[linux-block.git] / security / apparmor / policy_compat.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor functions for unpacking policy loaded
 * from userspace.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2022 Canonical Ltd.
 *
 * Code to provide backwards compatibility with older policy versions,
 * by converting/mapping older policy formats into the newer internal
 * formats.
 */

#include <linux/ctype.h>
#include <linux/errno.h>

#include "include/lib.h"
#include "include/policy_unpack.h"
#include "include/policy_compat.h"

/* remap old accept table embedded permissions to separate permission table */
static u32 dfa_map_xindex(u16 mask)
{
	u16 old_index = (mask >> 10) & 0xf;
	u32 index = 0;

	if (mask & 0x100)
		index |= AA_X_UNSAFE;
	if (mask & 0x200)
		index |= AA_X_INHERIT;
	if (mask & 0x80)
		index |= AA_X_UNCONFINED;

	if (old_index == 1) {
		index |= AA_X_UNCONFINED;
	} else if (old_index == 2) {
		index |= AA_X_NAME;
	} else if (old_index == 3) {
		index |= AA_X_NAME | AA_X_CHILD;
	} else if (old_index) {
		index |= AA_X_TABLE;
		index |= old_index - 4;
	}

	return index;
}

/*
 * map old dfa inline permissions to new format
 */
#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
				    ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
#define dfa_user_xindex(dfa, state) \
	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))

#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
				      0x7f) |				\
				     ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
#define dfa_other_xbits(dfa, state) \
	((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
#define dfa_other_quiet(dfa, state) \
	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
#define dfa_other_xindex(dfa, state) \
	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)

/**
 * map_old_perms - map old file perms layout to the new layout
 * @old: permission set in old mapping
 *
 * Returns: new permission mapping
 */
static u32 map_old_perms(u32 old)
{
	u32 new = old & 0xf;

	if (old & MAY_READ)
		new |= AA_MAY_GETATTR | AA_MAY_OPEN;
	if (old & MAY_WRITE)
		new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
		       AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
	if (old & 0x10)
		new |= AA_MAY_LINK;
	/* the old mapping lock and link_subset flags where overlaid
	 * and use was determined by part of a pair that they were in
	 */
	if (old & 0x20)
		new |= AA_MAY_LOCK | AA_LINK_SUBSET;
	if (old & 0x40)	/* AA_EXEC_MMAP */
		new |= AA_EXEC_MMAP;

	return new;
}

static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
				 aa_state_t state)
{
	perms->allow |= AA_MAY_GETATTR;

	/* change_profile wasn't determined by ownership in old mapping */
	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
		perms->allow |= AA_MAY_CHANGE_PROFILE;
	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
		perms->allow |= AA_MAY_ONEXEC;
}

static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
					   aa_state_t state)
{
	struct aa_perms perms = { };

	perms.allow = map_old_perms(dfa_user_allow(dfa, state));
	perms.audit = map_old_perms(dfa_user_audit(dfa, state));
	perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
	perms.xindex = dfa_user_xindex(dfa, state);

	compute_fperms_allow(&perms, dfa, state);

	return perms;
}

static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
					    aa_state_t state)
{
	struct aa_perms perms = { };

	perms.allow = map_old_perms(dfa_other_allow(dfa, state));
	perms.audit = map_old_perms(dfa_other_audit(dfa, state));
	perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
	perms.xindex = dfa_other_xindex(dfa, state);

	compute_fperms_allow(&perms, dfa, state);

	return perms;
}

/**
 * compute_fperms - convert dfa compressed perms to internal perms and store
 *		    them so they can be retrieved later.
 * @dfa: a dfa using fperms to remap to internal permissions
 *
 * Returns: remapped perm table
 */
static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
{
	aa_state_t state;
	unsigned int state_count;
	struct aa_perms *table;

	AA_BUG(!dfa);

	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
	/* DFAs are restricted from having a state_count of less than 2 */
	table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL);
	if (!table)
		return NULL;

	for (state = 0; state < state_count; state++) {
		table[state * 2] = compute_fperms_user(dfa, state);
		table[state * 2 + 1] = compute_fperms_other(dfa, state);
	}

	return table;
}

static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
{
	struct aa_perms *perms;
	int state;
	int state_count;

	AA_BUG(!xmatch);

	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
	/* DFAs are restricted from having a state_count of less than 2 */
	perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);

