| 1 | // SPDX-License-Identifier: GPL-2.0-only |
| 2 | /* |
| 3 | * AppArmor security module |
| 4 | * |
| 5 | * This file contains AppArmor functions for unpacking policy loaded from |
| 6 | * userspace. |
| 7 | * |
| 8 | * Copyright (C) 1998-2008 Novell/SUSE |
| 9 | * Copyright 2009-2010 Canonical Ltd. |
| 10 | * |
| 11 | * AppArmor uses a serialized binary format for loading policy. To find |
| 12 | * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst |
| 13 | * All policy is validated before it is used. |
| 14 | */ |
| 15 | |
| 16 | #include <asm/unaligned.h> |
| 17 | #include <linux/ctype.h> |
| 18 | #include <linux/errno.h> |
| 19 | #include <linux/zstd.h> |
| 20 | |
| 21 | #include "include/apparmor.h" |
| 22 | #include "include/audit.h" |
| 23 | #include "include/cred.h" |
| 24 | #include "include/crypto.h" |
| 25 | #include "include/file.h" |
| 26 | #include "include/match.h" |
| 27 | #include "include/path.h" |
| 28 | #include "include/policy.h" |
| 29 | #include "include/policy_unpack.h" |
| 30 | #include "include/policy_compat.h" |
| 31 | |
| 32 | |
| 33 | /* |
| 34 | * The AppArmor interface treats data as a type byte followed by the |
| 35 | * actual data. The interface has the notion of a named entry |
| 36 | * which has a name (AA_NAME typecode followed by name string) followed by |
| 37 | * the entries typecode and data. Named types allow for optional |
| 38 | * elements and extensions to be added and tested for without breaking |
| 39 | * backwards compatibility. |
| 40 | */ |
| 41 | |
| 42 | enum aa_code { |
| 43 | AA_U8, |
| 44 | AA_U16, |
| 45 | AA_U32, |
| 46 | AA_U64, |
| 47 | AA_NAME, /* same as string except it is items name */ |
| 48 | AA_STRING, |
| 49 | AA_BLOB, |
| 50 | AA_STRUCT, |
| 51 | AA_STRUCTEND, |
| 52 | AA_LIST, |
| 53 | AA_LISTEND, |
| 54 | AA_ARRAY, |
| 55 | AA_ARRAYEND, |
| 56 | }; |
| 57 | |
| 58 | /* |
| 59 | * aa_ext is the read of the buffer containing the serialized profile. The |
| 60 | * data is copied into a kernel buffer in apparmorfs and then handed off to |
| 61 | * the unpack routines. |
| 62 | */ |
| 63 | struct aa_ext { |
| 64 | void *start; |
| 65 | void *end; |
| 66 | void *pos; /* pointer to current position in the buffer */ |
| 67 | u32 version; |
| 68 | }; |
| 69 | |
| 70 | #define tri int |
| 71 | #define TRI_TRUE 1 |
| 72 | #define TRI_NONE 0 |
| 73 | #define TRI_FALSE -1 |
| 74 | |
| 75 | /* audit callback for unpack fields */ |
| 76 | static void audit_cb(struct audit_buffer *ab, void *va) |
| 77 | { |
| 78 | struct common_audit_data *sa = va; |
| 79 | |
| 80 | if (aad(sa)->iface.ns) { |
| 81 | audit_log_format(ab, " ns="); |
| 82 | audit_log_untrustedstring(ab, aad(sa)->iface.ns); |
| 83 | } |
| 84 | if (aad(sa)->name) { |
| 85 | audit_log_format(ab, " name="); |
| 86 | audit_log_untrustedstring(ab, aad(sa)->name); |
| 87 | } |
| 88 | if (aad(sa)->iface.pos) |
| 89 | audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos); |
| 90 | } |
| 91 | |
| 92 | /** |
| 93 | * audit_iface - do audit message for policy unpacking/load/replace/remove |
| 94 | * @new: profile if it has been allocated (MAYBE NULL) |
| 95 | * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL) |
| 96 | * @name: name of the profile being manipulated (MAYBE NULL) |
| 97 | * @info: any extra info about the failure (MAYBE NULL) |
| 98 | * @e: buffer position info |
| 99 | * @error: error code |
| 100 | * |
| 101 | * Returns: %0 or error |
| 102 | */ |
| 103 | static int audit_iface(struct aa_profile *new, const char *ns_name, |
| 104 | const char *name, const char *info, struct aa_ext *e, |
| 105 | int error) |
| 106 | { |
| 107 | struct aa_profile *profile = labels_profile(aa_current_raw_label()); |
| 108 | DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); |
| 109 | if (e) |
| 110 | aad(&sa)->iface.pos = e->pos - e->start; |
| 111 | aad(&sa)->iface.ns = ns_name; |
| 112 | if (new) |
| 113 | aad(&sa)->name = new->base.hname; |
| 114 | else |
| 115 | aad(&sa)->name = name; |
| 116 | aad(&sa)->info = info; |
| 117 | aad(&sa)->error = error; |
| 118 | |
| 119 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); |
| 120 | } |
| 121 | |
| 122 | void __aa_loaddata_update(struct aa_loaddata *data, long revision) |
| 123 | { |
| 124 | AA_BUG(!data); |
| 125 | AA_BUG(!data->ns); |
| 126 | AA_BUG(!mutex_is_locked(&data->ns->lock)); |
| 127 | AA_BUG(data->revision > revision); |
| 128 | |
| 129 | data->revision = revision; |
| 130 | if ((data->dents[AAFS_LOADDATA_REVISION])) { |
| 131 | d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime = |
| 132 | current_time(d_inode(data->dents[AAFS_LOADDATA_DIR])); |
| 133 | d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime = |
| 134 | current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION])); |
| 135 | } |
| 136 | } |
| 137 | |
| 138 | bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r) |
| 139 | { |
| 140 | if (l->size != r->size) |
| 141 | return false; |
| 142 | if (l->compressed_size != r->compressed_size) |
| 143 | return false; |
| 144 | if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) |
| 145 | return false; |
| 146 | return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0; |
| 147 | } |
| 148 | |
| 149 | /* |
| 150 | * need to take the ns mutex lock which is NOT safe most places that |
| 151 | * put_loaddata is called, so we have to delay freeing it |
| 152 | */ |
| 153 | static void do_loaddata_free(struct work_struct *work) |
| 154 | { |
| 155 | struct aa_loaddata *d = container_of(work, struct aa_loaddata, work); |
| 156 | struct aa_ns *ns = aa_get_ns(d->ns); |
| 157 | |
| 158 | if (ns) { |
