From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Kees Cook" <keescook@chromium.org>,
"Paul Moore" <paul@paul-moore.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Shuah Khan" <shuah@kernel.org>, "Tejun Heo" <tj@kernel.org>,
"Thomas Graf" <tgraf@suug.ch>, "Will Drewry" <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock
Date: Wed, 29 Mar 2017 01:46:41 +0200 [thread overview]
Message-ID: <20170328234650.19695-3-mic@digikod.net> (raw)
In-Reply-To: <20170328234650.19695-1-mic@digikod.net>
Add a new type of eBPF program used by Landlock rules.
This new BPF program type will be registered with the Landlock LSM
initialization.
Add an initial Landlock Kconfig.
Changes since v5:
* rename file hooks.c to init.c
* fix spelling
Changes since v4:
* merge a minimal (not enabled) LSM code and Kconfig in this commit
Changes since v3:
* split commit
* revamp the landlock_context:
* add arch, syscall_nr and syscall_cmd (ioctl, fcntl…) to be able to
cross-check action with the event type
* replace args array with dedicated fields to ease the addition of new
fields
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
include/linux/landlock.h | 23 ++++++++
include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
security/Kconfig | 1 +
security/Makefile | 2 +
security/landlock/Kconfig | 18 ++++++
security/landlock/Makefile | 3 +
security/landlock/common.h | 25 +++++++++
security/landlock/init.c | 123 +++++++++++++++++++++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
9 files changed, 405 insertions(+)
create mode 100644 include/linux/landlock.h
create mode 100644 security/landlock/Kconfig
create mode 100644 security/landlock/Makefile
create mode 100644 security/landlock/common.h
create mode 100644 security/landlock/init.c
diff --git a/include/linux/landlock.h b/include/linux/landlock.h
new file mode 100644
index 000000000000..53013dc374fe
--- /dev/null
+++ b/include/linux/landlock.h
@@ -0,0 +1,23 @@
+/*
+ * Landlock LSM - public kernel headers
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _LINUX_LANDLOCK_H
+#define _LINUX_LANDLOCK_H
+#ifdef CONFIG_SECURITY_LANDLOCK
+
+/*
+ * This is not intended for the UAPI headers. Each userland software should use
+ * a static minimal version for the required features as explained in the
+ * documentation.
+ */
+#define LANDLOCK_VERSION 1
+
+#endif /* CONFIG_SECURITY_LANDLOCK */
+#endif /* _LINUX_LANDLOCK_H */
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0eb71ab9b4fd..619b1f8707cc 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -661,4 +662,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
diff --git a/security/Kconfig b/security/Kconfig
index d900f47eaa68..fb9eb0ac1ee4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -199,6 +199,7 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig
+source security/landlock/Kconfig
source security/integrity/Kconfig
diff --git a/security/Makefile b/security/Makefile
index f2d71cdb8e19..3fdc2f19dc48 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
+subdir-$(CONFIG_SECURITY_LANDLOCK) += landlock
# always enable default capabilities
obj-y += commoncap.o
@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
+obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
new file mode 100644
index 000000000000..aa5808e116f1
--- /dev/null
+++ b/security/landlock/Kconfig
@@ -0,0 +1,18 @@
+config SECURITY_LANDLOCK
+ bool "Landlock sandbox support"
+ depends on SECURITY
+ depends on BPF_SYSCALL
+ depends on SECCOMP_FILTER
+ default y
+ help
+ Landlock is a stackable LSM which allows to load a security policy to
+ restrict processes (i.e. create a sandbox). The policy is a list of
+ stacked eBPF programs, called rules, dedicated to restrict access to
+ a type of kernel object (e.g. file).
+
+ You need to enable seccomp filter to apply a security policy to a
+ process hierarchy (e.g. application with built-in sandboxing).
+
+ See Documentation/security/landlock/ for further information.
+
+ If you are unsure how to answer this question, answer Y.
diff --git a/security/landlock/Makefile b/security/landlock/Makefile
new file mode 100644
index 000000000000..7205f9a7a2ee
--- /dev/null
+++ b/security/landlock/Makefile
@@ -0,0 +1,3 @@
+obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
+
+landlock-y := init.o
diff --git a/security/landlock/common.h b/security/landlock/common.h
new file mode 100644
index 000000000000..a2483405349f
--- /dev/null
+++ b/security/landlock/common.h
@@ -0,0 +1,25 @@
+/*
+ * Landlock LSM - private headers
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _SECURITY_LANDLOCK_COMMON_H
+#define _SECURITY_LANDLOCK_COMMON_H
+
+/**
+ * get_index - get an index for the rules of struct landlock_events
+ *
+ * @event: a Landlock event type
+ */
+static inline int get_index(enum landlock_subtype_event event)
+{
+ /* event ID > 0 for loaded programs */
+ return event - 1;
+}
+
+#endif /* _SECURITY_LANDLOCK_COMMON_H */
diff --git a/security/landlock/init.c b/security/landlock/init.c
new file mode 100644
index 000000000000..0a97026f1c07
--- /dev/null
+++ b/security/landlock/init.c
@@ -0,0 +1,123 @@
+/*
+ * Landlock LSM - init
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/bpf.h> /* enum bpf_access_type */
+#include <linux/capability.h> /* capable */
+#include <linux/landlock.h> /* LANDLOCK_VERSION */
+
+
+static inline bool bpf_landlock_is_valid_access(int off, int size,
+ enum bpf_access_type type, enum bpf_reg_type *reg_type,
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+}
+
+static inline bool bpf_landlock_is_valid_subtype(
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ break;
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+
+ if (!prog_subtype->landlock_rule.version ||
+ prog_subtype->landlock_rule.version > LANDLOCK_VERSION)
+ return false;
+ if (!prog_subtype->landlock_rule.event ||
+ prog_subtype->landlock_rule.event > _LANDLOCK_SUBTYPE_EVENT_LAST)
+ return false;
+ if (prog_subtype->landlock_rule.ability & ~_LANDLOCK_SUBTYPE_ABILITY_MASK)
+ return false;
