2021-04-22 15:41:17 +00:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
|
|
/*
|
|
|
|
* Landlock - User space API
|
|
|
|
*
|
|
|
|
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
|
|
|
|
* Copyright © 2018-2020 ANSSI
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _UAPI_LINUX_LANDLOCK_H
|
|
|
|
#define _UAPI_LINUX_LANDLOCK_H
|
|
|
|
|
2021-04-22 15:41:18 +00:00
|
|
|
#include <linux/types.h>
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct landlock_ruleset_attr - Ruleset definition
|
|
|
|
*
|
|
|
|
* Argument of sys_landlock_create_ruleset(). This structure can grow in
|
|
|
|
* future versions.
|
|
|
|
*/
|
|
|
|
struct landlock_ruleset_attr {
|
|
|
|
/**
|
|
|
|
* @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
|
|
|
|
* that is handled by this ruleset and should then be forbidden if no
|
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers
to allow sandboxed processes to link and rename files from and to a
specific set of file hierarchies. This access right should be composed
with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename,
and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename. This
lift a Landlock limitation that always denied changing the parent of an
inode.
Renaming or linking to the same directory is still always allowed,
whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not
considered a threat to user data.
However, creating multiple links or renaming to a different parent
directory may lead to privilege escalations if not handled properly.
Indeed, we must be sure that the source doesn't gain more privileges by
being accessible from the destination. This is handled by making sure
that the source hierarchy (including the referenced file or directory
itself) restricts at least as much the destination hierarchy. If it is
not the case, an EXDEV error is returned, making it potentially possible
for user space to copy the file hierarchy instead of moving or linking
it.
Instead of creating different access rights for the source and the
destination, we choose to make it simple and consistent for users.
Indeed, considering the previous constraint, it would be weird to
require such destination access right to be also granted to the source
(to make it a superset). Moreover, RENAME_EXCHANGE would also add to
the confusion because of paths being both a source and a destination.
See the provided documentation for additional details.
New tests are provided with a following commit.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
2022-05-06 16:10:57 +00:00
|
|
|
* rule explicitly allow them: it is a deny-by-default list that should
|
|
|
|
* contain as much Landlock access rights as possible. Indeed, all
|
|
|
|
* Landlock filesystem access rights that are not part of
|
|
|
|
* handled_access_fs are allowed. This is needed for backward
|
|
|
|
* compatibility reasons. One exception is the
|
2022-09-23 15:42:07 +00:00
|
|
|
* %LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
|
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers
to allow sandboxed processes to link and rename files from and to a
specific set of file hierarchies. This access right should be composed
with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename,
and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename. This
lift a Landlock limitation that always denied changing the parent of an
inode.
Renaming or linking to the same directory is still always allowed,
whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not
considered a threat to user data.
However, creating multiple links or renaming to a different parent
directory may lead to privilege escalations if not handled properly.
Indeed, we must be sure that the source doesn't gain more privileges by
being accessible from the destination. This is handled by making sure
that the source hierarchy (including the referenced file or directory
itself) restricts at least as much the destination hierarchy. If it is
not the case, an EXDEV error is returned, making it potentially possible
for user space to copy the file hierarchy instead of moving or linking
it.
Instead of creating different access rights for the source and the
destination, we choose to make it simple and consistent for users.
Indeed, considering the previous constraint, it would be weird to
require such destination access right to be also granted to the source
(to make it a superset). Moreover, RENAME_EXCHANGE would also add to
the confusion because of paths being both a source and a destination.
See the provided documentation for additional details.
New tests are provided with a following commit.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
2022-05-06 16:10:57 +00:00
|
|
|
* handled, but must still be explicitly handled to add new rules with
|
|
|
|
* this access right.
|
2021-04-22 15:41:18 +00:00
|
|
|
*/
|
|
|
|
__u64 handled_access_fs;
|
|
|
|
};
|
|
|
|
|
2021-04-22 15:41:23 +00:00
|
|
|
/*
|
|
|
|
* sys_landlock_create_ruleset() flags:
|
|
|
|
*
|
|
|
|
* - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
|
|
|
|
* version.
|
|
|
|
*/
|
2022-05-06 16:05:07 +00:00
|
|
|
/* clang-format off */
|
2021-04-22 15:41:23 +00:00
|
|
|
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
|
2022-05-06 16:05:07 +00:00
|
|
|
/* clang-format on */
|
2021-04-22 15:41:23 +00:00
|
|
|
|
2021-04-22 15:41:18 +00:00
|
|
|
/**
|
|
|
|
* enum landlock_rule_type - Landlock rule type
|
|
|
|
*
|
|
|
|
* Argument of sys_landlock_add_rule().
