]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/policy_unpack.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
[mirror_ubuntu-zesty-kernel.git] / security / apparmor / policy_unpack.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor functions for unpacking policy loaded from
5 * userspace.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
13 * License.
14 *
15 * AppArmor uses a serialized binary format for loading policy. To find
16 * policy format documentation look in Documentation/security/apparmor.txt
17 * All policy is validated before it is used.
18 */
19
20 #include <asm/unaligned.h>
21 #include <linux/ctype.h>
22 #include <linux/errno.h>
23 #include <linux/string.h>
24
25 #include "include/apparmor.h"
26 #include "include/audit.h"
27 #include "include/context.h"
28 #include "include/crypto.h"
29 #include "include/match.h"
30 #include "include/path.h"
31 #include "include/policy.h"
32 #include "include/policy_unpack.h"
33
34 #define K_ABI_MASK 0x3ff
35 #define FORCE_COMPLAIN_FLAG 0x800
36 #define VERSION_CMP(OP, X, Y) (((X) & K_ABI_MASK) OP ((Y) & K_ABI_MASK))
37
38 #define v5 5 /* base version */
39 #define v6 6 /* per entry policydb mediation check */
40 #define v7 7 /* full network masking */
41
42 /*
43 * The AppArmor interface treats data as a type byte followed by the
44 * actual data. The interface has the notion of a a named entry
45 * which has a name (AA_NAME typecode followed by name string) followed by
46 * the entries typecode and data. Named types allow for optional
47 * elements and extensions to be added and tested for without breaking
48 * backwards compatibility.
49 */
50
51 enum aa_code {
52 AA_U8,
53 AA_U16,
54 AA_U32,
55 AA_U64,
56 AA_NAME, /* same as string except it is items name */
57 AA_STRING,
58 AA_BLOB,
59 AA_STRUCT,
60 AA_STRUCTEND,
61 AA_LIST,
62 AA_LISTEND,
63 AA_ARRAY,
64 AA_ARRAYEND,
65 };
66
67 /*
68 * aa_ext is the read of the buffer containing the serialized profile. The
69 * data is copied into a kernel buffer in apparmorfs and then handed off to
70 * the unpack routines.
71 */
72 struct aa_ext {
73 void *start;
74 void *end;
75 void *pos; /* pointer to current position in the buffer */
76 u32 version;
77 };
78
79 /* audit callback for unpack fields */
80 static void audit_cb(struct audit_buffer *ab, void *va)
81 {
82 struct common_audit_data *sa = va;
83
84 if (aad(sa)->iface.ns) {
85 audit_log_format(ab, " ns=");
86 audit_log_untrustedstring(ab, aad(sa)->iface.ns);
87 }
88 if (aad(sa)->name) {
89 audit_log_format(ab, " name=");
90 audit_log_untrustedstring(ab, aad(sa)->name);
91 }
92 if (aad(sa)->iface.pos)
93 audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
94 }
95
96 /**
97 * audit_iface - do audit message for policy unpacking/load/replace/remove
98 * @new: profile if it has been allocated (MAYBE NULL)
99 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
100 * @name: name of the profile being manipulated (MAYBE NULL)
101 * @info: any extra info about the failure (MAYBE NULL)
102 * @e: buffer position info
103 * @error: error code
104 *
105 * Returns: %0 or error
106 */
107 static int audit_iface(struct aa_profile *new, const char *ns_name,
108 const char *name, const char *info, struct aa_ext *e,
109 int error)
110 {
111 struct aa_profile *profile = labels_profile(aa_current_raw_label());
112 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL);
113 if (e)
114 aad(&sa)->iface.pos = e->pos - e->start;
115
116 aad(&sa)->iface.ns = ns_name;
117 if (new)
118 aad(&sa)->name = new->base.hname;
119 else
120 aad(&sa)->name = name;
121 aad(&sa)->info = info;
122 aad(&sa)->error = error;
123
124 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
125 }
126
127 /* test if read will be in packed data bounds */
128 static bool inbounds(struct aa_ext *e, size_t size)
129 {
130 return (size <= e->end - e->pos);
131 }
132
133 /**
134 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
135 * @e: serialized data read head (NOT NULL)
136 * @chunk: start address for chunk of data (NOT NULL)
137 *
138 * Returns: the size of chunk found with the read head at the end of the chunk.
