landlock: Add abstract UNIX socket scoping

	 * flags`_).

	 */

	__u64 handled_access_net;

	/**

	 * @scoped: Bitmask of scopes (cf. `Scope flags`_)

	 * restricting a Landlock domain from accessing outside

	 * resources (e.g. IPCs).

	 */

	__u64 scoped;

};

/*

#define LANDLOCK_ACCESS_NET_BIND_TCP			(1ULL << 0)

#define LANDLOCK_ACCESS_NET_CONNECT_TCP			(1ULL << 1)

/* clang-format on */

/**

 * DOC: scope

 *

 * Scope flags

 * ~~~~~~~~~~~

 *

 * These flags enable to isolate a sandboxed process from a set of IPC actions.

 * Setting a flag for a ruleset will isolate the Landlock domain to forbid

 * connections to resources outside the domain.

 *

 * Scopes:

 *

 * - %LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process from

 *   connecting to an abstract UNIX socket created by a process outside the

 *   related Landlock domain (e.g. a parent domain or a non-sandboxed process).

 */

/* clang-format off */

#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET		(1ULL << 0)

/* clang-format on*/

#endif /* _UAPI_LINUX_LANDLOCK_H */

#define LANDLOCK_MASK_ACCESS_NET	((LANDLOCK_LAST_ACCESS_NET << 1) - 1)

#define LANDLOCK_NUM_ACCESS_NET		__const_hweight64(LANDLOCK_MASK_ACCESS_NET)

#define LANDLOCK_LAST_SCOPE		LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET

#define LANDLOCK_MASK_SCOPE		((LANDLOCK_LAST_SCOPE << 1) - 1)

#define LANDLOCK_NUM_SCOPE		__const_hweight64(LANDLOCK_MASK_SCOPE)

/* clang-format on */

#endif /* _SECURITY_LANDLOCK_LIMITS_H */

struct landlock_ruleset *

landlock_create_ruleset(const access_mask_t fs_access_mask,

			const access_mask_t net_access_mask)

			const access_mask_t net_access_mask,

			const access_mask_t scope_mask)

{

	struct landlock_ruleset *new_ruleset;

	/* Informs about useless ruleset. */

	if (!fs_access_mask && !net_access_mask)

	if (!fs_access_mask && !net_access_mask && !scope_mask)

		return ERR_PTR(-ENOMSG);

	new_ruleset = create_ruleset(1);

	if (IS_ERR(new_ruleset))

		landlock_add_fs_access_mask(new_ruleset, fs_access_mask, 0);

	if (net_access_mask)

		landlock_add_net_access_mask(new_ruleset, net_access_mask, 0);

	if (scope_mask)

		landlock_add_scope_mask(new_ruleset, scope_mask, 0);

	return new_ruleset;

}

static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);

/* Makes sure all network access rights can be stored. */

static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET);

/* Makes sure all scoped rights can be stored. */

static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);

/* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */

static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));

struct access_masks {

	access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;

	access_mask_t net : LANDLOCK_NUM_ACCESS_NET;

	access_mask_t scope : LANDLOCK_NUM_SCOPE;

};

typedef u16 layer_mask_t;

struct landlock_ruleset *

landlock_create_ruleset(const access_mask_t access_mask_fs,

			const access_mask_t access_mask_net);

			const access_mask_t access_mask_net,

			const access_mask_t scope_mask);

void landlock_put_ruleset(struct landlock_ruleset *const ruleset);

void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);

	ruleset->access_masks[layer_level].net |= net_mask;

}

static inline void

landlock_add_scope_mask(struct landlock_ruleset *const ruleset,

			const access_mask_t scope_mask, const u16 layer_level)

{

	access_mask_t mask = scope_mask & LANDLOCK_MASK_SCOPE;

	/* Should already be checked in sys_landlock_create_ruleset(). */

	WARN_ON_ONCE(scope_mask != mask);

	ruleset->access_masks[layer_level].scope |= mask;

}

static inline access_mask_t

landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,

				const u16 layer_level)

	return ruleset->access_masks[layer_level].net;

}

static inline access_mask_t

landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,

			const u16 layer_level)

{

	return ruleset->access_masks[layer_level].scope;

}

bool landlock_unmask_layers(const struct landlock_rule *const rule,

			    const access_mask_t access_request,

			    layer_mask_t (*const layer_masks)[],

	 */

	ruleset_size = sizeof(ruleset_attr.handled_access_fs);

	ruleset_size += sizeof(ruleset_attr.handled_access_net);

	ruleset_size += sizeof(ruleset_attr.scoped);

	BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size);

	BUILD_BUG_ON(sizeof(ruleset_attr) != 16);

	BUILD_BUG_ON(sizeof(ruleset_attr) != 24);

	path_beneath_size = sizeof(path_beneath_attr.allowed_access);

	path_beneath_size += sizeof(path_beneath_attr.parent_fd);

	.write = fop_dummy_write,

};

#define LANDLOCK_ABI_VERSION 5

#define LANDLOCK_ABI_VERSION 6

/**

 * sys_landlock_create_ruleset - Create a new ruleset

 * Possible returned errors are:

 *

 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;

 * - %EINVAL: unknown @flags, or unknown access, or too small @size;

 * - %E2BIG or %EFAULT: @attr or @size inconsistencies;

 * - %EINVAL: unknown @flags, or unknown access, or unknown scope, or too small @size;

 * - %E2BIG: @attr or @size inconsistencies;

 * - %EFAULT: @attr or @size inconsistencies;

 * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.

 */

SYSCALL_DEFINE3(landlock_create_ruleset,

	    LANDLOCK_MASK_ACCESS_NET)

		return -EINVAL;

	/* Checks IPC scoping content (and 32-bits cast). */

	if ((ruleset_attr.scoped | LANDLOCK_MASK_SCOPE) != LANDLOCK_MASK_SCOPE)

		return -EINVAL;

	/* Checks arguments and transforms to kernel struct. */

	ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,

					  ruleset_attr.handled_access_net);

					  ruleset_attr.handled_access_net,

					  ruleset_attr.scoped);

	if (IS_ERR(ruleset))

		return PTR_ERR(ruleset);