|
|
|
|
*/
|
|
|
|
enum landlock_rule_type {
|
|
|
|
/**
|
|
|
|
* @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
|
|
|
|
* landlock_path_beneath_attr .
|
|
|
|
*/
|
|
|
|
LANDLOCK_RULE_PATH_BENEATH = 1,
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct landlock_path_beneath_attr - Path hierarchy definition
|
|
|
|
*
|
|
|
|
* Argument of sys_landlock_add_rule().
|
|
|
|
*/
|
|
|
|
struct landlock_path_beneath_attr {
|
|
|
|
/**
|
|
|
|
* @allowed_access: Bitmask of allowed actions for this file hierarchy
|
|
|
|
* (cf. `Filesystem flags`_).
|
|
|
|
*/
|
|
|
|
__u64 allowed_access;
|
|
|
|
/**
|
2022-05-06 16:08:11 +00:00
|
|
|
* @parent_fd: File descriptor, preferably opened with ``O_PATH``,
|
|
|
|
* which identifies the parent directory of a file hierarchy, or just a
|
|
|
|
* file.
|
2021-04-22 15:41:18 +00:00
|
|
|
*/
|
|
|
|
__s32 parent_fd;
|
|
|
|
/*
|
|
|
|
* This struct is packed to avoid trailing reserved members.
|
|
|
|
* Cf. security/landlock/syscalls.c:build_check_abi()
|
|
|
|
*/
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
2021-04-22 15:41:17 +00:00
|
|
|
/**
|
|
|
|
* DOC: fs_access
|
|
|
|
*
|
|
|
|
* A set of actions on kernel objects may be defined by an attribute (e.g.
|
|
|
|
* &struct landlock_path_beneath_attr) including a bitmask of access.
|
|
|
|
*
|
|
|
|
* Filesystem flags
|
|
|
|
* ~~~~~~~~~~~~~~~~
|
|
|
|
*
|
|
|
|
* These flags enable to restrict a sandboxed process to a set of actions on
|
|
|
|
* files and directories. Files or directories opened before the sandboxing
|
|
|
|
* are not subject to these restrictions.
|
|
|
|
*
|
|
|
|
* A file can only receive these access rights:
|
|
|
|
*
|
|
|
|
* - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
|
2022-10-18 18:22:09 +00:00
|
|
|
* - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that
|
|
|
|
* you might additionally need the %LANDLOCK_ACCESS_FS_TRUNCATE right in order
|
|
|
|
* to overwrite files with :manpage:`open(2)` using ``O_TRUNC`` or
|
|
|
|
* :manpage:`creat(2)`.
|
2021-04-22 15:41:17 +00:00
|
|
|
* - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
|
2022-10-18 18:22:09 +00:00
|
|
|
* - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`,
|
|
|
|
* :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
|
|
|
|
* ``O_TRUNC``. Whether an opened file can be truncated with
|
|
|
|
* :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the
|
|
|
|
* same way as read and write permissions are checked during
|
|
|
|
* :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and
|
|
|
|
* %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the
|
|
|
|
* third version of the Landlock ABI.
|
2021-04-22 15:41:17 +00:00
|
|
|
*
|
|
|
|
* A directory can receive access rights related to files or directories. The
|
|
|
|
* following access right is applied to the directory itself, and the
|
|
|
|
* directories beneath it:
|
|
|
|
*
|
|
|
|
* - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
|
|
|
|
*
|
|
|
|
* However, the following access rights only apply to the content of a
|
|
|
|
* directory, not the directory itself:
|
|
|
|
*
|
|
|
|
* - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
|
|
|
|
* device.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
|
|
|
|
* socket.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
|
|
|
|
* - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
|
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers
to allow sandboxed processes to link and rename files from and to a
specific set of file hierarchies. This access right should be composed
with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename,
and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename. This
lift a Landlock limitation that always denied changing the parent of an
inode.
Renaming or linking to the same directory is still always allowed,
whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not
considered a threat to user data.
However, creating multiple links or renaming to a different parent
directory may lead to privilege escalations if not handled properly.
Indeed, we must be sure that the source doesn't gain more privileges by
being accessible from the destination. This is handled by making sure
that the source hierarchy (including the referenced file or directory
itself) restricts at least as much the destination hierarchy. If it is
not the case, an EXDEV error is returned, making it potentially possible
for user space to copy the file hierarchy instead of moving or linking
it.