+ if (prog_subtype->landlock_rule.option & ~_LANDLOCK_SUBTYPE_OPTION_MASK)
+ return false;
+
+ /* check ability flags */
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_WRITE &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_DEBUG &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+
+ return true;
+}
+
+static inline const struct bpf_func_proto *bpf_landlock_func_proto(
+ enum bpf_func_id func_id, union bpf_prog_subtype *prog_subtype)
+{
+ bool event_fs = (prog_subtype->landlock_rule.event ==
+ LANDLOCK_SUBTYPE_EVENT_FS);
+ bool ability_write = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_WRITE);
+ bool ability_debug = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_DEBUG);
+
+ switch (func_id) {
+ case BPF_FUNC_map_lookup_elem:
+ return &bpf_map_lookup_elem_proto;
+
+ /* ability_write */
+ case BPF_FUNC_map_delete_elem:
+ if (ability_write)
+ return &bpf_map_delete_elem_proto;
+ return NULL;
+ case BPF_FUNC_map_update_elem:
+ if (ability_write)
+ return &bpf_map_update_elem_proto;
+ return NULL;
+
+ /* ability_debug */
+ case BPF_FUNC_get_current_comm:
+ if (ability_debug)
+ return &bpf_get_current_comm_proto;
+ return NULL;
+ case BPF_FUNC_get_current_pid_tgid:
+ if (ability_debug)
+ return &bpf_get_current_pid_tgid_proto;
+ return NULL;
+ case BPF_FUNC_get_current_uid_gid:
+ if (ability_debug)
+ return &bpf_get_current_uid_gid_proto;
+ return NULL;
+ case BPF_FUNC_trace_printk:
+ if (ability_debug)
+ return bpf_get_trace_printk_proto();
+ return NULL;
+
+ default:
+ return NULL;
+ }
+}
+
+static const struct bpf_verifier_ops bpf_landlock_ops = {
+ .get_func_proto = bpf_landlock_func_proto,
+ .is_valid_access = bpf_landlock_is_valid_access,
+ .is_valid_subtype = bpf_landlock_is_valid_subtype,
+};
+
+static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = {
+ .ops = &bpf_landlock_ops,
+ .type = BPF_PROG_TYPE_LANDLOCK,
+};
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 725c9a7d3dd9..cdb13134f522 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -649,4 +650,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
--
2.11.0
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Kees Cook" <keescook@chromium.org>,
"Paul Moore" <paul@paul-moore.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Shuah Khan" <shuah@kernel.org>, "Tejun Heo" <tj@kernel.or>
Subject: [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock
Date: Wed, 29 Mar 2017 01:46:41 +0200 [thread overview]
Message-ID: <20170328234650.19695-3-mic@digikod.net> (raw)
In-Reply-To: <20170328234650.19695-1-mic@digikod.net>
Add a new type of eBPF program used by Landlock rules.
This new BPF program type will be registered with the Landlock LSM
initialization.
Add an initial Landlock Kconfig.
Changes since v5:
* rename file hooks.c to init.c
* fix spelling
Changes since v4:
* merge a minimal (not enabled) LSM code and Kconfig in this commit
Changes since v3:
* split commit
* revamp the landlock_context:
* add arch, syscall_nr and syscall_cmd (ioctl, fcntl…) to be able to
cross-check action with the event type
* replace args array with dedicated fields to ease the addition of new
fields
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
include/linux/landlock.h | 23 ++++++++
include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
security/Kconfig | 1 +
security/Makefile | 2 +
security/landlock/Kconfig | 18 ++++++
security/landlock/Makefile | 3 +
security/landlock/common.h | 25 +++++++++
security/landlock/init.c | 123 +++++++++++++++++++++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
9 files changed, 405 insertions(+)
create mode 100644 include/linux/landlock.h
create mode 100644 security/landlock/Kconfig
create mode 100644 security/landlock/Makefile
create mode 100644 security/landlock/common.h
create mode 100644 security/landlock/init.c
diff --git a/include/linux/landlock.h b/include/linux/landlock.h
new file mode 100644
index 000000000000..53013dc374fe
--- /dev/null
+++ b/include/linux/landlock.h
@@ -0,0 +1,23 @@
+/*
+ * Landlock LSM - public kernel headers
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _LINUX_LANDLOCK_H
+#define _LINUX_LANDLOCK_H
+#ifdef CONFIG_SECURITY_LANDLOCK
+
+/*
+ * This is not intended for the UAPI headers. Each userland software should use
+ * a static minimal version for the required features as explained in the
+ * documentation.
+ */
+#define LANDLOCK_VERSION 1
+
+#endif /* CONFIG_SECURITY_LANDLOCK */
+#endif /* _LINUX_LANDLOCK_H */
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0eb71ab9b4fd..619b1f8707cc 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -661,4 +662,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
diff --git a/security/Kconfig b/security/Kconfig
index d900f47eaa68..fb9eb0ac1ee4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -199,6 +199,7 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig
+source security/landlock/Kconfig
source security/integrity/Kconfig
diff --git a/security/Makefile b/security/Makefile
index f2d71cdb8e19..3fdc2f19dc48 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
+subdir-$(CONFIG_SECURITY_LANDLOCK) += landlock
# always enable default capabilities
obj-y += commoncap.o
@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
+obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
new file mode 100644
index 000000000000..aa5808e116f1
--- /dev/null
+++ b/security/landlock/Kconfig
@@ -0,0 +1,18 @@
+config SECURITY_LANDLOCK
+ bool "Landlock sandbox support"
+ depends on SECURITY
+ depends on BPF_SYSCALL
+ depends on SECCOMP_FILTER
+ default y
+ help
+ Landlock is a stackable LSM which allows to load a security policy to
+ restrict processes (i.e. create a sandbox). The policy is a list of
+ stacked eBPF programs, called rules, dedicated to restrict access to
+ a type of kernel object (e.g. file).
+
+ You need to enable seccomp filter to apply a security policy to a
+ process hierarchy (e.g. application with built-in sandboxing).
+
+ See Documentation/security/landlock/ for further information.
