088e2efaf3
Remove the handled_access variable in current_check_access_socket() and update access_request instead. One up-to-date variable avoids picking the wrong one. Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20240307093923.1466071-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
200 lines
5.5 KiB
C
200 lines
5.5 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Landlock LSM - Network management and hooks
|
|
*
|
|
* Copyright © 2022-2023 Huawei Tech. Co., Ltd.
|
|
* Copyright © 2022-2023 Microsoft Corporation
|
|
*/
|
|
|
|
#include <linux/in.h>
|
|
#include <linux/net.h>
|
|
#include <linux/socket.h>
|
|
#include <net/ipv6.h>
|
|
|
|
#include "common.h"
|
|
#include "cred.h"
|
|
#include "limits.h"
|
|
#include "net.h"
|
|
#include "ruleset.h"
|
|
|
|
int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
|
|
const u16 port, access_mask_t access_rights)
|
|
{
|
|
int err;
|
|
const struct landlock_id id = {
|
|
.key.data = (__force uintptr_t)htons(port),
|
|
.type = LANDLOCK_KEY_NET_PORT,
|
|
};
|
|
|
|
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
|
|
|
|
/* Transforms relative access rights to absolute ones. */
|
|
access_rights |= LANDLOCK_MASK_ACCESS_NET &
|
|
~landlock_get_net_access_mask(ruleset, 0);
|
|
|
|
mutex_lock(&ruleset->lock);
|
|
err = landlock_insert_rule(ruleset, id, access_rights);
|
|
mutex_unlock(&ruleset->lock);
|
|
|
|
return err;
|
|
}
|
|
|
|
static access_mask_t
|
|
get_raw_handled_net_accesses(const struct landlock_ruleset *const domain)
|
|
{
|
|
access_mask_t access_dom = 0;
|
|
size_t layer_level;
|
|
|
|
for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
|
|
access_dom |= landlock_get_net_access_mask(domain, layer_level);
|
|
return access_dom;
|
|
}
|
|
|
|
static const struct landlock_ruleset *get_current_net_domain(void)
|
|
{
|
|
const struct landlock_ruleset *const dom =
|
|
landlock_get_current_domain();
|
|
|
|
if (!dom || !get_raw_handled_net_accesses(dom))
|
|
return NULL;
|
|
|
|
return dom;
|
|
}
|
|
|
|
static int current_check_access_socket(struct socket *const sock,
|
|
struct sockaddr *const address,
|
|
const int addrlen,
|
|
access_mask_t access_request)
|
|
{
|
|
__be16 port;
|
|
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
|
|
const struct landlock_rule *rule;
|
|
struct landlock_id id = {
|
|
.type = LANDLOCK_KEY_NET_PORT,
|
|
};
|
|
const struct landlock_ruleset *const dom = get_current_net_domain();
|
|
|
|
if (!dom)
|
|
return 0;
|
|
if (WARN_ON_ONCE(dom->num_layers < 1))
|
|
return -EACCES;
|
|
|
|
/* Checks if it's a (potential) TCP socket. */
|
|
if (sock->type != SOCK_STREAM)
|
|
return 0;
|
|
|
|
/* Checks for minimal header length to safely read sa_family. */
|
|
if (addrlen < offsetofend(typeof(*address), sa_family))
|
|
return -EINVAL;
|
|
|
|
switch (address->sa_family) {
|
|
case AF_UNSPEC:
|
|
case AF_INET:
|
|
if (addrlen < sizeof(struct sockaddr_in))
|
|
return -EINVAL;
|
|
port = ((struct sockaddr_in *)address)->sin_port;
|
|
break;
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
case AF_INET6:
|
|
if (addrlen < SIN6_LEN_RFC2133)
|
|
return -EINVAL;
|
|
port = ((struct sockaddr_in6 *)address)->sin6_port;
|
|
break;
|
|
#endif /* IS_ENABLED(CONFIG_IPV6) */
|
|
|
|
default:
|
|
return 0;
|
|
}
|
|
|
|
/* Specific AF_UNSPEC handling. */
|
|
if (address->sa_family == AF_UNSPEC) {
|
|
/*
|
|
* Connecting to an address with AF_UNSPEC dissolves the TCP
|
|
* association, which have the same effect as closing the
|
|
* connection while retaining the socket object (i.e., the file
|
|
* descriptor). As for dropping privileges, closing
|
|
* connections is always allowed.
|
|
*
|
|
* For a TCP access control system, this request is legitimate.
|
|
* Let the network stack handle potential inconsistencies and
|
|
* return -EINVAL if needed.
|
|
*/
|
|
if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
|
|
return 0;
|
|
|
|
/*
|
|
* For compatibility reason, accept AF_UNSPEC for bind
|
|
* accesses (mapped to AF_INET) only if the address is
|
|
* INADDR_ANY (cf. __inet_bind). Checking the address is
|
|
* required to not wrongfully return -EACCES instead of
|
|
* -EAFNOSUPPORT.
|
|
*
|
|
* We could return 0 and let the network stack handle these
|
|
* checks, but it is safer to return a proper error and test
|
|
* consistency thanks to kselftest.
|
|
*/
|
|
if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
|
|
/* addrlen has already been checked for AF_UNSPEC. */
|
|
const struct sockaddr_in *const sockaddr =
|
|
(struct sockaddr_in *)address;
|
|
|
|
if (sock->sk->__sk_common.skc_family != AF_INET)
|
|
return -EINVAL;
|
|
|
|
if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
|
|
return -EAFNOSUPPORT;
|
|
}
|
|
} else {
|
|
/*
|
|
* Checks sa_family consistency to not wrongfully return
|
|
* -EACCES instead of -EINVAL. Valid sa_family changes are
|
|
* only (from AF_INET or AF_INET6) to AF_UNSPEC.
|
|
*
|
|
* We could return 0 and let the network stack handle this
|
|
* check, but it is safer to return a proper error and test
|
|
* consistency thanks to kselftest.
|
|
*/
|
|
if (address->sa_family != sock->sk->__sk_common.skc_family)
|
|
return -EINVAL;
|
|
}
|
|
|
|
id.key.data = (__force uintptr_t)port;
|
|
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
|
|
|
|
rule = landlock_find_rule(dom, id);
|
|
access_request = landlock_init_layer_masks(
|
|
dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
|
|
if (landlock_unmask_layers(rule, access_request, &layer_masks,
|
|
ARRAY_SIZE(layer_masks)))
|
|
return 0;
|
|
|
|
return -EACCES;
|
|
}
|
|
|
|
static int hook_socket_bind(struct socket *const sock,
|
|
struct sockaddr *const address, const int addrlen)
|
|
{
|
|
return current_check_access_socket(sock, address, addrlen,
|
|
LANDLOCK_ACCESS_NET_BIND_TCP);
|
|
}
|
|
|
|
static int hook_socket_connect(struct socket *const sock,
|
|
struct sockaddr *const address,
|
|
const int addrlen)
|
|
{
|
|
return current_check_access_socket(sock, address, addrlen,
|
|
LANDLOCK_ACCESS_NET_CONNECT_TCP);
|
|
}
|
|
|
|
static struct security_hook_list landlock_hooks[] __ro_after_init = {
|
|
LSM_HOOK_INIT(socket_bind, hook_socket_bind),
|
|
LSM_HOOK_INIT(socket_connect, hook_socket_connect),
|
|
};
|
|
|
|
__init void landlock_add_net_hooks(void)
|
|
{
|
|
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
|
&landlock_lsmid);
|
|
}
|