Instead of creating different access rights for the source and the
destination, we choose to make it simple and consistent for users.
Indeed, considering the previous constraint, it would be weird to
require such destination access right to be also granted to the source
(to make it a superset). Moreover, RENAME_EXCHANGE would also add to
the confusion because of paths being both a source and a destination.
See the provided documentation for additional details.
New tests are provided with a following commit.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
2022-05-06 16:10:57 +00:00
|
|
|
* - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
|
2023-02-21 16:52:05 +00:00
|
|
|
* directory (i.e. reparent a file hierarchy).
|
|
|
|
*
|
|
|
|
* This access right is available since the second version of the Landlock
|
|
|
|
* ABI.
|
|
|
|
*
|
|
|
|
* This is the only access right which is denied by default by any ruleset,
|
|
|
|
* even if the right is not specified as handled at ruleset creation time.
|
|
|
|
* The only way to make a ruleset grant this right is to explicitly allow it
|
|
|
|
* for a specific directory by adding a matching rule to the ruleset.
|
|
|
|
*
|
|
|
|
* In particular, when using the first Landlock ABI version, Landlock will
|
|
|
|
* always deny attempts to reparent files between different directories.
|
|
|
|
*
|
|
|
|
* In addition to the source and destination directories having the
|
|
|
|
* %LANDLOCK_ACCESS_FS_REFER access right, the attempted link or rename
|
|
|
|
* operation must meet the following constraints:
|
|
|
|
*
|
|
|
|
* * The reparented file may not gain more access rights in the destination
|
|
|
|
* directory than it previously had in the source directory. If this is
|
|
|
|
* attempted, the operation results in an ``EXDEV`` error.
|
|
|
|
*
|
|
|
|
* * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
|
|
|
|
* respective file type must be granted for the destination directory.
|
|
|
|
* Otherwise, the operation results in an ``EACCES`` error.
|
|
|
|
*
|
|
|
|
* * When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
|
|
|
|
* respective file type must be granted for the source directory. Otherwise,
|
|
|
|
* the operation results in an ``EACCES`` error.
|
|
|
|
*
|
|
|
|
* If multiple requirements are not met, the ``EACCES`` error code takes
|
|
|
|
* precedence over ``EXDEV``.
|
2021-04-22 15:41:17 +00:00
|
|
|
*
|
|
|
|
* .. warning::
|
|
|
|
*
|
|
|
|
* It is currently not possible to restrict some file-related actions
|
|
|
|
* accessible through these syscall families: :manpage:`chdir(2)`,
|
2022-10-18 18:22:09 +00:00
|
|
|
* :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
|
|
|
|
* :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
|
|
|
|
* :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`.
|
2021-04-22 15:41:17 +00:00
|
|
|
* Future Landlock evolutions will enable to restrict them.
|
|
|
|
*/
|
2022-05-06 16:05:07 +00:00
|
|
|
/* clang-format off */
|
2021-04-22 15:41:17 +00:00
|
|
|
#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
|
|
|
|
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
|
|
|
|
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
|
|
|
|
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
|
|
|
|
#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
|
|
|
|
#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
|
|
|
|
#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
|
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers
to allow sandboxed processes to link and rename files from and to a
specific set of file hierarchies. This access right should be composed
with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename,
and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename. This
lift a Landlock limitation that always denied changing the parent of an
inode.
Renaming or linking to the same directory is still always allowed,
whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not
considered a threat to user data.
However, creating multiple links or renaming to a different parent
directory may lead to privilege escalations if not handled properly.
Indeed, we must be sure that the source doesn't gain more privileges by
being accessible from the destination. This is handled by making sure
that the source hierarchy (including the referenced file or directory
itself) restricts at least as much the destination hierarchy. If it is
not the case, an EXDEV error is returned, making it potentially possible
for user space to copy the file hierarchy instead of moving or linking
it.
Instead of creating different access rights for the source and the
destination, we choose to make it simple and consistent for users.
Indeed, considering the previous constraint, it would be weird to
require such destination access right to be also granted to the source
(to make it a superset). Moreover, RENAME_EXCHANGE would also add to
the confusion because of paths being both a source and a destination.
See the provided documentation for additional details.
New tests are provided with a following commit.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
2022-05-06 16:10:57 +00:00
|
|
|
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
|
2022-10-18 18:22:09 +00:00
|
|
|
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
|
2022-05-06 16:05:07 +00:00
|
|
|
/* clang-format on */
|
2021-04-22 15:41:17 +00:00
|
|
|
|
|
|
|
#endif /* _UAPI_LINUX_LANDLOCK_H */
|