	/* zero init so skip the trap state (state == 0) */
	for (state = 1; state < state_count; state++)
		perms[state].allow = dfa_user_allow(xmatch, state);

	return perms;
}

static u32 map_other(u32 x)
{
	return ((x & 0x3) << 8) |	/* SETATTR/GETATTR */
		((x & 0x1c) << 18) |	/* ACCEPT/BIND/LISTEN */
		((x & 0x60) << 19);	/* SETOPT/GETOPT */
}

static u32 map_xbits(u32 x)
{
	return ((x & 0x1) << 7) |
		((x & 0x7e) << 9);
}

static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
					   aa_state_t state,
					   u32 version)
{
	struct aa_perms perms = { };

	perms.allow = dfa_user_allow(dfa, state);
	perms.audit = dfa_user_audit(dfa, state);
	perms.quiet = dfa_user_quiet(dfa, state);

	/*
	 * This mapping is convulated due to history.
	 * v1-v4: only file perms, which are handled by compute_fperms
	 * v5: added policydb which dropped user conditional to gain new
	 *     perm bits, but had to map around the xbits because the
	 *     userspace compiler was still munging them.
	 * v9: adds using the xbits in policydb because the compiler now
	 *     supports treating policydb permission bits different.
	 *     Unfortunately there is no way to force auditing on the
	 *     perms represented by the xbits
	 */
	perms.allow |= map_other(dfa_other_allow(dfa, state));
	if (VERSION_LE(version, v8))
		perms.allow |= AA_MAY_LOCK;
	else
		perms.allow |= map_xbits(dfa_user_xbits(dfa, state));

	/*
	 * for v5-v9 perm mapping in the policydb, the other set is used
	 * to extend the general perm set
	 */
	perms.audit |= map_other(dfa_other_audit(dfa, state));
	perms.quiet |= map_other(dfa_other_quiet(dfa, state));
	if (VERSION_GT(version, v8))
		perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));

	return perms;
}

static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
{
	unsigned int state;
	unsigned int state_count;
	struct aa_perms *table;

	AA_BUG(!dfa);

	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
	/* DFAs are restricted from having a state_count of less than 2 */
	table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
	if (!table)
		return NULL;

	/* zero init so skip the trap state (state == 0) */
	for (state = 1; state < state_count; state++)
		table[state] = compute_perms_entry(dfa, state, version);

	return table;
}

/**
 * remap_dfa_accept - remap old dfa accept table to be an index
 * @dfa: dfa to do the remapping on
 * @factor: scaling factor for the index conversion.
 *
 * Used in conjunction with compute_Xperms, it converts old style perms
 * that are encoded in the dfa accept tables to the new style where
 * there is a permission table and the accept table is an index into
 * the permission table.
 */
static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
{
	unsigned int state;
	unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;

	AA_BUG(!dfa);

	for (state = 0; state < state_count; state++)
		ACCEPT_TABLE(dfa)[state] = state * factor;
	kvfree(dfa->tables[YYTD_ID_ACCEPT2]);
	dfa->tables[YYTD_ID_ACCEPT2] = NULL;
}

/* TODO: merge different dfa mappings into single map_policy fn */
int aa_compat_map_xmatch(struct aa_policydb *policy)
{
	policy->perms = compute_xmatch_perms(policy->dfa);
	if (!policy->perms)
		return -ENOMEM;

	remap_dfa_accept(policy->dfa, 1);

	return 0;
}

int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
{
	policy->perms = compute_perms(policy->dfa, version);
	if (!policy->perms)
		return -ENOMEM;

	remap_dfa_accept(policy->dfa, 1);

	return 0;
}

int aa_compat_map_file(struct aa_policydb *policy)
{
	policy->perms = compute_fperms(policy->dfa);
	if (!policy->perms)
		return -ENOMEM;

	remap_dfa_accept(policy->dfa, 2);

