1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor functions for unpacking policy loaded from 5 * userspace. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * AppArmor uses a serialized binary format for loading policy. To find 16 * policy format documentation look in Documentation/security/apparmor.txt 17 * All policy is validated before it is used. 18 */ 19 20 #include <asm/unaligned.h> 21 #include <linux/ctype.h> 22 #include <linux/errno.h> 23 24 #include "include/apparmor.h" 25 #include "include/audit.h" 26 #include "include/context.h" 27 #include "include/match.h" 28 #include "include/policy.h" 29 #include "include/policy_unpack.h" 30 31 /* 32 * The AppArmor interface treats data as a type byte followed by the 33 * actual data. The interface has the notion of a a named entry 34 * which has a name (AA_NAME typecode followed by name string) followed by 35 * the entries typecode and data. Named types allow for optional 36 * elements and extensions to be added and tested for without breaking 37 * backwards compatibility. 38 */ 39 40 enum aa_code { 41 AA_U8, 42 AA_U16, 43 AA_U32, 44 AA_U64, 45 AA_NAME, /* same as string except it is items name */ 46 AA_STRING, 47 AA_BLOB, 48 AA_STRUCT, 49 AA_STRUCTEND, 50 AA_LIST, 51 AA_LISTEND, 52 AA_ARRAY, 53 AA_ARRAYEND, 54 }; 55 56 /* 57 * aa_ext is the read of the buffer containing the serialized profile. The 58 * data is copied into a kernel buffer in apparmorfs and then handed off to 59 * the unpack routines. 60 */ 61 struct aa_ext { 62 void *start; 63 void *end; 64 void *pos; /* pointer to current position in the buffer */ 65 u32 version; 66 }; 67 68 /* audit callback for unpack fields */ 69 static void audit_cb(struct audit_buffer *ab, void *va) 70 { 71 struct common_audit_data *sa = va; 72 if (sa->aad->iface.target) { 73 struct aa_profile *name = sa->aad->iface.target; 74 audit_log_format(ab, " name="); 75 audit_log_untrustedstring(ab, name->base.hname); 76 } 77 if (sa->aad->iface.pos) 78 audit_log_format(ab, " offset=%ld", sa->aad->iface.pos); 79 } 80 81 /** 82 * audit_iface - do audit message for policy unpacking/load/replace/remove 83 * @new: profile if it has been allocated (MAYBE NULL) 84 * @name: name of the profile being manipulated (MAYBE NULL) 85 * @info: any extra info about the failure (MAYBE NULL) 86 * @e: buffer position info 87 * @error: error code 88 * 89 * Returns: %0 or error 90 */ 91 static int audit_iface(struct aa_profile *new, const char *name, 92 const char *info, struct aa_ext *e, int error) 93 { 94 struct aa_profile *profile = __aa_current_profile(); 95 struct common_audit_data sa; 96 struct apparmor_audit_data aad = {0,}; 97 sa.type = LSM_AUDIT_DATA_NONE; 98 sa.aad = &aad; 99 if (e) 100 aad.iface.pos = e->pos - e->start; 101 aad.iface.target = new; 102 aad.name = name; 103 aad.info = info; 104 aad.error = error; 105 106 return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, 107 audit_cb); 108 } 109 110 /* test if read will be in packed data bounds */ 111 static bool inbounds(struct aa_ext *e, size_t size) 112 { 113 return (size <= e->end - e->pos); 114 } 115 116 /** 117 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk 118 * @e: serialized data read head (NOT NULL) 119 * @chunk: start address for chunk of data (NOT NULL) 120 * 121 * Returns: the size of chunk found with the read head at the end of the chunk. 