1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor functions for unpacking policy loaded from 5 * userspace. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * AppArmor uses a serialized binary format for loading policy. To find 16 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst 17 * All policy is validated before it is used. 18 */ 19 20 #include <asm/unaligned.h> 21 #include <linux/ctype.h> 22 #include <linux/errno.h> 23 24 #include "include/apparmor.h" 25 #include "include/audit.h" 26 #include "include/cred.h" 27 #include "include/crypto.h" 28 #include "include/match.h" 29 #include "include/path.h" 30 #include "include/policy.h" 31 #include "include/policy_unpack.h" 32 33 #define K_ABI_MASK 0x3ff 34 #define FORCE_COMPLAIN_FLAG 0x800 35 #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK)) 36 #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK)) 37 38 #define v5 5 /* base version */ 39 #define v6 6 /* per entry policydb mediation check */ 40 #define v7 7 /* full network masking */ 41 42 /* 43 * The AppArmor interface treats data as a type byte followed by the 44 * actual data. The interface has the notion of a a named entry 45 * which has a name (AA_NAME typecode followed by name string) followed by 46 * the entries typecode and data. Named types allow for optional 47 * elements and extensions to be added and tested for without breaking 48 * backwards compatibility. 49 */ 50 51 enum aa_code { 52 AA_U8, 53 AA_U16, 54 AA_U32, 55 AA_U64, 56 AA_NAME, /* same as string except it is items name */ 57 AA_STRING, 58 AA_BLOB, 59 AA_STRUCT, 60 AA_STRUCTEND, 61 AA_LIST, 62 AA_LISTEND, 63 AA_ARRAY, 64 AA_ARRAYEND, 65 }; 66 67 /* 68 * aa_ext is the read of the buffer containing the serialized profile. The 69 * data is copied into a kernel buffer in apparmorfs and then handed off to 70 * the unpack routines. 71 */ 72 struct aa_ext { 73 void *start; 74 void *end; 75 void *pos; /* pointer to current position in the buffer */ 76 u32 version; 77 }; 78 79 /* audit callback for unpack fields */ 80 static void audit_cb(struct audit_buffer *ab, void *va) 81 { 82 struct common_audit_data *sa = va; 83 84 if (aad(sa)->iface.ns) { 85 audit_log_format(ab, " ns="); 86 audit_log_untrustedstring(ab, aad(sa)->iface.ns); 87 } 88 if (aad(sa)->name) { 89 audit_log_format(ab, " name="); 90 audit_log_untrustedstring(ab, aad(sa)->name); 91 } 92 if (aad(sa)->iface.pos) 93 audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos); 94 } 95 96 /** 97 * audit_iface - do audit message for policy unpacking/load/replace/remove 98 * @new: profile if it has been allocated (MAYBE NULL) 99 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL) 100 * @name: name of the profile being manipulated (MAYBE NULL) 101 * @info: any extra info about the failure (MAYBE NULL) 102 * @e: buffer position info 103 * @error: error code 104 * 105 * Returns: %0 or error 106 */ 107 static int audit_iface(struct aa_profile *new, const char *ns_name, 108 const char *name, const char *info, struct aa_ext *e, 109 int error) 110 { 111 struct aa_profile *profile = labels_profile(aa_current_raw_label()); 112 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL); 113 if (e) 114 aad(&sa)->iface.pos = e->pos - e->start; 115 aad(&sa)->iface.ns = ns_name; 116 if (new) 117 aad(&sa)->name = new->base.hname; 118 else 119 aad(&sa)->name = name; 120 aad(&sa)->info = info; 121 aad(&sa)->error = error; 122 123 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); 124 } 125 126 void __aa_loaddata_update(struct aa_loaddata *data, long revision) 127 { 128 AA_BUG(!data); 129 AA_BUG(!data->ns); 130 AA_BUG(!data->dents[AAFS_LOADDATA_REVISION]); 131 