2021-04-22 15:41:14 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
/*
|
|
|
|
|
* Landlock LSM - Ptrace hooks
|
|
|
|
|
*
|
|
|
|
|
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
|
|
|
|
|
* Copyright © 2019-2020 ANSSI
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <asm/current.h>
|
|
|
|
|
#include <linux/cred.h>
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/lsm_hooks.h>
|
|
|
|
|
#include <linux/rcupdate.h>
|
|
|
|
|
#include <linux/sched.h>
|
2024-09-05 00:13:55 +00:00
|
|
|
#include <net/af_unix.h>
|
|
|
|
|
#include <net/sock.h>
|
2021-04-22 15:41:14 +00:00
|
|
|
|
|
|
|
|
#include "common.h"
|
|
|
|
|
#include "cred.h"
|
landlock: Add signal scoping
Currently, a sandbox process is not restricted to sending a signal (e.g.
SIGKILL) to a process outside the sandbox environment. The ability to
send a signal for a sandboxed process should be scoped the same way
abstract UNIX sockets are scoped. Therefore, we extend the "scoped"
field in a ruleset with LANDLOCK_SCOPE_SIGNAL to specify that a ruleset
will deny sending any signal from within a sandbox process to its parent
(i.e. any parent sandbox or non-sandboxed processes).
This patch adds file_set_fowner and file_free_security hooks to set and
release a pointer to the file owner's domain. This pointer, fown_domain
in landlock_file_security will be used in file_send_sigiotask to check
if the process can send a signal.
The ruleset_with_unknown_scope test is updated to support
LANDLOCK_SCOPE_SIGNAL.
This depends on two new changes:
- commit 1934b212615d ("file: reclaim 24 bytes from f_owner"): replace
container_of(fown, struct file, f_owner) with fown->file .
- commit 26f204380a3c ("fs: Fix file_set_fowner LSM hook
inconsistencies"): lock before calling the hook.
Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
Closes: https://github.com/landlock-lsm/linux/issues/8
Link: https://lore.kernel.org/r/df2b4f880a2ed3042992689a793ea0951f6798a5.1725657727.git.fahimitahera@gmail.com
[mic: Update landlock_get_current_domain()'s return type, improve and
fix locking in hook_file_set_fowner(), simplify and fix sleepable call
and locking issue in hook_file_send_sigiotask() and rebase on the latest
VFS tree, simplify hook_task_kill() and quickly return when not
sandboxed, improve comments, rename LANDLOCK_SCOPED_SIGNAL]
Co-developed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-09-06 21:30:03 +00:00
|
|
|
#include "fs.h"
|
2021-04-22 15:41:14 +00:00
|
|
|
#include "ruleset.h"
|
|
|
|
|
#include "setup.h"
|
2024-03-07 09:39:23 +00:00
|
|
|
#include "task.h"
|
2021-04-22 15:41:14 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* domain_scope_le - Checks domain ordering for scoped ptrace
|
|
|
|
|
*
|
|
|
|
|
* @parent: Parent domain.
|
|
|
|
|
* @child: Potential child of @parent.
|
|
|
|
|
*
|
|
|
|
|
* Checks if the @parent domain is less or equal to (i.e. an ancestor, which
|
|
|
|
|
* means a subset of) the @child domain.
