]>
Commit | Line | Data |
---|---|---|
736ec752 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor functions for unpacking policy loaded from | |
5 | * userspace. | |
6 | * | |
7 | * Copyright (C) 1998-2008 Novell/SUSE | |
8 | * Copyright 2009-2010 Canonical Ltd. | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or | |
11 | * modify it under the terms of the GNU General Public License as | |
12 | * published by the Free Software Foundation, version 2 of the | |
13 | * License. | |
14 | * | |
d410fa4e RD |
15 | * AppArmor uses a serialized binary format for loading policy. To find |
16 | * policy format documentation look in Documentation/security/apparmor.txt | |
736ec752 JJ |
17 | * All policy is validated before it is used. |
18 | */ | |
19 | ||
20 | #include <asm/unaligned.h> | |
21 | #include <linux/ctype.h> | |
22 | #include <linux/errno.h> | |
23 | ||
24 | #include "include/apparmor.h" | |
25 | #include "include/audit.h" | |
26 | #include "include/context.h" | |
f8eb8a13 | 27 | #include "include/crypto.h" |
736ec752 JJ |
28 | #include "include/match.h" |
29 | #include "include/policy.h" | |
30 | #include "include/policy_unpack.h" | |
736ec752 | 31 | |
474d6b75 | 32 | #define K_ABI_MASK 0x3ff |
5ebfb128 | 33 | #define FORCE_COMPLAIN_FLAG 0x800 |
474d6b75 JJ |
34 | #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK)) |
35 | #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK)) | |
36 | ||
37 | #define v5 5 /* base version */ | |
38 | #define v6 6 /* per entry policydb mediation check */ | |
39 | #define v7 7 /* full network masking */ | |
5ebfb128 | 40 | |
736ec752 JJ |
41 | /* |
42 | * The AppArmor interface treats data as a type byte followed by the | |
43 | * actual data. The interface has the notion of a a named entry | |
44 | * which has a name (AA_NAME typecode followed by name string) followed by | |
45 | * the entries typecode and data. Named types allow for optional | |
46 | * elements and extensions to be added and tested for without breaking | |
47 | * backwards compatibility. | |
48 | */ | |
49 | ||
50 | enum aa_code { | |
51 | AA_U8, | |
52 | AA_U16, | |
53 | AA_U32, | |
54 | AA_U64, | |
55 | AA_NAME, /* same as string except it is items name */ | |
56 | AA_STRING, | |
57 | AA_BLOB, | |
58 | AA_STRUCT, | |
59 | AA_STRUCTEND, | |
60 | AA_LIST, | |
61 | AA_LISTEND, | |
62 | AA_ARRAY, | |
63 | AA_ARRAYEND, | |
64 | }; | |
65 | ||
66 | /* | |
67 | * aa_ext is the read of the buffer containing the serialized profile. The | |
68 | * data is copied into a kernel buffer in apparmorfs and then handed off to | |
69 | * the unpack routines. | |
70 | */ | |
71 | struct aa_ext { | |
72 | void *start; | |
73 | void *end; | |
74 | void *pos; /* pointer to current position in the buffer */ | |
75 | u32 version; | |
76 | }; | |
77 | ||
78 | /* audit callback for unpack fields */ | |
79 | static void audit_cb(struct audit_buffer *ab, void *va) | |
80 | { | |
81 | struct common_audit_data *sa = va; | |
ef88a7ac JJ |
82 | |
83 | if (aad(sa)->iface.ns) { | |
84 | audit_log_format(ab, " ns="); | |
85 | audit_log_untrustedstring(ab, aad(sa)->iface.ns); | |
86 | } | |
87 | if (aad(sa)->iface.name) { | |
736ec752 | 88 | audit_log_format(ab, " name="); |
ef88a7ac | 89 | audit_log_untrustedstring(ab, aad(sa)->iface.name); |
736ec752 | 90 | } |
ef88a7ac JJ |
91 | if (aad(sa)->iface.pos) |
92 | audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos); | |
736ec752 JJ |
93 | } |
94 | ||
95 | /** | |
96 | * audit_iface - do audit message for policy unpacking/load/replace/remove | |
97 | * @new: profile if it has been allocated (MAYBE NULL) | |
04dc715e | 98 | * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL) |
736ec752 JJ |
99 | * @name: name of the profile being manipulated (MAYBE NULL) |
100 | * @info: any extra info about the failure (MAYBE NULL) | |
b1b4bc2e | 101 | * @e: buffer position info |
736ec752 JJ |
102 | * @error: error code |
103 | * | |
104 | * Returns: %0 or error | |
105 | */ | |
04dc715e JJ |
106 | static int audit_iface(struct aa_profile *new, const char *ns_name, |
107 | const char *name, const char *info, struct aa_ext *e, | |
108 | int error) | |
736ec752 | 109 | { |
cf797c0e | 110 | struct aa_profile *profile = aa_current_raw_profile(); |
ef88a7ac | 111 | DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL); |
