Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2/*
3 * Landlock - User space API
4 *
5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6 * Copyright © 2018-2020 ANSSI
7 * Copyright © 2021-2025 Microsoft Corporation
8 */
9
10#ifndef _UAPI_LINUX_LANDLOCK_H
11#define _UAPI_LINUX_LANDLOCK_H
12
13#include <linux/types.h>
14
15/**
16 * struct landlock_ruleset_attr - Ruleset definition.
17 *
18 * Argument of sys_landlock_create_ruleset().
19 *
20 * This structure defines a set of *handled access rights*, a set of actions on
21 * different object types, which should be denied by default when the ruleset is
22 * enacted. Vice versa, access rights that are not specifically listed here are
23 * not going to be denied by this ruleset when it is enacted.
24 *
25 * For historical reasons, the %LANDLOCK_ACCESS_FS_REFER right is always denied
26 * by default, even when its bit is not set in @handled_access_fs. In order to
27 * add new rules with this access right, the bit must still be set explicitly
28 * (cf. `Filesystem flags`_).
29 *
30 * The explicit listing of *handled access rights* is required for backwards
31 * compatibility reasons. In most use cases, processes that use Landlock will
32 * *handle* a wide range or all access rights that they know about at build time
33 * (and that they have tested with a kernel that supported them all).
34 *
35 * This structure can grow in future Landlock versions.
36 */
37struct landlock_ruleset_attr {
38 /**
39 * @handled_access_fs: Bitmask of handled filesystem actions
40 * (cf. `Filesystem flags`_).
41 */
42 __u64 handled_access_fs;
43 /**
44 * @handled_access_net: Bitmask of handled network actions (cf. `Network
45 * flags`_).
46 */
47 __u64 handled_access_net;
48 /**
49 * @scoped: Bitmask of scopes (cf. `Scope flags`_)
50 * restricting a Landlock domain from accessing outside
51 * resources (e.g. IPCs).
52 */
53 __u64 scoped;
54};
55
56/**
57 * DOC: landlock_create_ruleset_flags
58 *
59 * **Flags**
60 *
61 * %LANDLOCK_CREATE_RULESET_VERSION
62 * Get the highest supported Landlock ABI version (starting at 1).
63 *
64 * %LANDLOCK_CREATE_RULESET_ERRATA
65 * Get a bitmask of fixed issues for the current Landlock ABI version.
66 */
67/* clang-format off */
68#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
69#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
70/* clang-format on */
71
72/**
73 * DOC: landlock_restrict_self_flags
74 *
75 * **Flags**
76 *
77 * By default, denied accesses originating from programs that sandbox themselves
78 * are logged via the audit subsystem. Such events typically indicate unexpected
79 * behavior, such as bugs or exploitation attempts. However, to avoid excessive
80 * logging, access requests denied by a domain not created by the originating
81 * program are not logged by default. The rationale is that programs should know
82 * their own behavior, but not necessarily the behavior of other programs. This
83 * default configuration is suitable for most programs that sandbox themselves.
84 * For specific use cases, the following flags allow programs to modify this
85 * default logging behavior.
86 *
87 * The %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
88 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flags apply to the newly created
89 * Landlock domain.
90 *
91 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
92 * Disables logging of denied accesses originating from the thread creating
93 * the Landlock domain, as well as its children, as long as they continue
94 * running the same executable code (i.e., without an intervening
95 * :manpage:`execve(2)` call). This is intended for programs that execute
96 * unknown code without invoking :manpage:`execve(2)`, such as script
97 * interpreters. Programs that only sandbox themselves should not set this
98 * flag, so users can be notified of unauthorized access attempts via system
99 * logs.
100 *
101 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
102 * Enables logging of denied accesses after an :manpage:`execve(2)` call,
103 * providing visibility into unauthorized access attempts by newly executed
104 * programs within the created Landlock domain. This flag is recommended
105 * only when all potential executables in the domain are expected to comply
106 * with the access restrictions, as excessive audit log entries could make
107 * it more difficult to identify critical events.