+
+ If you are unsure how to answer this question, answer Y.
diff --git a/security/landlock/Makefile b/security/landlock/Makefile
new file mode 100644
index 000000000000..7205f9a7a2ee
--- /dev/null
+++ b/security/landlock/Makefile
@@ -0,0 +1,3 @@
+obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
+
+landlock-y := init.o
diff --git a/security/landlock/common.h b/security/landlock/common.h
new file mode 100644
index 000000000000..a2483405349f
--- /dev/null
+++ b/security/landlock/common.h
@@ -0,0 +1,25 @@
+/*
+ * Landlock LSM - private headers
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _SECURITY_LANDLOCK_COMMON_H
+#define _SECURITY_LANDLOCK_COMMON_H
+
+/**
+ * get_index - get an index for the rules of struct landlock_events
+ *
+ * @event: a Landlock event type
+ */
+static inline int get_index(enum landlock_subtype_event event)
+{
+ /* event ID > 0 for loaded programs */
+ return event - 1;
+}
+
+#endif /* _SECURITY_LANDLOCK_COMMON_H */
diff --git a/security/landlock/init.c b/security/landlock/init.c
new file mode 100644
index 000000000000..0a97026f1c07
--- /dev/null
+++ b/security/landlock/init.c
@@ -0,0 +1,123 @@
+/*
+ * Landlock LSM - init
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/bpf.h> /* enum bpf_access_type */
+#include <linux/capability.h> /* capable */
+#include <linux/landlock.h> /* LANDLOCK_VERSION */
+
+
+static inline bool bpf_landlock_is_valid_access(int off, int size,
+ enum bpf_access_type type, enum bpf_reg_type *reg_type,
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+}
+
+static inline bool bpf_landlock_is_valid_subtype(
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ break;
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+
+ if (!prog_subtype->landlock_rule.version ||
+ prog_subtype->landlock_rule.version > LANDLOCK_VERSION)
+ return false;
+ if (!prog_subtype->landlock_rule.event ||
+ prog_subtype->landlock_rule.event > _LANDLOCK_SUBTYPE_EVENT_LAST)
+ return false;
+ if (prog_subtype->landlock_rule.ability & ~_LANDLOCK_SUBTYPE_ABILITY_MASK)
+ return false;
+ if (prog_subtype->landlock_rule.option & ~_LANDLOCK_SUBTYPE_OPTION_MASK)
+ return false;
+
+ /* check ability flags */
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_WRITE &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_DEBUG &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+
+ return true;
+}
+
+static inline const struct bpf_func_proto *bpf_landlock_func_proto(
+ enum bpf_func_id func_id, union bpf_prog_subtype *prog_subtype)
+{
+ bool event_fs = (prog_subtype->landlock_rule.event ==
+ LANDLOCK_SUBTYPE_EVENT_FS);
+ bool ability_write = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_WRITE);
+ bool ability_debug = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_DEBUG);
+
+ switch (func_id) {
+ case BPF_FUNC_map_lookup_elem:
+ return &bpf_map_lookup_elem_proto;
+
+ /* ability_write */
+ case BPF_FUNC_map_delete_elem:
+ if (ability_write)
+ return &bpf_map_delete_elem_proto;
+ return NULL;
+ case BPF_FUNC_map_update_elem:
+ if (ability_write)
+ return &bpf_map_update_elem_proto;
+ return NULL;
+
+ /* ability_debug */
+ case BPF_FUNC_get_current_comm:
+ if (ability_debug)
+ return &bpf_get_current_comm_proto;
+ return NULL;
+ case BPF_FUNC_get_current_pid_tgid:
+ if (ability_debug)
+ return &bpf_get_current_pid_tgid_proto;
+ return NULL;
+ case BPF_FUNC_get_current_uid_gid:
+ if (ability_debug)
+ return &bpf_get_current_uid_gid_proto;
+ return NULL;
+ case BPF_FUNC_trace_printk:
+ if (ability_debug)
+ return bpf_get_trace_printk_proto();
+ return NULL;
+
+ default:
+ return NULL;
+ }
+}
+
+static const struct bpf_verifier_ops bpf_landlock_ops = {
+ .get_func_proto = bpf_landlock_func_proto,
+ .is_valid_access = bpf_landlock_is_valid_access,
+ .is_valid_subtype = bpf_landlock_is_valid_subtype,
+};
+
+static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = {
+ .ops = &bpf_landlock_ops,
+ .type = BPF_PROG_TYPE_LANDLOCK,
+};
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 725c9a7d3dd9..cdb13134f522 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -649,4 +650,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
--
2.11.0
WARNING: multiple messages have this Message-ID (diff)
From: mic@digikod.net (Mickaël Salaün)
To: linux-security-module@vger.kernel.org
Subject: [PATCH net-next v6 02/11] bpf, landlock: Define an eBPF program type for Landlock
Date: Wed, 29 Mar 2017 01:46:41 +0200 [thread overview]
Message-ID: <20170328234650.19695-3-mic@digikod.net> (raw)
In-Reply-To: <20170328234650.19695-1-mic@digikod.net>
Add a new type of eBPF program used by Landlock rules.
This new BPF program type will be registered with the Landlock LSM
initialization.
Add an initial Landlock Kconfig.
