1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor functions for unpacking policy loaded from
6 * userspace.
7 *
8 * Copyright (C) 1998-2008 Novell/SUSE
9 * Copyright 2009-2010 Canonical Ltd.
10 *
11 * AppArmor uses a serialized binary format for loading policy. To find
12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
13 * All policy is validated before it is used.
14 */
15
16 #include <linux/unaligned.h>
17 #include <kunit/visibility.h>
18 #include <linux/ctype.h>
19 #include <linux/errno.h>
20 #include <linux/zstd.h>
21
22 #include "include/apparmor.h"
23 #include "include/audit.h"
24 #include "include/cred.h"
25 #include "include/crypto.h"
26 #include "include/file.h"
27 #include "include/match.h"
28 #include "include/path.h"
29 #include "include/policy.h"
30 #include "include/policy_unpack.h"
31 #include "include/policy_compat.h"
32 #include "include/signal.h"
33
34 /* audit callback for unpack fields */
audit_cb(struct audit_buffer * ab,void * va)35 static void audit_cb(struct audit_buffer *ab, void *va)
36 {
37 struct common_audit_data *sa = va;
38 struct apparmor_audit_data *ad = aad(sa);
39
40 if (ad->iface.ns) {
41 audit_log_format(ab, " ns=");
42 audit_log_untrustedstring(ab, ad->iface.ns);
43 }
44 if (ad->name) {
45 audit_log_format(ab, " name=");
46 audit_log_untrustedstring(ab, ad->name);
47 }
48 if (ad->iface.pos)
49 audit_log_format(ab, " offset=%ld", ad->iface.pos);
50 }
51
52 /**
53 * audit_iface - do audit message for policy unpacking/load/replace/remove
54 * @new: profile if it has been allocated (MAYBE NULL)
55 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
56 * @name: name of the profile being manipulated (MAYBE NULL)
57 * @info: any extra info about the failure (MAYBE NULL)
58 * @e: buffer position info
59 * @error: error code
60 *
61 * Returns: %0 or error
62 */
audit_iface(struct aa_profile * new,const char * ns_name,const char * name,const char * info,struct aa_ext * e,int error)63 static int audit_iface(struct aa_profile *new, const char *ns_name,
64 const char *name, const char *info, struct aa_ext *e,
65 int error)
66 {
67 struct aa_profile *profile = labels_profile(aa_current_raw_label());
68 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
69 if (e)
70 ad.iface.pos = e->pos - e->start;
71 ad.iface.ns = ns_name;
72 if (new)
73 ad.name = new->base.hname;
74 else
75 ad.name = name;
76 ad.info = info;
77 ad.error = error;
78
79 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb);
80 }
81
__aa_loaddata_update(struct aa_loaddata * data,long revision)82 void __aa_loaddata_update(struct aa_loaddata *data, long revision)
83 {
84 AA_BUG(!data);
85 AA_BUG(!data->ns);
86 AA_BUG(!mutex_is_locked(&data->ns->lock));
87 AA_BUG(data->revision > revision);
88
89 data->revision = revision;
90 if ((data->dents[AAFS_LOADDATA_REVISION])) {
91 struct inode *inode;
92
93 inode = d_inode(data->dents[AAFS_LOADDATA_DIR]);
94 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
95
96 inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]);
97 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
98 }
99 }
100
aa_rawdata_eq(struct aa_loaddata * l,struct aa_loaddata * r)101 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
102 {
103 if (l->size != r->size)
104 return false;
105 if (l->compressed_size != r->compressed_size)
106 return false;
107 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
108 return false;
109 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
110 }
111
do_loaddata_free(struct aa_loaddata * d)112 static void do_loaddata_free(struct aa_loaddata *d)
113 {
114 kfree_sensitive(d->hash);
115 kfree_sensitive(d->name);
116 kvfree(d->data);
117 kfree_sensitive(d);
118 }
119
aa_loaddata_kref(struct kref * kref)120 void aa_loaddata_kref(struct kref *kref)
121 {
122 struct aa_loaddata *d = container_of(kref, struct aa_loaddata,
123 count.count);
124
125 do_loaddata_free(d);
126 }
127
128 /*
129 * need to take the ns mutex lock which is NOT safe most places that
130 * put_loaddata is called, so we have to delay freeing it
131 */
do_ploaddata_rmfs(struct work_struct * work)132 static void do_ploaddata_rmfs(struct work_struct *work)
133 {
134 struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
135 struct aa_ns *ns = aa_get_ns(d->ns);
136
137 if (ns) {
138 mutex_lock_nested(&ns->lock, ns->level);
139 /* remove fs ref to loaddata */
140 __aa_fs_remove_rawdata(d);
141 mutex_unlock(&ns->lock);
142 aa_put_ns(ns);
143 }
144 /* called by dropping last pcount, so drop its associated icount */
145 aa_put_i_loaddata(d);
146 }
147
aa_ploaddata_kref(struct kref * kref)148 void aa_ploaddata_kref(struct kref *kref)
149 {
150 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, pcount);
151
152 if (d) {
153 INIT_WORK(&d->work, do_ploaddata_rmfs);
154 schedule_work(&d->work);
155 }
156 }
157
aa_loaddata_alloc(size_t size)158 struct aa_loaddata *aa_loaddata_alloc(size_t size)
159 {
160 struct aa_loaddata *d;
161
162 d = kzalloc_obj(*d);
163 if (d == NULL)
164 return ERR_PTR(-ENOMEM);
165 d->data = kvzalloc(size, GFP_KERNEL);
166 if (!d->data) {
167 kfree(d);
168 return ERR_PTR(-ENOMEM);
169 }
170 kref_init(&d->count.count);
171 d->count.reftype = REF_RAWDATA;
172 kref_init(&d->pcount);
173 INIT_LIST_HEAD(&d->list);
174
175 return d;
176 }
177
178 /* test if read will be in packed data bounds */
aa_inbounds(struct aa_ext * e,size_t size)179 VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size)
180 {
181 return (size <= e->end - e->pos);
182 }
183 EXPORT_SYMBOL_IF_KUNIT(aa_inbounds);
184
185 /**
186 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
187 * @e: serialized data read head (NOT NULL)
188 * @chunk: start address for chunk of data (NOT NULL)
189 *
190 * Returns: the size of chunk found with the read head at the end of the chunk.
191 */
aa_unpack_u16_chunk(struct aa_ext * e,char ** chunk)192 VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk)
193 {
194 size_t size = 0;
195 void *pos = e->pos;
196
197 if (!aa_inbounds(e, sizeof(u16)))
198 goto fail;
199 size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
200 e->pos += sizeof(__le16);
201 if (!aa_inbounds(e, size))
202 goto fail;
203 *chunk = e->pos;
204 e->pos += size;
205 return size;
206
207 fail:
208 e->pos = pos;
209 return 0;
210 }
211 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk);
212
213 /* unpack control byte */
aa_unpack_X(struct aa_ext * e,enum aa_code code)214 VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code)
215 {
216 if (!aa_inbounds(e, 1))
217 return false;
218 if (*(u8 *) e->pos != code)
219 return false;
220 e->pos++;
221 return true;
222 }
223 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X);
224
225 /**
226 * aa_unpack_nameX - check is the next element is of type X with a name of @name
227 * @e: serialized data extent information (NOT NULL)
228 * @code: type code
229 * @name: name to match to the serialized element. (MAYBE NULL)
230 *
231 * check that the next serialized data element is of type X and has a tag
232 * name @name. If @name is specified then there must be a matching
233 * name element in the stream. If @name is NULL any name element will be
234 * skipped and only the typecode will be tested.
