1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor functions for unpacking policy loaded from
6 * userspace.
7 *
8 * Copyright (C) 1998-2008 Novell/SUSE
9 * Copyright 2009-2010 Canonical Ltd.
10 *
11 * AppArmor uses a serialized binary format for loading policy. To find
12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
13 * All policy is validated before it is used.
14 */
15
16 #include <linux/unaligned.h>
17 #include <kunit/visibility.h>
18 #include <linux/ctype.h>
19 #include <linux/errno.h>
20 #include <linux/zstd.h>
21
22 #include "include/apparmor.h"
23 #include "include/audit.h"
24 #include "include/cred.h"
25 #include "include/crypto.h"
26 #include "include/file.h"
27 #include "include/match.h"
28 #include "include/path.h"
29 #include "include/policy.h"
30 #include "include/policy_unpack.h"
31 #include "include/policy_compat.h"
32 #include "include/signal.h"
33
34 /* audit callback for unpack fields */
audit_cb(struct audit_buffer * ab,void * va)35 static void audit_cb(struct audit_buffer *ab, void *va)
36 {
37 struct common_audit_data *sa = va;
38 struct apparmor_audit_data *ad = aad(sa);
39
40 if (ad->iface.ns) {
41 audit_log_format(ab, " ns=");
42 audit_log_untrustedstring(ab, ad->iface.ns);
43 }
44 if (ad->name) {
45 audit_log_format(ab, " name=");
46 audit_log_untrustedstring(ab, ad->name);
47 }
48 if (ad->iface.pos)
49 audit_log_format(ab, " offset=%ld", ad->iface.pos);
50 }
51
52 /**
53 * audit_iface - do audit message for policy unpacking/load/replace/remove
54 * @new: profile if it has been allocated (MAYBE NULL)
55 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
56 * @name: name of the profile being manipulated (MAYBE NULL)
57 * @info: any extra info about the failure (MAYBE NULL)
58 * @e: buffer position info
59 * @error: error code
60 *
61 * Returns: %0 or error
62 */
audit_iface(struct aa_profile * new,const char * ns_name,const char * name,const char * info,struct aa_ext * e,int error)63 static int audit_iface(struct aa_profile *new, const char *ns_name,
64 const char *name, const char *info, struct aa_ext *e,
65 int error)
66 {
67 struct aa_profile *profile = labels_profile(aa_current_raw_label());
68 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
69 if (e)
70 ad.iface.pos = e->pos - e->start;
71 ad.iface.ns = ns_name;
72 if (new)
73 ad.name = new->base.hname;
74 else
75 ad.name = name;
76 ad.info = info;
77 ad.error = error;
78
79 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb);
80 }
81
__aa_loaddata_update(struct aa_loaddata * data,long revision)82 void __aa_loaddata_update(struct aa_loaddata *data, long revision)
83 {
84 AA_BUG(!data);
85 AA_BUG(!data->ns);
86 AA_BUG(!mutex_is_locked(&data->ns->lock));
87 AA_BUG(data->revision > revision);
88
89 data->revision = revision;
90 if ((data->dents[AAFS_LOADDATA_REVISION])) {
91 struct inode *inode;
92
93 inode = d_inode(data->dents[AAFS_LOADDATA_DIR]);
94 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
95
96 inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]);
97 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
98 }
99 }
100
aa_rawdata_eq(struct aa_loaddata * l,struct aa_loaddata * r)101 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
102 {
103 if (l->size != r->size)
104 return false;
105 if (l->compressed_size != r->compressed_size)
106 return false;
107 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
108 return false;
109 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
110 }
111
112 /*
113 * need to take the ns mutex lock which is NOT safe most places that
114 * put_loaddata is called, so we have to delay freeing it
115 */
do_loaddata_free(struct work_struct * work)116 static void do_loaddata_free(struct work_struct *work)
117 {
118 struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
119 struct aa_ns *ns = aa_get_ns(d->ns);
120
121 if (ns) {
122 mutex_lock_nested(&ns->lock, ns->level);
123 __aa_fs_remove_rawdata(d);
124 mutex_unlock(&ns->lock);
125 aa_put_ns(ns);
126 }
127
128 kfree_sensitive(d->hash);
129 kfree_sensitive(d->name);
130 kvfree(d->data);
131 kfree_sensitive(d);
132 }
133
aa_loaddata_kref(struct kref * kref)134 void aa_loaddata_kref(struct kref *kref)
135 {
136 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
137
138 if (d) {
139 INIT_WORK(&d->work, do_loaddata_free);
140 schedule_work(&d->work);
141 }
142 }
143
aa_loaddata_alloc(size_t size)144 struct aa_loaddata *aa_loaddata_alloc(size_t size)
145 {
146 struct aa_loaddata *d;
147
148 d = kzalloc(sizeof(*d), GFP_KERNEL);
149 if (d == NULL)
150 return ERR_PTR(-ENOMEM);
151 d->data = kvzalloc(size, GFP_KERNEL);
152 if (!d->data) {
153 kfree(d);
154 return ERR_PTR(-ENOMEM);
155 }
156 kref_init(&d->count);
157 INIT_LIST_HEAD(&d->list);
158
159 return d;
160 }
161
162 /* test if read will be in packed data bounds */
aa_inbounds(struct aa_ext * e,size_t size)163 VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size)
164 {
165 return (size <= e->end - e->pos);
166 }
167 EXPORT_SYMBOL_IF_KUNIT(aa_inbounds);
168
169 /**
170 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
171 * @e: serialized data read head (NOT NULL)
172 * @chunk: start address for chunk of data (NOT NULL)
173 *
174 * Returns: the size of chunk found with the read head at the end of the chunk.
