diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 07b63aec56fa31e78ec78b3d515651cf450aa55a..37dafce8038bbbc390caa5baf78f02fca92c87da 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -8,7 +8,7 @@ Landlock: unprivileged access control
=====================================
:Author: Mickaël Salaün
-:Date: April 2024
+:Date: July 2024
The goal of Landlock is to enable to restrict ambient rights (e.g. global
filesystem or network access) for a set of processes. Because Landlock
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index 68625e728f43d592fc456b7d38da00b1adcdffb0..2c8dbc74b95537df6bafbf1d5bb7145b2686b4e4 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -12,29 +12,36 @@
#include <linux/types.h>
/**
- * struct landlock_ruleset_attr - Ruleset definition
+ * struct landlock_ruleset_attr - Ruleset definition.
*
- * Argument of sys_landlock_create_ruleset(). This structure can grow in
- * future versions.
+ * Argument of sys_landlock_create_ruleset().
+ *
+ * This structure defines a set of *handled access rights*, a set of actions on
+ * different object types, which should be denied by default when the ruleset is
+ * enacted. Vice versa, access rights that are not specifically listed here are
+ * not going to be denied by this ruleset when it is enacted.
+ *
+ * For historical reasons, the %LANDLOCK_ACCESS_FS_REFER right is always denied
+ * by default, even when its bit is not set in @handled_access_fs. In order to
+ * add new rules with this access right, the bit must still be set explicitly
+ * (cf. `Filesystem flags`_).
+ *
+ * The explicit listing of *handled access rights* is required for backwards
+ * compatibility reasons. In most use cases, processes that use Landlock will
+ * *handle* a wide range or all access rights that they know about at build time
+ * (and that they have tested with a kernel that supported them all).
+ *
+ * This structure can grow in future Landlock versions.
*/
struct landlock_ruleset_attr {
/**
- * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
- * that is handled by this ruleset and should then be forbidden if no
- * rule explicitly allow them: it is a deny-by-default list that should
- * contain as much Landlock access rights as possible. Indeed, all
- * Landlock filesystem access rights that are not part of
- * handled_access_fs are allowed. This is needed for backward
- * compatibility reasons. One exception is the
- * %LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
- * handled, but must still be explicitly handled to add new rules with
- * this access right.
+ * @handled_access_fs: Bitmask of handled filesystem actions
+ * (cf. `Filesystem flags`_).
*/
__u64 handled_access_fs;
/**
- * @handled_access_net: Bitmask of actions (cf. `Network flags`_)
- * that is handled by this ruleset and should then be forbidden if no
- * rule explicitly allow them.
+ * @handled_access_net: Bitmask of handled network actions (cf. `Network
+ * flags`_).
*/
__u64 handled_access_net;
};
@@ -97,20 +104,21 @@ struct landlock_path_beneath_attr {
*/
struct landlock_net_port_attr {
/**
- * @allowed_access: Bitmask of allowed access network for a port
+ * @allowed_access: Bitmask of allowed network actions for a port
* (cf. `Network flags`_).
*/
__u64 allowed_access;
/**
* @port: Network port in host endianness.
*
- * It should be noted that port 0 passed to :manpage:`bind(2)` will
- * bind to an available port from a specific port range. This can be
- * configured thanks to the ``/proc/sys/net/ipv4/ip_local_port_range``
- * sysctl (also used for IPv6). A Landlock rule with port 0 and the
- * ``LANDLOCK_ACCESS_NET_BIND_TCP`` right means that requesting to bind
- * on port 0 is allowed and it will automatically translate to binding
- * on the related port range.
+ * It should be noted that port 0 passed to :manpage:`bind(2)` will bind
+ * to an available port from the ephemeral port range. This can be
+ * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
+ * (also used for IPv6).
+ *
+ * A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
+ * right means that requesting to bind on port 0 is allowed and it will
+ * automatically translate to binding on the related port range.
*/
__u64 port;
};
@@ -131,10 +139,10 @@ struct landlock_net_port_attr {
* The following access rights apply only to files:
*
* - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
- * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that
- * you might additionally need the %LANDLOCK_ACCESS_FS_TRUNCATE right in order
- * to overwrite files with :manpage:`open(2)` using ``O_TRUNC`` or
- * :manpage:`creat(2)`.
+ * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When
+ * opening files for writing, you will often additionally need the
+ * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls
+ * truncate existing files when overwriting them (e.g., :manpage:`creat(2)`).
* - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
* - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`,
* :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
@@ -256,7 +264,7 @@ struct landlock_net_port_attr {
* These flags enable to restrict a sandboxed process to a set of network
* actions. This is supported since the Landlock ABI version 4.
*
- * TCP sockets with allowed actions:
+ * The following access rights apply to TCP port numbers:
*
* - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port.
* - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index 20fdb5ff351485989989403949e2ad24ee3fe1e3..4eb643077a2a6e31693d403af89be1046ad6337c 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -21,12 +21,10 @@
#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
#define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS)
-#define LANDLOCK_SHIFT_ACCESS_FS 0
#define LANDLOCK_LAST_ACCESS_NET LANDLOCK_ACCESS_NET_CONNECT_TCP
#define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1)
#define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET)
-#define LANDLOCK_SHIFT_ACCESS_NET LANDLOCK_NUM_ACCESS_FS
/* clang-format on */
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index e0a5fbf9201ade7036e8cb8203f5b99e18b94947..6ff232f586183d6b74c675a1f03555d7831b81f5 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -169,13 +169,9 @@ static void build_check_ruleset(void)
.num_rules = ~0,
.num_layers = ~0,
};
- typeof(ruleset.access_masks[0]) access_masks = ~0;
BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES);
BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS);
- BUILD_BUG_ON(access_masks <
- ((LANDLOCK_MASK_ACCESS_FS << LANDLOCK_SHIFT_ACCESS_FS) |
- (LANDLOCK_MASK_ACCESS_NET << LANDLOCK_SHIFT_ACCESS_NET)));
}
/**
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index c7f1526784fd1043dc85a8ad20df865f56260e93..0f1b5b4c8f6b4136c4a02278cd46a0aef1e23065 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -39,10 +39,10 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);
static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
/* Ruleset access masks. */
-typedef u32 access_masks_t;
-/* Makes sure all ruleset access rights can be stored. */
-static_assert(BITS_PER_TYPE(access_masks_t) >=
- LANDLOCK_NUM_ACCESS_FS + LANDLOCK_NUM_ACCESS_NET);
+struct access_masks {
+ access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
+ access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
+};
typedef u16 layer_mask_t;
/* Makes sure all layers can be checked. */
@@ -226,7 +226,7 @@ struct landlock_ruleset {
* layers are set once and never changed for the
* lifetime of the ruleset.
*/
- access_masks_t access_masks[];
+ struct access_masks access_masks[];
};
};
};
@@ -265,8 +265,7 @@ landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
/* Should already be checked in sys_landlock_create_ruleset(). */
WARN_ON_ONCE(fs_access_mask != fs_mask);
- ruleset->access_masks[layer_level] |=
- (fs_mask << LANDLOCK_SHIFT_ACCESS_FS);
+ ruleset->access_masks[layer_level].fs |= fs_mask;
}
static inline void
@@ -278,17 +277,14 @@ landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
/* Should already be checked in sys_landlock_create_ruleset(). */
WARN_ON_ONCE(net_access_mask != net_mask);
- ruleset->access_masks[layer_level] |=
- (net_mask << LANDLOCK_SHIFT_ACCESS_NET);
+ ruleset->access_masks[layer_level].net |= net_mask;
}
static inline access_mask_t
landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,
const u16 layer_level)
{
- return (ruleset->access_masks[layer_level] >>
- LANDLOCK_SHIFT_ACCESS_FS) &
- LANDLOCK_MASK_ACCESS_FS;
+ return ruleset->access_masks[layer_level].fs;
}
static inline access_mask_t
@@ -304,9 +300,7 @@ static inline access_mask_t
landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
const u16 layer_level)
{
- return (ruleset->access_masks[layer_level] >>
- LANDLOCK_SHIFT_ACCESS_NET) &
- LANDLOCK_MASK_ACCESS_NET;
+ return ruleset->access_masks[layer_level].net;
}
bool landlock_unmask_layers(const struct landlock_rule *const rule,
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 03b470f5a85a3324a19a7468b3119fe6b060b2ee..ccc8bc6c158456ea9556620c43c169444e5b3da3 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -378,8 +378,7 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
* with the new rule.
* @rule_type: Identify the structure type pointed to by @rule_attr:
* %LANDLOCK_RULE_PATH_BENEATH or %LANDLOCK_RULE_NET_PORT.
- * @rule_attr: Pointer to a rule (only of type &struct
- * landlock_path_beneath_attr for now).
+ * @rule_attr: Pointer to a rule (matching the @rule_type).
* @flags: Must be 0.
*
* This system call enables to define a new rule and add it to an existing
@@ -390,18 +389,20 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
* - %EAFNOSUPPORT: @rule_type is %LANDLOCK_RULE_NET_PORT but TCP/IP is not
* supported by the running kernel;
- * - %EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
+ * - %EINVAL: @flags is not 0;
+ * - %EINVAL: The rule accesses are inconsistent (i.e.
* &landlock_path_beneath_attr.allowed_access or
- * &landlock_net_port_attr.allowed_access is not a subset of the
- * ruleset handled accesses), or &landlock_net_port_attr.port is
- * greater than 65535;
- * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
+ * &landlock_net_port_attr.allowed_access is not a subset of the ruleset
+ * handled accesses)
+ * - %EINVAL: &landlock_net_port_attr.port is greater than 65535;
+ * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access is
+ * 0);
* - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
* member of @rule_attr is not a file descriptor as expected;
* - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
* @rule_attr is not the expected file descriptor type;
* - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
- * - %EFAULT: @rule_attr inconsistency.
+ * - %EFAULT: @rule_attr was not a valid address.
*/
SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
const enum landlock_rule_type, rule_type,