1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor functions for unpacking policy loaded from
6 * userspace.
7 *
8 * Copyright (C) 1998-2008 Novell/SUSE
9 * Copyright 2009-2010 Canonical Ltd.
10 *
11 * AppArmor uses a serialized binary format for loading policy. To find
12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
13 * All policy is validated before it is used.
14 */
15
16 #include <linux/unaligned.h>
17 #include <kunit/visibility.h>
18 #include <linux/ctype.h>
19 #include <linux/errno.h>
20 #include <linux/zstd.h>
21
22 #include "include/apparmor.h"
23 #include "include/audit.h"
24 #include "include/cred.h"
25 #include "include/crypto.h"
26 #include "include/file.h"
27 #include "include/match.h"
28 #include "include/path.h"
29 #include "include/policy.h"
30 #include "include/policy_unpack.h"
31 #include "include/policy_compat.h"
32 #include "include/signal.h"
33
34 /* audit callback for unpack fields */
audit_cb(struct audit_buffer * ab,void * va)35 static void audit_cb(struct audit_buffer *ab, void *va)
36 {
37 struct common_audit_data *sa = va;
38 struct apparmor_audit_data *ad = aad(sa);
39
40 if (ad->iface.ns) {
41 audit_log_format(ab, " ns=");
42 audit_log_untrustedstring(ab, ad->iface.ns);
43 }
44 if (ad->name) {
45 audit_log_format(ab, " name=");
46 audit_log_untrustedstring(ab, ad->name);
47 }
48 if (ad->iface.pos)
49 audit_log_format(ab, " offset=%ld", ad->iface.pos);
50 }
51
52 /**
53 * audit_iface - do audit message for policy unpacking/load/replace/remove
54 * @new: profile if it has been allocated (MAYBE NULL)
55 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
56 * @name: name of the profile being manipulated (MAYBE NULL)
57 * @info: any extra info about the failure (MAYBE NULL)
58 * @e: buffer position info
59 * @error: error code
60 *
61 * Returns: %0 or error
62 */
audit_iface(struct aa_profile * new,const char * ns_name,const char * name,const char * info,struct aa_ext * e,int error)63 static int audit_iface(struct aa_profile *new, const char *ns_name,
64 const char *name, const char *info, struct aa_ext *e,
65 int error)
66 {
67 struct aa_profile *profile = labels_profile(aa_current_raw_label());
68 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
69 if (e)
70 ad.iface.pos = e->pos - e->start;
71 ad.iface.ns = ns_name;
72 if (new)
73 ad.name = new->base.hname;
74 else
75 ad.name = name;
76 ad.info = info;
77 ad.error = error;
78
79 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb);
80 }
81
__aa_loaddata_update(struct aa_loaddata * data,long revision)82 void __aa_loaddata_update(struct aa_loaddata *data, long revision)
83 {
84 AA_BUG(!data);
85 AA_BUG(!data->ns);
86 AA_BUG(!mutex_is_locked(&data->ns->lock));
87 AA_BUG(data->revision > revision);
88
89 data->revision = revision;
90 if ((data->dents[AAFS_LOADDATA_REVISION])) {
91 struct inode *inode;
92
93 inode = d_inode(data->dents[AAFS_LOADDATA_DIR]);
94 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
95
96 inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]);
97 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
98 }
99 }
100
aa_rawdata_eq(struct aa_loaddata * l,struct aa_loaddata * r)101 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
102 {
103 if (l->size != r->size)
104 return false;
105 if (l->compressed_size != r->compressed_size)
106 return false;
107 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
108 return false;
109 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
110 }
111
do_loaddata_free(struct aa_loaddata * d)112 static void do_loaddata_free(struct aa_loaddata *d)
113 {
114 kfree_sensitive(d->hash);
115 kfree_sensitive(d->name);
116 kvfree(d->data);
117 kfree_sensitive(d);
118 }
119
aa_loaddata_kref(struct kref * kref)120 void aa_loaddata_kref(struct kref *kref)
121 {
122 struct aa_loaddata *d = container_of(kref, struct aa_loaddata,
123 count.count);
124
125 do_loaddata_free(d);
126 }
127
128 /*
129 * need to take the ns mutex lock which is NOT safe most places that
130 * put_loaddata is called, so we have to delay freeing it
131 */
do_ploaddata_rmfs(struct work_struct * work)132 static void do_ploaddata_rmfs(struct work_struct *work)
133 {
134 struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
135 struct aa_ns *ns = aa_get_ns(d->ns);
136
137 if (ns) {
138 mutex_lock_nested(&ns->lock, ns->level);
139 /* remove fs ref to loaddata */
140 __aa_fs_remove_rawdata(d);
141 mutex_unlock(&ns->lock);
142 aa_put_ns(ns);
143 }
144 /* called by dropping last pcount, so drop its associated icount */
145 aa_put_i_loaddata(d);
146 }
147
aa_ploaddata_kref(struct kref * kref)148 void aa_ploaddata_kref(struct kref *kref)
149 {
150 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, pcount);
151
152 if (d) {
153 INIT_WORK(&d->work, do_ploaddata_rmfs);
154 schedule_work(&d->work);
155 }
156 }
157
aa_loaddata_alloc(size_t size)158 struct aa_loaddata *aa_loaddata_alloc(size_t size)
159 {
160 struct aa_loaddata *d;
161
162 d = kzalloc_obj(*d);
163 if (d == NULL)
164 return ERR_PTR(-ENOMEM);
165 d->data = kvzalloc(size, GFP_KERNEL);
166 if (!d->data) {
167 kfree(d);
168 return ERR_PTR(-ENOMEM);
169 }
170 kref_init(&d->count.count);
171 d->count.reftype = REF_RAWDATA;
172 kref_init(&d->pcount);
173 INIT_LIST_HEAD(&d->list);
174
175 return d;
176 }
177
178 /* test if read will be in packed data bounds */
aa_inbounds(struct aa_ext * e,size_t size)179 VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size)
180 {
181 return (size <= e->end - e->pos);
182 }
183 EXPORT_SYMBOL_IF_KUNIT(aa_inbounds);
184
185 /**
186 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
187 * @e: serialized data read head (NOT NULL)
188 * @chunk: start address for chunk of data (NOT NULL)
189 *
190 * Returns: the size of chunk found with the read head at the end of the chunk.
191 */
aa_unpack_u16_chunk(struct aa_ext * e,char ** chunk)192 VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk)
193 {
194 size_t size = 0;
195 void *pos = e->pos;
196
197 if (!aa_inbounds(e, sizeof(u16)))
198 goto fail;
199 size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
200 e->pos += sizeof(__le16);
201 if (!aa_inbounds(e, size))
202 goto fail;
203 *chunk = e->pos;
204 e->pos += size;
205 return size;
206
207 fail:
208 e->pos = pos;
209 return 0;
210 }
211 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk);
212
213 /* unpack control byte */
aa_unpack_X(struct aa_ext * e,enum aa_code code)214 VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code)
215 {
216 if (!aa_inbounds(e, 1))
217 return false;
218 if (*(u8 *) e->pos != code)
219 return false;
220 e->pos++;
221 return true;
222 }
223 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X);
224
225 /**
226 * aa_unpack_nameX - check is the next element is of type X with a name of @name
227 * @e: serialized data extent information (NOT NULL)
228 * @code: type code
229 * @name: name to match to the serialized element. (MAYBE NULL)
230 *
231 * check that the next serialized data element is of type X and has a tag
232 * name @name. If @name is specified then there must be a matching
233 * name element in the stream. If @name is NULL any name element will be
234 * skipped and only the typecode will be tested.
