projects / deliverable / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| 736ec752 JJ |
1 | /* |
| 2 | * AppArmor security module | |
| 3 | * | |
| 4 | * This file contains AppArmor functions for unpacking policy loaded from | |
| 5 | * userspace. | |
| 6 | * | |
| 7 | * Copyright (C) 1998-2008 Novell/SUSE | |
| 8 | * Copyright 2009-2010 Canonical Ltd. | |
| 9 | * | |
| 10 | * This program is free software; you can redistribute it and/or | |
| 11 | * modify it under the terms of the GNU General Public License as | |
| 12 | * published by the Free Software Foundation, version 2 of the | |
| 13 | * License. | |
| 14 | * | |
| d410fa4e RD |
15 | * AppArmor uses a serialized binary format for loading policy. To find |
| 16 | * policy format documentation look in Documentation/security/apparmor.txt | |
| 736ec752 JJ |
17 | * All policy is validated before it is used. |
| 18 | */ | |
| 19 | ||
| 20 | #include <asm/unaligned.h> | |
| 21 | #include <linux/ctype.h> | |
| 22 | #include <linux/errno.h> | |
| 23 | ||
| 24 | #include "include/apparmor.h" | |
| 25 | #include "include/audit.h" | |
| 26 | #include "include/context.h" | |
| 27 | #include "include/match.h" | |
| 28 | #include "include/policy.h" | |
| 29 | #include "include/policy_unpack.h" | |
| 736ec752 JJ |
30 | |
| 31 | /* | |
| 32 | * The AppArmor interface treats data as a type byte followed by the | |
| 33 | * actual data. The interface has the notion of a a named entry | |
| 34 | * which has a name (AA_NAME typecode followed by name string) followed by | |
| 35 | * the entries typecode and data. Named types allow for optional | |
| 36 | * elements and extensions to be added and tested for without breaking | |
| 37 | * backwards compatibility. | |
| 38 | */ | |
| 39 | ||
| 40 | enum aa_code { | |
| 41 | AA_U8, | |
| 42 | AA_U16, | |
| 43 | AA_U32, | |
| 44 | AA_U64, | |
| 45 | AA_NAME, /* same as string except it is items name */ | |
| 46 | AA_STRING, | |
| 47 | AA_BLOB, | |
| 48 | AA_STRUCT, | |
| 49 | AA_STRUCTEND, | |
| 50 | AA_LIST, | |
| 51 | AA_LISTEND, | |
| 52 | AA_ARRAY, | |
| 53 | AA_ARRAYEND, | |
| 54 | }; | |
| 55 | ||
| 56 | /* | |
| 57 | * aa_ext is the read of the buffer containing the serialized profile. The | |
| 58 | * data is copied into a kernel buffer in apparmorfs and then handed off to | |
| 59 | * the unpack routines. | |
| 60 | */ | |
| 61 | struct aa_ext { | |
| 62 | void *start; | |
| 63 | void *end; | |
| 64 | void *pos; /* pointer to current position in the buffer */ | |
| 65 | u32 version; | |
| 66 | }; | |
| 67 | ||
| 68 | /* audit callback for unpack fields */ | |
| 69 | static void audit_cb(struct audit_buffer *ab, void *va) | |
| 70 | { | |
| 71 | struct common_audit_data *sa = va; | |
| 3b3b0e4f EP |
72 | if (sa->aad->iface.target) { |
| 73 | struct aa_profile *name = sa->aad->iface.target; | |
| 736ec752 JJ |
74 | audit_log_format(ab, " name="); |
| 75 | audit_log_untrustedstring(ab, name->base.hname); | |
| 76 | } | |
| 3b3b0e4f EP |
77 | if (sa->aad->iface.pos) |
| 78 | audit_log_format(ab, " offset=%ld", sa->aad->iface.pos); | |
| 736ec752 JJ |
79 | } |
| 80 | ||
| 81 | /** | |
| 82 | * audit_iface - do audit message for policy unpacking/load/replace/remove | |