175 */
aa_unpack_u16_chunk(struct aa_ext * e,char ** chunk)176 VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk)
177 {
178 size_t size = 0;
179 void *pos = e->pos;
180
181 if (!aa_inbounds(e, sizeof(u16)))
182 goto fail;
183 size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
184 e->pos += sizeof(__le16);
185 if (!aa_inbounds(e, size))
186 goto fail;
187 *chunk = e->pos;
188 e->pos += size;
189 return size;
190
191 fail:
192 e->pos = pos;
193 return 0;
194 }
195 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk);
196
197 /* unpack control byte */
aa_unpack_X(struct aa_ext * e,enum aa_code code)198 VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code)
199 {
200 if (!aa_inbounds(e, 1))
201 return false;
202 if (*(u8 *) e->pos != code)
203 return false;
204 e->pos++;
205 return true;
206 }
207 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X);
208
209 /**
210 * aa_unpack_nameX - check is the next element is of type X with a name of @name
211 * @e: serialized data extent information (NOT NULL)
212 * @code: type code
213 * @name: name to match to the serialized element. (MAYBE NULL)
214 *
215 * check that the next serialized data element is of type X and has a tag
216 * name @name. If @name is specified then there must be a matching
217 * name element in the stream. If @name is NULL any name element will be
218 * skipped and only the typecode will be tested.
219 *
220 * Returns true on success (both type code and name tests match) and the read
221 * head is advanced past the headers
222 *
223 * Returns: false if either match fails, the read head does not move
224 */
aa_unpack_nameX(struct aa_ext * e,enum aa_code code,const char * name)225 VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
226 {
227 /*
228 * May need to reset pos if name or type doesn't match
229 */
230 void *pos = e->pos;
231 /*
232 * Check for presence of a tagname, and if present name size
233 * AA_NAME tag value is a u16.
234 */
235 if (aa_unpack_X(e, AA_NAME)) {
236 char *tag = NULL;
237 size_t size = aa_unpack_u16_chunk(e, &tag);
238 /* if a name is specified it must match. otherwise skip tag */
239 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
240 goto fail;
241 } else if (name) {
242 /* if a name is specified and there is no name tag fail */
243 goto fail;
244 }
245
246 /* now check if type code matches */
247 if (aa_unpack_X(e, code))
248 return true;
249
250 fail:
251 e->pos = pos;
252 return false;
253 }
254 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX);
255
unpack_u8(struct aa_ext * e,u8 * data,const char * name)256 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
257 {
258 void *pos = e->pos;
259
260 if (aa_unpack_nameX(e, AA_U8, name)) {
261 if (!aa_inbounds(e, sizeof(u8)))
262 goto fail;
263 if (data)
264 *data = *((u8 *)e->pos);
265 e->pos += sizeof(u8);
266 return true;
267 }
268
269 fail:
270 e->pos = pos;
271 return false;
272 }
273
aa_unpack_u32(struct aa_ext * e,u32 * data,const char * name)274 VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name)
275 {
276 void *pos = e->pos;
277
278 if (aa_unpack_nameX(e, AA_U32, name)) {
279 if (!aa_inbounds(e, sizeof(u32)))
280 goto fail;
281 if (data)
282 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
283 e->pos += sizeof(u32);
284 return true;
285 }
286
287 fail:
288 e->pos = pos;
289 return false;
290 }
291 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32);
292
aa_unpack_u64(struct aa_ext * e,u64 * data,const char * name)293 VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name)
294 {
295 void *pos = e->pos;
296
297 if (aa_unpack_nameX(e, AA_U64, name)) {
298 if (!aa_inbounds(e, sizeof(u64)))
299 goto fail;
300 if (data)
301 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
302 e->pos += sizeof(u64);
303 return true;
304 }
305
306 fail:
307 e->pos = pos;
308 return false;
309 }
310 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64);
311
aa_unpack_cap_low(struct aa_ext * e,kernel_cap_t * data,const char * name)312 static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name)
313 {
314 u32 val;
315
316 if (!aa_unpack_u32(e, &val, name))
317 return false;
318 data->val = val;
319 return true;
320 }
321
aa_unpack_cap_high(struct aa_ext * e,kernel_cap_t * data,const char * name)322 static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name)
323 {
324 u32 val;
325
326 if (!aa_unpack_u32(e, &val, name))
327 return false;
328 data->val = (u32)data->val | ((u64)val << 32);
329 return true;
330 }
331
aa_unpack_array(struct aa_ext * e,const char * name,u16 * size)332 VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size)
333 {
334 void *pos = e->pos;
335
336 if (aa_unpack_nameX(e, AA_ARRAY, name)) {
337 if (!aa_inbounds(e, sizeof(u16)))
338 goto fail;
339 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
340 e->pos += sizeof(u16);
341 return true;
342 }
343
344 fail:
345 e->pos = pos;
346 return false;
347 }
348 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array);
349
aa_unpack_blob(struct aa_ext * e,char ** blob,const char * name)350 VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name)
351 {
352 void *pos = e->pos;
353
354 if (aa_unpack_nameX(e, AA_BLOB, name)) {
355 u32 size;
356 if (!aa_inbounds(e, sizeof(u32)))
357 goto fail;
358 size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
359 e->pos += sizeof(u32);
360 if (aa_inbounds(e, (size_t) size)) {
361 *blob = e->pos;
362 e->pos += size;
363 return size;
364 }
365 }
366
367 fail:
368 e->pos = pos;
369 return 0;
370 }
371 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob);
372
aa_unpack_str(struct aa_ext * e,const char ** string,const char * name)373 VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name)
374 {
375 char *src_str;
376 size_t size = 0;
377 void *pos = e->pos;
378 *string = NULL;
379 if (aa_unpack_nameX(e, AA_STRING, name)) {
380 size = aa_unpack_u16_chunk(e, &src_str);
381 if (size) {
382 /* strings are null terminated, length is size - 1 */
383 if (src_str[size - 1] != 0)
384 goto fail;
385 *string = src_str;
386
387 return size;
388 }
389 }
390
391 fail:
392 e->pos = pos;
393 return 0;
394 }
395 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str);
396
aa_unpack_strdup(struct aa_ext * e,char ** string,const char * name)397 VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name)
398 {
399 const char *tmp;
400 void *pos = e->pos;
401 int res = aa_unpack_str(e, &tmp, name);
402 *string = NULL;
403
404 if (!res)
405 return 0;
406
407 *string = kmemdup(tmp, res, GFP_KERNEL);
408 if (!*string) {
409 e->pos = pos;
410 return 0;
411 }
412
413 return res;
414 }
415 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup);
416
417
418 /**
419 * unpack_dfa - unpack a file rule dfa
420 * @e: serialized data extent information (NOT NULL)
421 * @flags: dfa flags to check
422 *
423 * returns dfa or ERR_PTR or NULL if no dfa
424 */
unpack_dfa(struct aa_ext * e,int flags)425 static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags)
426 {
427 char *blob = NULL;
428 size_t size;
429 struct aa_dfa *dfa = NULL;
430
431 size = aa_unpack_blob(e, &blob, "aadfa");
432 if (size) {
433 /*
434 * The dfa is aligned with in the blob to 8 bytes
435 * from the beginning of the stream.
