1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor functions for unpacking policy loaded from 6 * userspace. 7 * 8 * Copyright (C) 1998-2008 Novell/SUSE 9 * Copyright 2009-2010 Canonical Ltd. 10 * 11 * AppArmor uses a serialized binary format for loading policy. To find 12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst 13 * All policy is validated before it is used. 14 */ 15 16 #include <asm/unaligned.h> 17 #include <linux/ctype.h> 18 #include <linux/errno.h> 19 #include <linux/zstd.h> 20 21 #include "include/apparmor.h" 22 #include "include/audit.h" 23 #include "include/cred.h" 24 #include "include/crypto.h" 25 #include "include/file.h" 26 #include "include/match.h" 27 #include "include/path.h" 28 #include "include/policy.h" 29 #include "include/policy_unpack.h" 30 #include "include/policy_compat.h" 31 32 33 /* 34 * The AppArmor interface treats data as a type byte followed by the 35 * actual data. The interface has the notion of a named entry 36 * which has a name (AA_NAME typecode followed by name string) followed by 37 * the entries typecode and data. Named types allow for optional 38 * elements and extensions to be added and tested for without breaking 39 * backwards compatibility. 40 */ 41 42 enum aa_code { 43 AA_U8, 44 AA_U16, 45 AA_U32, 46 AA_U64, 47 AA_NAME, /* same as string except it is items name */ 48 AA_STRING, 49 AA_BLOB, 50 AA_STRUCT, 51 AA_STRUCTEND, 52 AA_LIST, 53 AA_LISTEND, 54 AA_ARRAY, 55 AA_ARRAYEND, 56 }; 57 58 /* 59 * aa_ext is the read of the buffer containing the serialized profile. The 60 * data is copied into a kernel buffer in apparmorfs and then handed off to 61 * the unpack routines. 62 */ 63 struct aa_ext { 64 void *start; 65 void *end; 66 void *pos; /* pointer to current position in the buffer */ 67 u32 version; 68 }; 69 70 #define tri int 71 #define TRI_TRUE 1 72 #define TRI_NONE 0 73 #define TRI_FALSE -1 74 75 /* audit callback for unpack fields */ 76 static void audit_cb(struct audit_buffer *ab, void *va) 77 { 78 struct common_audit_data *sa = va; 79 80 if (aad(sa)->iface.ns) { 81 audit_log_format(ab, " ns="); 82 audit_log_untrustedstring(ab, aad(sa)->iface.ns); 83 } 84 if (aad(sa)->name) { 85 audit_log_format(ab, " name="); 86 audit_log_untrustedstring(ab, aad(sa)->name); 87 } 88 if (aad(sa)->iface.pos) 89 audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos); 90 } 91 92 /** 93 * audit_iface - do audit message for policy unpacking/load/replace/remove 94 * @new: profile if it has been allocated (MAYBE NULL) 95 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL) 96 * @name: name of the profile being manipulated (MAYBE NULL) 97 * @info: any extra info about the failure (MAYBE NULL) 98 * @e: buffer position info 99 * @error: error code 100 * 101 * Returns: %0 or error 102 */ 103 static int audit_iface(struct aa_profile *new, const char *ns_name, 104 const char *name, const char *info, struct aa_ext *e, 105 int error) 106 { 107 struct aa_profile *profile = labels_profile(aa_current_raw_label()); 108 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); 109 if (e) 110 aad(&sa)->iface.pos = e->pos - e->start; 111 aad(&sa)->iface.ns = ns_name; 112 if (new) 113 aad(&sa)->name = new->base.hname; 114 else 115 aad(&sa)->name = name; 116 aad(&sa)->info = info; 117 aad(&sa)->error = error; 118 119 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); 120 } 121 122 void __aa_loaddata_update(struct aa_loaddata *data, long revision) 123 { 124 AA_BUG(!data); 125 AA_BUG(!data->ns); 126 AA_BUG(!mutex_is_locked(&data->ns->lock)); 127 AA_BUG(data->revision > revision); 128 129 data->revision = revision; 130 if ((data->dents[AAFS_LOADDATA_REVISION])) { 131 d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime = 132 current_time(d_inode(data->dents[AAFS_LOADDATA_DIR])); 133 d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime = 134 current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION])); 135 } 136 } 137 138 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r) 139 { 140 if (l->size != r->size) 141 return false; 142 if (l->compressed_size != r->compressed_size) 143 return false; 144 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) 145 return false; 146 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0; 147 } 148 149 /* 150 * need to take the ns mutex lock which is NOT safe most places that 151 * put_loaddata is called, so we have to delay freeing it 152 */ 153 static void do_loaddata_free(struct work_struct *work) 154 { 155 struct aa_loaddata *d = container_of(work, struct aa_loaddata, work); 156 struct aa_ns *ns = aa_get_ns(d->ns); 157 158 if (ns) { 159 mutex_lock_nested(&ns->lock, ns->level); 160 __aa_fs_remove_rawdata(d); 161 mutex_unlock(&ns->lock); 162 aa_put_ns(ns); 163 } 164 165 kfree_sensitive(d->hash); 166 kfree_sensitive(d->name); 167 kvfree(d->data); 168 kfree_sensitive(d); 169 } 170 171 void aa_loaddata_kref(struct kref *kref) 172 { 