| 159 | mutex_lock_nested(&ns->lock, ns->level); |
| 160 | __aa_fs_remove_rawdata(d); |
| 161 | mutex_unlock(&ns->lock); |
| 162 | aa_put_ns(ns); |
| 163 | } |
| 164 | |
| 165 | kfree_sensitive(d->hash); |
| 166 | kfree_sensitive(d->name); |
| 167 | kvfree(d->data); |
| 168 | kfree_sensitive(d); |
| 169 | } |
| 170 | |
| 171 | void aa_loaddata_kref(struct kref *kref) |
| 172 | { |
| 173 | struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); |
| 174 | |
| 175 | if (d) { |
| 176 | INIT_WORK(&d->work, do_loaddata_free); |
| 177 | schedule_work(&d->work); |
| 178 | } |
| 179 | } |
| 180 | |
| 181 | struct aa_loaddata *aa_loaddata_alloc(size_t size) |
| 182 | { |
| 183 | struct aa_loaddata *d; |
| 184 | |
| 185 | d = kzalloc(sizeof(*d), GFP_KERNEL); |
| 186 | if (d == NULL) |
| 187 | return ERR_PTR(-ENOMEM); |
| 188 | d->data = kvzalloc(size, GFP_KERNEL); |
| 189 | if (!d->data) { |
| 190 | kfree(d); |
| 191 | return ERR_PTR(-ENOMEM); |
| 192 | } |
| 193 | kref_init(&d->count); |
| 194 | INIT_LIST_HEAD(&d->list); |
| 195 | |
| 196 | return d; |
| 197 | } |
| 198 | |
| 199 | /* test if read will be in packed data bounds */ |
| 200 | static bool inbounds(struct aa_ext *e, size_t size) |
| 201 | { |
| 202 | return (size <= e->end - e->pos); |
| 203 | } |
| 204 | |
| 205 | static void *kvmemdup(const void *src, size_t len) |
| 206 | { |
| 207 | void *p = kvmalloc(len, GFP_KERNEL); |
| 208 | |
| 209 | if (p) |
| 210 | memcpy(p, src, len); |
| 211 | return p; |
| 212 | } |
| 213 | |
| 214 | /** |
| 215 | * unpack_u16_chunk - test and do bounds checking for a u16 size based chunk |
| 216 | * @e: serialized data read head (NOT NULL) |
| 217 | * @chunk: start address for chunk of data (NOT NULL) |
| 218 | * |
| 219 | * Returns: the size of chunk found with the read head at the end of the chunk. |
| 220 | */ |
| 221 | static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) |
| 222 | { |
| 223 | size_t size = 0; |
| 224 | void *pos = e->pos; |
| 225 | |
| 226 | if (!inbounds(e, sizeof(u16))) |
| 227 | goto fail; |
| 228 | size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); |
| 229 | e->pos += sizeof(__le16); |
| 230 | if (!inbounds(e, size)) |
| 231 | goto fail; |
| 232 | *chunk = e->pos; |
| 233 | e->pos += size; |
| 234 | return size; |
| 235 | |
| 236 | fail: |
| 237 | e->pos = pos; |
| 238 | return 0; |
| 239 | } |
| 240 | |
| 241 | /* unpack control byte */ |
| 242 | static bool unpack_X(struct aa_ext *e, enum aa_code code) |
| 243 | { |
| 244 | if (!inbounds(e, 1)) |
| 245 | return false; |
| 246 | if (*(u8 *) e->pos != code) |
| 247 | return false; |
| 248 | e->pos++; |
| 249 | return true; |
| 250 | } |
| 251 | |
| 252 | /** |
| 253 | * unpack_nameX - check is the next element is of type X with a name of @name |
| 254 | * @e: serialized data extent information (NOT NULL) |
| 255 | * @code: type code |
| 256 | * @name: name to match to the serialized element. (MAYBE NULL) |
| 257 | * |
| 258 | * check that the next serialized data element is of type X and has a tag |
| 259 | * name @name. If @name is specified then there must be a matching |
| 260 | * name element in the stream. If @name is NULL any name element will be |
| 261 | * skipped and only the typecode will be tested. |
| 262 | * |
| 263 | * Returns true on success (both type code and name tests match) and the read |
| 264 | * head is advanced past the headers |
| 265 | * |
| 266 | * Returns: false if either match fails, the read head does not move |
| 267 | */ |
| 268 | static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) |
| 269 | { |
| 270 | /* |
| 271 | * May need to reset pos if name or type doesn't match |
| 272 | */ |
| 273 | void *pos = e->pos; |
| 274 | /* |
| 275 | * Check for presence of a tagname, and if present name size |
| 276 | * AA_NAME tag value is a u16. |
| 277 | */ |
| 278 | if (unpack_X(e, AA_NAME)) { |
| 279 | char *tag = NULL; |
| 280 | size_t size = unpack_u16_chunk(e, &tag); |
| 281 | /* if a name is specified it must match. otherwise skip tag */ |
| 282 | if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) |
| 283 | goto fail; |
| 284 | } else if (name) { |
| 285 | /* if a name is specified and there is no name tag fail */ |
| 286 | goto fail; |
| 287 | } |
| 288 | |
| 289 | /* now check if type code matches */ |
| 290 | if (unpack_X(e, code)) |
| 291 | return true; |
| 292 | |
| 293 | fail: |
| 294 | e->pos = pos; |
| 295 | return false; |
| 296 | } |
| 297 | |
| 298 | static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name) |
| 299 | { |
| 300 | void *pos = e->pos; |
| 301 | |
| 302 | if (unpack_nameX(e, AA_U8, name)) { |
| 303 | if (!inbounds(e, sizeof(u8))) |
| 304 | goto fail; |
| 305 | if (data) |
| 306 | *data = *((u8 *)e->pos); |
| 307 | e->pos += sizeof(u8); |
| 308 | return true; |
| 309 | } |
| 310 | |
| 311 | fail: |
| 312 | e->pos = pos; |
| 313 | return false; |
| 314 | } |
| 315 | |
| 316 | static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) |
| 317 | { |
| 318 | void *pos = e->pos; |
| 319 | |
| 320 | if (unpack_nameX(e, AA_U32, name)) { |
| 321 | if (!inbounds(e, sizeof(u32))) |
| 322 | goto fail; |
| 323 | if (data) |
| 324 | *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); |
| 325 | e->pos += sizeof(u32); |
| 326 | return true; |
| 327 | } |
| 328 | |
| 329 | fail: |
| 330 | e->pos = pos; |
| 331 | return false; |
| 332 | } |
| 333 | |
| 334 | static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) |
| 335 | { |
| 336 | void *pos = e->pos; |
| 337 | |
| 338 | if (unpack_nameX(e, AA_U64, name)) { |
| 339 | if (!inbounds(e, sizeof(u64))) |
| 340 | goto fail; |
| 341 | if (data) |