| 83 | * @new: profile if it has been allocated (MAYBE NULL) | |
| 84 | * @name: name of the profile being manipulated (MAYBE NULL) | |
| 85 | * @info: any extra info about the failure (MAYBE NULL) | |
| b1b4bc2e | 86 | * @e: buffer position info |
| 736ec752 JJ |
87 | * @error: error code |
| 88 | * | |
| 89 | * Returns: %0 or error | |
| 90 | */ | |
| 91 | static int audit_iface(struct aa_profile *new, const char *name, | |
| 92 | const char *info, struct aa_ext *e, int error) | |
| 93 | { | |
| 94 | struct aa_profile *profile = __aa_current_profile(); | |
| 95 | struct common_audit_data sa; | |
| 3b3b0e4f | 96 | struct apparmor_audit_data aad = {0,}; |
| 50c205f5 | 97 | sa.type = LSM_AUDIT_DATA_NONE; |
| 3b3b0e4f | 98 | sa.aad = &aad; |
| b1b4bc2e | 99 | if (e) |
| 3b3b0e4f EP |
100 | aad.iface.pos = e->pos - e->start; |
| 101 | aad.iface.target = new; | |
| 102 | aad.name = name; | |
| 103 | aad.info = info; | |
| 104 | aad.error = error; | |
| 736ec752 JJ |
105 | |
| 106 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, | |
| 107 | audit_cb); | |
| 108 | } | |
| 109 | ||
| 110 | /* test if read will be in packed data bounds */ | |
| 111 | static bool inbounds(struct aa_ext *e, size_t size) | |
| 112 | { | |
| 113 | return (size <= e->end - e->pos); | |
| 114 | } | |
| 115 | ||
| 116 | /** | |
| 117 | * aa_u16_chunck - test and do bounds checking for a u16 size based chunk | |
| 118 | * @e: serialized data read head (NOT NULL) | |
| 119 | * @chunk: start address for chunk of data (NOT NULL) | |
| 120 | * | |
| 121 | * Returns: the size of chunk found with the read head at the end of the chunk. | |
| 122 | */ | |
| 123 | static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) | |
| 124 | { | |
| 125 | size_t size = 0; | |
| 126 | ||
| 127 | if (!inbounds(e, sizeof(u16))) | |
| 128 | return 0; | |
| 129 | size = le16_to_cpu(get_unaligned((u16 *) e->pos)); | |
| 130 | e->pos += sizeof(u16); | |
| 131 | if (!inbounds(e, size)) | |
| 132 | return 0; | |
| 133 | *chunk = e->pos; | |
| 134 | e->pos += size; | |
| 135 | return size; | |
| 136 | } | |
| 137 | ||
| 138 | /* unpack control byte */ | |
| 139 | static bool unpack_X(struct aa_ext *e, enum aa_code code) | |
| 140 | { | |
| 141 | if (!inbounds(e, 1)) | |
| 142 | return 0; | |
| 143 | if (*(u8 *) e->pos != code) | |
| 144 | return 0; | |
| 145 | e->pos++; | |
| 146 | return 1; | |
| 147 | } | |
| 148 | ||
| 149 | /** | |
| 150 | * unpack_nameX - check is the next element is of type X with a name of @name | |
| 151 | * @e: serialized data extent information (NOT NULL) | |
| 152 | * @code: type code | |
| 153 | * @name: name to match to the serialized element. (MAYBE NULL) | |
| 154 | * | |
| 155 | * check that the next serialized data element is of type X and has a tag | |
| 156 | * name @name. If @name is specified then there must be a matching | |
| 157 | * name element in the stream. If @name is NULL any name element will be | |
| 158 | * skipped and only the typecode will be tested. | |
| 159 | * | |
| 160 | * Returns 1 on success (both type code and name tests match) and the read | |
| 161 | * head is advanced past the headers | |
| 162 | * | |
| 163 | * Returns: 0 if either match fails, the read head does not move | |