436 * alignment adjust needed by dfa unpack
437 */
438 size_t sz = blob - (char *) e->start -
439 ((e->pos - e->start) & 7);
440 size_t pad = ALIGN(sz, 8) - sz;
441 if (aa_g_paranoid_load)
442 flags |= DFA_FLAG_VERIFY_STATES;
443 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
444
445 if (IS_ERR(dfa))
446 return dfa;
447
448 }
449
450 return dfa;
451 }
452
453 /**
454 * unpack_trans_table - unpack a profile transition table
455 * @e: serialized data extent information (NOT NULL)
456 * @strs: str table to unpack to (NOT NULL)
457 *
458 * Returns: true if table successfully unpacked or not present
459 */
unpack_trans_table(struct aa_ext * e,struct aa_str_table * strs)460 static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
461 {
462 void *saved_pos = e->pos;
463 char **table = NULL;
464
465 /* exec table is optional */
466 if (aa_unpack_nameX(e, AA_STRUCT, "xtable")) {
467 u16 size;
468 int i;
469
470 if (!aa_unpack_array(e, NULL, &size))
471 /*
472 * Note: index into trans table array is a max
473 * of 2^24, but unpack array can only unpack
474 * an array of 2^16 in size atm so no need
475 * for size check here
476 */
477 goto fail;
478 table = kcalloc(size, sizeof(char *), GFP_KERNEL);
479 if (!table)
480 goto fail;
481
482 strs->table = table;
483 strs->size = size;
484 for (i = 0; i < size; i++) {
485 char *str;
486 int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL);
487 /* aa_unpack_strdup verifies that the last character is
488 * null termination byte.
489 */
490 if (!size2)
491 goto fail;
492 table[i] = str;
493 /* verify that name doesn't start with space */
494 if (isspace(*str))
495 goto fail;
496
497 /* count internal # of internal \0 */
498 for (c = j = 0; j < size2 - 1; j++) {
499 if (!str[j]) {
500 pos = j;
501 c++;
502 }
503 }
504 if (*str == ':') {
505 /* first character after : must be valid */
506 if (!str[1])
507 goto fail;
508 /* beginning with : requires an embedded \0,
509 * verify that exactly 1 internal \0 exists
510 * trailing \0 already verified by aa_unpack_strdup
511 *
512 * convert \0 back to : for label_parse
513 */
514 if (c == 1)
515 str[pos] = ':';
516 else if (c > 1)
517 goto fail;
518 } else if (c)
519 /* fail - all other cases with embedded \0 */
520 goto fail;
521 }
522 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
523 goto fail;
524 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
525 goto fail;
526 }
527 return true;
528
529 fail:
530 aa_free_str_table(strs);
531 e->pos = saved_pos;
532 return false;
533 }
534
unpack_xattrs(struct aa_ext * e,struct aa_profile * profile)535 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
536 {
537 void *pos = e->pos;
538
539 if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) {
540 u16 size;
541 int i;
542
543 if (!aa_unpack_array(e, NULL, &size))
544 goto fail;
545 profile->attach.xattr_count = size;
546 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
547 if (!profile->attach.xattrs)
548 goto fail;
549 for (i = 0; i < size; i++) {
550 if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL))
551 goto fail;
552 }
553 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
554 goto fail;
555 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
556 goto fail;
557 }
558
559 return true;
560
561 fail:
562 e->pos = pos;
563 return false;
564 }
565
unpack_secmark(struct aa_ext * e,struct aa_ruleset * rules)566 static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
567 {
568 void *pos = e->pos;
569 u16 size;
570 int i;
571
572 if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
573 if (!aa_unpack_array(e, NULL, &size))
574 goto fail;
575
576 rules->secmark = kcalloc(size, sizeof(struct aa_secmark),
577 GFP_KERNEL);
578 if (!rules->secmark)
579 goto fail;
580
581 rules->secmark_count = size;
582
583 for (i = 0; i < size; i++) {
584 if (!unpack_u8(e, &rules->secmark[i].audit, NULL))
585 goto fail;
586 if (!unpack_u8(e, &rules->secmark[i].deny, NULL))
587 goto fail;
588 if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL))
589 goto fail;
590 }
591 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
592 goto fail;
593 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
594 goto fail;
595 }
596
597 return true;
598
599 fail:
600 if (rules->secmark) {
601 for (i = 0; i < size; i++)
602 kfree_sensitive(rules->secmark[i].label);
603 kfree_sensitive(rules->secmark);
604 rules->secmark_count = 0;
605 rules->secmark = NULL;
606 }
607
608 e->pos = pos;
609 return false;
610 }
611
unpack_rlimits(struct aa_ext * e,struct aa_ruleset * rules)612 static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules)
613 {
614 void *pos = e->pos;
615
616 /* rlimits are optional */
617 if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) {
618 u16 size;
619 int i;
620 u32 tmp = 0;
621 if (!aa_unpack_u32(e, &tmp, NULL))
622 goto fail;
623 rules->rlimits.mask = tmp;
624
625 if (!aa_unpack_array(e, NULL, &size) ||
626 size > RLIM_NLIMITS)
627 goto fail;
628 for (i = 0; i < size; i++) {
629 u64 tmp2 = 0;
630 int a = aa_map_resource(i);
631 if (!aa_unpack_u64(e, &tmp2, NULL))