| 342 | *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); |
| 343 | e->pos += sizeof(u64); |
| 344 | return true; |
| 345 | } |
| 346 | |
| 347 | fail: |
| 348 | e->pos = pos; |
| 349 | return false; |
| 350 | } |
| 351 | |
| 352 | static tri unpack_array(struct aa_ext *e, const char *name, u16 *size) |
| 353 | { |
| 354 | void *pos = e->pos; |
| 355 | |
| 356 | if (unpack_nameX(e, AA_ARRAY, name)) { |
| 357 | if (!inbounds(e, sizeof(u16))) |
| 358 | goto fail; |
| 359 | *size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); |
| 360 | e->pos += sizeof(u16); |
| 361 | return TRI_TRUE; |
| 362 | } |
| 363 | |
| 364 | return TRI_NONE; |
| 365 | fail: |
| 366 | e->pos = pos; |
| 367 | return TRI_FALSE; |
| 368 | } |
| 369 | |
| 370 | static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) |
| 371 | { |
| 372 | void *pos = e->pos; |
| 373 | |
| 374 | if (unpack_nameX(e, AA_BLOB, name)) { |
| 375 | u32 size; |
| 376 | if (!inbounds(e, sizeof(u32))) |
| 377 | goto fail; |
| 378 | size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); |
| 379 | e->pos += sizeof(u32); |
| 380 | if (inbounds(e, (size_t) size)) { |
| 381 | *blob = e->pos; |
| 382 | e->pos += size; |
| 383 | return size; |
| 384 | } |
| 385 | } |
| 386 | |
| 387 | fail: |
| 388 | e->pos = pos; |
| 389 | return 0; |
| 390 | } |
| 391 | |
| 392 | static int unpack_str(struct aa_ext *e, const char **string, const char *name) |
| 393 | { |
| 394 | char *src_str; |
| 395 | size_t size = 0; |
| 396 | void *pos = e->pos; |
| 397 | *string = NULL; |
| 398 | if (unpack_nameX(e, AA_STRING, name)) { |
| 399 | size = unpack_u16_chunk(e, &src_str); |
| 400 | if (size) { |
| 401 | /* strings are null terminated, length is size - 1 */ |
| 402 | if (src_str[size - 1] != 0) |
| 403 | goto fail; |
| 404 | *string = src_str; |
| 405 | |
| 406 | return size; |
| 407 | } |
| 408 | } |
| 409 | |
| 410 | fail: |
| 411 | e->pos = pos; |
| 412 | return 0; |
| 413 | } |
| 414 | |
| 415 | static int unpack_strdup(struct aa_ext *e, char **string, const char *name) |
| 416 | { |
| 417 | const char *tmp; |
| 418 | void *pos = e->pos; |
| 419 | int res = unpack_str(e, &tmp, name); |
| 420 | *string = NULL; |
| 421 | |
| 422 | if (!res) |
| 423 | return 0; |
| 424 | |
| 425 | *string = kmemdup(tmp, res, GFP_KERNEL); |
| 426 | if (!*string) { |
| 427 | e->pos = pos; |
| 428 | return 0; |
| 429 | } |
| 430 | |
| 431 | return res; |
| 432 | } |
| 433 | |
| 434 | |
| 435 | /** |
| 436 | * unpack_dfa - unpack a file rule dfa |
| 437 | * @e: serialized data extent information (NOT NULL) |
| 438 | * @flags: dfa flags to check |
| 439 | * |
| 440 | * returns dfa or ERR_PTR or NULL if no dfa |
| 441 | */ |
| 442 | static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags) |
| 443 | { |
| 444 | char *blob = NULL; |
| 445 | size_t size; |
| 446 | struct aa_dfa *dfa = NULL; |
| 447 | |
| 448 | size = unpack_blob(e, &blob, "aadfa"); |
| 449 | if (size) { |
| 450 | /* |
| 451 | * The dfa is aligned with in the blob to 8 bytes |
| 452 | * from the beginning of the stream. |
| 453 | * alignment adjust needed by dfa unpack |
| 454 | */ |
| 455 | size_t sz = blob - (char *) e->start - |
| 456 | ((e->pos - e->start) & 7); |
| 457 | size_t pad = ALIGN(sz, 8) - sz; |
| 458 | if (aa_g_paranoid_load) |
| 459 | flags |= DFA_FLAG_VERIFY_STATES; |
| 460 | dfa = aa_dfa_unpack(blob + pad, size - pad, flags); |
| 461 | |
| 462 | if (IS_ERR(dfa)) |
| 463 | return dfa; |
| 464 | |
| 465 | } |
| 466 | |
| 467 | return dfa; |
| 468 | } |
| 469 | |
| 470 | /** |
| 471 | * unpack_trans_table - unpack a profile transition table |
| 472 | * @e: serialized data extent information (NOT NULL) |
| 473 | * @table: str table to unpack to (NOT NULL) |
| 474 | * |
| 475 | * Returns: true if table successfully unpacked or not present |
| 476 | */ |
| 477 | static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs) |
| 478 | { |
| 479 | void *saved_pos = e->pos; |
| 480 | char **table; |
| 481 | |
| 482 | /* exec table is optional */ |
| 483 | if (unpack_nameX(e, AA_STRUCT, "xtable")) { |
| 484 | u16 size; |
| 485 | int i; |
| 486 | |
| 487 | if (unpack_array(e, NULL, &size) != TRI_TRUE || |
| 488 | size > (1 << 24)) |
| 489 | /* currently 2^24 bits entries 0-3 */ |
| 490 | goto fail; |
| 491 | table = kcalloc(size, sizeof(char *), GFP_KERNEL); |
| 492 | if (!table) |
| 493 | goto fail; |
| 494 | |
| 495 | for (i = 0; i < size; i++) { |
| 496 | char *str; |
| 497 | int c, j, pos, size2 = unpack_strdup(e, &str, NULL); |
| 498 | /* unpack_strdup verifies that the last character is |
| 499 | * null termination byte. |
| 500 | */ |
| 501 | if (!size2) |
| 502 | goto fail; |
| 503 | table[i] = str; |
| 504 | /* verify that name doesn't start with space */ |
| 505 | if (isspace(*str)) |
| 506 | goto fail; |
| 507 | |
| 508 | /* count internal # of internal \0 */ |
| 509 | for (c = j = 0; j < size2 - 1; j++) { |
| 510 | if (!str[j]) { |
| 511 | pos = j; |
| 512 | c++; |
| 513 | } |
| 514 | } |
| 515 | if (*str == ':') { |
| 516 | /* first character after : must be valid */ |
| 517 | if (!str[1]) |
| 518 | goto fail; |
| 519 | /* beginning with : requires an embedded \0, |
| 520 | * verify that exactly 1 internal \0 exists |
| 521 | * trailing \0 already verified by unpack_strdup |
| 522 | * |
| 523 | * convert \0 back to : for label_parse |
| 524 | */ |
| 525 | if (c == 1) |
| 526 | str[pos] = ':'; |
| 527 | else if (c > 1) |
| 528 | goto fail; |
| 529 | } else if (c) |
| 530 | /* fail - all other cases with embedded \0 */ |
| 531 | goto fail; |
| 532 | } |
| 533 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) |
| 534 | goto fail; |