| 164 | */ | |
| 165 | static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) | |
| 166 | { | |
| 167 | /* | |
| 168 | * May need to reset pos if name or type doesn't match | |
| 169 | */ | |
| 170 | void *pos = e->pos; | |
| 171 | /* | |
| 172 | * Check for presence of a tagname, and if present name size | |
| 173 | * AA_NAME tag value is a u16. | |
| 174 | */ | |
| 175 | if (unpack_X(e, AA_NAME)) { | |
| 176 | char *tag = NULL; | |
| 177 | size_t size = unpack_u16_chunk(e, &tag); | |
| 178 | /* if a name is specified it must match. otherwise skip tag */ | |
| 179 | if (name && (!size || strcmp(name, tag))) | |
| 180 | goto fail; | |
| 181 | } else if (name) { | |
| 182 | /* if a name is specified and there is no name tag fail */ | |
| 183 | goto fail; | |
| 184 | } | |
| 185 | ||
| 186 | /* now check if type code matches */ | |
| 187 | if (unpack_X(e, code)) | |
| 188 | return 1; | |
| 189 | ||
| 190 | fail: | |
| 191 | e->pos = pos; | |
| 192 | return 0; | |
| 193 | } | |
| 194 | ||
| 195 | static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) | |
| 196 | { | |
| 197 | if (unpack_nameX(e, AA_U32, name)) { | |
| 198 | if (!inbounds(e, sizeof(u32))) | |
| 199 | return 0; | |
| 200 | if (data) | |
| 201 | *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); | |
| 202 | e->pos += sizeof(u32); | |
| 203 | return 1; | |
| 204 | } | |
| 205 | return 0; | |
| 206 | } | |
| 207 | ||
| 208 | static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) | |
| 209 | { | |
| 210 | if (unpack_nameX(e, AA_U64, name)) { | |
| 211 | if (!inbounds(e, sizeof(u64))) | |
| 212 | return 0; | |
| 213 | if (data) | |
| 214 | *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); | |
| 215 | e->pos += sizeof(u64); | |
| 216 | return 1; | |
| 217 | } | |
| 218 | return 0; | |
| 219 | } | |
| 220 | ||
| 221 | static size_t unpack_array(struct aa_ext *e, const char *name) | |
| 222 | { | |
| 223 | if (unpack_nameX(e, AA_ARRAY, name)) { | |
| 224 | int size; | |
| 225 | if (!inbounds(e, sizeof(u16))) | |
| 226 | return 0; | |
| 227 | size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); | |
| 228 | e->pos += sizeof(u16); | |
| 229 | return size; | |
| 230 | } | |
| 231 | return 0; | |
| 232 | } | |
| 233 | ||
| 234 | static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) | |
| 235 | { | |
| 236 | if (unpack_nameX(e, AA_BLOB, name)) { | |
| 237 | u32 size; | |
| 238 | if (!inbounds(e, sizeof(u32))) | |
| 239 | return 0; | |
| 240 | size = le32_to_cpu(get_unaligned((u32 *) e->pos)); | |
| 241 | e->pos += sizeof(u32); | |
| 242 | if (inbounds(e, (size_t) size)) { | |
| 243 | *blob = e->pos; | |
| 244 | e->pos += size; | |
| 245 | return size; | |
| 246 | } | |
| 247 | } | |
| 248 | return 0; | |
| 249 | } | |
| 250 | ||
| 251 | static int unpack_str(struct aa_ext *e, const char **string, const char *name) | |
| 252 | { | |
| 253 | char *src_str; | |
| 254 | size_t size = 0; | |
| 255 | void *pos = e->pos; | |
| 256 | *string = NULL; | |
| 257 | if (unpack_nameX(e, AA_STRING, name)) { | |
| 258 | size = unpack_u16_chunk(e, &src_str); | |
| 259 | if (size) { | |
| 260 | /* strings are null terminated, length is size - 1 */ | |
| 261 | if (src_str[size - 1] != 0) | |