|
|
|
|
|
*/
|
|
|
|
|
static bool domain_scope_le(const struct landlock_ruleset *const parent,
|
2022-05-06 16:05:08 +00:00
|
|
|
const struct landlock_ruleset *const child)
|
2021-04-22 15:41:14 +00:00
|
|
|
{
|
|
|
|
|
const struct landlock_hierarchy *walker;
|
|
|
|
|
|
|
|
|
|
if (!parent)
|
|
|
|
|
return true;
|
|
|
|
|
if (!child)
|
|
|
|
|
return false;
|
|
|
|
|
for (walker = child->hierarchy; walker; walker = walker->parent) {
|
|
|
|
|
if (walker == parent->hierarchy)
|
|
|
|
|
/* @parent is in the scoped hierarchy of @child. */
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
/* There is no relationship between @parent and @child. */
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool task_is_scoped(const struct task_struct *const parent,
|
2022-05-06 16:05:08 +00:00
|
|
|
const struct task_struct *const child)
|
2021-04-22 15:41:14 +00:00
|
|
|
{
|
|
|
|
|
bool is_scoped;
|
|
|
|
|
const struct landlock_ruleset *dom_parent, *dom_child;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
dom_parent = landlock_get_task_domain(parent);
|
|
|
|
|
dom_child = landlock_get_task_domain(child);
|
|
|
|
|
is_scoped = domain_scope_le(dom_parent, dom_child);
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return is_scoped;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int task_ptrace(const struct task_struct *const parent,
|
2022-05-06 16:05:08 +00:00
|
|
|
const struct task_struct *const child)
|
2021-04-22 15:41:14 +00:00
|
|
|
{
|
|
|
|
|
/* Quick return for non-landlocked tasks. */
|
|
|
|
|
if (!landlocked(parent))
|
|
|
|
|
return 0;
|
|
|
|
|
if (task_is_scoped(parent, child))
|
|
|
|
|
return 0;
|
|
|
|
|
return -EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* hook_ptrace_access_check - Determines whether the current process may access
|
|
|
|
|
* another
|
|
|
|
|
*
|
|
|
|
|
* @child: Process to be accessed.
|
|
|
|
|
* @mode: Mode of attachment.
|
|
|
|
|
*
|
|
|
|
|
* If the current task has Landlock rules, then the child must have at least
|
|
|
|
|
* the same rules. Else denied.
|
|
|
|
|
*
|
|
|
|
|
* Determines whether a process may access another, returning 0 if permission
|
|
|
|
|
* granted, -errno if denied.
|
|
|
|
|
*/
|
|
|
|
|
static int hook_ptrace_access_check(struct task_struct *const child,
|
2022-05-06 16:05:08 +00:00
|
|
|
const unsigned int mode)
|
2021-04-22 15:41:14 +00:00
|
|
|
{
|
|
|
|
|
return task_ptrace(current, child);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* hook_ptrace_traceme - Determines whether another process may trace the
|
|
|
|
|
* current one
|
|
|
|
|
*
|
|
|
|
|
* @parent: Task proposed to be the tracer.
|
|
|
|
|
*
|
|
|
|
|
* If the parent has Landlock rules, then the current task must have the same
|
|
|
|
|
* or more rules. Else denied.
|
|
|
|
|
*
|
|
|
|
|
* Determines whether the nominated task is permitted to trace the current
|
|
|
|
|
* process, returning 0 if permission is granted, -errno if denied.
|
|
|
|
|
*/
|
|
|
|
|
static int hook_ptrace_traceme(struct task_struct *const parent)
|
|
|
|
|
{
|
|
|
|
|
return task_ptrace(parent, current);
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-05 00:13:55 +00:00
|
|
|
/**
|
|
|
|
|
* domain_is_scoped - Checks if the client domain is scoped in the same
|
|
|
|
|
* domain as the server.
|
|
|
|
|
*
|
|
|
|
|
* @client: IPC sender domain.
|
|
|
|
|
* @server: IPC receiver domain.
|
|
|
|
|
* @scope: The scope restriction criteria.
|
|
|
|
|
*
|
|
|
|
|
* Returns: True if the @client domain is scoped to access the @server,
|
|
|
|
|
* unless the @server is also scoped in the same domain as @client.
|
|
|
|
|
*/
|
|
|
|
|
static bool domain_is_scoped(const struct landlock_ruleset *const client,
|
|
|
|
|
const struct landlock_ruleset *const server,
|
|
|
|
|
access_mask_t scope)
|
|
|
|
|
{
|
|
|
|
|
int client_layer, server_layer;
|
|
|
|
|
struct landlock_hierarchy *client_walker, *server_walker;
|
|
|
|
|
|
|
|
|
|
/* Quick return if client has no domain */
|
|
|
|
|
if (WARN_ON_ONCE(!client))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
client_layer = client->num_layers - 1;
|
|
|
|
|
client_walker = client->hierarchy;
|
|
|
|
|
/*
|
|
|
|
|
* client_layer must be a signed integer with greater capacity
|
|
|
|
|
* than client->num_layers to ensure the following loop stops.
