Commit | Line | Data |
---|---|---|
caa9f579 JJ |
1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* | |
3 | * AppArmor security module | |
4 | * | |
5 | * This file contains AppArmor functions for unpacking policy loaded | |
6 | * from userspace. | |
7 | * | |
8 | * Copyright (C) 1998-2008 Novell/SUSE | |
9 | * Copyright 2009-2022 Canonical Ltd. | |
10 | * | |
11 | * Code to provide backwards compatibility with older policy versions, | |
12 | * by converting/mapping older policy formats into the newer internal | |
13 | * formats. | |
14 | */ | |
15 | ||
16 | #include <linux/ctype.h> | |
17 | #include <linux/errno.h> | |
18 | ||
19 | #include "include/lib.h" | |
20 | #include "include/policy_unpack.h" | |
21 | #include "include/policy_compat.h" | |
22 | ||
23 | /* remap old accept table embedded permissions to separate permission table */ | |
24 | static u32 dfa_map_xindex(u16 mask) | |
25 | { | |
26 | u16 old_index = (mask >> 10) & 0xf; | |
27 | u32 index = 0; | |
28 | ||
29 | if (mask & 0x100) | |
30 | index |= AA_X_UNSAFE; | |
31 | if (mask & 0x200) | |
32 | index |= AA_X_INHERIT; | |
33 | if (mask & 0x80) | |
34 | index |= AA_X_UNCONFINED; | |
35 | ||
36 | if (old_index == 1) { | |
37 | index |= AA_X_UNCONFINED; | |
38 | } else if (old_index == 2) { | |
39 | index |= AA_X_NAME; | |
40 | } else if (old_index == 3) { | |
41 | index |= AA_X_NAME | AA_X_CHILD; | |
42 | } else if (old_index) { | |
43 | index |= AA_X_TABLE; | |
44 | index |= old_index - 4; | |
45 | } | |
46 | ||
47 | return index; | |
48 | } | |
49 | ||
50 | /* | |
51 | * map old dfa inline permissions to new format | |
52 | */ | |
53 | #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ | |
54 | ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) | |
55 | #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f) | |
56 | #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) | |
57 | #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f) | |
58 | #define dfa_user_xindex(dfa, state) \ | |
59 | (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff)) | |
60 | ||
61 | #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \ | |
62 | 0x7f) | \ | |
63 | ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) | |
64 | #define dfa_other_xbits(dfa, state) \ | |
65 | ((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f) | |
66 | #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f) | |
67 | #define dfa_other_quiet(dfa, state) \ | |
68 | ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f) | |
69 | #define dfa_other_xindex(dfa, state) \ | |
70 | dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff) | |
71 | ||
72 | /** | |
73 | * map_old_perms - map old file perms layout to the new layout | |
74 | * @old: permission set in old mapping | |
75 | * | |
76 | * Returns: new permission mapping | |
77 | */ | |
78 | static u32 map_old_perms(u32 old) | |
79 | { | |
80 | u32 new = old & 0xf; | |
81 | ||
82 | if (old & MAY_READ) | |
83 | new |= AA_MAY_GETATTR | AA_MAY_OPEN; | |
84 | if (old & MAY_WRITE) | |
85 | new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE | | |
86 | AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN; | |
87 | if (old & 0x10) | |
88 | new |= AA_MAY_LINK; | |
89 | /* the old mapping lock and link_subset flags where overlaid | |
90 | * and use was determined by part of a pair that they were in | |
91 | */ | |
92 | if (old & 0x20) | |
93 | new |= AA_MAY_LOCK | AA_LINK_SUBSET; | |
94 | if (old & 0x40) /* AA_EXEC_MMAP */ | |
95 | new |= AA_EXEC_MMAP; | |
96 | ||
97 | return new; | |
98 | } | |
99 | ||
100 | static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa, | |
101 | aa_state_t state) | |
102 | { | |
103 | perms->allow |= AA_MAY_GETATTR; | |
104 | ||
105 | /* change_profile wasn't determined by ownership in old mapping */ | |
