Lines Matching +full:data +full:- +full:size
1 // SPDX-License-Identifier: GPL-2.0-only
8 * Copyright (C) 1998-2008 Novell/SUSE
9 * Copyright 2009-2010 Canonical Ltd.
12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
40 if (ad->iface.ns) { in audit_cb()
42 audit_log_untrustedstring(ab, ad->iface.ns); in audit_cb()
44 if (ad->name) { in audit_cb()
46 audit_log_untrustedstring(ab, ad->name); in audit_cb()
48 if (ad->iface.pos) in audit_cb()
49 audit_log_format(ab, " offset=%ld", ad->iface.pos); in audit_cb()
53 * audit_iface - do audit message for policy unpacking/load/replace/remove
70 ad.iface.pos = e->pos - e->start; in audit_iface()
73 ad.name = new->base.hname; in audit_iface()
82 void __aa_loaddata_update(struct aa_loaddata *data, long revision) in __aa_loaddata_update() argument
84 AA_BUG(!data); in __aa_loaddata_update()
85 AA_BUG(!data->ns); in __aa_loaddata_update()
86 AA_BUG(!mutex_is_locked(&data->ns->lock)); in __aa_loaddata_update()
87 AA_BUG(data->revision > revision); in __aa_loaddata_update()
89 data->revision = revision; in __aa_loaddata_update()
90 if ((data->dents[AAFS_LOADDATA_REVISION])) { in __aa_loaddata_update()
93 inode = d_inode(data->dents[AAFS_LOADDATA_DIR]); in __aa_loaddata_update()
96 inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]); in __aa_loaddata_update()
103 if (l->size != r->size) in aa_rawdata_eq()
105 if (l->compressed_size != r->compressed_size) in aa_rawdata_eq()
107 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) in aa_rawdata_eq()
109 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0; in aa_rawdata_eq()
119 struct aa_ns *ns = aa_get_ns(d->ns); in do_loaddata_free()
122 mutex_lock_nested(&ns->lock, ns->level); in do_loaddata_free()
124 mutex_unlock(&ns->lock); in do_loaddata_free()
128 kfree_sensitive(d->hash); in do_loaddata_free()
129 kfree_sensitive(d->name); in do_loaddata_free()
130 kvfree(d->data); in do_loaddata_free()
139 INIT_WORK(&d->work, do_loaddata_free); in aa_loaddata_kref()
140 schedule_work(&d->work); in aa_loaddata_kref()
144 struct aa_loaddata *aa_loaddata_alloc(size_t size) in aa_loaddata_alloc() argument
150 return ERR_PTR(-ENOMEM); in aa_loaddata_alloc()
151 d->data = kvzalloc(size, GFP_KERNEL); in aa_loaddata_alloc()
152 if (!d->data) { in aa_loaddata_alloc()
154 return ERR_PTR(-ENOMEM); in aa_loaddata_alloc()
156 kref_init(&d->count); in aa_loaddata_alloc()
157 INIT_LIST_HEAD(&d->list); in aa_loaddata_alloc()
162 /* test if read will be in packed data bounds */
163 VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size) in aa_inbounds() argument
165 return (size <= e->end - e->pos); in aa_inbounds()
170 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
171 * @e: serialized data read head (NOT NULL)
172 * @chunk: start address for chunk of data (NOT NULL)
174 * Returns: the size of chunk found with the read head at the end of the chunk.
