
TOMOYO Linux Cross Reference
Linux/security/landlock/net.c


Diff markup

Differences between /security/landlock/net.c (Architecture sparc64) and /security/landlock/net.c (Architecture alpha)


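--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -1,200 +1,200 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Landlock LSM - Network management and hooks
  *
  * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
  * Copyright © 2022-2023 Microsoft Corporation
  */
 
 #include <linux/in.h>
 #include <linux/net.h>
 #include <linux/socket.h>
 #include <net/ipv6.h>
 
 #include "common.h"
 #include "cred.h"
 #include "limits.h"
 #include "net.h"
 #include "ruleset.h"
 
 int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
                              const u16 port, access_mask_t access_rights)
 {
         int err;
         const struct landlock_id id = {
                 .key.data = (__force uintptr_t)htons(port),
                 .type = LANDLOCK_KEY_NET_PORT,
         };
 
         BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
 
         /* Transforms relative access rights to absolute ones. */
         access_rights |= LANDLOCK_MASK_ACCESS_NET &
                          ~landlock_get_net_access_mask(ruleset, 0);
 
         mutex_lock(&ruleset->lock);
         err = landlock_insert_rule(ruleset, id, access_rights);
         mutex_unlock(&ruleset->lock);
 
         return err;
 }
 
 static access_mask_t
 get_raw_handled_net_accesses(const struct landlock_ruleset *const domain)
 {
         access_mask_t access_dom = 0;
         size_t layer_level;
 
         for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
                 access_dom |= landlock_get_net_access_mask(domain, layer_level);
         return access_dom;
 }
 
 static const struct landlock_ruleset *get_current_net_domain(void)
 {
         const struct landlock_ruleset *const dom =
                 landlock_get_current_domain();
 
         if (!dom || !get_raw_handled_net_accesses(dom))
                 return NULL;
 
         return dom;
 }
 
 static int current_check_access_socket(struct socket *const sock,
                                        struct sockaddr *const address,
                                        const int addrlen,
                                        access_mask_t access_request)
 {
         __be16 port;
         layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
         const struct landlock_rule *rule;
         struct landlock_id id = {
                 .type = LANDLOCK_KEY_NET_PORT,
         };
         const struct landlock_ruleset *const dom = get_current_net_domain();
 
         if (!dom)
                 return 0;
         if (WARN_ON_ONCE(dom->num_layers < 1))
                 return -EACCES;
 
         /* Checks if it's a (potential) TCP socket. */
         if (sock->type != SOCK_STREAM)
                 return 0;
 
         /* Checks for minimal header length to safely read sa_family. */
         if (addrlen < offsetofend(typeof(*address), sa_family))
                 return -EINVAL;
 
         switch (address->sa_family) {
         case AF_UNSPEC:
         case AF_INET:
                 if (addrlen < sizeof(struct sockaddr_in))
                         return -EINVAL;
                 port = ((struct sockaddr_in *)address)->sin_port;
                 break;
 
 #if IS_ENABLED(CONFIG_IPV6)
         case AF_INET6:
                 if (addrlen < SIN6_LEN_RFC2133)
                         return -EINVAL;
                 port = ((struct sockaddr_in6 *)address)->sin6_port;
                 break;
 #endif /* IS_ENABLED(CONFIG_IPV6) */
 
         default:
                 return 0;
         }
 
         /* Specific AF_UNSPEC handling. */
         if (address->sa_family == AF_UNSPEC) {
                 /*
                  * Connecting to an address with AF_UNSPEC dissolves the TCP
                  * association, which have the same effect as closing the
                  * connection while retaining the socket object (i.e., the file
                  * descriptor).  As for dropping privileges, closing
                  * connections is always allowed.
                  *
                  * For a TCP access control system, this request is legitimate.
                  * Let the network stack handle potential inconsistencies and
                  * return -EINVAL if needed.
                  */
                 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
                         return 0;
 
                 /*
                  * For compatibility reason, accept AF_UNSPEC for bind
                  * accesses (mapped to AF_INET) only if the address is
                  * INADDR_ANY (cf. __inet_bind).  Checking the address is
                  * required to not wrongfully return -EACCES instead of
                  * -EAFNOSUPPORT.
                  *
                  * We could return 0 and let the network stack handle these
                  * checks, but it is safer to return a proper error and test
                  * consistency thanks to kselftest.
                  */
                 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
                         /* addrlen has already been checked for AF_UNSPEC. */
                         const struct sockaddr_in *const sockaddr =
                                 (struct sockaddr_in *)address;
 
                         if (sock->sk->__sk_common.skc_family != AF_INET)
                                 return -EINVAL;
 
                         if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
                                 return -EAFNOSUPPORT;
                 }
         } else {
                 /*
                  * Checks sa_family consistency to not wrongfully return
                  * -EACCES instead of -EINVAL.  Valid sa_family changes are
                  * only (from AF_INET or AF_INET6) to AF_UNSPEC.
                  *
                  * We could return 0 and let the network stack handle this
                  * check, but it is safer to return a proper error and test
                  * consistency thanks to kselftest.
                  */
                 if (address->sa_family != sock->sk->__sk_common.skc_family)
                         return -EINVAL;
         }
 
         id.key.data = (__force uintptr_t)port;
         BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
 
         rule = landlock_find_rule(dom, id);
         access_request = landlock_init_layer_masks(
                 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
         if (landlock_unmask_layers(rule, access_request, &layer_masks,
                                    ARRAY_SIZE(layer_masks)))
                 return 0;
 
         return -EACCES;
 }
 
 static int hook_socket_bind(struct socket *const sock,
                             struct sockaddr *const address, const int addrlen)
 {
         return current_check_access_socket(sock, address, addrlen,
                                            LANDLOCK_ACCESS_NET_BIND_TCP);
 }
 
 static int hook_socket_connect(struct socket *const sock,
                                struct sockaddr *const address,
                                const int addrlen)
 {
         return current_check_access_socket(sock, address, addrlen,
                                            LANDLOCK_ACCESS_NET_CONNECT_TCP);
 }
 
 static struct security_hook_list landlock_hooks[] __ro_after_init = {
         LSM_HOOK_INIT(socket_bind, hook_socket_bind),
         LSM_HOOK_INIT(socket_connect, hook_socket_connect),
 };
 
 __init void landlock_add_net_hooks(void)
 {
         security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
                            &landlock_lsmid);
 }
 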
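Review bot: The `sock->type != SOCK_STREAM` test in current_check_access_socket() identifies a socket by type rather than by protocol, so other stream protocols on AF_INET/AF_INET6 (MPTCP or SCTP, for example) appear to be checked against the LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP rules even though those rights are named for TCP only. If only TCP is meant to be governed, the test could be narrowed to `if (!sk_is_tcp(sock->sk)) return 0;`, with the caveat that non-TCP stream sockets would then not be restricted by these rules at all. Otherwise the "(potential) TCP socket" comment should say that every stream socket on these families is covered, so policy authors know what a ruleset actually constrains. Separately, `addrlen` is a signed `int` compared against `size_t` values (`offsetofend(...)`, `sizeof(struct sockaddr_in)`), so a negative length would convert to a large unsigned value and pass both length checks. Presumably the callers reject negative lengths before the hook runs, which deserves a one-line comment such as `/* addrlen is validated as non-negative by the caller. */` once confirmed.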