632 goto fail;
633 rules->rlimits.limits[a].rlim_max = tmp2;
634 }
635 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
636 goto fail;
637 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
638 goto fail;
639 }
640 return true;
641
642 fail:
643 e->pos = pos;
644 return false;
645 }
646
unpack_perm(struct aa_ext * e,u32 version,struct aa_perms * perm)647 static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm)
648 {
649 u32 reserved;
650
651 if (version != 1)
652 return false;
653
654 /* reserved entry is for later expansion, discard for now */
655 return aa_unpack_u32(e, &reserved, NULL) &&
656 aa_unpack_u32(e, &perm->allow, NULL) &&
657 aa_unpack_u32(e, &perm->deny, NULL) &&
658 aa_unpack_u32(e, &perm->subtree, NULL) &&
659 aa_unpack_u32(e, &perm->cond, NULL) &&
660 aa_unpack_u32(e, &perm->kill, NULL) &&
661 aa_unpack_u32(e, &perm->complain, NULL) &&
662 aa_unpack_u32(e, &perm->prompt, NULL) &&
663 aa_unpack_u32(e, &perm->audit, NULL) &&
664 aa_unpack_u32(e, &perm->quiet, NULL) &&
665 aa_unpack_u32(e, &perm->hide, NULL) &&
666 aa_unpack_u32(e, &perm->xindex, NULL) &&
667 aa_unpack_u32(e, &perm->tag, NULL) &&
668 aa_unpack_u32(e, &perm->label, NULL);
669 }
670
unpack_perms_table(struct aa_ext * e,struct aa_perms ** perms)671 static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms)
672 {
673 void *pos = e->pos;
674 u16 size = 0;
675
676 AA_BUG(!perms);
677 /*
678 * policy perms are optional, in which case perms are embedded
679 * in the dfa accept table
680 */
681 if (aa_unpack_nameX(e, AA_STRUCT, "perms")) {
682 int i;
683 u32 version;
684
685 if (!aa_unpack_u32(e, &version, "version"))
686 goto fail_reset;
687 if (!aa_unpack_array(e, NULL, &size))
688 goto fail_reset;
689 *perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL);
690 if (!*perms)
691 goto fail_reset;
692 for (i = 0; i < size; i++) {
693 if (!unpack_perm(e, version, &(*perms)[i]))
694 goto fail;
695 }
696 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
697 goto fail;
698 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
699 goto fail;
700 } else
701 *perms = NULL;
702
703 return size;
704
705 fail:
706 kfree(*perms);
707 fail_reset:
708 e->pos = pos;
709 return -EPROTO;
710 }
711
unpack_pdb(struct aa_ext * e,struct aa_policydb ** policy,bool required_dfa,bool required_trans,const char ** info)712 static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
713 bool required_dfa, bool required_trans,
714 const char **info)
715 {
716 struct aa_policydb *pdb;
717 void *pos = e->pos;
718 int i, flags, error = -EPROTO;
719 ssize_t size;
720 u32 version = 0;
721
722 pdb = aa_alloc_pdb(GFP_KERNEL);
723 if (!pdb)
724 return -ENOMEM;
725
726 size = unpack_perms_table(e, &pdb->perms);
727 if (size < 0) {
728 error = size;
729 pdb->perms = NULL;
730 *info = "failed to unpack - perms";
731 goto fail;
732 }
733 pdb->size = size;
734
735 if (pdb->perms) {
736 /* perms table present accept is index */
737 flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
738 if (aa_unpack_u32(e, &version, "permsv") && version > 2)
739 /* accept2 used for dfa flags */
740 flags |= TO_ACCEPT2_FLAG(YYTD_DATA32);
741 } else {
742 /* packed perms in accept1 and accept2 */
743 flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
744 TO_ACCEPT2_FLAG(YYTD_DATA32);
745 }
746
747 pdb->dfa = unpack_dfa(e, flags);
748 if (IS_ERR(pdb->dfa)) {
749 error = PTR_ERR(pdb->dfa);
750 pdb->dfa = NULL;
751 *info = "failed to unpack - dfa";
752 goto fail;
753 } else if (!pdb->dfa) {
754 if (required_dfa) {
755 *info = "missing required dfa";
756 goto fail;
757 }
758 } else {
759 /*
760 * only unpack the following if a dfa is present
761 *
762 * sadly start was given different names for file and policydb
763 * but since it is optional we can try both
764 */
765 if (!aa_unpack_u32(e, &pdb->start[0], "start"))
766 /* default start state */
767 pdb->start[0] = DFA_START;
768 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
769 /* default start state for xmatch and file dfa */
770 pdb->start[AA_CLASS_FILE] = DFA_START;
771 } /* setup class index */
772 for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
773 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
774 i);
775 }
776 }
777
778 /* accept2 is in some cases being allocated, even with perms */
779 if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
780 /* add dfa flags table missing in v2 */
781 u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
782 u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
783 size_t tsize = table_size(noents, tdflags);
784
785 pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL);
786 if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
787 *info = "failed to alloc dfa flags table";
788 goto out;
789 }
790 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents;
791 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags;
792 }
793 /*
794 * Unfortunately due to a bug in earlier userspaces, a
795 * transition table may be present even when the dfa is
796 * not. For compatibility reasons unpack and discard.