Changes since v5:
* rename file hooks.c to init.c
* fix spelling
Changes since v4:
* merge a minimal (not enabled) LSM code and Kconfig in this commit
Changes since v3:
* split commit
* revamp the landlock_context:
* add arch, syscall_nr and syscall_cmd (ioctl, fcntl?) to be able to
cross-check action with the event type
* replace args array with dedicated fields to ease the addition of new
fields
Signed-off-by: Micka?l Sala?n <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
include/linux/landlock.h | 23 ++++++++
include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
security/Kconfig | 1 +
security/Makefile | 2 +
security/landlock/Kconfig | 18 ++++++
security/landlock/Makefile | 3 +
security/landlock/common.h | 25 +++++++++
security/landlock/init.c | 123 +++++++++++++++++++++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
9 files changed, 405 insertions(+)
create mode 100644 include/linux/landlock.h
create mode 100644 security/landlock/Kconfig
create mode 100644 security/landlock/Makefile
create mode 100644 security/landlock/common.h
create mode 100644 security/landlock/init.c
diff --git a/include/linux/landlock.h b/include/linux/landlock.h
new file mode 100644
index 000000000000..53013dc374fe
--- /dev/null
+++ b/include/linux/landlock.h
@@ -0,0 +1,23 @@
+/*
+ * Landlock LSM - public kernel headers
+ *
+ * Copyright ? 2017 Micka?l Sala?n <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _LINUX_LANDLOCK_H
+#define _LINUX_LANDLOCK_H
+#ifdef CONFIG_SECURITY_LANDLOCK
+
+/*
+ * This is not intended for the UAPI headers. Each userland software should use
+ * a static minimal version for the required features as explained in the
+ * documentation.
+ */
+#define LANDLOCK_VERSION 1
+
+#endif /* CONFIG_SECURITY_LANDLOCK */
+#endif /* _LINUX_LANDLOCK_H */
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0eb71ab9b4fd..619b1f8707cc 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -661,4 +662,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
diff --git a/security/Kconfig b/security/Kconfig
index d900f47eaa68..fb9eb0ac1ee4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -199,6 +199,7 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig
+source security/landlock/Kconfig
source security/integrity/Kconfig
diff --git a/security/Makefile b/security/Makefile
index f2d71cdb8e19..3fdc2f19dc48 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
+subdir-$(CONFIG_SECURITY_LANDLOCK) += landlock
# always enable default capabilities
obj-y += commoncap.o
@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
+obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
new file mode 100644
index 000000000000..aa5808e116f1
--- /dev/null
+++ b/security/landlock/Kconfig
@@ -0,0 +1,18 @@
+config SECURITY_LANDLOCK
+ bool "Landlock sandbox support"
+ depends on SECURITY
+ depends on BPF_SYSCALL
+ depends on SECCOMP_FILTER
+ default y
+ help
+ Landlock is a stackable LSM which allows to load a security policy to
+ restrict processes (i.e. create a sandbox). The policy is a list of
+ stacked eBPF programs, called rules, dedicated to restrict access to
+ a type of kernel object (e.g. file).
+
+ You need to enable seccomp filter to apply a security policy to a
+ process hierarchy (e.g. application with built-in sandboxing).
+
+ See Documentation/security/landlock/ for further information.
+
+ If you are unsure how to answer this question, answer Y.
diff --git a/security/landlock/Makefile b/security/landlock/Makefile
new file mode 100644
index 000000000000..7205f9a7a2ee
--- /dev/null
+++ b/security/landlock/Makefile
@@ -0,0 +1,3 @@
+obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
+
+landlock-y := init.o
diff --git a/security/landlock/common.h b/security/landlock/common.h
new file mode 100644
index 000000000000..a2483405349f
--- /dev/null
+++ b/security/landlock/common.h
@@ -0,0 +1,25 @@
+/*
+ * Landlock LSM - private headers
+ *
+ * Copyright ? 2017 Micka?l Sala?n <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _SECURITY_LANDLOCK_COMMON_H
+#define _SECURITY_LANDLOCK_COMMON_H
+
+/**
+ * get_index - get an index for the rules of struct landlock_events
+ *
+ * @event: a Landlock event type
+ */
+static inline int get_index(enum landlock_subtype_event event)
+{
+ /* event ID > 0 for loaded programs */
+ return event - 1;
+}
+
+#endif /* _SECURITY_LANDLOCK_COMMON_H */
diff --git a/security/landlock/init.c b/security/landlock/init.c
new file mode 100644
index 000000000000..0a97026f1c07
--- /dev/null
+++ b/security/landlock/init.c
@@ -0,0 +1,123 @@
+/*
+ * Landlock LSM - init
+ *
+ * Copyright ? 2017 Micka?l Sala?n <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/bpf.h> /* enum bpf_access_type */
+#include <linux/capability.h> /* capable */
+#include <linux/landlock.h> /* LANDLOCK_VERSION */
+
+
+static inline bool bpf_landlock_is_valid_access(int off, int size,
+ enum bpf_access_type type, enum bpf_reg_type *reg_type,
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+}
+
+static inline bool bpf_landlock_is_valid_subtype(
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ break;
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+
+ if (!prog_subtype->landlock_rule.version ||
+ prog_subtype->landlock_rule.version > LANDLOCK_VERSION)
+ return false;
+ if (!prog_subtype->landlock_rule.event ||
+ prog_subtype->landlock_rule.event > _LANDLOCK_SUBTYPE_EVENT_LAST)
+ return false;
+ if (prog_subtype->landlock_rule.ability & ~_LANDLOCK_SUBTYPE_ABILITY_MASK)
+ return false;
+ if (prog_subtype->landlock_rule.option & ~_LANDLOCK_SUBTYPE_OPTION_MASK)
+ return false;
+
+ /* check ability flags */
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_WRITE &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_DEBUG &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+
+ return true;
+}
+
+static inline const struct bpf_func_proto *bpf_landlock_func_proto(
+ enum bpf_func_id func_id, union bpf_prog_subtype *prog_subtype)
+{
+ bool event_fs = (prog_subtype->landlock_rule.event ==
+ LANDLOCK_SUBTYPE_EVENT_FS);
+ bool ability_write = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_WRITE);
+ bool ability_debug = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_DEBUG);
+
+ switch (func_id) {
+ case BPF_FUNC_map_lookup_elem:
+ return &bpf_map_lookup_elem_proto;
+
+ /* ability_write */
+ case BPF_FUNC_map_delete_elem:
+ if (ability_write)
+ return &bpf_map_delete_elem_proto;
+ return NULL;
+ case BPF_FUNC_map_update_elem:
+ if (ability_write)
+ return &bpf_map_update_elem_proto;
+ return NULL;
+
+ /* ability_debug */
+ case BPF_FUNC_get_current_comm:
+ if (ability_debug)
+ return &bpf_get_current_comm_proto;
+ return NULL;
+ case BPF_FUNC_get_current_pid_tgid:
+ if (ability_debug)
+ return &bpf_get_current_pid_tgid_proto;
+ return NULL;
+ case BPF_FUNC_get_current_uid_gid:
+ if (ability_debug)
+ return &bpf_get_current_uid_gid_proto;
+ return NULL;
+ case BPF_FUNC_trace_printk:
+ if (ability_debug)
+ return bpf_get_trace_printk_proto();
+ return NULL;
+
+ default:
+ return NULL;
+ }
+}
+
+static const struct bpf_verifier_ops bpf_landlock_ops = {
+ .get_func_proto = bpf_landlock_func_proto,
+ .is_valid_access = bpf_landlock_is_valid_access,
+ .is_valid_subtype = bpf_landlock_is_valid_subtype,
+};
+
+static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = {
+ .ops = &bpf_landlock_ops,
+ .type = BPF_PROG_TYPE_LANDLOCK,
+};
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 725c9a7d3dd9..cdb13134f522 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -649,4 +650,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Kees Cook" <keescook@chromium.org>,
"Paul Moore" <paul@paul-moore.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Shuah Khan" <shuah@kernel.org>, "Tejun Heo" <tj@kernel.org>,
"Thomas Graf" <tgraf@suug.ch>, "Will Drewry" <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: [kernel-hardening] [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock
Date: Wed, 29 Mar 2017 01:46:41 +0200 [thread overview]
Message-ID: <20170328234650.19695-3-mic@digikod.net> (raw)
In-Reply-To: <20170328234650.19695-1-mic@digikod.net>
Add a new type of eBPF program used by Landlock rules.