AA_BUG(!mutex_is_locked(&data->ns->lock)); 132 AA_BUG(data->revision > revision); 133 134 data->revision = revision; 135 d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime = 136 current_time(d_inode(data->dents[AAFS_LOADDATA_DIR])); 137 d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime = 138 current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION])); 139 } 140 141 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r) 142 { 143 if (l->size != r->size) 144 return false; 145 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) 146 return false; 147 return memcmp(l->data, r->data, r->size) == 0; 148 } 149 150 /* 151 * need to take the ns mutex lock which is NOT safe most places that 152 * put_loaddata is called, so we have to delay freeing it 153 */ 154 static void do_loaddata_free(struct work_struct *work) 155 { 156 struct aa_loaddata *d = container_of(work, struct aa_loaddata, work); 157 struct aa_ns *ns = aa_get_ns(d->ns); 158 159 if (ns) { 160 mutex_lock_nested(&ns->lock, ns->level); 161 __aa_fs_remove_rawdata(d); 162 mutex_unlock(&ns->lock); 163 aa_put_ns(ns); 164 } 165 166 kzfree(d->hash); 167 kzfree(d->name); 168 kvfree(d->data); 169 kzfree(d); 170 } 171 172 void aa_loaddata_kref(struct kref *kref) 173 { 174 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); 175 176 if (d) { 177 INIT_WORK(&d->work, do_loaddata_free); 178 schedule_work(&d->work); 179 } 180 } 181 182 struct aa_loaddata *aa_loaddata_alloc(size_t size) 183 { 184 struct aa_loaddata *d; 185 186 d = kzalloc(sizeof(*d), GFP_KERNEL); 187 if (d == NULL) 188 return ERR_PTR(-ENOMEM); 189 d->data = kvzalloc(size, GFP_KERNEL); 190 if (!d->data) { 191 kfree(d); 192 return ERR_PTR(-ENOMEM); 193 } 194 kref_init(&d->count); 195 INIT_LIST_HEAD(&d->list); 196 197 return d; 198 } 199 200 /* test if read will be in packed data bounds */ 201 static bool inbounds(struct aa_ext *e, size_t size) 202 { 203 return (size <= e->end - e->pos); 204 } 205 206 static void *kvmemdup(const void *src, size_t len) 207 { 208 void *p = kvmalloc(len, GFP_KERNEL); 209 210 if (p) 211 memcpy(p, src, len); 212 return p; 213 } 214 215 /** 216 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk 217 * @e: serialized data read head (NOT NULL) 218 * @chunk: start address for chunk of data (NOT NULL) 219 * 220 * Returns: the size of chunk found with the read head at the end of the chunk. 221 */ 222 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) 223 { 224 size_t size = 0; 225 226 if (!inbounds(e, sizeof(u16))) 227 return 0; 228 size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); 229 e->pos += sizeof(__le16); 230 if (!inbounds(e, size)) 231 return 0; 232 *chunk = e->pos; 233 e->pos += size; 234 return size; 235 } 236 237 /* unpack control byte */ 238 static bool unpack_X(struct aa_ext *e, enum aa_code code) 239 { 240 if (!inbounds(e, 1)) 241 return 0; 242 if (*(u8 *) e->pos != code) 243 return 0; 244 e->pos++; 245 return 1; 246 } 247 248 /** 249 * unpack_nameX - check is the next element is of type X with a name of @name 250 * @e: serialized data extent information (NOT NULL) 251 * @code: type code 252 * @name: name to match to the serialized element. (MAYBE NULL) 253 * 254 * check that the next serialized data element is of type X and has a tag 255 * name @name. If @name is specified then there must be a matching 256 * name element in the stream. If @name is NULL any name element will be 257 * skipped and only the typecode will be tested. 