| 535 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 536 | goto fail; |
| 537 | |
| 538 | strs->table = table; |
| 539 | strs->size = size; |
| 540 | } |
| 541 | return true; |
| 542 | |
| 543 | fail: |
| 544 | kfree_sensitive(table); |
| 545 | e->pos = saved_pos; |
| 546 | return false; |
| 547 | } |
| 548 | |
| 549 | static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile) |
| 550 | { |
| 551 | void *pos = e->pos; |
| 552 | |
| 553 | if (unpack_nameX(e, AA_STRUCT, "xattrs")) { |
| 554 | u16 size; |
| 555 | int i; |
| 556 | |
| 557 | if (unpack_array(e, NULL, &size) != TRI_TRUE) |
| 558 | goto fail; |
| 559 | profile->xattr_count = size; |
| 560 | profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); |
| 561 | if (!profile->xattrs) |
| 562 | goto fail; |
| 563 | for (i = 0; i < size; i++) { |
| 564 | if (!unpack_strdup(e, &profile->xattrs[i], NULL)) |
| 565 | goto fail; |
| 566 | } |
| 567 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) |
| 568 | goto fail; |
| 569 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 570 | goto fail; |
| 571 | } |
| 572 | |
| 573 | return true; |
| 574 | |
| 575 | fail: |
| 576 | e->pos = pos; |
| 577 | return false; |
| 578 | } |
| 579 | |
| 580 | static bool unpack_secmark(struct aa_ext *e, struct aa_profile *profile) |
| 581 | { |
| 582 | void *pos = e->pos; |
| 583 | u16 size; |
| 584 | int i; |
| 585 | |
| 586 | if (unpack_nameX(e, AA_STRUCT, "secmark")) { |
| 587 | if (unpack_array(e, NULL, &size) != TRI_TRUE) |
| 588 | goto fail; |
| 589 | |
| 590 | profile->secmark = kcalloc(size, sizeof(struct aa_secmark), |
| 591 | GFP_KERNEL); |
| 592 | if (!profile->secmark) |
| 593 | goto fail; |
| 594 | |
| 595 | profile->secmark_count = size; |
| 596 | |
| 597 | for (i = 0; i < size; i++) { |
| 598 | if (!unpack_u8(e, &profile->secmark[i].audit, NULL)) |
| 599 | goto fail; |
| 600 | if (!unpack_u8(e, &profile->secmark[i].deny, NULL)) |
| 601 | goto fail; |
| 602 | if (!unpack_strdup(e, &profile->secmark[i].label, NULL)) |
| 603 | goto fail; |
| 604 | } |
| 605 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) |
| 606 | goto fail; |
| 607 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 608 | goto fail; |
| 609 | } |
| 610 | |
| 611 | return true; |
| 612 | |
| 613 | fail: |
| 614 | if (profile->secmark) { |
| 615 | for (i = 0; i < size; i++) |
| 616 | kfree(profile->secmark[i].label); |
| 617 | kfree(profile->secmark); |
| 618 | profile->secmark_count = 0; |
| 619 | profile->secmark = NULL; |
| 620 | } |
| 621 | |
| 622 | e->pos = pos; |
| 623 | return false; |
| 624 | } |
| 625 | |
| 626 | static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) |
| 627 | { |
| 628 | void *pos = e->pos; |
| 629 | |
| 630 | /* rlimits are optional */ |
| 631 | if (unpack_nameX(e, AA_STRUCT, "rlimits")) { |
| 632 | u16 size; |
| 633 | int i; |
| 634 | u32 tmp = 0; |
| 635 | if (!unpack_u32(e, &tmp, NULL)) |
| 636 | goto fail; |
| 637 | profile->rlimits.mask = tmp; |
| 638 | |
| 639 | if (unpack_array(e, NULL, &size) != TRI_TRUE || |
| 640 | size > RLIM_NLIMITS) |
| 641 | goto fail; |
| 642 | for (i = 0; i < size; i++) { |
| 643 | u64 tmp2 = 0; |
| 644 | int a = aa_map_resource(i); |
| 645 | if (!unpack_u64(e, &tmp2, NULL)) |
| 646 | goto fail; |
| 647 | profile->rlimits.limits[a].rlim_max = tmp2; |
| 648 | } |
| 649 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) |
| 650 | goto fail; |
| 651 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 652 | goto fail; |
| 653 | } |
| 654 | return true; |
| 655 | |
| 656 | fail: |
| 657 | e->pos = pos; |
| 658 | return false; |
| 659 | } |
| 660 | |
| 661 | static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm) |
| 662 | { |
| 663 | bool res; |
| 664 | |
| 665 | if (version != 1) |
| 666 | return false; |
| 667 | |
| 668 | res = unpack_u32(e, &perm->allow, NULL); |
| 669 | res = res && unpack_u32(e, &perm->allow, NULL); |
| 670 | res = res && unpack_u32(e, &perm->deny, NULL); |
| 671 | res = res && unpack_u32(e, &perm->subtree, NULL); |
| 672 | res = res && unpack_u32(e, &perm->cond, NULL); |
| 673 | res = res && unpack_u32(e, &perm->kill, NULL); |
| 674 | res = res && unpack_u32(e, &perm->complain, NULL); |
| 675 | res = res && unpack_u32(e, &perm->prompt, NULL); |
| 676 | res = res && unpack_u32(e, &perm->audit, NULL); |
| 677 | res = res && unpack_u32(e, &perm->quiet, NULL); |
| 678 | res = res && unpack_u32(e, &perm->hide, NULL); |
| 679 | res = res && unpack_u32(e, &perm->xindex, NULL); |
| 680 | res = res && unpack_u32(e, &perm->tag, NULL); |
| 681 | res = res && unpack_u32(e, &perm->label, NULL); |
| 682 | |
| 683 | return res; |
| 684 | } |
| 685 | |
| 686 | static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms) |
| 687 | { |
| 688 | void *pos = e->pos; |
| 689 | u16 size = 0; |
| 690 | |
| 691 | AA_BUG(!perms); |
| 692 | /* |
| 693 | * policy perms are optional, in which case perms are embedded |
| 694 | * in the dfa accept table |
| 695 | */ |
| 696 | if (unpack_nameX(e, AA_STRUCT, "perms")) { |
| 697 | int i; |
| 698 | u32 version; |
| 699 | |
| 700 | if (!unpack_u32(e, &version, "version")) |
| 701 | goto fail_reset; |
| 702 | if (unpack_array(e, NULL, &size) != TRI_TRUE) |
| 703 | goto fail_reset; |
| 704 | *perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL); |
| 705 | if (!*perms) |
| 706 | goto fail_reset; |
| 707 | for (i = 0; i < size; i++) { |
| 708 | if (!unpack_perm(e, version, &(*perms)[i])) |
| 709 | goto fail; |
| 710 | } |
| 711 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) |
| 712 | goto fail; |
| 713 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 714 | goto fail; |
