1 // SPDX-License-Identifier: GPL-2.0-only 1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 2 /* 3 * Landlock LSM - Network management and hooks 3 * Landlock LSM - Network management and hooks 4 * 4 * 5 * Copyright © 2022-2023 Huawei Tech. Co., Lt 5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd. 6 * Copyright © 2022-2023 Microsoft Corporatio 6 * Copyright © 2022-2023 Microsoft Corporation 7 */ 7 */ 8 8 9 #include <linux/in.h> 9 #include <linux/in.h> 10 #include <linux/net.h> 10 #include <linux/net.h> 11 #include <linux/socket.h> 11 #include <linux/socket.h> 12 #include <net/ipv6.h> 12 #include <net/ipv6.h> 13 13 14 #include "common.h" 14 #include "common.h" 15 #include "cred.h" 15 #include "cred.h" 16 #include "limits.h" 16 #include "limits.h" 17 #include "net.h" 17 #include "net.h" 18 #include "ruleset.h" 18 #include "ruleset.h" 19 19 20 int landlock_append_net_rule(struct landlock_r 20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, 21 const u16 port, a 21 const u16 port, access_mask_t access_rights) 22 { 22 { 23 int err; 23 int err; 24 const struct landlock_id id = { 24 const struct landlock_id id = { 25 .key.data = (__force uintptr_t 25 .key.data = (__force uintptr_t)htons(port), 26 .type = LANDLOCK_KEY_NET_PORT, 26 .type = LANDLOCK_KEY_NET_PORT, 27 }; 27 }; 28 28 29 BUILD_BUG_ON(sizeof(port) > sizeof(id. 29 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); 30 30 31 /* Transforms relative access rights t 31 /* Transforms relative access rights to absolute ones. */ 32 access_rights |= LANDLOCK_MASK_ACCESS_ 32 access_rights |= LANDLOCK_MASK_ACCESS_NET & 33 ~landlock_get_net_acc 33 ~landlock_get_net_access_mask(ruleset, 0); 34 34 35 mutex_lock(&ruleset->lock); 35 mutex_lock(&ruleset->lock); 36 err = landlock_insert_rule(ruleset, id 36 err = landlock_insert_rule(ruleset, id, access_rights); 37 mutex_unlock(&ruleset->lock); 37 mutex_unlock(&ruleset->lock); 38 38 39 return err; 39 return err; 40 } 40 } 41 41 42 static access_mask_t 42 static access_mask_t 43 get_raw_handled_net_accesses(const struct land 43 get_raw_handled_net_accesses(const struct landlock_ruleset *const domain) 44 { 44 { 45 access_mask_t access_dom = 0; 45 access_mask_t access_dom = 0; 46 size_t layer_level; 46 size_t layer_level; 47 47 48 for (layer_level = 0; layer_level < do 48 for (layer_level = 0; layer_level < domain->num_layers; layer_level++) 49 access_dom |= landlock_get_net 49 access_dom |= landlock_get_net_access_mask(domain, layer_level); 50 return access_dom; 50 return access_dom; 51 } 51 } 52 52 53 static const struct landlock_ruleset *get_curr 53 static const struct landlock_ruleset *get_current_net_domain(void) 54 { 54 { 55 const struct landlock_ruleset *const d 55 const struct landlock_ruleset *const dom = 56 landlock_get_current_domain(); 56 landlock_get_current_domain(); 57 57 58 if (!dom || !get_raw_handled_net_acces 58 if (!dom || !get_raw_handled_net_accesses(dom)) 59 return NULL; 59 return NULL; 60 60 61 return dom; 61 return dom; 62 } 62 } 63 63 64 static int current_check_access_socket(struct 64 static int current_check_access_socket(struct socket *const sock, 65 struct 65 struct sockaddr *const address, 66 const i 66 const int addrlen, 67 access_ 67 access_mask_t access_request) 68 { 68 { 69 __be16 port; 69 __be16 port; 70 layer_mask_t layer_masks[LANDLOCK_NUM_ 70 layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; 71 const struct landlock_rule *rule; 71 const struct landlock_rule *rule; 72 struct landlock_id