235 *
236 * Returns true on success (both type code and name tests match) and the read
237 * head is advanced past the headers
238 *
239 * Returns: false if either match fails, the read head does not move
240 */
aa_unpack_nameX(struct aa_ext * e,enum aa_code code,const char * name)241 VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
242 {
243 /*
244 * May need to reset pos if name or type doesn't match
245 */
246 void *pos = e->pos;
247 /*
248 * Check for presence of a tagname, and if present name size
249 * AA_NAME tag value is a u16.
250 */
251 if (aa_unpack_X(e, AA_NAME)) {
252 char *tag = NULL;
253 size_t size = aa_unpack_u16_chunk(e, &tag);
254 /* if a name is specified it must match. otherwise skip tag */
255 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
256 goto fail;
257 } else if (name) {
258 /* if a name is specified and there is no name tag fail */
259 goto fail;
260 }
261
262 /* now check if type code matches */
263 if (aa_unpack_X(e, code))
264 return true;
265
266 fail:
267 e->pos = pos;
268 return false;
269 }
270 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX);
271
unpack_u8(struct aa_ext * e,u8 * data,const char * name)272 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
273 {
274 void *pos = e->pos;
275
276 if (aa_unpack_nameX(e, AA_U8, name)) {
277 if (!aa_inbounds(e, sizeof(u8)))
278 goto fail;
279 if (data)
280 *data = *((u8 *)e->pos);
281 e->pos += sizeof(u8);
282 return true;
283 }
284
285 fail:
286 e->pos = pos;
287 return false;
288 }
289
aa_unpack_u32(struct aa_ext * e,u32 * data,const char * name)290 VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name)
291 {
292 void *pos = e->pos;
293
294 if (aa_unpack_nameX(e, AA_U32, name)) {
295 if (!aa_inbounds(e, sizeof(u32)))
296 goto fail;
297 if (data)
298 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
299 e->pos += sizeof(u32);
300 return true;
301 }
302
303 fail:
304 e->pos = pos;
305 return false;
306 }
307 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32);
308
aa_unpack_u64(struct aa_ext * e,u64 * data,const char * name)309 VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name)
310 {
311 void *pos = e->pos;
312
313 if (aa_unpack_nameX(e, AA_U64, name)) {
314 if (!aa_inbounds(e, sizeof(u64)))
315 goto fail;
316 if (data)
317 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
318 e->pos += sizeof(u64);
319 return true;
320 }
321
322 fail:
323 e->pos = pos;
324 return false;
325 }
326 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64);
327
aa_unpack_cap_low(struct aa_ext * e,kernel_cap_t * data,const char * name)328 static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name)
329 {
330 u32 val;
331
332 if (!aa_unpack_u32(e, &val, name))
333 return false;
334 data->val = val;
335 return true;
336 }
337
aa_unpack_cap_high(struct aa_ext * e,kernel_cap_t * data,const char * name)338 static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name)
339 {
340 u32 val;
341
342 if (!aa_unpack_u32(e, &val, name))
343 return false;
344 data->val = (u32)data->val | ((u64)val << 32);
345 return true;
346 }
347
aa_unpack_array(struct aa_ext * e,const char * name,u16 * size)348 VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size)
349 {
350 void *pos = e->pos;
351
352 if (aa_unpack_nameX(e, AA_ARRAY, name)) {
353 if (!aa_inbounds(e, sizeof(u16)))
354 goto fail;
355 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
356 e->pos += sizeof(u16);
357 return true;
358 }
359
360 fail:
361 e->pos = pos;
362 return false;
363 }
364 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array);
365
aa_unpack_blob(struct aa_ext * e,char ** blob,const char * name)366 VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name)
367 {
368 void *pos = e->pos;
369
370 if (aa_unpack_nameX(e, AA_BLOB, name)) {
371 u32 size;
372 if (!aa_inbounds(e, sizeof(u32)))
373 goto fail;
374 size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
375 e->pos += sizeof(u32);
376 if (aa_inbounds(e, (size_t) size)) {
377 *blob = e->pos;
378 e->pos += size;
379 return size;
380 }
381 }
382
383 fail:
384 e->pos = pos;
385 return 0;
386 }
387 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob);
388
aa_unpack_str(struct aa_ext * e,const char ** string,const char * name)389 VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name)
390 {
391 char *src_str;
392 size_t size = 0;
393 void *pos = e->pos;
394 *string = NULL;
395 if (aa_unpack_nameX(e, AA_STRING, name)) {
396 size = aa_unpack_u16_chunk(e, &src_str);
397 if (size) {
398 /* strings are null terminated, length is size - 1 */
399 if (src_str[size - 1] != 0)
400 goto fail;
401 *string = src_str;
402
403 return size;
404 }
405 }
406
407 fail:
408 e->pos = pos;
409 return 0;
410 }
411 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str);
412
aa_unpack_strdup(struct aa_ext * e,char ** string,const char * name)413 VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name)
414 {
415 const char *tmp;
416 void *pos = e->pos;
417 int res = aa_unpack_str(e, &tmp, name);
418 *string = NULL;
419
420 if (!res)
421 return 0;
422
423 *string = kmemdup(tmp, res, GFP_KERNEL);
424 if (!*string) {
425 e->pos = pos;
426 return 0;
427 }
428
429 return res;
430 }
431 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup);
432
433
434 /**
435 * unpack_dfa - unpack a file rule dfa
436 * @e: serialized data extent information (NOT NULL)
437 * @flags: dfa flags to check
438 *
439 * returns dfa or ERR_PTR or NULL if no dfa
440 */
unpack_dfa(struct aa_ext * e,int flags)441 static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags)
442 {
443 char *blob = NULL;
444 size_t size;
445 struct aa_dfa *dfa = NULL;
446
447 size = aa_unpack_blob(e, &blob, "aadfa");
448 if (size) {
449 /*
450 * The dfa is aligned with in the blob to 8 bytes
451 * from the beginning of the stream.
