_put_ruleset(ruleset);
	return err;
}

/* Enforcement */

/**
 * sys_landlock_restrict_self - Enforce a ruleset on the calling thread
 *
 * @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
 * @flags: Must be 0.
 *
 * This system call enables to enforce a Landlock ruleset on the current
 * thread.  Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its
 * namespace or is running with no_new_privs.  This avoids scenarios where
 * unprivileged tasks can affect the behavior of privileged children.
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
 * - %EINVAL: @flags is not 0.
 * - %EBADF: @ruleset_fd is not a file descriptor for the current thread;
 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor;
 * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
 *   current thread is not running with no_new_privs, or it doesn't have
 *   %CAP_SYS_ADMIN in its namespace.
 * - %E2BIG: The maximum number of stacked rulesets is reached for the current
 *   thread.
 */
SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
		flags)
{
	struct landlock_ruleset *new_dom, *ruleset;
	struct cred *new_cred;
	struct landlock_cred_security *new_llcred;
	int err;

	if (!landlock_initialized)
		return -EOPNOTSUPP;

	/*
	 * Similar checks as for seccomp(2), except that an -EPERM may be
	 * returned.
	 */
	if (!task_no_new_privs(current) &&
	    !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
		return -EPERM;

	/* No flag for now. */
	if (flags)
		return -EINVAL;

	/* Gets and checks the ruleset. */
	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
	if (IS_ERR(ruleset))
		return PTR_ERR(ruleset);

	/* Prepares new credentials. */
	new_cred = prepare_creds();
	if (!new_cred) {
		err = -ENOMEM;
		goto out_put_ruleset;
	}
	new_llcred = landlock_cred(new_cred);

	/*
	 * There is no possible race condition while copying and manipulating
	 * the current credentials because they are dedicated per thread.
	 */
	new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset);
	if (IS_ERR(new_dom)) {
		err = PTR_ERR(new_dom);
		goto out_put_creds;
	}

	/* Replaces the old (prepared) domain. */
	landlock_put_ruleset(new_llcred->domain);
	new_llcred->domain = new_dom;

	landlock_put_ruleset(ruleset);
	return commit_creds(new_cred);

out_put_creds:
	abort_creds(new_cred);

