policy_unpack.c 43 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor functions for unpacking policy loaded from
  6. * userspace.
  7. *
  8. * Copyright (C) 1998-2008 Novell/SUSE
  9. * Copyright 2009-2010 Canonical Ltd.
  10. *
  11. * AppArmor uses a serialized binary format for loading policy. To find
  12. * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
  13. * All policy is validated before it is used.
  14. */
  15. #include <linux/unaligned.h>
  16. #include <kunit/visibility.h>
  17. #include <linux/ctype.h>
  18. #include <linux/errno.h>
  19. #include <linux/zstd.h>
  20. #include "include/apparmor.h"
  21. #include "include/audit.h"
  22. #include "include/cred.h"
  23. #include "include/crypto.h"
  24. #include "include/file.h"
  25. #include "include/match.h"
  26. #include "include/path.h"
  27. #include "include/policy.h"
  28. #include "include/policy_unpack.h"
  29. #include "include/policy_compat.h"
  30. #include "include/signal.h"
  31. /* audit callback for unpack fields */
  32. static void audit_cb(struct audit_buffer *ab, void *va)
  33. {
  34. struct common_audit_data *sa = va;
  35. struct apparmor_audit_data *ad = aad(sa);
  36. if (ad->iface.ns) {
  37. audit_log_format(ab, " ns=");
  38. audit_log_untrustedstring(ab, ad->iface.ns);
  39. }
  40. if (ad->name) {
  41. audit_log_format(ab, " name=");
  42. audit_log_untrustedstring(ab, ad->name);
  43. }
  44. if (ad->iface.pos)
  45. audit_log_format(ab, " offset=%ld", ad->iface.pos);
  46. }
  47. /**
  48. * audit_iface - do audit message for policy unpacking/load/replace/remove
  49. * @new: profile if it has been allocated (MAYBE NULL)
  50. * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
  51. * @name: name of the profile being manipulated (MAYBE NULL)
  52. * @info: any extra info about the failure (MAYBE NULL)
  53. * @e: buffer position info
  54. * @error: error code
  55. *
  56. * Returns: %0 or error
  57. */
  58. static int audit_iface(struct aa_profile *new, const char *ns_name,
  59. const char *name, const char *info, struct aa_ext *e,
  60. int error)
  61. {
  62. struct aa_profile *profile = labels_profile(aa_current_raw_label());
  63. DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
  64. if (e)
  65. ad.iface.pos = e->pos - e->start;
  66. ad.iface.ns = ns_name;
  67. if (new)
  68. ad.name = new->base.hname;
  69. else
  70. ad.name = name;
  71. ad.info = info;
  72. ad.error = error;
  73. return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb);
  74. }
  75. void __aa_loaddata_update(struct aa_loaddata *data, long revision)
  76. {
  77. AA_BUG(!data);
  78. AA_BUG(!data->ns);
  79. AA_BUG(!mutex_is_locked(&data->ns->lock));
  80. AA_BUG(data->revision > revision);
  81. data->revision = revision;
  82. if ((data->dents[AAFS_LOADDATA_REVISION])) {
  83. struct inode *inode;
  84. inode = d_inode(data->dents[AAFS_LOADDATA_DIR]);
  85. inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
  86. inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]);
  87. inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
  88. }
  89. }
  90. bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
  91. {
  92. if (l->size != r->size)
  93. return false;
  94. if (l->compressed_size != r->compressed_size)
  95. return false;
  96. if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
  97. return false;
  98. return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
  99. }
  100. static void do_loaddata_free(struct aa_loaddata *d)
  101. {
  102. kfree_sensitive(d->hash);
  103. kfree_sensitive(d->name);
  104. kvfree(d->data);
  105. kfree_sensitive(d);
  106. }
  107. void aa_loaddata_kref(struct kref *kref)
  108. {
  109. struct aa_loaddata *d = container_of(kref, struct aa_loaddata,
  110. count.count);
  111. do_loaddata_free(d);
  112. }
  113. /*
  114. * need to take the ns mutex lock which is NOT safe most places that
  115. * put_loaddata is called, so we have to delay freeing it
  116. */
  117. static void do_ploaddata_rmfs(struct work_struct *work)
  118. {
  119. struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
  120. struct aa_ns *ns = aa_get_ns(d->ns);
  121. if (ns) {
  122. mutex_lock_nested(&ns->lock, ns->level);
  123. /* remove fs ref to loaddata */
  124. __aa_fs_remove_rawdata(d);
  125. mutex_unlock(&ns->lock);
  126. aa_put_ns(ns);
  127. }
  128. /* called by dropping last pcount, so drop its associated icount */
  129. aa_put_i_loaddata(d);
  130. }
  131. void aa_ploaddata_kref(struct kref *kref)
  132. {
  133. struct aa_loaddata *d = container_of(kref, struct aa_loaddata, pcount);
  134. if (d) {
  135. INIT_WORK(&d->work, do_ploaddata_rmfs);
  136. schedule_work(&d->work);
  137. }
  138. }
  139. struct aa_loaddata *aa_loaddata_alloc(size_t size)
  140. {
  141. struct aa_loaddata *d;
  142. d = kzalloc_obj(*d);
  143. if (d == NULL)
  144. return ERR_PTR(-ENOMEM);
  145. d->data = kvzalloc(size, GFP_KERNEL);
  146. if (!d->data) {
  147. kfree(d);
  148. return ERR_PTR(-ENOMEM);
  149. }
  150. kref_init(&d->count.count);
  151. d->count.reftype = REF_RAWDATA;
  152. kref_init(&d->pcount);
  153. INIT_LIST_HEAD(&d->list);
  154. return d;
  155. }
  156. /* test if read will be in packed data bounds */
  157. VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size)
  158. {
  159. return (size <= e->end - e->pos);
  160. }
  161. EXPORT_SYMBOL_IF_KUNIT(aa_inbounds);
  162. /**
  163. * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
  164. * @e: serialized data read head (NOT NULL)
  165. * @chunk: start address for chunk of data (NOT NULL)
  166. *
  167. * Returns: the size of chunk found with the read head at the end of the chunk.
  168. */
  169. VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk)
  170. {
  171. size_t size = 0;
  172. void *pos = e->pos;
  173. if (!aa_inbounds(e, sizeof(u16)))
  174. goto fail;
  175. size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
  176. e->pos += sizeof(__le16);
  177. if (!aa_inbounds(e, size))
  178. goto fail;
  179. *chunk = e->pos;
  180. e->pos += size;
  181. return size;
  182. fail:
  183. e->pos = pos;
  184. return 0;
  185. }
  186. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk);
  187. /* unpack control byte */
  188. VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code)
  189. {
  190. if (!aa_inbounds(e, 1))
  191. return false;
  192. if (*(u8 *) e->pos != code)
  193. return false;
  194. e->pos++;
  195. return true;
  196. }
  197. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X);
  198. /**
  199. * aa_unpack_nameX - check is the next element is of type X with a name of @name
  200. * @e: serialized data extent information (NOT NULL)
  201. * @code: type code
  202. * @name: name to match to the serialized element. (MAYBE NULL)
  203. *
  204. * check that the next serialized data element is of type X and has a tag
  205. * name @name. If @name is specified then there must be a matching
  206. * name element in the stream. If @name is NULL any name element will be
  207. * skipped and only the typecode will be tested.