452 * alignment adjust needed by dfa unpack
453 */
454 size_t sz = blob - (char *) e->start -
455 ((e->pos - e->start) & 7);
456 size_t pad = ALIGN(sz, 8) - sz;
457 if (aa_g_paranoid_load)
458 flags |= DFA_FLAG_VERIFY_STATES;
459 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
460
461 if (IS_ERR(dfa))
462 return dfa;
463
464 }
465
466 return dfa;
467 }
468
process_strs_entry(char * str,int size,bool multi)469 static int process_strs_entry(char *str, int size, bool multi)
470 {
471 int c = 1;
472
473 if (size <= 0)
474 return -1;
475 if (multi) {
476 if (size < 2)
477 return -2;
478 /* multi ends with double \0 */
479 if (str[size - 2])
480 return -3;
481 }
482
483 char *save = str;
484 char *pos = str;
485 char *end = multi ? str + size - 2 : str + size - 1;
486 /* count # of internal \0 */
487 while (str < end) {
488 if (str == pos) {
489 /* starts with ... */
490 if (!*str) {
491 AA_DEBUG(DEBUG_UNPACK,
492 "starting with null save=%lu size %d c=%d",
493 (unsigned long)(str - save), size, c);
494 return -4;
495 }
496 if (isspace(*str))
497 return -5;
498 if (*str == ':') {
499 /* :ns_str\0str\0
500 * first character after : must be valid
501 */
502 if (!str[1])
503 return -6;
504 }
505 } else if (!*str) {
506 if (*pos == ':')
507 *str = ':';
508 else
509 c++;
510 pos = str + 1;
511 }
512 str++;
513 } /* while */
514
515 return c;
516 }
517
518 /**
519 * unpack_strs_table - unpack a profile transition table
520 * @e: serialized data extent information (NOT NULL)
521 * @name: name of table (MAY BE NULL)
522 * @multi: allow multiple strings on a single entry
523 * @strs: str table to unpack to (NOT NULL)
524 *
525 * Returns: 0 if table successfully unpacked or not present, else error
526 */
unpack_strs_table(struct aa_ext * e,const char * name,bool multi,struct aa_str_table * strs)527 static int unpack_strs_table(struct aa_ext *e, const char *name, bool multi,
528 struct aa_str_table *strs)
529 {
530 void *saved_pos = e->pos;
531 struct aa_str_table_ent *table = NULL;
532 int error = -EPROTO;
533
534 /* exec table is optional */
535 if (aa_unpack_nameX(e, AA_STRUCT, name)) {
536 u16 size;
537 int i;
538
539 if (!aa_unpack_array(e, NULL, &size))
540 /*
541 * Note: index into trans table array is a max
542 * of 2^24, but unpack array can only unpack
543 * an array of 2^16 in size atm so no need
544 * for size check here
545 */
546 goto fail;
547 table = kzalloc_objs(struct aa_str_table_ent, size);
548 if (!table) {
549 error = -ENOMEM;
550 goto fail;
551 }
552 strs->table = table;
553 strs->size = size;
554 for (i = 0; i < size; i++) {
555 char *str;
556 int c, size2 = aa_unpack_strdup(e, &str, NULL);
557 /* aa_unpack_strdup verifies that the last character is
558 * null termination byte.
559 */
560 c = process_strs_entry(str, size2, multi);
561 if (c <= 0) {
562 AA_DEBUG(DEBUG_UNPACK, "process_strs %d i %d pos %ld",
563 c, i,
564 (unsigned long)(e->pos - saved_pos));
565 goto fail;
566 }
567 if (!multi && c > 1) {
568 AA_DEBUG(DEBUG_UNPACK, "!multi && c > 1");
569 /* fail - all other cases with embedded \0 */
570 goto fail;
571 }
572 table[i].strs = str;
573 table[i].count = c;
574 table[i].size = size2;
575 }
576 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
577 goto fail;
578 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
579 goto fail;
580 }
581 return 0;
582
583 fail:
584 aa_destroy_str_table(strs);
585 e->pos = saved_pos;
586 return error;
587 }
588
unpack_xattrs(struct aa_ext * e,struct aa_profile * profile)589 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
590 {
591 void *pos = e->pos;
592
593 if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) {
594 u16 size;
595 int i;
596
597 if (!aa_unpack_array(e, NULL, &size))
598 goto fail;
599 profile->attach.xattr_count = size;
600 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
601 if (!profile->attach.xattrs)
602 goto fail;
603 for (i = 0; i < size; i++) {
604 if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL))
605 goto fail;
606 }
607 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
608 goto fail;
609 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
610 goto fail;
611 }
612
613 return true;
614
615 fail:
616 e->pos = pos;
617 return false;
618 }
619
unpack_secmark(struct aa_ext * e,struct aa_ruleset * rules)620 static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
621 {
622 void *pos = e->pos;
623 u16 size;
624 int i;
625
626 if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
627 if (!aa_unpack_array(e, NULL, &size))
628 goto fail;
629
630 rules->secmark = kzalloc_objs(struct aa_secmark, size);
631 if (!rules->secmark)
632 goto fail;
633
634 rules->secmark_count = size;
635
636 for (i = 0; i < size; i++) {
637 if (!unpack_u8(e, &rules->secmark[i].audit, NULL))
638 goto fail;
639 if (!unpack_u8(e, &rules->secmark[i].deny, NULL))
640 goto fail;
641 if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL))
642 goto fail;
643 }
644 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
645 goto fail;
646 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
647 goto fail;
648 }
649
650 return true;
651
652 fail:
653 if (rules->secmark) {
654 for (i = 0; i < size; i++)
655 kfree_sensitive(rules->secmark[i].label);
656 kfree_sensitive(rules->secmark);
657 rules->secmark_count = 0;
658 rules->secmark = NULL;
659 }
660
661 e->pos = pos;
662 return false;
663 }
664
unpack_rlimits(struct aa_ext * e,struct aa_ruleset * rules)665 static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules)
666 {
667 void *pos = e->pos;
668
669 /* rlimits are optional */
670 if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) {
671 u16 size;
672 int i;
673 u32 tmp = 0;
674 if (!aa_unpack_u32(e, &tmp, NULL))
675 goto fail;
676 rules->rlimits.mask = tmp;
677
678 if (!aa_unpack_array(e, NULL, &size) ||
679 size > RLIM_NLIMITS)
680 goto fail;
681 for (i = 0; i < size; i++) {
682 u64 tmp2 = 0;
683 int a = aa_map_resource(i);
684 if (!aa_unpack_u64(e, &tmp2, NULL))
685 goto fail;
686 rules->rlimits.limits[a].rlim_max = tmp2;
687 }
688 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
689 goto fail;
690 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
691 goto fail;
692 }
693 return true;
694
695 fail:
696 e->pos = pos;
697 return false;
698 }
699
700
verify_tags(struct aa_tags_struct * tags,const char ** info)701 static bool verify_tags(struct aa_tags_struct *tags, const char **info)
702 {