139 */
140 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
141 {
142 size_t size = 0;
143
144 if (!inbounds(e, sizeof(u16)))
145 return 0;
146 size = le16_to_cpu(get_unaligned((u16 *) e->pos));
147 e->pos += sizeof(u16);
148 if (!inbounds(e, size))
149 return 0;
150 *chunk = e->pos;
151 e->pos += size;
152 return size;
153 }
154
155 /* unpack control byte */
156 static bool unpack_X(struct aa_ext *e, enum aa_code code)
157 {
158 if (!inbounds(e, 1))
159 return 0;
160 if (*(u8 *) e->pos != code)
161 return 0;
162 e->pos++;
163 return 1;
164 }
165
166 /**
167 * unpack_nameX - check is the next element is of type X with a name of @name
168 * @e: serialized data extent information (NOT NULL)
169 * @code: type code
170 * @name: name to match to the serialized element. (MAYBE NULL)
171 *
172 * check that the next serialized data element is of type X and has a tag
173 * name @name. If @name is specified then there must be a matching
174 * name element in the stream. If @name is NULL any name element will be
175 * skipped and only the typecode will be tested.
176 *
177 * Returns 1 on success (both type code and name tests match) and the read
178 * head is advanced past the headers
179 *
180 * Returns: 0 if either match fails, the read head does not move
181 */
182 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
183 {
184 /*
185 * May need to reset pos if name or type doesn't match
186 */
187 void *pos = e->pos;
188 /*
189 * Check for presence of a tagname, and if present name size
190 * AA_NAME tag value is a u16.
191 */
192 if (unpack_X(e, AA_NAME)) {
193 char *tag = NULL;
194 size_t size = unpack_u16_chunk(e, &tag);
195 /* if a name is specified it must match. otherwise skip tag */
196 if (name && (!size || strcmp(name, tag)))
197 goto fail;
198 } else if (name) {
199 /* if a name is specified and there is no name tag fail */
200 goto fail;
201 }
202
203 /* now check if type code matches */
204 if (unpack_X(e, code))
205 return 1;
206
207 fail:
208 e->pos = pos;
209 return 0;
210 }
211
212 static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
213 {
214 if (unpack_nameX(e, AA_U16, name)) {
215 if (!inbounds(e, sizeof(u16)))
216 return 0;
217 if (data)
218 *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
219 e->pos += sizeof(u16);
220 return 1;
221 }
222 return 0;
223 }
224
225 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
226 {
227 if (unpack_nameX(e, AA_U32, name)) {
228 if (!inbounds(e, sizeof(u32)))
229 return 0;
230 if (data)
231 *data = le32_to_cpu(get_unaligned((u32 *) e->pos));
232 e->pos += sizeof(u32);
233 return 1;
234 }
235 return 0;
236 }
237
238 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
239 {
240 if (unpack_nameX(e, AA_U64, name)) {
241 if (!inbounds(e, sizeof(u64)))
242 return 0;
243 if (data)
244 *data = le64_to_cpu(get_unaligned((u64 *) e->pos));
245 e->pos += sizeof(u64);
246 return 1;
247 }
248 return 0;
249 }
250
251 static size_t unpack_array(struct aa_ext *e, const char *name)
252 {
253 if (unpack_nameX(e, AA_ARRAY, name)) {
254 int size;
255 if (!inbounds(e, sizeof(u16)))
256 return 0;
257 size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos));
258 e->pos += sizeof(u16);
259 return size;
260 }
261 return 0;
262 }
263
264 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
265 {
266 if (unpack_nameX(e, AA_BLOB, name)) {
267 u32 size;
268 if (!inbounds(e, sizeof(u32)))
269 return 0;
270 size = le32_to_cpu(get_unaligned((u32 *) e->pos));
271 e->pos += sizeof(u32);
272 if (inbounds(e, (size_t) size)) {
273 *blob = e->pos;