178 size_t size = 0; in aa_unpack_u16_chunk() local
179 void *pos = e->pos; in aa_unpack_u16_chunk()
183 size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); in aa_unpack_u16_chunk()
184 e->pos += sizeof(__le16); in aa_unpack_u16_chunk()
185 if (!aa_inbounds(e, size)) in aa_unpack_u16_chunk()
187 *chunk = e->pos; in aa_unpack_u16_chunk()
188 e->pos += size; in aa_unpack_u16_chunk()
189 return size; in aa_unpack_u16_chunk()
192 e->pos = pos; in aa_unpack_u16_chunk()
202 if (*(u8 *) e->pos != code) in aa_unpack_X()
204 e->pos++; in aa_unpack_X()
210 * aa_unpack_nameX - check is the next element is of type X with a name of @name
211 * @e: serialized data extent information (NOT NULL)
215 * check that the next serialized data element is of type X and has a tag
230 void *pos = e->pos; in aa_unpack_nameX()
232 * Check for presence of a tagname, and if present name size in aa_unpack_nameX()
237 size_t size = aa_unpack_u16_chunk(e, &tag); in aa_unpack_nameX() local
239 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) in aa_unpack_nameX()
251 e->pos = pos; in aa_unpack_nameX()
256 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name) in unpack_u8() argument
258 void *pos = e->pos; in unpack_u8()
263 if (data) in unpack_u8()
264 *data = *((u8 *)e->pos); in unpack_u8()
265 e->pos += sizeof(u8); in unpack_u8()
270 e->pos = pos; in unpack_u8()
274 VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name) in aa_unpack_u32() argument
276 void *pos = e->pos; in aa_unpack_u32()
281 if (data) in aa_unpack_u32()
282 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); in aa_unpack_u32()
283 e->pos += sizeof(u32); in aa_unpack_u32()
288 e->pos = pos; in aa_unpack_u32()
293 VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name) in aa_unpack_u64() argument
295 void *pos = e->pos; in aa_unpack_u64()
300 if (data) in aa_unpack_u64()
301 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); in aa_unpack_u64()
302 e->pos += sizeof(u64); in aa_unpack_u64()
307 e->pos = pos; in aa_unpack_u64()
312 static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name) in aa_unpack_cap_low() argument
318 data->val = val; in aa_unpack_cap_low()
322 static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name) in aa_unpack_cap_high() argument
328 data->val = (u32)data->val | ((u64)val << 32); in aa_unpack_cap_high()
332 VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size) in aa_unpack_array() argument
334 void *pos = e->pos; in aa_unpack_array()
339 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); in aa_unpack_array()
340 e->pos += sizeof(u16); in aa_unpack_array()
345 e->pos = pos; in aa_unpack_array()
352 void *pos = e->pos; in aa_unpack_blob()
355 u32 size; in aa_unpack_blob() local
358 size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); in aa_unpack_blob()
359 e->pos += sizeof(u32); in aa_unpack_blob()
360 if (aa_inbounds(e, (size_t) size)) { in aa_unpack_blob()
361 *blob = e->pos; in aa_unpack_blob()
362 e->pos += size; in aa_unpack_blob()
363 return size; in aa_unpack_blob()
368 e->pos = pos; in aa_unpack_blob()
376 size_t size = 0; in aa_unpack_str() local
377 void *pos = e->pos; in aa_unpack_str()
380 size = aa_unpack_u16_chunk(e, &src_str); in aa_unpack_str()
381 if (size) { in aa_unpack_str()
382 /* strings are null terminated, length is size - 1 */ in aa_unpack_str()
383 if (src_str[size - 1] != 0) in aa_unpack_str()
387 return size; in aa_unpack_str()
392 e->pos = pos; in aa_unpack_str()
400 void *pos = e->pos; in aa_unpack_strdup()
409 e->pos = pos; in aa_unpack_strdup()
419 * unpack_dfa - unpack a file rule dfa
420 * @e: serialized data extent information (NOT NULL)
428 size_t size; in unpack_dfa() local
431 size = aa_unpack_blob(e, &blob, "aadfa"); in unpack_dfa()
432 if (size) { in unpack_dfa()
438 size_t sz = blob - (char *) e->start - in unpack_dfa()
439 ((e->pos - e->start) & 7); in unpack_dfa()
440 size_t pad = ALIGN(sz, 8) - sz; in unpack_dfa()
443 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); in unpack_dfa()
454 * unpack_trans_table - unpack a profile transition table