173 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); 174 175 if (d) { 176 INIT_WORK(&d->work, do_loaddata_free); 177 schedule_work(&d->work); 178 } 179 } 180 181 struct aa_loaddata *aa_loaddata_alloc(size_t size) 182 { 183 struct aa_loaddata *d; 184 185 d = kzalloc(sizeof(*d), GFP_KERNEL); 186 if (d == NULL) 187 return ERR_PTR(-ENOMEM); 188 d->data = kvzalloc(size, GFP_KERNEL); 189 if (!d->data) { 190 kfree(d); 191 return ERR_PTR(-ENOMEM); 192 } 193 kref_init(&d->count); 194 INIT_LIST_HEAD(&d->list); 195 196 return d; 197 } 198 199 /* test if read will be in packed data bounds */ 200 static bool inbounds(struct aa_ext *e, size_t size) 201 { 202 return (size <= e->end - e->pos); 203 } 204 205 static void *kvmemdup(const void *src, size_t len) 206 { 207 void *p = kvmalloc(len, GFP_KERNEL); 208 209 if (p) 210 memcpy(p, src, len); 211 return p; 212 } 213 214 /** 215 * unpack_u16_chunk - test and do bounds checking for a u16 size based chunk 216 * @e: serialized data read head (NOT NULL) 217 * @chunk: start address for chunk of data (NOT NULL) 218 * 219 * Returns: the size of chunk found with the read head at the end of the chunk. 220 */ 221 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) 222 { 223 size_t size = 0; 224 void *pos = e->pos; 225 226 if (!inbounds(e, sizeof(u16))) 227 goto fail; 228 size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); 229 e->pos += sizeof(__le16); 230 if (!inbounds(e, size)) 231 goto fail; 232 *chunk = e->pos; 233 e->pos += size; 234 return size; 235 236 fail: 237 e->pos = pos; 238 return 0; 239 } 240 241 /* unpack control byte */ 242 static bool unpack_X(struct aa_ext *e, enum aa_code code) 243 { 244 if (!inbounds(e, 1)) 245 return false; 246 if (*(u8 *) e->pos != code) 247 return false; 248 e->pos++; 249 return true; 250 } 251 252 /** 253 * unpack_nameX - check is the next element is of type X with a name of @name 254 * @e: serialized data extent information (NOT NULL) 255 * @code: type code 256 * @name: name to match to the serialized element. (MAYBE NULL) 257 * 258 * check that the next serialized data element is of type X and has a tag 259 * name @name. If @name is specified then there must be a matching 260 * name element in the stream. If @name is NULL any name element will be 261 * skipped and only the typecode will be tested. 262 * 263 * Returns true on success (both type code and name tests match) and the read 264 * head is advanced past the headers 265 * 266 * Returns: false if either match fails, the read head does not move 267 */ 268 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) 269 { 270 /* 271 * May need to reset pos if name or type doesn't match 272 */ 273 void *pos = e->pos; 274 /* 275 * Check for presence of a tagname, and if present name size 276 * AA_NAME tag value is a u16. 277 */ 278 if (unpack_X(e, AA_NAME)) { 279 char *tag = NULL; 280 size_t size = unpack_u16_chunk(e, &tag); 281 /* if a name is specified it must match. otherwise skip tag */ 282 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) 283 goto fail; 284 } else if (name) { 285 /* if a name is specified and there is no name tag fail */ 286 goto fail; 287 } 288 289 /* now check if type code matches */ 290 if (unpack_X(e, code)) 291 return true; 292 293 fail: 294 e->pos = pos; 295 return false; 296 } 297 298 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name) 299 { 300 void *pos = e->pos; 301 302 if (unpack_nameX(e, AA_U8, name)) { 303 if (!inbounds(e, sizeof(u8))) 304 goto fail; 305 if (data) 306 *data = *((u8 *)e->pos); 307 e->pos += sizeof(u8); 308 return true; 309 } 310 311 fail: 312 e->pos = pos; 313 return false; 314 } 315 316 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) 317 { 318 void *pos = e->pos; 319 320 if (unpack_nameX(e, AA_U32, name)) { 321 if (!inbounds(e, sizeof(u32))) 322 goto fail; 323 if (data) 324 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); 325 e->pos += sizeof(u32); 326 return true; 327 } 328 329 fail: 330 e->pos = pos; 331 return false; 332 } 333 334 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) 335 { 336 void *pos = e->pos; 337 338 if (unpack_nameX(e, AA_U64, name)) { 339 if (!inbounds(e, sizeof(u64))) 340 goto fail; 341 if (data) 342 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); 343 e->pos += sizeof(u64); 344 return true; 345 } 346 347 fail: 348 e->pos = pos; 349 return false; 350 } 351 352 static tri unpack_array(struct aa_ext *e, const char *name, u16 *size) 353 { 354 void *pos = e->pos; 355 356 if (unpack_nameX(e, AA_ARRAY, name)) { 357 if (!inbounds(e, sizeof(u16))) 358 goto fail; 359 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); 360 e->pos += sizeof(u16); 361 return TRI_TRUE; 362 } 363 364 return TRI_NONE; 365 fail: 366 e->pos = pos; 367 return TRI_FALSE; 368 } 369 370 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) 371 { 372 void *pos = e->pos; 373 374 if (unpack_nameX(e, AA_BLOB, name)) { 