uapi/linux/landlock.h

0001 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
0002 /*
0003  * Landlock - User space API
0004  *
0005  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
0006  * Copyright © 2018-2020 ANSSI
0007  */
0008
0009 #ifndef _UAPI_LINUX_LANDLOCK_H
0010 #define _UAPI_LINUX_LANDLOCK_H
0011
0012 #include <linux/types.h>
0013
0014 /**
0015  * struct landlock_ruleset_attr - Ruleset definition
0016  *
0017  * Argument of sys_landlock_create_ruleset().  This structure can grow in
0018  * future versions.
0019  */
0020 struct landlock_ruleset_attr {
0021     /**
0022      * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
0023      * that is handled by this ruleset and should then be forbidden if no
0024      * rule explicitly allow them: it is a deny-by-default list that should
0025      * contain as much Landlock access rights as possible. Indeed, all
0026      * Landlock filesystem access rights that are not part of
0027      * handled_access_fs are allowed.  This is needed for backward
0028      * compatibility reasons.  One exception is the
0029      * LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
0030      * handled, but must still be explicitly handled to add new rules with
0031      * this access right.
0032      */
0033     __u64 handled_access_fs;
0034 };
0035
0036 /*
0037  * sys_landlock_create_ruleset() flags:
0038  *
0039  * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
0040  *   version.
0041  */
0042 /* clang-format off */
0043 #define LANDLOCK_CREATE_RULESET_VERSION         (1U << 0)
0044 /* clang-format on */
0045
0046 /**
0047  * enum landlock_rule_type - Landlock rule type
0048  *
0049  * Argument of sys_landlock_add_rule().
0050  */
0051 enum landlock_rule_type {
0052     /**
0053      * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
0054      * landlock_path_beneath_attr .
0055      */
0056     LANDLOCK_RULE_PATH_BENEATH = 1,
0057 };
0058
0059 /**
0060  * struct landlock_path_beneath_attr - Path hierarchy definition
0061  *
0062  * Argument of sys_landlock_add_rule().
0063  */
0064 struct landlock_path_beneath_attr {
0065     /**
0066      * @allowed_access: Bitmask of allowed actions for this file hierarchy
0067      * (cf. `Filesystem flags`_).
0068      */
0069     __u64 allowed_access;
0070     /**
0071      * @parent_fd: File descriptor, preferably opened with ``O_PATH``,
0072      * which identifies the parent directory of a file hierarchy, or just a
0073      * file.
0074      */
0075     __s32 parent_fd;
0076     /*
0077      * This struct is packed to avoid trailing reserved members.
0078      * Cf. security/landlock/syscalls.c:build_check_abi()
0079      */
0080 } __attribute__((packed));
0081
0082 /**
0083  * DOC: fs_access
0084  *
0085  * A set of actions on kernel objects may be defined by an attribute (e.g.
0086  * &struct landlock_path_beneath_attr) including a bitmask of access.
0087  *
0088  * Filesystem flags
0089  * ~~~~~~~~~~~~~~~~
0090  *
0091  * These flags enable to restrict a sandboxed process to a set of actions on
0092  * files and directories.  Files or directories opened before the sandboxing
0093  * are not subject to these restrictions.
0094  *
0095  * A file can only receive these access rights:
0096  *
0097  * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
0098  * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
0099  * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
0100  *
0101  * A directory can receive access rights related to files or directories.  The
0102  * following access right is applied to the directory itself, and the
0103  * directories beneath it:
0104  *
0105  * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
0106  *
0107  * However, the following access rights only apply to the content of a
0108  * directory, not the directory itself:
0109  *
0110  * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
0111  * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
0112  * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
0113  *   device.
0114  * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
0115  * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
0116  * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
0117  *   socket.
0118  * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
0119  * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
0120  * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
0121  * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
0122  *   directory (i.e. reparent a file hierarchy).  This access right is
0123  *   available since the second version of the Landlock ABI.  This is also the
0124  *   only access right which is always considered handled by any ruleset in
0125  *   such a way that reparenting a file hierarchy is always denied by default.
0126  *   To avoid privilege escalation, it is not enough to add a rule with this
0127  *   access right.  When linking or renaming a file, the destination directory
0128  *   hierarchy must also always have the same or a superset of restrictions of
0129  *   the source hierarchy.  If it is not the case, or if the domain doesn't
0130  *   handle this access right, such actions are denied by default with errno
0131  *   set to EXDEV.  Linking also requires a LANDLOCK_ACCESS_FS_MAKE_* access
0132  *   right on the destination directory, and renaming also requires a
0133  *   LANDLOCK_ACCESS_FS_REMOVE_* access right on the source's (file or
0134  *   directory) parent.  Otherwise, such actions are denied with errno set to
0135  *   EACCES.  The EACCES errno prevails over EXDEV to let user space
0136  *   efficiently deal with an unrecoverable error.
0137  *
0138  * .. warning::
0139  *
0140  *   It is currently not possible to restrict some file-related actions
0141  *   accessible through these syscall families: :manpage:`chdir(2)`,
0142  *   :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
0143  *   :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
0144  *   :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
0145  *   :manpage:`access(2)`.
0146  *   Future Landlock evolutions will enable to restrict them.
0147  */
0148 /* clang-format off */
0149 #define LANDLOCK_ACCESS_FS_EXECUTE          (1ULL << 0)
0150 #define LANDLOCK_ACCESS_FS_WRITE_FILE           (1ULL << 1)
0151 #define LANDLOCK_ACCESS_FS_READ_FILE            (1ULL << 2)
0152 #define LANDLOCK_ACCESS_FS_READ_DIR         (1ULL << 3)
0153 #define LANDLOCK_ACCESS_FS_REMOVE_DIR           (1ULL << 4)
0154 #define LANDLOCK_ACCESS_FS_REMOVE_FILE          (1ULL << 5)
0155 #define LANDLOCK_ACCESS_FS_MAKE_CHAR            (1ULL << 6)
0156 #define LANDLOCK_ACCESS_FS_MAKE_DIR         (1ULL << 7)
0157 #define LANDLOCK_ACCESS_FS_MAKE_REG         (1ULL << 8)
0158 #define LANDLOCK_ACCESS_FS_MAKE_SOCK            (1ULL << 9)
0159 #define LANDLOCK_ACCESS_FS_MAKE_FIFO            (1ULL << 10)
0160 #define LANDLOCK_ACCESS_FS_MAKE_BLOCK           (1ULL << 11)
0161 #define LANDLOCK_ACCESS_FS_MAKE_SYM         (1ULL << 12)
0162 #define LANDLOCK_ACCESS_FS_REFER            (1ULL << 13)
0163 /* clang-format on */
0164
0165 #endif /* _UAPI_LINUX_LANDLOCK_H */