| 715 | } else |
| 716 | *perms = NULL; |
| 717 | |
| 718 | return size; |
| 719 | |
| 720 | fail: |
| 721 | kfree(*perms); |
| 722 | fail_reset: |
| 723 | e->pos = pos; |
| 724 | return -EPROTO; |
| 725 | } |
| 726 | |
| 727 | static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy, |
| 728 | bool required_dfa, bool required_trans, |
| 729 | const char **info) |
| 730 | { |
| 731 | void *pos = e->pos; |
| 732 | int i, flags, error = -EPROTO; |
| 733 | |
| 734 | policy->size = unpack_perms_table(e, &policy->perms); |
| 735 | if (policy->size < 0) { |
| 736 | error = policy->size; |
| 737 | policy->perms = NULL; |
| 738 | *info = "failed to unpack - perms"; |
| 739 | goto fail; |
| 740 | } else if (policy->perms) { |
| 741 | /* perms table present accept is index */ |
| 742 | flags = TO_ACCEPT1_FLAG(YYTD_DATA32); |
| 743 | } else { |
| 744 | /* packed perms in accept1 and accept2 */ |
| 745 | flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | |
| 746 | TO_ACCEPT2_FLAG(YYTD_DATA32); |
| 747 | } |
| 748 | |
| 749 | policy->dfa = unpack_dfa(e, flags); |
| 750 | if (IS_ERR(policy->dfa)) { |
| 751 | error = PTR_ERR(policy->dfa); |
| 752 | policy->dfa = NULL; |
| 753 | *info = "failed to unpack - dfa"; |
| 754 | goto fail; |
| 755 | } else if (!policy->dfa) { |
| 756 | if (required_dfa) { |
| 757 | *info = "missing required dfa"; |
| 758 | goto fail; |
| 759 | } |
| 760 | goto out; |
| 761 | } |
| 762 | |
| 763 | /* |
| 764 | * only unpack the following if a dfa is present |
| 765 | * |
| 766 | * sadly start was given different names for file and policydb |
| 767 | * but since it is optional we can try both |
| 768 | */ |
| 769 | if (!unpack_u32(e, &policy->start[0], "start")) |
| 770 | /* default start state */ |
| 771 | policy->start[0] = DFA_START; |
| 772 | if (!unpack_u32(e, &policy->start[AA_CLASS_FILE], "dfa_start")) { |
| 773 | /* default start state for xmatch and file dfa */ |
| 774 | policy->start[AA_CLASS_FILE] = DFA_START; |
| 775 | } /* setup class index */ |
| 776 | for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) { |
| 777 | policy->start[i] = aa_dfa_next(policy->dfa, policy->start[0], |
| 778 | i); |
| 779 | } |
| 780 | if (!unpack_trans_table(e, &policy->trans) && required_trans) { |
| 781 | *info = "failed to unpack profile transition table"; |
| 782 | goto fail; |
| 783 | } |
| 784 | /* TODO: move compat mapping here, requires dfa merging first */ |
| 785 | |
| 786 | out: |
| 787 | return 0; |
| 788 | |
| 789 | fail: |
| 790 | e->pos = pos; |
| 791 | return error; |
| 792 | } |
| 793 | |
| 794 | static u32 strhash(const void *data, u32 len, u32 seed) |
| 795 | { |
| 796 | const char * const *key = data; |
| 797 | |
| 798 | return jhash(*key, strlen(*key), seed); |
| 799 | } |
| 800 | |
| 801 | static int datacmp(struct rhashtable_compare_arg *arg, const void *obj) |
| 802 | { |
| 803 | const struct aa_data *data = obj; |
| 804 | const char * const *key = arg->key; |
| 805 | |
| 806 | return strcmp(data->key, *key); |
| 807 | } |
| 808 | |
| 809 | /** |
| 810 | * unpack_profile - unpack a serialized profile |
| 811 | * @e: serialized data extent information (NOT NULL) |
| 812 | * @ns_name: pointer of newly allocated copy of %NULL in case of error |
| 813 | * |
| 814 | * NOTE: unpack profile sets audit struct if there is a failure |
| 815 | */ |
| 816 | static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) |
| 817 | { |
| 818 | struct aa_profile *profile = NULL; |
| 819 | const char *tmpname, *tmpns = NULL, *name = NULL; |
| 820 | const char *info = "failed to unpack profile"; |
| 821 | size_t ns_len; |
| 822 | struct rhashtable_params params = { 0 }; |
| 823 | char *key = NULL; |
| 824 | struct aa_data *data; |
| 825 | int error = -EPROTO; |
| 826 | kernel_cap_t tmpcap; |
| 827 | u32 tmp; |
| 828 | |
| 829 | *ns_name = NULL; |
| 830 | |
| 831 | /* check that we have the right struct being passed */ |
| 832 | if (!unpack_nameX(e, AA_STRUCT, "profile")) |
| 833 | goto fail; |
| 834 | if (!unpack_str(e, &name, NULL)) |
| 835 | goto fail; |
| 836 | if (*name == '\0') |
| 837 | goto fail; |
| 838 | |
| 839 | tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len); |
| 840 | if (tmpns) { |
| 841 | *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL); |
| 842 | if (!*ns_name) { |
| 843 | info = "out of memory"; |
| 844 | goto fail; |
| 845 | } |
| 846 | name = tmpname; |
| 847 | } |
| 848 | |
| 849 | profile = aa_alloc_profile(name, NULL, GFP_KERNEL); |
| 850 | if (!profile) |
| 851 | return ERR_PTR(-ENOMEM); |
| 852 | |
| 853 | /* profile renaming is optional */ |
| 854 | (void) unpack_str(e, &profile->rename, "rename"); |
| 855 | |
| 856 | /* attachment string is optional */ |
| 857 | (void) unpack_str(e, &profile->attach, "attach"); |
| 858 | |
| 859 | /* xmatch is optional and may be NULL */ |
| 860 | error = unpack_pdb(e, &profile->xmatch, false, false, &info); |
| 861 | if (error) |
| 862 | goto fail; |
| 863 | |
| 864 | /* neither xmatch_len not xmatch_perms are optional if xmatch is set */ |
| 865 | if (profile->xmatch.dfa) { |
| 866 | if (!unpack_u32(e, &tmp, NULL)) { |
| 867 | info = "missing xmatch len"; |
| 868 | goto fail; |
| 869 | } |
| 870 | profile->xmatch_len = tmp; |
| 871 | profile->xmatch.start[AA_CLASS_XMATCH] = DFA_START; |
| 872 | if (aa_compat_map_xmatch(&profile->xmatch)) { |
| 873 | info = "failed to convert xmatch permission table"; |
| 874 | goto fail; |
| 875 | } |
| 876 | } |
| 877 | |
| 878 | /* disconnected attachment string is optional */ |
| 879 | (void) unpack_str(e, &profile->disconnected, "disconnected"); |
| 880 | |
| 881 | /* per profile debug flags (complain, audit) */ |
