]>
git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/policy_unpack.c
2 * AppArmor security module
4 * This file contains AppArmor functions for unpacking policy loaded from
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
15 * AppArmor uses a serialized binary format for loading policy. To find
16 * policy format documentation look in Documentation/security/apparmor.txt
17 * All policy is validated before it is used.
20 #include <asm/unaligned.h>
21 #include <linux/ctype.h>
22 #include <linux/errno.h>
23 #include <linux/string.h>
25 #include "include/apparmor.h"
26 #include "include/audit.h"
27 #include "include/context.h"
28 #include "include/crypto.h"
29 #include "include/match.h"
30 #include "include/path.h"
31 #include "include/policy.h"
32 #include "include/policy_unpack.h"
34 #define K_ABI_MASK 0x3ff
35 #define FORCE_COMPLAIN_FLAG 0x800
36 #define VERSION_CMP(OP, X, Y) (((X) & K_ABI_MASK) OP ((Y) & K_ABI_MASK))
38 #define v5 5 /* base version */
39 #define v6 6 /* per entry policydb mediation check */
40 #define v7 7 /* full network masking */
43 * The AppArmor interface treats data as a type byte followed by the
44 * actual data. The interface has the notion of a a named entry
45 * which has a name (AA_NAME typecode followed by name string) followed by
46 * the entries typecode and data. Named types allow for optional
47 * elements and extensions to be added and tested for without breaking
48 * backwards compatibility.
56 AA_NAME
, /* same as string except it is items name */
68 * aa_ext is the read of the buffer containing the serialized profile. The
69 * data is copied into a kernel buffer in apparmorfs and then handed off to
70 * the unpack routines.
75 void *pos
; /* pointer to current position in the buffer */
79 /* audit callback for unpack fields */
80 static void audit_cb(struct audit_buffer
*ab
, void *va
)
82 struct common_audit_data
*sa
= va
;
84 if (aad(sa
)->iface
.ns
) {
85 audit_log_format(ab
, " ns=");
86 audit_log_untrustedstring(ab
, aad(sa
)->iface
.ns
);
89 audit_log_format(ab
, " name=");
90 audit_log_untrustedstring(ab
, aad(sa
)->name
);
92 if (aad(sa
)->iface
.pos
)
93 audit_log_format(ab
, " offset=%ld", aad(sa
)->iface
.pos
);
97 * audit_iface - do audit message for policy unpacking/load/replace/remove
98 * @new: profile if it has been allocated (MAYBE NULL)
99 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
100 * @name: name of the profile being manipulated (MAYBE NULL)
101 * @info: any extra info about the failure (MAYBE NULL)
102 * @e: buffer position info
105 * Returns: %0 or error
107 static int audit_iface(struct aa_profile
*new, const char *ns_name
,
108 const char *name
, const char *info
, struct aa_ext
*e
,
111 struct aa_profile
*profile
= labels_profile(aa_current_raw_label());
112 DEFINE_AUDIT_DATA(sa
, LSM_AUDIT_DATA_NONE
, NULL
);
114 aad(&sa
)->iface
.pos
= e
->pos
- e
->start
;
116 aad(&sa
)->iface
.ns
= ns_name
;
118 aad(&sa
)->name
= new->base
.hname
;
120 aad(&sa
)->name
= name
;
121 aad(&sa
)->info
= info
;
122 aad(&sa
)->error
= error
;
124 return aa_audit(AUDIT_APPARMOR_STATUS
, profile
, &sa
, audit_cb
);
127 /* test if read will be in packed data bounds */
128 static bool inbounds(struct aa_ext
*e
, size_t size
)
130 return (size
<= e
->end
- e
->pos
);
134 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
135 * @e: serialized data read head (NOT NULL)
136 * @chunk: start address for chunk of data (NOT NULL)
138 * Returns: the size of chunk found with the read head at the end of the chunk.