id = { 72 struct landlock_id id = { 73 .type = LANDLOCK_KEY_NET_PORT, 73 .type = LANDLOCK_KEY_NET_PORT, 74 }; 74 }; 75 const struct landlock_ruleset *const d 75 const struct landlock_ruleset *const dom = get_current_net_domain(); 76 76 77 if (!dom) 77 if (!dom) 78 return 0; 78 return 0; 79 if (WARN_ON_ONCE(dom->num_layers < 1)) 79 if (WARN_ON_ONCE(dom->num_layers < 1)) 80 return -EACCES; 80 return -EACCES; 81 81 82 /* Checks if it's a (potential) TCP so 82 /* Checks if it's a (potential) TCP socket. */ 83 if (sock->type != SOCK_STREAM) 83 if (sock->type != SOCK_STREAM) 84 return 0; 84 return 0; 85 85 86 /* Checks for minimal header length to 86 /* Checks for minimal header length to safely read sa_family. */ 87 if (addrlen < offsetofend(typeof(*addr 87 if (addrlen < offsetofend(typeof(*address), sa_family)) 88 return -EINVAL; 88 return -EINVAL; 89 89 90 switch (address->sa_family) { 90 switch (address->sa_family) { 91 case AF_UNSPEC: 91 case AF_UNSPEC: 92 case AF_INET: 92 case AF_INET: 93 if (addrlen < sizeof(struct so 93 if (addrlen < sizeof(struct sockaddr_in)) 94 return -EINVAL; 94 return -EINVAL; 95 port = ((struct sockaddr_in *) 95 port = ((struct sockaddr_in *)address)->sin_port; 96 break; 96 break; 97 97 98 #if IS_ENABLED(CONFIG_IPV6) 98 #if IS_ENABLED(CONFIG_IPV6) 99 case AF_INET6: 99 case AF_INET6: 100 if (addrlen < SIN6_LEN_RFC2133 100 if (addrlen < SIN6_LEN_RFC2133) 101 return -EINVAL; 101 return -EINVAL; 102 port = ((struct sockaddr_in6 * 102 port = ((struct sockaddr_in6 *)address)->sin6_port; 103 break; 103 break; 104 #endif /* IS_ENABLED(CONFIG_IPV6) */ 104 #endif /* IS_ENABLED(CONFIG_IPV6) */ 105 105 106 default: 106 default: 107 return 0; 107 return 0; 108 } 108 } 109 109 110 /* Specific AF_UNSPEC handling. */ 110 /* Specific AF_UNSPEC handling. */ 111 if (address->sa_family == AF_UNSPEC) { 111 if (address->sa_family == AF_UNSPEC) { 112 /* 112 /* 113 * Connecting to an address wi 113 * Connecting to an address with AF_UNSPEC dissolves the TCP 114 * association, which have the 114 * association, which have the same effect as closing the 115 * connection while retaining 115 * connection while retaining the socket object (i.e., the file 116 * descriptor). As for droppi 116 * descriptor). As for dropping privileges, closing 117 * connections is always allow 117 * connections is always allowed. 118 * 118 * 119 * For a TCP access control sy 119 * For a TCP access control system, this request is legitimate. 120 * Let the network stack handl 120 * Let the network stack handle potential inconsistencies and 121 * return -EINVAL if needed. 121 * return -EINVAL if needed. 122 */ 122 */ 123 if (access_request == LANDLOCK 123 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) 124 return 0; 124 return 0; 125 125 126 /* 126 /* 127 * For compatibility reason, a 127 * For compatibility reason, accept AF_UNSPEC for bind 128 * accesses (mapped to AF_INET 128 * accesses (mapped to AF_INET) only if the address is 129 * INADDR_ANY (cf. __inet_bind 129 * INADDR_ANY (cf. __inet_bind). Checking the address is 130 * required to not wrongfully 130 * required to not wrongfully return -EACCES instead of 131 * -EAFNOSUPPORT. 131 * -EAFNOSUPPORT. 132 * 132 * 133 * We could return 0 and let t 133 * We could return 0 and let the network stack handle these 134 * checks, but it is safer to 134 * checks, but it is safer to return a proper error and test 135 * consistency thanks to kself 135 * consistency thanks to kselftest. 