455 * @e: serialized data extent information (NOT NULL)
462 void *saved_pos = e->pos; in unpack_trans_table()
467 u16 size; in unpack_trans_table() local
470 if (!aa_unpack_array(e, NULL, &size)) in unpack_trans_table()
474 * an array of 2^16 in size atm so no need in unpack_trans_table()
475 * for size check here in unpack_trans_table()
478 table = kcalloc(size, sizeof(char *), GFP_KERNEL); in unpack_trans_table()
482 strs->table = table; in unpack_trans_table()
483 strs->size = size; in unpack_trans_table()
484 for (i = 0; i < size; i++) { in unpack_trans_table()
498 for (c = j = 0; j < size2 - 1; j++) { in unpack_trans_table()
519 /* fail - all other cases with embedded \0 */ in unpack_trans_table()
531 e->pos = saved_pos; in unpack_trans_table()
537 void *pos = e->pos; in unpack_xattrs()
540 u16 size; in unpack_xattrs() local
543 if (!aa_unpack_array(e, NULL, &size)) in unpack_xattrs()
545 profile->attach.xattr_count = size; in unpack_xattrs()
546 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); in unpack_xattrs()
547 if (!profile->attach.xattrs) in unpack_xattrs()
549 for (i = 0; i < size; i++) { in unpack_xattrs()
550 if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL)) in unpack_xattrs()
562 e->pos = pos; in unpack_xattrs()
568 void *pos = e->pos; in unpack_secmark()
569 u16 size; in unpack_secmark() local
573 if (!aa_unpack_array(e, NULL, &size)) in unpack_secmark()
576 rules->secmark = kcalloc(size, sizeof(struct aa_secmark), in unpack_secmark()
578 if (!rules->secmark) in unpack_secmark()
581 rules->secmark_count = size; in unpack_secmark()
583 for (i = 0; i < size; i++) { in unpack_secmark()
584 if (!unpack_u8(e, &rules->secmark[i].audit, NULL)) in unpack_secmark()
586 if (!unpack_u8(e, &rules->secmark[i].deny, NULL)) in unpack_secmark()
588 if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL)) in unpack_secmark()
600 if (rules->secmark) { in unpack_secmark()
601 for (i = 0; i < size; i++) in unpack_secmark()
602 kfree_sensitive(rules->secmark[i].label); in unpack_secmark()
603 kfree_sensitive(rules->secmark); in unpack_secmark()
604 rules->secmark_count = 0; in unpack_secmark()
605 rules->secmark = NULL; in unpack_secmark()
608 e->pos = pos; in unpack_secmark()
614 void *pos = e->pos; in unpack_rlimits()
618 u16 size; in unpack_rlimits() local
623 rules->rlimits.mask = tmp; in unpack_rlimits()
625 if (!aa_unpack_array(e, NULL, &size) || in unpack_rlimits()
626 size > RLIM_NLIMITS) in unpack_rlimits()
628 for (i = 0; i < size; i++) { in unpack_rlimits()
633 rules->rlimits.limits[a].rlim_max = tmp2; in unpack_rlimits()
643 e->pos = pos; in unpack_rlimits()
656 aa_unpack_u32(e, &perm->allow, NULL) && in unpack_perm()
657 aa_unpack_u32(e, &perm->deny, NULL) && in unpack_perm()
658 aa_unpack_u32(e, &perm->subtree, NULL) && in unpack_perm()
659 aa_unpack_u32(e, &perm->cond, NULL) && in unpack_perm()
660 aa_unpack_u32(e, &perm->kill, NULL) && in unpack_perm()
661 aa_unpack_u32(e, &perm->complain, NULL) && in unpack_perm()
662 aa_unpack_u32(e, &perm->prompt, NULL) && in unpack_perm()
663 aa_unpack_u32(e, &perm->audit, NULL) && in unpack_perm()
664 aa_unpack_u32(e, &perm->quiet, NULL) && in unpack_perm()
665 aa_unpack_u32(e, &perm->hide, NULL) && in unpack_perm()
666 aa_unpack_u32(e, &perm->xindex, NULL) && in unpack_perm()
667 aa_unpack_u32(e, &perm->tag, NULL) && in unpack_perm()
668 aa_unpack_u32(e, &perm->label, NULL); in unpack_perm()
673 void *pos = e->pos; in unpack_perms_table()
674 u16 size = 0; in unpack_perms_table() local
687 if (!aa_unpack_array(e, NULL, &size)) in unpack_perms_table()
689 *perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL); in unpack_perms_table()
692 for (i = 0; i < size; i++) { in unpack_perms_table()
703 return size; in unpack_perms_table()
708 e->pos = pos; in unpack_perms_table()
709 return -EPROTO; in unpack_perms_table()
717 void *pos = e->pos; in unpack_pdb()
718 int i, flags, error = -EPROTO; in unpack_pdb()
719 ssize_t size; in unpack_pdb() local
724 return -ENOMEM; in unpack_pdb()
726 size = unpack_perms_table(e, &pdb->perms); in unpack_pdb()
727 if (size < 0) { in unpack_pdb()