| 262 | goto fail; | |
| 263 | *string = src_str; | |
| 264 | } | |
| 265 | } | |
| 266 | return size; | |
| 267 | ||
| 268 | fail: | |
| 269 | e->pos = pos; | |
| 270 | return 0; | |
| 271 | } | |
| 272 | ||
| 273 | static int unpack_strdup(struct aa_ext *e, char **string, const char *name) | |
| 274 | { | |
| 275 | const char *tmp; | |
| 276 | void *pos = e->pos; | |
| 277 | int res = unpack_str(e, &tmp, name); | |
| 278 | *string = NULL; | |
| 279 | ||
| 280 | if (!res) | |
| 281 | return 0; | |
| 282 | ||
| 283 | *string = kmemdup(tmp, res, GFP_KERNEL); | |
| 284 | if (!*string) { | |
| 285 | e->pos = pos; | |
| 286 | return 0; | |
| 287 | } | |
| 288 | ||
| 289 | return res; | |
| 290 | } | |
| 291 | ||
| 180a6f59 JJ |
292 | #define DFA_VALID_PERM_MASK 0xffffffff |
| 293 | #define DFA_VALID_PERM2_MASK 0xffffffff | |
| 294 | ||
| 736ec752 JJ |
295 | /** |
| 296 | * verify_accept - verify the accept tables of a dfa | |
| 297 | * @dfa: dfa to verify accept tables of (NOT NULL) | |
| 298 | * @flags: flags governing dfa | |
| 299 | * | |
| 300 | * Returns: 1 if valid accept tables else 0 if error | |
| 301 | */ | |
| 302 | static bool verify_accept(struct aa_dfa *dfa, int flags) | |
| 303 | { | |
| 304 | int i; | |
| 305 | ||
| 306 | /* verify accept permissions */ | |
| 307 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | |
| 308 | int mode = ACCEPT_TABLE(dfa)[i]; | |
| 309 | ||
| 310 | if (mode & ~DFA_VALID_PERM_MASK) | |
| 311 | return 0; | |
| 312 | ||
| 313 | if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) | |
| 314 | return 0; | |
| 315 | } | |
| 316 | return 1; | |
| 317 | } | |
| 318 | ||
| 319 | /** | |
| 320 | * unpack_dfa - unpack a file rule dfa | |
| 321 | * @e: serialized data extent information (NOT NULL) | |
| 322 | * | |
| 323 | * returns dfa or ERR_PTR or NULL if no dfa | |
| 324 | */ | |
| 325 | static struct aa_dfa *unpack_dfa(struct aa_ext *e) | |
| 326 | { | |
| 327 | char *blob = NULL; | |
| 328 | size_t size; | |
| 329 | struct aa_dfa *dfa = NULL; | |
| 330 | ||
| 331 | size = unpack_blob(e, &blob, "aadfa"); | |
| 332 | if (size) { | |
| 333 | /* | |
| 334 | * The dfa is aligned with in the blob to 8 bytes | |
| 335 | * from the beginning of the stream. | |
| 336 | */ | |
| 337 | size_t sz = blob - (char *)e->start; | |
| 338 | size_t pad = ALIGN(sz, 8) - sz; | |
| 339 | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | | |
| 340 | TO_ACCEPT2_FLAG(YYTD_DATA32); | |
| 341 | ||
| 342 | ||
| 343 | if (aa_g_paranoid_load) | |
| 344 | flags |= DFA_FLAG_VERIFY_STATES; | |
| 345 | ||
| 346 | dfa = aa_dfa_unpack(blob + pad, size - pad, flags); | |
| 347 | ||
| 348 | if (IS_ERR(dfa)) | |
| 349 | return dfa; | |
| 350 | ||
| 351 | if (!verify_accept(dfa, flags)) | |
| 352 | goto fail; | |
| 353 | } | |
| 354 | ||
| 355 | return dfa; | |
| 356 | ||
| 357 | fail: | |
| 358 | aa_put_dfa(dfa); | |
| 359 | return ERR_PTR(-EPROTO); | |
| 360 | } | |
| 361 | ||
| 362 | /** | |
| 363 | * unpack_trans_table - unpack a profile transition table | |
| 364 | * @e: serialized data extent information (NOT NULL) | |
| 365 | * @profile: profile to add the accept table to (NOT NULL) | |
| 366 | * | |
| 25985edc | 367 | * Returns: 1 if table successfully unpacked |
