1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Landlock - Network management and hooks
4 *
5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
6 * Copyright © 2022-2025 Microsoft Corporation
7 */
8
9#include <linux/in.h>
10#include <linux/lsm_audit.h>
11#include <linux/net.h>
12#include <linux/socket.h>
13#include <net/ipv6.h>
14
15#include "audit.h"
16#include "common.h"
17#include "cred.h"
18#include "limits.h"
19#include "net.h"
20#include "ruleset.h"
21
22int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
23 const u16 port, access_mask_t access_rights)
24{
25 int err;
26 const struct landlock_id id = {
27 .key.data = (__force uintptr_t)htons(port),
28 .type = LANDLOCK_KEY_NET_PORT,
29 };
30
31 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
32
33 /* Transforms relative access rights to absolute ones. */
34 access_rights |= LANDLOCK_MASK_ACCESS_NET &
35 ~landlock_get_net_access_mask(ruleset, layer_level: 0);
36
37 mutex_lock(&ruleset->lock);
38 err = landlock_insert_rule(ruleset, id, access: access_rights);
39 mutex_unlock(lock: &ruleset->lock);
40
41 return err;
42}
43
44static int current_check_access_socket(struct socket *const sock,
45 struct sockaddr *const address,
46 const int addrlen,
47 access_mask_t access_request)
48{
49 __be16 port;
50 layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
51 const struct landlock_rule *rule;
52 struct landlock_id id = {
53 .type = LANDLOCK_KEY_NET_PORT,
54 };
55 const struct access_masks masks = {
56 .net = access_request,
57 };
58 const struct landlock_cred_security *const subject =
59 landlock_get_applicable_subject(current_cred(), masks, NULL);
60 struct lsm_network_audit audit_net = {};
61
62 if (!subject)
63 return 0;
64
65 if (!sk_is_tcp(sk: sock->sk))
66 return 0;
67
68 /* Checks for minimal header length to safely read sa_family. */
69 if (addrlen < offsetofend(typeof(*address), sa_family))
70 return -EINVAL;
71
72 switch (address->sa_family) {
73 case AF_UNSPEC:
74 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
75 /*
76 * Connecting to an address with AF_UNSPEC dissolves
77 * the TCP association, which have the same effect as
78 * closing the connection while retaining the socket
79 * object (i.e., the file descriptor). As for dropping
80 * privileges, closing connections is always allowed.
81 *
82 * For a TCP access control system, this request is
83 * legitimate. Let the network stack handle potential
84 * inconsistencies and return -EINVAL if needed.
85 */
86 return 0;
87 } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
88 /*
89 * Binding to an AF_UNSPEC address is treated
90 * differently by IPv4 and IPv6 sockets. The socket's
91 * family may change under our feet due to
92 * setsockopt(IPV6_ADDRFORM), but that's ok: we either
93 * reject entirely or require
94 * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so
95 * it cannot be used to bypass the policy.
96 *
97 * IPv4 sockets map AF_UNSPEC to AF_INET for
98 * retrocompatibility for bind accesses, only if the
99 * address is INADDR_ANY (cf. __inet_bind). IPv6
100 * sockets always reject it.
101 *
102 * Checking the address is required to not wrongfully
103 * return -EACCES instead of -EAFNOSUPPORT or -EINVAL.
104 * We could return 0 and let the network stack handle
105 * these checks, but it is safer to return a proper
106 * error and test consistency thanks to kselftest.