This new BPF program type will be registered with the Landlock LSM
initialization.
Add an initial Landlock Kconfig.
Changes since v5:
* rename file hooks.c to init.c
* fix spelling
Changes since v4:
* merge a minimal (not enabled) LSM code and Kconfig in this commit
Changes since v3:
* split commit
* revamp the landlock_context:
* add arch, syscall_nr and syscall_cmd (ioctl, fcntl…) to be able to
cross-check action with the event type
* replace args array with dedicated fields to ease the addition of new
fields
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
include/linux/landlock.h | 23 ++++++++
include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
security/Kconfig | 1 +
security/Makefile | 2 +
security/landlock/Kconfig | 18 ++++++
security/landlock/Makefile | 3 +
security/landlock/common.h | 25 +++++++++
security/landlock/init.c | 123 +++++++++++++++++++++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 105 +++++++++++++++++++++++++++++++++++
9 files changed, 405 insertions(+)
create mode 100644 include/linux/landlock.h
create mode 100644 security/landlock/Kconfig
create mode 100644 security/landlock/Makefile
create mode 100644 security/landlock/common.h
create mode 100644 security/landlock/init.c
diff --git a/include/linux/landlock.h b/include/linux/landlock.h
new file mode 100644
index 000000000000..53013dc374fe
--- /dev/null
+++ b/include/linux/landlock.h
@@ -0,0 +1,23 @@
+/*
+ * Landlock LSM - public kernel headers
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _LINUX_LANDLOCK_H
+#define _LINUX_LANDLOCK_H
+#ifdef CONFIG_SECURITY_LANDLOCK
+
+/*
+ * This is not intended for the UAPI headers. Each userland software should use
+ * a static minimal version for the required features as explained in the
+ * documentation.
+ */
+#define LANDLOCK_VERSION 1
+
+#endif /* CONFIG_SECURITY_LANDLOCK */
+#endif /* _LINUX_LANDLOCK_H */
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0eb71ab9b4fd..619b1f8707cc 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -661,4 +662,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
diff --git a/security/Kconfig b/security/Kconfig
index d900f47eaa68..fb9eb0ac1ee4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -199,6 +199,7 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig
+source security/landlock/Kconfig
source security/integrity/Kconfig
diff --git a/security/Makefile b/security/Makefile
index f2d71cdb8e19..3fdc2f19dc48 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
+subdir-$(CONFIG_SECURITY_LANDLOCK) += landlock
# always enable default capabilities
obj-y += commoncap.o
@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
+obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
new file mode 100644
index 000000000000..aa5808e116f1
--- /dev/null
+++ b/security/landlock/Kconfig
@@ -0,0 +1,18 @@
+config SECURITY_LANDLOCK
+ bool "Landlock sandbox support"
+ depends on SECURITY
+ depends on BPF_SYSCALL
+ depends on SECCOMP_FILTER
+ default y
+ help
+ Landlock is a stackable LSM which allows to load a security policy to
+ restrict processes (i.e. create a sandbox). The policy is a list of
+ stacked eBPF programs, called rules, dedicated to restrict access to
+ a type of kernel object (e.g. file).
+
+ You need to enable seccomp filter to apply a security policy to a
+ process hierarchy (e.g. application with built-in sandboxing).
+
+ See Documentation/security/landlock/ for further information.
+
+ If you are unsure how to answer this question, answer Y.