274 e->pos += size;
275 return size;
276 }
277 }
278 return 0;
279 }
280
281 static int unpack_str(struct aa_ext *e, const char **string, const char *name)
282 {
283 char *src_str;
284 size_t size = 0;
285 void *pos = e->pos;
286 *string = NULL;
287 if (unpack_nameX(e, AA_STRING, name)) {
288 size = unpack_u16_chunk(e, &src_str);
289 if (size) {
290 /* strings are null terminated, length is size - 1 */
291 if (src_str[size - 1] != 0)
292 goto fail;
293 *string = src_str;
294 }
295 }
296 return size;
297
298 fail:
299 e->pos = pos;
300 return 0;
301 }
302
303 static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
304 {
305 const char *tmp;
306 void *pos = e->pos;
307 int res = unpack_str(e, &tmp, name);
308 *string = NULL;
309
310 if (!res)
311 return 0;
312
313 *string = kmemdup(tmp, res, GFP_KERNEL);
314 if (!*string) {
315 e->pos = pos;
316 return 0;
317 }
318
319 return res;
320 }
321
322 #define DFA_VALID_PERM_MASK 0xffffffff
323 #define DFA_VALID_PERM2_MASK 0xffffffff
324
325 /**
326 * verify_accept - verify the accept tables of a dfa
327 * @dfa: dfa to verify accept tables of (NOT NULL)
328 * @flags: flags governing dfa
329 *
330 * Returns: 1 if valid accept tables else 0 if error
331 */
332 static bool verify_accept(struct aa_dfa *dfa, int flags)
333 {
334 int i;
335
336 /* verify accept permissions */
337 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
338 int mode = ACCEPT_TABLE(dfa)[i];
339
340 if (mode & ~DFA_VALID_PERM_MASK)
341 return 0;
342
343 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
344 return 0;
345 }
346 return 1;
347 }
348
349 /**
350 * unpack_dfa - unpack a file rule dfa
351 * @e: serialized data extent information (NOT NULL)
352 *
353 * returns dfa or ERR_PTR or NULL if no dfa
354 */
355 static struct aa_dfa *unpack_dfa(struct aa_ext *e)
356 {
357 char *blob = NULL;
358 size_t size;
359 struct aa_dfa *dfa = NULL;
360
361 size = unpack_blob(e, &blob, "aadfa");
362 if (size) {
363 /*
364 * The dfa is aligned with in the blob to 8 bytes
365 * from the beginning of the stream.
366 * alignment adjust needed by dfa unpack
367 */
368 size_t sz = blob - (char *) e->start -
369 ((e->pos - e->start) & 7);
370 size_t pad = ALIGN(sz, 8) - sz;
371 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
372 TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES;
373 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
374
375 if (IS_ERR(dfa))
376 return dfa;
377
378 if (!verify_accept(dfa, flags))
379 goto fail;
380 }
381
382 return dfa;
383
384 fail:
385 aa_put_dfa(dfa);
386 return ERR_PTR(-EPROTO);
387 }
388
389 /**
390 * unpack_trans_table - unpack a profile transition table
391 * @e: serialized data extent information (NOT NULL)
392 * @profile: profile to add the accept table to (NOT NULL)
393 *
394 * Returns: 1 if table successfully unpacked
395 */
396 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
397 {
398 void *pos = e->pos;
399
400 /* exec table is optional */
401 if (unpack_nameX(e, AA_STRUCT, "xtable")) {
402 int i, size;
403
404 size = unpack_array(e, NULL);
405 /* currently 4 exec bits and entries 0-3 are reserved iupcx */
406 if (size > 16 - 4)
407 goto fail;
408 profile->file.trans.table = kzalloc(sizeof(char *) * size,
409 GFP_KERNEL);
410 if (!profile->file.trans.table)
411 goto fail;
412
413 profile->file.trans.size = size;
414 for (i = 0; i < size; i++) {
415 char *str;
416 int c, j, pos, size2 = unpack_strdup(e, &str, NULL);
417 /* unpack_strdup verifies that the last character is
418 * null termination byte.