728 error = size; in unpack_pdb()
729 pdb->perms = NULL; in unpack_pdb()
730 *info = "failed to unpack - perms"; in unpack_pdb()
733 pdb->size = size; in unpack_pdb()
735 if (pdb->perms) { in unpack_pdb()
747 pdb->dfa = unpack_dfa(e, flags); in unpack_pdb()
748 if (IS_ERR(pdb->dfa)) { in unpack_pdb()
749 error = PTR_ERR(pdb->dfa); in unpack_pdb()
750 pdb->dfa = NULL; in unpack_pdb()
751 *info = "failed to unpack - dfa"; in unpack_pdb()
753 } else if (!pdb->dfa) { in unpack_pdb()
765 if (!aa_unpack_u32(e, &pdb->start[0], "start")) in unpack_pdb()
767 pdb->start[0] = DFA_START; in unpack_pdb()
768 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { in unpack_pdb()
770 pdb->start[AA_CLASS_FILE] = DFA_START; in unpack_pdb()
773 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0], in unpack_pdb()
779 if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) { in unpack_pdb()
781 u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen; in unpack_pdb()
782 u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags; in unpack_pdb()
785 pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL); in unpack_pdb()
786 if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) { in unpack_pdb()
790 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents; in unpack_pdb()
791 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags; in unpack_pdb()
798 if (!unpack_trans_table(e, &pdb->trans) && required_trans) { in unpack_pdb()
803 if (!pdb->dfa && pdb->trans.table) in unpack_pdb()
804 aa_free_str_table(&pdb->trans); in unpack_pdb()
807 * - move compat mapping here, requires dfa merging first in unpack_pdb()
808 * - move verify here, it has to be done after compat mappings in unpack_pdb()
809 * - move free of unneeded trans table here, has to be done in unpack_pdb()
818 e->pos = pos; in unpack_pdb()
822 static u32 strhash(const void *data, u32 len, u32 seed) in strhash() argument
824 const char * const *key = data; in strhash()
831 const struct aa_data *data = obj; in datacmp() local
832 const char * const *key = arg->key; in datacmp()
834 return strcmp(data->key, *key); in datacmp()
838 * unpack_profile - unpack a serialized profile
839 * @e: serialized data extent information (NOT NULL)
853 struct aa_data *data; in unpack_profile() local
854 int error = -EPROTO; in unpack_profile()
877 error = -ENOMEM; in unpack_profile()
886 error = -ENOMEM; in unpack_profile()
889 rules = profile->label.rules[0]; in unpack_profile()
892 (void) aa_unpack_str(e, &profile->rename, "rename"); in unpack_profile()
895 (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach"); in unpack_profile()
898 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info); in unpack_profile()
905 if (profile->attach.xmatch->dfa) { in unpack_profile()
910 profile->attach.xmatch_len = tmp; in unpack_profile()
911 profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START; in unpack_profile()
912 if (!profile->attach.xmatch->perms) { in unpack_profile()
913 error = aa_compat_map_xmatch(profile->attach.xmatch); in unpack_profile()
923 profile->disconnected = disconnected; in unpack_profile()
926 (void) aa_unpack_u32(e, &profile->signal, "kill"); in unpack_profile()
927 if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) { in unpack_profile()
940 profile->label.flags |= FLAG_HAT; in unpack_profile()
942 profile->label.flags |= FLAG_DEBUG1; in unpack_profile()
944 profile->label.flags |= FLAG_DEBUG2; in unpack_profile()
947 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) { in unpack_profile()
948 profile->mode = APPARMOR_COMPLAIN; in unpack_profile()
950 profile->mode = APPARMOR_ENFORCE; in unpack_profile()
952 profile->mode = APPARMOR_KILL; in unpack_profile()
954 profile->mode = APPARMOR_UNCONFINED; in unpack_profile()
955 profile->label.flags |= FLAG_UNCONFINED; in unpack_profile()
957 profile->mode = APPARMOR_USER; in unpack_profile()
964 profile->audit = AUDIT_ALL; in unpack_profile()
970 if (aa_unpack_u32(e, &profile->path_flags, "path_flags")) in unpack_profile()
971 profile->path_flags |= profile->label.flags & in unpack_profile()