  208. *
  209. * Returns true on success (both type code and name tests match) and the read
  210. * head is advanced past the headers
  211. *
  212. * Returns: false if either match fails, the read head does not move
  213. */
  214. VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
  215. {
  216. /*
  217. * May need to reset pos if name or type doesn't match
  218. */
  219. void *pos = e->pos;
  220. /*
  221. * Check for presence of a tagname, and if present name size
  222. * AA_NAME tag value is a u16.
  223. */
  224. if (aa_unpack_X(e, AA_NAME)) {
  225. char *tag = NULL;
  226. size_t size = aa_unpack_u16_chunk(e, &tag);
  227. /* if a name is specified it must match. otherwise skip tag */
  228. if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
  229. goto fail;
  230. } else if (name) {
  231. /* if a name is specified and there is no name tag fail */
  232. goto fail;
  233. }
  234. /* now check if type code matches */
  235. if (aa_unpack_X(e, code))
  236. return true;
  237. fail:
  238. e->pos = pos;
  239. return false;
  240. }
  241. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX);
  242. static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
  243. {
  244. void *pos = e->pos;
  245. if (aa_unpack_nameX(e, AA_U8, name)) {
  246. if (!aa_inbounds(e, sizeof(u8)))
  247. goto fail;
  248. if (data)
  249. *data = *((u8 *)e->pos);
  250. e->pos += sizeof(u8);
  251. return true;
  252. }
  253. fail:
  254. e->pos = pos;
  255. return false;
  256. }
  257. VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name)
  258. {
  259. void *pos = e->pos;
  260. if (aa_unpack_nameX(e, AA_U32, name)) {
  261. if (!aa_inbounds(e, sizeof(u32)))
  262. goto fail;
  263. if (data)
  264. *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
  265. e->pos += sizeof(u32);
  266. return true;
  267. }
  268. fail:
  269. e->pos = pos;
  270. return false;
  271. }
  272. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32);
  273. VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name)
  274. {
  275. void *pos = e->pos;
  276. if (aa_unpack_nameX(e, AA_U64, name)) {
  277. if (!aa_inbounds(e, sizeof(u64)))
  278. goto fail;
  279. if (data)
  280. *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
  281. e->pos += sizeof(u64);
  282. return true;
  283. }
  284. fail:
  285. e->pos = pos;
  286. return false;
  287. }
  288. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64);
  289. static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name)
  290. {
  291. u32 val;
  292. if (!aa_unpack_u32(e, &val, name))
  293. return false;
  294. data->val = val;
  295. return true;
  296. }
  297. static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name)
  298. {
  299. u32 val;
  300. if (!aa_unpack_u32(e, &val, name))
  301. return false;
  302. data->val = (u32)data->val | ((u64)val << 32);
  303. return true;
  304. }
  305. VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size)
  306. {
  307. void *pos = e->pos;
  308. if (aa_unpack_nameX(e, AA_ARRAY, name)) {
  309. if (!aa_inbounds(e, sizeof(u16)))
  310. goto fail;
  311. *size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
  312. e->pos += sizeof(u16);
  313. return true;
  314. }
  315. fail:
  316. e->pos = pos;
  317. return false;
  318. }
  319. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array);
  320. VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name)
  321. {
  322. void *pos = e->pos;
  323. if (aa_unpack_nameX(e, AA_BLOB, name)) {
  324. u32 size;
  325. if (!aa_inbounds(e, sizeof(u32)))
  326. goto fail;
  327. size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
  328. e->pos += sizeof(u32);
  329. if (aa_inbounds(e, (size_t) size)) {
  330. *blob = e->pos;
  331. e->pos += size;
  332. return size;
  333. }
  334. }
  335. fail:
  336. e->pos = pos;
  337. return 0;
  338. }
  339. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob);
  340. VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name)
  341. {
  342. char *src_str;
  343. size_t size = 0;
  344. void *pos = e->pos;
  345. *string = NULL;
  346. if (aa_unpack_nameX(e, AA_STRING, name)) {
  347. size = aa_unpack_u16_chunk(e, &src_str);
  348. if (size) {
  349. /* strings are null terminated, length is size - 1 */
  350. if (src_str[size - 1] != 0)
  351. goto fail;
  352. *string = src_str;
  353. return size;
  354. }
  355. }
  356. fail:
  357. e->pos = pos;
  358. return 0;
  359. }
  360. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str);
  361. VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name)
  362. {
  363. const char *tmp;
  364. void *pos = e->pos;
  365. int res = aa_unpack_str(e, &tmp, name);
  366. *string = NULL;
  367. if (!res)
  368. return 0;
  369. *string = kmemdup(tmp, res, GFP_KERNEL);
  370. if (!*string) {
  371. e->pos = pos;
  372. return 0;
  373. }
  374. return res;
  375. }
  376. EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup);
  377. /**
  378. * unpack_dfa - unpack a file rule dfa
  379. * @e: serialized data extent information (NOT NULL)
  380. * @flags: dfa flags to check
  381. *
  382. * returns dfa or ERR_PTR or NULL if no dfa
  383. */
  384. static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags)
  385. {
  386. char *blob = NULL;
  387. size_t size;
  388. struct aa_dfa *dfa = NULL;
  389. size = aa_unpack_blob(e, &blob, "aadfa");
  390. if (size) {
  391. /*
  392. * The dfa is aligned with in the blob to 8 bytes
  393. * from the beginning of the stream.