419 */
420 if (!size2)
421 goto fail;
422 profile->file.trans.table[i] = str;
423 /* verify that name doesn't start with space */
424 if (isspace(*str))
425 goto fail;
426
427 /* count internal # of internal \0 */
428 for (c = j = 0; j < size2 - 1; j++) {
429 if (!str[j]) {
430 pos = j;
431 c++;
432 }
433 }
434 if (*str == ':') {
435 /* first character after : must be valid */
436 if (!str[1])
437 goto fail;
438 /* beginning with : requires an embedded \0,
439 * verify that exactly 1 internal \0 exists
440 * trailing \0 already verified by unpack_strdup
441 */
442 if (c == 1)
443 /* convert \0 back to : for label_parse */
444 str[pos] = ':';
445 else if (c > 1)
446 goto fail;
447 } else if (c)
448 /* fail - all other cases with embedded \0 */
449 goto fail;
450 }
451 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
452 goto fail;
453 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
454 goto fail;
455 }
456 return 1;
457
458 fail:
459 aa_free_domain_entries(&profile->file.trans);
460 e->pos = pos;
461 return 0;
462 }
463
464 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
465 {
466 void *pos = e->pos;
467
468 /* rlimits are optional */
469 if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
470 int i, size;
471 u32 tmp = 0;
472 if (!unpack_u32(e, &tmp, NULL))
473 goto fail;
474 profile->rlimits.mask = tmp;
475
476 size = unpack_array(e, NULL);
477 if (size > RLIM_NLIMITS)
478 goto fail;
479 for (i = 0; i < size; i++) {
480 u64 tmp2 = 0;
481 int a = aa_map_resource(i);
482 if (!unpack_u64(e, &tmp2, NULL))
483 goto fail;
484 profile->rlimits.limits[a].rlim_max = tmp2;
485 }
486 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
487 goto fail;
488 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
489 goto fail;
490 }
491 return 1;
492
493 fail:
494 e->pos = pos;
495 return 0;
496 }
497
498 /**
499 * unpack_profile - unpack a serialized profile
500 * @e: serialized data extent information (NOT NULL)
501 *
502 * NOTE: unpack profile sets audit struct if there is a failure
503 */
504 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
505 {
506 struct aa_profile *profile = NULL;
507 const char *tmpname, *tmpns = NULL, *name = NULL;
508 const char *info = "failed to unpack profile";
509 size_t size = 0, ns_len;
510 int i, error = -EPROTO;
511 kernel_cap_t tmpcap;
512 u32 tmp;
513
514 *ns_name = NULL;
515
516 /* check that we have the right struct being passed */
517 if (!unpack_nameX(e, AA_STRUCT, "profile"))
518 goto fail;
519 if (!unpack_str(e, &name, NULL))
520 goto fail;
521 if (*name == '\0')
522 goto fail;
523
524 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
525 if (tmpns) {
526 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
527 if (!*ns_name)
528 goto fail;
529 name = tmpname;
530 }
531
532 profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
533 if (!profile)
534 return ERR_PTR(-ENOMEM);
535
536 /* profile renaming is optional */
537 (void) unpack_str(e, &profile->rename, "rename");
538
539 /* attachment string is optional */
540 (void) unpack_str(e, &profile->attach, "attach");
541
542 /* xmatch is optional and may be NULL */
543 profile->xmatch = unpack_dfa(e);
544 if (IS_ERR(profile->xmatch)) {
545 error = PTR_ERR(profile->xmatch);
546 profile->xmatch = NULL;
547 goto fail;
548 }
549 /* xmatch_len is not optional if xmatch is set */
550 if (profile->xmatch) {
551 if (!unpack_u32(e, &tmp, NULL))
552 goto fail;
553 profile->xmatch_len = tmp;
554 }
555
556 /* disconnected attachment string is optional */
557 (void) unpack_str(e, &profile->disconnected, "disconnected");
558
559 /* per profile debug flags (complain, audit) */
560 if (!unpack_nameX(e, AA_STRUCT, "flags"))
561 goto fail;
562 if (!unpack_u32(e, &tmp, NULL))
563 goto fail;
564 if (tmp & PACKED_FLAG_HAT)
565 profile->label.flags |= FLAG_HAT;
566 if (!unpack_u32(e, &tmp, NULL))
567 goto fail;
568 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
569 profile->mode = APPARMOR_COMPLAIN;
570 else if (tmp == PACKED_MODE_KILL)
571 profile->mode = APPARMOR_KILL;
572 else if (tmp == PACKED_MODE_UNCONFINED)
573 profile->mode = APPARMOR_UNCONFINED;
574 if (!unpack_u32(e, &tmp, NULL))
575 goto fail;
576 if (tmp)
577 profile->audit = AUDIT_ALL;
578
579 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
580 goto fail;
581
582 /* path_flags is optional */
583 if (!unpack_u32(e, &profile->path_flags, "path_flags"))
584 /* set a default value if path_flags field is not present */
585 profile->path_flags = PATH_MEDIATE_DELETED;