| 882 | if (!unpack_nameX(e, AA_STRUCT, "flags")) { |
| 883 | info = "profile missing flags"; |
| 884 | goto fail; |
| 885 | } |
| 886 | info = "failed to unpack profile flags"; |
| 887 | if (!unpack_u32(e, &tmp, NULL)) |
| 888 | goto fail; |
| 889 | if (tmp & PACKED_FLAG_HAT) |
| 890 | profile->label.flags |= FLAG_HAT; |
| 891 | if (tmp & PACKED_FLAG_DEBUG1) |
| 892 | profile->label.flags |= FLAG_DEBUG1; |
| 893 | if (tmp & PACKED_FLAG_DEBUG2) |
| 894 | profile->label.flags |= FLAG_DEBUG2; |
| 895 | if (!unpack_u32(e, &tmp, NULL)) |
| 896 | goto fail; |
| 897 | if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) { |
| 898 | profile->mode = APPARMOR_COMPLAIN; |
| 899 | } else if (tmp == PACKED_MODE_ENFORCE) { |
| 900 | profile->mode = APPARMOR_ENFORCE; |
| 901 | } else if (tmp == PACKED_MODE_KILL) { |
| 902 | profile->mode = APPARMOR_KILL; |
| 903 | } else if (tmp == PACKED_MODE_UNCONFINED) { |
| 904 | profile->mode = APPARMOR_UNCONFINED; |
| 905 | profile->label.flags |= FLAG_UNCONFINED; |
| 906 | } else if (tmp == PACKED_MODE_USER) { |
| 907 | profile->mode = APPARMOR_USER; |
| 908 | } else { |
| 909 | goto fail; |
| 910 | } |
| 911 | if (!unpack_u32(e, &tmp, NULL)) |
| 912 | goto fail; |
| 913 | if (tmp) |
| 914 | profile->audit = AUDIT_ALL; |
| 915 | |
| 916 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 917 | goto fail; |
| 918 | |
| 919 | /* path_flags is optional */ |
| 920 | if (unpack_u32(e, &profile->path_flags, "path_flags")) |
| 921 | profile->path_flags |= profile->label.flags & |
| 922 | PATH_MEDIATE_DELETED; |
| 923 | else |
| 924 | /* set a default value if path_flags field is not present */ |
| 925 | profile->path_flags = PATH_MEDIATE_DELETED; |
| 926 | |
| 927 | info = "failed to unpack profile capabilities"; |
| 928 | if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) |
| 929 | goto fail; |
| 930 | if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) |
| 931 | goto fail; |
| 932 | if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) |
| 933 | goto fail; |
| 934 | if (!unpack_u32(e, &tmpcap.cap[0], NULL)) |
| 935 | goto fail; |
| 936 | |
| 937 | info = "failed to unpack upper profile capabilities"; |
| 938 | if (unpack_nameX(e, AA_STRUCT, "caps64")) { |
| 939 | /* optional upper half of 64 bit caps */ |
| 940 | if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) |
| 941 | goto fail; |
| 942 | if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) |
| 943 | goto fail; |
| 944 | if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) |
| 945 | goto fail; |
| 946 | if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) |
| 947 | goto fail; |
| 948 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 949 | goto fail; |
| 950 | } |
| 951 | |
| 952 | info = "failed to unpack extended profile capabilities"; |
| 953 | if (unpack_nameX(e, AA_STRUCT, "capsx")) { |
| 954 | /* optional extended caps mediation mask */ |
| 955 | if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) |
| 956 | goto fail; |
| 957 | if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) |
| 958 | goto fail; |
| 959 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 960 | goto fail; |
| 961 | } |
| 962 | |
| 963 | if (!unpack_xattrs(e, profile)) { |
| 964 | info = "failed to unpack profile xattrs"; |
| 965 | goto fail; |
| 966 | } |
| 967 | |
| 968 | if (!unpack_rlimits(e, profile)) { |
| 969 | info = "failed to unpack profile rlimits"; |
| 970 | goto fail; |
| 971 | } |
| 972 | |
| 973 | if (!unpack_secmark(e, profile)) { |
| 974 | info = "failed to unpack profile secmark rules"; |
| 975 | goto fail; |
| 976 | } |
| 977 | |
| 978 | if (unpack_nameX(e, AA_STRUCT, "policydb")) { |
| 979 | /* generic policy dfa - optional and may be NULL */ |
| 980 | info = "failed to unpack policydb"; |
| 981 | error = unpack_pdb(e, &profile->policy, true, false, &info); |
| 982 | if (error) |
| 983 | goto fail; |
| 984 | /* Fixup: drop when we get rid of start array */ |
| 985 | if (aa_dfa_next(profile->policy.dfa, profile->policy.start[0], |
| 986 | AA_CLASS_FILE)) |
| 987 | profile->policy.start[AA_CLASS_FILE] = |
| 988 | aa_dfa_next(profile->policy.dfa, |
| 989 | profile->policy.start[0], |
| 990 | AA_CLASS_FILE); |
| 991 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 992 | goto fail; |
| 993 | if (aa_compat_map_policy(&profile->policy, e->version)) { |
| 994 | info = "failed to remap policydb permission table"; |
| 995 | goto fail; |
| 996 | } |
| 997 | } else |
| 998 | profile->policy.dfa = aa_get_dfa(nulldfa); |
| 999 | |
| 1000 | /* get file rules */ |
| 1001 | error = unpack_pdb(e, &profile->file, false, true, &info); |
| 1002 | if (error) { |
| 1003 | goto fail; |
| 1004 | } else if (profile->file.dfa) { |
| 1005 | if (aa_compat_map_file(&profile->file)) { |
| 1006 | info = "failed to remap file permission table"; |
| 1007 | goto fail; |
| 1008 | } |
| 1009 | } else if (profile->policy.dfa && |
| 1010 | profile->policy.start[AA_CLASS_FILE]) { |
| 1011 | profile->file.dfa = aa_get_dfa(profile->policy.dfa); |
| 1012 | profile->file.start[AA_CLASS_FILE] = profile->policy.start[AA_CLASS_FILE]; |
| 1013 | } else |
| 1014 | profile->file.dfa = aa_get_dfa(nulldfa); |
| 1015 | |
| 1016 | if (unpack_nameX(e, AA_STRUCT, "data")) { |
| 1017 | info = "out of memory"; |
| 1018 | profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); |
| 1019 | if (!profile->data) |
| 1020 | goto fail; |
| 1021 | |
| 1022 | params.nelem_hint = 3; |
| 1023 | params.key_len = sizeof(void *); |
| 1024 | params.key_offset = offsetof(struct aa_data, key); |
| 1025 | params.head_offset = offsetof(struct aa_data, head); |