out_put_ruleset:
	landlock_put_ruleset(ruleset);
	return err;
}
Commit	Line	Data
265885da MS	1	// SPDX-License-Identifier: GPL-2.0-only
	2	/*
	3	* Landlock LSM - System call implementations and user space interfaces
	4	*
	5	* Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
	6	* Copyright © 2018-2020 ANSSI
	7	*/
	8
	9	#include <asm/current.h>
	10	#include <linux/anon_inodes.h>
	11	#include <linux/build_bug.h>
	12	#include <linux/capability.h>
	13	#include <linux/compiler_types.h>
	14	#include <linux/dcache.h>
	15	#include <linux/err.h>
	16	#include <linux/errno.h>
	17	#include <linux/fs.h>
	18	#include <linux/limits.h>
	19	#include <linux/mount.h>
	20	#include <linux/path.h>
	21	#include <linux/sched.h>
	22	#include <linux/security.h>
	23	#include <linux/stddef.h>
	24	#include <linux/syscalls.h>
	25	#include <linux/types.h>
	26	#include <linux/uaccess.h>
	27	#include <uapi/linux/landlock.h>
	28
	29	#include "cred.h"
	30	#include "fs.h"
	31	#include "limits.h"
	32	#include "ruleset.h"
	33	#include "setup.h"
	34
	35	/**
	36	* copy_min_struct_from_user - Safe future-proof argument copying
	37	*
	38	* Extend copy_struct_from_user() to check for consistent user buffer.
	39	*
	40	* @dst: Kernel space pointer or NULL.
	41	* @ksize: Actual size of the data pointed to by @dst.
	42	* @ksize_min: Minimal required size to be copied.
	43	* @src: User space pointer or NULL.
	44	* @usize: (Alleged) size of the data pointed to by @src.
	45	*/
06a1c40a MS	46	static __always_inline int
	47	copy_min_struct_from_user(void *const dst, const size_t ksize,
	48	const size_t ksize_min, const void __user *const src,
	49	const size_t usize)
265885da MS	50	{
	51	/* Checks buffer inconsistencies. */
	52	BUILD_BUG_ON(!dst);
	53	if (!src)
	54	return -EFAULT;
	55
	56	/* Checks size ranges. */
	57	BUILD_BUG_ON(ksize <= 0);
	58	BUILD_BUG_ON(ksize < ksize_min);
	59	if (usize < ksize_min)
	60	return -EINVAL;
	61	if (usize > PAGE_SIZE)
	62	return -E2BIG;
	63
	64	/* Copies user buffer and fills with zeros. */
	65	return copy_struct_from_user(dst, ksize, src, usize);
	66	}
	67
	68	/*
	69	* This function only contains arithmetic operations with constants, leading to
	70	* BUILD_BUG_ON(). The related code is evaluated and checked at build time,
	71	* but it is then ignored thanks to compiler optimizations.
	72	*/
	73	static void build_check_abi(void)
	74	{
	75	struct landlock_ruleset_attr ruleset_attr;
	76	struct landlock_path_beneath_attr path_beneath_attr;
	77	size_t ruleset_size, path_beneath_size;
	78
	79	/*
	80	* For each user space ABI structures, first checks that there is no
	81	* hole in them, then checks that all architectures have the same
	82	* struct size.
	83	*/
	84	ruleset_size = sizeof(ruleset_attr.handled_access_fs);
	85	BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size);
	86	BUILD_BUG_ON(sizeof(ruleset_attr) != 8);
	87
	88	path_beneath_size = sizeof(path_beneath_attr.allowed_access);
	89	path_beneath_size += sizeof(path_beneath_attr.parent_fd);
	90	BUILD_BUG_ON(sizeof(path_beneath_attr) != path_beneath_size);
	91	BUILD_BUG_ON(sizeof(path_beneath_attr) != 12);
	92	}
	93
	94	/* Ruleset handling */
	95
	96	static int fop_ruleset_release(struct inode *const inode,
06a1c40a	97	struct file *const filp)
265885da MS	98	{
	99	struct landlock_ruleset *ruleset = filp->private_data;
	100
	101	landlock_put_ruleset(ruleset);
	102	return 0;
	103	}
	104
	105	static ssize_t fop_dummy_read(struct file const filp, char __user const buf,
06a1c40a	106	const size_t size, loff_t *const ppos)
265885da MS	107	{
	108	/* Dummy handler to enable FMODE_CAN_READ. */
	109	return -EINVAL;
	110	}
	111
	112	static ssize_t fop_dummy_write(struct file *const filp,
06a1c40a MS	113	const char __user *const buf, const size_t size,
06a1c40a MS	114	loff_t *const ppos)
265885da MS	115	{