140 static size_t unpack_u16_chunk(struct aa_ext
*e
, char **chunk
)
144 if (!inbounds(e
, sizeof(u16
)))
146 size
= le16_to_cpu(get_unaligned((u16
*) e
->pos
));
147 e
->pos
+= sizeof(u16
);
148 if (!inbounds(e
, size
))
155 /* unpack control byte */
156 static bool unpack_X(struct aa_ext
*e
, enum aa_code code
)
160 if (*(u8
*) e
->pos
!= code
)
167 * unpack_nameX - check is the next element is of type X with a name of @name
168 * @e: serialized data extent information (NOT NULL)
170 * @name: name to match to the serialized element. (MAYBE NULL)
172 * check that the next serialized data element is of type X and has a tag
173 * name @name. If @name is specified then there must be a matching
174 * name element in the stream. If @name is NULL any name element will be
175 * skipped and only the typecode will be tested.
177 * Returns 1 on success (both type code and name tests match) and the read
178 * head is advanced past the headers
180 * Returns: 0 if either match fails, the read head does not move
182 static bool unpack_nameX(struct aa_ext
*e
, enum aa_code code
, const char *name
)
185 * May need to reset pos if name or type doesn't match
189 * Check for presence of a tagname, and if present name size
190 * AA_NAME tag value is a u16.
192 if (unpack_X(e
, AA_NAME
)) {
194 size_t size
= unpack_u16_chunk(e
, &tag
);
195 /* if a name is specified it must match. otherwise skip tag */
196 if (name
&& (!size
|| strcmp(name
, tag
)))
199 /* if a name is specified and there is no name tag fail */
203 /* now check if type code matches */
204 if (unpack_X(e
, code
))
212 static bool unpack_u16(struct aa_ext
*e
, u16
*data
, const char *name
)
214 if (unpack_nameX(e
, AA_U16
, name
)) {
215 if (!inbounds(e
, sizeof(u16
)))
218 *data
= le16_to_cpu(get_unaligned((u16
*) e
->pos
));
219 e
->pos
+= sizeof(u16
);
225 static bool unpack_u32(struct aa_ext
*e
, u32
*data
, const char *name
)
227 if (unpack_nameX(e
, AA_U32
, name
)) {
228 if (!inbounds(e
, sizeof(u32
)))
231 *data
= le32_to_cpu(get_unaligned((u32
*) e
->pos
));
232 e
->pos
+= sizeof(u32
);
238 static bool unpack_u64(struct aa_ext
*e
, u64
*data
, const char *name
)
240 if (unpack_nameX(e
, AA_U64
, name
)) {
241 if (!inbounds(e
, sizeof(u64
)))
244 *data
= le64_to_cpu(get_unaligned((u64
*) e
->pos
));
245 e
->pos
+= sizeof(u64
);
251 static size_t unpack_array(struct aa_ext
*e
, const char *name
)
253 if (unpack_nameX(e
, AA_ARRAY
, name
)) {
255 if (!inbounds(e
, sizeof(u16
)))
257 size
= (int)le16_to_cpu(get_unaligned((u16
*) e
->pos
));
258 e
->pos
+= sizeof(u16
);
264 static size_t unpack_blob(struct aa_ext
*e
, char **blob
, const char *name
)
266 if (unpack_nameX(e
, AA_BLOB
, name
)) {
268 if (!inbounds(e
, sizeof(u32
)))
270 size
= le32_to_cpu(get_unaligned((u32
*) e
->pos
));
271 e
->pos
+= sizeof(u32
);
272 if (inbounds(e
, (size_t) size
)) {
281 static int unpack_str(struct aa_ext
*e
, const char **string
, const char *name
)
287 if (unpack_nameX(e
, AA_STRING
, name
)) {
288 size
= unpack_u16_chunk(e
, &src_str
);
290 /* strings are null terminated, length is size - 1 */
291 if (src_str
[size
- 1] != 0)
303 static int unpack_strdup(struct aa_ext
*e
, char **string
, const char *name
)
307 int res
= unpack_str(e
, &tmp
, name
);
313 *string
= kmemdup(tmp
, res
, GFP_KERNEL
);
322 #define DFA_VALID_PERM_MASK 0xffffffff
323 #define DFA_VALID_PERM2_MASK 0xffffffff
326 * verify_accept - verify the accept tables of a dfa
327 * @dfa: dfa to verify accept tables of (NOT NULL)
328 * @flags: flags governing dfa
330 * Returns: 1 if valid accept tables else 0 if error
332 static bool verify_accept(struct aa_dfa
*dfa
, int flags
)
336 /* verify accept permissions */
337 for (i
= 0; i
< dfa
->tables
[YYTD_ID_ACCEPT
]->td_lolen
; i
++) {
338 int mode
= ACCEPT_TABLE(dfa
)[i
];
340 if (mode
& ~DFA_VALID_PERM_MASK
)
343 if (ACCEPT_TABLE2(dfa
)[i
] & ~DFA_VALID_PERM2_MASK
)
350 * unpack_dfa - unpack a file rule dfa
351 * @e: serialized data extent information (NOT NULL)
353 * returns dfa or ERR_PTR or NULL if no dfa
355 static struct aa_dfa
*unpack_dfa(struct aa_ext
*e
)
359 struct aa_dfa
*dfa
= NULL
;
361 size
= unpack_blob(e
, &blob
, "aadfa");
364 * The dfa is aligned with in the blob to 8 bytes
365 * from the beginning of the stream.
