policy_compat.c 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor functions for unpacking policy loaded
  6. * from userspace.
  7. *
  8. * Copyright (C) 1998-2008 Novell/SUSE
  9. * Copyright 2009-2022 Canonical Ltd.
  10. *
  11. * Code to provide backwards compatibility with older policy versions,
  12. * by converting/mapping older policy formats into the newer internal
  13. * formats.
  14. */
  15. #include <linux/ctype.h>
  16. #include <linux/errno.h>
  17. #include "include/lib.h"
  18. #include "include/policy_unpack.h"
  19. #include "include/policy_compat.h"
  20. /* remap old accept table embedded permissions to separate permission table */
  21. static u32 dfa_map_xindex(u16 mask)
  22. {
  23. u16 old_index = (mask >> 10) & 0xf;
  24. u32 index = 0;
  25. if (mask & 0x100)
  26. index |= AA_X_UNSAFE;
  27. if (mask & 0x200)
  28. index |= AA_X_INHERIT;
  29. if (mask & 0x80)
  30. index |= AA_X_UNCONFINED;
  31. if (old_index == 1) {
  32. index |= AA_X_UNCONFINED;
  33. } else if (old_index == 2) {
  34. index |= AA_X_NAME;
  35. } else if (old_index == 3) {
  36. index |= AA_X_NAME | AA_X_CHILD;
  37. } else if (old_index) {
  38. index |= AA_X_TABLE;
  39. index |= old_index - 4;
  40. }
  41. return index;
  42. }
  43. /*
  44. * map old dfa inline permissions to new format
  45. */
  46. #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
  47. ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
  48. #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
  49. #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
  50. #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
  51. #define dfa_user_xindex(dfa, state) \
  52. (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
  53. #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
  54. 0x7f) | \
  55. ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
  56. #define dfa_other_xbits(dfa, state) \
  57. ((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
  58. #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
  59. #define dfa_other_quiet(dfa, state) \
  60. ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
  61. #define dfa_other_xindex(dfa, state) \
  62. dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
  63. /**
  64. * map_old_perms - map old file perms layout to the new layout
  65. * @old: permission set in old mapping
  66. *
  67. * Returns: new permission mapping
  68. */
  69. static u32 map_old_perms(u32 old)
  70. {
  71. u32 new = old & 0xf;
  72. if (old & MAY_READ)
  73. new |= AA_MAY_GETATTR | AA_MAY_OPEN;
  74. if (old & MAY_WRITE)
  75. new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
  76. AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
  77. if (old & 0x10)
  78. new |= AA_MAY_LINK;
  79. /* the old mapping lock and link_subset flags where overlaid
  80. * and use was determined by part of a pair that they were in
  81. */
  82. if (old & 0x20)
  83. new |= AA_MAY_LOCK | AA_LINK_SUBSET;
  84. if (old & 0x40) /* AA_EXEC_MMAP */
  85. new |= AA_EXEC_MMAP;
  86. return new;
  87. }
  88. static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
  89. aa_state_t state)
  90. {
  91. perms->allow |= AA_MAY_GETATTR;
  92. /* change_profile wasn't determined by ownership in old mapping */
  93. if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
  94. perms->allow |= AA_MAY_CHANGE_PROFILE;
  95. if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
  96. perms->allow |= AA_MAY_ONEXEC;
  97. }
  98. static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
  99. aa_state_t state)
  100. {
  101. struct aa_perms perms = { };
  102. perms.allow = map_old_perms(dfa_user_allow(dfa, state));
  103. perms.audit = map_old_perms(dfa_user_audit(dfa, state));
  104. perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
  105. perms.xindex = dfa_user_xindex(dfa, state);
  106. compute_fperms_allow(&perms, dfa, state);
  107. return perms;
  108. }
  109. static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
  110. aa_state_t state)
  111. {
  112. struct aa_perms perms = { };
  113. perms.allow = map_old_perms(dfa_other_allow(dfa, state));
  114. perms.audit = map_old_perms(dfa_other_audit(dfa, state));
  115. perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
  116. perms.xindex = dfa_other_xindex(dfa, state);
  117. compute_fperms_allow(&perms, dfa, state);
  118. return perms;
  119. }
  120. /**
  121. * compute_fperms - convert dfa compressed perms to internal perms and store
  122. * them so they can be retrieved later.