703 if ((tags->hdrs.size && !tags->hdrs.table) ||
704 (!tags->hdrs.size && tags->hdrs.table)) {
705 *info = "failed verification tag.hdrs disagree";
706 return false;
707 }
708 if ((tags->sets.size && !tags->sets.table) ||
709 (!tags->sets.size && tags->sets.table)) {
710 *info = "failed verification tag.sets disagree";
711 return false;
712 }
713 if ((tags->strs.size && !tags->strs.table) ||
714 (!tags->strs.size && tags->strs.table)) {
715 *info = "failed verification tags->strs disagree";
716 return false;
717 }
718 /* no data present */
719 if (!tags->sets.size && !tags->hdrs.size && !tags->strs.size) {
720 return true;
721 } else if (!(tags->sets.size && tags->hdrs.size && tags->strs.size)) {
722 /* some data present but not all */
723 *info = "failed verification tags partial data present";
724 return false;
725 }
726
727 u32 i;
728
729 for (i = 0; i < tags->sets.size; i++) {
730 /* count followed by count indexes into hdrs */
731 u32 cnt = tags->sets.table[i];
732
733 if (i+cnt >= tags->sets.size) {
734 AA_DEBUG(DEBUG_UNPACK,
735 "tagset too large %d+%d > sets.table[%d]",
736 i, cnt, tags->sets.size);
737 *info = "failed verification tagset too large";
738 return false;
739 }
740 for (; cnt; cnt--) {
741 if (tags->sets.table[++i] >= tags->hdrs.size) {
742 AA_DEBUG(DEBUG_UNPACK,
743 "tagsets idx out of bounds cnt %d sets.table[%d] >= %d",
744 cnt, i-1, tags->hdrs.size);
745 *info = "failed verification tagsets idx out of bounds";
746 return false;
747 }
748 }
749 }
750 for (i = 0; i < tags->hdrs.size; i++) {
751 u32 idx = tags->hdrs.table[i].tags;
752
753 if (idx >= tags->strs.size) {
754 AA_DEBUG(DEBUG_UNPACK,
755 "tag.hdrs idx oob idx %d > tags->strs.size=%d",
756 idx, tags->strs.size);
757 *info = "failed verification tags.hdrs idx out of bounds";
758 return false;
759 }
760 if (tags->hdrs.table[i].count != tags->strs.table[idx].count) {
761 AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].count=%d != tags->strs.table[%d]=%d",
762 i, tags->hdrs.table[i].count, idx, tags->strs.table[idx].count);
763 *info = "failed verification tagd.hdrs[idx].count";
764 return false;
765 }
766 if (tags->hdrs.table[i].size != tags->strs.table[idx].size) {
767 AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].size=%d != strs.table[%d].size=%d",
768 i, tags->hdrs.table[i].size, idx, tags->strs.table[idx].size);
769 *info = "failed verification tagd.hdrs[idx].size";
770 return false;
771 }
772 }
773
774 return true;
775 }
776
unpack_tagsets(struct aa_ext * e,struct aa_tags_struct * tags)777 static int unpack_tagsets(struct aa_ext *e, struct aa_tags_struct *tags)
778 {
779 u32 *sets;
780 u16 i, size;
781 int error = -EPROTO;
782 void *pos = e->pos;
783
784 if (!aa_unpack_array(e, "sets", &size))
785 goto fail_reset;
786 sets = kcalloc(size, sizeof(u32), GFP_KERNEL);
787 if (!sets) {
788 error = -ENOMEM;
789 goto fail_reset;
790 }
791 for (i = 0; i < size; i++) {
792 if (!aa_unpack_u32(e, &sets[i], NULL))
793 goto fail;
794 }
795 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
796 goto fail;
797
798 tags->sets.size = size;
799 tags->sets.table = sets;
800
801 return 0;
802
803 fail:
804 kfree_sensitive(sets);
805 fail_reset:
806 e->pos = pos;
807 return error;
808 }
809
unpack_tag_header_ent(struct aa_ext * e,struct aa_tags_header * h)810 static bool unpack_tag_header_ent(struct aa_ext *e, struct aa_tags_header *h)
811 {
812 return aa_unpack_u32(e, &h->mask, NULL) &&
813 aa_unpack_u32(e, &h->count, NULL) &&
814 aa_unpack_u32(e, &h->size, NULL) &&
815 aa_unpack_u32(e, &h->tags, NULL);
816 }
817
unpack_tag_headers(struct aa_ext * e,struct aa_tags_struct * tags)818 static int unpack_tag_headers(struct aa_ext *e, struct aa_tags_struct *tags)
819 {
820 struct aa_tags_header *hdrs;
821 u16 i, size;
822 int error = -EPROTO;
823 void *pos = e->pos;
824
825 if (!aa_unpack_array(e, "hdrs", &size))
826 goto fail_reset;
827 hdrs = kzalloc_objs(struct aa_tags_header, size);
828 if (!hdrs) {
829 error = -ENOMEM;
830 goto fail_reset;
831 }
832 for (i = 0; i < size; i++) {
833 if (!unpack_tag_header_ent(e, &hdrs[i]))
834 goto fail;
835 }
836 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
837 goto fail;
838
839 tags->hdrs.size = size;
840 tags->hdrs.table = hdrs;
841 AA_DEBUG(DEBUG_UNPACK, "headers %ld size %d", (long) hdrs, size);
842 return true;
843
844 fail:
845 kfree_sensitive(hdrs);
846 fail_reset:
847 e->pos = pos;
848 return error;
849 }
850
851
unpack_tags(struct aa_ext * e,struct aa_tags_struct * tags,const char ** info)852 static int unpack_tags(struct aa_ext *e, struct aa_tags_struct *tags,
853 const char **info)
854 {
855 int error = -EPROTO;
856 void *pos = e->pos;
857
858 AA_BUG(!tags);
859 /* policy tags are optional */
860 if (aa_unpack_nameX(e, AA_STRUCT, "tags")) {
861 u32 version;
862
863 if (!aa_unpack_u32(e, &version, "version") || version != 1) {
864 *info = "invalid tags version";
865 goto fail_reset;
866 }
867 error = unpack_strs_table(e, "strs", true, &tags->strs);
868 if (error) {
869 *info = "failed to unpack profile tag.strs";
870 goto fail;
871 }
872 error = unpack_tag_headers(e, tags);
873 if (error) {
874 *info = "failed to unpack profile tag.headers";
875 goto fail;
876 }
877 error = unpack_tagsets(e, tags);
878 if (error) {
879 *info = "failed to unpack profile tag.sets";
880 goto fail;
881 }
882 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
883 goto fail;
884
885 if (!verify_tags(tags, info))
886 goto fail;
887 }
888
889 return 0;
890
891 fail:
892 aa_destroy_tags(tags);
893 fail_reset:
894 e->pos = pos;
895 return error;
896 }
897
unpack_perm(struct aa_ext * e,u32 version,struct aa_perms * perm)898 static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm)
899 {
900 u32 reserved;
901
902 if (version != 1)
903 return false;
904
905 /* reserved entry is for later expansion, discard for now */
906 return aa_unpack_u32(e, &reserved, NULL) &&
907 aa_unpack_u32(e, &perm->allow, NULL) &&
908 aa_unpack_u32(e, &perm->deny, NULL) &&
909 aa_unpack_u32(e, &perm->subtree, NULL) &&
910 aa_unpack_u32(e, &perm->cond, NULL) &&
911 aa_unpack_u32(e, &perm->kill, NULL) &&
912 aa_unpack_u32(e, &perm->complain, NULL) &&
913 aa_unpack_u32(e, &perm->prompt, NULL) &&
914 aa_unpack_u32(e, &perm->audit, NULL) &&
915 aa_unpack_u32(e, &perm->quiet, NULL) &&
916 aa_unpack_u32(e, &perm->hide, NULL) &&
917 aa_unpack_u32(e, &perm->xindex, NULL) &&
918 aa_unpack_u32(e, &perm->tag, NULL) &&
919 aa_unpack_u32(e, &perm->label, NULL);