235 *
236 * Returns true on success (both type code and name tests match) and the read
237 * head is advanced past the headers
238 *
239 * Returns: false if either match fails, the read head does not move
240 */
aa_unpack_nameX(struct aa_ext * e,enum aa_code code,const char * name)241 VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
242 {
243 /*
244 * May need to reset pos if name or type doesn't match
245 */
246 void *pos = e->pos;
247 /*
248 * Check for presence of a tagname, and if present name size
249 * AA_NAME tag value is a u16.
250 */
251 if (aa_unpack_X(e, AA_NAME)) {
252 char *tag = NULL;
253 size_t size = aa_unpack_u16_chunk(e, &tag);
254 /* if a name is specified it must match. otherwise skip tag */
255 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
256 goto fail;
257 } else if (name) {
258 /* if a name is specified and there is no name tag fail */
259 goto fail;
260 }
261
262 /* now check if type code matches */
263 if (aa_unpack_X(e, code))
264 return true;
265
266 fail:
267 e->pos = pos;
268 return false;
269 }
270 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX);
271
unpack_u8(struct aa_ext * e,u8 * data,const char * name)272 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
273 {
274 void *pos = e->pos;
275
276 if (aa_unpack_nameX(e, AA_U8, name)) {
277 if (!aa_inbounds(e, sizeof(u8)))
278 goto fail;
279 if (data)
280 *data = *((u8 *)e->pos);
281 e->pos += sizeof(u8);
282 return true;
283 }
284
285 fail:
286 e->pos = pos;
287 return false;
288 }
289
aa_unpack_u32(struct aa_ext * e,u32 * data,const char * name)290 VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name)
291 {
292 void *pos = e->pos;
293
294 if (aa_unpack_nameX(e, AA_U32, name)) {
295 if (!aa_inbounds(e, sizeof(u32)))
296 goto fail;
297 if (data)
298 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
299 e->pos += sizeof(u32);
300 return true;
301 }
302
303 fail:
304 e->pos = pos;
305 return false;
306 }
307 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32);
308
aa_unpack_u64(struct aa_ext * e,u64 * data,const char * name)309 VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name)
310 {
311 void *pos = e->pos;
312
313 if (aa_unpack_nameX(e, AA_U64, name)) {
314 if (!aa_inbounds(e, sizeof(u64)))
315 goto fail;
316 if (data)
317 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
318 e->pos += sizeof(u64);
319 return true;
320 }
321
322 fail:
323 e->pos = pos;
324 return false;
325 }
326 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64);
327
aa_unpack_cap_low(struct aa_ext * e,kernel_cap_t * data,const char * name)328 static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name)
329 {
330 u32 val;
331
332 if (!aa_unpack_u32(e, &val, name))
333 return false;
334 data->val = val;
335 return true;
336 }
337
aa_unpack_cap_high(struct aa_ext * e,kernel_cap_t * data,const char * name)338 static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name)
339 {
340 u32 val;
341
342 if (!aa_unpack_u32(e, &val, name))
343 return false;
344 data->val = (u32)data->val | ((u64)val << 32);
345 return true;
346 }
347
aa_unpack_array(struct aa_ext * e,const char * name,u16 * size)348 VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size)
349 {
350 void *pos = e->pos;
351
352 if (aa_unpack_nameX(e, AA_ARRAY, name)) {
353 if (!aa_inbounds(e, sizeof(u16)))
354 goto fail;
355 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
356 e->pos += sizeof(u16);
357 return true;
358 }
359
360 fail:
361 e->pos = pos;
362 return false;
363 }
364 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array);
365
aa_unpack_blob(struct aa_ext * e,char ** blob,const char * name)366 VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name)
367 {
368 void *pos = e->pos;
369
370 if (aa_unpack_nameX(e, AA_BLOB, name)) {
371 u32 size;
372 if (!aa_inbounds(e, sizeof(u32)))
373 goto fail;
374 size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
375 e->pos += sizeof(u32);
376 if (aa_inbounds(e, (size_t) size)) {
377 *blob = e->pos;
378 e->pos += size;
379 return size;
380 }
381 }
382
383 fail:
384 e->pos = pos;
385 return 0;
386 }
387 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob);
388
aa_unpack_str(struct aa_ext * e,const char ** string,const char * name)389 VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name)
390 {
391 char *src_str;
392 size_t size = 0;
393 void *pos = e->pos;
394 *string = NULL;
395 if (aa_unpack_nameX(e, AA_STRING, name)) {
396 size = aa_unpack_u16_chunk(e, &src_str);
397 if (size) {
398 /* strings are null terminated, length is size - 1 */
399 if (src_str[size - 1] != 0)
400 goto fail;
401 *string = src_str;
402
403 return size;
404 }
405 }
406
407 fail:
408 e->pos = pos;
409 return 0;
410 }
411 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str);
412
aa_unpack_strdup(struct aa_ext * e,char ** string,const char * name)413 VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name)
414 {
415 const char *tmp;
416 void *pos = e->pos;
417 int res = aa_unpack_str(e, &tmp, name);
418 *string = NULL;
419
420 if (!res)
421 return 0;
422
423 *string = kmemdup(tmp, res, GFP_KERNEL);
424 if (!*string) {
425 e->pos = pos;
426 return 0;
427 }
428
429 return res;
430 }
431 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup);
432
433
434 /**
435 * unpack_dfa - unpack a file rule dfa
436 * @e: serialized data extent information (NOT NULL)
437 * @flags: dfa flags to check
438 *
439 * returns dfa or ERR_PTR or NULL if no dfa
440 */
unpack_dfa(struct aa_ext * e,int flags)441 static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags)
442 {
443 char *blob = NULL;
444 size_t size;
445 struct aa_dfa *dfa = NULL;
446
447 size = aa_unpack_blob(e, &blob, "aadfa");
448 if (size) {
449 /*
450 * The dfa is aligned with in the blob to 8 bytes
451 * from the beginning of the stream.