b1b4bc2e | 112 | if (e) |
ef88a7ac JJ |
113 | aad(&sa)->iface.pos = e->pos - e->start; |
114 | aad(&sa)->iface.ns = ns_name; | |
115 | if (new) | |
116 | aad(&sa)->iface.name = new->base.hname; | |
117 | else | |
118 | aad(&sa)->iface.name = name; | |
119 | aad(&sa)->info = info; | |
120 | aad(&sa)->error = error; | |
736ec752 | 121 | |
ef88a7ac | 122 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); |
736ec752 JJ |
123 | } |
124 | ||
5d5182ca JJ |
125 | void __aa_loaddata_update(struct aa_loaddata *data, long revision) |
126 | { | |
127 | AA_BUG(!data); | |
128 | AA_BUG(!data->ns); | |
129 | AA_BUG(!data->dents[AAFS_LOADDATA_REVISION]); | |
130 | AA_BUG(!mutex_is_locked(&data->ns->lock)); | |
131 | AA_BUG(data->revision > revision); | |
132 | ||
133 | data->revision = revision; | |
134 | d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime = | |
135 | current_time(d_inode(data->dents[AAFS_LOADDATA_DIR])); | |
136 | d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime = | |
137 | current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION])); | |
138 | } | |
139 | ||
140 | bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r) | |
141 | { | |
142 | if (l->size != r->size) | |
143 | return false; | |
144 | if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) | |
145 | return false; | |
146 | return memcmp(l->data, r->data, r->size) == 0; | |
147 | } | |
148 | ||
149 | /* | |
150 | * need to take the ns mutex lock which is NOT safe most places that | |
151 | * put_loaddata is called, so we have to delay freeing it | |
152 | */ | |
153 | static void do_loaddata_free(struct work_struct *work) | |
154 | { | |
155 | struct aa_loaddata *d = container_of(work, struct aa_loaddata, work); | |
156 | struct aa_ns *ns = aa_get_ns(d->ns); | |
157 | ||
158 | if (ns) { | |
159 | mutex_lock(&ns->lock); | |
160 | __aa_fs_remove_rawdata(d); | |
161 | mutex_unlock(&ns->lock); | |
162 | aa_put_ns(ns); | |
163 | } | |
164 | ||
165 | kzfree(d->hash); | |
166 | kfree(d->name); | |
167 | kvfree(d); | |
168 | } | |
169 | ||
5ac8c355 JJ |
170 | void aa_loaddata_kref(struct kref *kref) |
171 | { | |
172 | struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); | |
173 | ||
174 | if (d) { | |
5d5182ca JJ |
175 | INIT_WORK(&d->work, do_loaddata_free); |
176 | schedule_work(&d->work); | |
5ac8c355 JJ |
177 | } |
178 | } | |
179 | ||
5d5182ca JJ |
180 | struct aa_loaddata *aa_loaddata_alloc(size_t size) |
181 | { | |
182 | struct aa_loaddata *d = kvzalloc(sizeof(*d) + size, GFP_KERNEL); | |
183 | ||
184 | if (d == NULL) | |
185 | return ERR_PTR(-ENOMEM); | |
186 | kref_init(&d->count); | |
187 | INIT_LIST_HEAD(&d->list); | |
188 | ||
189 | return d; | |
190 | } | |
191 | ||
736ec752 JJ |
192 | /* test if read will be in packed data bounds */ |
193 | static bool inbounds(struct aa_ext *e, size_t size) | |
194 | { | |
195 | return (size <= e->end - e->pos); | |
196 | } | |
197 | ||
198 | /** | |
199 | * aa_u16_chunck - test and do bounds checking for a u16 size based chunk | |
200 | * @e: serialized data read head (NOT NULL) | |
201 | * @chunk: start address for chunk of data (NOT NULL) | |
202 | * | |
203 | * Returns: the size of chunk found with the read head at the end of the chunk. | |
204 | */ | |
205 | static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) | |
206 | { | |
207 | size_t size = 0; | |
208 | ||
209 | if (!inbounds(e, sizeof(u16))) | |
210 | return 0; | |
2c17cd36 JJ |
211 | size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); |
212 | e->pos += sizeof(__le16); | |
736ec752 JJ |
213 | if (!inbounds(e, size)) |
214 | return 0; | |
215 | *chunk = e->pos; | |
216 | e->pos += size; | |
217 | return size; | |
218 | } | |
219 | ||
220 | /* unpack control byte */ | |
221 | static bool unpack_X(struct aa_ext *e, enum aa_code code) | |
222 | { | |
223 | if (!inbounds(e, 1)) | |
224 | return 0; | |
225 | if (*(u8 *) e->pos != code) | |
226 | return 0; | |
227 | e->pos++; | |
228 | return 1; | |
229 | } | |
230 | ||
231 | /** | |
232 | * unpack_nameX - check is the next element is of type X with a name of @name | |
233 | * @e: serialized data extent information (NOT NULL) | |
234 | * @code: type code | |
235 | * @name: name to match to the serialized element. (MAYBE NULL) | |
236 | * | |