	return 0;
}
Commit	Line	Data
caa9f579 JJ	1	// SPDX-License-Identifier: GPL-2.0-only
	2	/*
	3	* AppArmor security module
	4	*
	5	* This file contains AppArmor functions for unpacking policy loaded
	6	* from userspace.
	7	*
	8	* Copyright (C) 1998-2008 Novell/SUSE
	9	* Copyright 2009-2022 Canonical Ltd.
	10	*
	11	* Code to provide backwards compatibility with older policy versions,
	12	* by converting/mapping older policy formats into the newer internal
	13	* formats.
	14	*/
	15
	16	#include <linux/ctype.h>
	17	#include <linux/errno.h>
	18
	19	#include "include/lib.h"
	20	#include "include/policy_unpack.h"
	21	#include "include/policy_compat.h"
	22
	23	/* remap old accept table embedded permissions to separate permission table */
	24	static u32 dfa_map_xindex(u16 mask)
	25	{
	26	u16 old_index = (mask >> 10) & 0xf;
	27	u32 index = 0;
	28
	29	if (mask & 0x100)
	30	index \|= AA_X_UNSAFE;
	31	if (mask & 0x200)
	32	index \|= AA_X_INHERIT;
	33	if (mask & 0x80)
	34	index \|= AA_X_UNCONFINED;
	35
	36	if (old_index == 1) {
	37	index \|= AA_X_UNCONFINED;
	38	} else if (old_index == 2) {
	39	index \|= AA_X_NAME;
	40	} else if (old_index == 3) {
	41	index \|= AA_X_NAME \| AA_X_CHILD;
	42	} else if (old_index) {
	43	index \|= AA_X_TABLE;
	44	index \|= old_index - 4;
	45	}
	46
	47	return index;
	48	}
	49
	50	/*
	51	* map old dfa inline permissions to new format
	52	*/
	53	#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) \| \
	54	((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
	55	#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
	56	#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
	57	#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
	58	#define dfa_user_xindex(dfa, state) \
	59	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
	60
	61	#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
	62	0x7f) \| \
	63	((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
	64	#define dfa_other_xbits(dfa, state) \
65	((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
66	#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
67	#define dfa_other_quiet(dfa, state) \
68	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
69	#define dfa_other_xindex(dfa, state) \
70	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
71
72	/**
73	* map_old_perms - map old file perms layout to the new layout
74	* @old: permission set in old mapping
75	*
76	* Returns: new permission mapping
77	*/
78	static u32 map_old_perms(u32 old)
79	{
80	u32 new = old & 0xf;
81
82	if (old & MAY_READ)
83	new \|= AA_MAY_GETATTR \| AA_MAY_OPEN;
84	if (old & MAY_WRITE)
85	new \|= AA_MAY_SETATTR \| AA_MAY_CREATE \| AA_MAY_DELETE \|
86	AA_MAY_CHMOD \| AA_MAY_CHOWN \| AA_MAY_OPEN;
87	if (old & 0x10)
88	new \|= AA_MAY_LINK;
89	/* the old mapping lock and link_subset flags where overlaid
90	* and use was determined by part of a pair that they were in
91	*/
92	if (old & 0x20)
93	new \|= AA_MAY_LOCK \| AA_LINK_SUBSET;
94	if (old & 0x40) /* AA_EXEC_MMAP */
95	new \|= AA_EXEC_MMAP;
96
97	return new;
98	}
99
100	static void compute_fperms_allow(struct aa_perms perms, struct aa_dfa dfa,
101	aa_state_t state)
102	{
103	perms->allow \|= AA_MAY_GETATTR;
104
105	/* change_profile wasn't determined by ownership in old mapping */
106	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
107	perms->allow \|= AA_MAY_CHANGE_PROFILE;
108	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
109	perms->allow \|= AA_MAY_ONEXEC;
110	}
111
112	static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
113	aa_state_t state)
114	{
115	struct aa_perms perms = { };
116
117	perms.allow = map_old_perms(dfa_user_allow(dfa, state));
118	perms.audit = map_old_perms(dfa_user_audit(dfa, state));
119	perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
120	perms.xindex = dfa_user_xindex(dfa, state);
121
122	compute_fperms_allow(&perms, dfa, state);
123
124	return perms;
125	}
126
127	static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
128	aa_state_t state)
129	{
130	struct aa_perms perms = { };
131
132	perms.allow = map_old_perms(dfa_other_allow(dfa, state));
133	perms.audit = map_old_perms(dfa_other_audit(dfa, state));
134	perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
135	perms.xindex = dfa_other_xindex(dfa, state);
136
137	compute_fperms_allow(&perms, dfa, state);
138
139	return perms;
140	}
141
142	/**
1ddece8c JJ	143	* compute_fperms - convert dfa compressed perms to internal perms and store
1ddece8c JJ	144	* them so they can be retrieved later.
caa9f579 JJ	145	* @dfa: a dfa using fperms to remap to internal permissions
	146	*
	147	* Returns: remapped perm table
	148	*/
	149	static struct aa_perms compute_fperms(struct aa_dfa dfa)
	150	{
	151	aa_state_t state;
	152	unsigned int state_count;
	153	struct aa_perms *table;
	154
	155	AA_BUG(!dfa);
	156
	157	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