  394. * alignment adjust needed by dfa unpack
  395. */
  396. size_t sz = blob - (char *) e->start -
  397. ((e->pos - e->start) & 7);
  398. size_t pad = ALIGN(sz, 8) - sz;
  399. if (aa_g_paranoid_load)
  400. flags |= DFA_FLAG_VERIFY_STATES;
  401. dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
  402. if (IS_ERR(dfa))
  403. return dfa;
  404. }
  405. return dfa;
  406. }
  407. static int process_strs_entry(char *str, int size, bool multi)
  408. {
  409. int c = 1;
  410. if (size <= 0)
  411. return -1;
  412. if (multi) {
  413. if (size < 2)
  414. return -2;
  415. /* multi ends with double \0 */
  416. if (str[size - 2])
  417. return -3;
  418. }
  419. char *save = str;
  420. char *pos = str;
  421. char *end = multi ? str + size - 2 : str + size - 1;
  422. /* count # of internal \0 */
  423. while (str < end) {
  424. if (str == pos) {
  425. /* starts with ... */
  426. if (!*str) {
  427. AA_DEBUG(DEBUG_UNPACK,
  428. "starting with null save=%lu size %d c=%d",
  429. (unsigned long)(str - save), size, c);
  430. return -4;
  431. }
  432. if (isspace(*str))
  433. return -5;
  434. if (*str == ':') {
  435. /* :ns_str\0str\0
  436. * first character after : must be valid
  437. */
  438. if (!str[1])
  439. return -6;
  440. }
  441. } else if (!*str) {
  442. if (*pos == ':')
  443. *str = ':';
  444. else
  445. c++;
  446. pos = str + 1;
  447. }
  448. str++;
  449. } /* while */
  450. return c;
  451. }
  452. /**
  453. * unpack_strs_table - unpack a profile transition table
  454. * @e: serialized data extent information (NOT NULL)
  455. * @name: name of table (MAY BE NULL)
  456. * @multi: allow multiple strings on a single entry
  457. * @strs: str table to unpack to (NOT NULL)
  458. *
  459. * Returns: 0 if table successfully unpacked or not present, else error
  460. */
  461. static int unpack_strs_table(struct aa_ext *e, const char *name, bool multi,
  462. struct aa_str_table *strs)
  463. {
  464. void *saved_pos = e->pos;
  465. struct aa_str_table_ent *table = NULL;
  466. int error = -EPROTO;
  467. /* exec table is optional */
  468. if (aa_unpack_nameX(e, AA_STRUCT, name)) {
  469. u16 size;
  470. int i;
  471. if (!aa_unpack_array(e, NULL, &size))
  472. /*
  473. * Note: index into trans table array is a max
  474. * of 2^24, but unpack array can only unpack
  475. * an array of 2^16 in size atm so no need
  476. * for size check here
  477. */
  478. goto fail;
  479. table = kzalloc_objs(struct aa_str_table_ent, size);
  480. if (!table) {
  481. error = -ENOMEM;
  482. goto fail;
  483. }
  484. strs->table = table;
  485. strs->size = size;
  486. for (i = 0; i < size; i++) {
  487. char *str;
  488. int c, size2 = aa_unpack_strdup(e, &str, NULL);
  489. /* aa_unpack_strdup verifies that the last character is
  490. * null termination byte.
  491. */
  492. c = process_strs_entry(str, size2, multi);
  493. if (c <= 0) {
  494. AA_DEBUG(DEBUG_UNPACK, "process_strs %d i %d pos %ld",
  495. c, i,
  496. (unsigned long)(e->pos - saved_pos));
  497. goto fail;
  498. }
  499. if (!multi && c > 1) {
  500. AA_DEBUG(DEBUG_UNPACK, "!multi && c > 1");
  501. /* fail - all other cases with embedded \0 */
  502. goto fail;
  503. }
  504. table[i].strs = str;
  505. table[i].count = c;
  506. table[i].size = size2;
  507. }
  508. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  509. goto fail;
  510. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  511. goto fail;
  512. }
  513. return 0;
  514. fail:
  515. aa_destroy_str_table(strs);
  516. e->pos = saved_pos;
  517. return error;
  518. }
  519. static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
  520. {
  521. void *pos = e->pos;
  522. if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) {
  523. u16 size;
  524. int i;
  525. if (!aa_unpack_array(e, NULL, &size))
  526. goto fail;
  527. profile->attach.xattr_count = size;
  528. profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
  529. if (!profile->attach.xattrs)
  530. goto fail;
  531. for (i = 0; i < size; i++) {
  532. if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL))
  533. goto fail;
  534. }
  535. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  536. goto fail;
  537. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  538. goto fail;
  539. }
  540. return true;
  541. fail:
  542. e->pos = pos;
  543. return false;
  544. }
  545. static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
  546. {
  547. void *pos = e->pos;
  548. u16 size;
  549. int i;
  550. if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
  551. if (!aa_unpack_array(e, NULL, &size))
  552. goto fail;
  553. rules->secmark = kzalloc_objs(struct aa_secmark, size);
  554. if (!rules->secmark)
  555. goto fail;
  556. rules->secmark_count = size;
  557. for (i = 0; i < size; i++) {
  558. if (!unpack_u8(e, &rules->secmark[i].audit, NULL))
  559. goto fail;
  560. if (!unpack_u8(e, &rules->secmark[i].deny, NULL))
  561. goto fail;
  562. if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL))
  563. goto fail;
  564. }
  565. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  566. goto fail;
  567. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  568. goto fail;
  569. }
  570. return true;
  571. fail:
  572. if (rules->secmark) {
  573. for (i = 0; i < size; i++)
  574. kfree_sensitive(rules->secmark[i].label);
  575. kfree_sensitive(rules->secmark);
  576. rules->secmark_count = 0;
  577. rules->secmark = NULL;
  578. }
  579. e->pos = pos;
  580. return false;
  581. }
  582. static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules)
  583. {
  584. void *pos = e->pos;
  585. /* rlimits are optional */
  586. if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) {
  587. u16 size;
  588. int i;
  589. u32 tmp = 0;
  590. if (!aa_unpack_u32(e, &tmp, NULL))
  591. goto fail;
  592. rules->rlimits.mask = tmp;
  593. if (!aa_unpack_array(e, NULL, &size) ||
  594. size > RLIM_NLIMITS)
  595. goto fail;
  596. for (i = 0; i < size; i++) {
  597. u64 tmp2 = 0;
  598. int a = aa_map_resource(i);
  599. if (!aa_unpack_u64(e, &tmp2, NULL))
  600. goto fail;
  601. rules->rlimits.limits[a].rlim_max = tmp2;
  602. }
  603. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  604. goto fail;
  605. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  606. goto fail;
  607. }
  608. return true;
  609. fail:
  610. e->pos = pos;
  611. return false;
  612. }
  613. static bool verify_tags(struct aa_tags_struct *tags, const char **info)
  614. {
  615. if ((tags->hdrs.size && !tags->hdrs.table) ||
  616. (!tags->hdrs.size && tags->hdrs.table)) {
