Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'landlock-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

Pull landlock updates from Mickaël Salaün:
"This simplifies code and improves documentation"

* tag 'landlock-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
landlock: Various documentation improvements
landlock: Clarify documentation for struct landlock_ruleset_attr
landlock: Use bit-fields for storing handled layer access masks

+56 -59
+1 -1
Documentation/userspace-api/landlock.rst
··· 8 8 ===================================== 9 9 10 10 :Author: Mickaël Salaün 11 - :Date: April 2024 11 + :Date: July 2024 12 12 13 13 The goal of Landlock is to enable to restrict ambient rights (e.g. global 14 14 filesystem or network access) for a set of processes. Because Landlock
+37 -29
include/uapi/linux/landlock.h
··· 12 12 #include <linux/types.h> 13 13 14 14 /** 15 - * struct landlock_ruleset_attr - Ruleset definition 15 + * struct landlock_ruleset_attr - Ruleset definition. 16 16 * 17 - * Argument of sys_landlock_create_ruleset(). This structure can grow in 18 - * future versions. 17 + * Argument of sys_landlock_create_ruleset(). 18 + * 19 + * This structure defines a set of *handled access rights*, a set of actions on 20 + * different object types, which should be denied by default when the ruleset is 21 + * enacted. Vice versa, access rights that are not specifically listed here are 22 + * not going to be denied by this ruleset when it is enacted. 23 + * 24 + * For historical reasons, the %LANDLOCK_ACCESS_FS_REFER right is always denied 25 + * by default, even when its bit is not set in @handled_access_fs. In order to 26 + * add new rules with this access right, the bit must still be set explicitly 27 + * (cf. `Filesystem flags`_). 28 + * 29 + * The explicit listing of *handled access rights* is required for backwards 30 + * compatibility reasons. In most use cases, processes that use Landlock will 31 + * *handle* a wide range or all access rights that they know about at build time 32 + * (and that they have tested with a kernel that supported them all). 33 + * 34 + * This structure can grow in future Landlock versions. 19 35 */ 20 36 struct landlock_ruleset_attr { 21 37 /** 22 - * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_) 23 - * that is handled by this ruleset and should then be forbidden if no 24 - * rule explicitly allow them: it is a deny-by-default list that should 25 - * contain as much Landlock access rights as possible. Indeed, all 26 - * Landlock filesystem access rights that are not part of 27 - * handled_access_fs are allowed. This is needed for backward 28 - * compatibility reasons. 
One exception is the 29 - * %LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly 30 - * handled, but must still be explicitly handled to add new rules with 31 - * this access right. 38 + * @handled_access_fs: Bitmask of handled filesystem actions 39 + * (cf. `Filesystem flags`_). 32 40 */ 33 41 __u64 handled_access_fs; 34 42 /** 35 - * @handled_access_net: Bitmask of actions (cf. `Network flags`_) 36 - * that is handled by this ruleset and should then be forbidden if no 37 - * rule explicitly allow them. 43 + * @handled_access_net: Bitmask of handled network actions (cf. `Network 44 + * flags`_). 38 45 */ 39 46 __u64 handled_access_net; 40 47 }; ··· 104 97 */ 105 98 struct landlock_net_port_attr { 106 99 /** 107 - * @allowed_access: Bitmask of allowed access network for a port 100 + * @allowed_access: Bitmask of allowed network actions for a port 108 101 * (cf. `Network flags`_). 109 102 */ 110 103 __u64 allowed_access; 111 104 /** 112 105 * @port: Network port in host endianness. 113 106 * 114 - * It should be noted that port 0 passed to :manpage:`bind(2)` will 115 - * bind to an available port from a specific port range. This can be 116 - * configured thanks to the ``/proc/sys/net/ipv4/ip_local_port_range`` 117 - * sysctl (also used for IPv6). A Landlock rule with port 0 and the 118 - * ``LANDLOCK_ACCESS_NET_BIND_TCP`` right means that requesting to bind 119 - * on port 0 is allowed and it will automatically translate to binding 120 - * on the related port range. 107 + * It should be noted that port 0 passed to :manpage:`bind(2)` will bind 108 + * to an available port from the ephemeral port range. This can be 109 + * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl 110 + * (also used for IPv6). 111 + * 112 + * A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP`` 113 + * right means that requesting to bind on port 0 is allowed and it will 114 + * automatically translate to binding on the related port range. 
121 115 */ 122 116 __u64 port; 123 117 }; ··· 139 131 * The following access rights apply only to files: 140 132 * 141 133 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. 142 - * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that 143 - * you might additionally need the %LANDLOCK_ACCESS_FS_TRUNCATE right in order 144 - * to overwrite files with :manpage:`open(2)` using ``O_TRUNC`` or 145 - * :manpage:`creat(2)`. 134 + * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When 135 + * opening files for writing, you will often additionally need the 136 + * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls 137 + * truncate existing files when overwriting them (e.g., :manpage:`creat(2)`). 146 138 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. 147 139 * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, 148 140 * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with ··· 264 256 * These flags enable to restrict a sandboxed process to a set of network 265 257 * actions. This is supported since the Landlock ABI version 4. 266 258 * 267 - * TCP sockets with allowed actions: 259 + * The following access rights apply to TCP port numbers: 268 260 * 269 261 * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port. 270 262 * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to
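Review bot: In the rewritten struct landlock_ruleset_attr comment, "*handle* a wide range or all access rights that they know about at build time" reads awkwardly; suggest "*handle* a wide range of, or all, access rights that they know about at build time". The sentence beginning "Vice versa, access rights that are not specifically listed here are not going to be denied" would also read more naturally as "Conversely, access rights that are not listed here are not denied by this ruleset when it is enacted." The %LANDLOCK_ACCESS_FS_REFER paragraph is otherwise a clear improvement over the old "implicitly handled" wording, since it states both halves (always denied by default, bit still required to add rules).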
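Review bot: The reworded %LANDLOCK_ACCESS_FS_WRITE_FILE bullet leaves "these system calls" without an antecedent: the old text named :manpage:`open(2)` with ``O_TRUNC`` and :manpage:`creat(2)` explicitly, while the new text only gives :manpage:`creat(2)` as an example. Suggest restoring the concrete list, e.g. "When opening files for writing, you will often additionally need the %LANDLOCK_ACCESS_FS_TRUNCATE right, because :manpage:`open(2)` with ``O_TRUNC`` and :manpage:`creat(2)` truncate existing files when overwriting them." That keeps the bullet consistent with the %LANDLOCK_ACCESS_FS_TRUNCATE entry just below it, which still lists both calls.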
-2
security/landlock/limits.h
··· 21 21 #define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL_DEV 22 22 #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1) 23 23 #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS) 24 - #define LANDLOCK_SHIFT_ACCESS_FS 0 25 24 26 25 #define LANDLOCK_LAST_ACCESS_NET LANDLOCK_ACCESS_NET_CONNECT_TCP 27 26 #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1) 28 27 #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET) 29 - #define LANDLOCK_SHIFT_ACCESS_NET LANDLOCK_NUM_ACCESS_FS 30 28 31 29 /* clang-format on */ 32 30
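Review bot: Dropping LANDLOCK_SHIFT_ACCESS_FS and LANDLOCK_SHIFT_ACCESS_NET is only safe if every user goes away in the same change. The users visible in this series (the BUILD_BUG_ON in ruleset.c and the shift-and-mask arithmetic in ruleset.h) are removed here, so a final grep for LANDLOCK_SHIFT_ACCESS across security/landlock/ (including any KUnit or selftest code) should confirm nothing else references them before merging.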
-4
security/landlock/ruleset.c
··· 169 169 .num_rules = ~0, 170 170 .num_layers = ~0, 171 171 }; 172 - typeof(ruleset.access_masks[0]) access_masks = ~0; 173 172 174 173 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); 175 174 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); 176 - BUILD_BUG_ON(access_masks < 177 - ((LANDLOCK_MASK_ACCESS_FS << LANDLOCK_SHIFT_ACCESS_FS) | 178 - (LANDLOCK_MASK_ACCESS_NET << LANDLOCK_SHIFT_ACCESS_NET))); 179 175 } 180 176 181 177 /**
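Review bot: The removed BUILD_BUG_ON was the only compile-time check that the per-layer access-mask storage can hold both LANDLOCK_MASK_ACCESS_FS and LANDLOCK_MASK_ACCESS_NET, and nothing is added in its place. With the new bit-fields sized by LANDLOCK_NUM_ACCESS_FS and LANDLOCK_NUM_ACCESS_NET the compiler rejects a bit-field wider than its underlying type, so the guarantee still holds, but the reasoning is now implicit; a short comment here (or next to struct access_masks) explaining that the widths carry the check would help the next person who adds an access right and wonders why the assertion disappeared.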
+9 -15
security/landlock/ruleset.h
··· 39 39 static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); 40 40 41 41 /* Ruleset access masks. */ 42 - typedef u32 access_masks_t; 43 - /* Makes sure all ruleset access rights can be stored. */ 44 - static_assert(BITS_PER_TYPE(access_masks_t) >= 45 - LANDLOCK_NUM_ACCESS_FS + LANDLOCK_NUM_ACCESS_NET); 42 + struct access_masks { 43 + access_mask_t fs : LANDLOCK_NUM_ACCESS_FS; 44 + access_mask_t net : LANDLOCK_NUM_ACCESS_NET; 45 + }; 46 46 47 47 typedef u16 layer_mask_t; 48 48 /* Makes sure all layers can be checked. */ ··· 226 226 * layers are set once and never changed for the 227 227 * lifetime of the ruleset. 228 228 */ 229 - access_masks_t access_masks[]; 229 + struct access_masks access_masks[]; 230 230 }; 231 231 }; 232 232 }; ··· 265 265 266 266 /* Should already be checked in sys_landlock_create_ruleset(). */ 267 267 WARN_ON_ONCE(fs_access_mask != fs_mask); 268 - ruleset->access_masks[layer_level] |= 269 - (fs_mask << LANDLOCK_SHIFT_ACCESS_FS); 268 + ruleset->access_masks[layer_level].fs |= fs_mask; 270 269 } 271 270 272 271 static inline void ··· 277 278 278 279 /* Should already be checked in sys_landlock_create_ruleset(). 
*/ 279 280 WARN_ON_ONCE(net_access_mask != net_mask); 280 - ruleset->access_masks[layer_level] |= 281 - (net_mask << LANDLOCK_SHIFT_ACCESS_NET); 281 + ruleset->access_masks[layer_level].net |= net_mask; 282 282 } 283 283 284 284 static inline access_mask_t 285 285 landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset, 286 286 const u16 layer_level) 287 287 { 288 - return (ruleset->access_masks[layer_level] >> 289 - LANDLOCK_SHIFT_ACCESS_FS) & 290 - LANDLOCK_MASK_ACCESS_FS; 288 + return ruleset->access_masks[layer_level].fs; 291 289 } 292 290 293 291 static inline access_mask_t ··· 300 304 landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset, 301 305 const u16 layer_level) 302 306 { 303 - return (ruleset->access_masks[layer_level] >> 304 - LANDLOCK_SHIFT_ACCESS_NET) & 305 - LANDLOCK_MASK_ACCESS_NET; 307 + return ruleset->access_masks[layer_level].net; 306 308 } 307 309 308 310 bool landlock_unmask_layers(const struct landlock_rule *const rule,
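Review bot: struct access_masks declares both bit-fields with access_mask_t as the base type, which is fine, but the surrounding comment "Ruleset access masks." no longer says anything about how the widths are chosen. Suggest documenting that fs and net are exactly LANDLOCK_NUM_ACCESS_FS and LANDLOCK_NUM_ACCESS_NET bits wide so that every handled right fits, replacing the explanatory role of the static_assert that this hunk removes. Note also that the unchanged static_assert on line 39 (sizeof(unsigned long) >= sizeof(access_mask_t)) still applies to the base type and is unaffected by the bit-field change.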
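Review bot: Dropping the explicit `& LANDLOCK_MASK_ACCESS_FS` / `& LANDLOCK_MASK_ACCESS_NET` from landlock_get_raw_fs_access_mask() and landlock_get_net_access_mask() is correct, since reading a bit-field yields only the bits within its width. The corresponding setters, however, now rely entirely on the preceding WARN_ON_ONCE(fs_access_mask != fs_mask) and WARN_ON_ONCE(net_access_mask != net_mask) checks: any bit above the bit-field width would be silently truncated by `.fs |= fs_mask` and `.net |= net_mask`, whereas the old shifted u32 layout would at least have preserved it somewhere. A one-line comment at each `|=` stating that fs_mask/net_mask are already masked to the bit-field width would make that dependency explicit.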
+9 -8
security/landlock/syscalls.c
··· 378 378 * with the new rule. 379 379 * @rule_type: Identify the structure type pointed to by @rule_attr: 380 380 * %LANDLOCK_RULE_PATH_BENEATH or %LANDLOCK_RULE_NET_PORT. 381 - * @rule_attr: Pointer to a rule (only of type &struct 382 - * landlock_path_beneath_attr for now). 381 + * @rule_attr: Pointer to a rule (matching the @rule_type). 383 382 * @flags: Must be 0. 384 383 * 385 384 * This system call enables to define a new rule and add it to an existing ··· 389 390 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; 390 391 * - %EAFNOSUPPORT: @rule_type is %LANDLOCK_RULE_NET_PORT but TCP/IP is not 391 392 * supported by the running kernel; 392 - * - %EINVAL: @flags is not 0, or inconsistent access in the rule (i.e. 393 + * - %EINVAL: @flags is not 0; 394 + * - %EINVAL: The rule accesses are inconsistent (i.e. 393 395 * &landlock_path_beneath_attr.allowed_access or 394 - * &landlock_net_port_attr.allowed_access is not a subset of the 395 - * ruleset handled accesses), or &landlock_net_port_attr.port is 396 - * greater than 65535; 397 - * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access); 396 + * &landlock_net_port_attr.allowed_access is not a subset of the ruleset 397 + * handled accesses) 398 + * - %EINVAL: &landlock_net_port_attr.port is greater than 65535; 399 + * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access is 400 + * 0); 398 401 * - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a 399 402 * member of @rule_attr is not a file descriptor as expected; 400 403 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of 401 404 * @rule_attr is not the expected file descriptor type; 402 405 * - %EPERM: @ruleset_fd has no write access to the underlying ruleset; 403 - * - %EFAULT: @rule_attr inconsistency. 406 + * - %EFAULT: @rule_attr was not a valid address. 
404 407 */ 405 408 SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd, 406 409 const enum landlock_rule_type, rule_type,
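Review bot: Two consistency nits in the rewritten return-value list for sys_landlock_add_rule(). The second %EINVAL entry ends with "handled accesses)" and no trailing ";", while every other entry ends with ";" (line 397 in the new numbering). And the final entry "@rule_attr was not a valid address" is in the past tense while the rest of the list uses the present ("@flags is not 0", "@ruleset_fd is not a ruleset file descriptor"); suggest "@rule_attr is not a valid address." Splitting the old combined %EINVAL line into three separate entries is a clear readability win.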