106 | if (ACCEPT_TABLE(dfa)[state] & 0x80000000) | |
107 | perms->allow |= AA_MAY_CHANGE_PROFILE; | |
108 | if (ACCEPT_TABLE(dfa)[state] & 0x40000000) | |
109 | perms->allow |= AA_MAY_ONEXEC; | |
110 | } | |
111 | ||
112 | static struct aa_perms compute_fperms_user(struct aa_dfa *dfa, | |
113 | aa_state_t state) | |
114 | { | |
115 | struct aa_perms perms = { }; | |
116 | ||
117 | perms.allow = map_old_perms(dfa_user_allow(dfa, state)); | |
118 | perms.audit = map_old_perms(dfa_user_audit(dfa, state)); | |
119 | perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); | |
120 | perms.xindex = dfa_user_xindex(dfa, state); | |
121 | ||
122 | compute_fperms_allow(&perms, dfa, state); | |
123 | ||
124 | return perms; | |
125 | } | |
126 | ||
127 | static struct aa_perms compute_fperms_other(struct aa_dfa *dfa, | |
128 | aa_state_t state) | |
129 | { | |
130 | struct aa_perms perms = { }; | |
131 | ||
132 | perms.allow = map_old_perms(dfa_other_allow(dfa, state)); | |
133 | perms.audit = map_old_perms(dfa_other_audit(dfa, state)); | |
134 | perms.quiet = map_old_perms(dfa_other_quiet(dfa, state)); | |
135 | perms.xindex = dfa_other_xindex(dfa, state); | |
136 | ||
137 | compute_fperms_allow(&perms, dfa, state); | |
138 | ||
139 | return perms; | |
140 | } | |
141 | ||
142 | /** | |
1ddece8c JJ |
143 | * compute_fperms - convert dfa compressed perms to internal perms and store |
144 | * them so they can be retrieved later. | |
caa9f579 JJ |
145 | * @dfa: a dfa using fperms to remap to internal permissions |
146 | * | |
147 | * Returns: remapped perm table | |
148 | */ | |
149 | static struct aa_perms *compute_fperms(struct aa_dfa *dfa) | |
150 | { | |
151 | aa_state_t state; | |
152 | unsigned int state_count; | |
153 | struct aa_perms *table; | |
154 | ||
155 | AA_BUG(!dfa); | |
156 | ||
157 | state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; | |
158 | /* DFAs are restricted from having a state_count of less than 2 */ | |
159 | table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL); | |
160 | if (!table) | |
161 | return NULL; | |
162 | ||
cbb13e12 | 163 | for (state = 0; state < state_count; state++) { |
caa9f579 JJ |
164 | table[state * 2] = compute_fperms_user(dfa, state); |
165 | table[state * 2 + 1] = compute_fperms_other(dfa, state); | |
166 | } | |
167 | ||
168 | return table; | |
169 | } | |
170 | ||
171 | static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch) | |
172 | { | |
173 | struct aa_perms *perms; | |
174 | int state; | |
175 | int state_count; | |
176 | ||
177 | AA_BUG(!xmatch); | |
178 | ||
179 | state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen; | |
180 | /* DFAs are restricted from having a state_count of less than 2 */ | |
181 | perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL); | |
182 | ||
183 | /* zero init so skip the trap state (state == 0) */ | |
184 | for (state = 1; state < state_count; state++) | |
185 | perms[state].allow = dfa_user_allow(xmatch, state); | |
186 | ||
187 | return perms; | |
188 | } | |
189 | ||
190 | static u32 map_other(u32 x) | |
191 | { | |
192 | return ((x & 0x3) << 8) | /* SETATTR/GETATTR */ | |
193 | ((x & 0x1c) << 18) | /* ACCEPT/BIND/LISTEN */ | |
194 | ((x & 0x60) << 19); /* SETOPT/GETOPT */ | |
195 | } | |
196 | ||
197 | static u32 map_xbits(u32 x) | |
198 | { | |
199 | return ((x & 0x1) << 7) | | |
200 | ((x & 0x7e) << 9); | |
201 | } | |
202 | ||
203 | static struct aa_perms compute_perms_entry(struct aa_dfa *dfa, | |
204 | aa_state_t state, | |
205 | u32 version) | |
206 | { | |
207 | struct aa_perms perms = { }; | |
208 | ||
209 | perms.allow = dfa_user_allow(dfa, state); | |
210 | perms.audit = dfa_user_audit(dfa, state); | |
211 | perms.quiet = dfa_user_quiet(dfa, state); | |
212 | ||
213 | /* | |
214 | * This mapping is convulated due to history. | |