258 * 259 * Returns 1 on success (both type code and name tests match) and the read 260 * head is advanced past the headers 261 * 262 * Returns: 0 if either match fails, the read head does not move 263 */ 264 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) 265 { 266 /* 267 * May need to reset pos if name or type doesn't match 268 */ 269 void *pos = e->pos; 270 /* 271 * Check for presence of a tagname, and if present name size 272 * AA_NAME tag value is a u16. 273 */ 274 if (unpack_X(e, AA_NAME)) { 275 char *tag = NULL; 276 size_t size = unpack_u16_chunk(e, &tag); 277 /* if a name is specified it must match. otherwise skip tag */ 278 if (name && (!size || strcmp(name, tag))) 279 goto fail; 280 } else if (name) { 281 /* if a name is specified and there is no name tag fail */ 282 goto fail; 283 } 284 285 /* now check if type code matches */ 286 if (unpack_X(e, code)) 287 return 1; 288 289 fail: 290 e->pos = pos; 291 return 0; 292 } 293 294 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) 295 { 296 if (unpack_nameX(e, AA_U32, name)) { 297 if (!inbounds(e, sizeof(u32))) 298 return 0; 299 if (data) 300 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); 301 e->pos += sizeof(u32); 302 return 1; 303 } 304 return 0; 305 } 306 307 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) 308 { 309 if (unpack_nameX(e, AA_U64, name)) { 310 if (!inbounds(e, sizeof(u64))) 311 return 0; 312 if (data) 313 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); 314 e->pos += sizeof(u64); 315 return 1; 316 } 317 return 0; 318 } 319 320 static size_t unpack_array(struct aa_ext *e, const char *name) 321 { 322 if (unpack_nameX(e, AA_ARRAY, name)) { 323 int size; 324 if (!inbounds(e, sizeof(u16))) 325 return 0; 326 size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos)); 327 e->pos += sizeof(u16); 328 return size; 329 } 330 return 0; 331 } 332 333 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) 334 { 335 if (unpack_nameX(e, AA_BLOB, name)) { 336 u32 size; 337 if (!inbounds(e, sizeof(u32))) 338 return 0; 339 size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); 340 e->pos += sizeof(u32); 341 if (inbounds(e, (size_t) size)) { 342 *blob = e->pos; 343 e->pos += size; 344 return size; 345 } 346 } 347 return 0; 348 } 349 350 static int unpack_str(struct aa_ext *e, const char **string, const char *name) 351 { 352 char *src_str; 353 size_t size = 0; 354 void *pos = e->pos; 355 *string = NULL; 356 if (unpack_nameX(e, AA_STRING, name)) { 357 size = unpack_u16_chunk(e, &src_str); 358 if (size) { 359 /* strings are null terminated, length is size - 1 */ 360 if (src_str[size - 1] != 0) 361 goto fail; 362 *string = src_str; 363 } 364 } 365 return size; 366 367 fail: 368 e->pos = pos; 369 return 0; 370 } 371 372 static int unpack_strdup(struct aa_ext *e, char **string, const char *name) 373 { 374 const char *tmp; 375 void *pos = e->pos; 376 int res = unpack_str(e, &tmp, name); 377 *string = NULL; 378 379 if (!res) 380 return 0; 381 382 *string = kmemdup(tmp, res, GFP_KERNEL); 383 if (!*string) { 384 e->pos = pos; 385 return 0; 386 } 387 388 return res; 389 } 390 391 #define DFA_VALID_PERM_MASK 0xffffffff 392 #define DFA_VALID_PERM2_MASK 0xffffffff 393 394 /** 395 * verify_accept - verify the accept tables of a dfa 396 * @dfa: dfa to verify accept tables of (NOT NULL) 397 * @flags: flags governing dfa 398 * 399 * Returns: 1 if valid accept tables else 0 if error 400 */ 401 static bool verify_accept(struct aa_dfa *dfa, int flags) 402 { 403 int i; 404 405 /* verify accept permissions */ 406 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 407 int mode = ACCEPT_TABLE(dfa)[i]; 408 409 if (mode & ~DFA_VALID_PERM_MASK) 410 return 0; 411 412 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) 413 return 0; 414 } 415 return 1; 416 } 417 418 /** 419 * unpack_dfa - unpack a file rule dfa 420 * @e: serialized data extent information (NOT NULL) 421 * 422 * returns dfa or ERR_PTR or NULL if no dfa 423 */ 424 static struct aa_dfa *unpack_dfa(struct aa_ext *e) 425 { 426 char *blob = NULL; 427 size_t size; 428 struct aa_dfa *dfa = NULL; 429 430 size = unpack_blob(e, &blob, "aadfa"); 431 if (size) { 432 /* 433 * The dfa is aligned with in the blob to 8 bytes 434 * from the beginning of the stream. 