797 */
798 if (!unpack_trans_table(e, &pdb->trans) && required_trans) {
799 *info = "failed to unpack profile transition table";
800 goto fail;
801 }
802
803 if (!pdb->dfa && pdb->trans.table)
804 aa_free_str_table(&pdb->trans);
805
806 /* TODO:
807 * - move compat mapping here, requires dfa merging first
808 * - move verify here, it has to be done after compat mappings
809 * - move free of unneeded trans table here, has to be done
810 * after perm mapping.
811 */
812 out:
813 *policy = pdb;
814 return 0;
815
816 fail:
817 aa_put_pdb(pdb);
818 e->pos = pos;
819 return error;
820 }
821
strhash(const void * data,u32 len,u32 seed)822 static u32 strhash(const void *data, u32 len, u32 seed)
823 {
824 const char * const *key = data;
825
826 return jhash(*key, strlen(*key), seed);
827 }
828
datacmp(struct rhashtable_compare_arg * arg,const void * obj)829 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
830 {
831 const struct aa_data *data = obj;
832 const char * const *key = arg->key;
833
834 return strcmp(data->key, *key);
835 }
836
837 /**
838 * unpack_profile - unpack a serialized profile
839 * @e: serialized data extent information (NOT NULL)
840 * @ns_name: pointer of newly allocated copy of %NULL in case of error
841 *
842 * NOTE: unpack profile sets audit struct if there is a failure
843 */
unpack_profile(struct aa_ext * e,char ** ns_name)844 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
845 {
846 struct aa_ruleset *rules;
847 struct aa_profile *profile = NULL;
848 const char *tmpname, *tmpns = NULL, *name = NULL;
849 const char *info = "failed to unpack profile";
850 size_t ns_len;
851 struct rhashtable_params params = { 0 };
852 char *key = NULL, *disconnected = NULL;
853 struct aa_data *data;
854 int error = -EPROTO;
855 kernel_cap_t tmpcap;
856 u32 tmp;
857
858 *ns_name = NULL;
859
860 /* check that we have the right struct being passed */
861 if (!aa_unpack_nameX(e, AA_STRUCT, "profile"))
862 goto fail;
863 if (!aa_unpack_str(e, &name, NULL))
864 goto fail;
865 if (*name == '\0')
866 goto fail;
867
868 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
869 if (tmpns) {
870 if (!tmpname) {
871 info = "empty profile name";
872 goto fail;
873 }
874 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
875 if (!*ns_name) {
876 info = "out of memory";
877 error = -ENOMEM;
878 goto fail;
879 }
880 name = tmpname;
881 }
882
883 profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
884 if (!profile) {
885 info = "out of memory";
886 error = -ENOMEM;
887 goto fail;
888 }
889 rules = profile->label.rules[0];
890
891 /* profile renaming is optional */
892 (void) aa_unpack_str(e, &profile->rename, "rename");
893
894 /* attachment string is optional */
895 (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach");
896
897 /* xmatch is optional and may be NULL */
898 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info);
899 if (error) {
900 info = "bad xmatch";
901 goto fail;
902 }
903
904 /* neither xmatch_len not xmatch_perms are optional if xmatch is set */
905 if (profile->attach.xmatch->dfa) {
906 if (!aa_unpack_u32(e, &tmp, NULL)) {
907 info = "missing xmatch len";
908 goto fail;
909 }
910 profile->attach.xmatch_len = tmp;
911 profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START;
912 if (!profile->attach.xmatch->perms) {
913 error = aa_compat_map_xmatch(profile->attach.xmatch);
914 if (error) {
915 info = "failed to convert xmatch permission table";
916 goto fail;
917 }
918 }
919 }
920
921 /* disconnected attachment string is optional */
922 (void) aa_unpack_strdup(e, &disconnected, "disconnected");
923 profile->disconnected = disconnected;
924
925 /* optional */
926 (void) aa_unpack_u32(e, &profile->signal, "kill");
927 if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {
928 info = "profile kill.signal invalid value";
929 goto fail;
930 }
931 /* per profile debug flags (complain, audit) */
932 if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
933 info = "profile missing flags";
934 goto fail;
935 }
936 info = "failed to unpack profile flags";
937 if (!aa_unpack_u32(e, &tmp, NULL))
938 goto fail;
939 if (tmp & PACKED_FLAG_HAT)
940 profile->label.flags |= FLAG_HAT;
941 if (tmp & PACKED_FLAG_DEBUG1)
942 profile->label.flags |= FLAG_DEBUG1;
943 if (tmp & PACKED_FLAG_DEBUG2)
944 profile->label.flags |= FLAG_DEBUG2;
945 if (!aa_unpack_u32(e, &tmp, NULL))
946 goto fail;
947 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
948 profile->mode = APPARMOR_COMPLAIN;
949 } else if (tmp == PACKED_MODE_ENFORCE) {
950 profile->mode = APPARMOR_ENFORCE;
951 } else if (tmp == PACKED_MODE_KILL) {
952 profile->mode = APPARMOR_KILL;
953 } else if (tmp == PACKED_MODE_UNCONFINED) {
954 profile->mode = APPARMOR_UNCONFINED;
955 profile->label.flags |= FLAG_UNCONFINED;
956 } else if (tmp == PACKED_MODE_USER) {
957 profile->mode = APPARMOR_USER;
958 } else {
959 goto fail;
960 }
961 if (!aa_unpack_u32(e, &tmp, NULL))
962 goto fail;
963 if (tmp)
964 profile->audit = AUDIT_ALL;
965
966 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
967 goto fail;
968
969 /* path_flags is optional */
970 if (aa_unpack_u32(e, &profile->path_flags, "path_flags"))
971 profile->path_flags |= profile->label.flags &
972 PATH_MEDIATE_DELETED;
973 else
974 /* set a default value if path_flags field is not present */
975 profile->path_flags = PATH_MEDIATE_DELETED;
976
977 info = "failed to unpack profile capabilities";
978 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL))
979 goto fail;
980 if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL))
981 goto fail;
982 if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL))
983 goto fail;
984 if (!aa_unpack_cap_low(e, &tmpcap, NULL))
985 goto fail;