375 u32 size; 376 if (!inbounds(e, sizeof(u32))) 377 goto fail; 378 size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); 379 e->pos += sizeof(u32); 380 if (inbounds(e, (size_t) size)) { 381 *blob = e->pos; 382 e->pos += size; 383 return size; 384 } 385 } 386 387 fail: 388 e->pos = pos; 389 return 0; 390 } 391 392 static int unpack_str(struct aa_ext *e, const char **string, const char *name) 393 { 394 char *src_str; 395 size_t size = 0; 396 void *pos = e->pos; 397 *string = NULL; 398 if (unpack_nameX(e, AA_STRING, name)) { 399 size = unpack_u16_chunk(e, &src_str); 400 if (size) { 401 /* strings are null terminated, length is size - 1 */ 402 if (src_str[size - 1] != 0) 403 goto fail; 404 *string = src_str; 405 406 return size; 407 } 408 } 409 410 fail: 411 e->pos = pos; 412 return 0; 413 } 414 415 static int unpack_strdup(struct aa_ext *e, char **string, const char *name) 416 { 417 const char *tmp; 418 void *pos = e->pos; 419 int res = unpack_str(e, &tmp, name); 420 *string = NULL; 421 422 if (!res) 423 return 0; 424 425 *string = kmemdup(tmp, res, GFP_KERNEL); 426 if (!*string) { 427 e->pos = pos; 428 return 0; 429 } 430 431 return res; 432 } 433 434 435 /** 436 * unpack_dfa - unpack a file rule dfa 437 * @e: serialized data extent information (NOT NULL) 438 * @flags: dfa flags to check 439 * 440 * returns dfa or ERR_PTR or NULL if no dfa 441 */ 442 static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags) 443 { 444 char *blob = NULL; 445 size_t size; 446 struct aa_dfa *dfa = NULL; 447 448 size = unpack_blob(e, &blob, "aadfa"); 449 if (size) { 450 /* 451 * The dfa is aligned with in the blob to 8 bytes 452 * from the beginning of the stream. 453 * alignment adjust needed by dfa unpack 454 */ 455 size_t sz = blob - (char *) e->start - 456 ((e->pos - e->start) & 7); 457 size_t pad = ALIGN(sz, 8) - sz; 458 if (aa_g_paranoid_load) 459 flags |= DFA_FLAG_VERIFY_STATES; 460 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); 461 462 if (IS_ERR(dfa)) 463 return dfa; 464 465 } 466 467 return dfa; 468 } 469 470 /** 471 * unpack_trans_table - unpack a profile transition table 472 * @e: serialized data extent information (NOT NULL) 473 * @table: str table to unpack to (NOT NULL) 474 * 475 * Returns: true if table successfully unpacked or not present 476 */ 477 static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs) 478 { 479 void *saved_pos = e->pos; 480 char **table = NULL; 481 482 /* exec table is optional */ 483 if (unpack_nameX(e, AA_STRUCT, "xtable")) { 484 u16 size; 485 int i; 486 487 if (unpack_array(e, NULL, &size) != TRI_TRUE) 488 /* 489 * Note: index into trans table array is a max 490 * of 2^24, but unpack array can only unpack 491 * an array of 2^16 in size atm so no need 492 * for size check here 493 */ 494 goto fail; 495 table = kcalloc(size, sizeof(char *), GFP_KERNEL); 496 if (!table) 497 goto fail; 498 499 for (i = 0; i < size; i++) { 500 char *str; 501 int c, j, pos, size2 = unpack_strdup(e, &str, NULL); 502 /* unpack_strdup verifies that the last character is 503 * null termination byte. 504 */ 505 if (!size2) 506 goto fail; 507 table[i] = str; 508 /* verify that name doesn't start with space */ 509 if (isspace(*str)) 510 goto fail; 511 512 /* count internal # of internal \0 */ 513 for (c = j = 0; j < size2 - 1; j++) { 514 if (!str[j]) { 515 pos = j; 516 c++; 517 } 518 } 519 if (*str == ':') { 520 /* first character after : must be valid */ 521 if (!str[1]) 522 goto fail; 523 /* beginning with : requires an embedded \0, 524 * verify that exactly 1 internal \0 exists 525 * trailing \0 already verified by unpack_strdup 526 * 527 * convert \0 back to : for label_parse 528 */ 529 if (c == 1) 530 str[pos] = ':'; 531 else if (c > 1) 532 goto fail; 533 } else if (c) 534 /* fail - all other cases with embedded \0 */ 535 goto fail; 536 } 537 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 538 goto fail; 539 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 540 goto fail; 541 542 strs->table = table; 543 strs->size = size; 544 } 545 return true; 546 547 fail: 548 kfree_sensitive(table); 549 e->pos = saved_pos; 550 return false; 551 } 552 553 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile) 554 { 555 void *pos = e->pos; 556 557 if (unpack_nameX(e, AA_STRUCT, "xattrs")) { 558 u16 size; 559 int i; 560 561 if (unpack_array(e, NULL, &size) != TRI_TRUE) 562 goto fail; 563 profile->attach.xattr_count = size; 564 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); 565 if (!profile->attach.xattrs) 566 goto fail; 567 for (i = 0; i < size; i++) { 568 if (!unpack_strdup(e, &profile->attach.xattrs[i], NULL)) 569 goto fail; 570 } 571 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 572 goto fail; 573 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 574 goto fail; 575 } 576 577 return true; 578 579 fail: 580 e->pos = pos; 581 return false; 582 } 583 584 