landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags

 *

 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>

 * Copyright © 2018-2020 ANSSI

 * Copyright © 2021-2025 Microsoft Corporation

 */

#ifndef _UAPI_LINUX_LANDLOCK_H

#define LANDLOCK_CREATE_RULESET_ERRATA			(1U << 1)

/* clang-format on */

/*

 * sys_landlock_restrict_self() flags:

 *

 * - %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF: Do not create any log related to the

 *   enforced restrictions.  This should only be set by tools launching unknown

 *   or untrusted programs (e.g. a sandbox tool, container runtime, system

 *   service manager).  Because programs sandboxing themselves should fix any

 *   denied access, they should not set this flag to be aware of potential

 *   issues reported by system's logs (i.e. audit).

 * - %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON: Explicitly ask to continue

 *   logging denied access requests even after an :manpage:`execve(2)` call.

 *   This flag should only be set if all the programs than can legitimately be

 *   executed will not try to request a denied access (which could spam audit

 *   logs).

 */

/* clang-format off */

#define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF		(1U << 0)

#define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON			(1U << 1)

/* clang-format on */

/**

 * enum landlock_rule_type - Landlock rule type

 *

			get_hierarchy(subject->domain, youngest_layer);

	}

	if (READ_ONCE(youngest_denied->log_status) == LANDLOCK_LOG_DISABLED)

		return;

	/*

	 * Consistently keeps track of the number of denied access requests

	 * even if audit is currently disabled, or if audit rules currently

	if (!audit_enabled)

		return;

	/* Ignores denials after an execution. */

	if (!(subject->domain_exec & (1 << youngest_layer)))

	/* Checks if the current exec was restricting itself. */

	if (subject->domain_exec & (1 << youngest_layer)) {

		/* Ignores denials for the same execution. */

		if (!youngest_denied->log_same_exec)

			return;

	} else {

		/* Ignores denials after a new execution. */

		if (!youngest_denied->log_new_exec)

			return;

	}

	/* Uses consistent allocation flags wrt common_lsm_audit(). */

	ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,

	hierarchy->details = details;

	hierarchy->id = landlock_get_id_range(1);

	hierarchy->log_status = LANDLOCK_LOG_PENDING;

	hierarchy->log_same_exec = true;

	hierarchy->log_new_exec = false;

	atomic64_set(&hierarchy->num_denials, 0);

	return 0;

}

enum landlock_log_status {

	LANDLOCK_LOG_PENDING = 0,

	LANDLOCK_LOG_RECORDED,

	LANDLOCK_LOG_DISABLED,

};

/**

	 * @details: Information about the related domain.

	 */

	const struct landlock_details *details;

	/**

	 * @log_same_exec: Set if the domain is *not* configured with

	 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF.  Set to true by default.

	 */

	u32 log_same_exec : 1,

		/**

		 * @log_new_exec: Set if the domain is configured with

		 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON.  Set to false by default.

		 */

		log_new_exec : 1;

#endif /* CONFIG_AUDIT */

};

/* SPDX-License-Identifier: GPL-2.0-only */

/*

 * Landlock LSM - Limits for different components

 * Landlock - Limits for different components

 *

 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>

 * Copyright © 2018-2020 ANSSI

 * Copyright © 2021-2025 Microsoft Corporation

 */

#ifndef _SECURITY_LANDLOCK_LIMITS_H

#define LANDLOCK_LAST_SCOPE		LANDLOCK_SCOPE_SIGNAL

#define LANDLOCK_MASK_SCOPE		((LANDLOCK_LAST_SCOPE << 1) - 1)

#define LANDLOCK_NUM_SCOPE		__const_hweight64(LANDLOCK_MASK_SCOPE)

#define LANDLOCK_LAST_RESTRICT_SELF	LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON

#define LANDLOCK_MASK_RESTRICT_SELF	((LANDLOCK_LAST_RESTRICT_SELF << 1) - 1)

/* clang-format on */

#endif /* _SECURITY_LANDLOCK_LIMITS_H */