|
|
|
|
|
*/
|
|
|
|
|
BUILD_BUG_ON(sizeof(client_layer) > sizeof(client->num_layers));
|
|
|
|
|
|
|
|
|
|
server_layer = server ? (server->num_layers - 1) : -1;
|
|
|
|
|
server_walker = server ? server->hierarchy : NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Walks client's parent domains down to the same hierarchy level
|
|
|
|
|
* as the server's domain, and checks that none of these client's
|
|
|
|
|
* parent domains are scoped.
|
|
|
|
|
*/
|
|
|
|
|
for (; client_layer > server_layer; client_layer--) {
|
|
|
|
|
if (landlock_get_scope_mask(client, client_layer) & scope)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
client_walker = client_walker->parent;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Walks server's parent domains down to the same hierarchy level as
|
|
|
|
|
* the client's domain.
|
|
|
|
|
*/
|
|
|
|
|
for (; server_layer > client_layer; server_layer--)
|
|
|
|
|
server_walker = server_walker->parent;
|
|
|
|
|
|
|
|
|
|
for (; client_layer >= 0; client_layer--) {
|
|
|
|
|
if (landlock_get_scope_mask(client, client_layer) & scope) {
|
|
|
|
|
/*
|
|
|
|
|
* Client and server are at the same level in the
|
|
|
|
|
* hierarchy. If the client is scoped, the request is
|
|
|
|
|
* only allowed if this domain is also a server's
|
|
|
|
|
* ancestor.
|
|
|
|
|
*/
|
|
|
|
|
return server_walker != client_walker;
|
|
|
|
|
}
|
|
|
|
|
client_walker = client_walker->parent;
|
|
|
|
|
server_walker = server_walker->parent;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool sock_is_scoped(struct sock *const other,
|
|
|
|
|
const struct landlock_ruleset *const domain)
|
|
|
|
|
{
|
|
|
|
|
const struct landlock_ruleset *dom_other;
|
|
|
|
|
|
|
|
|
|
/* The credentials will not change. */
|
|
|
|
|
lockdep_assert_held(&unix_sk(other)->lock);
|
|
|
|
|
dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
|
|
|
|
|
return domain_is_scoped(domain, dom_other,
|
|
|
|
|
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool is_abstract_socket(struct sock *const sock)
|
|
|
|
|
{
|
|
|
|
|
struct unix_address *addr = unix_sk(sock)->addr;
|
|
|
|
|
|
|
|
|
|
if (!addr)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (addr->len >= offsetof(struct sockaddr_un, sun_path) + 1 &&
|
|
|
|
|
addr->name->sun_path[0] == '\0')
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int hook_unix_stream_connect(struct sock *const sock,
|
|
|
|
|
struct sock *const other,
|
|
|
|
|
struct sock *const newsk)
|
|
|
|
|
{
|
|
|
|
|
const struct landlock_ruleset *const dom =
|
|
|
|
|
landlock_get_current_domain();
|
|
|
|
|
|
|
|
|
|
/* Quick return for non-landlocked tasks. */
|
|
|
|
|
if (!dom)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (is_abstract_socket(other) && sock_is_scoped(other, dom))
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int hook_unix_may_send(struct socket *const sock,
|
|
|
|
|
struct socket *const other)
|
|
|
|
|
{
|
|
|
|
|
const struct landlock_ruleset *const dom =
|
|
|
|
|
landlock_get_current_domain();
|
|
|
|
|
|
|
|
|
|
if (!dom)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Checks if this datagram socket was already allowed to be connected
|
|
|
|
|
* to other.
|
|
|
|
|
*/
|
|
|
|
|
if (unix_peer(sock->sk) == other->sk)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (is_abstract_socket(other->sk) && sock_is_scoped(other->sk, dom))
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
landlock: Add signal scoping
Currently, a sandbox process is not restricted to sending a signal (e.g.