237 | * check that the next serialized data element is of type X and has a tag | |
238 | * name @name. If @name is specified then there must be a matching | |
239 | * name element in the stream. If @name is NULL any name element will be | |
240 | * skipped and only the typecode will be tested. | |
241 | * | |
242 | * Returns 1 on success (both type code and name tests match) and the read | |
243 | * head is advanced past the headers | |
244 | * | |
245 | * Returns: 0 if either match fails, the read head does not move | |
246 | */ | |
247 | static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) | |
248 | { | |
249 | /* | |
250 | * May need to reset pos if name or type doesn't match | |
251 | */ | |
252 | void *pos = e->pos; | |
253 | /* | |
254 | * Check for presence of a tagname, and if present name size | |
255 | * AA_NAME tag value is a u16. | |
256 | */ | |
257 | if (unpack_X(e, AA_NAME)) { | |
258 | char *tag = NULL; | |
259 | size_t size = unpack_u16_chunk(e, &tag); | |
260 | /* if a name is specified it must match. otherwise skip tag */ | |
261 | if (name && (!size || strcmp(name, tag))) | |
262 | goto fail; | |
263 | } else if (name) { | |
264 | /* if a name is specified and there is no name tag fail */ | |
265 | goto fail; | |
266 | } | |
267 | ||
268 | /* now check if type code matches */ | |
269 | if (unpack_X(e, code)) | |
270 | return 1; | |
271 | ||
272 | fail: | |
273 | e->pos = pos; | |
274 | return 0; | |
275 | } | |
276 | ||
277 | static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) | |
278 | { | |
279 | if (unpack_nameX(e, AA_U32, name)) { | |
280 | if (!inbounds(e, sizeof(u32))) | |
281 | return 0; | |
282 | if (data) | |
2c17cd36 | 283 | *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); |
736ec752 JJ |
284 | e->pos += sizeof(u32); |
285 | return 1; | |
286 | } | |
287 | return 0; | |
288 | } | |
289 | ||
290 | static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) | |
291 | { | |
292 | if (unpack_nameX(e, AA_U64, name)) { | |
293 | if (!inbounds(e, sizeof(u64))) | |
294 | return 0; | |
295 | if (data) | |
2c17cd36 | 296 | *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); |
736ec752 JJ |
297 | e->pos += sizeof(u64); |
298 | return 1; | |
299 | } | |
300 | return 0; | |
301 | } | |
302 | ||
303 | static size_t unpack_array(struct aa_ext *e, const char *name) | |
304 | { | |
305 | if (unpack_nameX(e, AA_ARRAY, name)) { | |
306 | int size; | |
307 | if (!inbounds(e, sizeof(u16))) | |
308 | return 0; | |
2c17cd36 | 309 | size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos)); |
736ec752 JJ |
310 | e->pos += sizeof(u16); |
311 | return size; | |
312 | } | |
313 | return 0; | |
314 | } | |
315 | ||
316 | static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) | |
317 | { | |
318 | if (unpack_nameX(e, AA_BLOB, name)) { | |
319 | u32 size; | |
320 | if (!inbounds(e, sizeof(u32))) | |
321 | return 0; | |
2c17cd36 | 322 | size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); |
736ec752 JJ |
323 | e->pos += sizeof(u32); |
324 | if (inbounds(e, (size_t) size)) { | |
325 | *blob = e->pos; | |
326 | e->pos += size; | |
327 | return size; | |
328 | } | |
329 | } | |
330 | return 0; | |
331 | } | |
332 | ||
333 | static int unpack_str(struct aa_ext *e, const char **string, const char *name) | |
334 | { | |
335 | char *src_str; | |
336 | size_t size = 0; | |
337 | void *pos = e->pos; | |
338 | *string = NULL; | |
339 | if (unpack_nameX(e, AA_STRING, name)) { | |
340 | size = unpack_u16_chunk(e, &src_str); | |
341 | if (size) { | |
342 | /* strings are null terminated, length is size - 1 */ | |
343 | if (src_str[size - 1] != 0) | |
344 | goto fail; | |
345 | *string = src_str; | |
346 | } | |
347 | } | |
348 | return size; | |
349 | ||
350 | fail: | |
351 | e->pos = pos; | |
352 | return 0; | |
353 | } | |
354 | ||
355 | static int unpack_strdup(struct aa_ext *e, char **string, const char *name) | |
356 | { | |
357 | const char *tmp; | |
358 | void *pos = e->pos; | |
359 | int res = unpack_str(e, &tmp, name); | |
360 | *string = NULL; | |
361 | ||
362 | if (!res) | |
363 | return 0; | |
364 | ||
365 | *string = kmemdup(tmp, res, GFP_KERNEL); | |
366 | if (!*string) { | |
367 | e->pos = pos; | |
368 | return 0; | |
369 | } | |
370 | ||
371 | return res; | |
372 | } | |
373 | ||
180a6f59 JJ |
374 | #define DFA_VALID_PERM_MASK 0xffffffff |