| 736ec752 JJ |
368 | */ |
| 369 | static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) | |
| 370 | { | |
| 371 | void *pos = e->pos; | |
| 372 | ||
| 373 | /* exec table is optional */ | |
| 374 | if (unpack_nameX(e, AA_STRUCT, "xtable")) { | |
| 375 | int i, size; | |
| 376 | ||
| 377 | size = unpack_array(e, NULL); | |
| 378 | /* currently 4 exec bits and entries 0-3 are reserved iupcx */ | |
| 379 | if (size > 16 - 4) | |
| 380 | goto fail; | |
| 381 | profile->file.trans.table = kzalloc(sizeof(char *) * size, | |
| 382 | GFP_KERNEL); | |
| 383 | if (!profile->file.trans.table) | |
| 384 | goto fail; | |
| 385 | ||
| 386 | profile->file.trans.size = size; | |
| 387 | for (i = 0; i < size; i++) { | |
| 388 | char *str; | |
| 7ee95850 | 389 | int c, j, size2 = unpack_strdup(e, &str, NULL); |
| 736ec752 JJ |
390 | /* unpack_strdup verifies that the last character is |
| 391 | * null termination byte. | |
| 392 | */ | |
| 7ee95850 | 393 | if (!size2) |
| 736ec752 JJ |
394 | goto fail; |
| 395 | profile->file.trans.table[i] = str; | |
| 396 | /* verify that name doesn't start with space */ | |
| 397 | if (isspace(*str)) | |
| 398 | goto fail; | |
| 399 | ||
| 400 | /* count internal # of internal \0 */ | |
| 7ee95850 | 401 | for (c = j = 0; j < size2 - 2; j++) { |
| 736ec752 JJ |
402 | if (!str[j]) |
| 403 | c++; | |
| 404 | } | |
| 405 | if (*str == ':') { | |
| 406 | /* beginning with : requires an embedded \0, | |
| 407 | * verify that exactly 1 internal \0 exists | |
| 408 | * trailing \0 already verified by unpack_strdup | |
| 409 | */ | |
| 410 | if (c != 1) | |
| 411 | goto fail; | |
| 412 | /* first character after : must be valid */ | |
| 413 | if (!str[1]) | |
| 414 | goto fail; | |
| 415 | } else if (c) | |
| 416 | /* fail - all other cases with embedded \0 */ | |
| 417 | goto fail; | |
| 418 | } | |
| 419 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | |
| 420 | goto fail; | |
| 421 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
| 422 | goto fail; | |
| 423 | } | |
| 424 | return 1; | |
| 425 | ||
| 426 | fail: | |
| 427 | aa_free_domain_entries(&profile->file.trans); | |
| 428 | e->pos = pos; | |
| 429 | return 0; | |
| 430 | } | |
| 431 | ||
| 432 | static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) | |
| 433 | { | |
| 434 | void *pos = e->pos; | |
| 435 | ||
| 436 | /* rlimits are optional */ | |
| 437 | if (unpack_nameX(e, AA_STRUCT, "rlimits")) { | |
| 438 | int i, size; | |
| 439 | u32 tmp = 0; | |
| 440 | if (!unpack_u32(e, &tmp, NULL)) | |
| 441 | goto fail; | |
| 442 | profile->rlimits.mask = tmp; | |
| 443 | ||
| 444 | size = unpack_array(e, NULL); | |
| 445 | if (size > RLIM_NLIMITS) | |
| 446 | goto fail; | |
| 447 | for (i = 0; i < size; i++) { | |
| 7ee95850 | 448 | u64 tmp2 = 0; |
| 736ec752 | 449 | int a = aa_map_resource(i); |
| 7ee95850 | 450 | if (!unpack_u64(e, &tmp2, NULL)) |
| 736ec752 | 451 | goto fail; |
| 7ee95850 | 452 | profile->rlimits.limits[a].rlim_max = tmp2; |
| 736ec752 JJ |
453 | } |
| 454 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | |
| 455 | goto fail; | |
| 456 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
| 457 | goto fail; | |
| 458 | } | |
| 459 | return 1; | |