SIGKILL) to a process outside the sandbox environment. The ability to
send a signal for a sandboxed process should be scoped the same way
abstract UNIX sockets are scoped. Therefore, we extend the "scoped"
field in a ruleset with LANDLOCK_SCOPE_SIGNAL to specify that a ruleset
will deny sending any signal from within a sandbox process to its parent
(i.e. any parent sandbox or non-sandboxed processes).
This patch adds file_set_fowner and file_free_security hooks to set and
release a pointer to the file owner's domain. This pointer, fown_domain
in landlock_file_security will be used in file_send_sigiotask to check
if the process can send a signal.
The ruleset_with_unknown_scope test is updated to support
LANDLOCK_SCOPE_SIGNAL.
This depends on two new changes:
- commit 1934b212615d ("file: reclaim 24 bytes from f_owner"): replace
container_of(fown, struct file, f_owner) with fown->file .
- commit 26f204380a3c ("fs: Fix file_set_fowner LSM hook
inconsistencies"): lock before calling the hook.
Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
Closes: https://github.com/landlock-lsm/linux/issues/8
Link: https://lore.kernel.org/r/df2b4f880a2ed3042992689a793ea0951f6798a5.1725657727.git.fahimitahera@gmail.com
[mic: Update landlock_get_current_domain()'s return type, improve and
fix locking in hook_file_set_fowner(), simplify and fix sleepable call
and locking issue in hook_file_send_sigiotask() and rebase on the latest
VFS tree, simplify hook_task_kill() and quickly return when not
sandboxed, improve comments, rename LANDLOCK_SCOPED_SIGNAL]
Co-developed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-09-06 21:30:03 +00:00
|
|
|
static int hook_task_kill(struct task_struct *const p,
|
|
|
|
|
struct kernel_siginfo *const info, const int sig,
|
|
|
|
|
const struct cred *const cred)
|
|
|
|
|
{
|
|
|
|
|
bool is_scoped;
|
|
|
|
|
const struct landlock_ruleset *dom;
|
|
|
|
|
|
|
|
|
|
if (cred) {
|
|
|
|
|
/* Dealing with USB IO. */
|
|
|
|
|
dom = landlock_cred(cred)->domain;
|
|
|
|
|
} else {
|
|
|
|
|
dom = landlock_get_current_domain();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Quick return for non-landlocked tasks. */
|
|
|
|
|
if (!dom)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
is_scoped = domain_is_scoped(dom, landlock_get_task_domain(p),
|
|
|
|
|
LANDLOCK_SCOPE_SIGNAL);
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
if (is_scoped)
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int hook_file_send_sigiotask(struct task_struct *tsk,
|
|
|
|
|
struct fown_struct *fown, int signum)
|
|
|
|
|
{
|
|
|
|
|
const struct landlock_ruleset *dom;
|
|
|
|
|
bool is_scoped = false;
|
|
|
|
|
|
|
|
|
|
/* Lock already held by send_sigio() and send_sigurg(). */
|
|
|
|
|
lockdep_assert_held(&fown->lock);
|
|
|
|
|
dom = landlock_file(fown->file)->fown_domain;
|
|
|
|
|
|
|
|
|
|
/* Quick return for unowned socket. */
|
|
|
|
|
if (!dom)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
is_scoped = domain_is_scoped(dom, landlock_get_task_domain(tsk),
|
|
|
|
|
LANDLOCK_SCOPE_SIGNAL);
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
if (is_scoped)
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several
years, we're finally at a place where we can disable the SELinux
runtime disable functionality. The existing kernel deprecation
notice explains the functionality and why we want to remove it:
The selinuxfs "disable" node allows SELinux to be disabled at
runtime prior to a policy being loaded into the kernel. If
disabled via this mechanism, SELinux will remain disabled until
the system is rebooted.
The preferred method of disabling SELinux is via the "selinux=0"
boot parameter, but the selinuxfs "disable" node was created to
make it easier for systems with primitive bootloaders that did not
allow for easy modification of the kernel command line.
