vmm: Introduce Landlock module

This module introduces methods to apply Landlock LSM to cloud-hypervisor threads. Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
2024-12-22 13:45:20 +00:00 · 2024-02-12 19:06:43 +00:00 · 2024-02-12 19:06:43 +00:00 · af5a9677c8
commit af5a9677c8
parent 1d89f98edf
4 changed files with 169 additions and 0 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1118,6 +1118,17 @@ dependencies = [
 "vmm-sys-util",
 ]

+[[package]]
+name = "landlock"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dafb8a4afee64f167eb2b52d32f0eea002e41a7a6450e68c799c8ec3a81a634c"
+dependencies = [
+ "enumflags2",
+ "libc",
+ "thiserror",
+]
+
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@ -2450,6 +2461,7 @@ dependencies = [
 "hypervisor",
 "igvm",
 "igvm_defs",
+ "landlock",
 "libc",
 "linux-loader",
 "log",
--- a/vmm/Cargo.toml
+++ b/vmm/Cargo.toml
@ -39,6 +39,7 @@ hex = { version = "0.4.3", optional = true }
 hypervisor = { path = "../hypervisor" }
 igvm = { version = "0.3.1", optional = true }
 igvm_defs = { version = "0.3.1", optional = true }
+landlock = "0.4.0"
 libc = "0.2.153"
 linux-loader = { version = "0.11.0", features = ["bzimage", "elf", "pe"] }
 log = "0.4.21"
--- a/vmm/src/config.rs
+++ b/vmm/src/config.rs
@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //

+use crate::landlock::LandlockAccess;
 pub use crate::vm_config::*;
 use clap::ArgMatches;
 use option_parser::{
@ -211,6 +212,8 @@ pub enum ValidationError {
    RestoreNetFdCountMismatch(String, usize, usize),
    /// Path provided in landlock-rules doesn't exist
    LandlockPathDoesNotExist(PathBuf),
+    /// Access provided in landlock-rules in invalid
+    InvalidLandlockAccess(String),
 }

 type ValidationResult<T> = std::result::Result<T, ValidationError>;
@ -369,6 +372,9 @@ impl fmt::Display for ValidationError {
                    s.as_path()
                )
            }
+            InvalidLandlockAccess(s) => {
+                write!(f, "{s}")
+            }
        }
    }
 }
@ -2361,6 +2367,8 @@ impl LandlockConfig {
        if !self.path.exists() {
            return Err(ValidationError::LandlockPathDoesNotExist(self.path.clone()));
        }
+        LandlockAccess::try_from(self.access.as_str())
+            .map_err(|e| ValidationError::InvalidLandlockAccess(e.to_string()))?;
        Ok(())
    }
 }
--- a/vmm/src/landlock.rs
+++ b/vmm/src/landlock.rs
@ -1 +1,149 @@
+// Copyright © 2024 Microsoft Corporation
+//
+// SPDX-License-Identifier: Apache-2.0

