The user space API was refactored to support
network actions: new network access flags,
a network rule type and network attributes were
added.
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
---
Changes since v3:
* Split commit.
* Refactoring User API for network rule type.
---
include/uapi/linux/landlock.h | 48 +++++++++++++++++++++++++++++++++++
security/landlock/syscalls.c | 5 ++--
2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/landlock.h
b/include/uapi/linux/landlock.h
index b3d952067f59..4fc6c793fdf4 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -25,6 +25,13 @@ struct landlock_ruleset_attr {
* compatibility reasons.
*/
__u64 handled_access_fs;
+
+ /**
+ * @handled_access_net: Bitmask of actions (cf. `Network flags`_)
+ * that is handled by this ruleset and should then be forbidden
if no
+ * rule explicitly allow them.
+ */
+ __u64 handled_access_net;
};
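Review bot: The new @handled_access_net comment does not tell user space what happens when the field is passed to a kernel whose ABI predates it, which is exactly the size-based compatibility behaviour the paragraph just above alludes to for handled_access_fs; I'd add a sentence such as `* Only read when the size passed to landlock_create_ruleset() covers this field.` if that is indeed how the attribute is copied (the copy path is not in this patch). The sentence `should then be forbidden if no rule explicitly allow them` also needs `allows`. The opening lines of struct landlock_ruleset_attr are outside this hunk.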
/*
@@ -46,6 +53,11 @@ enum landlock_rule_type {
* landlock_path_beneath_attr .
*/
LANDLOCK_RULE_PATH_BENEATH = 1,
+ /**
+ * @LANDLOCK_RULE_NET_SERVICE: Type of a &struct
+ * landlock_net_service_attr .
+ */
+ LANDLOCK_RULE_NET_SERVICE = 2,
};
/**
@@ -70,6 +82,24 @@ struct landlock_path_beneath_attr {
*/
} __attribute__((packed));
+/**
+ * struct landlock_net_service_attr - TCP subnet definition
+ *
+ * Argument of sys_landlock_add_rule().
+ */
+struct landlock_net_service_attr {
+ /**
+ * @allowed_access: Bitmask of allowed access network for services
+ * (cf. `Network flags`_).
+ */
+ __u64 allowed_access;
+ /**
+ * @port: Network port
+ */
+ __u16 port;
+
+} __attribute__((packed));
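Review bot: `@port: Network port` leaves the byte order unstated, and a __u16 port is only usable if user space knows whether to pass a host-order value or the htons()-converted one the socket APIs carry; the comment should pin it, e.g. `* @port: TCP port, in host byte order` or `* @port: TCP port, in network byte order`, whichever the kernel-side rule lookup actually compares against (that code is not in this patch). The summary line `struct landlock_net_service_attr - TCP subnet definition` describes a subnet while the struct holds only an access mask and a port, so `TCP port definition` matches the contents. The stray blank line before the closing `} __attribute__((packed));` is also unusual for a uapi struct.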
+
/**
* DOC: fs_access
*
@@ -134,4 +164,22 @@ struct landlock_path_beneath_attr {
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
+/**
+ * DOC: net_access
+ *
+ * Network flags
+ * ~~~~~~~~~~~~~~~~
+ *
+ * These flags enable to restrict a sandboxed process to a set of
network
+ * actions.
+ *
+ * TCP sockets with allowed actions:
+ *
+ * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port.
+ * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to
+ * a remote port.
+ */
+#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
+#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
+
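Review bot: The two LANDLOCK_ACCESS_NET_* bits are defined without a mask of all handled network bits, yet landlock_create_ruleset() validates handled_access_fs against LANDLOCK_MASK_ACCESS_FS (see the syscalls.c hunk below) and needs the same for handled_access_net so that a user-space value with unknown bits set is rejected rather than silently accepted as handled. If the split series adds that check in a later patch this is fine; otherwise an internal mask built from the last defined bit, mirroring LANDLOCK_MASK_ACCESS_FS, belongs alongside these flags. In the DOC block, `These flags enable to restrict a sandboxed process` reads better as `These flags enable restricting a sandboxed process`.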
#endif /* _UAPI_LINUX_LANDLOCK_H */
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 8c0f6165fe3a..fcbce83d64ef 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -81,8 +81,9 @@ static void build_check_abi(void)
* struct size.
*/
ruleset_size = sizeof(ruleset_attr.handled_access_fs);
+ ruleset_size += sizeof(ruleset_attr.handled_access_net);
BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size);
- BUILD_BUG_ON(sizeof(ruleset_attr) != 8);
+ BUILD_BUG_ON(sizeof(ruleset_attr) != 16);
path_beneath_size = sizeof(path_beneath_attr.allowed_access);
path_beneath_size += sizeof(path_beneath_attr.parent_fd);
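Review bot: build_check_abi() gains the ruleset_attr update but no size check for the new struct landlock_net_service_attr, although the same function pins path_beneath_attr field by field just below; since the new struct is packed (__u64 + __u16, 10 bytes) a future field or alignment change would alter the uapi layout without anything failing at build time. Unless a later patch in the split series adds it, mirror the existing pattern with `net_service_size = sizeof(net_service_attr.allowed_access);`, `net_service_size += sizeof(net_service_attr.port);` and `BUILD_BUG_ON(sizeof(net_service_attr) != net_service_size);`, plus a fixed-size BUILD_BUG_ON against 10 like the one added for ruleset_attr. The `net_service_attr` local would be declared at the top of build_check_abi(), which is outside this hunk.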
@@ -184,7 +185,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
/* Checks content (and 32-bits cast). */
if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
- LANDLOCK_MASK_ACCESS_FS)
+ LANDLOCK_MASK_ACCESS_FS)