452 * alignment adjust needed by dfa unpack
453 */
454 size_t sz = blob - (char *) e->start -
455 ((e->pos - e->start) & 7);
456 size_t pad = ALIGN(sz, 8) - sz;
457 if (aa_g_paranoid_load)
458 flags |= DFA_FLAG_VERIFY_STATES;
459 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
460
461 if (IS_ERR(dfa))
462 return dfa;
463
464 }
465
466 return dfa;
467 }
468
process_strs_entry(char * str,int size,bool multi)469 static int process_strs_entry(char *str, int size, bool multi)
470 {
471 int c = 1;
472
473 if (size <= 0)
474 return -1;
475 if (multi) {
476 if (size < 2)
477 return -2;
478 /* multi ends with double \0 */
479 if (str[size - 2])
480 return -3;
481 }
482
483 char *save = str;
484 char *pos = str;
485 char *end = multi ? str + size - 2 : str + size - 1;
486 /* count # of internal \0 */
487 while (str < end) {
488 if (str == pos) {
489 /* starts with ... */
490 if (!*str) {
491 AA_DEBUG(DEBUG_UNPACK,
492 "starting with null save=%lu size %d c=%d",
493 (unsigned long)(str - save), size, c);
494 return -4;
495 }
496 if (isspace(*str))
497 return -5;
498 if (*str == ':') {
499 /* :ns_str\0str\0
500 * first character after : must be valid
501 */
502 if (!str[1])
503 return -6;
504 }
505 } else if (!*str) {
506 if (*pos == ':')
507 *str = ':';
508 else
509 c++;
510 pos = str + 1;
511 }
512 str++;
513 } /* while */
514
515 return c;
516 }
517
518 /**
519 * unpack_strs_table - unpack a profile transition table
520 * @e: serialized data extent information (NOT NULL)
521 * @name: name of table (MAY BE NULL)
522 * @multi: allow multiple strings on a single entry
523 * @strs: str table to unpack to (NOT NULL)
524 *
525 * Returns: 0 if table successfully unpacked or not present, else error
526 */
unpack_strs_table(struct aa_ext * e,const char * name,bool multi,struct aa_str_table * strs)527 static int unpack_strs_table(struct aa_ext *e, const char *name, bool multi,
528 struct aa_str_table *strs)
529 {
530 void *saved_pos = e->pos;
531 struct aa_str_table_ent *table = NULL;
532 int error = -EPROTO;
533
534 /* exec table is optional */
535 if (aa_unpack_nameX(e, AA_STRUCT, name)) {
536 u16 size;
537 int i;
538
539 if (!aa_unpack_array(e, NULL, &size))
540 /*
541 * Note: index into trans table array is a max
542 * of 2^24, but unpack array can only unpack
543 * an array of 2^16 in size atm so no need
544 * for size check here
545 */
546 goto fail;
547 table = kzalloc_objs(struct aa_str_table_ent, size);
548 if (!table) {
549 error = -ENOMEM;
550 goto fail;
551 }
552 strs->table = table;
553 strs->size = size;
554 for (i = 0; i < size; i++) {
555 char *str;
556 int c, size2 = aa_unpack_strdup(e, &str, NULL);
557 /* aa_unpack_strdup verifies that the last character is
558 * null termination byte.
559 */
560 c = process_strs_entry(str, size2, multi);
561 if (c <= 0) {
562 AA_DEBUG(DEBUG_UNPACK, "process_strs %d i %d pos %ld",
563 c, i,
564 (unsigned long)(e->pos - saved_pos));
565 goto fail;
566 }
567 if (!multi && c > 1) {
568 AA_DEBUG(DEBUG_UNPACK, "!multi && c > 1");
569 /* fail - all other cases with embedded \0 */
570 goto fail;
571 }
572 table[i].strs = str;
573 table[i].count = c;
574 table[i].size = size2;
575 }
576 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
577 goto fail;
578 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
579 goto fail;
580 }
581 return 0;
582
583 fail:
584 aa_destroy_str_table(strs);
585 e->pos = saved_pos;
586 return error;
587 }
588
unpack_xattrs(struct aa_ext * e,struct aa_profile * profile)589 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
590 {
591 void *pos = e->pos;
592
593 if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) {
594 u16 size;
595 int i;
596
597 if (!aa_unpack_array(e, NULL, &size))
598 goto fail;
599 profile->attach.xattr_count = size;
600 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
601 if (!profile->attach.xattrs)
602 goto fail;
603 for (i = 0; i < size; i++) {
604 if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL))
605 goto fail;
606 }
607 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
608 goto fail;
609 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
610 goto fail;
611 }
612
613 return true;
614
615 fail:
616 e->pos = pos;
617 return false;
618 }
619
unpack_secmark(struct aa_ext * e,struct aa_ruleset * rules)620 static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
621 {
622 void *pos = e->pos;
623 u16 size;
624 int i;
625
626 if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
627 if (!aa_unpack_array(e, NULL, &size))
628 goto fail;
629
630 rules->secmark = kzalloc_objs(struct aa_secmark, size);
631 if (!rules->secmark)
632 goto fail;
633
634 rules->secmark_count = size;
635
636 for (i = 0; i < size; i++) {
637 if (!unpack_u8(e, &rules->secmark[i].audit, NULL))
638 goto fail;
639 if (!unpack_u8(e, &rules->secmark[i].deny, NULL))
640 goto fail;
641 if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL))
642 goto fail;
643 }
644 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
645 goto fail;
646 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
647 goto fail;
648 }
649
650 return true;
651
652 fail:
653 if (rules->secmark) {
654 for (i = 0; i < size; i++)
655 kfree_sensitive(rules->secmark[i].label);
656 kfree_sensitive(rules->secmark);
657 rules->secmark_count = 0;
658 rules->secmark = NULL;
659 }
660
661 e->pos = pos;
662 return false;
663 }
664
unpack_rlimits(struct aa_ext * e,struct aa_ruleset * rules)665 static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules)
666 {
667 void *pos = e->pos;
668
669 /* rlimits are optional */
670 if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) {
671 u16 size;
672 int i;
673 u32 tmp = 0;
674 if (!aa_unpack_u32(e, &tmp, NULL))
675 goto fail;
676 rules->rlimits.mask = tmp;
677
678 if (!aa_unpack_array(e, NULL, &size) ||
679 size > RLIM_NLIMITS)
680 goto fail;
681 for (i = 0; i < size; i++) {
682 u64 tmp2 = 0;
683 int a = aa_map_resource(i);
684 if (!aa_unpack_u64(e, &tmp2, NULL))
685 goto fail;
686 rules->rlimits.limits[a].rlim_max = tmp2;
687 }
688 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
689 goto fail;
690 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
691 goto fail;
692 }
693 return true;
694
695 fail:
696 e->pos = pos;
697 return false;
698 }
699
700
verify_tags(struct aa_tags_struct * tags,const char ** info)701 static bool verify_tags(struct aa_tags_struct *tags, const char **info)
702 {
