xref: /openbmc/linux/security/landlock/ruleset.h (revision 5f2ff33e10843ef51275c8611bdb7b49537aba5d) 
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * Landlock LSM - Ruleset management
4  *
5  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2018-2020 ANSSI
7  */
8 
9 #ifndef _SECURITY_LANDLOCK_RULESET_H
10 #define _SECURITY_LANDLOCK_RULESET_H
11 
12 #include <linux/bitops.h>
13 #include <linux/build_bug.h>
14 #include <linux/mutex.h>
15 #include <linux/rbtree.h>
16 #include <linux/refcount.h>
17 #include <linux/workqueue.h>
18 
19 #include "limits.h"
20 #include "object.h"
21 
22 typedef u16 access_mask_t;
23 /* Makes sure all filesystem access rights can be stored. */
24 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
25 
26 /**
27  * struct landlock_layer - Access rights for a given layer
28  */
29 struct landlock_layer {
30 	/**
31 	 * @level: Position of this layer in the layer stack.
32 	 */
33 	u16 level;
34 	/**
35 	 * @access: Bitfield of allowed actions on the kernel object.  They are
36 	 * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
37 	 */
38 	access_mask_t access;
39 };
40 
41 /**
42  * struct landlock_rule - Access rights tied to an object
43  */
44 struct landlock_rule {
45 	/**
46 	 * @node: Node in the ruleset's red-black tree.
47 	 */
48 	struct rb_node node;
49 	/**
50 	 * @object: Pointer to identify a kernel object (e.g. an inode).  This
51 	 * is used as a key for this ruleset element.  This pointer is set once
52 	 * and never modified.  It always points to an allocated object because
53 	 * each rule increments the refcount of its object.
54 	 */
55 	struct landlock_object *object;
56 	/**
57 	 * @num_layers: Number of entries in @layers.
58 	 */
59 	u32 num_layers;
60 	/**
61 	 * @layers: Stack of layers, from the latest to the newest, implemented
62 	 * as a flexible array member (FAM).
63 	 */
64 	struct landlock_layer layers[];
65 };
66 
67 /**
68  * struct landlock_hierarchy - Node in a ruleset hierarchy
69  */
70 struct landlock_hierarchy {
71 	/**
72 	 * @parent: Pointer to the parent node, or NULL if it is a root
73 	 * Landlock domain.
74 	 */
75 	struct landlock_hierarchy *parent;
76 	/**
77 	 * @usage: Number of potential children domains plus their parent
78 	 * domain.
79 	 */
80 	refcount_t usage;
81 };
82 
83 /**
84  * struct landlock_ruleset - Landlock ruleset
85  *
86  * This data structure must contain unique entries, be updatable, and quick to
87  * match an object.
88  */
89 struct landlock_ruleset {
90 	/**
91 	 * @root: Root of a red-black tree containing &struct landlock_rule
92 	 * nodes.  Once a ruleset is tied to a process (i.e. as a domain), this
93 	 * tree is immutable until @usage reaches zero.
94 	 */
95 	struct rb_root root;
96 	/**
97 	 * @hierarchy: Enables hierarchy identification even when a parent
98 	 * domain vanishes.  This is needed for the ptrace protection.
99 	 */
100 	struct landlock_hierarchy *hierarchy;
101 	union {
102 		/**
103 		 * @work_free: Enables to free a ruleset within a lockless
104 		 * section.  This is only used by
105 		 * landlock_put_ruleset_deferred() when @usage reaches zero.
106 		 * The fields @lock, @usage, @num_rules, @num_layers and
107 		 * @fs_access_masks are then unused.
108 		 */
109 		struct work_struct work_free;
110 		struct {
111 			/**
112 			 * @lock: Protects against concurrent modifications of
113 			 * @root, if @usage is greater than zero.
114 			 */
115 			struct mutex lock;
116 			/**
117 			 * @usage: Number of processes (i.e. domains) or file
118 			 * descriptors referencing this ruleset.
119 			 */
120 			refcount_t usage;
121 			/**
122 			 * @num_rules: Number of non-overlapping (i.e. not for
123 			 * the same object) rules in this ruleset.
124 			 */
125 			u32 num_rules;
126 			/**
127 			 * @num_layers: Number of layers that are used in this
128 			 * ruleset.  This enables to check that all the layers
129 			 * allow an access request.  A value of 0 identifies a
130 			 * non-merged ruleset (i.e. not a domain).
131 			 */
132 			u32 num_layers;
133 			/**
134 			 * @fs_access_masks: Contains the subset of filesystem
135 			 * actions that are restricted by a ruleset.  A domain
136 			 * saves all layers of merged rulesets in a stack
137 			 * (FAM), starting from the first layer to the last
138 			 * one.  These layers are used when merging rulesets,
139 			 * for user space backward compatibility (i.e.
140 			 * future-proof), and to properly handle merged
141 			 * rulesets without overlapping access rights.  These
142 			 * layers are set once and never changed for the
143 			 * lifetime of the ruleset.
144 			 */
145 			access_mask_t fs_access_masks[];
146 		};
147 	};
148 };
149 
150 struct landlock_ruleset *
151 landlock_create_ruleset(const access_mask_t fs_access_mask);
152 
153 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
154 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
155 
156 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
157 			 struct landlock_object *const object,
158 			 const access_mask_t access);
159 
160 struct landlock_ruleset *
161 landlock_merge_ruleset(struct landlock_ruleset *const parent,
162 		       struct landlock_ruleset *const ruleset);
163 
164 const struct landlock_rule *
165 landlock_find_rule(const struct landlock_ruleset *const ruleset,
166 		   const struct landlock_object *const object);
167 
168 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
169 {
170 	if (ruleset)
171 		refcount_inc(&ruleset->usage);
172 }
173 
174 #endif /* _SECURITY_LANDLOCK_RULESET_H */
175