1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 /* 3 * Landlock - User space API 4 * 5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> 6 * Copyright © 2018-2020 ANSSI 7 * Copyright © 2021-2025 Microsoft Corporation 8 */ 9 10 #ifndef _UAPI_LINUX_LANDLOCK_H 11 #define _UAPI_LINUX_LANDLOCK_H 12 13 #include <linux/types.h> 14 15 /** 16 * struct landlock_ruleset_attr - Ruleset definition. 17 * 18 * Argument of sys_landlock_create_ruleset(). 19 * 20 * This structure defines a set of *handled access rights*, a set of actions on 21 * different object types, which should be denied by default when the ruleset is 22 * enacted. Vice versa, access rights that are not specifically listed here are 23 * not going to be denied by this ruleset when it is enacted. 24 * 25 * For historical reasons, the %LANDLOCK_ACCESS_FS_REFER right is always denied 26 * by default, even when its bit is not set in @handled_access_fs. In order to 27 * add new rules with this access right, the bit must still be set explicitly 28 * (cf. `Filesystem flags`_). 29 * 30 * The explicit listing of *handled access rights* is required for backwards 31 * compatibility reasons. In most use cases, processes that use Landlock will 32 * *handle* a wide range or all access rights that they know about at build time 33 * (and that they have tested with a kernel that supported them all). 34 * 35 * This structure can grow in future Landlock versions. 36 */ 37 struct landlock_ruleset_attr { 38 /** 39 * @handled_access_fs: Bitmask of handled filesystem actions 40 * (cf. `Filesystem flags`_). 41 */ 42 __u64 handled_access_fs; 43 /** 44 * @handled_access_net: Bitmask of handled network actions (cf. `Network 45 * flags`_). 46 */ 47 __u64 handled_access_net; 48 /** 49 * @scoped: Bitmask of scopes (cf. `Scope flags`_) 50 * restricting a Landlock domain from accessing outside 51 * resources (e.g. IPCs). 52 */ 53 __u64 scoped; 54 }; 55 56 /** 57 * DOC: landlock_create_ruleset_flags 58 * 59 * **Flags** 60 * 61 * %LANDLOCK_CREATE_RULESET_VERSION 62 * Get the highest supported Landlock ABI version (starting at 1). 63 * 64 * %LANDLOCK_CREATE_RULESET_ERRATA 65 * Get a bitmask of fixed issues for the current Landlock ABI version. 66 */ 67 /* clang-format off */ 68 #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) 69 #define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) 70 /* clang-format on */ 71 72 /** 73 * DOC: landlock_restrict_self_flags 74 * 75 * **Flags** 76 * 77 * By default, denied accesses originating from programs that sandbox themselves 78 * are logged via the audit subsystem. Such events typically indicate unexpected 79 * behavior, such as bugs or exploitation attempts. However, to avoid excessive 80 * logging, access requests denied by a domain not created by the originating 81 * program are not logged by default. The rationale is that programs should know 82 * their own behavior, but not necessarily the behavior of other programs. This 83 * default configuration is suitable for most programs that sandbox themselves. 84 * For specific use cases, the following flags allow programs to modify this 85 * default logging behavior. 86 * 87 * The %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and 88 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flags apply to the newly created 89 * Landlock domain. 90 * 91 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF 92 * Disables logging of denied accesses originating from the thread creating 93 * the Landlock domain, as well as its children, as long as they continue 94 * running the same executable code (i.e., without an intervening 95 * :manpage:`execve(2)` call). This is intended for programs that execute 96 * unknown code without invoking :manpage:`execve(2)`, such as script 97 * interpreters. Programs that only sandbox themselves should not set this 98 * flag, so users can be notified of unauthorized access attempts via system 99 * logs. 100 * 101 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON 102 * Enables logging of denied accesses after an :manpage:`execve(2)` call, 103 * providing visibility into unauthorized access attempts by newly executed 104 * programs within the created Landlock domain. This flag is recommended 105 * only when all potential executables in the domain are expected to comply 106 * with the access restrictions, as excessive audit log entries could make 107 * it more difficult to identify critical events. 108 * 109 * %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF 110 * Disables logging of denied accesses originating from nested Landlock 111 * domains created by the caller or its descendants. This flag should be set 112 * according to runtime configuration, not hardcoded, to avoid suppressing 113 * important security events. It is useful for container runtimes or 114 * sandboxing tools that may launch programs which themselves create 115 * Landlock domains and could otherwise generate excessive logs. Unlike 116 * ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects 117 * future nested domains, not the one being created. It can also be used 118 * with a @ruleset_fd value of -1 to mute subdomain logs without creating a 119 * domain. When combined with %LANDLOCK_RESTRICT_SELF_TSYNC and a 120 * @ruleset_fd value of -1, this configuration is propagated to all threads 121 * of the current process. 122 * 123 * The following flag supports policy enforcement in multithreaded processes: 124 * 125 * %LANDLOCK_RESTRICT_SELF_TSYNC 126 * Applies the new Landlock configuration atomically to all threads of the 127 * current process, including the Landlock domain and logging 128 * configuration. This overrides the Landlock configuration of sibling 129 * threads, irrespective of previously established Landlock domains and 130 * logging configurations on these threads. 