	116	/* Dummy handler to enable FMODE_CAN_WRITE. */
	117	return -EINVAL;
	118	}
	119
	120	/*
	121	* A ruleset file descriptor enables to build a ruleset by adding (i.e.
	122	* writing) rule after rule, without relying on the task's context. This
	123	* reentrant design is also used in a read way to enforce the ruleset on the
	124	* current task.
	125	*/
	126	static const struct file_operations ruleset_fops = {
	127	.release = fop_ruleset_release,
	128	.read = fop_dummy_read,
	129	.write = fop_dummy_write,
	130	};
	131
b9f5ce27	132	#define LANDLOCK_ABI_VERSION 3
3532b0b4	133
265885da MS	134	/**
	135	* sys_landlock_create_ruleset - Create a new ruleset
	136	*
	137	* @attr: Pointer to a &struct landlock_ruleset_attr identifying the scope of
	138	* the new ruleset.
	139	* @size: Size of the pointed &struct landlock_ruleset_attr (needed for
	140	* backward and forward compatibility).
3532b0b4	141	* @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
265885da MS	142	*
	143	* This system call enables to create a new Landlock ruleset, and returns the
	144	* related file descriptor on success.
	145	*
3532b0b4 MS	146	* If @flags is %LANDLOCK_CREATE_RULESET_VERSION and @attr is NULL and @size is
	147	* 0, then the returned value is the highest supported Landlock ABI version
	148	* (starting at 1).
	149	*
265885da MS	150	* Possible returned errors are:
265885da MS	151	*
2fff00c8 MS	152	* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
	153	* - %EINVAL: unknown @flags, or unknown access, or too small @size;
	154	* - %E2BIG or %EFAULT: @attr or @size inconsistencies;
	155	* - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
265885da MS	156	*/
	157	SYSCALL_DEFINE3(landlock_create_ruleset,
	158	const struct landlock_ruleset_attr __user *const, attr,
	159	const size_t, size, const __u32, flags)
	160	{
	161	struct landlock_ruleset_attr ruleset_attr;
	162	struct landlock_ruleset *ruleset;
	163	int err, ruleset_fd;
	164
	165	/* Build-time checks. */
	166	build_check_abi();
	167
	168	if (!landlock_initialized)
	169	return -EOPNOTSUPP;
	170
3532b0b4	171	if (flags) {
06a1c40a MS	172	if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
06a1c40a MS	173	!size)
3532b0b4	174	return LANDLOCK_ABI_VERSION;
265885da	175	return -EINVAL;
3532b0b4	176	}
265885da MS	177
	178	/* Copies raw user space buffer. */
	179	err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr),
06a1c40a MS	180	offsetofend(typeof(ruleset_attr),
	181	handled_access_fs),
	182	attr, size);
265885da MS	183	if (err)
	184	return err;
	185
	186	/* Checks content (and 32-bits cast). */
	187	if ((ruleset_attr.handled_access_fs \| LANDLOCK_MASK_ACCESS_FS) !=
06a1c40a	188	LANDLOCK_MASK_ACCESS_FS)
265885da MS	189	return -EINVAL;
	190
	191	/* Checks arguments and transforms to kernel struct. */
	192	ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs);
	193	if (IS_ERR(ruleset))
	194	return PTR_ERR(ruleset);
	195
	196	/* Creates anonymous FD referring to the ruleset. */
aea0b9f2	197	ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
06a1c40a	198	ruleset, O_RDWR \| O_CLOEXEC);
265885da MS	199	if (ruleset_fd < 0)
	200	landlock_put_ruleset(ruleset);
	201	return ruleset_fd;
	202	}
	203
	204	/*
	205	* Returns an owned ruleset from a FD. It is thus needed to call
	206	* landlock_put_ruleset() on the return value.
	207	*/
	208	static struct landlock_ruleset *get_ruleset_from_fd(const int fd,
06a1c40a	209	const fmode_t mode)
265885da MS	210	{
	211	struct fd ruleset_f;
	212	struct landlock_ruleset *ruleset;
	213
	214	ruleset_f = fdget(fd);
	215	if (!ruleset_f.file)
	216	return ERR_PTR(-EBADF);
	217
	218	/* Checks FD type and access right. */
	219	if (ruleset_f.file->f_op != &ruleset_fops) {
	220	ruleset = ERR_PTR(-EBADFD);
	221	goto out_fdput;
	222	}
	223	if (!(ruleset_f.file->f_mode & mode)) {
	224	ruleset = ERR_PTR(-EPERM);
