snac2

Fork of https://codeberg.org/grunfink/snac2
git clone https://git.inz.fi/snac2
Log | Files | Refs | README | LICENSE

landloc.h (7792B)

      1 /**
      2  *  Zero-Clause BSD
      3  *  ===============
      4  *
      5  *  Copyright 2024 shtrophic <christoph@liebender.dev>
      6  *
      7  *  Permission to use, copy, modify, and/or distribute this software for
      8  *  any purpose with or without fee is hereby granted.
      9  *
     10  *  THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
     11  *  WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
     12  *  OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
     13  *  FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
     14  *  DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
     15  *  AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
     16  *  OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     17  *
     18  */
     19 
     20 /**
     21  * Repository: https://git.sr.ht/~shtrophic/landloc.h
     22  */
     23 
     24 /**
     25  * Usage:
     26  *
     27  * Define a sandboxing function using the LL_BEGIN(...) and LL_END macros.
     28  * the arguments of LL_BEGIN are the function's signature.
     29  * Between those macros, implement your sandbox using LL_PATH() and LL_PORT() macros.
     30  * Calling LL_PATH() and LL_PORT() anywhere else will not work.
     31  * You may prepend `static` before LL_BEGIN to make the function static.
     32  * You need (should) wrap your sandboxing code in another set of braces:
     33  *
     34 LL_BEGIN(my_sandbox_function, const char *rw_path) {
     35 
     36     LL_PATH(rw_path, LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_EXECUTE);
     37     LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);
     38 
     39 } LL_END
     40 
     41  *
     42  * Then, call it in your application's code.
     43  *
     44 
     45 int main(void) {
     46 
     47     int status = my_sandbox_function("some/path");
     48 
     49     if (status != 0) {
     50         // error
     51     }
     52 
     53 }
     54 
     55  *
     56  * You may define LL_PRINTERR(fmt, ...) before including this header to enable debug output:
     57  *
     58 
     59 #define LL_PRINTERR(fmt, ...) fprintf(stderr, fmt "\n", __VA_ARGS__)
     60 #include "landloc.h"
     61 
     62  */
     63 
     64 #ifndef __LANDLOC_H__
     65 #define __LANDLOC_H__
     66 
     67 #ifndef __linux__
     68 #   error "no landlock without linux"
     69 #endif
     70 
     71 #include <linux/version.h>
     72 
     73 #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 13, 0)
     74 #   error "no landlock on kernels older than 5.13.0"
     75 #endif
     76 
     77 #include <unistd.h>
     78 #include <linux/landlock.h>
     79 #include <sys/syscall.h>
     80 #include <sys/prctl.h>
     81 #include <fcntl.h>
     82 
     83 #ifndef O_PATH
     84 #   define O_PATH		010000000
     85 #endif
     86 
     87 #ifndef LL_PRINTERR
     88 #   define LL_PRINTERR(fmt, ...) (void)fmt;
     89 #else
     90 #   include <string.h>
     91 #   include <errno.h>
     92 #endif
     93 
     94 #ifdef LANDLOCK_ACCESS_FS_REFER
     95 #   define LANDLOCK_ACCESS_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
     96 #   define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER_COMPAT
     97 #else
     98 #   define LANDLOCK_ACCESS_FS_REFER_COMPAT 0
     99 #   define __LL_SWITCH_FS_REFER (void)0
    100 #endif
    101 
    102 #ifdef LANDLOCK_ACCESS_FS_TRUNCATE
    103 #   define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
    104 #   define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT
    105 #else
    106 #   define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT 0
    107 #   define __LL_SWITCH_FS_TRUNCATE (void)0
    108 #endif
    109 
    110 #ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
    111 #   define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
    112 #   define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT
    113 #else
    114 #   define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT 0
    115 #   define __LL_SWITCH_FS_IOCTL_DEV (void)0
    116 #endif
    117 
    118 #define LL_FS_ALL                           (\
    119     LANDLOCK_ACCESS_FS_EXECUTE              |\
    120     LANDLOCK_ACCESS_FS_WRITE_FILE           |\
    121     LANDLOCK_ACCESS_FS_READ_FILE            |\
    122     LANDLOCK_ACCESS_FS_READ_DIR             |\
    123     LANDLOCK_ACCESS_FS_REMOVE_DIR           |\
    124     LANDLOCK_ACCESS_FS_REMOVE_FILE          |\
    125     LANDLOCK_ACCESS_FS_MAKE_CHAR            |\
    126     LANDLOCK_ACCESS_FS_MAKE_DIR             |\