986
987 info = "failed to unpack upper profile capabilities";
988 if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) {
989 /* optional upper half of 64 bit caps */
990 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL))
991 goto fail;
992 if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL))
993 goto fail;
994 if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL))
995 goto fail;
996 if (!aa_unpack_cap_high(e, &tmpcap, NULL))
997 goto fail;
998 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
999 goto fail;
1000 }
1001
1002 info = "failed to unpack extended profile capabilities";
1003 if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) {
1004 /* optional extended caps mediation mask */
1005 if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL))
1006 goto fail;
1007 if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL))
1008 goto fail;
1009 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1010 goto fail;
1011 }
1012
1013 if (!unpack_xattrs(e, profile)) {
1014 info = "failed to unpack profile xattrs";
1015 goto fail;
1016 }
1017
1018 if (!unpack_rlimits(e, rules)) {
1019 info = "failed to unpack profile rlimits";
1020 goto fail;
1021 }
1022
1023 if (!unpack_secmark(e, rules)) {
1024 info = "failed to unpack profile secmark rules";
1025 goto fail;
1026 }
1027
1028 if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
1029 /* generic policy dfa - optional and may be NULL */
1030 info = "failed to unpack policydb";
1031 error = unpack_pdb(e, &rules->policy, true, false,
1032 &info);
1033 if (error)
1034 goto fail;
1035 /* Fixup: drop when we get rid of start array */
1036 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0],
1037 AA_CLASS_FILE))
1038 rules->policy->start[AA_CLASS_FILE] =
1039 aa_dfa_next(rules->policy->dfa,
1040 rules->policy->start[0],
1041 AA_CLASS_FILE);
1042 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1043 goto fail;
1044 if (!rules->policy->perms) {
1045 error = aa_compat_map_policy(rules->policy,
1046 e->version);
1047 if (error) {
1048 info = "failed to remap policydb permission table";
1049 goto fail;
1050 }
1051 }
1052 } else {
1053 rules->policy = aa_get_pdb(nullpdb);
1054 }
1055 /* get file rules */
1056 error = unpack_pdb(e, &rules->file, false, true, &info);
1057 if (error) {
1058 goto fail;
1059 } else if (rules->file->dfa) {
1060 if (!rules->file->perms) {
1061 error = aa_compat_map_file(rules->file);
1062 if (error) {
1063 info = "failed to remap file permission table";
1064 goto fail;
1065 }
1066 }
1067 } else if (rules->policy->dfa &&
1068 rules->policy->start[AA_CLASS_FILE]) {
1069 aa_put_pdb(rules->file);
1070 rules->file = aa_get_pdb(rules->policy);
1071 } else {
1072 aa_put_pdb(rules->file);
1073 rules->file = aa_get_pdb(nullpdb);
1074 }
1075 error = -EPROTO;
1076 if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
1077 info = "out of memory";
1078 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
1079 if (!profile->data) {
1080 error = -ENOMEM;
1081 goto fail;
1082 }
1083 params.nelem_hint = 3;
1084 params.key_len = sizeof(void *);
1085 params.key_offset = offsetof(struct aa_data, key);
1086 params.head_offset = offsetof(struct aa_data, head);
1087 params.hashfn = strhash;
1088 params.obj_cmpfn = datacmp;
1089
1090 if (rhashtable_init(profile->data, ¶ms)) {
1091 info = "failed to init key, value hash table";
1092 goto fail;
1093 }
1094
1095 while (aa_unpack_strdup(e, &key, NULL)) {
1096 data = kzalloc(sizeof(*data), GFP_KERNEL);
1097 if (!data) {
1098 kfree_sensitive(key);
1099 error = -ENOMEM;
1100 goto fail;
1101 }
1102
1103 data->key = key;
1104 data->size = aa_unpack_blob(e, &data->data, NULL);
1105 data->data = kvmemdup(data->data, data->size, GFP_KERNEL);
1106 if (data->size && !data->data) {
1107 kfree_sensitive(data->key);
1108 kfree_sensitive(data);
1109 error = -ENOMEM;
1110 goto fail;
1111 }
1112
1113 if (rhashtable_insert_fast(profile->data, &data->head,
1114 profile->data->p)) {
1115 kvfree_sensitive(data->data, data->size);
1116 kfree_sensitive(data->key);
1117 kfree_sensitive(data);
1118 info = "failed to insert data to table";
1119 goto fail;
1120 }
1121 }
1122
1123 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1124 info = "failed to unpack end of key, value data table";
1125 goto fail;
1126 }
1127 }
1128
1129 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1130 info = "failed to unpack end of profile";
1131 goto fail;
1132 }
1133
1134 aa_compute_profile_mediates(profile);
1135
1136 return profile;
1137
1138 fail:
1139 if (error == 0)
1140 /* default error covers most cases */
1141 error = -EPROTO;
1142 if (*ns_name) {
1143 kfree(*ns_name);
1144 *ns_name = NULL;
1145 }
1146 if (profile)
1147 name = NULL;
1148 else if (!name)
1149 name = "unknown";
1150 audit_iface(profile, NULL, name, info, e, error);
1151 aa_free_profile(profile);
1152
1153 return ERR_PTR(error);
1154 }
1155
1156 /**
1157 * verify_header - unpack serialized stream header
1158 * @e: serialized data read head (NOT NULL)
1159 * @required: whether the header is required or optional
1160 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
1161 *
1162 * Returns: error or 0 if header is good
1163 */
verify_header(struct aa_ext * e,int required,const char ** ns)1164 static int verify_header(struct aa_ext *e, int required, const char **ns)
1165 {
1166 int error = -EPROTONOSUPPORT;
1167 const char *name = NULL;
1168 *ns = NULL;
1169
1170 /* get the interface version */
1171 if (!aa_unpack_u32(e, &e->version, "version")) {
1172 if (required) {
1173 audit_iface(NULL, NULL, NULL, "invalid profile format",
1174 e, error);
1175 return error;
1176 }
1177 }
1178
1179 /* Check that the interface version is currently supported.