122 */ 123 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) 124 { 125 size_t size = 0; 126 127 if (!inbounds(e, sizeof(u16))) 128 return 0; 129 size = le16_to_cpu(get_unaligned((u16 *) e->pos)); 130 e->pos += sizeof(u16); 131 if (!inbounds(e, size)) 132 return 0; 133 *chunk = e->pos; 134 e->pos += size; 135 return size; 136 } 137 138 /* unpack control byte */ 139 static bool unpack_X(struct aa_ext *e, enum aa_code code) 140 { 141 if (!inbounds(e, 1)) 142 return 0; 143 if (*(u8 *) e->pos != code) 144 return 0; 145 e->pos++; 146 return 1; 147 } 148 149 /** 150 * unpack_nameX - check is the next element is of type X with a name of @name 151 * @e: serialized data extent information (NOT NULL) 152 * @code: type code 153 * @name: name to match to the serialized element. (MAYBE NULL) 154 * 155 * check that the next serialized data element is of type X and has a tag 156 * name @name. If @name is specified then there must be a matching 157 * name element in the stream. If @name is NULL any name element will be 158 * skipped and only the typecode will be tested. 159 * 160 * Returns 1 on success (both type code and name tests match) and the read 161 * head is advanced past the headers 162 * 163 * Returns: 0 if either match fails, the read head does not move 164 */ 165 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) 166 { 167 /* 168 * May need to reset pos if name or type doesn't match 169 */ 170 void *pos = e->pos; 171 /* 172 * Check for presence of a tagname, and if present name size 173 * AA_NAME tag value is a u16. 174 */ 175 if (unpack_X(e, AA_NAME)) { 176 char *tag = NULL; 177 size_t size = unpack_u16_chunk(e, &tag); 178 /* if a name is specified it must match. otherwise skip tag */ 179 if (name && (!size || strcmp(name, tag))) 180 goto fail; 181 } else if (name) { 182 /* if a name is specified and there is no name tag fail */ 183 goto fail; 184 } 185 186 /* now check if type code matches */ 187 if (unpack_X(e, code)) 188 return 1; 189 190 fail: 191 e->pos = pos; 192 return 0; 193 } 194 195 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) 196 { 197 if (unpack_nameX(e, AA_U32, name)) { 198 if (!inbounds(e, sizeof(u32))) 199 return 0; 200 if (data) 201 *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); 202 e->pos += sizeof(u32); 203 return 1; 204 } 205 return 0; 206 } 207 208 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) 209 { 210 if (unpack_nameX(e, AA_U64, name)) { 211 if (!inbounds(e, sizeof(u64))) 212 return 0; 213 if (data) 214 *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); 215 e->pos += sizeof(u64); 216 return 1; 217 } 218 return 0; 219 } 220 221 static size_t unpack_array(struct aa_ext *e, const char *name) 222 { 223 if (unpack_nameX(e, AA_ARRAY, name)) { 224 int size; 225 if (!inbounds(e, sizeof(u16))) 226 return 0; 227 size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); 228 e->pos += sizeof(u16); 229 return size; 230 } 231 return 0; 232 } 233 234 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) 235 { 236 if (unpack_nameX(e, AA_BLOB, name)) { 237 u32 size; 238 if (!inbounds(e, sizeof(u32))) 239 return 0; 240 size = le32_to_cpu(get_unaligned((u32 *) e->pos)); 241 e->pos += sizeof(u32); 242 if (inbounds(e, (size_t) size)) { 243 *blob = e->pos; 244 e->pos += size; 245 return size; 246 } 247 } 248 return 0; 249 } 250 251 static int unpack_str(struct aa_ext *e, const char **string, const char *name) 252 { 253 char *src_str; 254 size_t size = 0; 255 void *pos = e->pos; 256 *string = NULL; 257 if (unpack_nameX(e, AA_STRING, name)) { 258 size = unpack_u16_chunk(e, &src_str); 259 if (size) { 260 /* strings are null terminated, length is size - 1 */ 261 if (src_str[size - 1] != 0) 262 goto fail; 263 *string = src_str; 264 } 265 } 266 return size; 267 268 fail: 269 e->pos = pos; 270 return 0; 271 } 272 273 static int unpack_strdup(struct aa_ext *e, char **string, const char *name) 274 { 275 const char *tmp; 276 void *pos = e->pos; 277 int res = unpack_str(e, &tmp, name); 278 *string = NULL; 279 280 if (!res) 281 return 0; 282 283 *string = kmemdup(tmp, res, GFP_KERNEL); 284 if (!