  617. *info = "failed verification tag.hdrs disagree";
  618. return false;
  619. }
  620. if ((tags->sets.size && !tags->sets.table) ||
  621. (!tags->sets.size && tags->sets.table)) {
  622. *info = "failed verification tag.sets disagree";
  623. return false;
  624. }
  625. if ((tags->strs.size && !tags->strs.table) ||
  626. (!tags->strs.size && tags->strs.table)) {
  627. *info = "failed verification tags->strs disagree";
  628. return false;
  629. }
  630. /* no data present */
  631. if (!tags->sets.size && !tags->hdrs.size && !tags->strs.size) {
  632. return true;
  633. } else if (!(tags->sets.size && tags->hdrs.size && tags->strs.size)) {
  634. /* some data present but not all */
  635. *info = "failed verification tags partial data present";
  636. return false;
  637. }
  638. u32 i;
  639. for (i = 0; i < tags->sets.size; i++) {
  640. /* count followed by count indexes into hdrs */
  641. u32 cnt = tags->sets.table[i];
  642. if (i+cnt >= tags->sets.size) {
  643. AA_DEBUG(DEBUG_UNPACK,
  644. "tagset too large %d+%d > sets.table[%d]",
  645. i, cnt, tags->sets.size);
  646. *info = "failed verification tagset too large";
  647. return false;
  648. }
  649. for (; cnt; cnt--) {
  650. if (tags->sets.table[++i] >= tags->hdrs.size) {
  651. AA_DEBUG(DEBUG_UNPACK,
  652. "tagsets idx out of bounds cnt %d sets.table[%d] >= %d",
  653. cnt, i-1, tags->hdrs.size);
  654. *info = "failed verification tagsets idx out of bounds";
  655. return false;
  656. }
  657. }
  658. }
  659. for (i = 0; i < tags->hdrs.size; i++) {
  660. u32 idx = tags->hdrs.table[i].tags;
  661. if (idx >= tags->strs.size) {
  662. AA_DEBUG(DEBUG_UNPACK,
  663. "tag.hdrs idx oob idx %d > tags->strs.size=%d",
  664. idx, tags->strs.size);
  665. *info = "failed verification tags.hdrs idx out of bounds";
  666. return false;
  667. }
  668. if (tags->hdrs.table[i].count != tags->strs.table[idx].count) {
  669. AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].count=%d != tags->strs.table[%d]=%d",
  670. i, tags->hdrs.table[i].count, idx, tags->strs.table[idx].count);
  671. *info = "failed verification tagd.hdrs[idx].count";
  672. return false;
  673. }
  674. if (tags->hdrs.table[i].size != tags->strs.table[idx].size) {
  675. AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].size=%d != strs.table[%d].size=%d",
  676. i, tags->hdrs.table[i].size, idx, tags->strs.table[idx].size);
  677. *info = "failed verification tagd.hdrs[idx].size";
  678. return false;
  679. }
  680. }
  681. return true;
  682. }
  683. static int unpack_tagsets(struct aa_ext *e, struct aa_tags_struct *tags)
  684. {
  685. u32 *sets;
  686. u16 i, size;
  687. int error = -EPROTO;
  688. void *pos = e->pos;
  689. if (!aa_unpack_array(e, "sets", &size))
  690. goto fail_reset;
  691. sets = kcalloc(size, sizeof(u32), GFP_KERNEL);
  692. if (!sets) {
  693. error = -ENOMEM;
  694. goto fail_reset;
  695. }
  696. for (i = 0; i < size; i++) {
  697. if (!aa_unpack_u32(e, &sets[i], NULL))
  698. goto fail;
  699. }
  700. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  701. goto fail;
  702. tags->sets.size = size;
  703. tags->sets.table = sets;
  704. return 0;
  705. fail:
  706. kfree_sensitive(sets);
  707. fail_reset:
  708. e->pos = pos;
  709. return error;
  710. }
  711. static bool unpack_tag_header_ent(struct aa_ext *e, struct aa_tags_header *h)
  712. {
  713. return aa_unpack_u32(e, &h->mask, NULL) &&
  714. aa_unpack_u32(e, &h->count, NULL) &&
  715. aa_unpack_u32(e, &h->size, NULL) &&
  716. aa_unpack_u32(e, &h->tags, NULL);
  717. }
  718. static int unpack_tag_headers(struct aa_ext *e, struct aa_tags_struct *tags)
  719. {
  720. struct aa_tags_header *hdrs;
  721. u16 i, size;
  722. int error = -EPROTO;
  723. void *pos = e->pos;
  724. if (!aa_unpack_array(e, "hdrs", &size))
  725. goto fail_reset;
  726. hdrs = kzalloc_objs(struct aa_tags_header, size);
  727. if (!hdrs) {
  728. error = -ENOMEM;
  729. goto fail_reset;
  730. }
  731. for (i = 0; i < size; i++) {
  732. if (!unpack_tag_header_ent(e, &hdrs[i]))
  733. goto fail;
  734. }
  735. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  736. goto fail;
  737. tags->hdrs.size = size;
  738. tags->hdrs.table = hdrs;
  739. AA_DEBUG(DEBUG_UNPACK, "headers %ld size %d", (long) hdrs, size);
  740. return true;
  741. fail:
  742. kfree_sensitive(hdrs);
  743. fail_reset:
  744. e->pos = pos;
  745. return error;
  746. }
  747. static int unpack_tags(struct aa_ext *e, struct aa_tags_struct *tags,
  748. const char **info)
  749. {
  750. int error = -EPROTO;
  751. void *pos = e->pos;
  752. AA_BUG(!tags);
  753. /* policy tags are optional */
  754. if (aa_unpack_nameX(e, AA_STRUCT, "tags")) {
  755. u32 version;
  756. if (!aa_unpack_u32(e, &version, "version") || version != 1) {
  757. *info = "invalid tags version";
  758. goto fail_reset;
  759. }
  760. error = unpack_strs_table(e, "strs", true, &tags->strs);
  761. if (error) {
  762. *info = "failed to unpack profile tag.strs";
  763. goto fail;
  764. }
  765. error = unpack_tag_headers(e, tags);
  766. if (error) {
  767. *info = "failed to unpack profile tag.headers";
  768. goto fail;
  769. }
  770. error = unpack_tagsets(e, tags);
  771. if (error) {
  772. *info = "failed to unpack profile tag.sets";
  773. goto fail;
  774. }
  775. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  776. goto fail;
  777. if (!verify_tags(tags, info))
  778. goto fail;
  779. }
  780. return 0;
  781. fail:
  782. aa_destroy_tags(tags);
  783. fail_reset:
  784. e->pos = pos;
  785. return error;
  786. }
  787. static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm)
  788. {
  789. u32 reserved;
  790. if (version != 1)
  791. return false;
  792. /* reserved entry is for later expansion, discard for now */
  793. return aa_unpack_u32(e, &reserved, NULL) &&
  794. aa_unpack_u32(e, &perm->allow, NULL) &&
  795. aa_unpack_u32(e, &perm->deny, NULL) &&
  796. aa_unpack_u32(e, &perm->subtree, NULL) &&
  797. aa_unpack_u32(e, &perm->cond, NULL) &&
  798. aa_unpack_u32(e, &perm->kill, NULL) &&
  799. aa_unpack_u32(e, &perm->complain, NULL) &&
  800. aa_unpack_u32(e, &perm->prompt, NULL) &&
  801. aa_unpack_u32(e, &perm->audit, NULL) &&
  802. aa_unpack_u32(e, &perm->quiet, NULL) &&
  803. aa_unpack_u32(e, &perm->hide, NULL) &&
  804. aa_unpack_u32(e, &perm->xindex, NULL) &&
  805. aa_unpack_u32(e, &perm->tag, NULL) &&
  806. aa_unpack_u32(e, &perm->label, NULL);
  807. }
  808. static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms)
  809. {
  810. void *pos = e->pos;
  811. u16 size = 0;