1180 * if not specified use previous version
1181 * Mask off everything that is not kernel abi version
1182 */
1183 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) {
1184 audit_iface(NULL, NULL, NULL, "unsupported interface version",
1185 e, error);
1186 return error;
1187 }
1188
1189 /* read the namespace if present */
1190 if (aa_unpack_str(e, &name, "namespace")) {
1191 if (*name == '\0') {
1192 audit_iface(NULL, NULL, NULL, "invalid namespace name",
1193 e, error);
1194 return error;
1195 }
1196 if (*ns && strcmp(*ns, name)) {
1197 audit_iface(NULL, NULL, NULL, "invalid ns change", e,
1198 error);
1199 } else if (!*ns) {
1200 *ns = kstrdup(name, GFP_KERNEL);
1201 if (!*ns)
1202 return -ENOMEM;
1203 }
1204 }
1205
1206 return 0;
1207 }
1208
1209 /**
1210 * verify_dfa_accept_index - verify accept indexes are in range of perms table
1211 * @dfa: the dfa to check accept indexes are in range
1212 * @table_size: the permission table size the indexes should be within
1213 */
verify_dfa_accept_index(struct aa_dfa * dfa,int table_size)1214 static bool verify_dfa_accept_index(struct aa_dfa *dfa, int table_size)
1215 {
1216 int i;
1217 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
1218 if (ACCEPT_TABLE(dfa)[i] >= table_size)
1219 return false;
1220 }
1221 return true;
1222 }
1223
verify_perm(struct aa_perms * perm)1224 static bool verify_perm(struct aa_perms *perm)
1225 {
1226 /* TODO: allow option to just force the perms into a valid state */
1227 if (perm->allow & perm->deny)
1228 return false;
1229 if (perm->subtree & ~perm->allow)
1230 return false;
1231 if (perm->cond & (perm->allow | perm->deny))
1232 return false;
1233 if (perm->kill & perm->allow)
1234 return false;
1235 if (perm->complain & (perm->allow | perm->deny))
1236 return false;
1237 if (perm->prompt & (perm->allow | perm->deny))
1238 return false;
1239 if (perm->complain & perm->prompt)
1240 return false;
1241 if (perm->hide & perm->allow)
1242 return false;
1243
1244 return true;
1245 }
1246
verify_perms(struct aa_policydb * pdb)1247 static bool verify_perms(struct aa_policydb *pdb)
1248 {
1249 int i;
1250 int xidx, xmax = -1;
1251
1252 for (i = 0; i < pdb->size; i++) {
1253 if (!verify_perm(&pdb->perms[i]))
1254 return false;
1255 /* verify indexes into str table */
1256 if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
1257 xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK;
1258 if (xidx >= pdb->trans.size)
1259 return false;
1260 if (xmax < xidx)
1261 xmax = xidx;
1262 }
1263 if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->trans.size)
1264 return false;
1265 if (pdb->perms[i].label &&
1266 pdb->perms[i].label >= pdb->trans.size)
1267 return false;
1268 }
1269 /* deal with incorrectly constructed string tables */
1270 if (xmax == -1) {
1271 aa_free_str_table(&pdb->trans);
1272 } else if (pdb->trans.size > xmax + 1) {
1273 if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL))
1274 return false;
1275 }
1276 return true;
1277 }
1278
1279 /**
1280 * verify_profile - Do post unpack analysis to verify profile consistency
1281 * @profile: profile to verify (NOT NULL)
1282 *
1283 * Returns: 0 if passes verification else error
1284 *
1285 * This verification is post any unpack mapping or changes
1286 */
verify_profile(struct aa_profile * profile)1287 static int verify_profile(struct aa_profile *profile)
1288 {
1289 struct aa_ruleset *rules = profile->label.rules[0];
1290
1291 if (!rules)
1292 return 0;
1293
1294 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa,
1295 rules->file->size)) {
1296 audit_iface(profile, NULL, NULL,
1297 "Unpack: file Invalid named transition", NULL,
1298 -EPROTO);
1299 return -EPROTO;
1300 }
1301 if (rules->policy->dfa &&
1302 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) {
1303 audit_iface(profile, NULL, NULL,
1304 "Unpack: policy Invalid named transition", NULL,
1305 -EPROTO);
1306 return -EPROTO;
1307 }
1308
1309 if (!verify_perms(rules->file)) {
1310 audit_iface(profile, NULL, NULL,
1311 "Unpack: Invalid perm index", NULL, -EPROTO);
1312 return -EPROTO;
1313 }
1314 if (!verify_perms(rules->policy)) {
1315 audit_iface(profile, NULL, NULL,
1316 "Unpack: Invalid perm index", NULL, -EPROTO);
1317 return -EPROTO;
1318 }
1319 if (!verify_perms(profile->attach.xmatch)) {
1320 audit_iface(profile, NULL, NULL,
1321 "Unpack: Invalid perm index", NULL, -EPROTO);
1322 return -EPROTO;
1323 }
1324
1325 return 0;
1326 }
1327
aa_load_ent_free(struct aa_load_ent * ent)1328 void aa_load_ent_free(struct aa_load_ent *ent)
1329 {
1330 if (ent) {
1331 aa_put_profile(ent->rename);
1332 aa_put_profile(ent->old);
1333 aa_put_profile(ent->new);
1334 kfree(ent->ns_name);
1335 kfree_sensitive(ent);
1336 }
1337 }
1338
aa_load_ent_alloc(void)1339 struct aa_load_ent *aa_load_ent_alloc(void)
1340 {
1341 struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