diff --git a/security/landlock/Makefile b/security/landlock/Makefile
new file mode 100644
index 000000000000..7205f9a7a2ee
--- /dev/null
+++ b/security/landlock/Makefile
@@ -0,0 +1,3 @@
+obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
+
+landlock-y := init.o
diff --git a/security/landlock/common.h b/security/landlock/common.h
new file mode 100644
index 000000000000..a2483405349f
--- /dev/null
+++ b/security/landlock/common.h
@@ -0,0 +1,25 @@
+/*
+ * Landlock LSM - private headers
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _SECURITY_LANDLOCK_COMMON_H
+#define _SECURITY_LANDLOCK_COMMON_H
+
+/**
+ * get_index - get an index for the rules of struct landlock_events
+ *
+ * @event: a Landlock event type
+ */
+static inline int get_index(enum landlock_subtype_event event)
+{
+ /* event ID > 0 for loaded programs */
+ return event - 1;
+}
+
+#endif /* _SECURITY_LANDLOCK_COMMON_H */
diff --git a/security/landlock/init.c b/security/landlock/init.c
new file mode 100644
index 000000000000..0a97026f1c07
--- /dev/null
+++ b/security/landlock/init.c
@@ -0,0 +1,123 @@
+/*
+ * Landlock LSM - init
+ *
+ * Copyright © 2017 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/bpf.h> /* enum bpf_access_type */
+#include <linux/capability.h> /* capable */
+#include <linux/landlock.h> /* LANDLOCK_VERSION */
+
+
+static inline bool bpf_landlock_is_valid_access(int off, int size,
+ enum bpf_access_type type, enum bpf_reg_type *reg_type,
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+}
+
+static inline bool bpf_landlock_is_valid_subtype(
+ union bpf_prog_subtype *prog_subtype)
+{
+ if (WARN_ON(!prog_subtype))
+ return false;
+
+ switch (prog_subtype->landlock_rule.event) {
+ case LANDLOCK_SUBTYPE_EVENT_FS:
+ break;
+ case LANDLOCK_SUBTYPE_EVENT_UNSPEC:
+ default:
+ return false;
+ }
+
+ if (!prog_subtype->landlock_rule.version ||
+ prog_subtype->landlock_rule.version > LANDLOCK_VERSION)
+ return false;
+ if (!prog_subtype->landlock_rule.event ||
+ prog_subtype->landlock_rule.event > _LANDLOCK_SUBTYPE_EVENT_LAST)
+ return false;
+ if (prog_subtype->landlock_rule.ability & ~_LANDLOCK_SUBTYPE_ABILITY_MASK)
+ return false;
+ if (prog_subtype->landlock_rule.option & ~_LANDLOCK_SUBTYPE_OPTION_MASK)
+ return false;
+
+ /* check ability flags */
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_WRITE &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_DEBUG &&
+ !capable(CAP_SYS_ADMIN))
+ return false;
+
+ return true;
+}
+
+static inline const struct bpf_func_proto *bpf_landlock_func_proto(
+ enum bpf_func_id func_id, union bpf_prog_subtype *prog_subtype)
+{
+ bool event_fs = (prog_subtype->landlock_rule.event ==
+ LANDLOCK_SUBTYPE_EVENT_FS);
+ bool ability_write = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_WRITE);
+ bool ability_debug = !!(prog_subtype->landlock_rule.ability &
+ LANDLOCK_SUBTYPE_ABILITY_DEBUG);
+
+ switch (func_id) {
+ case BPF_FUNC_map_lookup_elem:
+ return &bpf_map_lookup_elem_proto;
+
+ /* ability_write */
+ case BPF_FUNC_map_delete_elem:
+ if (ability_write)
+ return &bpf_map_delete_elem_proto;
+ return NULL;
+ case BPF_FUNC_map_update_elem:
+ if (ability_write)
+ return &bpf_map_update_elem_proto;
+ return NULL;
+
+ /* ability_debug */
+ case BPF_FUNC_get_current_comm:
+ if (ability_debug)
+ return &bpf_get_current_comm_proto;
+ return NULL;
+ case BPF_FUNC_get_current_pid_tgid:
+ if (ability_debug)
+ return &bpf_get_current_pid_tgid_proto;
+ return NULL;
+ case BPF_FUNC_get_current_uid_gid:
+ if (ability_debug)
+ return &bpf_get_current_uid_gid_proto;
+ return NULL;
+ case BPF_FUNC_trace_printk:
+ if (ability_debug)
+ return bpf_get_trace_printk_proto();
+ return NULL;
+
+ default:
+ return NULL;
+ }
+}
+
+static const struct bpf_verifier_ops bpf_landlock_ops = {
+ .get_func_proto = bpf_landlock_func_proto,
+ .is_valid_access = bpf_landlock_is_valid_access,
+ .is_valid_subtype = bpf_landlock_is_valid_subtype,
+};
+
+static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = {
+ .ops = &bpf_landlock_ops,
+ .type = BPF_PROG_TYPE_LANDLOCK,
+};
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 725c9a7d3dd9..cdb13134f522 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -114,6 +114,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
+ BPF_PROG_TYPE_LANDLOCK,
};
enum bpf_attach_type {
@@ -649,4 +650,108 @@ struct xdp_md {
__u32 data_end;
};
+/**
+ * enum landlock_subtype_event - event occurring when an action is performed on
+ * a particular kernel object
+ *
+ * An event is a policy decision point which exposes the same context type
+ * (especially the same arg[0-9] field types) for each rule execution.
+ *
+ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value
+ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event
+ */
+enum landlock_subtype_event {
+ LANDLOCK_SUBTYPE_EVENT_UNSPEC,
+ LANDLOCK_SUBTYPE_EVENT_FS,
+};
+#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS
+
+/**
+ * DOC: landlock_subtype_access
+ *
+ * eBPF context and functions allowed for a rule
+ *
+ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to
+ * userland (e.g. through a map), which may leaks sensitive information
+ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing
+ * logs), which may be dangerous and should only be used for rule testing
+ */
+#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0)
+#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1)
+#define _LANDLOCK_SUBTYPE_ABILITY_NB 2
+#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1)
+
+/*
+ * Future options for a Landlock rule (e.g. run even if a previous rule denied
+ * an action).
+ */
+#define _LANDLOCK_SUBTYPE_OPTION_NB 0
+#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1)
+
+/*
+ * Status visible in the @status field of a context (e.g. already called in
+ * this syscall session, with same args...).
+ *
+ * The @status field exposed to a rule shall depend on the rule version.
+ */
+#define _LANDLOCK_SUBTYPE_STATUS_NB 0
+#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1)
+
+/**
+ * DOC: landlock_action_fs
+ *
+ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory
+ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which
+ * include mount actions)
+ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory
+ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory
+ * - %LANDLOCK_ACTION_FS_GET: open or receive a file
+ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory
+ *
+ * Each of the following actions are specific to syscall multiplexers. They
+ * fill the syscall_cmd field from &struct landlock_context with their custom
+ * command.