375 | #define DFA_VALID_PERM2_MASK 0xffffffff | |
376 | ||
736ec752 JJ |
377 | /** |
378 | * verify_accept - verify the accept tables of a dfa | |
379 | * @dfa: dfa to verify accept tables of (NOT NULL) | |
380 | * @flags: flags governing dfa | |
381 | * | |
382 | * Returns: 1 if valid accept tables else 0 if error | |
383 | */ | |
384 | static bool verify_accept(struct aa_dfa *dfa, int flags) | |
385 | { | |
386 | int i; | |
387 | ||
388 | /* verify accept permissions */ | |
389 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | |
390 | int mode = ACCEPT_TABLE(dfa)[i]; | |
391 | ||
392 | if (mode & ~DFA_VALID_PERM_MASK) | |
393 | return 0; | |
394 | ||
395 | if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) | |
396 | return 0; | |
397 | } | |
398 | return 1; | |
399 | } | |
400 | ||
401 | /** | |
402 | * unpack_dfa - unpack a file rule dfa | |
403 | * @e: serialized data extent information (NOT NULL) | |
404 | * | |
405 | * returns dfa or ERR_PTR or NULL if no dfa | |
406 | */ | |
407 | static struct aa_dfa *unpack_dfa(struct aa_ext *e) | |
408 | { | |
409 | char *blob = NULL; | |
410 | size_t size; | |
411 | struct aa_dfa *dfa = NULL; | |
412 | ||
413 | size = unpack_blob(e, &blob, "aadfa"); | |
414 | if (size) { | |
415 | /* | |
416 | * The dfa is aligned with in the blob to 8 bytes | |
417 | * from the beginning of the stream. | |
dd51c848 | 418 | * alignment adjust needed by dfa unpack |
736ec752 | 419 | */ |
dd51c848 JJ |
420 | size_t sz = blob - (char *) e->start - |
421 | ((e->pos - e->start) & 7); | |
736ec752 JJ |
422 | size_t pad = ALIGN(sz, 8) - sz; |
423 | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | | |
abbf8734 | 424 | TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; |
736ec752 JJ |
425 | dfa = aa_dfa_unpack(blob + pad, size - pad, flags); |
426 | ||
427 | if (IS_ERR(dfa)) | |
428 | return dfa; | |
429 | ||
430 | if (!verify_accept(dfa, flags)) | |
431 | goto fail; | |
432 | } | |
433 | ||
434 | return dfa; | |
435 | ||
436 | fail: | |
437 | aa_put_dfa(dfa); | |
438 | return ERR_PTR(-EPROTO); | |
439 | } | |
440 | ||
441 | /** | |
442 | * unpack_trans_table - unpack a profile transition table | |
443 | * @e: serialized data extent information (NOT NULL) | |
444 | * @profile: profile to add the accept table to (NOT NULL) | |
445 | * | |
25985edc | 446 | * Returns: 1 if table successfully unpacked |
736ec752 JJ |
447 | */ |
448 | static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) | |
449 | { | |
450 | void *pos = e->pos; | |
451 | ||
452 | /* exec table is optional */ | |
453 | if (unpack_nameX(e, AA_STRUCT, "xtable")) { | |
454 | int i, size; | |
455 | ||
456 | size = unpack_array(e, NULL); | |
457 | /* currently 4 exec bits and entries 0-3 are reserved iupcx */ | |
458 | if (size > 16 - 4) | |
459 | goto fail; | |
460 | profile->file.trans.table = kzalloc(sizeof(char *) * size, | |
461 | GFP_KERNEL); | |
462 | if (!profile->file.trans.table) | |
463 | goto fail; | |
464 | ||
465 | profile->file.trans.size = size; | |
466 | for (i = 0; i < size; i++) { | |
467 | char *str; | |
7ee95850 | 468 | int c, j, size2 = unpack_strdup(e, &str, NULL); |
736ec752 JJ |
469 | /* unpack_strdup verifies that the last character is |
470 | * null termination byte. | |
471 | */ | |
7ee95850 | 472 | if (!size2) |
736ec752 JJ |
473 | goto fail; |
474 | profile->file.trans.table[i] = str; | |
475 | /* verify that name doesn't start with space */ | |
476 | if (isspace(*str)) | |
477 | goto fail; | |
478 | ||
479 | /* count internal # of internal \0 */ | |
7ee95850 | 480 | for (c = j = 0; j < size2 - 2; j++) { |
736ec752 JJ |
481 | if (!str[j]) |
482 | c++; | |
483 | } | |
484 | if (*str == ':') { | |
485 | /* beginning with : requires an embedded \0, | |
486 | * verify that exactly 1 internal \0 exists | |
487 | * trailing \0 already verified by unpack_strdup | |
488 | */ | |
489 | if (c != 1) | |
490 | goto fail; | |
491 | /* first character after : must be valid */ | |
492 | if (!str[1]) | |
493 | goto fail; | |
494 | } else if (c) | |
495 | /* fail - all other cases with embedded \0 */ | |
496 | goto fail; | |
497 | } | |
498 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | |
499 | goto fail; | |
500 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
501 | goto fail; | |
502 | } | |
503 | return 1; | |