366 * alignment adjust needed by dfa unpack
368 size_t sz
= blob
- (char *) e
->start
-
369 ((e
->pos
- e
->start
) & 7);
370 size_t pad
= ALIGN(sz
, 8) - sz
;
371 int flags
= TO_ACCEPT1_FLAG(YYTD_DATA32
) |
372 TO_ACCEPT2_FLAG(YYTD_DATA32
) | DFA_FLAG_VERIFY_STATES
;
373 dfa
= aa_dfa_unpack(blob
+ pad
, size
- pad
, flags
);
378 if (!verify_accept(dfa
, flags
))
386 return ERR_PTR(-EPROTO
);
390 * unpack_trans_table - unpack a profile transition table
391 * @e: serialized data extent information (NOT NULL)
392 * @profile: profile to add the accept table to (NOT NULL)
394 * Returns: 1 if table successfully unpacked
396 static bool unpack_trans_table(struct aa_ext
*e
, struct aa_profile
*profile
)
400 /* exec table is optional */
401 if (unpack_nameX(e
, AA_STRUCT
, "xtable")) {
404 size
= unpack_array(e
, NULL
);
405 /* currently 4 exec bits and entries 0-3 are reserved iupcx */
408 profile
->file
.trans
.table
= kzalloc(sizeof(char *) * size
,
410 if (!profile
->file
.trans
.table
)
413 profile
->file
.trans
.size
= size
;
414 for (i
= 0; i
< size
; i
++) {
416 int c
, j
, pos
, size2
= unpack_strdup(e
, &str
, NULL
);
417 /* unpack_strdup verifies that the last character is
418 * null termination byte.
422 profile
->file
.trans
.table
[i
] = str
;
423 /* verify that name doesn't start with space */
427 /* count internal # of internal \0 */
428 for (c
= j
= 0; j
< size2
- 1; j
++) {
435 /* first character after : must be valid */
438 /* beginning with : requires an embedded \0,
439 * verify that exactly 1 internal \0 exists
440 * trailing \0 already verified by unpack_strdup
443 /* convert \0 back to : for label_parse */
448 /* fail - all other cases with embedded \0 */
451 if (!unpack_nameX(e
, AA_ARRAYEND
, NULL
))
453 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
459 aa_free_domain_entries(&profile
->file
.trans
);
464 static bool unpack_rlimits(struct aa_ext
*e
, struct aa_profile
*profile
)
468 /* rlimits are optional */
469 if (unpack_nameX(e
, AA_STRUCT
, "rlimits")) {
472 if (!unpack_u32(e
, &tmp
, NULL
))
474 profile
->rlimits
.mask
= tmp
;
476 size
= unpack_array(e
, NULL
);
477 if (size
> RLIM_NLIMITS
)
479 for (i
= 0; i
< size
; i
++) {
481 int a
= aa_map_resource(i
);
482 if (!unpack_u64(e
, &tmp2
, NULL
))
484 profile
->rlimits
.limits
[a
].rlim_max
= tmp2
;
486 if (!unpack_nameX(e
, AA_ARRAYEND
, NULL
))
488 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
499 * unpack_profile - unpack a serialized profile
500 * @e: serialized data extent information (NOT NULL)
502 * NOTE: unpack profile sets audit struct if there is a failure
504 static struct aa_profile
*unpack_profile(struct aa_ext
*e
, char **ns_name
)
506 struct aa_profile
*profile
= NULL
;
507 const char *tmpname
, *tmpns
= NULL
, *name
= NULL
;
508 const char *info
= "failed to unpack profile";
509 size_t size
= 0, ns_len
;
510 int i
, error