703 if ((tags->hdrs.size && !tags->hdrs.table) ||
704 (!tags->hdrs.size && tags->hdrs.table)) {
705 *info = "failed verification tag.hdrs disagree";
706 return false;
707 }
708 if ((tags->sets.size && !tags->sets.table) ||
709 (!tags->sets.size && tags->sets.table)) {
710 *info = "failed verification tag.sets disagree";
711 return false;
712 }
713 if ((tags->strs.size && !tags->strs.table) ||
714 (!tags->strs.size && tags->strs.table)) {
715 *info = "failed verification tags->strs disagree";
716 return false;
717 }
718 /* no data present */
719 if (!tags->sets.size && !tags->hdrs.size && !tags->strs.size) {
720 return true;
721 } else if (!(tags->sets.size && tags->hdrs.size && tags->strs.size)) {
722 /* some data present but not all */
723 *info = "failed verification tags partial data present";
724 return false;
725 }
726
727 u32 i;
728
729 for (i = 0; i < tags->sets.size; i++) {
730 /* count followed by count indexes into hdrs */
731 u32 cnt = tags->sets.table[i];
732
733 if (i+cnt >= tags->sets.size) {
734 AA_DEBUG(DEBUG_UNPACK,
735 "tagset too large %d+%d > sets.table[%d]",
736 i, cnt, tags->sets.size);
737 *info = "failed verification tagset too large";
738 return false;
739 }
740 for (; cnt; cnt--) {
741 if (tags->sets.table[++i] >= tags->hdrs.size) {
742 AA_DEBUG(DEBUG_UNPACK,
743 "tagsets idx out of bounds cnt %d sets.table[%d] >= %d",
744 cnt, i-1, tags->hdrs.size);
745 *info = "failed verification tagsets idx out of bounds";
746 return false;
747 }
748 }
749 }
750 for (i = 0; i < tags->hdrs.size; i++) {
751 u32 idx = tags->hdrs.table[i].tags;
752
753 if (idx >= tags->strs.size) {
754 AA_DEBUG(DEBUG_UNPACK,
755 "tag.hdrs idx oob idx %d > tags->strs.size=%d",
756 idx, tags->strs.size);
757 *info = "failed verification tags.hdrs idx out of bounds";
758 return false;
759 }
760 if (tags->hdrs.table[i].count != tags->strs.table[idx].count) {
761 AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].count=%d != tags->strs.table[%d]=%d",
762 i, tags->hdrs.table[i].count, idx, tags->strs.table[idx].count);
763 *info = "failed verification tagd.hdrs[idx].count";
764 return false;
765 }
766 if (tags->hdrs.table[i].size != tags->strs.table[idx].size) {
767 AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].size=%d != strs.table[%d].size=%d",
768 i, tags->hdrs.table[i].size, idx, tags->strs.table[idx].size);
769 *info = "failed verification tagd.hdrs[idx].size";
770 return false;
771 }
772 }
773
774 return true;
775 }
776
unpack_tagsets(struct aa_ext * e,struct aa_tags_struct * tags)777 static int unpack_tagsets(struct aa_ext *e, struct aa_tags_struct *tags)
778 {
779 u32 *sets;
780 u16 i, size;
781 int error = -EPROTO;
782 void *pos = e->pos;
783
784 if (!aa_unpack_array(e, "sets", &size))
785 goto fail_reset;
786 sets = kcalloc(size, sizeof(u32), GFP_KERNEL);
787 if (!sets) {
788 error = -ENOMEM;
789 goto fail_reset;
790 }
791 for (i = 0; i < size; i++) {
792 if (!aa_unpack_u32(e, &sets[i], NULL))
793 goto fail;
794 }
795 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
796 goto fail;
797
798 tags->sets.size = size;
799 tags->sets.table = sets;
800
801 return 0;
802
803 fail:
804 kfree_sensitive(sets);
805 fail_reset:
806 e->pos = pos;
807 return error;
808 }
809
unpack_tag_header_ent(struct aa_ext * e,struct aa_tags_header * h)810 static bool unpack_tag_header_ent(struct aa_ext *e, struct aa_tags_header *h)
811 {
812 return aa_unpack_u32(e, &h->mask, NULL) &&
813 aa_unpack_u32(e, &h->count, NULL) &&
814 aa_unpack_u32(e, &h->size, NULL) &&
815 aa_unpack_u32(e, &h->tags, NULL);
816 }
817
unpack_tag_headers(struct aa_ext * e,struct aa_tags_struct * tags)818 static int unpack_tag_headers(struct aa_ext *e, struct aa_tags_struct *tags)
819 {
820 struct aa_tags_header *hdrs;
821 u16 i, size;
822 int error = -EPROTO;
823 void *pos = e->pos;
824
825 if (!aa_unpack_array(e, "hdrs", &size))
826 goto fail_reset;
827 hdrs = kzalloc_objs(struct aa_tags_header, size);
828 if (!hdrs) {
829 error = -ENOMEM;
830 goto fail_reset;
831 }
832 for (i = 0; i < size; i++) {
833 if (!unpack_tag_header_ent(e, &hdrs[i]))
834 goto fail;
835 }
836 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
837 goto fail;
838
839 tags->hdrs.size = size;
840 tags->hdrs.table = hdrs;
841 AA_DEBUG(DEBUG_UNPACK, "headers %ld size %d", (long) hdrs, size);
842 return true;
843
844 fail:
845 kfree_sensitive(hdrs);
846 fail_reset:
847 e->pos = pos;
848 return error;
849 }
850
851
unpack_tags(struct aa_ext * e,struct aa_tags_struct * tags,const char ** info)852 static int unpack_tags(struct aa_ext *e, struct aa_tags_struct *tags,
853 const char **info)
854 {
855 int error = -EPROTO;
856 void *pos = e->pos;
857
858 AA_BUG(!tags);
859 /* policy tags are optional */
860 if (aa_unpack_nameX(e, AA_STRUCT, "tags")) {
861 u32 version;
862
863 if (!aa_unpack_u32(e, &version, "version") || version != 1) {
864 *info = "invalid tags version";
865 goto fail_reset;
866 }
867 error = unpack_strs_table(e, "strs", true, &tags->strs);
868 if (error) {
869 *info = "failed to unpack profile tag.strs";
870 goto fail;
871 }
872 error = unpack_tag_headers(e, tags);
873 if (error) {
874 *info = "failed to unpack profile tag.headers";
875 goto fail;
876 }
877 error = unpack_tagsets(e, tags);
878 if (error) {
879 *info = "failed to unpack profile tag.sets";
880 goto fail;
881 }
882 error = -EPROTO;
883 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
884 goto fail;
885
886 if (!verify_tags(tags, info))
887 goto fail;
888 }
889
890 return 0;
891
892 fail:
893 aa_destroy_tags(tags);
894 fail_reset:
895 e->pos = pos;
896 return error;
897 }
898
unpack_perm(struct aa_ext * e,u32 version,struct aa_perms * perm)899 static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm)
900 {
901 u32 reserved;
902
903 if (version != 1)
904 return false;
905
906 /* reserved entry is for later expansion, discard for now */
907 return aa_unpack_u32(e, &reserved, NULL) &&
908 aa_unpack_u32(e, &perm->allow, NULL) &&
909 aa_unpack_u32(e, &perm->deny, NULL) &&
910 aa_unpack_u32(e, &perm->subtree, NULL) &&
911 aa_unpack_u32(e, &perm->cond, NULL) &&
912 aa_unpack_u32(e, &perm->kill, NULL) &&
913 aa_unpack_u32(e, &perm->complain, NULL) &&
914 aa_unpack_u32(e, &perm->prompt, NULL) &&
915 aa_unpack_u32(e, &perm->audit, NULL) &&
916 aa_unpack_u32(e, &perm->quiet, NULL) &&
917 aa_unpack_u32(e, &perm->hide, NULL) &&
918 aa_unpack_u32(e, &perm->xindex, NULL) &&
919 aa_unpack_u32(e, &perm->tag, NULL) &&