504 | ||
505 | fail: | |
506 | aa_free_domain_entries(&profile->file.trans); | |
507 | e->pos = pos; | |
508 | return 0; | |
509 | } | |
510 | ||
511 | static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) | |
512 | { | |
513 | void *pos = e->pos; | |
514 | ||
515 | /* rlimits are optional */ | |
516 | if (unpack_nameX(e, AA_STRUCT, "rlimits")) { | |
517 | int i, size; | |
518 | u32 tmp = 0; | |
519 | if (!unpack_u32(e, &tmp, NULL)) | |
520 | goto fail; | |
521 | profile->rlimits.mask = tmp; | |
522 | ||
523 | size = unpack_array(e, NULL); | |
524 | if (size > RLIM_NLIMITS) | |
525 | goto fail; | |
526 | for (i = 0; i < size; i++) { | |
7ee95850 | 527 | u64 tmp2 = 0; |
736ec752 | 528 | int a = aa_map_resource(i); |
7ee95850 | 529 | if (!unpack_u64(e, &tmp2, NULL)) |
736ec752 | 530 | goto fail; |
7ee95850 | 531 | profile->rlimits.limits[a].rlim_max = tmp2; |
736ec752 JJ |
532 | } |
533 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | |
534 | goto fail; | |
535 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
536 | goto fail; | |
537 | } | |
538 | return 1; | |
539 | ||
540 | fail: | |
541 | e->pos = pos; | |
542 | return 0; | |
543 | } | |
544 | ||
e025be0f WH |
545 | static void *kvmemdup(const void *src, size_t len) |
546 | { | |
a7c3e901 | 547 | void *p = kvmalloc(len, GFP_KERNEL); |
e025be0f WH |
548 | |
549 | if (p) | |
550 | memcpy(p, src, len); | |
551 | return p; | |
552 | } | |
553 | ||
554 | static u32 strhash(const void *data, u32 len, u32 seed) | |
555 | { | |
556 | const char * const *key = data; | |
557 | ||
558 | return jhash(*key, strlen(*key), seed); | |
559 | } | |
560 | ||
561 | static int datacmp(struct rhashtable_compare_arg *arg, const void *obj) | |
562 | { | |
563 | const struct aa_data *data = obj; | |
564 | const char * const *key = arg->key; | |
565 | ||
566 | return strcmp(data->key, *key); | |
567 | } | |
568 | ||
736ec752 JJ |
569 | /** |
570 | * unpack_profile - unpack a serialized profile | |
571 | * @e: serialized data extent information (NOT NULL) | |
572 | * | |
573 | * NOTE: unpack profile sets audit struct if there is a failure | |
574 | */ | |
04dc715e | 575 | static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) |
736ec752 JJ |
576 | { |
577 | struct aa_profile *profile = NULL; | |
04dc715e JJ |
578 | const char *tmpname, *tmpns = NULL, *name = NULL; |
579 | size_t ns_len; | |
e025be0f WH |
580 | struct rhashtable_params params = { 0 }; |
581 | char *key = NULL; | |
582 | struct aa_data *data; | |
ad5ff3db | 583 | int i, error = -EPROTO; |
736ec752 JJ |
584 | kernel_cap_t tmpcap; |
585 | u32 tmp; | |
586 | ||
04dc715e JJ |
587 | *ns_name = NULL; |
588 | ||
736ec752 JJ |
589 | /* check that we have the right struct being passed */ |
590 | if (!unpack_nameX(e, AA_STRUCT, "profile")) | |
591 | goto fail; | |
592 | if (!unpack_str(e, &name, NULL)) | |
593 | goto fail; | |
04dc715e JJ |
594 | if (*name == '\0') |
595 | goto fail; | |
596 | ||
597 | tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len); | |
598 | if (tmpns) { | |
599 | *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL); | |
600 | if (!*ns_name) | |
601 | goto fail; | |
602 | name = tmpname; | |
603 | } | |
736ec752 | 604 | |
30b026a8 | 605 | profile = aa_alloc_profile(name, GFP_KERNEL); |
736ec752 JJ |
606 | if (!profile) |
607 | return ERR_PTR(-ENOMEM); | |
608 | ||
609 | /* profile renaming is optional */ | |
610 | (void) unpack_str(e, &profile->rename, "rename"); | |
611 | ||
556d0be7 JJ |
612 | /* attachment string is optional */ |
613 | (void) unpack_str(e, &profile->attach, "attach"); | |
614 | ||
736ec752 JJ |
615 | /* xmatch is optional and may be NULL */ |
616 | profile->xmatch = unpack_dfa(e); | |
617 | if (IS_ERR(profile->xmatch)) { | |
618 | error = PTR_ERR(profile->xmatch); | |
619 | profile->xmatch = NULL; | |
620 | goto fail; | |
621 | } | |
622 | /* xmatch_len is not optional if xmatch is set */ | |
623 | if (profile->xmatch) { | |
624 | if (!unpack_u32(e, &tmp, NULL)) | |
625 | goto fail; | |
626 | profile->xmatch_len = tmp; | |
627 | } | |
628 | ||
72c8a768 JJ |
629 | /* disconnected attachment string is optional */ |
630 | (void) unpack_str(e, &profile->disconnected, "disconnected"); | |
631 | ||
736ec752 JJ |
632 | /* per profile debug flags (complain, audit) */ |
633 | if (!unpack_nameX(e, AA_STRUCT, "flags")) | |
