1 // SPDX-License-Identifier: GPL-2.0-only 1 2 /* 3 * Landlock LSM - Network management and hooks 4 * 5 * Copyright © 2022-2023 Huawei Tech. Co., Lt 6 * Copyright © 2022-2023 Microsoft Corporatio 7 */ 8 9 #include <linux/in.h> 10 #include <linux/net.h> 11 #include <linux/socket.h> 12 #include <net/ipv6.h> 13 14 #include "common.h" 15 #include "cred.h" 16 #include "limits.h" 17 #include "net.h" 18 #include "ruleset.h" 19 20 int landlock_append_net_rule(struct landlock_r 21 const u16 port, a 22 { 23 int err; 24 const struct landlock_id id = { 25 .key.data = (__force uintptr_t 26 .type = LANDLOCK_KEY_NET_PORT, 27 }; 28 29 BUILD_BUG_ON(sizeof(port) > sizeof(id. 30 31 /* Transforms relative access rights t 32 access_rights |= LANDLOCK_MASK_ACCESS_ 33 ~landlock_get_net_acc 34 35 mutex_lock(&ruleset->lock); 36 err = landlock_insert_rule(ruleset, id 37 mutex_unlock(&ruleset->lock); 38 39 return err; 40 } 41 42 static access_mask_t 43 get_raw_handled_net_accesses(const struct land 44 { 45 access_mask_t access_dom = 0; 46 size_t layer_level; 47 48 for (layer_level = 0; layer_level < do 49 access_dom |= landlock_get_net 50 return access_dom; 51 } 52 53 static const struct landlock_ruleset *get_curr 54 { 55 const struct landlock_ruleset *const d 56 landlock_get_current_domain(); 57 58 if (!dom || !get_raw_handled_net_acces 59 return NULL; 60 61 return dom; 62 } 63 64 static int current_check_access_socket(struct 65 struct 66 const i 67 access_ 68 { 69 __be16 port; 70 layer_mask_t layer_masks[LANDLOCK_NUM_ 71 const struct landlock_rule *rule; 72 struct landlock_id id = { 73 .type = LANDLOCK_KEY_NET_PORT, 74 }; 75 const struct landlock_ruleset *const d 76 77 if (!dom) 78 return 0; 79 if (WARN_ON_ONCE(dom->num_layers < 1)) 80 return -EACCES; 81 82 /* Checks if it's a (potential) TCP so 83 if (sock->type != SOCK_STREAM) 84 return 0; 85 86 /* Checks for minimal header length to 87 if (addrlen < offsetofend(typeof(*addr 88 return -EINVAL; 89 90 switch (address->sa_family) { 91 case 
AF_UNSPEC: 92 case AF_INET: 93 if (addrlen < sizeof(struct so 94 return -EINVAL; 95 port = ((struct sockaddr_in *) 96 break; 97 98 #if IS_ENABLED(CONFIG_IPV6) 99 case AF_INET6: 100 if (addrlen < SIN6_LEN_RFC2133 101 return -EINVAL; 102 port = ((struct sockaddr_in6 * 103 break; 104 #endif /* IS_ENABLED(CONFIG_IPV6) */ 105 106 default: 107 return 0; 108 } 109 110 /* Specific AF_UNSPEC handling. */ 111 if (address->sa_family == AF_UNSPEC) { 112 /* 113 * Connecting to an address wi 114 * association, which have the 115 * connection while retaining 116 * descriptor). As for droppi 117 * connections is always allow 118 * 119 * For a TCP access control sy 120 * Let the network stack handl 121 * return -EINVAL if needed. 122 */ 123 if (access_request == LANDLOCK 124 return 0; 125 126 /* 127 * For compatibility reason, a 128 * accesses (mapped to AF_INET 129 * INADDR_ANY (cf. __inet_bind 130 * required to not wrongfully 131 * -EAFNOSUPPORT. 132 * 133 * We could return 0 and let t 134 * checks, but it is safer to 135 * consistency thanks to kself 136 */ 137 if (access_request == LANDLOCK 138 /* addrlen has already 139 const struct sockaddr_ 140 (struct sockad 141 142 if (sock->sk->__sk_com 143 return -EINVAL 144 145 if (sockaddr->sin_addr 146 return -EAFNOS 147 } 148 } else { 149 /* 150 * Checks sa_family consistenc 151 * -EACCES instead of -EINVAL. 152 * only (from AF_INET or AF_IN 153 * 154 * We could return 0 and let t 155 * check, but it is safer to r 156 * consistency thanks to kself 157 */ 158 if (address->sa_family != sock 159 return -EINVAL; 160 } 161 162 id.key.data = (__force uintptr_t)port; 163 BUILD_BUG_ON(sizeof(port) > sizeof(id. 
164 165 rule = landlock_find_rule(dom, id); 166 access_request = landlock_init_layer_m 167 dom, access_request, &layer_ma 168 if (landlock_unmask_layers(rule, acces 169 ARRAY_SIZE( 170 return 0; 171 172 return -EACCES; 173 } 174 175 static int hook_socket_bind(struct socket *con 176 struct sockaddr *c 177 { 178 return current_check_access_socket(soc 179 LAN 180 } 181 182 static int hook_socket_connect(struct socket * 183 struct sockaddr 184 const int addrl 185 { 186 return current_check_access_socket(soc 187 LAN 188 } 189 190 static struct security_hook_list landlock_hook 191 LSM_HOOK_INIT(socket_bind, hook_socket 192 LSM_HOOK_INIT(socket_connect, hook_soc 193 }; 194 195 __init void landlock_add_net_hooks(void) 196 { 197 security_add_hooks(landlock_hooks, ARR 198 &landlock_lsmid); 199 } 200