= -EPROTO
;
516 /* check that we have the right struct being passed */
517 if (!unpack_nameX(e
, AA_STRUCT
, "profile"))
519 if (!unpack_str(e
, &name
, NULL
))
524 tmpname
= aa_splitn_fqname(name
, strlen(name
), &tmpns
, &ns_len
);
526 *ns_name
= kstrndup(tmpns
, ns_len
, GFP_KERNEL
);
532 profile
= aa_alloc_profile(name
, NULL
, GFP_KERNEL
);
534 return ERR_PTR(-ENOMEM
);
536 /* profile renaming is optional */
537 (void) unpack_str(e
, &profile
->rename
, "rename");
539 /* attachment string is optional */
540 (void) unpack_str(e
, &profile
->attach
, "attach");
542 /* xmatch is optional and may be NULL */
543 profile
->xmatch
= unpack_dfa(e
);
544 if (IS_ERR(profile
->xmatch
)) {
545 error
= PTR_ERR(profile
->xmatch
);
546 profile
->xmatch
= NULL
;
549 /* xmatch_len is not optional if xmatch is set */
550 if (profile
->xmatch
) {
551 if (!unpack_u32(e
, &tmp
, NULL
))
553 profile
->xmatch_len
= tmp
;
556 /* disconnected attachment string is optional */
557 (void) unpack_str(e
, &profile
->disconnected
, "disconnected");
559 /* per profile debug flags (complain, audit) */
560 if (!unpack_nameX(e
, AA_STRUCT
, "flags"))
562 if (!unpack_u32(e
, &tmp
, NULL
))
564 if (tmp
& PACKED_FLAG_HAT
)
565 profile
->label
.flags
|= FLAG_HAT
;
566 if (!unpack_u32(e
, &tmp
, NULL
))
568 if (tmp
== PACKED_MODE_COMPLAIN
|| (e
->version
& FORCE_COMPLAIN_FLAG
))
569 profile
->mode
= APPARMOR_COMPLAIN
;
570 else if (tmp
== PACKED_MODE_KILL
)
571 profile
->mode
= APPARMOR_KILL
;
572 else if (tmp
== PACKED_MODE_UNCONFINED
)
573 profile
->mode
= APPARMOR_UNCONFINED
;
574 if (!unpack_u32(e
, &tmp
, NULL
))
577 profile
->audit
= AUDIT_ALL
;
579 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
582 /* path_flags is optional */
583 if (!unpack_u32(e
, &profile
->path_flags
, "path_flags"))
584 /* set a default value if path_flags field is not present */
585 profile
->path_flags
= PATH_MEDIATE_DELETED
;
587 if (!unpack_u32(e
, &(profile
->caps
.allow
.cap
[0]), NULL
))
589 if (!unpack_u32(e
, &(profile
->caps
.audit
.cap
[0]), NULL
))
591 if (!unpack_u32(e
, &(profile
->caps
.quiet
.cap
[0]), NULL
))
593 if (!unpack_u32(e
, &tmpcap
.cap
[0], NULL
))
596 if (unpack_nameX(e
, AA_STRUCT
, "caps64")) {
597 /* optional upper half of 64 bit caps */
598 if (!unpack_u32(e
, &(profile
->caps
.allow
.cap
[1]), NULL
))
600 if (!unpack_u32(e
, &(profile
->caps
.audit
.cap
[1]), NULL
))
602 if (!unpack_u32(e
, &(profile
->caps
.quiet
.cap
[1]), NULL
))
604 if (!unpack_u32(e
, &(tmpcap
.cap
[1]), NULL
))
606 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
610 if (unpack_nameX(e
, AA_STRUCT
, "capsx")) {
611 /* optional extended caps mediation mask */
612 if (!unpack_u32(e
, &(profile
->caps
.extended
.cap
[0]), NULL
))
614 if (!unpack_u32(e
, &(profile
->caps
.extended
.cap
[1]), NULL
))
616 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