634 | goto fail; | |
635 | if (!unpack_u32(e, &tmp, NULL)) | |
636 | goto fail; | |
03816507 | 637 | if (tmp & PACKED_FLAG_HAT) |
736ec752 JJ |
638 | profile->flags |= PFLAG_HAT; |
639 | if (!unpack_u32(e, &tmp, NULL)) | |
640 | goto fail; | |
5ebfb128 | 641 | if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) |
736ec752 | 642 | profile->mode = APPARMOR_COMPLAIN; |
03816507 JJ |
643 | else if (tmp == PACKED_MODE_KILL) |
644 | profile->mode = APPARMOR_KILL; | |
645 | else if (tmp == PACKED_MODE_UNCONFINED) | |
646 | profile->mode = APPARMOR_UNCONFINED; | |
736ec752 JJ |
647 | if (!unpack_u32(e, &tmp, NULL)) |
648 | goto fail; | |
649 | if (tmp) | |
650 | profile->audit = AUDIT_ALL; | |
651 | ||
652 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
653 | goto fail; | |
654 | ||
655 | /* path_flags is optional */ | |
656 | if (unpack_u32(e, &profile->path_flags, "path_flags")) | |
657 | profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; | |
658 | else | |
659 | /* set a default value if path_flags field is not present */ | |
660 | profile->path_flags = PFLAG_MEDIATE_DELETED; | |
661 | ||
662 | if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) | |
663 | goto fail; | |
664 | if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) | |
665 | goto fail; | |
666 | if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) | |
667 | goto fail; | |
668 | if (!unpack_u32(e, &tmpcap.cap[0], NULL)) | |
669 | goto fail; | |
670 | ||
671 | if (unpack_nameX(e, AA_STRUCT, "caps64")) { | |
672 | /* optional upper half of 64 bit caps */ | |
673 | if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) | |
674 | goto fail; | |
675 | if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) | |
676 | goto fail; | |
677 | if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) | |
678 | goto fail; | |
679 | if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) | |
680 | goto fail; | |
681 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
682 | goto fail; | |
683 | } | |
684 | ||
685 | if (unpack_nameX(e, AA_STRUCT, "capsx")) { | |
686 | /* optional extended caps mediation mask */ | |
687 | if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) | |
688 | goto fail; | |
689 | if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) | |
690 | goto fail; | |
cdbd2884 JJ |
691 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
692 | goto fail; | |
736ec752 JJ |
693 | } |
694 | ||
695 | if (!unpack_rlimits(e, profile)) | |
696 | goto fail; | |
697 | ||
ad5ff3db JJ |
698 | if (unpack_nameX(e, AA_STRUCT, "policydb")) { |
699 | /* generic policy dfa - optional and may be NULL */ | |
700 | profile->policy.dfa = unpack_dfa(e); | |
701 | if (IS_ERR(profile->policy.dfa)) { | |
702 | error = PTR_ERR(profile->policy.dfa); | |
703 | profile->policy.dfa = NULL; | |
704 | goto fail; | |
5f20fdfe JJ |
705 | } else if (!profile->policy.dfa) { |
706 | error = -EPROTO; | |
707 | goto fail; | |
ad5ff3db JJ |
708 | } |
709 | if (!unpack_u32(e, &profile->policy.start[0], "start")) | |
710 | /* default start state */ | |
711 | profile->policy.start[0] = DFA_START; | |
712 | /* setup class index */ | |
713 | for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { | |
714 | profile->policy.start[i] = | |
715 | aa_dfa_next(profile->policy.dfa, | |
716 | profile->policy.start[0], | |
717 | i); | |
718 | } | |
719 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
720 | goto fail; | |
11c236b8 JJ |
721 | } else |
722 | profile->policy.dfa = aa_get_dfa(nulldfa); | |
ad5ff3db | 723 | |
736ec752 JJ |
724 | /* get file rules */ |
725 | profile->file.dfa = unpack_dfa(e); | |
726 | if (IS_ERR(profile->file.dfa)) { | |
727 | error = PTR_ERR(profile->file.dfa); | |
728 | profile->file.dfa = NULL; | |
729 | goto fail; | |
6604d4c1 JJ |
730 | } else if (profile->file.dfa) { |
731 | if (!unpack_u32(e, &profile->file.start, "dfa_start")) | |
732 | /* default start state */ | |
733 | profile->file.start = DFA_START; | |
734 | } else if (profile->policy.dfa && | |
735 | profile->policy.start[AA_CLASS_FILE]) { | |
736 | profile->file.dfa = aa_get_dfa(profile->policy.dfa); | |
737 | profile->file.start = profile->policy.start[AA_CLASS_FILE]; | |
11c236b8 JJ |
738 | } else |
739 | profile->file.dfa = aa_get_dfa(nulldfa); | |
736ec752 | 740 | |
736ec752 JJ |
