cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

landlock.h (6419B)

      1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
      2/*
      3 * Landlock - User space API
      4 *
      5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
      6 * Copyright © 2018-2020 ANSSI
      7 */
      8
      9#ifndef _UAPI_LINUX_LANDLOCK_H
     10#define _UAPI_LINUX_LANDLOCK_H
     11
     12#include <linux/types.h>
     13
     14/**
     15 * struct landlock_ruleset_attr - Ruleset definition
     16 *
     17 * Argument of sys_landlock_create_ruleset().  This structure can grow in
     18 * future versions.
     19 */
     20struct landlock_ruleset_attr {
     21	/**
     22	 * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_)
     23	 * that is handled by this ruleset and should then be forbidden if no
     24	 * rule explicitly allow them: it is a deny-by-default list that should
     25	 * contain as much Landlock access rights as possible. Indeed, all
     26	 * Landlock filesystem access rights that are not part of
     27	 * handled_access_fs are allowed.  This is needed for backward
     28	 * compatibility reasons.  One exception is the
     29	 * LANDLOCK_ACCESS_FS_REFER access right, which is always implicitly
     30	 * handled, but must still be explicitly handled to add new rules with
     31	 * this access right.
     32	 */
     33	__u64 handled_access_fs;
     34};
     35
     36/*
     37 * sys_landlock_create_ruleset() flags:
     38 *
     39 * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
     40 *   version.
     41 */
     42/* clang-format off */
     43#define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
     44/* clang-format on */
     45
     46/**
     47 * enum landlock_rule_type - Landlock rule type
     48 *
     49 * Argument of sys_landlock_add_rule().
     50 */
     51enum landlock_rule_type {
     52	/**
     53	 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct
     54	 * landlock_path_beneath_attr .
     55	 */
     56	LANDLOCK_RULE_PATH_BENEATH = 1,
     57};
     58
     59/**
     60 * struct landlock_path_beneath_attr - Path hierarchy definition
     61 *
     62 * Argument of sys_landlock_add_rule().
     63 */
     64struct landlock_path_beneath_attr {
     65	/**
     66	 * @allowed_access: Bitmask of allowed actions for this file hierarchy
     67	 * (cf. `Filesystem flags`_).
     68	 */
     69	__u64 allowed_access;
     70	/**
     71	 * @parent_fd: File descriptor, preferably opened with ``O_PATH``,
     72	 * which identifies the parent directory of a file hierarchy, or just a
     73	 * file.
     74	 */
     75	__s32 parent_fd;
     76	/*
     77	 * This struct is packed to avoid trailing reserved members.
     78	 * Cf. security/landlock/syscalls.c:build_check_abi()
     79	 */
     80} __attribute__((packed));
     81
     82/**
     83 * DOC: fs_access
     84 *
     85 * A set of actions on kernel objects may be defined by an attribute (e.g.
     86 * &struct landlock_path_beneath_attr) including a bitmask of access.
     87 *
     88 * Filesystem flags
     89 * ~~~~~~~~~~~~~~~~
     90 *
     91 * These flags enable to restrict a sandboxed process to a set of actions on
     92 * files and directories.  Files or directories opened before the sandboxing
     93 * are not subject to these restrictions.
     94 *
     95 * A file can only receive these access rights:
     96 *
     97 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
     98 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
     99 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
    100 *
    101 * A directory can receive access rights related to files or directories.  The
    102 * following access right is applied to the directory itself, and the
    103 * directories beneath it:
    104 *
    105 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
    106 *
    107 * However, the following access rights only apply to the content of a
    108 * directory, not the directory itself:
    109 *
    110 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
    111 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
    112 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
    113 *   device.
    114 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
    115 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
    116 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
    117 *   socket.
    118 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
    119 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
    120 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
    121 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
    122 *   directory (i.e. reparent a file hierarchy).  This access right is
    123 *   available since the second version of the Landlock ABI.  This is also the
    124 *   only access right which is always considered handled by any ruleset in
    125 *   such a way that reparenting a file hierarchy is always denied by default.
    126 *   To avoid privilege escalation, it is not enough to add a rule with this
    127 *   access right.  When linking or renaming a file, the destination directory
    128 *   hierarchy must also always have the same or a superset of restrictions of
    129 *   the source hierarchy.  If it is not the case, or if the domain doesn't
    130 *   handle this access right, such actions are denied by default with errno
    131 *   set to EXDEV.  Linking also requires a LANDLOCK_ACCESS_FS_MAKE_* access
    132 *   right on the destination directory, and renaming also requires a
    133 *   LANDLOCK_ACCESS_FS_REMOVE_* access right on the source's (file or
    134 *   directory) parent.  Otherwise, such actions are denied with errno set to
    135 *   EACCES.  The EACCES errno prevails over EXDEV to let user space
    136 *   efficiently deal with an unrecoverable error.
    137 *
    138 * .. warning::
    139 *
    140 *   It is currently not possible to restrict some file-related actions
    141 *   accessible through these syscall families: :manpage:`chdir(2)`,
    142 *   :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
    143 *   :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
    144 *   :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
    145 *   :manpage:`access(2)`.
    146 *   Future Landlock evolutions will enable to restrict them.
    147 */
    148/* clang-format off */
    149#define LANDLOCK_ACCESS_FS_EXECUTE			(1ULL << 0)
    150#define LANDLOCK_ACCESS_FS_WRITE_FILE			(1ULL << 1)
    151#define LANDLOCK_ACCESS_FS_READ_FILE			(1ULL << 2)
    152#define LANDLOCK_ACCESS_FS_READ_DIR			(1ULL << 3)
    153#define LANDLOCK_ACCESS_FS_REMOVE_DIR			(1ULL << 4)
    154#define LANDLOCK_ACCESS_FS_REMOVE_FILE			(1ULL << 5)
    155#define LANDLOCK_ACCESS_FS_MAKE_CHAR			(1ULL << 6)
    156#define LANDLOCK_ACCESS_FS_MAKE_DIR			(1ULL << 7)
    157#define LANDLOCK_ACCESS_FS_MAKE_REG			(1ULL << 8)
    158#define LANDLOCK_ACCESS_FS_MAKE_SOCK			(1ULL << 9)
    159#define LANDLOCK_ACCESS_FS_MAKE_FIFO			(1ULL << 10)
    160#define LANDLOCK_ACCESS_FS_MAKE_BLOCK			(1ULL << 11)
    161#define LANDLOCK_ACCESS_FS_MAKE_SYM			(1ULL << 12)
    162#define LANDLOCK_ACCESS_FS_REFER			(1ULL << 13)
    163/* clang-format on */
    164
    165#endif /* _UAPI_LINUX_LANDLOCK_H */