620 if (!unpack_rlimits(e
, profile
))
623 size
= unpack_array(e
, "net_allowed_af");
626 for (i
= 0; i
< size
; i
++) {
627 /* discard extraneous rules that this kernel will
632 if (!unpack_u16(e
, &tmp
, NULL
) ||
633 !unpack_u16(e
, &tmp
, NULL
) ||
634 !unpack_u16(e
, &tmp
, NULL
))
638 if (!unpack_u16(e
, &profile
->net
.allow
[i
], NULL
))
640 if (!unpack_u16(e
, &profile
->net
.audit
[i
], NULL
))
642 if (!unpack_u16(e
, &profile
->net
.quiet
[i
], NULL
))
645 if (!unpack_nameX(e
, AA_ARRAYEND
, NULL
))
648 if (VERSION_CMP(<, e
->version
, v7
)) {
649 /* old policy always allowed these too */
650 profile
->net
.allow
[AF_UNIX
] = 0xffff;
651 profile
->net
.allow
[AF_NETLINK
] = 0xffff;
654 if (unpack_nameX(e
, AA_STRUCT
, "policydb")) {
655 /* generic policy dfa - optional and may be NULL */
656 profile
->policy
.dfa
= unpack_dfa(e
);
657 if (IS_ERR(profile
->policy
.dfa
)) {
658 error
= PTR_ERR(profile
->policy
.dfa
);
659 profile
->policy
.dfa
= NULL
;
661 } else if (!profile
->policy
.dfa
) {
665 if (!unpack_u32(e
, &profile
->policy
.start
[0], "start"))
666 /* default start state */
667 profile
->policy
.start
[0] = DFA_START
;
668 /* setup class index */
669 for (i
= AA_CLASS_FILE
; i
<= AA_CLASS_LAST
; i
++) {
670 profile
->policy
.start
[i
] =
671 aa_dfa_next(profile
->policy
.dfa
,
672 profile
->policy
.start
[0],
675 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
678 profile
->policy
.dfa
= aa_get_dfa(nulldfa
);
681 profile
->file
.dfa
= unpack_dfa(e
);
682 if (IS_ERR(profile
->file
.dfa
)) {
683 error
= PTR_ERR(profile
->file
.dfa
);
684 profile
->file
.dfa
= NULL
;
686 } else if (profile
->file
.dfa
) {
687 if (!unpack_u32(e
, &profile
->file
.start
, "dfa_start"))
688 /* default start state */
689 profile
->file
.start
= DFA_START
;
690 } else if (profile
->policy
.dfa
&&
691 profile
->policy
.start
[AA_CLASS_FILE
]) {
692 profile
->file
.dfa
= aa_get_dfa(profile
->policy
.dfa
);
693 profile
->file
.start
= profile
->policy
.start
[AA_CLASS_FILE
];
695 profile
->file
.dfa
= aa_get_dfa(nulldfa
);
697 if (!unpack_trans_table(e
, profile
))
700 if (!unpack_nameX(e
, AA_STRUCTEND
, NULL
))
710 audit_iface(profile
, NULL
, name
, info
, e
, error
);
711 aa_free_profile(profile
);
713 return ERR_PTR(error
);
717 * verify_head - unpack serialized stream header
718 * @e: serialized data read head (NOT NULL)
719 * @required: whether the header is required or optional
720 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
722 * Returns: error or 0 if header is good
724 static int verify_header(struct aa_ext
*e
, int required
, const char **ns
)
726 int error
= -EPROTONOSUPPORT
;
727 const char *name
= NULL
;
730 /* get the interface version */
731 if (!unpack_u32(e
, &e
->version
, "version")) {
733 audit_iface(NULL
, NULL
, NULL
, "invalid profile format",
739 /* Check that the interface version is currently supported.