static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules) 585 { 586 void *pos = e->pos; 587 u16 size; 588 int i; 589 590 if (unpack_nameX(e, AA_STRUCT, "secmark")) { 591 if (unpack_array(e, NULL, &size) != TRI_TRUE) 592 goto fail; 593 594 rules->secmark = kcalloc(size, sizeof(struct aa_secmark), 595 GFP_KERNEL); 596 if (!rules->secmark) 597 goto fail; 598 599 rules->secmark_count = size; 600 601 for (i = 0; i < size; i++) { 602 if (!unpack_u8(e, &rules->secmark[i].audit, NULL)) 603 goto fail; 604 if (!unpack_u8(e, &rules->secmark[i].deny, NULL)) 605 goto fail; 606 if (!unpack_strdup(e, &rules->secmark[i].label, NULL)) 607 goto fail; 608 } 609 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 610 goto fail; 611 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 612 goto fail; 613 } 614 615 return true; 616 617 fail: 618 if (rules->secmark) { 619 for (i = 0; i < size; i++) 620 kfree(rules->secmark[i].label); 621 kfree(rules->secmark); 622 rules->secmark_count = 0; 623 rules->secmark = NULL; 624 } 625 626 e->pos = pos; 627 return false; 628 } 629 630 static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules) 631 { 632 void *pos = e->pos; 633 634 /* rlimits are optional */ 635 if (unpack_nameX(e, AA_STRUCT, "rlimits")) { 636 u16 size; 637 int i; 638 u32 tmp = 0; 639 if (!unpack_u32(e, &tmp, NULL)) 640 goto fail; 641 rules->rlimits.mask = tmp; 642 643 if (unpack_array(e, NULL, &size) != TRI_TRUE || 644 size > RLIM_NLIMITS) 645 goto fail; 646 for (i = 0; i < size; i++) { 647 u64 tmp2 = 0; 648 int a = aa_map_resource(i); 649 if (!unpack_u64(e, &tmp2, NULL)) 650 goto fail; 651 rules->rlimits.limits[a].rlim_max = tmp2; 652 } 653 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 654 goto fail; 655 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 656 goto fail; 657 } 658 return true; 659 660 fail: 661 e->pos = pos; 662 return false; 663 } 664 665 static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm) 666 { 667 bool res; 668 669 if (version != 1) 670 return false; 671 672 res = unpack_u32(e, &perm->allow, NULL); 673 res = res && unpack_u32(e, &perm->allow, NULL); 674 res = res && unpack_u32(e, &perm->deny, NULL); 675 res = res && unpack_u32(e, &perm->subtree, NULL); 676 res = res && unpack_u32(e, &perm->cond, NULL); 677 res = res && unpack_u32(e, &perm->kill, NULL); 678 res = res && unpack_u32(e, &perm->complain, NULL); 679 res = res && unpack_u32(e, &perm->prompt, NULL); 680 res = res && unpack_u32(e, &perm->audit, NULL); 681 res = res && unpack_u32(e, &perm->quiet, NULL); 682 res = res && unpack_u32(e, &perm->hide, NULL); 683 res = res && unpack_u32(e, &perm->xindex, NULL); 684 res = res && unpack_u32(e, &perm->tag, NULL); 685 res = res && unpack_u32(e, &perm->label, NULL); 686 687 return res; 688 } 689 690 static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms) 691 { 692 void *pos = e->pos; 693 u16 size = 0; 694 695 AA_BUG(!perms); 696 /* 697 * policy perms are optional, in which case perms are embedded 698 * in the dfa accept table 699 */ 700 if (unpack_nameX(e, AA_STRUCT, "perms")) { 701 int i; 702 u32 version; 703 704 if (!unpack_u32(e, &version, "version")) 705 goto fail_reset; 706 if (unpack_array(e, NULL, &size) != TRI_TRUE) 707 goto fail_reset; 708 *perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL); 709 if (!*perms) 710 goto fail_reset; 711 for (i = 0; i < size; i++) { 712 if (!unpack_perm(e, version, &(*perms)[i])) 713 goto fail; 714 } 715 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 716 goto fail; 717 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 718 goto fail; 719 } else 720 *perms = NULL; 721 722 return size; 723 724 fail: 725 kfree(*perms); 726 fail_reset: 727 e->pos = pos; 728 return -EPROTO; 729 } 730 731 static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy, 732 bool required_dfa, bool required_trans, 733 const char **info) 734 { 735 void *pos = e->pos; 736 int i, flags, error = -EPROTO; 737 ssize_t size; 738 739 size = unpack_perms_table(e, &policy->perms); 740 if (size < 0) { 741 error = size; 742 policy->perms = NULL; 743 *info = "failed to unpack - perms"; 744 goto fail; 745 } 746 policy->size = size; 747 748 if (policy->perms) { 749 /* perms table present accept is index */ 750 flags = TO_ACCEPT1_FLAG(YYTD_DATA32); 751 } else { 752 /* packed perms in accept1 and accept2 */ 753 flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | 754 TO_ACCEPT2_FLAG(YYTD_DATA32); 755 } 756 757 policy->dfa = unpack_dfa(e, flags); 758 if (IS_ERR(policy->dfa)) { 759 error = PTR_ERR(policy->dfa); 760 policy->dfa = NULL; 761 *info = "failed to unpack - dfa"; 762 goto fail; 763 } else if (!policy->dfa) { 764 if (required_dfa) { 765 *info = "missing required dfa"; 766 goto fail; 767 } 768 goto out; 769 } 770 771 /* 772 * only unpack the following if a dfa is present 773 * 774 * sadly start was given different names for file and policydb 775 * but since it is optional we