1342 if (ent)
1343 INIT_LIST_HEAD(&ent->list);
1344 return ent;
1345 }
1346
compress_zstd(const char * src,size_t slen,char ** dst,size_t * dlen)1347 static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen)
1348 {
1349 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1350 const zstd_parameters params =
1351 zstd_get_params(aa_g_rawdata_compression_level, slen);
1352 const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams);
1353 void *wksp = NULL;
1354 zstd_cctx *ctx = NULL;
1355 size_t out_len = zstd_compress_bound(slen);
1356 void *out = NULL;
1357 int ret = 0;
1358
1359 out = kvzalloc(out_len, GFP_KERNEL);
1360 if (!out) {
1361 ret = -ENOMEM;
1362 goto cleanup;
1363 }
1364
1365 wksp = kvzalloc(wksp_len, GFP_KERNEL);
1366 if (!wksp) {
1367 ret = -ENOMEM;
1368 goto cleanup;
1369 }
1370
1371 ctx = zstd_init_cctx(wksp, wksp_len);
1372 if (!ctx) {
1373 ret = -EINVAL;
1374 goto cleanup;
1375 }
1376
1377 out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms);
1378 if (zstd_is_error(out_len) || out_len >= slen) {
1379 ret = -EINVAL;
1380 goto cleanup;
1381 }
1382
1383 if (is_vmalloc_addr(out)) {
1384 *dst = kvzalloc(out_len, GFP_KERNEL);
1385 if (*dst) {
1386 memcpy(*dst, out, out_len);
1387 kvfree(out);
1388 out = NULL;
1389 }
1390 } else {
1391 /*
1392 * If the staging buffer was kmalloc'd, then using krealloc is
1393 * probably going to be faster. The destination buffer will
1394 * always be smaller, so it's just shrunk, avoiding a memcpy
1395 */
1396 *dst = krealloc(out, out_len, GFP_KERNEL);
1397 }
1398
1399 if (!*dst) {
1400 ret = -ENOMEM;
1401 goto cleanup;
1402 }
1403
1404 *dlen = out_len;
1405
1406 cleanup:
1407 if (ret) {
1408 kvfree(out);
1409 *dst = NULL;
1410 }
1411
1412 kvfree(wksp);
1413 return ret;
1414 #else
1415 *dlen = slen;
1416 return 0;
1417 #endif
1418 }
1419
compress_loaddata(struct aa_loaddata * data)1420 static int compress_loaddata(struct aa_loaddata *data)
1421 {
1422 AA_BUG(data->compressed_size > 0);
1423
1424 /*
1425 * Shortcut the no compression case, else we increase the amount of
1426 * storage required by a small amount
1427 */
1428 if (aa_g_rawdata_compression_level != 0) {
1429 void *udata = data->data;
1430 int error = compress_zstd(udata, data->size, &data->data,
1431 &data->compressed_size);
1432 if (error) {
1433 data->compressed_size = data->size;
1434 return error;
1435 }
1436 if (udata != data->data)
1437 kvfree(udata);
1438 } else
1439 data->compressed_size = data->size;
1440
1441 return 0;
1442 }
1443
1444 /**
1445 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1446 * @udata: user data copied to kmem (NOT NULL)
1447 * @lh: list to place unpacked profiles in a aa_repl_ws
1448 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1449 *
1450 * Unpack user data and return refcounted allocated profile(s) stored in
1451 * @lh in order of discovery, with the list chain stored in base.list
1452 * or error
1453 *
1454 * Returns: profile(s) on @lh else error pointer if fails to unpack
1455 */
aa_unpack(struct aa_loaddata * udata,struct list_head * lh,const char ** ns)1456 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
1457 const char **ns)
1458 {
1459 struct aa_load_ent *tmp, *ent;
1460 struct aa_profile *profile = NULL;
1461 char *ns_name = NULL;
1462 int error;
1463 struct aa_ext e = {
1464 .start = udata->data,
1465 .end = udata->data + udata->size,
1466 .pos = udata->data,
1467 };
1468
1469 *ns = NULL;
1470 while (e.pos < e.end) {
1471 void *start;
1472 error = verify_header(&e, e.pos == e.start, ns);
1473 if (error)
1474 goto fail;
1475
1476 start = e.pos;
1477 profile = unpack_profile(&e, &ns_name);
1478 if (IS_ERR(profile)) {
1479 error = PTR_ERR(profile);
1480 goto fail;
1481 }
1482
1483 error = verify_profile(profile);
1484 if (error)
1485 goto fail_profile;
1486
1487 if (aa_g_hash_policy)
1488 error = aa_calc_profile_hash(profile, e.version, start,
1489 e.pos - start);
1490 if (error)
1491 goto fail_profile;
1492
1493 ent = aa_load_ent_alloc();
1494 if (!ent) {
1495 error = -ENOMEM;
1496 goto fail_profile;
1497 }
1498
1499 ent->new = profile;
1500 ent->ns_name = ns_name;
1501 ns_name = NULL;
1502 list_add_tail(&ent->list, lh);
1503 }
1504 udata->abi = e.version & K_ABI_MASK;
1505 if (aa_g_hash_policy) {
1506 udata->hash = aa_calc_hash(udata->data, udata->size);
1507 if (IS_ERR(udata->hash)) {
1508 error = PTR_ERR(udata->hash);
1509 udata->hash = NULL;
1510 goto fail;
1511 }
1512 }
1513
1514 if (aa_g_export_binary) {
1515 error = compress_loaddata(udata);
1516 if (error)
1517 goto fail;
1518 }
1519 return 0;
1520
1521 fail_profile:
1522 kfree(ns_name);
1523 aa_put_profile(profile);
1524
1525 fail:
1526 list_for_each_entry_safe(ent, tmp, lh, list) {
1527 list_del_init(&ent->list);
1528 aa_load_ent_free(ent);
1529 }
1530
1531 return error;
1532 }
1533