975 profile->path_flags = PATH_MEDIATE_DELETED; in unpack_profile()
978 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL)) in unpack_profile()
980 if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL)) in unpack_profile()
982 if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL)) in unpack_profile()
990 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL)) in unpack_profile()
992 if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL)) in unpack_profile()
994 if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL)) in unpack_profile()
1005 if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL)) in unpack_profile()
1007 if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL)) in unpack_profile()
1029 /* generic policy dfa - optional and may be NULL */ in unpack_profile()
1031 error = unpack_pdb(e, &rules->policy, true, false, in unpack_profile()
1036 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0], in unpack_profile()
1038 rules->policy->start[AA_CLASS_FILE] = in unpack_profile()
1039 aa_dfa_next(rules->policy->dfa, in unpack_profile()
1040 rules->policy->start[0], in unpack_profile()
1044 if (!rules->policy->perms) { in unpack_profile()
1045 error = aa_compat_map_policy(rules->policy, in unpack_profile()
1046 e->version); in unpack_profile()
1053 rules->policy = aa_get_pdb(nullpdb); in unpack_profile()
1056 error = unpack_pdb(e, &rules->file, false, true, &info); in unpack_profile()
1059 } else if (rules->file->dfa) { in unpack_profile()
1060 if (!rules->file->perms) { in unpack_profile()
1061 error = aa_compat_map_file(rules->file); in unpack_profile()
1067 } else if (rules->policy->dfa && in unpack_profile()
1068 rules->policy->start[AA_CLASS_FILE]) { in unpack_profile()
1069 aa_put_pdb(rules->file); in unpack_profile()
1070 rules->file = aa_get_pdb(rules->policy); in unpack_profile()
1072 aa_put_pdb(rules->file); in unpack_profile()
1073 rules->file = aa_get_pdb(nullpdb); in unpack_profile()
1075 error = -EPROTO; in unpack_profile()
1076 if (aa_unpack_nameX(e, AA_STRUCT, "data")) { in unpack_profile()
1078 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); in unpack_profile()
1079 if (!profile->data) { in unpack_profile()
1080 error = -ENOMEM; in unpack_profile()
1090 if (rhashtable_init(profile->data, ¶ms)) { in unpack_profile()
1096 data = kzalloc(sizeof(*data), GFP_KERNEL); in unpack_profile()
1097 if (!data) { in unpack_profile()
1099 error = -ENOMEM; in unpack_profile()
1103 data->key = key; in unpack_profile()
1104 data->size = aa_unpack_blob(e, &data->data, NULL); in unpack_profile()
1105 data->data = kvmemdup(data->data, data->size, GFP_KERNEL); in unpack_profile()
1106 if (data->size && !data->data) { in unpack_profile()
1107 kfree_sensitive(data->key); in unpack_profile()
1108 kfree_sensitive(data); in unpack_profile()
1109 error = -ENOMEM; in unpack_profile()
1113 if (rhashtable_insert_fast(profile->data, &data->head, in unpack_profile()
1114 profile->data->p)) { in unpack_profile()
1115 kvfree_sensitive(data->data, data->size); in unpack_profile()
1116 kfree_sensitive(data->key); in unpack_profile()
1117 kfree_sensitive(data); in unpack_profile()
1118 info = "failed to insert data to table"; in unpack_profile()
1124 info = "failed to unpack end of key, value data table"; in unpack_profile()
1141 error = -EPROTO; in unpack_profile()
1157 * verify_header - unpack serialized stream header
1158 * @e: serialized data read head (NOT NULL)
1160 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
1166 int error = -EPROTONOSUPPORT; in verify_header()
1171 if (!aa_unpack_u32(e, &e->version, "version")) { in verify_header()
1183 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) { in verify_header()
1202 return -ENOMEM; in verify_header()
1210 * verify_dfa_accept_index - verify accept indexes are in range of perms table
1212 * @table_size: the permission table size the indexes should be within
1217 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { in verify_dfa_accept_index()
1227 if (perm->allow & perm->deny) in verify_perm()
1229 if (perm->subtree & ~perm->allow) in verify_perm()