435 * alignment adjust needed by dfa unpack 436 */ 437 size_t sz = blob - (char *) e->start - 438 ((e->pos - e->start) & 7); 439 size_t pad = ALIGN(sz, 8) - sz; 440 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | 441 TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; 442 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); 443 444 if (IS_ERR(dfa)) 445 return dfa; 446 447 if (!verify_accept(dfa, flags)) 448 goto fail; 449 } 450 451 return dfa; 452 453 fail: 454 aa_put_dfa(dfa); 455 return ERR_PTR(-EPROTO); 456 } 457 458 /** 459 * unpack_trans_table - unpack a profile transition table 460 * @e: serialized data extent information (NOT NULL) 461 * @profile: profile to add the accept table to (NOT NULL) 462 * 463 * Returns: 1 if table successfully unpacked 464 */ 465 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) 466 { 467 void *saved_pos = e->pos; 468 469 /* exec table is optional */ 470 if (unpack_nameX(e, AA_STRUCT, "xtable")) { 471 int i, size; 472 473 size = unpack_array(e, NULL); 474 /* currently 4 exec bits and entries 0-3 are reserved iupcx */ 475 if (size > 16 - 4) 476 goto fail; 477 profile->file.trans.table = kzalloc(sizeof(char *) * size, 478 GFP_KERNEL); 479 if (!profile->file.trans.table) 480 goto fail; 481 482 profile->file.trans.size = size; 483 for (i = 0; i < size; i++) { 484 char *str; 485 int c, j, pos, size2 = unpack_strdup(e, &str, NULL); 486 /* unpack_strdup verifies that the last character is 487 * null termination byte. 488 */ 489 if (!size2) 490 goto fail; 491 profile->file.trans.table[i] = str; 492 /* verify that name doesn't start with space */ 493 if (isspace(*str)) 494 goto fail; 495 496 /* count internal # of internal \0 */ 497 for (c = j = 0; j < size2 - 1; j++) { 498 if (!str[j]) { 499 pos = j; 500 c++; 501 } 502 } 503 if (*str == ':') { 504 /* first character after : must be valid */ 505 if (!str[1]) 506 goto fail; 507 /* beginning with : requires an embedded \0, 508 * verify that exactly 1 internal \0 exists 509 * trailing \0 already verified by unpack_strdup 510 * 511 * convert \0 back to : for label_parse 512 */ 513 if (c == 1) 514 str[pos] = ':'; 515 else if (c > 1) 516 goto fail; 517 } else if (c) 518 /* fail - all other cases with embedded \0 */ 519 goto fail; 520 } 521 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 522 goto fail; 523 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 524 goto fail; 525 } 526 return 1; 527 528 fail: 529 aa_free_domain_entries(&profile->file.trans); 530 e->pos = saved_pos; 531 return 0; 532 } 533 534 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile) 535 { 536 void *pos = e->pos; 537 538 if (unpack_nameX(e, AA_STRUCT, "xattrs")) { 539 int i, size; 540 541 size = unpack_array(e, NULL); 542 profile->xattr_count = size; 543 profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); 544 if (!profile->xattrs) 545 goto fail; 546 for (i = 0; i < size; i++) { 547 if (!unpack_strdup(e, &profile->xattrs[i], NULL)) 548 goto fail; 549 } 550 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 551 goto fail; 552 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 553 goto fail; 554 } 555 556 return 1; 557 558 fail: 559 e->pos = pos; 560 return 0; 561 } 562 563 