920 aa_unpack_u32(e, &perm->label, NULL);
921 }
922
unpack_perms_table(struct aa_ext * e,struct aa_perms ** perms)923 static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms)
924 {
925 void *pos = e->pos;
926 u16 size = 0;
927
928 AA_BUG(!perms);
929 /*
930 * policy perms are optional, in which case perms are embedded
931 * in the dfa accept table
932 */
933 if (aa_unpack_nameX(e, AA_STRUCT, "perms")) {
934 int i;
935 u32 version;
936
937 if (!aa_unpack_u32(e, &version, "version"))
938 goto fail_reset;
939 if (!aa_unpack_array(e, NULL, &size))
940 goto fail_reset;
941 *perms = kzalloc_objs(struct aa_perms, size);
942 if (!*perms) {
943 e->pos = pos;
944 return -ENOMEM;
945 }
946 for (i = 0; i < size; i++) {
947 if (!unpack_perm(e, version, &(*perms)[i]))
948 goto fail;
949 }
950 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
951 goto fail;
952 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
953 goto fail;
954 } else
955 *perms = NULL;
956
957 return size;
958
959 fail:
960 kfree(*perms);
961 fail_reset:
962 e->pos = pos;
963 return -EPROTO;
964 }
965
unpack_pdb(struct aa_ext * e,struct aa_policydb ** policy,bool required_dfa,bool required_trans,const char ** info)966 static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
967 bool required_dfa, bool required_trans,
968 const char **info)
969 {
970 struct aa_policydb *pdb;
971 void *pos = e->pos;
972 int i, flags, error = -EPROTO;
973 ssize_t size;
974 u32 version = 0;
975
976 pdb = aa_alloc_pdb(GFP_KERNEL);
977 if (!pdb)
978 return -ENOMEM;
979
980 AA_DEBUG(DEBUG_UNPACK, "unpacking tags");
981 if (unpack_tags(e, &pdb->tags, info) < 0)
982 goto fail;
983 AA_DEBUG(DEBUG_UNPACK, "done unpacking tags");
984
985 size = unpack_perms_table(e, &pdb->perms);
986 if (size < 0) {
987 error = size;
988 pdb->perms = NULL;
989 *info = "failed to unpack - perms";
990 goto fail;
991 }
992 pdb->size = size;
993
994 if (pdb->perms) {
995 /* perms table present accept is index */
996 flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
997 if (aa_unpack_u32(e, &version, "permsv") && version > 2)
998 /* accept2 used for dfa flags */
999 flags |= TO_ACCEPT2_FLAG(YYTD_DATA32);
1000 } else {
1001 /* packed perms in accept1 and accept2 */
1002 flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
1003 TO_ACCEPT2_FLAG(YYTD_DATA32);
1004 }
1005
1006 pdb->dfa = unpack_dfa(e, flags);
1007 if (IS_ERR(pdb->dfa)) {
1008 error = PTR_ERR(pdb->dfa);
1009 pdb->dfa = NULL;
1010 *info = "failed to unpack - dfa";
1011 goto fail;
1012 } else if (!pdb->dfa) {
1013 if (required_dfa) {
1014 *info = "missing required dfa";
1015 goto fail;
1016 }
1017 } else {
1018 /*
1019 * only unpack the following if a dfa is present
1020 *
1021 * sadly start was given different names for file and policydb
1022 * but since it is optional we can try both
1023 */
1024 if (!aa_unpack_u32(e, &pdb->start[0], "start"))
1025 /* default start state */
1026 pdb->start[0] = DFA_START;
1027 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
1028 /* default start state for xmatch and file dfa */
1029 pdb->start[AA_CLASS_FILE] = DFA_START;
1030 }
1031
1032 size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen;
1033
1034 if (pdb->start[0] >= state_count ||
1035 pdb->start[AA_CLASS_FILE] >= state_count) {
1036 *info = "invalid dfa start state";
1037 goto fail;
1038 }
1039
1040 /* setup class index */
1041 for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
1042 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
1043 i);
1044 }
1045 }
1046
1047 /* accept2 is in some cases being allocated, even with perms */
1048 if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
1049 /* add dfa flags table missing in v2 */
1050 u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
1051 u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
1052 size_t tsize = table_size(noents, tdflags);
1053
1054 pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL);
1055 if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
1056 *info = "failed to alloc dfa flags table";
1057 goto out;
1058 }
1059 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents;
1060 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags;
1061 }
1062 /*
1063 * Unfortunately due to a bug in earlier userspaces, a
1064 * transition table may be present even when the dfa is
1065 * not. For compatibility reasons unpack and discard.
1066 */
1067 error = unpack_strs_table(e, "xtable", false, &pdb->trans);
1068 if (error && required_trans) {
1069 *info = "failed to unpack profile transition table";
1070 goto fail;
1071 }
1072
1073 if (!pdb->dfa && pdb->trans.table)
1074 aa_destroy_str_table(&pdb->trans);
1075
1076 /* TODO:
1077 * - move compat mapping here, requires dfa merging first
1078 * - move verify here, it has to be done after compat mappings
1079 * - move free of unneeded trans table here, has to be done
1080 * after perm mapping.
1081 */
1082 out:
1083 *policy = pdb;
1084 return 0;
1085
1086 fail:
1087 aa_put_pdb(pdb);
1088 e->pos = pos;
1089 return error;
1090 }
1091
strhash(const void * data,u32 len,u32 seed)1092 static u32 strhash(const void *data, u32 len, u32 seed)
1093 {
1094 const char * const *key = data;
1095
1096 return jhash(*key, strlen(*key), seed);
1097 }
1098
datacmp(struct rhashtable_compare_arg * arg,const void * obj)1099 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
1100 {
1101 const struct aa_data *data = obj;
1102 const char * const *key = arg->key;
1103
1104 return strcmp(data->key, *key);
1105 }
1106
1107 /**
1108 * unpack_profile - unpack a serialized profile
1109 * @e: serialized data extent information (NOT NULL)
1110 * @ns_name: pointer of newly allocated copy of %NULL in case of error
1111 *
1112 * NOTE: unpack profile sets audit struct if there is a failure
1113 */
unpack_profile(struct aa_ext * e,char ** ns_name)1114 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
1115 {
1116 struct aa_ruleset *rules;
1117 struct aa_profile *profile = NULL;
1118 const char *tmpname, *tmpns = NULL, *name = NULL;
1119 const char *info = "failed to unpack profile";
1120 size_t ns_len;
1121 struct rhashtable_params params = { 0 };
1122 char *key = NULL, *disconnected = NULL;
1123 struct aa_data *data;
1124 int error = -EPROTO;
1125 kernel_cap_t tmpcap;
1126 u32 tmp;
1127
1128 *ns_name = NULL;
1129
1130 /* check that we have the right struct being passed */
1131 if (!aa_unpack_nameX(e, AA_STRUCT, "profile"))
1132 goto fail;