920 }
921
unpack_perms_table(struct aa_ext * e,struct aa_perms ** perms)922 static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms)
923 {
924 void *pos = e->pos;
925 u16 size = 0;
926
927 AA_BUG(!perms);
928 /*
929 * policy perms are optional, in which case perms are embedded
930 * in the dfa accept table
931 */
932 if (aa_unpack_nameX(e, AA_STRUCT, "perms")) {
933 int i;
934 u32 version;
935
936 if (!aa_unpack_u32(e, &version, "version"))
937 goto fail_reset;
938 if (!aa_unpack_array(e, NULL, &size))
939 goto fail_reset;
940 *perms = kzalloc_objs(struct aa_perms, size);
941 if (!*perms) {
942 e->pos = pos;
943 return -ENOMEM;
944 }
945 for (i = 0; i < size; i++) {
946 if (!unpack_perm(e, version, &(*perms)[i]))
947 goto fail;
948 }
949 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
950 goto fail;
951 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
952 goto fail;
953 } else
954 *perms = NULL;
955
956 return size;
957
958 fail:
959 kfree(*perms);
960 fail_reset:
961 e->pos = pos;
962 return -EPROTO;
963 }
964
unpack_pdb(struct aa_ext * e,struct aa_policydb ** policy,bool required_dfa,bool required_trans,const char ** info)965 static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
966 bool required_dfa, bool required_trans,
967 const char **info)
968 {
969 struct aa_policydb *pdb;
970 void *pos = e->pos;
971 int i, flags, error = -EPROTO;
972 ssize_t size;
973 u32 version = 0;
974
975 pdb = aa_alloc_pdb(GFP_KERNEL);
976 if (!pdb)
977 return -ENOMEM;
978
979 AA_DEBUG(DEBUG_UNPACK, "unpacking tags");
980 if (unpack_tags(e, &pdb->tags, info) < 0)
981 goto fail;
982 AA_DEBUG(DEBUG_UNPACK, "done unpacking tags");
983
984 size = unpack_perms_table(e, &pdb->perms);
985 if (size < 0) {
986 error = size;
987 pdb->perms = NULL;
988 *info = "failed to unpack - perms";
989 goto fail;
990 }
991 pdb->size = size;
992
993 if (pdb->perms) {
994 /* perms table present accept is index */
995 flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
996 if (aa_unpack_u32(e, &version, "permsv") && version > 2)
997 /* accept2 used for dfa flags */
998 flags |= TO_ACCEPT2_FLAG(YYTD_DATA32);
999 } else {
1000 /* packed perms in accept1 and accept2 */
1001 flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
1002 TO_ACCEPT2_FLAG(YYTD_DATA32);
1003 }
1004
1005 pdb->dfa = unpack_dfa(e, flags);
1006 if (IS_ERR(pdb->dfa)) {
1007 error = PTR_ERR(pdb->dfa);
1008 pdb->dfa = NULL;
1009 *info = "failed to unpack - dfa";
1010 goto fail;
1011 } else if (!pdb->dfa) {
1012 if (required_dfa) {
1013 *info = "missing required dfa";
1014 goto fail;
1015 }
1016 } else {
1017 /*
1018 * only unpack the following if a dfa is present
1019 *
1020 * sadly start was given different names for file and policydb
1021 * but since it is optional we can try both
1022 */
1023 if (!aa_unpack_u32(e, &pdb->start[0], "start"))
1024 /* default start state */
1025 pdb->start[0] = DFA_START;
1026 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
1027 /* default start state for xmatch and file dfa */
1028 pdb->start[AA_CLASS_FILE] = DFA_START;
1029 }
1030
1031 size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen;
1032
1033 if (pdb->start[0] >= state_count ||
1034 pdb->start[AA_CLASS_FILE] >= state_count) {
1035 *info = "invalid dfa start state";
1036 goto fail;
1037 }
1038
1039 /* setup class index */
1040 for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
1041 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
1042 i);
1043 }
1044 }
1045
1046 /* accept2 is in some cases being allocated, even with perms */
1047 if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
1048 /* add dfa flags table missing in v2 */
1049 u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
1050 u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
1051 size_t tsize = table_size(noents, tdflags);
1052
1053 pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL);
1054 if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
1055 *info = "failed to alloc dfa flags table";
1056 goto out;
1057 }
1058 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents;
1059 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags;
1060 }
1061 /*
1062 * Unfortunately due to a bug in earlier userspaces, a
1063 * transition table may be present even when the dfa is
1064 * not. For compatibility reasons unpack and discard.
1065 */
1066 error = unpack_strs_table(e, "xtable", false, &pdb->trans);
1067 if (error && required_trans) {
1068 *info = "failed to unpack profile transition table";
1069 goto fail;
1070 }
1071
1072 if (!pdb->dfa && pdb->trans.table)
1073 aa_destroy_str_table(&pdb->trans);
1074
1075 /* TODO:
1076 * - move compat mapping here, requires dfa merging first
1077 * - move verify here, it has to be done after compat mappings
1078 * - move free of unneeded trans table here, has to be done
1079 * after perm mapping.
1080 */
1081 out:
1082 *policy = pdb;
1083 return 0;
1084
1085 fail:
1086 aa_put_pdb(pdb);
1087 e->pos = pos;
1088 return error;
1089 }
1090
strhash(const void * data,u32 len,u32 seed)1091 static u32 strhash(const void *data, u32 len, u32 seed)
1092 {
1093 const char * const *key = data;
1094
1095 return jhash(*key, strlen(*key), seed);
1096 }
1097
datacmp(struct rhashtable_compare_arg * arg,const void * obj)1098 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
1099 {
1100 const struct aa_data *data = obj;
1101 const char * const *key = arg->key;
1102
1103 return strcmp(data->key, *key);
1104 }
1105
1106 /**
1107 * unpack_profile - unpack a serialized profile
1108 * @e: serialized data extent information (NOT NULL)
1109 * @ns_name: pointer of newly allocated copy of %NULL in case of error
1110 *
1111 * NOTE: unpack profile sets audit struct if there is a failure
1112 */
unpack_profile(struct aa_ext * e,char ** ns_name)1113 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
1114 {
1115 struct aa_ruleset *rules;
1116 struct aa_profile *profile = NULL;
1117 const char *tmpname, *tmpns = NULL, *name = NULL;
1118 const char *info = "failed to unpack profile";
1119 size_t ns_len;
1120 struct rhashtable_params params = { 0 };
1121 char *key = NULL, *disconnected = NULL;
1122 struct aa_data *data;
1123 int error = -EPROTO;
1124 kernel_cap_t tmpcap;
1125 u32 tmp;
1126
1127 *ns_name = NULL;
1128
1129 /* check that we have the right struct being passed */
1130 if (!aa_unpack_nameX(e, AA_STRUCT, "profile"))
1131 goto fail;