	158	/* DFAs are restricted from having a state_count of less than 2 */
	159	table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL);
	160	if (!table)
	161	return NULL;
	162
cbb13e12	163	for (state = 0; state < state_count; state++) {
caa9f579 JJ	164	table[state * 2] = compute_fperms_user(dfa, state);
	165	table[state * 2 + 1] = compute_fperms_other(dfa, state);
	166	}
	167
	168	return table;
	169	}
	170
	171	static struct aa_perms compute_xmatch_perms(struct aa_dfa xmatch)
	172	{
	173	struct aa_perms *perms;
	174	int state;
	175	int state_count;
	176
	177	AA_BUG(!xmatch);
	178
	179	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
	180	/* DFAs are restricted from having a state_count of less than 2 */
	181	perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
	182
	183	/* zero init so skip the trap state (state == 0) */
	184	for (state = 1; state < state_count; state++)
	185	perms[state].allow = dfa_user_allow(xmatch, state);
	186
	187	return perms;
	188	}
	189
	190	static u32 map_other(u32 x)
	191	{
	192	return ((x & 0x3) << 8) \| /* SETATTR/GETATTR */
	193	((x & 0x1c) << 18) \| /* ACCEPT/BIND/LISTEN */
	194	((x & 0x60) << 19); /* SETOPT/GETOPT */
	195	}
	196
	197	static u32 map_xbits(u32 x)
	198	{
	199	return ((x & 0x1) << 7) \|
	200	((x & 0x7e) << 9);
	201	}
	202
	203	static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
	204	aa_state_t state,
	205	u32 version)
	206	{
	207	struct aa_perms perms = { };
	208
	209	perms.allow = dfa_user_allow(dfa, state);
	210	perms.audit = dfa_user_audit(dfa, state);
	211	perms.quiet = dfa_user_quiet(dfa, state);
	212
	213	/*
	214	* This mapping is convulated due to history.
	215	* v1-v4: only file perms, which are handled by compute_fperms
	216	* v5: added policydb which dropped user conditional to gain new
	217	* perm bits, but had to map around the xbits because the
	218	* userspace compiler was still munging them.
	219	* v9: adds using the xbits in policydb because the compiler now
	220	* supports treating policydb permission bits different.
	221	* Unfortunately there is no way to force auditing on the
	222	* perms represented by the xbits
	223	*/
	224	perms.allow \|= map_other(dfa_other_allow(dfa, state));
	225	if (VERSION_LE(version, v8))
	226	perms.allow \|= AA_MAY_LOCK;
	227	else
228	perms.allow \|= map_xbits(dfa_user_xbits(dfa, state));
229
230	/*
231	* for v5-v9 perm mapping in the policydb, the other set is used
232	* to extend the general perm set
233	*/
234	perms.audit \|= map_other(dfa_other_audit(dfa, state));
235	perms.quiet \|= map_other(dfa_other_quiet(dfa, state));
236	if (VERSION_GT(version, v8))
237	perms.quiet \|= map_xbits(dfa_other_xbits(dfa, state));
238
239	return perms;
240	}
241
242	static struct aa_perms compute_perms(struct aa_dfa dfa, u32 version)
243	{
244	unsigned int state;
245	unsigned int state_count;
246	struct aa_perms *table;
247
248	AA_BUG(!dfa);
249
250	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
251	/* DFAs are restricted from having a state_count of less than 2 */
252	table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
253	if (!table)
254	return NULL;
255
256	/* zero init so skip the trap state (state == 0) */
257	for (state = 1; state < state_count; state++)
258	table[state] = compute_perms_entry(dfa, state, version);
259
260	return table;
261	}
262
263	/**
264	* remap_dfa_accept - remap old dfa accept table to be an index
265	* @dfa: dfa to do the remapping on
266	* @factor: scaling factor for the index conversion.
267	*
268	* Used in conjunction with compute_Xperms, it converts old style perms
269	* that are encoded in the dfa accept tables to the new style where
270	* there is a permission table and the accept table is an index into
271	* the permission table.
272	*/
273	static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
274	{
275	unsigned int state;
276	unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
277
278	AA_BUG(!dfa);
279
280	for (state = 0; state < state_count; state++)
281	ACCEPT_TABLE(dfa)[state] = state * factor;
282	kvfree(dfa->tables[YYTD_ID_ACCEPT2]);
283	dfa->tables[YYTD_ID_ACCEPT2] = NULL;
284	}
285
286	/* TODO: merge different dfa mappings into single map_policy fn */
287	int aa_compat_map_xmatch(struct aa_policydb *policy)
288	{
289	policy->perms = compute_xmatch_perms(policy->dfa);
290	if (!policy->perms)
291	return -ENOMEM;
292
293	remap_dfa_accept(policy->dfa, 1);
294
295	return 0;
296	}
297
298	int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
299	{
300	policy->perms = compute_perms(policy->dfa, version);
301	if (!policy->perms)
302	return -ENOMEM;
303
304	remap_dfa_accept(policy->dfa, 1);
305
306	return 0;
307	}
308
309	int aa_compat_map_file(struct aa_policydb *policy)
310	{
311	policy->perms = compute_fperms(policy->dfa);
312	if (!policy->perms)
313	return -ENOMEM;
314
315	remap_dfa_accept(policy->dfa, 2);
316
317	return 0;
318	}