  812. AA_BUG(!perms);
  813. /*
  814. * policy perms are optional, in which case perms are embedded
  815. * in the dfa accept table
  816. */
  817. if (aa_unpack_nameX(e, AA_STRUCT, "perms")) {
  818. int i;
  819. u32 version;
  820. if (!aa_unpack_u32(e, &version, "version"))
  821. goto fail_reset;
  822. if (!aa_unpack_array(e, NULL, &size))
  823. goto fail_reset;
  824. *perms = kzalloc_objs(struct aa_perms, size);
  825. if (!*perms) {
  826. e->pos = pos;
  827. return -ENOMEM;
  828. }
  829. for (i = 0; i < size; i++) {
  830. if (!unpack_perm(e, version, &(*perms)[i]))
  831. goto fail;
  832. }
  833. if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
  834. goto fail;
  835. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  836. goto fail;
  837. } else
  838. *perms = NULL;
  839. return size;
  840. fail:
  841. kfree(*perms);
  842. fail_reset:
  843. e->pos = pos;
  844. return -EPROTO;
  845. }
  846. static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
  847. bool required_dfa, bool required_trans,
  848. const char **info)
  849. {
  850. struct aa_policydb *pdb;
  851. void *pos = e->pos;
  852. int i, flags, error = -EPROTO;
  853. ssize_t size;
  854. u32 version = 0;
  855. pdb = aa_alloc_pdb(GFP_KERNEL);
  856. if (!pdb)
  857. return -ENOMEM;
  858. AA_DEBUG(DEBUG_UNPACK, "unpacking tags");
  859. if (unpack_tags(e, &pdb->tags, info) < 0)
  860. goto fail;
  861. AA_DEBUG(DEBUG_UNPACK, "done unpacking tags");
  862. size = unpack_perms_table(e, &pdb->perms);
  863. if (size < 0) {
  864. error = size;
  865. pdb->perms = NULL;
  866. *info = "failed to unpack - perms";
  867. goto fail;
  868. }
  869. pdb->size = size;
  870. if (pdb->perms) {
  871. /* perms table present accept is index */
  872. flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
  873. if (aa_unpack_u32(e, &version, "permsv") && version > 2)
  874. /* accept2 used for dfa flags */
  875. flags |= TO_ACCEPT2_FLAG(YYTD_DATA32);
  876. } else {
  877. /* packed perms in accept1 and accept2 */
  878. flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
  879. TO_ACCEPT2_FLAG(YYTD_DATA32);
  880. }
  881. pdb->dfa = unpack_dfa(e, flags);
  882. if (IS_ERR(pdb->dfa)) {
  883. error = PTR_ERR(pdb->dfa);
  884. pdb->dfa = NULL;
  885. *info = "failed to unpack - dfa";
  886. goto fail;
  887. } else if (!pdb->dfa) {
  888. if (required_dfa) {
  889. *info = "missing required dfa";
  890. goto fail;
  891. }
  892. } else {
  893. /*
  894. * only unpack the following if a dfa is present
  895. *
  896. * sadly start was given different names for file and policydb
  897. * but since it is optional we can try both
  898. */
  899. if (!aa_unpack_u32(e, &pdb->start[0], "start"))
  900. /* default start state */
  901. pdb->start[0] = DFA_START;
  902. if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
  903. /* default start state for xmatch and file dfa */
  904. pdb->start[AA_CLASS_FILE] = DFA_START;
  905. }
  906. size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen;
  907. if (pdb->start[0] >= state_count ||
  908. pdb->start[AA_CLASS_FILE] >= state_count) {
  909. *info = "invalid dfa start state";
  910. goto fail;
  911. }
  912. /* setup class index */
  913. for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
  914. pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
  915. i);
  916. }
  917. }
  918. /* accept2 is in some cases being allocated, even with perms */
  919. if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
  920. /* add dfa flags table missing in v2 */
  921. u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
  922. u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
  923. size_t tsize = table_size(noents, tdflags);
  924. pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL);
  925. if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
  926. *info = "failed to alloc dfa flags table";
  927. goto out;
  928. }
  929. pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents;
  930. pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags;
  931. }
  932. /*
  933. * Unfortunately due to a bug in earlier userspaces, a
  934. * transition table may be present even when the dfa is
  935. * not. For compatibility reasons unpack and discard.
  936. */
  937. error = unpack_strs_table(e, "xtable", false, &pdb->trans);
  938. if (error && required_trans) {
  939. *info = "failed to unpack profile transition table";
  940. goto fail;
  941. }
  942. if (!pdb->dfa && pdb->trans.table)
  943. aa_destroy_str_table(&pdb->trans);
  944. /* TODO:
  945. * - move compat mapping here, requires dfa merging first
  946. * - move verify here, it has to be done after compat mappings
  947. * - move free of unneeded trans table here, has to be done
  948. * after perm mapping.
  949. */
  950. out:
  951. *policy = pdb;
  952. return 0;
  953. fail:
  954. aa_put_pdb(pdb);
  955. e->pos = pos;
  956. return error;
  957. }
  958. static u32 strhash(const void *data, u32 len, u32 seed)
  959. {
  960. const char * const *key = data;
  961. return jhash(*key, strlen(*key), seed);
  962. }
  963. static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
  964. {
  965. const struct aa_data *data = obj;
  966. const char * const *key = arg->key;
  967. return strcmp(data->key, *key);
  968. }
  969. /**
  970. * unpack_profile - unpack a serialized profile
  971. * @e: serialized data extent information (NOT NULL)
  972. * @ns_name: pointer of newly allocated copy of %NULL in case of error
  973. *
  974. * NOTE: unpack profile sets audit struct if there is a failure
  975. */
  976. static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
  977. {
  978. struct aa_ruleset *rules;
  979. struct aa_profile *profile = NULL;
  980. const char *tmpname, *tmpns = NULL, *name = NULL;
  981. const char *info = "failed to unpack profile";
  982. size_t ns_len;
  983. struct rhashtable_params params = { 0 };
  984. char *key = NULL, *disconnected = NULL;
  985. struct aa_data *data;
  986. int error = -EPROTO;
  987. kernel_cap_t tmpcap;
  988. u32 tmp;
  989. *ns_name = NULL;
  990. /* check that we have the right struct being passed */
  991. if (!aa_unpack_nameX(e, AA_STRUCT, "profile"))
  992. goto fail;
  993. if (!aa_unpack_str(e, &name, NULL))
  994. goto fail;
  995. if (*name == '\0')
  996. goto fail;
  997. tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
  998. if (tmpns) {
  999. if (!tmpname) {
  1000. info = "empty profile name";
  1001. goto fail;
  1002. }
  1003. *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
  1004. if (!*ns_name) {