1132 if (!aa_unpack_str(e, &name, NULL))
1133 goto fail;
1134 if (*name == '\0')
1135 goto fail;
1136
1137 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
1138 if (tmpns) {
1139 if (!tmpname) {
1140 info = "empty profile name";
1141 goto fail;
1142 }
1143 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
1144 if (!*ns_name) {
1145 info = "out of memory";
1146 error = -ENOMEM;
1147 goto fail;
1148 }
1149 name = tmpname;
1150 }
1151
1152 profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
1153 if (!profile) {
1154 info = "out of memory";
1155 error = -ENOMEM;
1156 goto fail;
1157 }
1158 rules = profile->label.rules[0];
1159
1160 /* profile renaming is optional */
1161 (void) aa_unpack_str(e, &profile->rename, "rename");
1162
1163 /* attachment string is optional */
1164 (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach");
1165
1166 /* xmatch is optional and may be NULL */
1167 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info);
1168 if (error) {
1169 info = "bad xmatch";
1170 goto fail;
1171 }
1172
1173 /* neither xmatch_len not xmatch_perms are optional if xmatch is set */
1174 if (profile->attach.xmatch->dfa) {
1175 if (!aa_unpack_u32(e, &tmp, NULL)) {
1176 info = "missing xmatch len";
1177 goto fail;
1178 }
1179 profile->attach.xmatch_len = tmp;
1180 profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START;
1181 if (!profile->attach.xmatch->perms) {
1182 error = aa_compat_map_xmatch(profile->attach.xmatch);
1183 if (error) {
1184 info = "failed to convert xmatch permission table";
1185 goto fail;
1186 }
1187 }
1188 }
1189
1190 /* disconnected attachment string is optional */
1191 (void) aa_unpack_strdup(e, &disconnected, "disconnected");
1192 profile->disconnected = disconnected;
1193
1194 /* optional */
1195 (void) aa_unpack_u32(e, &profile->signal, "kill");
1196 if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {
1197 info = "profile kill.signal invalid value";
1198 goto fail;
1199 }
1200 /* per profile debug flags (complain, audit) */
1201 if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
1202 info = "profile missing flags";
1203 goto fail;
1204 }
1205 info = "failed to unpack profile flags";
1206 if (!aa_unpack_u32(e, &tmp, NULL))
1207 goto fail;
1208 if (tmp & PACKED_FLAG_HAT)
1209 profile->label.flags |= FLAG_HAT;
1210 if (tmp & PACKED_FLAG_DEBUG1)
1211 profile->label.flags |= FLAG_DEBUG1;
1212 if (tmp & PACKED_FLAG_DEBUG2)
1213 profile->label.flags |= FLAG_DEBUG2;
1214 if (!aa_unpack_u32(e, &tmp, NULL))
1215 goto fail;
1216 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
1217 profile->mode = APPARMOR_COMPLAIN;
1218 } else if (tmp == PACKED_MODE_ENFORCE) {
1219 profile->mode = APPARMOR_ENFORCE;
1220 } else if (tmp == PACKED_MODE_KILL) {
1221 profile->mode = APPARMOR_KILL;
1222 } else if (tmp == PACKED_MODE_UNCONFINED) {
1223 profile->mode = APPARMOR_UNCONFINED;
1224 profile->label.flags |= FLAG_UNCONFINED;
1225 } else if (tmp == PACKED_MODE_USER) {
1226 profile->mode = APPARMOR_USER;
1227 } else {
1228 goto fail;
1229 }
1230 if (!aa_unpack_u32(e, &tmp, NULL))
1231 goto fail;
1232 if (tmp)
1233 profile->audit = AUDIT_ALL;
1234
1235 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1236 goto fail;
1237
1238 /* path_flags is optional */
1239 if (aa_unpack_u32(e, &profile->path_flags, "path_flags"))
1240 profile->path_flags |= profile->label.flags &
1241 PATH_MEDIATE_DELETED;
1242 else
1243 /* set a default value if path_flags field is not present */
1244 profile->path_flags = PATH_MEDIATE_DELETED;
1245
1246 info = "failed to unpack profile capabilities";
1247 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL))
1248 goto fail;
1249 if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL))
1250 goto fail;
1251 if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL))
1252 goto fail;
1253 if (!aa_unpack_cap_low(e, &tmpcap, NULL))
1254 goto fail;
1255
1256 info = "failed to unpack upper profile capabilities";
1257 if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) {
1258 /* optional upper half of 64 bit caps */
1259 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL))
1260 goto fail;
1261 if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL))
1262 goto fail;
1263 if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL))
1264 goto fail;
1265 if (!aa_unpack_cap_high(e, &tmpcap, NULL))
1266 goto fail;
1267 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1268 goto fail;
1269 }
1270
1271 info = "failed to unpack extended profile capabilities";
1272 if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) {
1273 /* optional extended caps mediation mask */
1274 if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL))
1275 goto fail;
1276 if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL))
1277 goto fail;
1278 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1279 goto fail;
1280 }
1281
1282 if (!unpack_xattrs(e, profile)) {
1283 info = "failed to unpack profile xattrs";
1284 goto fail;
1285 }
1286
1287 if (!unpack_rlimits(e, rules)) {
1288 info = "failed to unpack profile rlimits";
1289 goto fail;
1290 }
1291
1292 if (!unpack_secmark(e, rules)) {
1293 info = "failed to unpack profile secmark rules";
1294 goto fail;
1295 }
1296
1297 if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
1298 /* generic policy dfa - optional and may be NULL */
1299 info = "failed to unpack policydb";
1300 error = unpack_pdb(e, &rules->policy, true, false,
1301 &info);
1302 if (error)
1303 goto fail;
1304 /* Fixup: drop when we get rid of start array */
1305 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0],
1306 AA_CLASS_FILE))
1307 rules->policy->start[AA_CLASS_FILE] =
1308 aa_dfa_next(rules->policy->dfa,
1309 rules->policy->start[0],
1310 AA_CLASS_FILE);
1311 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1312 goto fail;
1313 if (!rules->policy->perms) {
1314 error = aa_compat_map_policy(rules->policy,
1315 e->version);
1316 if (error) {
1317 info = "failed to remap policydb permission table";
1318 goto fail;
1319 }
1320 }
1321 } else {
1322 rules->policy = aa_get_pdb(nullpdb);
1323 }
1324 /* get file rules */
1325 error = unpack_pdb(e, &rules->file, false, true, &info);
1326 if (error) {
1327 goto fail;
1328 } else if (rules->file->dfa) {
1329 if (!rules->file->perms) {
1330 AA_DEBUG(DEBUG_UNPACK, "compat mapping perms");
1331 error = aa_compat_map_file(rules->file);
1332 if (error) {
1333 info = "failed to remap file permission table";