107 */
108 if (sock->sk->__sk_common.skc_family == AF_INET) {
109 const struct sockaddr_in *const sockaddr =
110 (struct sockaddr_in *)address;
111
112 if (addrlen < sizeof(struct sockaddr_in))
113 return -EINVAL;
114
115 if (sockaddr->sin_addr.s_addr !=
116 htonl(INADDR_ANY))
117 return -EAFNOSUPPORT;
118 } else {
119 if (addrlen < SIN6_LEN_RFC2133)
120 return -EINVAL;
121 else
122 return -EAFNOSUPPORT;
123 }
124 } else {
125 WARN_ON_ONCE(1);
126 }
127 /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
128 fallthrough;
129 case AF_INET: {
130 const struct sockaddr_in *addr4;
131
132 if (addrlen < sizeof(struct sockaddr_in))
133 return -EINVAL;
134
135 addr4 = (struct sockaddr_in *)address;
136 port = addr4->sin_port;
137
138 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
139 audit_net.dport = port;
140 audit_net.v4info.daddr = addr4->sin_addr.s_addr;
141 } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
142 audit_net.sport = port;
143 audit_net.v4info.saddr = addr4->sin_addr.s_addr;
144 } else {
145 WARN_ON_ONCE(1);
146 }
147 break;
148 }
149
150#if IS_ENABLED(CONFIG_IPV6)
151 case AF_INET6: {
152 const struct sockaddr_in6 *addr6;
153
154 if (addrlen < SIN6_LEN_RFC2133)
155 return -EINVAL;
156
157 addr6 = (struct sockaddr_in6 *)address;
158 port = addr6->sin6_port;
159
160 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
161 audit_net.dport = port;
162 audit_net.v6info.daddr = addr6->sin6_addr;
163 } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
164 audit_net.sport = port;
165 audit_net.v6info.saddr = addr6->sin6_addr;
166 } else {
167 WARN_ON_ONCE(1);
168 }
169 break;
170 }
171#endif /* IS_ENABLED(CONFIG_IPV6) */
172
173 default:
174 return 0;
175 }
176
177 /*
178 * Checks sa_family consistency to not wrongfully return
179 * -EACCES instead of -EINVAL. Valid sa_family changes are
180 * only (from AF_INET or AF_INET6) to AF_UNSPEC.
181 *
182 * We could return 0 and let the network stack handle this
183 * check, but it is safer to return a proper error and test
184 * consistency thanks to kselftest.
185 */
186 if (address->sa_family != sock->sk->__sk_common.skc_family &&
187 address->sa_family != AF_UNSPEC)
188 return -EINVAL;
189
190 id.key.data = (__force uintptr_t)port;
191 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
192
193 rule = landlock_find_rule(ruleset: subject->domain, id);
194 access_request = landlock_init_layer_masks(domain: subject->domain,
195 access_request, layer_masks: &layer_masks,
196 key_type: LANDLOCK_KEY_NET_PORT);
197 if (landlock_unmask_layers(rule, access_request, layer_masks: &layer_masks,
198 ARRAY_SIZE(layer_masks)))
199 return 0;
200
201 audit_net.family = address->sa_family;
202 landlock_log_denial(subject,
203 request: &(struct landlock_request){
204 .type = LANDLOCK_REQUEST_NET_ACCESS,
205 .audit.type = LSM_AUDIT_DATA_NET,
206 .audit.u.net = &audit_net,
207 .access = access_request,
208 .layer_masks = &layer_masks,
209 .layer_masks_size = ARRAY_SIZE(layer_masks),
210 });
211 return -EACCES;
212}
213
214static int hook_socket_bind(struct socket *const sock,
215 struct sockaddr *const address, const int addrlen)
216{
217 return current_check_access_socket(sock, address, addrlen,
218 LANDLOCK_ACCESS_NET_BIND_TCP);
219}
220
221static int hook_socket_connect(struct socket *const sock,
222 struct sockaddr *const address,
223 const int addrlen)
224{
225 return current_check_access_socket(sock, address, addrlen,
226 LANDLOCK_ACCESS_NET_CONNECT_TCP);
227}
228
229static struct security_hook_list landlock_hooks[] __ro_after_init = {
230 LSM_HOOK_INIT(socket_bind, hook_socket_bind),
231 LSM_HOOK_INIT(socket_connect, hook_socket_connect),
232};
233
234__init void landlock_add_net_hooks(void)
235{
236 security_add_hooks(hooks: landlock_hooks, ARRAY_SIZE(landlock_hooks),
237 lsmid: &landlock_lsmid);
238}
239

source code of linux/security/landlock/net.c