108 *
109 * %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
110 * Disables logging of denied accesses originating from nested Landlock
111 * domains created by the caller or its descendants. This flag should be set
112 * according to runtime configuration, not hardcoded, to avoid suppressing
113 * important security events. It is useful for container runtimes or
114 * sandboxing tools that may launch programs which themselves create
115 * Landlock domains and could otherwise generate excessive logs. Unlike
116 * ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects
117 * future nested domains, not the one being created. It can also be used
118 * with a @ruleset_fd value of -1 to mute subdomain logs without creating a
119 * domain.
120 *
121 * The following flag supports policy enforcement in multithreaded processes:
122 *
123 * %LANDLOCK_RESTRICT_SELF_TSYNC
124 * Applies the new Landlock configuration atomically to all threads of the
125 * current process, including the Landlock domain and logging
126 * configuration. This overrides the Landlock configuration of sibling
127 * threads, irrespective of previously established Landlock domains and
128 * logging configurations on these threads.
129 *
130 * If the calling thread is running with no_new_privs, this operation
131 * enables no_new_privs on the sibling threads as well.
132 */
133/* clang-format off */
134#define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF (1U << 0)
135#define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON (1U << 1)
136#define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2)
137#define LANDLOCK_RESTRICT_SELF_TSYNC (1U << 3)
138/* clang-format on */
139
140/**
141 * enum landlock_rule_type - Landlock rule type
142 *
143 * Argument of sys_landlock_add_rule().
144 */
145enum landlock_rule_type {
146 /**
147 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
148 * landlock_path_beneath_attr .
149 */
150 LANDLOCK_RULE_PATH_BENEATH = 1,
151 /**
152 * @LANDLOCK_RULE_NET_PORT: Type of a &struct
153 * landlock_net_port_attr .
154 */
155 LANDLOCK_RULE_NET_PORT,
156};
157
158/**
159 * struct landlock_path_beneath_attr - Path hierarchy definition
160 *
161 * Argument of sys_landlock_add_rule().
162 */
163struct landlock_path_beneath_attr {
164 /**
165 * @allowed_access: Bitmask of allowed actions for this file hierarchy
166 * (cf. `Filesystem flags`_).
167 */
168 __u64 allowed_access;
169 /**
170 * @parent_fd: File descriptor, preferably opened with ``O_PATH``,
171 * which identifies the parent directory of a file hierarchy, or just a
172 * file.
173 */
174 __s32 parent_fd;
175 /*
176 * This struct is packed to avoid trailing reserved members.
177 * Cf. security/landlock/syscalls.c:build_check_abi()
178 */
179} __attribute__((packed));
180
181/**
182 * struct landlock_net_port_attr - Network port definition
183 *
184 * Argument of sys_landlock_add_rule().
185 */
186struct landlock_net_port_attr {
187 /**
188 * @allowed_access: Bitmask of allowed network actions for a port
189 * (cf. `Network flags`_).
190 */
191 __u64 allowed_access;
192 /**
193 * @port: Network port in host endianness.
194 *
195 * It should be noted that port 0 passed to :manpage:`bind(2)` will bind
196 * to an available port from the ephemeral port range. This can be
197 * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
198 * (also used for IPv6), and within that range, on a per-socket basis
199 * with ``setsockopt(IP_LOCAL_PORT_RANGE)``.
200 *
201 * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP
202 * right means that requesting to bind on port 0 is allowed and it will
203 * automatically translate to binding on a kernel-assigned ephemeral
204 * port.
205 */
206 __u64 port;
207};
208
209/**
210 * DOC: fs_access
211 *
212 * A set of actions on kernel objects may be defined by an attribute (e.g.
213 * &struct landlock_path_beneath_attr) including a bitmask of access.
214 *
215 * Filesystem flags
216 * ~~~~~~~~~~~~~~~~
217 *
218 * These flags enable to restrict a sandboxed process to a set of actions on
219 * files and directories. Files or directories opened before the sandboxing
220 * are not subject to these restrictions.
221 *
222 * The following access rights apply only to files:
223 *
224 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
225 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When
226 * opening files for writing, you will often additionally need the
227 * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls
228 * truncate existing files when overwriting them (e.g., :manpage:`creat(2)`).
229 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
230 * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`,
231 * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
232 * ``O_TRUNC``. This access right is available since the third version of the
233 * Landlock ABI.