741 | if (!unpack_trans_table(e, profile)) |
742 | goto fail; | |
743 | ||
e025be0f WH |
744 | if (unpack_nameX(e, AA_STRUCT, "data")) { |
745 | profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); | |
746 | if (!profile->data) | |
747 | goto fail; | |
748 | ||
749 | params.nelem_hint = 3; | |
750 | params.key_len = sizeof(void *); | |
751 | params.key_offset = offsetof(struct aa_data, key); | |
752 | params.head_offset = offsetof(struct aa_data, head); | |
753 | params.hashfn = strhash; | |
754 | params.obj_cmpfn = datacmp; | |
755 | ||
756 | if (rhashtable_init(profile->data, ¶ms)) | |
757 | goto fail; | |
758 | ||
759 | while (unpack_strdup(e, &key, NULL)) { | |
760 | data = kzalloc(sizeof(*data), GFP_KERNEL); | |
761 | if (!data) { | |
762 | kzfree(key); | |
763 | goto fail; | |
764 | } | |
765 | ||
766 | data->key = key; | |
767 | data->size = unpack_blob(e, &data->data, NULL); | |
768 | data->data = kvmemdup(data->data, data->size); | |
769 | if (data->size && !data->data) { | |
770 | kzfree(data->key); | |
771 | kzfree(data); | |
772 | goto fail; | |
773 | } | |
774 | ||
775 | rhashtable_insert_fast(profile->data, &data->head, | |
776 | profile->data->p); | |
777 | } | |
778 | ||
779 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
780 | goto fail; | |
781 | } | |
782 | ||
736ec752 JJ |
783 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
784 | goto fail; | |
785 | ||
786 | return profile; | |
787 | ||
788 | fail: | |
789 | if (profile) | |
790 | name = NULL; | |
791 | else if (!name) | |
792 | name = "unknown"; | |
04dc715e JJ |
793 | audit_iface(profile, NULL, name, "failed to unpack profile", e, |
794 | error); | |
8651e1d6 | 795 | aa_free_profile(profile); |
736ec752 JJ |
796 | |
797 | return ERR_PTR(error); | |
798 | } | |
799 | ||
800 | /** | |
801 | * verify_head - unpack serialized stream header | |
802 | * @e: serialized data read head (NOT NULL) | |
dd51c848 | 803 | * @required: whether the header is required or optional |
736ec752 JJ |
804 | * @ns: Returns - namespace if one is specified else NULL (NOT NULL) |
805 | * | |
806 | * Returns: error or 0 if header is good | |
807 | */ | |
dd51c848 | 808 | static int verify_header(struct aa_ext *e, int required, const char **ns) |
736ec752 JJ |
809 | { |
810 | int error = -EPROTONOSUPPORT; | |
dd51c848 JJ |
811 | const char *name = NULL; |
812 | *ns = NULL; | |
813 | ||
736ec752 JJ |
814 | /* get the interface version */ |
815 | if (!unpack_u32(e, &e->version, "version")) { | |
dd51c848 | 816 | if (required) { |
04dc715e | 817 | audit_iface(NULL, NULL, NULL, "invalid profile format", |
dd51c848 JJ |
818 | e, error); |
819 | return error; | |
820 | } | |
736ec752 JJ |
821 | } |
822 | ||
474d6b75 JJ |
823 | /* Check that the interface version is currently supported. |
824 | * if not specified use previous version | |
825 | * Mask off everything that is not kernel abi version | |
826 | */ | |
827 | if (VERSION_LT(e->version, v5) && VERSION_GT(e->version, v7)) { | |
04dc715e | 828 | audit_iface(NULL, NULL, NULL, "unsupported interface version", |
474d6b75 JJ |
829 | e, error); |
830 | return error; | |
831 | } | |
dd51c848 | 832 | |
736ec752 | 833 | /* read the namespace if present */ |
dd51c848 | 834 | if (unpack_str(e, &name, "namespace")) { |
04dc715e JJ |
835 | if (*name == '\0') { |
836 | audit_iface(NULL, NULL, NULL, "invalid namespace name", | |
837 | e, error); | |
838 | return error; | |
839 | } | |
dd51c848 | 840 | if (*ns && strcmp(*ns, name)) |
04dc715e JJ |
841 | audit_iface(NULL, NULL, NULL, "invalid ns change", e, |
842 | error); | |
dd51c848 JJ |
843 | else if (!*ns) |
844 | *ns = name; | |
845 | } | |
736ec752 JJ |
846 | |
847 | return 0; | |
848 | } | |
849 | ||
850 | static bool verify_xindex(int xindex, int table_size) | |
851 | { | |
852 | int index, xtype; | |
853 | xtype = xindex & AA_X_TYPE_MASK; | |
854 | index = xindex & AA_X_INDEX_MASK; | |
23ca7b64 | 855 | if (xtype == AA_X_TABLE && index >= table_size) |
736ec752 JJ |
856 | return 0; |
857 | return 1; | |
858 | } | |
859 | ||
860 | /* verify dfa xindexes are in range of transition tables */ | |
861 | static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) | |
862 | { | |
863 | int i; | |
864 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | |
865 | if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) | |
