security/landlock/ptrace.c

62306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only
62306a36Sopenharmony_ci/*
62306a36Sopenharmony_ci * Landlock LSM - Ptrace hooks
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
62306a36Sopenharmony_ci * Copyright © 2019-2020 ANSSI
62306a36Sopenharmony_ci */
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#include <asm/current.h>
62306a36Sopenharmony_ci#include <linux/cred.h>
62306a36Sopenharmony_ci#include <linux/errno.h>
62306a36Sopenharmony_ci#include <linux/kernel.h>
62306a36Sopenharmony_ci#include <linux/lsm_hooks.h>
62306a36Sopenharmony_ci#include <linux/rcupdate.h>
62306a36Sopenharmony_ci#include <linux/sched.h>
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#include "common.h"
62306a36Sopenharmony_ci#include "cred.h"
62306a36Sopenharmony_ci#include "ptrace.h"
62306a36Sopenharmony_ci#include "ruleset.h"
62306a36Sopenharmony_ci#include "setup.h"
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci/**
62306a36Sopenharmony_ci * domain_scope_le - Checks domain ordering for scoped ptrace
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * @parent: Parent domain.
62306a36Sopenharmony_ci * @child: Potential child of @parent.
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Checks if the @parent domain is less or equal to (i.e. an ancestor, which
62306a36Sopenharmony_ci * means a subset of) the @child domain.
62306a36Sopenharmony_ci */
62306a36Sopenharmony_cistatic bool domain_scope_le(const struct landlock_ruleset *const parent,
62306a36Sopenharmony_ci			    const struct landlock_ruleset *const child)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	const struct landlock_hierarchy *walker;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	if (!parent)
62306a36Sopenharmony_ci		return true;
62306a36Sopenharmony_ci	if (!child)
62306a36Sopenharmony_ci		return false;
62306a36Sopenharmony_ci	for (walker = child->hierarchy; walker; walker = walker->parent) {
62306a36Sopenharmony_ci		if (walker == parent->hierarchy)
62306a36Sopenharmony_ci			/* @parent is in the scoped hierarchy of @child. */
62306a36Sopenharmony_ci			return true;
62306a36Sopenharmony_ci	}
62306a36Sopenharmony_ci	/* There is no relationship between @parent and @child. */
62306a36Sopenharmony_ci	return false;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic bool task_is_scoped(const struct task_struct *const parent,
62306a36Sopenharmony_ci			   const struct task_struct *const child)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	bool is_scoped;
62306a36Sopenharmony_ci	const struct landlock_ruleset *dom_parent, *dom_child;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	rcu_read_lock();
62306a36Sopenharmony_ci	dom_parent = landlock_get_task_domain(parent);
62306a36Sopenharmony_ci	dom_child = landlock_get_task_domain(child);
62306a36Sopenharmony_ci	is_scoped = domain_scope_le(dom_parent, dom_child);
62306a36Sopenharmony_ci	rcu_read_unlock();
62306a36Sopenharmony_ci	return is_scoped;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic int task_ptrace(const struct task_struct *const parent,
62306a36Sopenharmony_ci		       const struct task_struct *const child)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	/* Quick return for non-landlocked tasks. */
62306a36Sopenharmony_ci	if (!landlocked(parent))
62306a36Sopenharmony_ci		return 0;
62306a36Sopenharmony_ci	if (task_is_scoped(parent, child))
62306a36Sopenharmony_ci		return 0;
62306a36Sopenharmony_ci	return -EPERM;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci/**
62306a36Sopenharmony_ci * hook_ptrace_access_check - Determines whether the current process may access
62306a36Sopenharmony_ci *			      another
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * @child: Process to be accessed.
62306a36Sopenharmony_ci * @mode: Mode of attachment.
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * If the current task has Landlock rules, then the child must have at least
62306a36Sopenharmony_ci * the same rules.  Else denied.
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Determines whether a process may access another, returning 0 if permission
62306a36Sopenharmony_ci * granted, -errno if denied.
62306a36Sopenharmony_ci */
62306a36Sopenharmony_cistatic int hook_ptrace_access_check(struct task_struct *const child,
62306a36Sopenharmony_ci				    const unsigned int mode)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	return task_ptrace(current, child);
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci/**
62306a36Sopenharmony_ci * hook_ptrace_traceme - Determines whether another process may trace the
62306a36Sopenharmony_ci *			 current one
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * @parent: Task proposed to be the tracer.
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * If the parent has Landlock rules, then the current task must have the same
62306a36Sopenharmony_ci * or more rules.  Else denied.
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Determines whether the nominated task is permitted to trace the current
62306a36Sopenharmony_ci * process, returning 0 if permission is granted, -errno if denied.
62306a36Sopenharmony_ci */
62306a36Sopenharmony_cistatic int hook_ptrace_traceme(struct task_struct *const parent)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	return task_ptrace(parent, current);
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic struct security_hook_list landlock_hooks[] __ro_after_init = {
62306a36Sopenharmony_ci	LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
62306a36Sopenharmony_ci	LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci__init void landlock_add_ptrace_hooks(void)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
62306a36Sopenharmony_ci			   LANDLOCK_NAME);
62306a36Sopenharmony_ci}