  1005. info = "out of memory";
  1006. error = -ENOMEM;
  1007. goto fail;
  1008. }
  1009. name = tmpname;
  1010. }
  1011. profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
  1012. if (!profile) {
  1013. info = "out of memory";
  1014. error = -ENOMEM;
  1015. goto fail;
  1016. }
  1017. rules = profile->label.rules[0];
  1018. /* profile renaming is optional */
  1019. (void) aa_unpack_str(e, &profile->rename, "rename");
  1020. /* attachment string is optional */
  1021. (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach");
  1022. /* xmatch is optional and may be NULL */
  1023. error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info);
  1024. if (error) {
  1025. info = "bad xmatch";
  1026. goto fail;
  1027. }
  1028. /* neither xmatch_len not xmatch_perms are optional if xmatch is set */
  1029. if (profile->attach.xmatch->dfa) {
  1030. if (!aa_unpack_u32(e, &tmp, NULL)) {
  1031. info = "missing xmatch len";
  1032. goto fail;
  1033. }
  1034. profile->attach.xmatch_len = tmp;
  1035. profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START;
  1036. if (!profile->attach.xmatch->perms) {
  1037. error = aa_compat_map_xmatch(profile->attach.xmatch);
  1038. if (error) {
  1039. info = "failed to convert xmatch permission table";
  1040. goto fail;
  1041. }
  1042. }
  1043. }
  1044. /* disconnected attachment string is optional */
  1045. (void) aa_unpack_strdup(e, &disconnected, "disconnected");
  1046. profile->disconnected = disconnected;
  1047. /* optional */
  1048. (void) aa_unpack_u32(e, &profile->signal, "kill");
  1049. if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {
  1050. info = "profile kill.signal invalid value";
  1051. goto fail;
  1052. }
  1053. /* per profile debug flags (complain, audit) */
  1054. if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
  1055. info = "profile missing flags";
  1056. goto fail;
  1057. }
  1058. info = "failed to unpack profile flags";
  1059. if (!aa_unpack_u32(e, &tmp, NULL))
  1060. goto fail;
  1061. if (tmp & PACKED_FLAG_HAT)
  1062. profile->label.flags |= FLAG_HAT;
  1063. if (tmp & PACKED_FLAG_DEBUG1)
  1064. profile->label.flags |= FLAG_DEBUG1;
  1065. if (tmp & PACKED_FLAG_DEBUG2)
  1066. profile->label.flags |= FLAG_DEBUG2;
  1067. if (!aa_unpack_u32(e, &tmp, NULL))
  1068. goto fail;
  1069. if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
  1070. profile->mode = APPARMOR_COMPLAIN;
  1071. } else if (tmp == PACKED_MODE_ENFORCE) {
  1072. profile->mode = APPARMOR_ENFORCE;
  1073. } else if (tmp == PACKED_MODE_KILL) {
  1074. profile->mode = APPARMOR_KILL;
  1075. } else if (tmp == PACKED_MODE_UNCONFINED) {
  1076. profile->mode = APPARMOR_UNCONFINED;
  1077. profile->label.flags |= FLAG_UNCONFINED;
  1078. } else if (tmp == PACKED_MODE_USER) {
  1079. profile->mode = APPARMOR_USER;
  1080. } else {
  1081. goto fail;
  1082. }
  1083. if (!aa_unpack_u32(e, &tmp, NULL))
  1084. goto fail;
  1085. if (tmp)
  1086. profile->audit = AUDIT_ALL;
  1087. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  1088. goto fail;
  1089. /* path_flags is optional */
  1090. if (aa_unpack_u32(e, &profile->path_flags, "path_flags"))
  1091. profile->path_flags |= profile->label.flags &
  1092. PATH_MEDIATE_DELETED;
  1093. else
  1094. /* set a default value if path_flags field is not present */
  1095. profile->path_flags = PATH_MEDIATE_DELETED;
  1096. info = "failed to unpack profile capabilities";
  1097. if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL))
  1098. goto fail;
  1099. if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL))
  1100. goto fail;
  1101. if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL))
  1102. goto fail;
  1103. if (!aa_unpack_cap_low(e, &tmpcap, NULL))
  1104. goto fail;
  1105. info = "failed to unpack upper profile capabilities";
  1106. if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) {
  1107. /* optional upper half of 64 bit caps */
  1108. if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL))
  1109. goto fail;
  1110. if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL))
  1111. goto fail;
  1112. if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL))
  1113. goto fail;
  1114. if (!aa_unpack_cap_high(e, &tmpcap, NULL))
  1115. goto fail;
  1116. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  1117. goto fail;
  1118. }
  1119. info = "failed to unpack extended profile capabilities";
  1120. if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) {
  1121. /* optional extended caps mediation mask */
  1122. if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL))
  1123. goto fail;
  1124. if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL))
  1125. goto fail;
  1126. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  1127. goto fail;
  1128. }
  1129. if (!unpack_xattrs(e, profile)) {
  1130. info = "failed to unpack profile xattrs";
  1131. goto fail;
  1132. }
  1133. if (!unpack_rlimits(e, rules)) {
  1134. info = "failed to unpack profile rlimits";
  1135. goto fail;
  1136. }
  1137. if (!unpack_secmark(e, rules)) {
  1138. info = "failed to unpack profile secmark rules";
  1139. goto fail;
  1140. }
  1141. if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
  1142. /* generic policy dfa - optional and may be NULL */
  1143. info = "failed to unpack policydb";
  1144. error = unpack_pdb(e, &rules->policy, true, false,
  1145. &info);
  1146. if (error)
  1147. goto fail;
  1148. /* Fixup: drop when we get rid of start array */
  1149. if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0],
  1150. AA_CLASS_FILE))
  1151. rules->policy->start[AA_CLASS_FILE] =
  1152. aa_dfa_next(rules->policy->dfa,
  1153. rules->policy->start[0],
  1154. AA_CLASS_FILE);
  1155. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
  1156. goto fail;
  1157. if (!rules->policy->perms) {
  1158. error = aa_compat_map_policy(rules->policy,
  1159. e->version);
  1160. if (error) {
  1161. info = "failed to remap policydb permission table";
  1162. goto fail;
  1163. }
  1164. }
  1165. } else {
  1166. rules->policy = aa_get_pdb(nullpdb);
  1167. }
  1168. /* get file rules */
  1169. error = unpack_pdb(e, &rules->file, false, true, &info);
  1170. if (error) {
  1171. goto fail;
  1172. } else if (rules->file->dfa) {
  1173. if (!rules->file->perms) {
  1174. AA_DEBUG(DEBUG_UNPACK, "compat mapping perms");
  1175. error = aa_compat_map_file(rules->file);
  1176. if (error) {
  1177. info = "failed to remap file permission table";
  1178. goto fail;
  1179. }
  1180. }
  1181. } else if (rules->policy->dfa &&