586
587 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
588 goto fail;
589 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
590 goto fail;
591 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
592 goto fail;
593 if (!unpack_u32(e, &tmpcap.cap[0], NULL))
594 goto fail;
595
596 if (unpack_nameX(e, AA_STRUCT, "caps64")) {
597 /* optional upper half of 64 bit caps */
598 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
599 goto fail;
600 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
601 goto fail;
602 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
603 goto fail;
604 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
605 goto fail;
606 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
607 goto fail;
608 }
609
610 if (unpack_nameX(e, AA_STRUCT, "capsx")) {
611 /* optional extended caps mediation mask */
612 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
613 goto fail;
614 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
615 goto fail;
616 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
617 goto fail;
618 }
619
620 if (!unpack_rlimits(e, profile))
621 goto fail;
622
623 size = unpack_array(e, "net_allowed_af");
624 if (size) {
625
626 for (i = 0; i < size; i++) {
627 /* discard extraneous rules that this kernel will
628 * never request
629 */
630 if (i >= AF_MAX) {
631 u16 tmp;
632 if (!unpack_u16(e, &tmp, NULL) ||
633 !unpack_u16(e, &tmp, NULL) ||
634 !unpack_u16(e, &tmp, NULL))
635 goto fail;
636 continue;
637 }
638 if (!unpack_u16(e, &profile->net.allow[i], NULL))
639 goto fail;
640 if (!unpack_u16(e, &profile->net.audit[i], NULL))
641 goto fail;
642 if (!unpack_u16(e, &profile->net.quiet[i], NULL))
643 goto fail;
644 }
645 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
646 goto fail;
647 }
648 if (VERSION_CMP(<, e->version, v7)) {
649 /* old policy always allowed these too */
650 profile->net.allow[AF_UNIX] = 0xffff;
651 profile->net.allow[AF_NETLINK] = 0xffff;
652 }
653
654 if (unpack_nameX(e, AA_STRUCT, "policydb")) {
655 /* generic policy dfa - optional and may be NULL */
656 profile->policy.dfa = unpack_dfa(e);
657 if (IS_ERR(profile->policy.dfa)) {
658 error = PTR_ERR(profile->policy.dfa);
659 profile->policy.dfa = NULL;
660 goto fail;
661 } else if (!profile->policy.dfa) {
662 error = -EPROTO;
663 goto fail;
664 }
665 if (!unpack_u32(e, &profile->policy.start[0], "start"))
666 /* default start state */
667 profile->policy.start[0] = DFA_START;
668 /* setup class index */
669 for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
670 profile->policy.start[i] =
671 aa_dfa_next(profile->policy.dfa,
672 profile->policy.start[0],
673 i);
674 }
675 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
676 goto fail;
677 } else
678 profile->policy.dfa = aa_get_dfa(nulldfa);
679
680 /* get file rules */
681 profile->file.dfa = unpack_dfa(e);
682 if (IS_ERR(profile->file.dfa)) {
683 error = PTR_ERR(profile->file.dfa);
684 profile->file.dfa = NULL;
685 goto fail;
686 } else if (profile->file.dfa) {
687 if (!unpack_u32(e, &profile->file.start, "dfa_start"))
688 /* default start state */
689 profile->file.start = DFA_START;
690 } else if (profile->policy.dfa &&
691 profile->policy.start[AA_CLASS_FILE]) {
692 profile->file.dfa = aa_get_dfa(profile->policy.dfa);
693 profile->file.start = profile->policy.start[AA_CLASS_FILE];
694 } else
695 profile->file.dfa = aa_get_dfa(nulldfa);
696
697 if (!unpack_trans_table(e, profile))
698 goto fail;
699
700 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
701 goto fail;
702
703 return profile;
704
705 fail:
706 if (profile)
707 name = NULL;
708 else if (!name)
709 name = "unknown";
710 audit_iface(profile, NULL, name, info, e, error);
711 aa_free_profile(profile);
712
713 return ERR_PTR(error);
714 }
715
716 /**
717 * verify_head - unpack serialized stream header
718 * @e: serialized data read head (NOT NULL)
719 * @required: whether the header is required or optional
720 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
721 *
722 * Returns: error or 0 if header is good
723 */
724 static int verify_header(struct aa_ext *e, int required, const char **ns)
725 {
726 int error = -EPROTONOSUPPORT;
727 const char *name = NULL;
728 *ns = NULL;
729
730 /* get the interface version */
731 if (!unpack_u32(e, &e->version, "version")) {
732 if (required) {
733 audit_iface(NULL, NULL, NULL, "invalid profile format",
734 e, error);
735 return error;
736 }
737 }
738
739 /* Check that the interface version is currently supported.