can try both 776 */ 777 if (!unpack_u32(e, &policy->start[0], "start")) 778 /* default start state */ 779 policy->start[0] = DFA_START; 780 if (!unpack_u32(e, &policy->start[AA_CLASS_FILE], "dfa_start")) { 781 /* default start state for xmatch and file dfa */ 782 policy->start[AA_CLASS_FILE] = DFA_START; 783 } /* setup class index */ 784 for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) { 785 policy->start[i] = aa_dfa_next(policy->dfa, policy->start[0], 786 i); 787 } 788 if (!unpack_trans_table(e, &policy->trans) && required_trans) { 789 *info = "failed to unpack profile transition table"; 790 goto fail; 791 } 792 793 /* TODO: move compat mapping here, requires dfa merging first */ 794 /* TODO: move verify here, it has to be done after compat mappings */ 795 out: 796 return 0; 797 798 fail: 799 e->pos = pos; 800 return error; 801 } 802 803 static u32 strhash(const void *data, u32 len, u32 seed) 804 { 805 const char * const *key = data; 806 807 return jhash(*key, strlen(*key), seed); 808 } 809 810 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj) 811 { 812 const struct aa_data *data = obj; 813 const char * const *key = arg->key; 814 815 return strcmp(data->key, *key); 816 } 817 818 /** 819 * unpack_profile - unpack a serialized profile 820 * @e: serialized data extent information (NOT NULL) 821 * @ns_name: pointer of newly allocated copy of %NULL in case of error 822 * 823 * NOTE: unpack profile sets audit struct if there is a failure 824 */ 825 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) 826 { 827 struct aa_ruleset *rules; 828 struct aa_profile *profile = NULL; 829 const char *tmpname, *tmpns = NULL, *name = NULL; 830 const char *info = "failed to unpack profile"; 831 size_t ns_len; 832 struct rhashtable_params params = { 0 }; 833 char *key = NULL; 834 struct aa_data *data; 835 int error = -EPROTO; 836 kernel_cap_t tmpcap; 837 u32 tmp; 838 839 *ns_name = NULL; 840 841 /* check that we have the right struct being passed */ 842 if (!unpack_nameX(e, AA_STRUCT, "profile")) 843 goto fail; 844 if (!unpack_str(e, &name, NULL)) 845 goto fail; 846 if (*name == '\0') 847 goto fail; 848 849 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len); 850 if (tmpns) { 851 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL); 852 if (!*ns_name) { 853 info = "out of memory"; 854 error = -ENOMEM; 855 goto fail; 856 } 857 name = tmpname; 858 } 859 860 profile = aa_alloc_profile(name, NULL, GFP_KERNEL); 861 if (!profile) { 862 info = "out of memory"; 863 error = -ENOMEM; 864 goto fail; 865 } 866 rules = list_first_entry(&profile->rules, typeof(*rules), list); 867 868 /* profile renaming is optional */ 869 (void) unpack_str(e, &profile->rename, "rename"); 870 871 /* attachment string is optional */ 872 (void) unpack_str(e, &profile->attach.xmatch_str, "attach"); 873 874 /* xmatch is optional and may be NULL */ 875 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info); 876 if (error) { 877 info = "bad xmatch"; 878 goto fail; 879 } 880 881 /* neither xmatch_len not xmatch_perms are optional if xmatch is set */ 882 if (profile->attach.xmatch.dfa) { 883 if (!unpack_u32(e, &tmp, NULL)) { 884 info = "missing xmatch len"; 885 goto fail; 886 } 887 profile->attach.xmatch_len = tmp; 888 profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START; 889 error = aa_compat_map_xmatch(&profile->attach.xmatch); 890 if (error) { 891 info = "failed to convert xmatch permission table"; 892 goto fail; 893 } 894 } 895 896 /* disconnected attachment string is optional */ 897 (void) unpack_str(e, &profile->disconnected, "disconnected"); 898 899 /* per profile debug flags (complain, audit) */ 900 if (!unpack_nameX(e, AA_STRUCT, "flags")) { 901 info = "profile missing flags"; 902 goto fail; 903 } 904 info = "failed to unpack profile flags"; 905 if (!unpack_u32(e, &tmp, NULL)) 906 goto fail; 907 if (tmp & PACKED_FLAG_HAT) 908 profile->label.flags |= FLAG_HAT; 909 if (tmp & PACKED_FLAG_DEBUG1) 910 profile->label.flags |= FLAG_DEBUG1; 911 if (tmp & PACKED_FLAG_DEBUG2) 912 profile->label.flags |= FLAG_DEBUG2; 913 if (!unpack_u32(e, &tmp, NULL)) 914 goto fail; 915 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) { 916 profile->mode = APPARMOR_COMPLAIN; 917 } else if (tmp == PACKED_MODE_ENFORCE) { 918 profile->mode = APPARMOR_ENFORCE; 919 } else if (tmp == PACKED_MODE_KILL) { 920 profile->mode = APPARMOR_KILL; 921 } else if (tmp == PACKED_MODE_UNCONFINED) { 922 profile->mode = APPARMOR_UNCONFINED; 923 profile->label.flags |= FLAG_UNCONFINED; 924 } else if (tmp == PACKED_MODE_USER) { 925 profile->mode = APPARMOR_USER; 926 } else { 927 goto fail; 928 } 929 if (!unpack_u32(e, &tmp, NULL)) 930 goto fail; 931 if (tmp) 932 profile->audit = AUDIT_ALL; 933 934 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 935 goto fail; 936 937 /* path_flags is optional */ 938 if (unpack_u32(e, &profile->path_flags, "path_flags")) 939 