740 * if not specified use previous version
741 * Mask off everything that is not kernel abi version
743 if (VERSION_CMP(<, e
->version
, v5
) && VERSION_CMP(>, e
->version
, v7
)) {
744 audit_iface(NULL
, NULL
, NULL
, "unsupported interface version",
749 /* read the namespace if present */
750 if (unpack_str(e
, &name
, "namespace")) {
752 audit_iface(NULL
, NULL
, NULL
, "invalid namespace name",
756 if (*ns
&& strcmp(*ns
, name
))
757 audit_iface(NULL
, NULL
, NULL
, "invalid ns change", e
,
766 static bool verify_xindex(int xindex
, int table_size
)
769 xtype
= xindex
& AA_X_TYPE_MASK
;
770 index
= xindex
& AA_X_INDEX_MASK
;
771 if (xtype
== AA_X_TABLE
&& index
>= table_size
)
776 /* verify dfa xindexes are in range of transition tables */
777 static bool verify_dfa_xindex(struct aa_dfa
*dfa
, int table_size
)
780 for (i
= 0; i
< dfa
->tables
[YYTD_ID_ACCEPT
]->td_lolen
; i
++) {
781 if (!verify_xindex(dfa_user_xindex(dfa
, i
), table_size
))
783 if (!verify_xindex(dfa_other_xindex(dfa
, i
), table_size
))
790 * verify_profile - Do post unpack analysis to verify profile consistency
791 * @profile: profile to verify (NOT NULL)
793 * Returns: 0 if passes verification else error
795 static int verify_profile(struct aa_profile
*profile
)
797 if (profile
->file
.dfa
&&
798 !verify_dfa_xindex(profile
->file
.dfa
,
799 profile
->file
.trans
.size
)) {
800 audit_iface(profile
, NULL
, NULL
,
801 "Invalid named transition", NULL
, -EPROTO
);
808 void aa_load_ent_free(struct aa_load_ent
*ent
)
811 aa_put_profile(ent
->rename
);
812 aa_put_profile(ent
->old
);
813 aa_put_profile(ent
->new);
819 struct aa_load_ent
*aa_load_ent_alloc(void)
821 struct aa_load_ent
*ent
= kzalloc(sizeof(*ent
), GFP_KERNEL
);
823 INIT_LIST_HEAD(&ent
->list
);
828 * aa_unpack - unpack packed binary profile(s) data loaded from user space
829 * @udata: user data copied to kmem (NOT NULL)
830 * @size: the size of the user data
831 * @lh: list to place unpacked profiles in a aa_repl_ws
832 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
834 * Unpack user data and return refcounted allocated profile(s) stored in
835 * @lh in order of discovery, with the list chain stored in base.list
838 * Returns: profile(s) on @lh else error pointer if fails to unpack
840 int aa_unpack(void *udata
, size_t size
, struct list_head
*lh
, const char **ns
)
842 struct aa_load_ent
*tmp
, *ent
;
843 struct aa_profile
*profile
= NULL
;
852 while (e
.pos
< e
.end
) {
853 char *ns_name
= NULL
;
855 error
= verify_header(&e
, e
.pos
== e
.start
, ns
);
860 profile
= unpack_profile(&e
, &ns_name
);
861 if (IS_ERR(profile
)) {
862 error
= PTR_ERR(profile
);
866 error
= verify_profile(profile
);
870 if (aa_g_hash_policy
)
871 error
= aa_calc_profile_hash(profile
, e
.version
, start
,
876 ent
= aa_load_ent_alloc();
883 ent
->ns_name
= ns_name
;
884 list_add_tail(&ent
->list
, lh
);
890 aa_put_profile(profile
);
893 list_for_each_entry_safe(ent
, tmp
, lh
, list
) {
894 list_del_init(&ent
->list
);
895 aa_load_ent_free(ent
);