1133 if (!aa_unpack_str(e, &name, NULL))
1134 goto fail;
1135 if (*name == '\0')
1136 goto fail;
1137
1138 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
1139 if (tmpns) {
1140 if (!tmpname) {
1141 info = "empty profile name";
1142 goto fail;
1143 }
1144 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
1145 if (!*ns_name) {
1146 info = "out of memory";
1147 error = -ENOMEM;
1148 goto fail;
1149 }
1150 name = tmpname;
1151 }
1152
1153 profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
1154 if (!profile) {
1155 info = "out of memory";
1156 error = -ENOMEM;
1157 goto fail;
1158 }
1159 rules = profile->label.rules[0];
1160
1161 /* profile renaming is optional */
1162 (void) aa_unpack_str(e, &profile->rename, "rename");
1163
1164 /* attachment string is optional */
1165 (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach");
1166
1167 /* xmatch is optional and may be NULL */
1168 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info);
1169 if (error) {
1170 info = "bad xmatch";
1171 goto fail;
1172 }
1173
1174 /* neither xmatch_len not xmatch_perms are optional if xmatch is set */
1175 if (profile->attach.xmatch->dfa) {
1176 if (!aa_unpack_u32(e, &tmp, NULL)) {
1177 info = "missing xmatch len";
1178 goto fail;
1179 }
1180 profile->attach.xmatch_len = tmp;
1181 profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START;
1182 if (!profile->attach.xmatch->perms) {
1183 error = aa_compat_map_xmatch(profile->attach.xmatch);
1184 if (error) {
1185 info = "failed to convert xmatch permission table";
1186 goto fail;
1187 }
1188 }
1189 }
1190
1191 /* disconnected attachment string is optional */
1192 (void) aa_unpack_strdup(e, &disconnected, "disconnected");
1193 profile->disconnected = disconnected;
1194
1195 /* optional */
1196 (void) aa_unpack_u32(e, &profile->signal, "kill");
1197 if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {
1198 info = "profile kill.signal invalid value";
1199 goto fail;
1200 }
1201 /* per profile debug flags (complain, audit) */
1202 if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
1203 info = "profile missing flags";
1204 goto fail;
1205 }
1206 info = "failed to unpack profile flags";
1207 if (!aa_unpack_u32(e, &tmp, NULL))
1208 goto fail;
1209 if (tmp & PACKED_FLAG_HAT)
1210 profile->label.flags |= FLAG_HAT;
1211 if (tmp & PACKED_FLAG_DEBUG1)
1212 profile->label.flags |= FLAG_DEBUG1;
1213 if (tmp & PACKED_FLAG_DEBUG2)
1214 profile->label.flags |= FLAG_DEBUG2;
1215 if (!aa_unpack_u32(e, &tmp, NULL))
1216 goto fail;
1217 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
1218 profile->mode = APPARMOR_COMPLAIN;
1219 } else if (tmp == PACKED_MODE_ENFORCE) {
1220 profile->mode = APPARMOR_ENFORCE;
1221 } else if (tmp == PACKED_MODE_KILL) {
1222 profile->mode = APPARMOR_KILL;
1223 } else if (tmp == PACKED_MODE_UNCONFINED) {
1224 profile->mode = APPARMOR_UNCONFINED;
1225 profile->label.flags |= FLAG_UNCONFINED;
1226 } else if (tmp == PACKED_MODE_USER) {
1227 profile->mode = APPARMOR_USER;
1228 } else {
1229 goto fail;
1230 }
1231 if (!aa_unpack_u32(e, &tmp, NULL))
1232 goto fail;
1233 if (tmp)
1234 profile->audit = AUDIT_ALL;
1235
1236 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1237 goto fail;
1238
1239 /* path_flags is optional */
1240 if (aa_unpack_u32(e, &profile->path_flags, "path_flags"))
1241 profile->path_flags |= profile->label.flags &
1242 PATH_MEDIATE_DELETED;
1243 else
1244 /* set a default value if path_flags field is not present */
1245 profile->path_flags = PATH_MEDIATE_DELETED;
1246
1247 info = "failed to unpack profile capabilities";
1248 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL))
1249 goto fail;
1250 if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL))
1251 goto fail;
1252 if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL))
1253 goto fail;
1254 if (!aa_unpack_cap_low(e, &tmpcap, NULL))
1255 goto fail;
1256
1257 info = "failed to unpack upper profile capabilities";
1258 if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) {
1259 /* optional upper half of 64 bit caps */
1260 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL))
1261 goto fail;
1262 if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL))
1263 goto fail;
1264 if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL))
1265 goto fail;
1266 if (!aa_unpack_cap_high(e, &tmpcap, NULL))
1267 goto fail;
1268 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1269 goto fail;
1270 }
1271
1272 info = "failed to unpack extended profile capabilities";
1273 if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) {
1274 /* optional extended caps mediation mask */
1275 if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL))
1276 goto fail;
1277 if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL))
1278 goto fail;
1279 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1280 goto fail;
1281 }
1282
1283 if (!unpack_xattrs(e, profile)) {
1284 info = "failed to unpack profile xattrs";
1285 goto fail;
1286 }
1287
1288 if (!unpack_rlimits(e, rules)) {
1289 info = "failed to unpack profile rlimits";
1290 goto fail;
1291 }
1292
1293 if (!unpack_secmark(e, rules)) {
1294 info = "failed to unpack profile secmark rules";
1295 goto fail;
1296 }
1297
1298 if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
1299 /* generic policy dfa - optional and may be NULL */
1300 info = "failed to unpack policydb";
1301 error = unpack_pdb(e, &rules->policy, true, false,
1302 &info);
1303 if (error)
1304 goto fail;
1305 /* Fixup: drop when we get rid of start array */
1306 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0],
1307 AA_CLASS_FILE))
1308 rules->policy->start[AA_CLASS_FILE] =
1309 aa_dfa_next(rules->policy->dfa,
1310 rules->policy->start[0],
1311 AA_CLASS_FILE);
1312 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1313 goto fail;
1314 if (!rules->policy->perms) {
1315 error = aa_compat_map_policy(rules->policy,
1316 e->version);
1317 if (error) {
1318 info = "failed to remap policydb permission table";
1319 goto fail;
1320 }
1321 }
1322 } else {
1323 rules->policy = aa_get_pdb(nullpdb);
1324 }
1325 /* get file rules */
1326 error = unpack_pdb(e, &rules->file, false, true, &info);
1327 if (error) {
1328 goto fail;
1329 } else if (rules->file->dfa) {
1330 if (!rules->file->perms) {
1331 AA_DEBUG(DEBUG_UNPACK, "compat mapping perms");
1332 error = aa_compat_map_file(rules->file);
1333 if (error) {
1334 info = "failed to remap file permission table";