1231 if (perm->cond & (perm->allow | perm->deny)) in verify_perm()
1233 if (perm->kill & perm->allow) in verify_perm()
1235 if (perm->complain & (perm->allow | perm->deny)) in verify_perm()
1237 if (perm->prompt & (perm->allow | perm->deny)) in verify_perm()
1239 if (perm->complain & perm->prompt) in verify_perm()
1241 if (perm->hide & perm->allow) in verify_perm()
1250 int xidx, xmax = -1; in verify_perms()
1252 for (i = 0; i < pdb->size; i++) { in verify_perms()
1253 if (!verify_perm(&pdb->perms[i])) in verify_perms()
1256 if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) { in verify_perms()
1257 xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK; in verify_perms()
1258 if (xidx >= pdb->trans.size) in verify_perms()
1263 if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->trans.size) in verify_perms()
1265 if (pdb->perms[i].label && in verify_perms()
1266 pdb->perms[i].label >= pdb->trans.size) in verify_perms()
1270 if (xmax == -1) { in verify_perms()
1271 aa_free_str_table(&pdb->trans); in verify_perms()
1272 } else if (pdb->trans.size > xmax + 1) { in verify_perms()
1273 if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL)) in verify_perms()
1280 * verify_profile - Do post unpack analysis to verify profile consistency
1289 struct aa_ruleset *rules = profile->label.rules[0]; in verify_profile()
1294 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa, in verify_profile()
1295 rules->file->size)) { in verify_profile()
1298 -EPROTO); in verify_profile()
1299 return -EPROTO; in verify_profile()
1301 if (rules->policy->dfa && in verify_profile()
1302 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) { in verify_profile()
1305 -EPROTO); in verify_profile()
1306 return -EPROTO; in verify_profile()
1309 if (!verify_perms(rules->file)) { in verify_profile()
1311 "Unpack: Invalid perm index", NULL, -EPROTO); in verify_profile()
1312 return -EPROTO; in verify_profile()
1314 if (!verify_perms(rules->policy)) { in verify_profile()
1316 "Unpack: Invalid perm index", NULL, -EPROTO); in verify_profile()
1317 return -EPROTO; in verify_profile()
1319 if (!verify_perms(profile->attach.xmatch)) { in verify_profile()
1321 "Unpack: Invalid perm index", NULL, -EPROTO); in verify_profile()
1322 return -EPROTO; in verify_profile()
1331 aa_put_profile(ent->rename); in aa_load_ent_free()
1332 aa_put_profile(ent->old); in aa_load_ent_free()
1333 aa_put_profile(ent->new); in aa_load_ent_free()
1334 kfree(ent->ns_name); in aa_load_ent_free()
1343 INIT_LIST_HEAD(&ent->list); in aa_load_ent_alloc()
1361 ret = -ENOMEM; in compress_zstd()
1367 ret = -ENOMEM; in compress_zstd()
1373 ret = -EINVAL; in compress_zstd()
1379 ret = -EINVAL; in compress_zstd()
1400 ret = -ENOMEM; in compress_zstd()
1420 static int compress_loaddata(struct aa_loaddata *data) in compress_loaddata() argument
1422 AA_BUG(data->compressed_size > 0); in compress_loaddata()
1429 void *udata = data->data; in compress_loaddata()
1430 int error = compress_zstd(udata, data->size, &data->data, in compress_loaddata()
1431 &data->compressed_size); in compress_loaddata()
1433 data->compressed_size = data->size; in compress_loaddata()
1436 if (udata != data->data) in compress_loaddata()
1439 data->compressed_size = data->size; in compress_loaddata()
1445 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1446 * @udata: user data copied to kmem (NOT NULL)
1450 * Unpack user data and return refcounted allocated profile(s) stored in
1464 .start = udata->data, in aa_unpack()
1465 .end = udata->data + udata->size, in aa_unpack()
1466 .pos = udata->data, in aa_unpack()
1489 e.pos - start); in aa_unpack()
1495 error = -ENOMEM; in aa_unpack()
1499 ent->new = profile; in aa_unpack()
1500 ent->ns_name = ns_name; in aa_unpack()
1502 list_add_tail(&ent->list, lh); in aa_unpack()
1504 udata->abi = e.version & K_ABI_MASK; in aa_unpack()
1506 udata->hash = aa_calc_hash(udata->data, udata->size); in aa_unpack()
1507 if (IS_ERR(udata->hash)) { in aa_unpack()
1508 error = PTR_ERR(udata->hash); in aa_unpack()
1509 udata->hash = NULL; in aa_unpack()
1527 list_del_init(&ent->list); in aa_unpack()