| 460 | ||
| 461 | fail: | |
| 462 | e->pos = pos; | |
| 463 | return 0; | |
| 464 | } | |
| 465 | ||
| 466 | /** | |
| 467 | * unpack_profile - unpack a serialized profile | |
| 468 | * @e: serialized data extent information (NOT NULL) | |
| 469 | * | |
| 470 | * NOTE: unpack profile sets audit struct if there is a failure | |
| 471 | */ | |
| 472 | static struct aa_profile *unpack_profile(struct aa_ext *e) | |
| 473 | { | |
| 474 | struct aa_profile *profile = NULL; | |
| 475 | const char *name = NULL; | |
| ad5ff3db | 476 | int i, error = -EPROTO; |
| 736ec752 JJ |
477 | kernel_cap_t tmpcap; |
| 478 | u32 tmp; | |
| 479 | ||
| 480 | /* check that we have the right struct being passed */ | |
| 481 | if (!unpack_nameX(e, AA_STRUCT, "profile")) | |
| 482 | goto fail; | |
| 483 | if (!unpack_str(e, &name, NULL)) | |
| 484 | goto fail; | |
| 485 | ||
| 486 | profile = aa_alloc_profile(name); | |
| 487 | if (!profile) | |
| 488 | return ERR_PTR(-ENOMEM); | |
| 489 | ||
| 490 | /* profile renaming is optional */ | |
| 491 | (void) unpack_str(e, &profile->rename, "rename"); | |
| 492 | ||
| 493 | /* xmatch is optional and may be NULL */ | |
| 494 | profile->xmatch = unpack_dfa(e); | |
| 495 | if (IS_ERR(profile->xmatch)) { | |
| 496 | error = PTR_ERR(profile->xmatch); | |
| 497 | profile->xmatch = NULL; | |
| 498 | goto fail; | |
| 499 | } | |
| 500 | /* xmatch_len is not optional if xmatch is set */ | |
| 501 | if (profile->xmatch) { | |
| 502 | if (!unpack_u32(e, &tmp, NULL)) | |
| 503 | goto fail; | |
| 504 | profile->xmatch_len = tmp; | |
| 505 | } | |
| 506 | ||
| 507 | /* per profile debug flags (complain, audit) */ | |
| 508 | if (!unpack_nameX(e, AA_STRUCT, "flags")) | |
| 509 | goto fail; | |
| 510 | if (!unpack_u32(e, &tmp, NULL)) | |
| 511 | goto fail; | |
| 512 | if (tmp) | |
| 513 | profile->flags |= PFLAG_HAT; | |
| 514 | if (!unpack_u32(e, &tmp, NULL)) | |
| 515 | goto fail; | |
| 516 | if (tmp) | |
| 517 | profile->mode = APPARMOR_COMPLAIN; | |
| 518 | if (!unpack_u32(e, &tmp, NULL)) | |
| 519 | goto fail; | |
| 520 | if (tmp) | |
| 521 | profile->audit = AUDIT_ALL; | |
| 522 | ||
| 523 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
| 524 | goto fail; | |
| 525 | ||
| 526 | /* path_flags is optional */ | |
| 527 | if (unpack_u32(e, &profile->path_flags, "path_flags")) | |
| 528 | profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; | |
| 529 | else | |
| 530 | /* set a default value if path_flags field is not present */ | |
| 531 | profile->path_flags = PFLAG_MEDIATE_DELETED; | |
| 532 | ||
| 533 | if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) | |
| 534 | goto fail; | |
| 535 | if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) | |
| 536 | goto fail; | |
| 537 | if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) | |
| 538 | goto fail; | |
| 539 | if (!unpack_u32(e, &tmpcap.cap[0], NULL)) | |
| 540 | goto fail; | |
| 541 | ||
| 542 | if (unpack_nameX(e, AA_STRUCT, "caps64")) { | |
| 543 | /* optional upper half of 64 bit caps */ | |
| 544 | if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) | |
| 545 | goto fail; | |
| 546 | if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) | |
| 547 | goto fail; | |