profile->path_flags |= profile->label.flags & 940 PATH_MEDIATE_DELETED; 941 else 942 /* set a default value if path_flags field is not present */ 943 profile->path_flags = PATH_MEDIATE_DELETED; 944 945 info = "failed to unpack profile capabilities"; 946 if (!unpack_u32(e, &(rules->caps.allow.cap[0]), NULL)) 947 goto fail; 948 if (!unpack_u32(e, &(rules->caps.audit.cap[0]), NULL)) 949 goto fail; 950 if (!unpack_u32(e, &(rules->caps.quiet.cap[0]), NULL)) 951 goto fail; 952 if (!unpack_u32(e, &tmpcap.cap[0], NULL)) 953 goto fail; 954 955 info = "failed to unpack upper profile capabilities"; 956 if (unpack_nameX(e, AA_STRUCT, "caps64")) { 957 /* optional upper half of 64 bit caps */ 958 if (!unpack_u32(e, &(rules->caps.allow.cap[1]), NULL)) 959 goto fail; 960 if (!unpack_u32(e, &(rules->caps.audit.cap[1]), NULL)) 961 goto fail; 962 if (!unpack_u32(e, &(rules->caps.quiet.cap[1]), NULL)) 963 goto fail; 964 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) 965 goto fail; 966 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 967 goto fail; 968 } 969 970 info = "failed to unpack extended profile capabilities"; 971 if (unpack_nameX(e, AA_STRUCT, "capsx")) { 972 /* optional extended caps mediation mask */ 973 if (!unpack_u32(e, &(rules->caps.extended.cap[0]), NULL)) 974 goto fail; 975 if (!unpack_u32(e, &(rules->caps.extended.cap[1]), NULL)) 976 goto fail; 977 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 978 goto fail; 979 } 980 981 if (!unpack_xattrs(e, profile)) { 982 info = "failed to unpack profile xattrs"; 983 goto fail; 984 } 985 986 if (!unpack_rlimits(e, rules)) { 987 info = "failed to unpack profile rlimits"; 988 goto fail; 989 } 990 991 if (!unpack_secmark(e, rules)) { 992 info = "failed to unpack profile secmark rules"; 993 goto fail; 994 } 995 996 if (unpack_nameX(e, AA_STRUCT, "policydb")) { 997 /* generic policy dfa - optional and may be NULL */ 998 info = "failed to unpack policydb"; 999 error = unpack_pdb(e, &rules->policy, true, false, 1000 &info); 1001 if (error) 1002 goto fail; 1003 /* Fixup: drop when we get rid of start array */ 1004 if (aa_dfa_next(rules->policy.dfa, rules->policy.start[0], 1005 AA_CLASS_FILE)) 1006 rules->policy.start[AA_CLASS_FILE] = 1007 aa_dfa_next(rules->policy.dfa, 1008 rules->policy.start[0], 1009 AA_CLASS_FILE); 1010 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 1011 goto fail; 1012 error = aa_compat_map_policy(&rules->policy, e->version); 1013 if (error) { 1014 info = "failed to remap policydb permission table"; 1015 goto fail; 1016 } 1017 } else 1018 rules->policy.dfa = aa_get_dfa(nulldfa); 1019 1020 /* get file rules */ 1021 error = unpack_pdb(e, &rules->file, false, true, &info); 1022 if (error) { 1023 goto fail; 1024 } else if (rules->file.dfa) { 1025 error = aa_compat_map_file(&rules->file); 1026 if (error) { 1027 info = "failed to remap file permission table"; 1028 goto fail; 1029 } 1030 } else if (rules->policy.dfa && 1031 rules->policy.start[AA_CLASS_FILE]) { 1032 rules->file.dfa = aa_get_dfa(rules->policy.dfa); 1033 rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE]; 1034 } else 1035 rules->file.dfa = aa_get_dfa(nulldfa); 1036 1037 error = -EPROTO; 1038 if (unpack_nameX(e, AA_STRUCT, "data")) { 1039 info = "out of memory"; 1040 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); 1041 if (!profile->data) { 1042 error = -ENOMEM; 1043 goto fail; 1044 } 1045 params.nelem_hint = 3; 1046 params.key_len = sizeof(void *); 1047 params.key_offset = offsetof(struct aa_data, key); 1048 params.head_offset = offsetof(struct aa_data, head); 1049 params.hashfn = strhash; 1050 params.obj_cmpfn = datacmp; 1051 1052 if (rhashtable_init(profile->data, ¶ms)) { 1053 info = "failed to init key, value hash table"; 1054 goto fail; 1055 } 1056 1057 while (unpack_strdup(e, &key, NULL)) { 1058 data = kzalloc(sizeof(*data), GFP_KERNEL); 1059 if (!data) { 1060 kfree_sensitive(key); 1061 error = -ENOMEM; 1062 goto fail; 1063 } 1064 1065 data->key = key; 1066 data->size = unpack_blob(e, &data->data, NULL); 1067 data->data = kvmemdup(data->data, data->size); 1068 if (data->size && !data->data) { 1069 kfree_sensitive(data->key); 1070 kfree_sensitive(data); 1071 error = -ENOMEM; 1072 goto fail; 1073 } 1074 1075 rhashtable_insert_fast(profile->data, &data->head, 1076 profile->data->p); 1077 } 1078 1079 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { 1080 info = "failed to unpack end of key, value data table"; 1081 goto fail; 1082 } 1083 } 1084 1085 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { 1086 info = "failed to unpack end of profile"; 1087 goto fail; 1088 } 1089 1090 return profile; 1091 1092 fail: 1093 if (error == 0) 1094 /* default error covers most cases */ 1095 error = -EPROTO; 1096 if (*ns_name) { 1097 kfree(*ns_name); 1098 *ns_name = NULL; 1099 } 1100 if (profile) 1101 name = NULL; 1102 else if (!name) 1103 name = "unknown"; 1104 