    127     LANDLOCK_ACCESS_FS_MAKE_REG             |\
    128     LANDLOCK_ACCESS_FS_MAKE_SOCK            |\
    129     LANDLOCK_ACCESS_FS_MAKE_FIFO            |\
    130     LANDLOCK_ACCESS_FS_MAKE_BLOCK           |\
    131     LANDLOCK_ACCESS_FS_MAKE_SYM             |\
    132     LANDLOCK_ACCESS_FS_REFER_COMPAT         |\
    133     LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT      |\
    134     LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT     )
    135 
    136 #if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
    137 #   define LL_HAVE_NET 1
    138 
    139 #   define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT LANDLOCK_ACCESS_NET_BIND_TCP
    140 #   define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT LANDLOCK_ACCESS_NET_CONNECT_TCP
    141 
    142 #   define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT | LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT)
    143 #   define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
    144 #   define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
    145 #   define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
    146 #else
    147 #   define LL_HAVE_NET 0
    148 
    149 #   define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT 0
    150 #   define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT 0
    151 
    152 #   define LL_NET_ALL 0
    153 #   define __LL_DECLARE_NET (void)0
    154 #   define __LL_INIT_NET (void)0
    155 #   define __LL_SWITCH_NET (void)0
    156 #endif
    157 
    158 #define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
    159     int ll_rule_fd, ll_abi;\
    160     struct landlock_ruleset_attr      __rattr = {0};\
    161     struct landlock_path_beneath_attr __pattr = {0};\
    162     __LL_DECLARE_NET;\
    163     int __err = 0;\
    164     __rattr.handled_access_fs  = LL_FS_ALL;\
    165     __LL_INIT_NET;\
    166     ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
    167     switch (ll_abi) {\
    168     case -1: return -1;\
    169     case  1: __LL_SWITCH_FS_REFER; __attribute__((fallthrough));\
    170     case  2: __LL_SWITCH_FS_TRUNCATE; __attribute__((fallthrough));\
    171     case  3: __LL_SWITCH_NET; __attribute__((fallthrough));\
    172     case  4: __LL_SWITCH_FS_IOCTL_DEV;\
    173     default: break;\
    174     }\
    175     ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
    176     if (-1 == ll_rule_fd) {\
    177         LL_PRINTERR("landlock_create_ruleset: %s", strerror(errno));\
    178         return -1;\
    179     }
    180 
    181 #define LL_END \
    182     __err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);\
    183     if (-1 == __err) {\
    184         LL_PRINTERR("set_no_new_privs: %s", strerror(errno));\
    185         goto __close;\
    186     }\
    187     __err = (int)syscall(SYS_landlock_restrict_self, ll_rule_fd, 0);\
    188     if (__err)\
    189         LL_PRINTERR("landlock_restrict_self: %s", strerror(errno));\
    190     __close: close(ll_rule_fd);\
    191     return __err; }
    192 
    193 #define LL_PATH(p, rules) do {\
    194     const char *__path = (p);\
    195     __pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
    196     if (__pattr.allowed_access != 0) {\
    197         __pattr.parent_fd = open(__path, O_PATH | O_CLOEXEC);\
    198         if (-1 == __pattr.parent_fd) {\
    199             LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
    200             __err = -1;\
    201             goto __close;\
    202         }\
    203         __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
    204         if (__err) {\
    205             LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
    206             goto __close;\
    207         }\
    208         close(__pattr.parent_fd);\
    209     }\
    210 } while (0)
    211 
    212 #if LL_HAVE_NET
    213 
    214 #define LL_PORT(p, rules) do {\
    215     unsigned short __port = (p);\
    216     __nattr.allowed_access = (rules);\
    217     if (ll_abi > 3 && __nattr.allowed_access != 0) {\
    218         __nattr.port = __port;\
    219         __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
    220         if (__err) {\
    221             LL_PRINTERR("landlock_add_rule(%u): %s", __port, strerror(errno));\
    222             goto __close;\
    223         }\
    224     }\
    225 } while (0)
    226 
    227 #else
    228 
    229 #define LL_PORT(p, rules) do {\
    230     unsigned short __port = (p);\
    231     __u64 __rules = (rules);\
    232     (void)__port;\
    233     (void)__rules;\
    234 } while (0)
    235 
    236 #endif /* LL_HAVE_NET */
    237 
    238 #endif /* __LANDLOC_H__ */