| 548 | if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) | |
| 549 | goto fail; | |
| 550 | if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) | |
| 551 | goto fail; | |
| 552 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
| 553 | goto fail; | |
| 554 | } | |
| 555 | ||
| 556 | if (unpack_nameX(e, AA_STRUCT, "capsx")) { | |
| 557 | /* optional extended caps mediation mask */ | |
| 558 | if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) | |
| 559 | goto fail; | |
| 560 | if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) | |
| 561 | goto fail; | |
| cdbd2884 JJ |
562 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
| 563 | goto fail; | |
| 736ec752 JJ |
564 | } |
| 565 | ||
| 566 | if (!unpack_rlimits(e, profile)) | |
| 567 | goto fail; | |
| 568 | ||
| ad5ff3db JJ |
569 | if (unpack_nameX(e, AA_STRUCT, "policydb")) { |
| 570 | /* generic policy dfa - optional and may be NULL */ | |
| 571 | profile->policy.dfa = unpack_dfa(e); | |
| 572 | if (IS_ERR(profile->policy.dfa)) { | |
| 573 | error = PTR_ERR(profile->policy.dfa); | |
| 574 | profile->policy.dfa = NULL; | |
| 575 | goto fail; | |
| 576 | } | |
| 577 | if (!unpack_u32(e, &profile->policy.start[0], "start")) | |
| 578 | /* default start state */ | |
| 579 | profile->policy.start[0] = DFA_START; | |
| 580 | /* setup class index */ | |
| 581 | for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { | |
| 582 | profile->policy.start[i] = | |
| 583 | aa_dfa_next(profile->policy.dfa, | |
| 584 | profile->policy.start[0], | |
| 585 | i); | |
| 586 | } | |
| 587 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
| 588 | goto fail; | |
| 589 | } | |
| 590 | ||
| 736ec752 JJ |
591 | /* get file rules */ |
| 592 | profile->file.dfa = unpack_dfa(e); | |
| 593 | if (IS_ERR(profile->file.dfa)) { | |
| 594 | error = PTR_ERR(profile->file.dfa); | |
| 595 | profile->file.dfa = NULL; | |
| 596 | goto fail; | |
| 597 | } | |
| 598 | ||
| 599 | if (!unpack_u32(e, &profile->file.start, "dfa_start")) | |
| 600 | /* default start state */ | |
| 601 | profile->file.start = DFA_START; | |
| 602 | ||
| 603 | if (!unpack_trans_table(e, profile)) | |
| 604 | goto fail; | |
| 605 | ||
| 606 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
| 607 | goto fail; | |
| 608 | ||
| 609 | return profile; | |
| 610 | ||
| 611 | fail: | |
| 612 | if (profile) | |
| 613 | name = NULL; | |
| 614 | else if (!name) | |
| 615 | name = "unknown"; | |
| 616 | audit_iface(profile, name, "failed to unpack profile", e, error); | |
| 617 | aa_put_profile(profile); | |
| 618 | ||
| 619 | return ERR_PTR(error); | |
| 620 | } | |
| 621 | ||
| 622 | /** | |
| 623 | * verify_head - unpack serialized stream header | |
| 624 | * @e: serialized data read head (NOT NULL) | |
| 625 | * @ns: Returns - namespace if one is specified else NULL (NOT NULL) | |
| 626 | * | |
| 627 | * Returns: error or 0 if header is good | |
| 628 | */ | |
| 629 | static int verify_header(struct aa_ext *e, const char **ns) | |
| 630 | { | |
| 631 | int error = -EPROTONOSUPPORT; | |
| 632 | /* get the interface version */ | |
| 633 | if (!unpack_u32(e, &e->version, "version")) { | |
| 634 | audit_iface(NULL, NULL, "invalid profile format", e, error); | |