+ *
+ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command
+ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command
+ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command
+ */
+#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0)
+#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1)
+#define LANDLOCK_ACTION_FS_READ (1ULL << 2)
+#define LANDLOCK_ACTION_FS_NEW (1ULL << 3)
+#define LANDLOCK_ACTION_FS_GET (1ULL << 4)
+#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5)
+#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6)
+#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7)
+#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8)
+#define _LANDLOCK_ACTION_FS_NB 9
+#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1)
+
+
+/**
+ * struct landlock_context - context accessible to a Landlock rule
+ *
+ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*)
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ * as defined in <linux/audit.h>
+ * @syscall_nr: the system call number called by the current process (may be
+ * useful to debug: find out from which syscall this request came
+ * from)
+ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g.
+ * ioctl, fcntl, flock)
+ * @event: event type (&enum landlock_subtype_event)
+ * @arg1: event's first optional argument
+ * @arg2: event's second optional argument
+ */
+struct landlock_context {
+ __u64 status;
+ __u32 arch;
+ __u32 syscall_nr;
+ __u32 syscall_cmd;
+ __u32 event;
+ __u64 arg1;
+ __u64 arg2;
+};
+
#endif /* _UAPI__LINUX_BPF_H__ */
--
2.11.0
next prev parent reply other threads:[~2017-03-28 23:48 UTC|newest]
Thread overview: 221+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-28 23:46 [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-29 13:48 ` kbuild test robot
2017-03-29 13:48 ` [kernel-hardening] " kbuild test robot
2017-03-29 13:48 ` kbuild test robot
2017-03-29 13:48 ` kbuild test robot
2017-03-29 13:48 ` kbuild test robot
2017-04-18 21:48 ` Kees Cook
2017-04-18 21:48 ` [kernel-hardening] " Kees Cook
2017-04-18 21:48 ` Kees Cook
2017-04-18 21:48 ` Kees Cook
2017-04-18 21:48 ` Kees Cook
2017-03-28 23:46 ` Mickaël Salaün [this message]
2017-03-28 23:46 ` [kernel-hardening] [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 02/11] bpf, landlock: " Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 02/11] bpf,landlock: " Mickaël Salaün
2017-04-16 21:57 ` Mickaël Salaün
2017-04-16 21:57 ` [kernel-hardening] " Mickaël Salaün
2017-04-16 21:57 ` Mickaël Salaün
2017-04-16 21:57 ` Mickaël Salaün
2017-04-16 21:57 ` Mickaël Salaün
2017-04-18 21:58 ` Kees Cook
2017-04-18 21:58 ` [kernel-hardening] " Kees Cook
2017-04-18 21:58 ` Kees Cook
2017-04-18 21:58 ` Kees Cook
2017-04-18 21:58 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 03/11] bpf: Define handle_fs and add a new helper bpf_handle_fs_get_mode() Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-29 15:18 ` kbuild test robot
2017-03-29 15:18 ` [kernel-hardening] " kbuild test robot
2017-03-29 15:18 ` kbuild test robot
2017-03-29 15:18 ` kbuild test robot
2017-03-29 15:18 ` kbuild test robot
2017-04-18 22:17 ` Kees Cook
2017-04-18 22:17 ` [kernel-hardening] " Kees Cook
2017-04-18 22:17 ` Kees Cook
2017-04-18 22:17 ` Kees Cook
2017-04-18 22:17 ` Kees Cook
2017-04-18 22:44 ` Mickaël Salaün
2017-04-18 22:44 ` [kernel-hardening] " Mickaël Salaün
2017-04-18 22:44 ` Mickaël Salaün
2017-04-18 22:44 ` Mickaël Salaün
2017-04-18 23:16 ` Casey Schaufler
2017-04-18 23:16 ` [kernel-hardening] " Casey Schaufler
2017-04-18 23:16 ` Casey Schaufler
2017-04-18 23:16 ` Casey Schaufler
2017-04-18 23:40 ` Kees Cook
2017-04-18 23:40 ` [kernel-hardening] " Kees Cook
2017-04-18 23:40 ` Kees Cook
2017-04-18 23:40 ` Kees Cook
2017-04-19 22:03 ` Mickaël Salaün
2017-04-19 22:03 ` [kernel-hardening] " Mickaël Salaün
2017-04-19 22:03 ` Mickaël Salaün
2017-04-19 22:03 ` Mickaël Salaün
2017-04-19 22:03 ` Mickaël Salaün
2017-04-19 23:58 ` [kernel-hardening] " Casey Schaufler
2017-04-19 23:58 ` Casey Schaufler
2017-04-19 23:58 ` Casey Schaufler
2017-04-19 23:58 ` Casey Schaufler
2017-04-20 1:48 ` Kees Cook
2017-04-20 1:48 ` [kernel-hardening] " Kees Cook
2017-04-20 1:48 ` Kees Cook
2017-04-20 1:48 ` Kees Cook
2017-04-20 1:48 ` Kees Cook
2017-04-18 23:39 ` Kees Cook
2017-04-18 23:39 ` [kernel-hardening] " Kees Cook
2017-04-18 23:39 ` Kees Cook
2017-04-18 23:39 ` Kees Cook
2017-04-18 23:39 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-04-18 22:23 ` Kees Cook
2017-04-18 22:23 ` [kernel-hardening] " Kees Cook
2017-04-18 22:23 ` Kees Cook
2017-04-18 22:23 ` Kees Cook
2017-04-18 22:23 ` Kees Cook
2017-04-18 22:47 ` Mickaël Salaün
2017-04-18 22:47 ` [kernel-hardening] " Mickaël Salaün
2017-04-18 22:47 ` Mickaël Salaün
2017-04-18 22:47 ` Mickaël Salaün