740 * if not specified use previous version
741 * Mask off everything that is not kernel abi version
742 */
743 if (VERSION_CMP(<, e->version, v5) && VERSION_CMP(>, e->version, v7)) {
744 audit_iface(NULL, NULL, NULL, "unsupported interface version",
745 e, error);
746 return error;
747 }
748
749 /* read the namespace if present */
750 if (unpack_str(e, &name, "namespace")) {
751 if (*name == '\0') {
752 audit_iface(NULL, NULL, NULL, "invalid namespace name",
753 e, error);
754 return error;
755 }
756 if (*ns && strcmp(*ns, name))
757 audit_iface(NULL, NULL, NULL, "invalid ns change", e,
758 error);
759 else if (!*ns)
760 *ns = name;
761 }
762
763 return 0;
764 }
765
766 static bool verify_xindex(int xindex, int table_size)
767 {
768 int index, xtype;
769 xtype = xindex & AA_X_TYPE_MASK;
770 index = xindex & AA_X_INDEX_MASK;
771 if (xtype == AA_X_TABLE && index >= table_size)
772 return 0;
773 return 1;
774 }
775
776 /* verify dfa xindexes are in range of transition tables */
777 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
778 {
779 int i;
780 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
781 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
782 return 0;
783 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
784 return 0;
785 }
786 return 1;
787 }
788
789 /**
790 * verify_profile - Do post unpack analysis to verify profile consistency
791 * @profile: profile to verify (NOT NULL)
792 *
793 * Returns: 0 if passes verification else error
794 */
795 static int verify_profile(struct aa_profile *profile)
796 {
797 if (profile->file.dfa &&
798 !verify_dfa_xindex(profile->file.dfa,
799 profile->file.trans.size)) {
800 audit_iface(profile, NULL, NULL,
801 "Invalid named transition", NULL, -EPROTO);
802 return -EPROTO;
803 }
804
805 return 0;
806 }
807
808 void aa_load_ent_free(struct aa_load_ent *ent)
809 {
810 if (ent) {
811 aa_put_profile(ent->rename);
812 aa_put_profile(ent->old);
813 aa_put_profile(ent->new);
814 kfree(ent->ns_name);
815 kzfree(ent);
816 }
817 }
818
819 struct aa_load_ent *aa_load_ent_alloc(void)
820 {
821 struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
822 if (ent)
823 INIT_LIST_HEAD(&ent->list);
824 return ent;
825 }
826
827 /**
828 * aa_unpack - unpack packed binary profile(s) data loaded from user space
829 * @udata: user data copied to kmem (NOT NULL)
830 * @size: the size of the user data
831 * @lh: list to place unpacked profiles in a aa_repl_ws
832 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
833 *
834 * Unpack user data and return refcounted allocated profile(s) stored in
835 * @lh in order of discovery, with the list chain stored in base.list
836 * or error
837 *
838 * Returns: profile(s) on @lh else error pointer if fails to unpack
839 */
840 int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
841 {
842 struct aa_load_ent *tmp, *ent;
843 struct aa_profile *profile = NULL;
844 int error;
845 struct aa_ext e = {
846 .start = udata,
847 .end = udata + size,
848 .pos = udata,
849 };
850
851 *ns = NULL;
852 while (e.pos < e.end) {
853 char *ns_name = NULL;
854 void *start;
855 error = verify_header(&e, e.pos == e.start, ns);
856 if (error)
857 goto fail;
858
859 start = e.pos;
860 profile = unpack_profile(&e, &ns_name);
861 if (IS_ERR(profile)) {
862 error = PTR_ERR(profile);
863 goto fail;
864 }
865
866 error = verify_profile(profile);
867 if (error)
868 goto fail_profile;
869
870 if (aa_g_hash_policy)
871 error = aa_calc_profile_hash(profile, e.version, start,
872 e.pos - start);
873 if (error)
874 goto fail_profile;
875
876 ent = aa_load_ent_alloc();
877 if (!ent) {
878 error = -ENOMEM;
879 goto fail_profile;
880 }
881
882 ent->new = profile;
883 ent->ns_name = ns_name;
884 list_add_tail(&ent->list, lh);
885 }
886
887 return 0;
888
889 fail_profile:
890 aa_put_profile(profile);
891
892 fail:
893 list_for_each_entry_safe(ent, tmp, lh, list) {
894 list_del_init(&ent->list);
895 aa_load_ent_free(ent);
896 }
897
898 return error;
899 }
ubuntu-zesty-kernel mirror