~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/landlock/net.c

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/landlock/net.c (Version linux-6.12-rc7) and /security/landlock/net.c (Version linux-5.12.19)


  1 // SPDX-License-Identifier: GPL-2.0-only            1 
  2 /*                                                
  3  * Landlock LSM - Network management and hooks    
  4  *                                                
  5  * Copyright © 2022-2023 Huawei Tech. Co., Lt    
  6  * Copyright © 2022-2023 Microsoft Corporatio    
  7  */                                               
  8                                                   
  9 #include <linux/in.h>                             
 10 #include <linux/net.h>                            
 11 #include <linux/socket.h>                         
 12 #include <net/ipv6.h>                             
 13                                                   
 14 #include "common.h"                               
 15 #include "cred.h"                                 
 16 #include "limits.h"                               
 17 #include "net.h"                                  
 18 #include "ruleset.h"                              
 19                                                   
 20 int landlock_append_net_rule(struct landlock_r    
 21                              const u16 port, a    
 22 {                                                 
 23         int err;                                  
 24         const struct landlock_id id = {           
 25                 .key.data = (__force uintptr_t    
 26                 .type = LANDLOCK_KEY_NET_PORT,    
 27         };                                        
 28                                                   
 29         BUILD_BUG_ON(sizeof(port) > sizeof(id.    
 30                                                   
 31         /* Transforms relative access rights t    
 32         access_rights |= LANDLOCK_MASK_ACCESS_    
 33                          ~landlock_get_net_acc    
 34                                                   
 35         mutex_lock(&ruleset->lock);               
 36         err = landlock_insert_rule(ruleset, id    
 37         mutex_unlock(&ruleset->lock);             
 38                                                   
 39         return err;                               
 40 }                                                 
 41                                                   
 42 static access_mask_t                              
 43 get_raw_handled_net_accesses(const struct land    
 44 {                                                 
 45         access_mask_t access_dom = 0;             
 46         size_t layer_level;                       
 47                                                   
 48         for (layer_level = 0; layer_level < do    
 49                 access_dom |= landlock_get_net    
 50         return access_dom;                        
 51 }                                                 
 52                                                   
 53 static const struct landlock_ruleset *get_curr    
 54 {                                                 
 55         const struct landlock_ruleset *const d    
 56                 landlock_get_current_domain();    
 57                                                   
 58         if (!dom || !get_raw_handled_net_acces    
 59                 return NULL;                      
 60                                                   
 61         return dom;                               
 62 }                                                 
 63                                                   
 64 static int current_check_access_socket(struct     
 65                                        struct     
 66                                        const i    
 67                                        access_    
 68 {                                                 
 69         __be16 port;                              
 70         layer_mask_t layer_masks[LANDLOCK_NUM_    
 71         const struct landlock_rule *rule;         
 72         struct landlock_id id = {                 
 73                 .type = LANDLOCK_KEY_NET_PORT,    
 74         };                                        
 75         const struct landlock_ruleset *const d    
 76                                                   
 77         if (!dom)                                 
 78                 return 0;                         
 79         if (WARN_ON_ONCE(dom->num_layers < 1))    
 80                 return -EACCES;                   
 81                                                   
 82         /* Checks if it's a (potential) TCP so    
 83         if (sock->type != SOCK_STREAM)            
 84                 return 0;                         
 85                                                   
 86         /* Checks for minimal header length to    
 87         if (addrlen < offsetofend(typeof(*addr    
 88                 return -EINVAL;                   
 89                                                   
 90         switch (address->sa_family) {             
 91         case AF_UNSPEC:                           
 92         case AF_INET:                             
 93                 if (addrlen < sizeof(struct so    
 94                         return -EINVAL;           
 95                 port = ((struct sockaddr_in *)    
 96                 break;                            
 97                                                   
 98 #if IS_ENABLED(CONFIG_IPV6)                       
 99         case AF_INET6:                            
100                 if (addrlen < SIN6_LEN_RFC2133    
101                         return -EINVAL;           
102                 port = ((struct sockaddr_in6 *    
103                 break;                            
104 #endif /* IS_ENABLED(CONFIG_IPV6) */              
105                                                   
106         default:                                  
107                 return 0;                         
108         }                                         
109                                                   
110         /* Specific AF_UNSPEC handling. */        
111         if (address->sa_family == AF_UNSPEC) {    
112                 /*                                
113                  * Connecting to an address wi    
114                  * association, which have the    
115                  * connection while retaining     
116                  * descriptor).  As for droppi    
117                  * connections is always allow    
118                  *                                
119                  * For a TCP access control sy    
120                  * Let the network stack handl    
121                  * return -EINVAL if needed.      
122                  */                               
123                 if (access_request == LANDLOCK    
124                         return 0;                 
125                                                   
126                 /*                                
127                  * For compatibility reason, a    
128                  * accesses (mapped to AF_INET    
129                  * INADDR_ANY (cf. __inet_bind    
130                  * required to not wrongfully     
131                  * -EAFNOSUPPORT.                 
132                  *                                
133                  * We could return 0 and let t    
134                  * checks, but it is safer to     
135                  * consistency thanks to kself    
136                  */                               
137                 if (access_request == LANDLOCK    
138                         /* addrlen has already    
139                         const struct sockaddr_    
140                                 (struct sockad    
141                                                   
142                         if (sock->sk->__sk_com    
143                                 return -EINVAL    
144                                                   
145                         if (sockaddr->sin_addr    
146                                 return -EAFNOS    
147                 }                                 
148         } else {                                  
149                 /*                                
150                  * Checks sa_family consistenc    
151                  * -EACCES instead of -EINVAL.    
152                  * only (from AF_INET or AF_IN    
153                  *                                
154                  * We could return 0 and let t    
155                  * check, but it is safer to r    
156                  * consistency thanks to kself    
157                  */                               
158                 if (address->sa_family != sock    
159                         return -EINVAL;           
160         }                                         
161                                                   
162         id.key.data = (__force uintptr_t)port;    
163         BUILD_BUG_ON(sizeof(port) > sizeof(id.    
164                                                   
165         rule = landlock_find_rule(dom, id);       
166         access_request = landlock_init_layer_m    
167                 dom, access_request, &layer_ma    
168         if (landlock_unmask_layers(rule, acces    
169                                    ARRAY_SIZE(    
170                 return 0;                         
171                                                   
172         return -EACCES;                           
173 }                                                 
174                                                   
175 static int hook_socket_bind(struct socket *con    
176                             struct sockaddr *c    
177 {                                                 
178         return current_check_access_socket(soc    
179                                            LAN    
180 }                                                 
181                                                   
182 static int hook_socket_connect(struct socket *    
183                                struct sockaddr    
184                                const int addrl    
185 {                                                 
186         return current_check_access_socket(soc    
187                                            LAN    
188 }                                                 
189                                                   
190 static struct security_hook_list landlock_hook    
191         LSM_HOOK_INIT(socket_bind, hook_socket    
192         LSM_HOOK_INIT(socket_connect, hook_soc    
193 };                                                
194                                                   
195 __init void landlock_add_net_hooks(void)          
196 {                                                 
197         security_add_hooks(landlock_hooks, ARR    
198                            &landlock_lsmid);      
199 }                                                 
200                                                   

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php