2017-04-19 22:18 ` Mickaël Salaün
2017-04-19 22:18 ` [kernel-hardening] " Mickaël Salaün
2017-04-19 22:18 ` Mickaël Salaün
2017-04-19 22:18 ` Mickaël Salaün
2017-04-20 1:54 ` Kees Cook
2017-04-20 1:54 ` [kernel-hardening] " Kees Cook
2017-04-20 1:54 ` Kees Cook
2017-04-20 1:54 ` Kees Cook
2017-04-20 1:54 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 06/11] seccomp, landlock: " Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 06/11] seccomp,landlock: " Mickaël Salaün
2017-03-29 10:35 ` [kernel-hardening] " Djalal Harouni
2017-03-29 10:35 ` Djalal Harouni
2017-03-29 10:35 ` Djalal Harouni
2017-03-29 10:35 ` Djalal Harouni
2017-03-31 21:15 ` [kernel-hardening] " Mickaël Salaün
2017-03-31 21:15 ` Mickaël Salaün
2017-03-31 21:15 ` Mickaël Salaün
2017-03-31 21:15 ` Mickaël Salaün
2017-04-18 22:54 ` [kernel-hardening] " Kees Cook
2017-04-18 22:54 ` Kees Cook
2017-04-18 22:54 ` Kees Cook
2017-04-18 22:54 ` Kees Cook
2017-04-18 22:54 ` Kees Cook
2017-04-18 22:53 ` Kees Cook
2017-04-18 22:53 ` [kernel-hardening] " Kees Cook
2017-04-18 22:53 ` Kees Cook
2017-04-18 22:53 ` Kees Cook
2017-04-18 22:53 ` Kees Cook
2017-04-18 23:24 ` Mickaël Salaün
2017-04-18 23:24 ` [kernel-hardening] " Mickaël Salaün
2017-04-18 23:24 ` Mickaël Salaün
2017-04-18 23:24 ` Mickaël Salaün
2017-04-18 23:48 ` Kees Cook
2017-04-18 23:48 ` [kernel-hardening] " Kees Cook
2017-04-18 23:48 ` Kees Cook
2017-04-18 23:48 ` Kees Cook
2017-04-18 23:48 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 07/11] landlock: Add ptrace restrictions Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-04-10 6:48 ` [kernel-hardening] " Djalal Harouni
2017-04-10 6:48 ` Djalal Harouni
2017-04-10 6:48 ` Djalal Harouni
2017-04-10 6:48 ` Djalal Harouni
2017-04-11 7:19 ` Mickaël Salaün
2017-04-11 7:19 ` Mickaël Salaün
2017-04-11 7:19 ` Mickaël Salaün
2017-04-11 7:19 ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 08/11] bpf: Add a Landlock sandbox example Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-04-18 23:06 ` Kees Cook
2017-04-18 23:06 ` [kernel-hardening] " Kees Cook
2017-04-18 23:06 ` Kees Cook
2017-04-18 23:06 ` Kees Cook
2017-04-18 23:06 ` Kees Cook
2017-04-18 23:35 ` Mickaël Salaün
2017-04-18 23:35 ` [kernel-hardening] " Mickaël Salaün
2017-04-18 23:35 ` Mickaël Salaün
2017-04-18 23:35 ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-04-19 0:02 ` Kees Cook
2017-04-19 0:02 ` [kernel-hardening] " Kees Cook
2017-04-19 0:02 ` Kees Cook
2017-04-19 0:02 ` Kees Cook
2017-04-19 0:02 ` Kees Cook
2017-04-19 21:51 ` Mickaël Salaün
2017-04-19 21:51 ` [kernel-hardening] " Mickaël Salaün
2017-04-19 21:51 ` Mickaël Salaün
2017-04-19 21:51 ` Mickaël Salaün
2017-04-19 22:02 ` Kees Cook
2017-04-19 22:02 ` [kernel-hardening] " Kees Cook
2017-04-19 22:02 ` Kees Cook
2017-04-19 22:02 ` Kees Cook
2017-04-19 22:02 ` Kees Cook
2017-04-19 22:05 ` Mickaël Salaün
2017-04-19 22:05 ` [kernel-hardening] " Mickaël Salaün
2017-04-19 22:05 ` Mickaël Salaün
2017-04-19 22:05 ` Mickaël Salaün
2017-04-20 1:50 ` Kees Cook
2017-04-20 1:50 ` [kernel-hardening] " Kees Cook
2017-04-20 1:50 ` Kees Cook
2017-04-20 1:50 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-04-18 23:16 ` Kees Cook
2017-04-18 23:16 ` [kernel-hardening] " Kees Cook
2017-04-18 23:16 ` Kees Cook
2017-04-18 23:16 ` Kees Cook
2017-04-18 23:16 ` Kees Cook
2017-04-18 23:53 ` Mickaël Salaün
2017-04-18 23:53 ` [kernel-hardening] " Mickaël Salaün
2017-04-18 23:53 ` Mickaël Salaün
2017-04-18 23:53 ` Mickaël Salaün
2017-04-18 23:59 ` Kees Cook
2017-04-18 23:59 ` [kernel-hardening] " Kees Cook
2017-04-18 23:59 ` Kees Cook
2017-04-18 23:59 ` Kees Cook
2017-04-18 23:59 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 11/11] landlock: Add user and kernel documentation " Mickaël Salaün
2017-03-28 23:46 ` [kernel-hardening] " Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-28 23:46 ` Mickaël Salaün
2017-03-29 15:58 ` kbuild test robot
2017-03-29 15:58 ` [kernel-hardening] " kbuild test robot
2017-03-29 15:58 ` kbuild test robot
2017-03-29 15:58 ` kbuild test robot
2017-03-29 15:58 ` kbuild test robot
2017-04-18 23:26 ` [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing Kees Cook
2017-04-18 23:26 ` [kernel-hardening] " Kees Cook
2017-04-18 23:26 ` Kees Cook
2017-04-18 23:26 ` Kees Cook
2017-04-18 23:26 ` Kees Cook
2017-04-19 0:12 ` Mickaël Salaün
2017-04-19 0:12 ` [kernel-hardening] " Mickaël Salaün
2017-04-19 0:12 ` Mickaël Salaün
2017-04-19 0:12 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170328234650.19695-3-mic@digikod.net \
--to=mic@digikod.net \
--cc=acme@kernel.org \
--cc=ast@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mjg59@srcf.ucam.org \
--cc=mtk.manpages@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sargun@sargun.me \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.