+#[cfg(test)]
+use landlock::make_bitflags;
+use landlock::{
+    path_beneath_rules, Access, AccessFs, BitFlags, Ruleset, RulesetAttr, RulesetCreated,
+    RulesetCreatedAttr, RulesetError, ABI,
+};
+use std::convert::TryFrom;
+use std::io::Error as IoError;
+use std::path::PathBuf;
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum LandlockError {
+    /// All RulesetErrors from Landlock library are wrapped in this error
+    #[error("Error creating/adding/restricting ruleset: {0}")]
+    ManageRuleset(#[source] RulesetError),
+
+    /// Error opening path
+    #[error("Error opening path: {0}")]
+    OpenPath(#[source] IoError),
+
+    /// Invalid Landlock access
+    #[error("Invalid Landlock access: {0}")]
+    InvalidLandlockAccess(String),
+}
+
+// https://docs.rs/landlock/latest/landlock/enum.ABI.html for more info on ABI
+static ABI: ABI = ABI::V3;
+
+pub struct LandlockAccess {
+    access: BitFlags<AccessFs>,
+}
+
+impl TryFrom<&str> for LandlockAccess {
+    type Error = LandlockError;
+
+    fn try_from(s: &str) -> Result<LandlockAccess, LandlockError> {
+        if s.is_empty() {
+            return Err(LandlockError::InvalidLandlockAccess(
+                "Access cannot be empty".to_string(),
+            ));
+        }
+
+        let mut access = BitFlags::<AccessFs>::empty();
+        for c in s.chars() {
+            match c {
+                'r' => access |= AccessFs::from_read(ABI),
+                'w' => access |= AccessFs::from_write(ABI),
+                _ => {
+                    return Err(LandlockError::InvalidLandlockAccess(
+                        format!("Invalid access: {c}").to_string(),
+                    ))
+                }
+            };
+        }
+        Ok(LandlockAccess { access })
+    }
+}
+pub struct Landlock {
+    ruleset: RulesetCreated,
+}
+
+impl Landlock {
+    pub fn new() -> Result<Landlock, LandlockError> {
+        let file_access = AccessFs::from_all(ABI);
+
+        let def_ruleset = Ruleset::default()
+            .handle_access(file_access)
+            .map_err(LandlockError::ManageRuleset)?;
+
+        // By default, rulesets are created in `BestEffort` mode. This lets Landlock
+        // to enable all the supported rules and silently ignore the unsupported ones.
+        let ruleset = def_ruleset.create().map_err(LandlockError::ManageRuleset)?;
+
+        Ok(Landlock { ruleset })
+    }
+
+    pub fn add_rule(
+        &mut self,
+        path: PathBuf,
+        access: BitFlags<AccessFs>,
+    ) -> Result<(), LandlockError> {
+        // path_beneath_rules in landlock crate handles file and directory access rules.
+        // Incoming path/s are passed to path_beneath_rules, so that we don't
+        // have to worry about the type of the path.
+        let paths = vec![path.clone()];
+        let path_beneath_rules = path_beneath_rules(paths, access);
+        self.ruleset
+            .as_mut()
+            .add_rules(path_beneath_rules)
+            .map_err(LandlockError::ManageRuleset)?;
+        Ok(())
+    }
+
+    pub fn add_rule_with_access(
+        &mut self,
+        path: PathBuf,
+        access: &str,
+    ) -> Result<(), LandlockError> {
+        self.add_rule(path, LandlockAccess::try_from(access)?.access)?;
+        Ok(())
+    }
+
+    pub fn restrict_self(self) -> Result<(), LandlockError> {
+        self.ruleset
+            .restrict_self()
+            .map_err(LandlockError::ManageRuleset)?;
+        Ok(())
+    }
+}
+
+#[test]
+fn test_try_from_access() {
+    // These access rights could change in future versions of Landlock. Listing
+    // them here explicitly to raise their visibility during code reviews.
+    let read_access = make_bitflags!(AccessFs::{
+        Execute
+        | ReadFile
+        | ReadDir
+    });
+    let write_access = make_bitflags!(AccessFs::{
+        WriteFile
+        | RemoveDir
+        | RemoveFile
+        | MakeChar
+        | MakeDir
+        | MakeReg
+        | MakeSock
+        | MakeFifo
+        | MakeBlock
+        | MakeSym
+        | Refer
+        | Truncate
+    });
+    let landlock_access = LandlockAccess::try_from("rw").unwrap();
+    assert!(landlock_access.access == read_access | write_access);
+
+    let landlock_access = LandlockAccess::try_from("r").unwrap();
+    assert!(landlock_access.access == read_access);
+
+    let landlock_access = LandlockAccess::try_from("w").unwrap();
+    assert!(landlock_access.access == write_access);
+
+    assert!(LandlockAccess::try_from("").is_err());
+}