	225	goto out_fdput;
	226	}
	227	ruleset = ruleset_f.file->private_data;
	228	if (WARN_ON_ONCE(ruleset->num_layers != 1)) {
	229	ruleset = ERR_PTR(-EINVAL);
	230	goto out_fdput;
	231	}
	232	landlock_get_ruleset(ruleset);
	233
	234	out_fdput:
	235	fdput(ruleset_f);
	236	return ruleset;
	237	}
	238
	239	/* Path handling */
	240
	241	/*
	242	* @path: Must call put_path(@path) after the call if it succeeded.
	243	*/
	244	static int get_path_from_fd(const s32 fd, struct path *const path)
	245	{
	246	struct fd f;
	247	int err = 0;
	248
06a1c40a MS	249	BUILD_BUG_ON(!__same_type(
06a1c40a MS	250	fd, ((struct landlock_path_beneath_attr *)NULL)->parent_fd));
265885da MS	251
	252	/* Handles O_PATH. */
	253	f = fdget_raw(fd);
	254	if (!f.file)
	255	return -EBADF;
	256	/*
	257	* Forbids ruleset FDs, internal filesystems (e.g. nsfs), including
	258	* pseudo filesystems that will never be mountable (e.g. sockfs,
	259	* pipefs).
	260	*/
	261	if ((f.file->f_op == &ruleset_fops) \|\|
06a1c40a MS	262	(f.file->f_path.mnt->mnt_flags & MNT_INTERNAL) \|\|
	263	(f.file->f_path.dentry->d_sb->s_flags & SB_NOUSER) \|\|
	264	d_is_negative(f.file->f_path.dentry) \|\|
	265	IS_PRIVATE(d_backing_inode(f.file->f_path.dentry))) {
265885da MS	266	err = -EBADFD;
	267	goto out_fdput;
	268	}
	269	*path = f.file->f_path;
	270	path_get(path);
	271
	272	out_fdput:
	273	fdput(f);
	274	return err;
	275	}
	276
	277	/**
	278	* sys_landlock_add_rule - Add a new rule to a ruleset
	279	*
	280	* @ruleset_fd: File descriptor tied to the ruleset that should be extended
	281	* with the new rule.
	282	* @rule_type: Identify the structure type pointed to by @rule_attr (only
2fff00c8	283	* %LANDLOCK_RULE_PATH_BENEATH for now).
265885da MS	284	* @rule_attr: Pointer to a rule (only of type &struct
	285	* landlock_path_beneath_attr for now).
	286	* @flags: Must be 0.
	287	*
	288	* This system call enables to define a new rule and add it to an existing
	289	* ruleset.
	290	*
	291	* Possible returned errors are:
	292	*
2fff00c8 MS	293	* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
2fff00c8 MS	294	* - %EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
a13e248f MS	295	* &landlock_path_beneath_attr.allowed_access is not a subset of the
a13e248f MS	296	* ruleset handled accesses);
2fff00c8 MS	297	* - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
2fff00c8 MS	298	* - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
265885da	299	* member of @rule_attr is not a file descriptor as expected;
2fff00c8	300	* - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
a13e248f	301	* @rule_attr is not the expected file descriptor type;
2fff00c8 MS	302	* - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
2fff00c8 MS	303	* - %EFAULT: @rule_attr inconsistency.
265885da	304	*/
06a1c40a MS	305	SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
06a1c40a MS	306	const enum landlock_rule_type, rule_type,
265885da MS	307	const void __user *const, rule_attr, const __u32, flags)
	308	{
	309	struct landlock_path_beneath_attr path_beneath_attr;
	310	struct path path;
	311	struct landlock_ruleset *ruleset;
	312	int res, err;
	313
	314	if (!landlock_initialized)
	315	return -EOPNOTSUPP;
	316
	317	/* No flag for now. */
	318	if (flags)
	319	return -EINVAL;
	320
265885da MS	321	/* Gets and checks the ruleset. */
	322	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
	323	if (IS_ERR(ruleset))
	324	return PTR_ERR(ruleset);
	325
589172e5 MS	326	if (rule_type != LANDLOCK_RULE_PATH_BENEATH) {
	327	err = -EINVAL;
	328	goto out_put_ruleset;
	329	}
	330
	331	/* Copies raw user space buffer, only one type for now. */
	332	res = copy_from_user(&path_beneath_attr, rule_attr,
	333	sizeof(path_beneath_attr));
	334	if (res) {
	335	err = -EFAULT;
	336	goto out_put_ruleset;
	337	}
	338
265885da MS	339	/*