audit_iface(profile, NULL, name, info, e, error); 1105 aa_free_profile(profile); 1106 1107 return ERR_PTR(error); 1108 } 1109 1110 /** 1111 * verify_header - unpack serialized stream header 1112 * @e: serialized data read head (NOT NULL) 1113 * @required: whether the header is required or optional 1114 * @ns: Returns - namespace if one is specified else NULL (NOT NULL) 1115 * 1116 * Returns: error or 0 if header is good 1117 */ 1118 static int verify_header(struct aa_ext *e, int required, const char **ns) 1119 { 1120 int error = -EPROTONOSUPPORT; 1121 const char *name = NULL; 1122 *ns = NULL; 1123 1124 /* get the interface version */ 1125 if (!unpack_u32(e, &e->version, "version")) { 1126 if (required) { 1127 audit_iface(NULL, NULL, NULL, "invalid profile format", 1128 e, error); 1129 return error; 1130 } 1131 } 1132 1133 /* Check that the interface version is currently supported. 1134 * if not specified use previous version 1135 * Mask off everything that is not kernel abi version 1136 */ 1137 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) { 1138 audit_iface(NULL, NULL, NULL, "unsupported interface version", 1139 e, error); 1140 return error; 1141 } 1142 1143 /* read the namespace if present */ 1144 if (unpack_str(e, &name, "namespace")) { 1145 if (*name == '\0') { 1146 audit_iface(NULL, NULL, NULL, "invalid namespace name", 1147 e, error); 1148 return error; 1149 } 1150 if (*ns && strcmp(*ns, name)) { 1151 audit_iface(NULL, NULL, NULL, "invalid ns change", e, 1152 error); 1153 } else if (!*ns) { 1154 *ns = kstrdup(name, GFP_KERNEL); 1155 if (!*ns) 1156 return -ENOMEM; 1157 } 1158 } 1159 1160 return 0; 1161 } 1162 1163 static bool verify_xindex(int xindex, int table_size) 1164 { 1165 int index, xtype; 1166 xtype = xindex & AA_X_TYPE_MASK; 1167 index = xindex & AA_X_INDEX_MASK; 1168 if (xtype == AA_X_TABLE && index >= table_size) 1169 return false; 1170 return true; 1171 } 1172 1173 /* verify dfa xindexes are in range of transition tables */ 1174 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) 1175 { 1176 int i; 1177 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 1178 if (!verify_xindex(ACCEPT_TABLE(dfa)[i], table_size)) 1179 return false; 1180 } 1181 return true; 1182 } 1183 1184 static bool verify_perm(struct aa_perms *perm) 1185 { 1186 /* TODO: allow option to just force the perms into a valid state */ 1187 if (perm->allow & perm->deny) 1188 return false; 1189 if (perm->subtree & ~perm->allow) 1190 return false; 1191 if (perm->cond & (perm->allow | perm->deny)) 1192 return false; 1193 if (perm->kill & perm->allow) 1194 return false; 1195 if (perm->complain & (perm->allow | perm->deny)) 1196 return false; 1197 if (perm->prompt & (perm->allow | perm->deny)) 1198 return false; 1199 if (perm->complain & perm->prompt) 1200 return false; 1201 if (perm->hide & perm->allow) 1202 return false; 1203 1204 return true; 1205 } 1206 1207 static bool verify_perms(struct aa_policydb *pdb) 1208 { 1209 int i; 1210 1211 for (i = 0; i < pdb->size; i++) { 1212 if (!verify_perm(&pdb->perms[i])) 1213 return false; 1214 /* verify indexes into str table */ 1215 if (pdb->perms[i].xindex >= pdb->trans.size) 1216 return false; 1217 if (pdb->perms[i].tag >= pdb->trans.size) 1218 return false; 1219 if (pdb->perms[i].label >= pdb->trans.size) 1220 return false; 1221 } 1222 1223 return true; 1224 } 1225 1226 /** 1227 * verify_profile - Do post unpack analysis to verify profile consistency 1228 * @profile: profile to verify (NOT NULL) 1229 * 1230 * Returns: 0 if passes verification else error 1231 * 1232 * This verification is post any unpack mapping or changes 1233 */ 1234 static int verify_profile(struct aa_profile *profile) 1235 { 1236 struct aa_ruleset *rules = list_first_entry(&profile->rules, 1237 typeof(*rules), list); 1238 if (!rules) 1239 return 0; 1240 1241 if ((rules->file.dfa && !verify_dfa_xindex(rules->file.dfa, 1242 rules->file.trans.size)) || 1243 (rules->policy.dfa && 1244 !verify_dfa_xindex(rules->policy.dfa, rules->policy.trans.size))) { 1245 audit_iface(profile, NULL, NULL, 1246 "Unpack: Invalid named transition", NULL, -EPROTO); 1247 return -EPROTO; 1248 } 1249 1250 if (!verify_perms(&rules->file)) { 1251 audit_iface(profile, NULL, NULL, 1252 "Unpack: Invalid perm index", NULL, -EPROTO); 1253 return -EPROTO; 1254 } 1255 if (!verify_perms(&rules->policy)) { 1256 audit_iface(profile, NULL, NULL, 1257 "Unpack: Invalid perm index", NULL, -EPROTO); 1258 return -EPROTO; 1259 } 1260 if (!verify_perms(&profile->attach.xmatch)) { 1261 audit_iface(profile, NULL, NULL, 1262 "Unpack: Invalid perm index", NULL, -EPROTO); 1263 return -EPROTO; 1264 } 1265 1266 return 0; 1267 } 1268 1269 void aa_load_ent_free(struct aa_load_ent *ent) 1270 { 1271 if (ent) { 1272 aa_put_profile(ent->rename); 1273 aa_put_profile(ent->old); 1274 aa_put_profile(ent->new); 1275 kfree(ent->ns_name); 1276 kfree_sensitive(ent); 1277 } 1278 } 1279 1280 struct