  1182. rules->policy->start[AA_CLASS_FILE]) {
  1183. aa_put_pdb(rules->file);
  1184. rules->file = aa_get_pdb(rules->policy);
  1185. } else {
  1186. aa_put_pdb(rules->file);
  1187. rules->file = aa_get_pdb(nullpdb);
  1188. }
  1189. error = -EPROTO;
  1190. if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
  1191. info = "out of memory";
  1192. profile->data = kzalloc_obj(*profile->data);
  1193. if (!profile->data) {
  1194. error = -ENOMEM;
  1195. goto fail;
  1196. }
  1197. params.nelem_hint = 3;
  1198. params.key_len = sizeof(void *);
  1199. params.key_offset = offsetof(struct aa_data, key);
  1200. params.head_offset = offsetof(struct aa_data, head);
  1201. params.hashfn = strhash;
  1202. params.obj_cmpfn = datacmp;
  1203. if (rhashtable_init(profile->data, &params)) {
  1204. info = "failed to init key, value hash table";
  1205. goto fail;
  1206. }
  1207. while (aa_unpack_strdup(e, &key, NULL)) {
  1208. data = kzalloc_obj(*data);
  1209. if (!data) {
  1210. kfree_sensitive(key);
  1211. error = -ENOMEM;
  1212. goto fail;
  1213. }
  1214. data->key = key;
  1215. data->size = aa_unpack_blob(e, &data->data, NULL);
  1216. data->data = kvmemdup(data->data, data->size, GFP_KERNEL);
  1217. if (data->size && !data->data) {
  1218. kfree_sensitive(data->key);
  1219. kfree_sensitive(data);
  1220. error = -ENOMEM;
  1221. goto fail;
  1222. }
  1223. if (rhashtable_insert_fast(profile->data, &data->head,
  1224. profile->data->p)) {
  1225. kvfree_sensitive(data->data, data->size);
  1226. kfree_sensitive(data->key);
  1227. kfree_sensitive(data);
  1228. info = "failed to insert data to table";
  1229. goto fail;
  1230. }
  1231. }
  1232. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
  1233. info = "failed to unpack end of key, value data table";
  1234. goto fail;
  1235. }
  1236. }
  1237. if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
  1238. info = "failed to unpack end of profile";
  1239. goto fail;
  1240. }
  1241. aa_compute_profile_mediates(profile);
  1242. return profile;
  1243. fail:
  1244. if (error == 0)
  1245. /* default error covers most cases */
  1246. error = -EPROTO;
  1247. if (*ns_name) {
  1248. kfree(*ns_name);
  1249. *ns_name = NULL;
  1250. }
  1251. if (profile)
  1252. name = NULL;
  1253. else if (!name)
  1254. name = "unknown";
  1255. audit_iface(profile, NULL, name, info, e, error);
  1256. aa_free_profile(profile);
  1257. return ERR_PTR(error);
  1258. }
  1259. /**
  1260. * verify_header - unpack serialized stream header
  1261. * @e: serialized data read head (NOT NULL)
  1262. * @required: whether the header is required or optional
  1263. * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
  1264. *
  1265. * Returns: error or 0 if header is good
  1266. */
  1267. static int verify_header(struct aa_ext *e, int required, const char **ns)
  1268. {
  1269. int error = -EPROTONOSUPPORT;
  1270. const char *name = NULL;
  1271. /* get the interface version */
  1272. if (!aa_unpack_u32(e, &e->version, "version")) {
  1273. if (required) {
  1274. audit_iface(NULL, NULL, NULL, "invalid profile format",
  1275. e, error);
  1276. return error;
  1277. }
  1278. }
  1279. /* Check that the interface version is currently supported.
  1280. * if not specified use previous version
  1281. * Mask off everything that is not kernel abi version
  1282. */
  1283. if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) {
  1284. audit_iface(NULL, NULL, NULL, "unsupported interface version",
  1285. e, error);
  1286. return error;
  1287. }
  1288. /* read the namespace if present */
  1289. if (aa_unpack_str(e, &name, "namespace")) {
  1290. if (*name == '\0') {
  1291. audit_iface(NULL, NULL, NULL, "invalid namespace name",
  1292. e, error);
  1293. return error;
  1294. }
  1295. if (*ns && strcmp(*ns, name)) {
  1296. audit_iface(NULL, NULL, NULL, "invalid ns change", e,
  1297. error);
  1298. } else if (!*ns) {
  1299. *ns = kstrdup(name, GFP_KERNEL);
  1300. if (!*ns)
  1301. return -ENOMEM;
  1302. }
  1303. }
  1304. return 0;
  1305. }
  1306. /**
  1307. * verify_dfa_accept_index - verify accept indexes are in range of perms table
  1308. * @dfa: the dfa to check accept indexes are in range
  1309. * @table_size: the permission table size the indexes should be within
  1310. */
  1311. static bool verify_dfa_accept_index(struct aa_dfa *dfa, int table_size)
  1312. {
  1313. int i;
  1314. for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
  1315. if (ACCEPT_TABLE(dfa)[i] >= table_size)
  1316. return false;
  1317. }
  1318. return true;
  1319. }
  1320. static bool verify_perm(struct aa_perms *perm)
  1321. {
  1322. /* TODO: allow option to just force the perms into a valid state */
  1323. if (perm->allow & perm->deny)
  1324. return false;
  1325. if (perm->subtree & ~perm->allow)
  1326. return false;
  1327. if (perm->cond & (perm->allow | perm->deny))
  1328. return false;
  1329. if (perm->kill & perm->allow)
  1330. return false;
  1331. if (perm->complain & (perm->allow | perm->deny))
  1332. return false;
  1333. if (perm->prompt & (perm->allow | perm->deny))
  1334. return false;
  1335. if (perm->complain & perm->prompt)
  1336. return false;
  1337. if (perm->hide & perm->allow)
  1338. return false;
  1339. return true;
  1340. }
  1341. static bool verify_perms(struct aa_policydb *pdb)
  1342. {
  1343. int i;
  1344. int xidx, xmax = -1;
  1345. for (i = 0; i < pdb->size; i++) {
  1346. if (!verify_perm(&pdb->perms[i]))
  1347. return false;
  1348. /* verify indexes into str table */
  1349. if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
  1350. xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK;
  1351. if (xidx >= pdb->trans.size)
  1352. return false;
  1353. if (xmax < xidx)
  1354. xmax = xidx;
  1355. }
  1356. if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->tags.sets.size)
  1357. return false;
  1358. if (pdb->perms[i].label &&
  1359. pdb->perms[i].label >= pdb->trans.size)
  1360. return false;
  1361. }
  1362. /* deal with incorrectly constructed string tables */
  1363. if (xmax == -1) {
  1364. aa_destroy_str_table(&pdb->trans);
  1365. } else if (pdb->trans.size > xmax + 1) {
  1366. if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL))
  1367. return false;
  1368. }
  1369. return true;
  1370. }
  1371. /**
  1372. * verify_profile - Do post unpack analysis to verify profile consistency
  1373. * @profile: profile to verify (NOT NULL)
  1374. *
  1375. * Returns: 0 if passes verification else error
  1376. *
  1377. * This verification is post any unpack mapping or changes