| 1026 | params.hashfn = strhash; |
| 1027 | params.obj_cmpfn = datacmp; |
| 1028 | |
| 1029 | if (rhashtable_init(profile->data, ¶ms)) { |
| 1030 | info = "failed to init key, value hash table"; |
| 1031 | goto fail; |
| 1032 | } |
| 1033 | |
| 1034 | while (unpack_strdup(e, &key, NULL)) { |
| 1035 | data = kzalloc(sizeof(*data), GFP_KERNEL); |
| 1036 | if (!data) { |
| 1037 | kfree_sensitive(key); |
| 1038 | goto fail; |
| 1039 | } |
| 1040 | |
| 1041 | data->key = key; |
| 1042 | data->size = unpack_blob(e, &data->data, NULL); |
| 1043 | data->data = kvmemdup(data->data, data->size); |
| 1044 | if (data->size && !data->data) { |
| 1045 | kfree_sensitive(data->key); |
| 1046 | kfree_sensitive(data); |
| 1047 | goto fail; |
| 1048 | } |
| 1049 | |
| 1050 | rhashtable_insert_fast(profile->data, &data->head, |
| 1051 | profile->data->p); |
| 1052 | } |
| 1053 | |
| 1054 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { |
| 1055 | info = "failed to unpack end of key, value data table"; |
| 1056 | goto fail; |
| 1057 | } |
| 1058 | } |
| 1059 | |
| 1060 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { |
| 1061 | info = "failed to unpack end of profile"; |
| 1062 | goto fail; |
| 1063 | } |
| 1064 | |
| 1065 | return profile; |
| 1066 | |
| 1067 | fail: |
| 1068 | if (profile) |
| 1069 | name = NULL; |
| 1070 | else if (!name) |
| 1071 | name = "unknown"; |
| 1072 | audit_iface(profile, NULL, name, info, e, error); |
| 1073 | aa_free_profile(profile); |
| 1074 | |
| 1075 | return ERR_PTR(error); |
| 1076 | } |
| 1077 | |
| 1078 | /** |
| 1079 | * verify_header - unpack serialized stream header |
| 1080 | * @e: serialized data read head (NOT NULL) |
| 1081 | * @required: whether the header is required or optional |
| 1082 | * @ns: Returns - namespace if one is specified else NULL (NOT NULL) |
| 1083 | * |
| 1084 | * Returns: error or 0 if header is good |
| 1085 | */ |
| 1086 | static int verify_header(struct aa_ext *e, int required, const char **ns) |
| 1087 | { |
| 1088 | int error = -EPROTONOSUPPORT; |
| 1089 | const char *name = NULL; |
| 1090 | *ns = NULL; |
| 1091 | |
| 1092 | /* get the interface version */ |
| 1093 | if (!unpack_u32(e, &e->version, "version")) { |
| 1094 | if (required) { |
| 1095 | audit_iface(NULL, NULL, NULL, "invalid profile format", |
| 1096 | e, error); |
| 1097 | return error; |
| 1098 | } |
| 1099 | } |
| 1100 | |
| 1101 | /* Check that the interface version is currently supported. |
| 1102 | * if not specified use previous version |
| 1103 | * Mask off everything that is not kernel abi version |
| 1104 | */ |
| 1105 | if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) { |
| 1106 | audit_iface(NULL, NULL, NULL, "unsupported interface version", |
| 1107 | e, error); |
| 1108 | return error; |
| 1109 | } |
| 1110 | |
| 1111 | /* read the namespace if present */ |
| 1112 | if (unpack_str(e, &name, "namespace")) { |
| 1113 | if (*name == '\0') { |
| 1114 | audit_iface(NULL, NULL, NULL, "invalid namespace name", |
| 1115 | e, error); |
| 1116 | return error; |
| 1117 | } |
| 1118 | if (*ns && strcmp(*ns, name)) { |
| 1119 | audit_iface(NULL, NULL, NULL, "invalid ns change", e, |
| 1120 | error); |
| 1121 | } else if (!*ns) { |
| 1122 | *ns = kstrdup(name, GFP_KERNEL); |
| 1123 | if (!*ns) |
| 1124 | return -ENOMEM; |
| 1125 | } |
| 1126 | } |
| 1127 | |
| 1128 | return 0; |
| 1129 | } |
| 1130 | |
| 1131 | static bool verify_xindex(int xindex, int table_size) |
| 1132 | { |
| 1133 | int index, xtype; |
| 1134 | xtype = xindex & AA_X_TYPE_MASK; |
| 1135 | index = xindex & AA_X_INDEX_MASK; |
| 1136 | if (xtype == AA_X_TABLE && index >= table_size) |
| 1137 | return false; |
| 1138 | return true; |
| 1139 | } |
| 1140 | |
| 1141 | /* verify dfa xindexes are in range of transition tables */ |
| 1142 | static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) |
| 1143 | { |
| 1144 | int i; |
| 1145 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { |
| 1146 | if (!verify_xindex(ACCEPT_TABLE(dfa)[i], table_size)) |
| 1147 | return false; |
| 1148 | } |
| 1149 | return true; |
| 1150 | } |
| 1151 | |
| 1152 | /** |
| 1153 | * verify_profile - Do post unpack analysis to verify profile consistency |
| 1154 | * @profile: profile to verify (NOT NULL) |
| 1155 | * |
| 1156 | * Returns: 0 if passes verification else error |
| 1157 | * |
| 1158 | * This verification is post any unpack mapping or changes |
| 1159 | */ |
| 1160 | static int verify_profile(struct aa_profile *profile) |
| 1161 | { |
| 1162 | if ((profile->file.dfa && |
| 1163 | !verify_dfa_xindex(profile->file.dfa, |
| 1164 | profile->file.trans.size)) || |
| 1165 | (profile->policy.dfa && |
| 1166 | !verify_dfa_xindex(profile->policy.dfa, |
| 1167 | profile->policy.trans.size))) { |
| 1168 | audit_iface(profile, NULL, NULL, |
| 1169 | "Unpack: Invalid named transition", NULL, -EPROTO); |
| 1170 | return -EPROTO; |
| 1171 | } |
| 1172 | |
| 1173 | return 0; |
| 1174 | } |
| 1175 | |
| 1176 | void aa_load_ent_free(struct aa_load_ent *ent) |
| 1177 | { |
| 1178 | if (ent) { |
| 1179 | aa_put_profile(ent->rename); |
| 1180 | aa_put_profile(ent->old); |
| 1181 | aa_put_profile(ent->new); |
| 1182 | kfree(ent->ns_name); |
| 1183 | kfree_sensitive(ent); |
| 1184 | } |
| 1185 | } |
| 1186 | |
| 1187 | struct aa_load_ent *aa_load_ent_alloc(void) |
| 1188 | { |
| 1189 | struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL); |
| 1190 | if (ent) |
| 1191 | INIT_LIST_HEAD(&ent->list); |
| 1192 | return ent; |
| 1193 | } |
| 1194 | |
| 1195 | static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen) |
| 1196 | { |