215 | * v1-v4: only file perms, which are handled by compute_fperms | |
216 | * v5: added policydb which dropped user conditional to gain new | |
217 | * perm bits, but had to map around the xbits because the | |
218 | * userspace compiler was still munging them. | |
219 | * v9: adds using the xbits in policydb because the compiler now | |
220 | * supports treating policydb permission bits different. | |
221 | * Unfortunately there is no way to force auditing on the | |
222 | * perms represented by the xbits | |
223 | */ | |
224 | perms.allow |= map_other(dfa_other_allow(dfa, state)); | |
225 | if (VERSION_LE(version, v8)) | |
226 | perms.allow |= AA_MAY_LOCK; | |
227 | else | |
228 | perms.allow |= map_xbits(dfa_user_xbits(dfa, state)); | |
229 | ||
230 | /* | |
231 | * for v5-v9 perm mapping in the policydb, the other set is used | |
232 | * to extend the general perm set | |
233 | */ | |
234 | perms.audit |= map_other(dfa_other_audit(dfa, state)); | |
235 | perms.quiet |= map_other(dfa_other_quiet(dfa, state)); | |
236 | if (VERSION_GT(version, v8)) | |
237 | perms.quiet |= map_xbits(dfa_other_xbits(dfa, state)); | |
238 | ||
239 | return perms; | |
240 | } | |
241 | ||
242 | static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version) | |
243 | { | |
244 | unsigned int state; | |
245 | unsigned int state_count; | |
246 | struct aa_perms *table; | |
247 | ||
248 | AA_BUG(!dfa); | |
249 | ||
250 | state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; | |
251 | /* DFAs are restricted from having a state_count of less than 2 */ | |
252 | table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL); | |
253 | if (!table) | |
254 | return NULL; | |
255 | ||
256 | /* zero init so skip the trap state (state == 0) */ | |
257 | for (state = 1; state < state_count; state++) | |
258 | table[state] = compute_perms_entry(dfa, state, version); | |
259 | ||
260 | return table; | |
261 | } | |
262 | ||
263 | /** | |
264 | * remap_dfa_accept - remap old dfa accept table to be an index | |
265 | * @dfa: dfa to do the remapping on | |
266 | * @factor: scaling factor for the index conversion. | |
267 | * | |
268 | * Used in conjunction with compute_Xperms, it converts old style perms | |
269 | * that are encoded in the dfa accept tables to the new style where | |
270 | * there is a permission table and the accept table is an index into | |
271 | * the permission table. | |
272 | */ | |
273 | static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor) | |
274 | { | |
275 | unsigned int state; | |
276 | unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; | |
277 | ||
278 | AA_BUG(!dfa); | |
279 | ||
280 | for (state = 0; state < state_count; state++) | |
281 | ACCEPT_TABLE(dfa)[state] = state * factor; | |
282 | kvfree(dfa->tables[YYTD_ID_ACCEPT2]); | |
283 | dfa->tables[YYTD_ID_ACCEPT2] = NULL; | |
284 | } | |
285 | ||
286 | /* TODO: merge different dfa mappings into single map_policy fn */ | |
287 | int aa_compat_map_xmatch(struct aa_policydb *policy) | |
288 | { | |
289 | policy->perms = compute_xmatch_perms(policy->dfa); | |
290 | if (!policy->perms) | |
291 | return -ENOMEM; | |
292 | ||
293 | remap_dfa_accept(policy->dfa, 1); | |
294 | ||
295 | return 0; | |
296 | } | |
297 | ||
298 | int aa_compat_map_policy(struct aa_policydb *policy, u32 version) | |
299 | { | |
300 | policy->perms = compute_perms(policy->dfa, version); | |
301 | if (!policy->perms) | |
302 | return -ENOMEM; | |
303 | ||
304 | remap_dfa_accept(policy->dfa, 1); | |
305 | ||
306 | return 0; | |
307 | } | |
308 | ||
309 | int aa_compat_map_file(struct aa_policydb *policy) | |
310 | { | |
311 | policy->perms = compute_fperms(policy->dfa); | |
312 | if (!policy->perms) | |
313 | return -ENOMEM; | |
314 | ||
315 | remap_dfa_accept(policy->dfa, 2); | |
316 | ||
317 | return 0; | |
318 | } |