*string) { 285 e->pos = pos; 286 return 0; 287 } 288 289 return res; 290 } 291 292 #define DFA_VALID_PERM_MASK 0xffffffff 293 #define DFA_VALID_PERM2_MASK 0xffffffff 294 295 /** 296 * verify_accept - verify the accept tables of a dfa 297 * @dfa: dfa to verify accept tables of (NOT NULL) 298 * @flags: flags governing dfa 299 * 300 * Returns: 1 if valid accept tables else 0 if error 301 */ 302 static bool verify_accept(struct aa_dfa *dfa, int flags) 303 { 304 int i; 305 306 /* verify accept permissions */ 307 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 308 int mode = ACCEPT_TABLE(dfa)[i]; 309 310 if (mode & ~DFA_VALID_PERM_MASK) 311 return 0; 312 313 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) 314 return 0; 315 } 316 return 1; 317 } 318 319 /** 320 * unpack_dfa - unpack a file rule dfa 321 * @e: serialized data extent information (NOT NULL) 322 * 323 * returns dfa or ERR_PTR or NULL if no dfa 324 */ 325 static struct aa_dfa *unpack_dfa(struct aa_ext *e) 326 { 327 char *blob = NULL; 328 size_t size; 329 struct aa_dfa *dfa = NULL; 330 331 size = unpack_blob(e, &blob, "aadfa"); 332 if (size) { 333 /* 334 * The dfa is aligned with in the blob to 8 bytes 335 * from the beginning of the stream. 336 * alignment adjust needed by dfa unpack 337 */ 338 size_t sz = blob - (char *) e->start - 339 ((e->pos - e->start) & 7); 340 size_t pad = ALIGN(sz, 8) - sz; 341 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | 342 TO_ACCEPT2_FLAG(YYTD_DATA32); 343 344 345 if (aa_g_paranoid_load) 346 flags |= DFA_FLAG_VERIFY_STATES; 347 348 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); 349 350 if (IS_ERR(dfa)) 351 return dfa; 352 353 if (!verify_accept(dfa, flags)) 354 goto fail; 355 } 356 357 return dfa; 358 359 fail: 360 aa_put_dfa(dfa); 361 return ERR_PTR(-EPROTO); 362 } 363 364 /** 365 * unpack_trans_table - unpack a profile transition table 366 * @e: serialized data extent information (NOT NULL) 367 * @profile: profile to add the accept table to (NOT NULL) 368 * 369 * Returns: 1 if table successfully unpacked 370 */ 371 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) 372 { 373 void *pos = e->pos; 374 375 /* exec table is optional */ 376 if (unpack_nameX(e, AA_STRUCT, "xtable")) { 377 int i, size; 378 379 size = unpack_array(e, NULL); 380 /* currently 4 exec bits and entries 0-3 are reserved iupcx */ 381 if (size > 16 - 4) 382 goto fail; 383 profile->file.trans.table = kzalloc(sizeof(char *) * size, 384 GFP_KERNEL); 385 if (!profile->file.trans.table) 386 goto fail; 387 388 profile->file.trans.size = size; 389 for (i = 0; i < size; i++) { 390 char *str; 391 int c, j, size2 = unpack_strdup(e, &str, NULL); 392 /* unpack_strdup verifies that the last character is 393 * null termination byte. 394 */ 395 if (!size2) 396 goto fail; 397 profile->file.trans.table[i] = str; 398 /* verify that name doesn't start with space */ 399 if (isspace(*str)) 400 goto fail; 401 402 /* count internal # of internal \0 */ 403 for (c = j = 