  123. * @dfa: a dfa using fperms to remap to internal permissions
  124. * @size: Returns the permission table size
  125. *
  126. * Returns: remapped perm table
  127. */
  128. static struct aa_perms *compute_fperms(struct aa_dfa *dfa,
  129. u32 *size)
  130. {
  131. aa_state_t state;
  132. unsigned int state_count;
  133. struct aa_perms *table;
  134. AA_BUG(!dfa);
  135. state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
  136. /* DFAs are restricted from having a state_count of less than 2 */
  137. table = kvzalloc_objs(struct aa_perms, state_count * 2);
  138. if (!table)
  139. return NULL;
  140. *size = state_count * 2;
  141. for (state = 0; state < state_count; state++) {
  142. table[state * 2] = compute_fperms_user(dfa, state);
  143. table[state * 2 + 1] = compute_fperms_other(dfa, state);
  144. }
  145. return table;
  146. }
  147. static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch,
  148. u32 *size)
  149. {
  150. struct aa_perms *perms;
  151. int state;
  152. int state_count;
  153. AA_BUG(!xmatch);
  154. state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
  155. /* DFAs are restricted from having a state_count of less than 2 */
  156. perms = kvzalloc_objs(struct aa_perms, state_count);
  157. if (!perms)
  158. return NULL;
  159. *size = state_count;
  160. /* zero init so skip the trap state (state == 0) */
  161. for (state = 1; state < state_count; state++)
  162. perms[state].allow = dfa_user_allow(xmatch, state);
  163. return perms;
  164. }
  165. static u32 map_other(u32 x)
  166. {
  167. return ((x & 0x3) << 8) | /* SETATTR/GETATTR */
  168. ((x & 0x1c) << 18) | /* ACCEPT/BIND/LISTEN */
  169. ((x & 0x60) << 19); /* SETOPT/GETOPT */
  170. }
  171. static u32 map_xbits(u32 x)
  172. {
  173. return ((x & 0x1) << 7) |
  174. ((x & 0x7e) << 9);
  175. }
  176. static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
  177. aa_state_t state,
  178. u32 version)
  179. {
  180. struct aa_perms perms = { };
  181. perms.allow = dfa_user_allow(dfa, state);
  182. perms.audit = dfa_user_audit(dfa, state);
  183. perms.quiet = dfa_user_quiet(dfa, state);
  184. /*
  185. * This mapping is convulated due to history.
  186. * v1-v4: only file perms, which are handled by compute_fperms
  187. * v5: added policydb which dropped user conditional to gain new
  188. * perm bits, but had to map around the xbits because the
  189. * userspace compiler was still munging them.
  190. * v9: adds using the xbits in policydb because the compiler now
  191. * supports treating policydb permission bits different.
  192. * Unfortunately there is no way to force auditing on the
  193. * perms represented by the xbits
  194. */
  195. perms.allow |= map_other(dfa_other_allow(dfa, state));
  196. if (VERSION_LE(version, v8))
  197. perms.allow |= AA_MAY_LOCK;
  198. else
  199. perms.allow |= map_xbits(dfa_user_xbits(dfa, state));
  200. /*
  201. * for v5-v9 perm mapping in the policydb, the other set is used
  202. * to extend the general perm set
  203. */
  204. perms.audit |= map_other(dfa_other_audit(dfa, state));
  205. perms.quiet |= map_other(dfa_other_quiet(dfa, state));
  206. if (VERSION_GT(version, v8))
  207. perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));
  208. return perms;
  209. }
  210. static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version,
  211. u32 *size)
  212. {
  213. unsigned int state;
  214. unsigned int state_count;
  215. struct aa_perms *table;
  216. AA_BUG(!dfa);
  217. state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
  218. /* DFAs are restricted from having a state_count of less than 2 */
  219. table = kvzalloc_objs(struct aa_perms, state_count);
  220. if (!table)
  221. return NULL;
  222. *size = state_count;
  223. /* zero init so skip the trap state (state == 0) */
  224. for (state = 1; state < state_count; state++) {
  225. table[state] = compute_perms_entry(dfa, state, version);
  226. AA_DEBUG(DEBUG_UNPACK,
  227. "[%d]: (0x%x/0x%x/0x%x//0x%x/0x%x//0x%x), converted from accept1: 0x%x, accept2: 0x%x",
  228. state, table[state].allow, table[state].deny,
  229. table[state].prompt, table[state].audit,
  230. table[state].quiet, table[state].xindex,
  231. ACCEPT_TABLE(dfa)[state], ACCEPT_TABLE2(dfa)[state]);
  232. }
  233. return table;
  234. }
  235. /**
  236. * remap_dfa_accept - remap old dfa accept table to be an index
  237. * @dfa: dfa to do the remapping on
  238. * @factor: scaling factor for the index conversion.
  239. *
  240. * Used in conjunction with compute_Xperms, it converts old style perms
  241. * that are encoded in the dfa accept tables to the new style where
  242. * there is a permission table and the accept table is an index into
  243. * the permission table.
  244. */
  245. static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
  246. {
  247. unsigned int state;
  248. unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
  249. AA_BUG(!dfa);
  250. for (state = 0; state < state_count; state++) {
  251. ACCEPT_TABLE(dfa)[state] = state * factor;
  252. ACCEPT_TABLE2(dfa)[state] = factor > 1 ? ACCEPT_FLAG_OWNER : 0;
  253. }
  254. }
  255. /* TODO: merge different dfa mappings into single map_policy fn */
  256. int aa_compat_map_xmatch(struct aa_policydb *policy)
  257. {
  258. policy->perms = compute_xmatch_perms(policy->dfa, &policy->size);
  259. if (!policy->perms)
  260. return -ENOMEM;
  261. remap_dfa_accept(policy->dfa, 1);
  262. return 0;
  263. }
  264. int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
  265. {
  266. policy->perms = compute_perms(policy->dfa, version, &policy->size);
  267. if (!policy->perms)
  268. return -ENOMEM;
  269. remap_dfa_accept(policy->dfa, 1);
  270. return 0;
  271. }
  272. int aa_compat_map_file(struct aa_policydb *policy)
  273. {
  274. policy->perms = compute_fperms(policy->dfa, &policy->size);
  275. if (!policy->perms)
  276. return -ENOMEM;
  277. remap_dfa_accept(policy->dfa, 2);
  278. return 0;
  279. }