1334 goto fail;
1335 }
1336 }
1337 } else if (rules->policy->dfa &&
1338 rules->policy->start[AA_CLASS_FILE]) {
1339 aa_put_pdb(rules->file);
1340 rules->file = aa_get_pdb(rules->policy);
1341 } else {
1342 aa_put_pdb(rules->file);
1343 rules->file = aa_get_pdb(nullpdb);
1344 }
1345 error = -EPROTO;
1346 if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
1347 info = "out of memory";
1348 profile->data = kzalloc_obj(*profile->data);
1349 if (!profile->data) {
1350 error = -ENOMEM;
1351 goto fail;
1352 }
1353 params.nelem_hint = 3;
1354 params.key_len = sizeof(void *);
1355 params.key_offset = offsetof(struct aa_data, key);
1356 params.head_offset = offsetof(struct aa_data, head);
1357 params.hashfn = strhash;
1358 params.obj_cmpfn = datacmp;
1359
1360 if (rhashtable_init(profile->data, ¶ms)) {
1361 info = "failed to init key, value hash table";
1362 goto fail;
1363 }
1364
1365 while (aa_unpack_strdup(e, &key, NULL)) {
1366 data = kzalloc_obj(*data);
1367 if (!data) {
1368 kfree_sensitive(key);
1369 error = -ENOMEM;
1370 goto fail;
1371 }
1372
1373 data->key = key;
1374 data->size = aa_unpack_blob(e, &data->data, NULL);
1375 data->data = kvmemdup(data->data, data->size, GFP_KERNEL);
1376 if (data->size && !data->data) {
1377 kfree_sensitive(data->key);
1378 kfree_sensitive(data);
1379 error = -ENOMEM;
1380 goto fail;
1381 }
1382
1383 if (rhashtable_insert_fast(profile->data, &data->head,
1384 profile->data->p)) {
1385 kvfree_sensitive(data->data, data->size);
1386 kfree_sensitive(data->key);
1387 kfree_sensitive(data);
1388 info = "failed to insert data to table";
1389 goto fail;
1390 }
1391 }
1392
1393 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1394 info = "failed to unpack end of key, value data table";
1395 goto fail;
1396 }
1397 }
1398
1399 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1400 info = "failed to unpack end of profile";
1401 goto fail;
1402 }
1403
1404 aa_compute_profile_mediates(profile);
1405
1406 return profile;
1407
1408 fail:
1409 if (error == 0)
1410 /* default error covers most cases */
1411 error = -EPROTO;
1412 if (*ns_name) {
1413 kfree(*ns_name);
1414 *ns_name = NULL;
1415 }
1416 if (profile)
1417 name = NULL;
1418 else if (!name)
1419 name = "unknown";
1420 audit_iface(profile, NULL, name, info, e, error);
1421 aa_free_profile(profile);
1422
1423 return ERR_PTR(error);
1424 }
1425
1426 /**
1427 * verify_header - unpack serialized stream header
1428 * @e: serialized data read head (NOT NULL)
1429 * @required: whether the header is required or optional
1430 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
1431 *
1432 * Returns: error or 0 if header is good
1433 */
verify_header(struct aa_ext * e,int required,const char ** ns)1434 static int verify_header(struct aa_ext *e, int required, const char **ns)
1435 {
1436 int error = -EPROTONOSUPPORT;
1437 const char *name = NULL;
1438
1439 /* get the interface version */
1440 if (!aa_unpack_u32(e, &e->version, "version")) {
1441 if (required) {
1442 audit_iface(NULL, NULL, NULL, "invalid profile format",
1443 e, error);
1444 return error;
1445 }
1446 }
1447
1448 /* Check that the interface version is currently supported.
1449 * if not specified use previous version
1450 * Mask off everything that is not kernel abi version
1451 */
1452 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) {
1453 audit_iface(NULL, NULL, NULL, "unsupported interface version",
1454 e, error);
1455 return error;
1456 }
1457
1458 /* read the namespace if present */
1459 if (aa_unpack_str(e, &name, "namespace")) {
1460 if (*name == '\0') {
1461 audit_iface(NULL, NULL, NULL, "invalid namespace name",
1462 e, error);
1463 return error;
1464 }
1465 if (*ns && strcmp(*ns, name)) {
1466 audit_iface(NULL, NULL, NULL, "invalid ns change", e,
1467 error);
1468 } else if (!*ns) {
1469 *ns = kstrdup(name, GFP_KERNEL);
1470 if (!*ns)
1471 return -ENOMEM;
1472 }
1473 }
1474
1475 return 0;
1476 }
1477
1478 /**
1479 * verify_dfa_accept_index - verify accept indexes are in range of perms table
1480 * @dfa: the dfa to check accept indexes are in range
1481 * @table_size: the permission table size the indexes should be within
1482 */
verify_dfa_accept_index(struct aa_dfa * dfa,int table_size)1483 static bool verify_dfa_accept_index(struct aa_dfa *dfa, int table_size)
1484 {
1485 int i;
1486 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
1487 if (ACCEPT_TABLE(dfa)[i] >= table_size)
1488 return false;
1489 }
1490 return true;
1491 }
1492
verify_perm(struct aa_perms * perm)1493 static bool verify_perm(struct aa_perms *perm)
1494 {
1495 /* TODO: allow option to just force the perms into a valid state */
1496 if (perm->allow & perm->deny)
1497 return false;
1498 if (perm->subtree & ~perm->allow)
1499 return false;
1500 if (perm->cond & (perm->allow | perm->deny))
1501 return false;
1502 if (perm->kill & perm->allow)
1503 return false;
1504 if (perm->complain & (perm->allow | perm->deny))
1505 return false;
1506 if (perm->prompt & (perm->allow | perm->deny))
1507 return false;
1508 if (perm->complain & perm->prompt)
1509 return false;
1510 if (perm->hide & perm->allow)
1511 return false;
1512
1513 return true;
1514 }
1515
verify_perms(struct aa_policydb * pdb)1516 static bool verify_perms(struct aa_policydb *pdb)
1517 {
1518 int i;
1519 int xidx, xmax = -1;
1520
1521 for (i = 0; i < pdb->size; i++) {
1522 if (!verify_perm(&pdb->perms[i]))
1523 return false;
1524 /* verify indexes into str table */
1525 if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
1526 xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK;
1527 if (xidx >= pdb->trans.size)
1528 return false;
1529 if (xmax < xidx)
1530 xmax = xidx;
1531 }
1532 if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->tags.sets.size)
1533 return false;
1534 if (pdb->perms[i].label &&
1535 pdb->perms[i].label >= pdb->trans.size)
1536 return false;
1537 }
1538 /* deal with incorrectly constructed string tables */
1539 if (xmax == -1) {
1540 aa_destroy_str_table(&pdb->trans);
1541 } else if (pdb->trans.size > xmax + 1) {
1542 if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL))
1543 return false;
1544 }
1545 return true;
1546 }
1547
1548 /**
1549 * verify_profile - Do post unpack analysis to verify profile consistency
1550 * @profile: profile to verify (NOT NULL)
1551 *
1552 * Returns: 0 if passes verification else error
1553 *
1554 * This verification is post any unpack mapping or changes