| 635 | return error; | |
| 636 | } | |
| 637 | ||
| 638 | /* check that the interface version is currently supported */ | |
| 639 | if (e->version != 5) { | |
| 640 | audit_iface(NULL, NULL, "unsupported interface version", e, | |
| 641 | error); | |
| 642 | return error; | |
| 643 | } | |
| 644 | ||
| 645 | /* read the namespace if present */ | |
| 646 | if (!unpack_str(e, ns, "namespace")) | |
| 647 | *ns = NULL; | |
| 648 | ||
| 649 | return 0; | |
| 650 | } | |
| 651 | ||
| 652 | static bool verify_xindex(int xindex, int table_size) | |
| 653 | { | |
| 654 | int index, xtype; | |
| 655 | xtype = xindex & AA_X_TYPE_MASK; | |
| 656 | index = xindex & AA_X_INDEX_MASK; | |
| 657 | if (xtype == AA_X_TABLE && index > table_size) | |
| 658 | return 0; | |
| 659 | return 1; | |
| 660 | } | |
| 661 | ||
| 662 | /* verify dfa xindexes are in range of transition tables */ | |
| 663 | static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) | |
| 664 | { | |
| 665 | int i; | |
| 666 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | |
| 667 | if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) | |
| 668 | return 0; | |
| 669 | if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) | |
| 670 | return 0; | |
| 671 | } | |
| 672 | return 1; | |
| 673 | } | |
| 674 | ||
| 675 | /** | |
| 676 | * verify_profile - Do post unpack analysis to verify profile consistency | |
| 677 | * @profile: profile to verify (NOT NULL) | |
| 678 | * | |
| 679 | * Returns: 0 if passes verification else error | |
| 680 | */ | |
| 681 | static int verify_profile(struct aa_profile *profile) | |
| 682 | { | |
| 683 | if (aa_g_paranoid_load) { | |
| 684 | if (profile->file.dfa && | |
| 685 | !verify_dfa_xindex(profile->file.dfa, | |
| 686 | profile->file.trans.size)) { | |
| 687 | audit_iface(profile, NULL, "Invalid named transition", | |
| 688 | NULL, -EPROTO); | |
| 689 | return -EPROTO; | |
| 690 | } | |
| 691 | } | |
| 692 | ||
| 693 | return 0; | |
| 694 | } | |
| 695 | ||
| 696 | /** | |
| 697 | * aa_unpack - unpack packed binary profile data loaded from user space | |
| 698 | * @udata: user data copied to kmem (NOT NULL) | |
| 699 | * @size: the size of the user data | |
| 700 | * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) | |
| 701 | * | |
| 702 | * Unpack user data and return refcounted allocated profile or ERR_PTR | |
| 703 | * | |
| 704 | * Returns: profile else error pointer if fails to unpack | |
| 705 | */ | |
| 706 | struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns) | |
| 707 | { | |
| 708 | struct aa_profile *profile = NULL; | |
| 709 | int error; | |
| 710 | struct aa_ext e = { | |
| 711 | .start = udata, | |
| 712 | .end = udata + size, | |
| 713 | .pos = udata, | |
| 714 | }; | |
| 715 | ||
| 716 | error = verify_header(&e, ns); | |
| 717 | if (error) | |
| 718 | return ERR_PTR(error); | |
| 719 | ||
| 720 | profile = unpack_profile(&e); | |
| 721 | if (IS_ERR(profile)) | |
| 722 | return profile; | |
| 723 | ||
| 724 | error = verify_profile(profile); | |
| 725 | if (error) { | |
| 726 | aa_put_profile(profile); | |
| 727 | profile = ERR_PTR(error); | |
| 728 | } | |
| 729 | ||
| 730 | /* return refcount */ | |
| 731 | return profile; | |
| 732 | } |