Unfortunately, allowing for SELinux to be disabled at runtime makes
it difficult to secure the kernel's LSM hooks using the
"__ro_after_init" feature.
It is that last sentence, mentioning the '__ro_after_init' hardening,
which is the real motivation for this change, and if you look at the
diffstat you'll see that the impact of this patch reaches across all
the different LSMs, helping prevent tampering at the LSM hook level.
From a SELinux perspective, it is important to note that if you
continue to disable SELinux via "/etc/selinux/config" it may appear
that SELinux is disabled, but it is simply in an uninitialized state.
If you load a policy with `load_policy -i`, you will see SELinux
come alive just as if you had loaded the policy during early-boot.
It is also worth noting that the "/sys/fs/selinux/disable" file is
always writable now, regardless of the Kconfig settings, but writing
to the file has no effect on the system, other than to display an
error on the console if a non-zero/true value is written.
Finally, in the several years where we have been working on
deprecating this functionality, there has only been one instance of
someone mentioning any user visible breakage. In this particular
case it was an individual's kernel test system, and the workaround
documented in the deprecation notice ("selinux=0" on the kernel
command line) resolved the issue without problem.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-17 16:43:07 +00:00
|
|
|
static struct security_hook_list landlock_hooks[] __ro_after_init = {
|
2021-04-22 15:41:14 +00:00
|
|
|
LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
|
|
|
|
|
LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
|
2024-09-05 00:13:55 +00:00
|
|
|
|
|
|
|
|
LSM_HOOK_INIT(unix_stream_connect, hook_unix_stream_connect),
|
|
|
|
|
LSM_HOOK_INIT(unix_may_send, hook_unix_may_send),
|
landlock: Add signal scoping
Currently, a sandbox process is not restricted to sending a signal (e.g.
SIGKILL) to a process outside the sandbox environment. The ability to
send a signal for a sandboxed process should be scoped the same way
abstract UNIX sockets are scoped. Therefore, we extend the "scoped"
field in a ruleset with LANDLOCK_SCOPE_SIGNAL to specify that a ruleset
will deny sending any signal from within a sandbox process to its parent
(i.e. any parent sandbox or non-sandboxed processes).
This patch adds file_set_fowner and file_free_security hooks to set and
release a pointer to the file owner's domain. This pointer, fown_domain
in landlock_file_security will be used in file_send_sigiotask to check
if the process can send a signal.
The ruleset_with_unknown_scope test is updated to support
LANDLOCK_SCOPE_SIGNAL.
This depends on two new changes:
- commit 1934b212615d ("file: reclaim 24 bytes from f_owner"): replace
container_of(fown, struct file, f_owner) with fown->file .
- commit 26f204380a3c ("fs: Fix file_set_fowner LSM hook
inconsistencies"): lock before calling the hook.
Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
Closes: https://github.com/landlock-lsm/linux/issues/8
Link: https://lore.kernel.org/r/df2b4f880a2ed3042992689a793ea0951f6798a5.1725657727.git.fahimitahera@gmail.com
[mic: Update landlock_get_current_domain()'s return type, improve and
fix locking in hook_file_set_fowner(), simplify and fix sleepable call
and locking issue in hook_file_send_sigiotask() and rebase on the latest
VFS tree, simplify hook_task_kill() and quickly return when not
sandboxed, improve comments, rename LANDLOCK_SCOPED_SIGNAL]
Co-developed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-09-06 21:30:03 +00:00
|
|
|
|
|
|
|
|
LSM_HOOK_INIT(task_kill, hook_task_kill),
|
|
|
|
|
LSM_HOOK_INIT(file_send_sigiotask, hook_file_send_sigiotask),
|
2021-04-22 15:41:14 +00:00
|
|
|
};
|
|
|
|
|
|
2024-03-07 09:39:23 +00:00
|
|
|
__init void landlock_add_task_hooks(void)
|
2021-04-22 15:41:14 +00:00
|
|
|
{
|
|
|
|
|
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
2023-09-12 20:56:46 +00:00
|
|
|
&landlock_lsmid);
|
2021-04-22 15:41:14 +00:00
|
|
|
}
|