1555 */
verify_profile(struct aa_profile * profile)1556 static int verify_profile(struct aa_profile *profile)
1557 {
1558 struct aa_ruleset *rules = profile->label.rules[0];
1559
1560 if (!rules)
1561 return 0;
1562
1563 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa,
1564 rules->file->size)) {
1565 audit_iface(profile, NULL, NULL,
1566 "Unpack: file Invalid named transition", NULL,
1567 -EPROTO);
1568 return -EPROTO;
1569 }
1570 if (rules->policy->dfa &&
1571 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) {
1572 audit_iface(profile, NULL, NULL,
1573 "Unpack: policy Invalid named transition", NULL,
1574 -EPROTO);
1575 return -EPROTO;
1576 }
1577
1578 if (!verify_perms(rules->file)) {
1579 audit_iface(profile, NULL, NULL,
1580 "Unpack: Invalid perm index", NULL, -EPROTO);
1581 return -EPROTO;
1582 }
1583 if (!verify_perms(rules->policy)) {
1584 audit_iface(profile, NULL, NULL,
1585 "Unpack: Invalid perm index", NULL, -EPROTO);
1586 return -EPROTO;
1587 }
1588 if (!verify_perms(profile->attach.xmatch)) {
1589 audit_iface(profile, NULL, NULL,
1590 "Unpack: Invalid perm index", NULL, -EPROTO);
1591 return -EPROTO;
1592 }
1593
1594 return 0;
1595 }
1596
aa_load_ent_free(struct aa_load_ent * ent)1597 void aa_load_ent_free(struct aa_load_ent *ent)
1598 {
1599 if (ent) {
1600 aa_put_profile(ent->rename);
1601 aa_put_profile(ent->old);
1602 aa_put_profile(ent->new);
1603 kfree(ent->ns_name);
1604 kfree_sensitive(ent);
1605 }
1606 }
1607
aa_load_ent_alloc(void)1608 struct aa_load_ent *aa_load_ent_alloc(void)
1609 {
1610 struct aa_load_ent *ent = kzalloc_obj(*ent);
1611 if (ent)
1612 INIT_LIST_HEAD(&ent->list);
1613 return ent;
1614 }
1615
compress_zstd(const char * src,size_t slen,char ** dst,size_t * dlen)1616 static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen)
1617 {
1618 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1619 const zstd_parameters params =
1620 zstd_get_params(aa_g_rawdata_compression_level, slen);
1621 const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams);
1622 void *wksp = NULL;
1623 zstd_cctx *ctx = NULL;
1624 size_t out_len = zstd_compress_bound(slen);
1625 void *out = NULL;
1626 int ret = 0;
1627
1628 out = kvzalloc(out_len, GFP_KERNEL);
1629 if (!out) {
1630 ret = -ENOMEM;
1631 goto cleanup;
1632 }
1633
1634 wksp = kvzalloc(wksp_len, GFP_KERNEL);
1635 if (!wksp) {
1636 ret = -ENOMEM;
1637 goto cleanup;
1638 }
1639
1640 ctx = zstd_init_cctx(wksp, wksp_len);
1641 if (!ctx) {
1642 ret = -EINVAL;
1643 goto cleanup;
1644 }
1645
1646 out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms);
1647 if (zstd_is_error(out_len) || out_len >= slen) {
1648 ret = -EINVAL;
1649 goto cleanup;
1650 }
1651
1652 if (is_vmalloc_addr(out)) {
1653 *dst = kvzalloc(out_len, GFP_KERNEL);
1654 if (*dst) {
1655 memcpy(*dst, out, out_len);
1656 kvfree(out);
1657 out = NULL;
1658 }
1659 } else {
1660 /*
1661 * If the staging buffer was kmalloc'd, then using krealloc is
1662 * probably going to be faster. The destination buffer will
1663 * always be smaller, so it's just shrunk, avoiding a memcpy
1664 */
1665 *dst = krealloc(out, out_len, GFP_KERNEL);
1666 }
1667
1668 if (!*dst) {
1669 ret = -ENOMEM;
1670 goto cleanup;
1671 }
1672
1673 *dlen = out_len;
1674
1675 cleanup:
1676 if (ret) {
1677 kvfree(out);
1678 *dst = NULL;
1679 }
1680
1681 kvfree(wksp);
1682 return ret;
1683 #else
1684 *dlen = slen;
1685 return 0;
1686 #endif
1687 }
1688
compress_loaddata(struct aa_loaddata * data)1689 static int compress_loaddata(struct aa_loaddata *data)
1690 {
1691 AA_BUG(data->compressed_size > 0);
1692
1693 /*
1694 * Shortcut the no compression case, else we increase the amount of
1695 * storage required by a small amount
1696 */
1697 if (aa_g_rawdata_compression_level != 0) {
1698 void *udata = data->data;
1699 int error = compress_zstd(udata, data->size, &data->data,
1700 &data->compressed_size);
1701 if (error) {
1702 data->compressed_size = data->size;
1703 return error;
1704 }
1705 if (udata != data->data)
1706 kvfree(udata);
1707 } else
1708 data->compressed_size = data->size;
1709
1710 return 0;
1711 }
1712
1713 /**
1714 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1715 * @udata: user data copied to kmem (NOT NULL)
1716 * @lh: list to place unpacked profiles in a aa_repl_ws
1717 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1718 *
1719 * Unpack user data and return refcounted allocated profile(s) stored in
1720 * @lh in order of discovery, with the list chain stored in base.list
1721 * or error
1722 *
1723 * Returns: profile(s) on @lh else error pointer if fails to unpack
1724 */
aa_unpack(struct aa_loaddata * udata,struct list_head * lh,const char ** ns)1725 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
1726 const char **ns)
1727 {
1728 struct aa_load_ent *tmp, *ent;
1729 struct aa_profile *profile = NULL;
1730 char *ns_name = NULL;
1731 int error;
1732 struct aa_ext e = {
1733 .start = udata->data,
1734 .end = udata->data + udata->size,
1735 .pos = udata->data,
1736 };
1737
1738 *ns = NULL;
1739 while (e.pos < e.end) {
1740 void *start;
1741 error = verify_header(&e, e.pos == e.start, ns);
1742 if (error)
1743 goto fail;
1744
1745 start = e.pos;
1746 profile = unpack_profile(&e, &ns_name);
1747 if (IS_ERR(profile)) {
1748 error = PTR_ERR(profile);
1749 goto fail;
1750 }
1751
1752 error = verify_profile(profile);
1753 if (error)
1754 goto fail_profile;
1755
1756 if (aa_g_hash_policy)
1757 error = aa_calc_profile_hash(profile, e.version, start,
1758 e.pos - start);
1759 if (error)
1760 goto fail_profile;
1761
1762 ent = aa_load_ent_alloc();
1763 if (!ent) {
1764 error = -ENOMEM;
1765 goto fail_profile;
1766 }
1767
1768 ent->new = profile;
1769 ent->ns_name = ns_name;
1770 ns_name = NULL;
1771 list_add_tail(&ent->list, lh);
1772 }
1773 udata->abi = e.version & K_ABI_MASK;
1774 if (aa_g_hash_policy) {
1775 udata->hash = aa_calc_hash(udata->data, udata->size);
1776 if (IS_ERR(udata->hash)) {
1777 error = PTR_ERR(udata->hash);
1778 udata->hash = NULL;
1779 goto fail;
1780 }
1781 }
1782
1783 if (aa_g_export_binary) {
1784 error = compress_loaddata(udata);
1785 if (error)
1786 goto fail;
1787 }
1788 return 0;
1789
1790 fail_profile:
1791 kfree(ns_name);
1792 aa_put_profile(profile);
1793
1794 fail:
1795 list_for_each_entry_safe(ent, tmp, lh, list) {
1796 list_del_init(&ent->list);
1797 aa_load_ent_free(ent);
1798 }
1799
1800 return error;
1801 }
1802