1335 goto fail;
1336 }
1337 }
1338 } else if (rules->policy->dfa &&
1339 rules->policy->start[AA_CLASS_FILE]) {
1340 aa_put_pdb(rules->file);
1341 rules->file = aa_get_pdb(rules->policy);
1342 } else {
1343 aa_put_pdb(rules->file);
1344 rules->file = aa_get_pdb(nullpdb);
1345 }
1346 error = -EPROTO;
1347 if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
1348 info = "out of memory";
1349 profile->data = kzalloc_obj(*profile->data);
1350 if (!profile->data) {
1351 error = -ENOMEM;
1352 goto fail;
1353 }
1354 params.nelem_hint = 3;
1355 params.key_len = sizeof(void *);
1356 params.key_offset = offsetof(struct aa_data, key);
1357 params.head_offset = offsetof(struct aa_data, head);
1358 params.hashfn = strhash;
1359 params.obj_cmpfn = datacmp;
1360
1361 if (rhashtable_init(profile->data, ¶ms)) {
1362 info = "failed to init key, value hash table";
1363 goto fail;
1364 }
1365
1366 while (aa_unpack_strdup(e, &key, NULL)) {
1367 data = kzalloc_obj(*data);
1368 if (!data) {
1369 kfree_sensitive(key);
1370 error = -ENOMEM;
1371 goto fail;
1372 }
1373
1374 data->key = key;
1375 data->size = aa_unpack_blob(e, &data->data, NULL);
1376 data->data = kvmemdup(data->data, data->size, GFP_KERNEL);
1377 if (data->size && !data->data) {
1378 kfree_sensitive(data->key);
1379 kfree_sensitive(data);
1380 error = -ENOMEM;
1381 goto fail;
1382 }
1383
1384 if (rhashtable_insert_fast(profile->data, &data->head,
1385 profile->data->p)) {
1386 kvfree_sensitive(data->data, data->size);
1387 kfree_sensitive(data->key);
1388 kfree_sensitive(data);
1389 info = "failed to insert data to table";
1390 goto fail;
1391 }
1392 }
1393
1394 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1395 info = "failed to unpack end of key, value data table";
1396 goto fail;
1397 }
1398 }
1399
1400 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1401 info = "failed to unpack end of profile";
1402 goto fail;
1403 }
1404
1405 aa_compute_profile_mediates(profile);
1406
1407 return profile;
1408
1409 fail:
1410 if (error == 0)
1411 /* default error covers most cases */
1412 error = -EPROTO;
1413 if (*ns_name) {
1414 kfree(*ns_name);
1415 *ns_name = NULL;
1416 }
1417 if (profile)
1418 name = NULL;
1419 else if (!name)
1420 name = "unknown";
1421 audit_iface(profile, NULL, name, info, e, error);
1422 aa_free_profile(profile);
1423
1424 return ERR_PTR(error);
1425 }
1426
1427 /**
1428 * verify_header - unpack serialized stream header
1429 * @e: serialized data read head (NOT NULL)
1430 * @required: whether the header is required or optional
1431 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
1432 *
1433 * Returns: error or 0 if header is good
1434 */
verify_header(struct aa_ext * e,int required,const char ** ns)1435 static int verify_header(struct aa_ext *e, int required, const char **ns)
1436 {
1437 int error = -EPROTONOSUPPORT;
1438 const char *name = NULL;
1439
1440 /* get the interface version */
1441 if (!aa_unpack_u32(e, &e->version, "version")) {
1442 if (required) {
1443 audit_iface(NULL, NULL, NULL, "invalid profile format",
1444 e, error);
1445 return error;
1446 }
1447 }
1448
1449 /* Check that the interface version is currently supported.
1450 * if not specified use previous version
1451 * Mask off everything that is not kernel abi version
1452 */
1453 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) {
1454 audit_iface(NULL, NULL, NULL, "unsupported interface version",
1455 e, error);
1456 return error;
1457 }
1458
1459 /* read the namespace if present */
1460 if (aa_unpack_str(e, &name, "namespace")) {
1461 if (*name == '\0') {
1462 audit_iface(NULL, NULL, NULL, "invalid namespace name",
1463 e, error);
1464 return error;
1465 }
1466 if (*ns && strcmp(*ns, name)) {
1467 audit_iface(NULL, NULL, NULL, "invalid ns change", e,
1468 error);
1469 return error;
1470 } else if (!*ns) {
1471 *ns = kstrdup(name, GFP_KERNEL);
1472 if (!*ns)
1473 return -ENOMEM;
1474 }
1475 }
1476
1477 return 0;
1478 }
1479
1480 /**
1481 * verify_dfa_accept_index - verify accept indexes are in range of perms table
1482 * @dfa: the dfa to check accept indexes are in range
1483 * @table_size: the permission table size the indexes should be within
1484 */
verify_dfa_accept_index(struct aa_dfa * dfa,int table_size)1485 static bool verify_dfa_accept_index(struct aa_dfa *dfa, int table_size)
1486 {
1487 int i;
1488 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
1489 if (ACCEPT_TABLE(dfa)[i] >= table_size)
1490 return false;
1491 }
1492 return true;
1493 }
1494
verify_perm(struct aa_perms * perm)1495 static bool verify_perm(struct aa_perms *perm)
1496 {
1497 /* TODO: allow option to just force the perms into a valid state */
1498 if (perm->allow & perm->deny)
1499 return false;
1500 if (perm->subtree & ~perm->allow)
1501 return false;
1502 if (perm->cond & (perm->allow | perm->deny))
1503 return false;
1504 if (perm->kill & perm->allow)
1505 return false;
1506 if (perm->complain & (perm->allow | perm->deny))
1507 return false;
1508 if (perm->prompt & (perm->allow | perm->deny))
1509 return false;
1510 if (perm->complain & perm->prompt)
1511 return false;
1512 if (perm->hide & perm->allow)
1513 return false;
1514
1515 return true;
1516 }
1517
verify_perms(struct aa_policydb * pdb)1518 static bool verify_perms(struct aa_policydb *pdb)
1519 {
1520 int i;
1521 int xidx, xmax = -1;
1522
1523 for (i = 0; i < pdb->size; i++) {
1524 if (!verify_perm(&pdb->perms[i]))
1525 return false;
1526 /* verify indexes into str table */
1527 if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
1528 xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK;
1529 if (xidx >= pdb->trans.size)
1530 return false;
1531 if (xmax < xidx)
1532 xmax = xidx;
1533 }
1534 if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->tags.sets.size)
1535 return false;
1536 if (pdb->perms[i].label &&
1537 pdb->perms[i].label >= pdb->trans.size)
1538 return false;
1539 }
1540 /* deal with incorrectly constructed string tables */
1541 if (xmax == -1) {
1542 aa_destroy_str_table(&pdb->trans);
1543 } else if (pdb->trans.size > xmax + 1) {
1544 if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL))
1545 return false;
1546 }
1547 return true;
1548 }
1549
1550 /**
1551 * verify_profile - Do post unpack analysis to verify profile consistency
1552 * @profile: profile to verify (NOT NULL)
1553 *
1554 * Returns: 0 if passes verification else error
1555 *
1556 * This verification is post any unpack mapping or changes