	340	* Informs about useless rule: empty allowed_access (i.e. deny rules)
	341	* are ignored in path walks.
	342	*/
	343	if (!path_beneath_attr.allowed_access) {
	344	err = -ENOMSG;
	345	goto out_put_ruleset;
	346	}
	347	/*
	348	* Checks that allowed_access matches the @ruleset constraints
	349	* (ruleset->fs_access_masks[0] is automatically upgraded to 64-bits).
	350	*/
	351	if ((path_beneath_attr.allowed_access \| ruleset->fs_access_masks[0]) !=
06a1c40a	352	ruleset->fs_access_masks[0]) {
265885da MS	353	err = -EINVAL;
	354	goto out_put_ruleset;
	355	}
	356
	357	/* Gets and checks the new rule. */
	358	err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
	359	if (err)
	360	goto out_put_ruleset;
	361
	362	/* Imports the new rule. */
	363	err = landlock_append_fs_rule(ruleset, &path,
06a1c40a	364	path_beneath_attr.allowed_access);
265885da MS	365	path_put(&path);
	366
	367	out_put_ruleset:
	368	landlock_put_ruleset(ruleset);
	369	return err;
	370	}
	371
	372	/* Enforcement */
	373
	374	/**
	375	* sys_landlock_restrict_self - Enforce a ruleset on the calling thread
	376	*
	377	* @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
	378	* @flags: Must be 0.
	379	*
	380	* This system call enables to enforce a Landlock ruleset on the current
2fff00c8	381	* thread. Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its
265885da MS	382	* namespace or is running with no_new_privs. This avoids scenarios where
	383	* unprivileged tasks can affect the behavior of privileged children.
	384	*
	385	* Possible returned errors are:
	386	*
2fff00c8 MS	387	* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
	388	* - %EINVAL: @flags is not 0.
	389	* - %EBADF: @ruleset_fd is not a file descriptor for the current thread;
	390	* - %EBADFD: @ruleset_fd is not a ruleset file descriptor;
	391	* - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
265885da	392	* current thread is not running with no_new_privs, or it doesn't have
2fff00c8 MS	393	* %CAP_SYS_ADMIN in its namespace.
2fff00c8 MS	394	* - %E2BIG: The maximum number of stacked rulesets is reached for the current
265885da MS	395	* thread.
265885da MS	396	*/
06a1c40a MS	397	SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
06a1c40a MS	398	flags)
265885da MS	399	{
	400	struct landlock_ruleset new_dom, ruleset;
	401	struct cred *new_cred;
	402	struct landlock_cred_security *new_llcred;
	403	int err;
	404
	405	if (!landlock_initialized)
	406	return -EOPNOTSUPP;
	407
265885da MS	408	/*
	409	* Similar checks as for seccomp(2), except that an -EPERM may be
	410	* returned.
	411	*/
	412	if (!task_no_new_privs(current) &&
06a1c40a	413	!ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
265885da MS	414	return -EPERM;
265885da MS	415
eba39ca4 MS	416	/* No flag for now. */
	417	if (flags)
	418	return -EINVAL;
	419
265885da MS	420	/* Gets and checks the ruleset. */
	421	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
	422	if (IS_ERR(ruleset))
	423	return PTR_ERR(ruleset);
	424
	425	/* Prepares new credentials. */
	426	new_cred = prepare_creds();
	427	if (!new_cred) {
	428	err = -ENOMEM;
	429	goto out_put_ruleset;
	430	}
	431	new_llcred = landlock_cred(new_cred);
	432
	433	/*
	434	* There is no possible race condition while copying and manipulating
	435	* the current credentials because they are dedicated per thread.
	436	*/
	437	new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset);
	438	if (IS_ERR(new_dom)) {
	439	err = PTR_ERR(new_dom);
	440	goto out_put_creds;
	441	}
	442
	443	/* Replaces the old (prepared) domain. */
	444	landlock_put_ruleset(new_llcred->domain);
	445	new_llcred->domain = new_dom;
	446
	447	landlock_put_ruleset(ruleset);
	448	return commit_creds(new_cred);
	449
	450	out_put_creds:
	451	abort_creds(new_cred);
	452
	453	out_put_ruleset:
	454	landlock_put_ruleset(ruleset);
	455	return err;
	456	}