136 */ 136 */ 137 if (access_request == LANDLOCK 137 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { 138 /* addrlen has already 138 /* addrlen has already been checked for AF_UNSPEC. */ 139 const struct sockaddr_ 139 const struct sockaddr_in *const sockaddr = 140 (struct sockad 140 (struct sockaddr_in *)address; 141 141 142 if (sock->sk->__sk_com 142 if (sock->sk->__sk_common.skc_family != AF_INET) 143 return -EINVAL 143 return -EINVAL; 144 144 145 if (sockaddr->sin_addr 145 if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) 146 return -EAFNOS 146 return -EAFNOSUPPORT; 147 } 147 } 148 } else { 148 } else { 149 /* 149 /* 150 * Checks sa_family consistenc 150 * Checks sa_family consistency to not wrongfully return 151 * -EACCES instead of -EINVAL. 151 * -EACCES instead of -EINVAL. Valid sa_family changes are 152 * only (from AF_INET or AF_IN 152 * only (from AF_INET or AF_INET6) to AF_UNSPEC. 153 * 153 * 154 * We could return 0 and let t 154 * We could return 0 and let the network stack handle this 155 * check, but it is safer to r 155 * check, but it is safer to return a proper error and test 156 * consistency thanks to kself 156 * consistency thanks to kselftest. 157 */ 157 */ 158 if (address->sa_family != sock 158 if (address->sa_family != sock->sk->__sk_common.skc_family) 159 return -EINVAL; 159 return -EINVAL; 160 } 160 } 161 161 162 id.key.data = (__force uintptr_t)port; 162 id.key.data = (__force uintptr_t)port; 163 BUILD_BUG_ON(sizeof(port) > sizeof(id. 163 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); 164 164 165 rule = landlock_find_rule(dom, id); 165 rule = landlock_find_rule(dom, id); 166 access_request = landlock_init_layer_m 166 access_request = landlock_init_layer_masks( 167 dom, access_request, &layer_ma 167 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); 168 if (landlock_unmask_layers(rule, acces 168 if (landlock_unmask_layers(rule, access_request, &layer_masks, 169 ARRAY_SIZE( 169 ARRAY_SIZE(layer_masks))) 170 return 0; 170 return 0; 171 171 172 return -EACCES; 172 return -EACCES; 173 } 173 } 174 174 175 static int hook_socket_bind(struct socket *con 175 static int hook_socket_bind(struct socket *const sock, 176 struct sockaddr *c 176 struct sockaddr *const address, const int addrlen) 177 { 177 { 178 return current_check_access_socket(soc 178 return current_check_access_socket(sock, address, addrlen, 179 LAN 179 LANDLOCK_ACCESS_NET_BIND_TCP); 180 } 180 } 181 181 182 static int hook_socket_connect(struct socket * 182 static int hook_socket_connect(struct socket *const sock, 183 struct sockaddr 183 struct sockaddr *const address, 184 const int addrl 184 const int addrlen) 185 { 185 { 186 return current_check_access_socket(soc 186 return current_check_access_socket(sock, address, addrlen, 187 LAN 187 LANDLOCK_ACCESS_NET_CONNECT_TCP); 188 } 188 } 189 189 190 static struct security_hook_list landlock_hook 190 static struct security_hook_list landlock_hooks[] __ro_after_init = { 191 LSM_HOOK_INIT(socket_bind, hook_socket 191 LSM_HOOK_INIT(socket_bind, hook_socket_bind), 192 LSM_HOOK_INIT(socket_connect, hook_soc 192 LSM_HOOK_INIT(socket_connect, hook_socket_connect), 193 }; 193 }; 194 194 195 __init void landlock_add_net_hooks(void) 195 __init void landlock_add_net_hooks(void) 196 { 196 { 197 security_add_hooks(landlock_hooks, ARR 197 security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), 198 &landlock_lsmid); 198 &landlock_lsmid); 199 } 199 } 200 200
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.