131 * 132 * If the calling thread is running with no_new_privs, this operation 133 * enables no_new_privs on the sibling threads as well. 134 */ 135 /* clang-format off */ 136 #define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF (1U << 0) 137 #define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON (1U << 1) 138 #define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2) 139 #define LANDLOCK_RESTRICT_SELF_TSYNC (1U << 3) 140 /* clang-format on */ 141 142 /** 143 * enum landlock_rule_type - Landlock rule type 144 * 145 * Argument of sys_landlock_add_rule(). 146 */ 147 enum landlock_rule_type { 148 /** 149 * @LANDLOCK_RULE_PATH_BENEATH: Type of a &struct 150 * landlock_path_beneath_attr . 151 */ 152 LANDLOCK_RULE_PATH_BENEATH = 1, 153 /** 154 * @LANDLOCK_RULE_NET_PORT: Type of a &struct 155 * landlock_net_port_attr . 156 */ 157 LANDLOCK_RULE_NET_PORT, 158 }; 159 160 /** 161 * struct landlock_path_beneath_attr - Path hierarchy definition 162 * 163 * Argument of sys_landlock_add_rule(). 164 */ 165 struct landlock_path_beneath_attr { 166 /** 167 * @allowed_access: Bitmask of allowed actions for this file hierarchy 168 * (cf. `Filesystem flags`_). 169 */ 170 __u64 allowed_access; 171 /** 172 * @parent_fd: File descriptor, preferably opened with ``O_PATH``, 173 * which identifies the parent directory of a file hierarchy, or just a 174 * file. 175 */ 176 __s32 parent_fd; 177 /* 178 * This struct is packed to avoid trailing reserved members. 179 * Cf. security/landlock/syscalls.c:build_check_abi() 180 */ 181 } __attribute__((packed)); 182 183 /** 184 * struct landlock_net_port_attr - Network port definition 185 * 186 * Argument of sys_landlock_add_rule(). 187 */ 188 struct landlock_net_port_attr { 189 /** 190 * @allowed_access: Bitmask of allowed network actions for a port 191 * (cf. `Network flags`_). 192 */ 193 __u64 allowed_access; 194 /** 195 * @port: Network port in host endianness. 196 * 197 * It should be noted that port 0 passed to :manpage:`bind(2)` will bind 198 * to an available port from the ephemeral port range. This can be 199 * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl 200 * (also used for IPv6), and within that range, on a per-socket basis 201 * with ``setsockopt(IP_LOCAL_PORT_RANGE)``. 202 * 203 * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP 204 * right means that requesting to bind on port 0 is allowed and it will 205 * automatically translate to binding on a kernel-assigned ephemeral 206 * port. 207 */ 208 __u64 port; 209 }; 210 211 /** 212 * DOC: fs_access 213 * 214 * A set of actions on kernel objects may be defined by an attribute (e.g. 215 * &struct landlock_path_beneath_attr) including a bitmask of access. 216 * 217 * Filesystem flags 218 * ~~~~~~~~~~~~~~~~ 219 * 220 * These flags enable to restrict a sandboxed process to a set of actions on 221 * files and directories. Files or directories opened before the sandboxing 222 * are not subject to these restrictions. 223 * 224 * The following access rights apply only to files: 225 * 226 * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. 227 * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When 228 * opening files for writing, you will often additionally need the 229 * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls 230 * truncate existing files when overwriting them (e.g., :manpage:`creat(2)`). 231 * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. 232 * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, 233 * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with 234 * ``O_TRUNC``. This access right is available since the third version of the 235 * Landlock ABI. 236 * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened 237 * character or block device. 238 * 239 * This access right applies to all `ioctl(2)` commands implemented by device 240 * drivers. However, the following common IOCTL commands continue to be 241 * invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right: 242 * 243 * * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``), 244 * * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``), 245 * * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, 246 * ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``) 247 * * Some IOCTL commands which do not make sense when used with devices, but 248 * whose implementations are safe and return the right error codes 249 * (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) 250 * 251 * This access right is available since the fifth version of the Landlock 252 * ABI. 253 * - %LANDLOCK_ACCESS_FS_RESOLVE_UNIX: Look up pathname UNIX domain sockets 254 * (:manpage:`unix(7)`). On UNIX domain sockets, this restricts both calls to 255 * :manpage:`connect(2)` as well as calls to :manpage:`sendmsg(2)` with an 256 * explicit recipient address. 257 * 258 * This access right only applies to connections to UNIX server sockets which 259 * were created outside of the newly created Landlock domain (e.g. from within 260 * a parent domain or from an unrestricted process). Newly created UNIX 261 * servers within the same Landlock domain continue to be accessible. In this 262 * regard, %LANDLOCK_ACCESS_FS_RESOLVE_UNIX has the same semantics as the 263 * ``LANDLOCK_SCOPE_*`` flags. 264 * 265 * If a resolve attempt is denied, the operation returns an ``EACCES`` error, 266 * in line with other filesystem access rights (but different to denials for 267 * abstract UNIX domain sockets). 268 * 269 * This access right is available since the ninth version of the Landlock ABI. 270 * 271 * The rationale for this design is described in 272 * :ref:`Documentation/security/landlock.rst <scoped-flags-interaction>`. 273 * 274 * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used 275 * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as 276 * read and write permissions are checked during :manpage:`open(2)` using 277 * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. 