| 1197 | #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY |
| 1198 | const zstd_parameters params = |
| 1199 | zstd_get_params(aa_g_rawdata_compression_level, slen); |
| 1200 | const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams); |
| 1201 | void *wksp = NULL; |
| 1202 | zstd_cctx *ctx = NULL; |
| 1203 | size_t out_len = zstd_compress_bound(slen); |
| 1204 | void *out = NULL; |
| 1205 | int ret = 0; |
| 1206 | |
| 1207 | out = kvzalloc(out_len, GFP_KERNEL); |
| 1208 | if (!out) { |
| 1209 | ret = -ENOMEM; |
| 1210 | goto cleanup; |
| 1211 | } |
| 1212 | |
| 1213 | wksp = kvzalloc(wksp_len, GFP_KERNEL); |
| 1214 | if (!wksp) { |
| 1215 | ret = -ENOMEM; |
| 1216 | goto cleanup; |
| 1217 | } |
| 1218 | |
| 1219 | ctx = zstd_init_cctx(wksp, wksp_len); |
| 1220 | if (!ctx) { |
| 1221 | ret = -EINVAL; |
| 1222 | goto cleanup; |
| 1223 | } |
| 1224 | |
| 1225 | out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms); |
| 1226 | if (zstd_is_error(out_len)) { |
| 1227 | ret = -EINVAL; |
| 1228 | goto cleanup; |
| 1229 | } |
| 1230 | |
| 1231 | if (is_vmalloc_addr(out)) { |
| 1232 | *dst = kvzalloc(out_len, GFP_KERNEL); |
| 1233 | if (*dst) { |
| 1234 | memcpy(*dst, out, out_len); |
| 1235 | kvfree(out); |
| 1236 | out = NULL; |
| 1237 | } |
| 1238 | } else { |
| 1239 | /* |
| 1240 | * If the staging buffer was kmalloc'd, then using krealloc is |
| 1241 | * probably going to be faster. The destination buffer will |
| 1242 | * always be smaller, so it's just shrunk, avoiding a memcpy |
| 1243 | */ |
| 1244 | *dst = krealloc(out, out_len, GFP_KERNEL); |
| 1245 | } |
| 1246 | |
| 1247 | if (!*dst) { |
| 1248 | ret = -ENOMEM; |
| 1249 | goto cleanup; |
| 1250 | } |
| 1251 | |
| 1252 | *dlen = out_len; |
| 1253 | |
| 1254 | cleanup: |
| 1255 | if (ret) { |
| 1256 | kvfree(out); |
| 1257 | *dst = NULL; |
| 1258 | } |
| 1259 | |
| 1260 | kvfree(wksp); |
| 1261 | return ret; |
| 1262 | #else |
| 1263 | *dlen = slen; |
| 1264 | return 0; |
| 1265 | #endif |
| 1266 | } |
| 1267 | |
| 1268 | static int compress_loaddata(struct aa_loaddata *data) |
| 1269 | { |
| 1270 | AA_BUG(data->compressed_size > 0); |
| 1271 | |
| 1272 | /* |
| 1273 | * Shortcut the no compression case, else we increase the amount of |
| 1274 | * storage required by a small amount |
| 1275 | */ |
| 1276 | if (aa_g_rawdata_compression_level != 0) { |
| 1277 | void *udata = data->data; |
| 1278 | int error = compress_zstd(udata, data->size, &data->data, |
| 1279 | &data->compressed_size); |
| 1280 | if (error) |
| 1281 | return error; |
| 1282 | |
| 1283 | if (udata != data->data) |
| 1284 | kvfree(udata); |
| 1285 | } else |
| 1286 | data->compressed_size = data->size; |
| 1287 | |
| 1288 | return 0; |
| 1289 | } |
| 1290 | |
| 1291 | /** |
| 1292 | * aa_unpack - unpack packed binary profile(s) data loaded from user space |
| 1293 | * @udata: user data copied to kmem (NOT NULL) |
| 1294 | * @lh: list to place unpacked profiles in a aa_repl_ws |
| 1295 | * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) |
| 1296 | * |
| 1297 | * Unpack user data and return refcounted allocated profile(s) stored in |
| 1298 | * @lh in order of discovery, with the list chain stored in base.list |
| 1299 | * or error |
| 1300 | * |
| 1301 | * Returns: profile(s) on @lh else error pointer if fails to unpack |
| 1302 | */ |
| 1303 | int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, |
| 1304 | const char **ns) |
| 1305 | { |
| 1306 | struct aa_load_ent *tmp, *ent; |
| 1307 | struct aa_profile *profile = NULL; |
| 1308 | int error; |
| 1309 | struct aa_ext e = { |
| 1310 | .start = udata->data, |
| 1311 | .end = udata->data + udata->size, |
| 1312 | .pos = udata->data, |
| 1313 | }; |
| 1314 | |
| 1315 | *ns = NULL; |
| 1316 | while (e.pos < e.end) { |
| 1317 | char *ns_name = NULL; |
| 1318 | void *start; |
| 1319 | error = verify_header(&e, e.pos == e.start, ns); |
| 1320 | if (error) |
| 1321 | goto fail; |
| 1322 | |
| 1323 | start = e.pos; |
| 1324 | profile = unpack_profile(&e, &ns_name); |
| 1325 | if (IS_ERR(profile)) { |
| 1326 | error = PTR_ERR(profile); |
| 1327 | goto fail; |
| 1328 | } |
| 1329 | |
| 1330 | error = verify_profile(profile); |
| 1331 | if (error) |
| 1332 | goto fail_profile; |
| 1333 | |
| 1334 | if (aa_g_hash_policy) |
| 1335 | error = aa_calc_profile_hash(profile, e.version, start, |
| 1336 | e.pos - start); |
| 1337 | if (error) |
| 1338 | goto fail_profile; |
| 1339 | |
| 1340 | ent = aa_load_ent_alloc(); |
| 1341 | if (!ent) { |
| 1342 | error = -ENOMEM; |
| 1343 | goto fail_profile; |
| 1344 | } |
| 1345 | |
| 1346 | ent->new = profile; |
| 1347 | ent->ns_name = ns_name; |
| 1348 | list_add_tail(&ent->list, lh); |
| 1349 | } |
| 1350 | udata->abi = e.version & K_ABI_MASK; |
| 1351 | if (aa_g_hash_policy) { |
| 1352 | udata->hash = aa_calc_hash(udata->data, udata->size); |
| 1353 | if (IS_ERR(udata->hash)) { |
| 1354 | error = PTR_ERR(udata->hash); |
| 1355 | udata->hash = NULL; |
| 1356 | goto fail; |
| 1357 | } |
| 1358 | } |
| 1359 | |
| 1360 | if (aa_g_export_binary) { |
| 1361 | error = compress_loaddata(udata); |
| 1362 | if (error) |
| 1363 | goto fail; |
| 1364 | } |
| 1365 | return 0; |
| 1366 | |
| 1367 | fail_profile: |
| 1368 | aa_put_profile(profile); |
| 1369 | |
| 1370 | fail: |
| 1371 | list_for_each_entry_safe(ent, tmp, lh, list) { |
| 1372 | list_del_init(&ent->list); |
| 1373 | aa_load_ent_free(ent); |
| 1374 | } |
| 1375 | |
| 1376 | return error; |
| 1377 | } |
| 1378 | |
| 1379 | #ifdef CONFIG_SECURITY_APPARMOR_KUNIT_TEST |
| 1380 | #include "policy_unpack_test.c" |
| 1381 | #endif /* CONFIG_SECURITY_APPARMOR_KUNIT_TEST */ |