234 * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened
235 * character or block device.
236 *
237 * This access right applies to all `ioctl(2)` commands implemented by device
238 * drivers. However, the following common IOCTL commands continue to be
239 * invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right:
240 *
241 * * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),
242 * * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),
243 * * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
244 * ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)
245 * * Some IOCTL commands which do not make sense when used with devices, but
246 * whose implementations are safe and return the right error codes
247 * (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)
248 *
249 * This access right is available since the fifth version of the Landlock
250 * ABI.
251 *
252 * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
253 * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
254 * read and write permissions are checked during :manpage:`open(2)` using
255 * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE.
256 *
257 * A directory can receive access rights related to files or directories. The
258 * following access right is applied to the directory itself, and the
259 * directories beneath it:
260 *
261 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
262 *
263 * However, the following access rights only apply to the content of a
264 * directory, not the directory itself:
265 *
266 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
267 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
268 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
269 * device.
270 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
271 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
272 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
273 * socket.
274 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
275 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
276 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
277 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
278 * directory (i.e. reparent a file hierarchy).
279 *
280 * This access right is available since the second version of the Landlock
281 * ABI.
282 *
283 * This is the only access right which is denied by default by any ruleset,
284 * even if the right is not specified as handled at ruleset creation time.
285 * The only way to make a ruleset grant this right is to explicitly allow it
286 * for a specific directory by adding a matching rule to the ruleset.
287 *
288 * In particular, when using the first Landlock ABI version, Landlock will
289 * always deny attempts to reparent files between different directories.
290 *
291 * In addition to the source and destination directories having the
292 * %LANDLOCK_ACCESS_FS_REFER access right, the attempted link or rename
293 * operation must meet the following constraints:
294 *
295 * * The reparented file may not gain more access rights in the destination
296 * directory than it previously had in the source directory. If this is
297 * attempted, the operation results in an ``EXDEV`` error.
298 *
299 * * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
300 * respective file type must be granted for the destination directory.
301 * Otherwise, the operation results in an ``EACCES`` error.
302 *
303 * * When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
304 * respective file type must be granted for the source directory. Otherwise,
305 * the operation results in an ``EACCES`` error.
306 *
307 * If multiple requirements are not met, the ``EACCES`` error code takes
308 * precedence over ``EXDEV``.
309 *
310 * .. warning::
311 *
312 * It is currently not possible to restrict some file-related actions
313 * accessible through these syscall families: :manpage:`chdir(2)`,
314 * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
315 * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
316 * :manpage:`fcntl(2)`, :manpage:`access(2)`.
317 * Future Landlock evolutions will enable to restrict them.
318 */
319/* clang-format off */
320#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
321#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
322#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
323#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
324#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
325#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
326#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
327#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
328#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
329#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
330#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
331#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
332#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
333#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
334#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
335#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
336/* clang-format on */
337
338/**
339 * DOC: net_access
340 *
341 * Network flags
342 * ~~~~~~~~~~~~~~~~
343 *
344 * These flags enable to restrict a sandboxed process to a set of network
345 * actions.
346 *
347 * The following access rights apply to TCP port numbers:
348 *
349 * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind TCP sockets to the given local
350 * port. Support added in Landlock ABI version 4.
351 * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect TCP sockets to the given
352 * remote port. Support added in Landlock ABI version 4.
353 */
354/* clang-format off */
355#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
356#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
357/* clang-format on */
358
359/**
360 * DOC: scope
361 *
362 * Scope flags
363 * ~~~~~~~~~~~
364 *
365 * These flags enable to isolate a sandboxed process from a set of IPC actions.
366 * Setting a flag for a ruleset will isolate the Landlock domain to forbid
367 * connections to resources outside the domain.
368 *
369 * This is supported since Landlock ABI version 6.
370 *
371 * Scopes:
372 *
373 * - %LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process from
374 * connecting to an abstract UNIX socket created by a process outside the
375 * related Landlock domain (e.g., a parent domain or a non-sandboxed process).
376 * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal
377 * to another process outside the domain.
378 */
379/* clang-format off */
380#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
381#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
382/* clang-format on*/
383
384#endif /* _UAPI_LINUX_LANDLOCK_H */