1557 */
verify_profile(struct aa_profile * profile)1558 static int verify_profile(struct aa_profile *profile)
1559 {
1560 struct aa_ruleset *rules = profile->label.rules[0];
1561
1562 if (!rules)
1563 return 0;
1564
1565 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa,
1566 rules->file->size)) {
1567 audit_iface(profile, NULL, NULL,
1568 "Unpack: file Invalid named transition", NULL,
1569 -EPROTO);
1570 return -EPROTO;
1571 }
1572 if (rules->policy->dfa &&
1573 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) {
1574 audit_iface(profile, NULL, NULL,
1575 "Unpack: policy Invalid named transition", NULL,
1576 -EPROTO);
1577 return -EPROTO;
1578 }
1579
1580 if (!verify_perms(rules->file)) {
1581 audit_iface(profile, NULL, NULL,
1582 "Unpack: Invalid perm index", NULL, -EPROTO);
1583 return -EPROTO;
1584 }
1585 if (!verify_perms(rules->policy)) {
1586 audit_iface(profile, NULL, NULL,
1587 "Unpack: Invalid perm index", NULL, -EPROTO);
1588 return -EPROTO;
1589 }
1590 if (!verify_perms(profile->attach.xmatch)) {
1591 audit_iface(profile, NULL, NULL,
1592 "Unpack: Invalid perm index", NULL, -EPROTO);
1593 return -EPROTO;
1594 }
1595
1596 return 0;
1597 }
1598
aa_load_ent_free(struct aa_load_ent * ent)1599 void aa_load_ent_free(struct aa_load_ent *ent)
1600 {
1601 if (ent) {
1602 aa_put_profile(ent->rename);
1603 aa_put_profile(ent->old);
1604 aa_put_profile(ent->new);
1605 kfree(ent->ns_name);
1606 kfree_sensitive(ent);
1607 }
1608 }
1609
aa_load_ent_alloc(void)1610 struct aa_load_ent *aa_load_ent_alloc(void)
1611 {
1612 struct aa_load_ent *ent = kzalloc_obj(*ent);
1613 if (ent)
1614 INIT_LIST_HEAD(&ent->list);
1615 return ent;
1616 }
1617
compress_zstd(const char * src,size_t slen,char ** dst,size_t * dlen)1618 static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen)
1619 {
1620 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1621 const zstd_parameters params =
1622 zstd_get_params(aa_g_rawdata_compression_level, slen);
1623 const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams);
1624 void *wksp = NULL;
1625 zstd_cctx *ctx = NULL;
1626 size_t out_len = zstd_compress_bound(slen);
1627 void *out = NULL;
1628 int ret = 0;
1629
1630 out = kvzalloc(out_len, GFP_KERNEL);
1631 if (!out) {
1632 ret = -ENOMEM;
1633 goto cleanup;
1634 }
1635
1636 wksp = kvzalloc(wksp_len, GFP_KERNEL);
1637 if (!wksp) {
1638 ret = -ENOMEM;
1639 goto cleanup;
1640 }
1641
1642 ctx = zstd_init_cctx(wksp, wksp_len);
1643 if (!ctx) {
1644 ret = -EINVAL;
1645 goto cleanup;
1646 }
1647
1648 out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms);
1649 if (zstd_is_error(out_len) || out_len >= slen) {
1650 ret = -EINVAL;
1651 goto cleanup;
1652 }
1653
1654 if (is_vmalloc_addr(out)) {
1655 *dst = kvzalloc(out_len, GFP_KERNEL);
1656 if (*dst) {
1657 memcpy(*dst, out, out_len);
1658 kvfree(out);
1659 out = NULL;
1660 }
1661 } else {
1662 /*
1663 * If the staging buffer was kmalloc'd, then using krealloc is
1664 * probably going to be faster. The destination buffer will
1665 * always be smaller, so it's just shrunk, avoiding a memcpy
1666 */
1667 *dst = krealloc(out, out_len, GFP_KERNEL);
1668 }
1669
1670 if (!*dst) {
1671 ret = -ENOMEM;
1672 goto cleanup;
1673 }
1674
1675 *dlen = out_len;
1676
1677 cleanup:
1678 if (ret) {
1679 kvfree(out);
1680 *dst = NULL;
1681 }
1682
1683 kvfree(wksp);
1684 return ret;
1685 #else
1686 *dlen = slen;
1687 return 0;
1688 #endif
1689 }
1690
compress_loaddata(struct aa_loaddata * data)1691 static int compress_loaddata(struct aa_loaddata *data)
1692 {
1693 AA_BUG(data->compressed_size > 0);
1694
1695 /*
1696 * Shortcut the no compression case, else we increase the amount of
1697 * storage required by a small amount
1698 */
1699 if (aa_g_rawdata_compression_level != 0) {
1700 void *udata = data->data;
1701 int error = compress_zstd(udata, data->size, &data->data,
1702 &data->compressed_size);
1703 if (error) {
1704 data->compressed_size = data->size;
1705 return error;
1706 }
1707 if (udata != data->data)
1708 kvfree(udata);
1709 } else
1710 data->compressed_size = data->size;
1711
1712 return 0;
1713 }
1714
1715 /**
1716 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1717 * @udata: user data copied to kmem (NOT NULL)
1718 * @lh: list to place unpacked profiles in a aa_repl_ws
1719 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1720 *
1721 * Unpack user data and return refcounted allocated profile(s) stored in
1722 * @lh in order of discovery, with the list chain stored in base.list
1723 * or error
1724 *
1725 * Returns: profile(s) on @lh else error pointer if fails to unpack
1726 */
aa_unpack(struct aa_loaddata * udata,struct list_head * lh,const char ** ns)1727 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
1728 const char **ns)
1729 {
1730 struct aa_load_ent *tmp, *ent;
1731 struct aa_profile *profile = NULL;
1732 char *ns_name = NULL;
1733 int error;
1734 struct aa_ext e = {
1735 .start = udata->data,
1736 .end = udata->data + udata->size,
1737 .pos = udata->data,
1738 };
1739
1740 *ns = NULL;
1741 while (e.pos < e.end) {
1742 void *start;
1743 error = verify_header(&e, e.pos == e.start, ns);
1744 if (error)
1745 goto fail;
1746
1747 start = e.pos;
1748 profile = unpack_profile(&e, &ns_name);
1749 if (IS_ERR(profile)) {
1750 error = PTR_ERR(profile);
1751 goto fail;
1752 }
1753
1754 error = verify_profile(profile);
1755 if (error)
1756 goto fail_profile;
1757
1758 if (aa_g_hash_policy)
1759 error = aa_calc_profile_hash(profile, e.version, start,
1760 e.pos - start);
1761 if (error)
1762 goto fail_profile;
1763
1764 ent = aa_load_ent_alloc();
1765 if (!ent) {
1766 error = -ENOMEM;
1767 goto fail_profile;
1768 }
1769
1770 ent->new = profile;
1771 ent->ns_name = ns_name;
1772 ns_name = NULL;
1773 list_add_tail(&ent->list, lh);
1774 }
1775 udata->abi = e.version & K_ABI_MASK;
1776 if (aa_g_hash_policy) {
1777 udata->hash = aa_calc_hash(udata->data, udata->size);
1778 if (IS_ERR(udata->hash)) {
1779 error = PTR_ERR(udata->hash);
1780 udata->hash = NULL;
1781 goto fail;
1782 }
1783 }
1784
1785 if (aa_g_export_binary) {
1786 error = compress_loaddata(udata);
1787 if (error)
1788 goto fail;
1789 }
1790 return 0;
1791
1792 fail_profile:
1793 kfree(ns_name);
1794 aa_put_profile(profile);
1795
1796 fail:
1797 list_for_each_entry_safe(ent, tmp, lh, list) {
1798 list_del_init(&ent->list);
1799 aa_load_ent_free(ent);
1800 }
1801
1802 return error;
1803 }
1804