866 | return 0; | |
867 | if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) | |
868 | return 0; | |
869 | } | |
870 | return 1; | |
871 | } | |
872 | ||
873 | /** | |
874 | * verify_profile - Do post unpack analysis to verify profile consistency | |
875 | * @profile: profile to verify (NOT NULL) | |
876 | * | |
877 | * Returns: 0 if passes verification else error | |
878 | */ | |
879 | static int verify_profile(struct aa_profile *profile) | |
880 | { | |
abbf8734 JJ |
881 | if (profile->file.dfa && |
882 | !verify_dfa_xindex(profile->file.dfa, | |
883 | profile->file.trans.size)) { | |
04dc715e | 884 | audit_iface(profile, NULL, NULL, "Invalid named transition", |
abbf8734 JJ |
885 | NULL, -EPROTO); |
886 | return -EPROTO; | |
736ec752 JJ |
887 | } |
888 | ||
889 | return 0; | |
890 | } | |
891 | ||
dd51c848 JJ |
892 | void aa_load_ent_free(struct aa_load_ent *ent) |
893 | { | |
894 | if (ent) { | |
895 | aa_put_profile(ent->rename); | |
896 | aa_put_profile(ent->old); | |
897 | aa_put_profile(ent->new); | |
04dc715e | 898 | kfree(ent->ns_name); |
dd51c848 JJ |
899 | kzfree(ent); |
900 | } | |
901 | } | |
902 | ||
903 | struct aa_load_ent *aa_load_ent_alloc(void) | |
904 | { | |
905 | struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL); | |
906 | if (ent) | |
907 | INIT_LIST_HEAD(&ent->list); | |
908 | return ent; | |
909 | } | |
910 | ||
736ec752 | 911 | /** |
dd51c848 | 912 | * aa_unpack - unpack packed binary profile(s) data loaded from user space |
736ec752 | 913 | * @udata: user data copied to kmem (NOT NULL) |
dd51c848 | 914 | * @lh: list to place unpacked profiles in a aa_repl_ws |
736ec752 JJ |
915 | * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) |
916 | * | |
dd51c848 JJ |
917 | * Unpack user data and return refcounted allocated profile(s) stored in |
918 | * @lh in order of discovery, with the list chain stored in base.list | |
919 | * or error | |
736ec752 | 920 | * |
dd51c848 | 921 | * Returns: profile(s) on @lh else error pointer if fails to unpack |
736ec752 | 922 | */ |
5ac8c355 JJ |
923 | int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, |
924 | const char **ns) | |
736ec752 | 925 | { |
dd51c848 | 926 | struct aa_load_ent *tmp, *ent; |
736ec752 JJ |
927 | struct aa_profile *profile = NULL; |
928 | int error; | |
929 | struct aa_ext e = { | |
5ac8c355 JJ |
930 | .start = udata->data, |
931 | .end = udata->data + udata->size, | |
932 | .pos = udata->data, | |
736ec752 JJ |
933 | }; |
934 | ||
dd51c848 JJ |
935 | *ns = NULL; |
936 | while (e.pos < e.end) { | |
04dc715e | 937 | char *ns_name = NULL; |
f8eb8a13 | 938 | void *start; |
dd51c848 JJ |
939 | error = verify_header(&e, e.pos == e.start, ns); |
940 | if (error) | |
941 | goto fail; | |
736ec752 | 942 | |
f8eb8a13 | 943 | start = e.pos; |
04dc715e | 944 | profile = unpack_profile(&e, &ns_name); |
dd51c848 JJ |
945 | if (IS_ERR(profile)) { |
946 | error = PTR_ERR(profile); | |
947 | goto fail; | |
948 | } | |
949 | ||
950 | error = verify_profile(profile); | |
f8eb8a13 JJ |
951 | if (error) |
952 | goto fail_profile; | |
953 | ||
31f75bfe JJ |
954 | if (aa_g_hash_policy) |
955 | error = aa_calc_profile_hash(profile, e.version, start, | |
6059f71f | 956 | e.pos - start); |
f8eb8a13 JJ |
957 | if (error) |
958 | goto fail_profile; | |
dd51c848 JJ |
959 | |
960 | ent = aa_load_ent_alloc(); | |
961 | if (!ent) { | |
962 | error = -ENOMEM; | |
f8eb8a13 | 963 | goto fail_profile; |
dd51c848 | 964 | } |
736ec752 | 965 | |
dd51c848 | 966 | ent->new = profile; |
04dc715e | 967 | ent->ns_name = ns_name; |
dd51c848 | 968 | list_add_tail(&ent->list, lh); |
736ec752 | 969 | } |
5ac8c355 | 970 | udata->abi = e.version & K_ABI_MASK; |
31f75bfe JJ |
971 | if (aa_g_hash_policy) { |
972 | udata->hash = aa_calc_hash(udata->data, udata->size); | |
973 | if (IS_ERR(udata->hash)) { | |
974 | error = PTR_ERR(udata->hash); | |
975 | udata->hash = NULL; | |
976 | goto fail; | |
977 | } | |
5ac8c355 | 978 | } |
dd51c848 JJ |
979 | return 0; |
980 | ||
f8eb8a13 JJ |
981 | fail_profile: |
982 | aa_put_profile(profile); | |
983 | ||
dd51c848 JJ |
984 | fail: |
985 | list_for_each_entry_safe(ent, tmp, lh, list) { | |
986 | list_del_init(&ent->list); | |
987 | aa_load_ent_free(ent); | |
988 | } | |
989 | ||
990 | return error; | |
736ec752 | 991 | } |