0; j < size2 - 2; j++) { 404 if (!str[j]) 405 c++; 406 } 407 if (*str == ':') { 408 /* beginning with : requires an embedded \0, 409 * verify that exactly 1 internal \0 exists 410 * trailing \0 already verified by unpack_strdup 411 */ 412 if (c != 1) 413 goto fail; 414 /* first character after : must be valid */ 415 if (!str[1]) 416 goto fail; 417 } else if (c) 418 /* fail - all other cases with embedded \0 */ 419 goto fail; 420 } 421 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 422 goto fail; 423 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 424 goto fail; 425 } 426 return 1; 427 428 fail: 429 aa_free_domain_entries(&profile->file.trans); 430 e->pos = pos; 431 return 0; 432 } 433 434 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) 435 { 436 void *pos = e->pos; 437 438 /* rlimits are optional */ 439 if (unpack_nameX(e, AA_STRUCT, "rlimits")) { 440 int i, size; 441 u32 tmp = 0; 442 if (!unpack_u32(e, &tmp, NULL)) 443 goto fail; 444 profile->rlimits.mask = tmp; 445 446 size = unpack_array(e, NULL); 447 if (size > RLIM_NLIMITS) 448 goto fail; 449 for (i = 0; i < size; i++) { 450 u64 tmp2 = 0; 451 int a = aa_map_resource(i); 452 if (!unpack_u64(e, &tmp2, NULL)) 453 goto fail; 454 profile->rlimits.limits[a].rlim_max = tmp2; 455 } 456 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 457 goto fail; 458 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 459 goto fail; 460 } 461 return 1; 462 463 fail: 464 e->pos = pos; 465 return 0; 466 } 467 468 /** 469 * unpack_profile - unpack a serialized profile 470 * @e: serialized data extent information (NOT NULL) 471 * 472 * NOTE: unpack profile sets audit struct if there is a failure 473 */ 474 static struct aa_profile *unpack_profile(struct aa_ext *e) 475 { 476 struct aa_profile *profile = NULL; 477 const char *name = NULL; 478 int i, error = -EPROTO; 479 kernel_cap_t tmpcap; 480 u32 tmp; 481 482 /* check that we have the right struct being passed */ 483 if (!unpack_nameX(e, AA_STRUCT, "profile")) 484 goto fail; 485 if (!unpack_str(e, &name, NULL)) 486 goto fail; 487 488 profile = aa_alloc_profile(name); 489 if (!profile) 490 return ERR_PTR(-ENOMEM); 491 492 /* profile renaming is optional */ 493 (void) unpack_str(e, &profile->rename, "rename"); 494 495 /* attachment string is optional */ 496 (void) unpack_str(e, &profile->attach, "attach"); 497 498 /* xmatch is optional and may be NULL */ 499 profile->xmatch = unpack_dfa(e); 500 if (IS_ERR(profile->xmatch)) { 501 error = PTR_ERR(profile->xmatch); 502 profile->xmatch = NULL; 503 goto fail; 504 } 505 /* xmatch_len is not optional if xmatch is set */ 506 if (profile->xmatch) { 507 if (!unpack_u32(e, &tmp, NULL)) 508 goto fail; 509 profile->xmatch_len = tmp; 510 } 511 512 /* per profile debug flags (complain, audit) */ 513 if (!unpack_nameX(e, AA_STRUCT, "flags")) 514 goto fail; 515 if (!unpack_u32(e, &tmp, NULL)) 516 goto fail; 517 if (tmp & PACKED_FLAG_HAT) 518 profile->flags |= PFLAG_HAT; 519 if (!unpack_u32(e, &tmp, NULL)) 520 goto fail; 521 if (tmp == PACKED_MODE_COMPLAIN) 522 profile->mode = APPARMOR_COMPLAIN; 523 else if (tmp == PACKED_MODE_KILL) 524 profile->mode = APPARMOR_KILL; 525 else if (tmp == PACKED_MODE_UNCONFINED) 526 profile->mode = APPARMOR_UNCONFINED; 527 if (!unpack_u32(e, &tmp, NULL)) 528 goto fail; 529 if (tmp) 530 profile->audit = AUDIT_ALL; 531 532 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 533 goto fail; 534 535 /* path_flags is optional */ 536 if (unpack_u32(e, &profile->path_flags, "path_flags")) 537 profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; 538 else 539 /* set a default value if path_flags field is not present */ 540 profile->path_flags = PFLAG_MEDIATE_DELETED; 541 542 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) 543 goto fail; 544 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) 545 goto fail; 546 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) 547 goto fail; 548 if (!unpack_u32(e, &tmpcap.cap[0], NULL)) 549 goto fail; 550 551 if (unpack_nameX(e, AA_STRUCT, "caps64")) { 552 /* optional upper half of 64 bit caps */ 553 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) 554 goto fail; 555 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) 556 goto fail; 557 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) 558 goto fail; 559 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) 560 goto fail; 561 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 562 goto fail; 563 } 564 565 if (unpack_nameX(e, AA_STRUCT, "capsx")) { 566 /* optional extended caps mediation mask */ 567 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) 568 goto fail; 569 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) 570 goto fail; 571 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 572 goto fail; 573 } 574 575 if (!unpack_rlimits(e, profile)) 576 goto fail; 577 578 if (unpack_nameX(e, AA_STRUCT, "policydb")) { 579 /* generic policy dfa - optional and may be NULL */ 580 profile->policy.dfa = unpack_dfa(e); 581 if (IS_ERR(profile->policy.dfa)) { 582 error = PTR_ERR(profile->policy.dfa); 583 profile->policy.dfa = NULL; 584 goto fail; 585 } 586 if (!unpack_u32(e, &profile->policy.start[0], "start")) 587 /* default start state */ 588 profile->policy.start[0] = DFA_START; 589 /* setup class index */ 590 for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { 591 profile->policy.start[i] = 592 aa_dfa_next(profile->policy.dfa, 593 profile->policy.start[0], 594 i); 595 } 596 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 597 goto fail; 598 } 599 600 /* get file rules */ 601 profile->file.dfa = unpack_dfa(e); 602 if (IS_ERR(profile->file.dfa)) { 603 error = PTR_ERR(profile->file.dfa); 604 profile->file.dfa = NULL; 605 goto fail; 606 } 607 608 if (!unpack_u32(e, &profile->file.start, "dfa_start")) 609 /* default start state */ 610 profile->file.start = DFA_START; 611 612 if (!unpack_trans_table(e, profile)) 613 goto fail; 614 615 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 616 goto fail; 617 618 return profile; 619 620 fail: 621 if (profile) 622 name = NULL; 623 else if (!name) 624 name = "unknown"; 625 audit_iface(profile, name, "failed to unpack profile", e, error); 626 aa_free_profile(profile); 627 628 return ERR_PTR(error); 629 } 630 631 /** 632 * verify_head - unpack serialized stream header 633 * @e: serialized data read head (NOT NULL) 634 * @required: whether the header is required or optional 635 * @ns: Returns - namespace if one is specified else NULL (NOT NULL) 636 * 637 * Returns: error or 0 if header is good 638 */ 639 static int verify_header(struct aa_ext *e, int required, const char **ns) 640 { 641 int error = -EPROTONOSUPPORT; 642 const char *name = NULL; 643 *ns = NULL; 644 645 /* get the interface version */ 646 if (!unpack_u32(e, &e->version, "version")) { 647 if (required) { 648 audit_iface(NULL, NULL, "invalid profile format", e, 649 error); 650 return error; 651 } 652 653 /* check that the interface version is currently supported */ 654 if (e->version != 5) { 655 audit_iface(NULL, NULL, "unsupported interface version", 656 e, error); 657 return error; 658 } 659 } 660 661 662 /* read the namespace if present */ 663 if (unpack_str(e, &name, "namespace")) { 664 if (*ns && strcmp(*ns, name)) 665 audit_iface(NULL, NULL, "invalid ns change", e, error); 666 else if (!