  1378. */
  1379. static int verify_profile(struct aa_profile *profile)
  1380. {
  1381. struct aa_ruleset *rules = profile->label.rules[0];
  1382. if (!rules)
  1383. return 0;
  1384. if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa,
  1385. rules->file->size)) {
  1386. audit_iface(profile, NULL, NULL,
  1387. "Unpack: file Invalid named transition", NULL,
  1388. -EPROTO);
  1389. return -EPROTO;
  1390. }
  1391. if (rules->policy->dfa &&
  1392. !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) {
  1393. audit_iface(profile, NULL, NULL,
  1394. "Unpack: policy Invalid named transition", NULL,
  1395. -EPROTO);
  1396. return -EPROTO;
  1397. }
  1398. if (!verify_perms(rules->file)) {
  1399. audit_iface(profile, NULL, NULL,
  1400. "Unpack: Invalid perm index", NULL, -EPROTO);
  1401. return -EPROTO;
  1402. }
  1403. if (!verify_perms(rules->policy)) {
  1404. audit_iface(profile, NULL, NULL,
  1405. "Unpack: Invalid perm index", NULL, -EPROTO);
  1406. return -EPROTO;
  1407. }
  1408. if (!verify_perms(profile->attach.xmatch)) {
  1409. audit_iface(profile, NULL, NULL,
  1410. "Unpack: Invalid perm index", NULL, -EPROTO);
  1411. return -EPROTO;
  1412. }
  1413. return 0;
  1414. }
  1415. void aa_load_ent_free(struct aa_load_ent *ent)
  1416. {
  1417. if (ent) {
  1418. aa_put_profile(ent->rename);
  1419. aa_put_profile(ent->old);
  1420. aa_put_profile(ent->new);
  1421. kfree(ent->ns_name);
  1422. kfree_sensitive(ent);
  1423. }
  1424. }
  1425. struct aa_load_ent *aa_load_ent_alloc(void)
  1426. {
  1427. struct aa_load_ent *ent = kzalloc_obj(*ent);
  1428. if (ent)
  1429. INIT_LIST_HEAD(&ent->list);
  1430. return ent;
  1431. }
  1432. static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen)
  1433. {
  1434. #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
  1435. const zstd_parameters params =
  1436. zstd_get_params(aa_g_rawdata_compression_level, slen);
  1437. const size_t wksp_len = zstd_cctx_workspace_bound(&params.cParams);
  1438. void *wksp = NULL;
  1439. zstd_cctx *ctx = NULL;
  1440. size_t out_len = zstd_compress_bound(slen);
  1441. void *out = NULL;
  1442. int ret = 0;
  1443. out = kvzalloc(out_len, GFP_KERNEL);
  1444. if (!out) {
  1445. ret = -ENOMEM;
  1446. goto cleanup;
  1447. }
  1448. wksp = kvzalloc(wksp_len, GFP_KERNEL);
  1449. if (!wksp) {
  1450. ret = -ENOMEM;
  1451. goto cleanup;
  1452. }
  1453. ctx = zstd_init_cctx(wksp, wksp_len);
  1454. if (!ctx) {
  1455. ret = -EINVAL;
  1456. goto cleanup;
  1457. }
  1458. out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, &params);
  1459. if (zstd_is_error(out_len) || out_len >= slen) {
  1460. ret = -EINVAL;
  1461. goto cleanup;
  1462. }
  1463. if (is_vmalloc_addr(out)) {
  1464. *dst = kvzalloc(out_len, GFP_KERNEL);
  1465. if (*dst) {
  1466. memcpy(*dst, out, out_len);
  1467. kvfree(out);
  1468. out = NULL;
  1469. }
  1470. } else {
  1471. /*
  1472. * If the staging buffer was kmalloc'd, then using krealloc is
  1473. * probably going to be faster. The destination buffer will
  1474. * always be smaller, so it's just shrunk, avoiding a memcpy
  1475. */
  1476. *dst = krealloc(out, out_len, GFP_KERNEL);
  1477. }
  1478. if (!*dst) {
  1479. ret = -ENOMEM;
  1480. goto cleanup;
  1481. }
  1482. *dlen = out_len;
  1483. cleanup:
  1484. if (ret) {
  1485. kvfree(out);
  1486. *dst = NULL;
  1487. }
  1488. kvfree(wksp);
  1489. return ret;
  1490. #else
  1491. *dlen = slen;
  1492. return 0;
  1493. #endif
  1494. }
  1495. static int compress_loaddata(struct aa_loaddata *data)
  1496. {
  1497. AA_BUG(data->compressed_size > 0);
  1498. /*
  1499. * Shortcut the no compression case, else we increase the amount of
  1500. * storage required by a small amount
  1501. */
  1502. if (aa_g_rawdata_compression_level != 0) {
  1503. void *udata = data->data;
  1504. int error = compress_zstd(udata, data->size, &data->data,
  1505. &data->compressed_size);
  1506. if (error) {
  1507. data->compressed_size = data->size;
  1508. return error;
  1509. }
  1510. if (udata != data->data)
  1511. kvfree(udata);
  1512. } else
  1513. data->compressed_size = data->size;
  1514. return 0;
  1515. }
  1516. /**
  1517. * aa_unpack - unpack packed binary profile(s) data loaded from user space
  1518. * @udata: user data copied to kmem (NOT NULL)
  1519. * @lh: list to place unpacked profiles in a aa_repl_ws
  1520. * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
  1521. *
  1522. * Unpack user data and return refcounted allocated profile(s) stored in
  1523. * @lh in order of discovery, with the list chain stored in base.list
  1524. * or error
  1525. *
  1526. * Returns: profile(s) on @lh else error pointer if fails to unpack
  1527. */
  1528. int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
  1529. const char **ns)
  1530. {
  1531. struct aa_load_ent *tmp, *ent;
  1532. struct aa_profile *profile = NULL;
  1533. char *ns_name = NULL;
  1534. int error;
  1535. struct aa_ext e = {
  1536. .start = udata->data,
  1537. .end = udata->data + udata->size,
  1538. .pos = udata->data,
  1539. };
  1540. *ns = NULL;
  1541. while (e.pos < e.end) {
  1542. void *start;
  1543. error = verify_header(&e, e.pos == e.start, ns);
  1544. if (error)
  1545. goto fail;
  1546. start = e.pos;
  1547. profile = unpack_profile(&e, &ns_name);
  1548. if (IS_ERR(profile)) {
  1549. error = PTR_ERR(profile);
  1550. goto fail;
  1551. }
  1552. error = verify_profile(profile);
  1553. if (error)
  1554. goto fail_profile;
  1555. if (aa_g_hash_policy)
  1556. error = aa_calc_profile_hash(profile, e.version, start,
  1557. e.pos - start);
  1558. if (error)
  1559. goto fail_profile;
  1560. ent = aa_load_ent_alloc();
  1561. if (!ent) {
  1562. error = -ENOMEM;
  1563. goto fail_profile;
  1564. }
  1565. ent->new = profile;
  1566. ent->ns_name = ns_name;
  1567. ns_name = NULL;
  1568. list_add_tail(&ent->list, lh);
  1569. }
  1570. udata->abi = e.version & K_ABI_MASK;
  1571. if (aa_g_hash_policy) {
  1572. udata->hash = aa_calc_hash(udata->data, udata->size);
  1573. if (IS_ERR(udata->hash)) {
  1574. error = PTR_ERR(udata->hash);
  1575. udata->hash = NULL;
  1576. goto fail;
  1577. }
  1578. }
  1579. if (aa_g_export_binary) {
  1580. error = compress_loaddata(udata);
  1581. if (error)
  1582. goto fail;
  1583. }
  1584. return 0;
  1585. fail_profile:
  1586. kfree(ns_name);
  1587. aa_put_profile(profile);
  1588. fail:
  1589. list_for_each_entry_safe(ent, tmp, lh, list) {
  1590. list_del_init(&ent->list);
  1591. aa_load_ent_free(ent);
  1592. }
  1593. return error;
  1594. }