278 * 279 * A directory can receive access rights related to files or directories. The 280 * following access right is applied to the directory itself, and the 281 * directories beneath it: 282 * 283 * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content. 284 * 285 * However, the following access rights only apply to the content of a 286 * directory, not the directory itself: 287 * 288 * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one. 289 * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file. 290 * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character 291 * device. 292 * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory. 293 * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file. 294 * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain 295 * socket. 296 * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe. 297 * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device. 298 * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link. 299 * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different 300 * directory (i.e. reparent a file hierarchy). 301 * 302 * This access right is available since the second version of the Landlock 303 * ABI. 304 * 305 * This is the only access right which is denied by default by any ruleset, 306 * even if the right is not specified as handled at ruleset creation time. 307 * The only way to make a ruleset grant this right is to explicitly allow it 308 * for a specific directory by adding a matching rule to the ruleset. 309 * 310 * In particular, when using the first Landlock ABI version, Landlock will 311 * always deny attempts to reparent files between different directories. 312 * 313 * In addition to the source and destination directories having the 314 * %LANDLOCK_ACCESS_FS_REFER access right, the attempted link or rename 315 * operation must meet the following constraints: 316 * 317 * * The reparented file may not gain more access rights in the destination 318 * directory than it previously had in the source directory. If this is 319 * attempted, the operation results in an ``EXDEV`` error. 320 * 321 * * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the 322 * respective file type must be granted for the destination directory. 323 * Otherwise, the operation results in an ``EACCES`` error. 324 * 325 * * When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the 326 * respective file type must be granted for the source directory. Otherwise, 327 * the operation results in an ``EACCES`` error. 328 * 329 * If multiple requirements are not met, the ``EACCES`` error code takes 330 * precedence over ``EXDEV``. 331 * 332 * .. warning:: 333 * 334 * It is currently not possible to restrict some file-related actions 335 * accessible through these syscall families: :manpage:`chdir(2)`, 336 * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, 337 * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, 338 * :manpage:`fcntl(2)`, :manpage:`access(2)`. 339 * Future Landlock evolutions will enable to restrict them. 340 */ 341 /* clang-format off */ 342 #define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) 343 #define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) 344 #define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) 345 #define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) 346 #define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4) 347 #define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5) 348 #define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6) 349 #define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7) 350 #define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8) 351 #define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9) 352 #define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10) 353 #define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11) 354 #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) 355 #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) 356 #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) 357 #define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) 358 #define LANDLOCK_ACCESS_FS_RESOLVE_UNIX (1ULL << 16) 359 /* clang-format on */ 360 361 /** 362 * DOC: net_access 363 * 364 * Network flags 365 * ~~~~~~~~~~~~~~~~ 366 * 367 * These flags enable to restrict a sandboxed process to a set of network 368 * actions. 369 * 370 * The following access rights apply to TCP port numbers: 371 * 372 * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind TCP sockets to the given local 373 * port. Support added in Landlock ABI version 4. 374 * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect TCP sockets to the given 375 * remote port. Support added in Landlock ABI version 4. 376 */ 377 /* clang-format off */ 378 #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) 379 #define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) 380 /* clang-format on */ 381 382 /** 383 * DOC: scope 384 * 385 * Scope flags 386 * ~~~~~~~~~~~ 387 * 388 * These flags enable to isolate a sandboxed process from a set of IPC actions. 389 * Setting a flag for a ruleset will isolate the Landlock domain to forbid 390 * connections to resources outside the domain. 391 * 392 * This is supported since Landlock ABI version 6. 393 * 394 * Scopes: 395 * 396 * - %LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process from 397 * connecting to an abstract UNIX socket created by a process outside the 398 * related Landlock domain (e.g., a parent domain or a non-sandboxed process). 399 * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal 400 * to another process outside the domain. 401 */ 402 /* clang-format off */ 403 #define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0) 404 #define LANDLOCK_SCOPE_SIGNAL (1ULL << 1) 405 /* clang-format on*/ 406 407 #endif /* _UAPI_LINUX_LANDLOCK_H */ 408