*ns) 667 *ns = name; 668 } 669 670 return 0; 671 } 672 673 static bool verify_xindex(int xindex, int table_size) 674 { 675 int index, xtype; 676 xtype = xindex & AA_X_TYPE_MASK; 677 index = xindex & AA_X_INDEX_MASK; 678 if (xtype == AA_X_TABLE && index > table_size) 679 return 0; 680 return 1; 681 } 682 683 /* verify dfa xindexes are in range of transition tables */ 684 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) 685 { 686 int i; 687 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 688 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) 689 return 0; 690 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) 691 return 0; 692 } 693 return 1; 694 } 695 696 /** 697 * verify_profile - Do post unpack analysis to verify profile consistency 698 * @profile: profile to verify (NOT NULL) 699 * 700 * Returns: 0 if passes verification else error 701 */ 702 static int verify_profile(struct aa_profile *profile) 703 { 704 if (aa_g_paranoid_load) { 705 if (profile->file.dfa && 706 !verify_dfa_xindex(profile->file.dfa, 707 profile->file.trans.size)) { 708 audit_iface(profile, NULL, "Invalid named transition", 709 NULL, -EPROTO); 710 return -EPROTO; 711 } 712 } 713 714 return 0; 715 } 716 717 void aa_load_ent_free(struct aa_load_ent *ent) 718 { 719 if (ent) { 720 aa_put_profile(ent->rename); 721 aa_put_profile(ent->old); 722 aa_put_profile(ent->new); 723 kzfree(ent); 724 } 725 } 726 727 struct aa_load_ent *aa_load_ent_alloc(void) 728 { 729 struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL); 730 if (ent) 731 INIT_LIST_HEAD(&ent->list); 732 return ent; 733 } 734 735 /** 736 * aa_unpack - unpack packed binary profile(s) data loaded from user space 737 * @udata: user data copied to kmem (NOT NULL) 738 * @size: the size of the user data 739 * @lh: list to place unpacked profiles in a aa_repl_ws 740 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) 741 * 742 * Unpack user data and return refcounted allocated profile(s) stored in 743 * @lh in order of discovery, with the list chain stored in base.list 744 * or error 745 * 746 * Returns: profile(s) on @lh else error pointer if fails to unpack 747 */ 748 int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns) 749 { 750 struct aa_load_ent *tmp, *ent; 751 struct aa_profile *profile = NULL; 752 int error; 753 struct aa_ext e = { 754 .start = udata, 755 .end = udata + size, 756 .pos = udata, 757 }; 758 759 *ns = NULL; 760 while (e.pos < e.end) { 761 error = verify_header(&e, e.pos == e.start, ns); 762 if (error) 763 goto fail; 764 765 profile = unpack_profile(&e); 766 if (IS_ERR(profile)) { 767 error = PTR_ERR(profile); 768 goto fail; 769 } 770 771 error = verify_profile(profile); 772 if (error) { 773 aa_free_profile(profile); 774 goto fail; 775 } 776 777 ent = aa_load_ent_alloc(); 778 if (!ent) { 779 error = -ENOMEM; 780 aa_put_profile(profile); 781 goto fail; 782 } 783 784 ent->new = profile; 785 list_add_tail(&ent->list, lh); 786 } 787 788 return 0; 789 790 fail: 791 list_for_each_entry_safe(ent, tmp, lh, list) { 792 list_del_init(&ent->list); 793 aa_load_ent_free(ent); 794 } 795 796 return error; 797 } 798