aa_load_ent *aa_load_ent_alloc(void) 1281 { 1282 struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL); 1283 if (ent) 1284 INIT_LIST_HEAD(&ent->list); 1285 return ent; 1286 } 1287 1288 static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen) 1289 { 1290 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1291 const zstd_parameters params = 1292 zstd_get_params(aa_g_rawdata_compression_level, slen); 1293 const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams); 1294 void *wksp = NULL; 1295 zstd_cctx *ctx = NULL; 1296 size_t out_len = zstd_compress_bound(slen); 1297 void *out = NULL; 1298 int ret = 0; 1299 1300 out = kvzalloc(out_len, GFP_KERNEL); 1301 if (!out) { 1302 ret = -ENOMEM; 1303 goto cleanup; 1304 } 1305 1306 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1307 if (!wksp) { 1308 ret = -ENOMEM; 1309 goto cleanup; 1310 } 1311 1312 ctx = zstd_init_cctx(wksp, wksp_len); 1313 if (!ctx) { 1314 ret = -EINVAL; 1315 goto cleanup; 1316 } 1317 1318 out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms); 1319 if (zstd_is_error(out_len) || out_len >= slen) { 1320 ret = -EINVAL; 1321 goto cleanup; 1322 } 1323 1324 if (is_vmalloc_addr(out)) { 1325 *dst = kvzalloc(out_len, GFP_KERNEL); 1326 if (*dst) { 1327 memcpy(*dst, out, out_len); 1328 kvfree(out); 1329 out = NULL; 1330 } 1331 } else { 1332 /* 1333 * If the staging buffer was kmalloc'd, then using krealloc is 1334 * probably going to be faster. The destination buffer will 1335 * always be smaller, so it's just shrunk, avoiding a memcpy 1336 */ 1337 *dst = krealloc(out, out_len, GFP_KERNEL); 1338 } 1339 1340 if (!*dst) { 1341 ret = -ENOMEM; 1342 goto cleanup; 1343 } 1344 1345 *dlen = out_len; 1346 1347 cleanup: 1348 if (ret) { 1349 kvfree(out); 1350 *dst = NULL; 1351 } 1352 1353 kvfree(wksp); 1354 return ret; 1355 #else 1356 *dlen = slen; 1357 return 0; 1358 #endif 1359 } 1360 1361 static int compress_loaddata(struct aa_loaddata *data) 1362 { 1363 AA_BUG(data->compressed_size > 0); 1364 1365 /* 1366 * Shortcut the no compression case, else we increase the amount of 1367 * storage required by a small amount 1368 */ 1369 if (aa_g_rawdata_compression_level != 0) { 1370 void *udata = data->data; 1371 int error = compress_zstd(udata, data->size, &data->data, 1372 &data->compressed_size); 1373 if (error) { 1374 data->compressed_size = data->size; 1375 return error; 1376 } 1377 if (udata != data->data) 1378 kvfree(udata); 1379 } else 1380 data->compressed_size = data->size; 1381 1382 return 0; 1383 } 1384 1385 /** 1386 * aa_unpack - unpack packed binary profile(s) data loaded from user space 1387 * @udata: user data copied to kmem (NOT NULL) 1388 * @lh: list to place unpacked profiles in a aa_repl_ws 1389 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) 1390 * 1391 * Unpack user data and return refcounted allocated profile(s) stored in 1392 * @lh in order of discovery, with the list chain stored in base.list 1393 * or error 1394 * 1395 * Returns: profile(s) on @lh else error pointer if fails to unpack 1396 */ 1397 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, 1398 const char **ns) 1399 { 1400 struct aa_load_ent *tmp, *ent; 1401 struct aa_profile *profile = NULL; 1402 char *ns_name = NULL; 1403 int error; 1404 struct aa_ext e = { 1405 .start = udata->data, 1406 .end = udata->data + udata->size, 1407 .pos = udata->data, 1408 }; 1409 1410 *ns = NULL; 1411 while (e.pos < e.end) { 1412 void *start; 1413 error = verify_header(&e, e.pos == e.start, ns); 1414 if (error) 1415 goto fail; 1416 1417 start = e.pos; 1418 profile = unpack_profile(&e, &ns_name); 1419 if (IS_ERR(profile)) { 1420 error = PTR_ERR(profile); 1421 goto fail; 1422 } 1423 1424 error = verify_profile(profile); 1425 if (error) 1426 goto fail_profile; 1427 1428 if (aa_g_hash_policy) 1429 error = aa_calc_profile_hash(profile, e.version, start, 1430 e.pos - start); 1431 if (error) 1432 goto fail_profile; 1433 1434 ent = aa_load_ent_alloc(); 1435 if (!ent) { 1436 error = -ENOMEM; 1437 goto fail_profile; 1438 } 1439 1440 ent->new = profile; 1441 ent->ns_name = ns_name; 1442 ns_name = NULL; 1443 list_add_tail(&ent->list, lh); 1444 } 1445 udata->abi = e.version & K_ABI_MASK; 1446 if (aa_g_hash_policy) { 1447 udata->hash = aa_calc_hash(udata->data, udata->size); 1448 if (IS_ERR(udata->hash)) { 1449 error = PTR_ERR(udata->hash); 1450 udata->hash = NULL; 1451 goto fail; 1452 } 1453 } 1454 1455 if (aa_g_export_binary) { 1456 error = compress_loaddata(udata); 1457 if (error) 1458 goto fail; 1459 } 1460 return 0; 1461 1462 fail_profile: 1463 kfree(ns_name); 1464 aa_put_profile(profile); 1465 1466 fail: 1467 list_for_each_entry_safe(ent, tmp, lh, list) { 1468 list_del_init(&ent->list); 1469 aa_load_ent_free(ent); 1470 } 1471 1472 return error; 1473 } 1474 1475 #ifdef CONFIG_SECURITY_APPARMOR_KUNIT_TEST 1476 #include "policy_unpack_test.c" 1477 #endif /* CONFIG_SECURITY_APPARMOR_KUNIT_TEST */ 1478