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) 564 { 565 void *pos = e->pos; 566 567 /* rlimits are optional */ 568 if (unpack_nameX(e, AA_STRUCT, "rlimits")) { 569 int i, size; 570 u32 tmp = 0; 571 if (!unpack_u32(e, &tmp, NULL)) 572 goto fail; 573 profile->rlimits.mask = tmp; 574 575 size = unpack_array(e, NULL); 576 if (size > RLIM_NLIMITS) 577 goto fail; 578 for (i = 0; i < size; i++) { 579 u64 tmp2 = 0; 580 int a = aa_map_resource(i); 581 if (!unpack_u64(e, &tmp2, NULL)) 582 goto fail; 583 profile->rlimits.limits[a].rlim_max = tmp2; 584 } 585 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 586 goto fail; 587 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 588 goto fail; 589 } 590 return 1; 591 592 fail: 593 e->pos = pos; 594 return 0; 595 } 596 597 static u32 strhash(const void *data, u32 len, u32 seed) 598 { 599 const char * const *key = data; 600 601 return jhash(*key, strlen(*key), seed); 602 } 603 604 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj) 605 { 606 const struct aa_data *data = obj; 607 const char * const *key = arg->key; 608 609 return strcmp(data->key, *key); 610 } 611 612 /** 613 * unpack_profile - unpack a serialized profile 614 * @e: serialized data extent information (NOT NULL) 615 * 616 * NOTE: unpack profile sets audit struct if there is a failure 617 */ 618 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) 619 { 620 struct aa_profile *profile = NULL; 621 const char *tmpname, *tmpns = NULL, *name = NULL; 622 const char *info = "failed to unpack profile"; 623 size_t ns_len; 624 struct rhashtable_params params = { 0 }; 625 char *key = NULL; 626 struct aa_data *data; 627 int i, error = -EPROTO; 628 kernel_cap_t tmpcap; 629 u32 tmp; 630 631 *ns_name = NULL; 632 633 /* check that we have the right struct being passed */ 634 if (!unpack_nameX(e, AA_STRUCT, "profile")) 635 goto fail; 636 if (!unpack_str(e, &name, NULL)) 637 goto fail; 638 if (*name == '\0') 639 goto fail; 640 641 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len); 642 if (tmpns) { 643 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL); 644 if (!*ns_name) { 645 info = "out of memory"; 646 goto fail; 647 } 648 name = tmpname; 649 } 650 651 profile = aa_alloc_profile(name, NULL, GFP_KERNEL); 652 if (!profile) 653 return ERR_PTR(-ENOMEM); 654 655 /* profile renaming is optional */ 656 (void) unpack_str(e, &profile->rename, "rename"); 657 658 /* attachment string is optional */ 659 (void) unpack_str(e, &profile->attach, "attach"); 660 661 /* xmatch is optional and may be NULL */ 662 profile->xmatch = unpack_dfa(e); 663 if (IS_ERR(profile->xmatch)) { 664 error = PTR_ERR(profile->xmatch); 665 profile->xmatch = NULL; 666 info = "bad xmatch"; 667 goto fail; 668 } 669 /* xmatch_len is not optional if xmatch is set */ 670 if (profile->xmatch) { 671 if (!unpack_u32(e, &tmp, NULL)) { 672 info = "missing xmatch len"; 673 goto fail; 674 } 675 profile->xmatch_len = tmp; 676 } 677 678 /* disconnected attachment string is optional */ 679 (void) unpack_str(e, &profile->disconnected, "disconnected"); 680 681 /* per profile debug flags (complain, audit) */ 682 if (!unpack_nameX(e, AA_STRUCT, "flags")) { 683 info = "profile missing flags"; 684 goto fail; 685 } 686 info = "failed to unpack profile flags"; 687 if (!unpack_u32(e, &tmp, NULL)) 688 goto fail; 689 if (tmp & PACKED_FLAG_HAT) 690 profile->label.flags |= FLAG_HAT; 691 if (!unpack_u32(e, &tmp, NULL)) 692 goto fail; 693 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) 694 profile->mode = APPARMOR_COMPLAIN; 695 else if (tmp == PACKED_MODE_KILL) 696 profile->mode = APPARMOR_KILL; 697 else if (tmp == PACKED_MODE_UNCONFINED) 698 profile->mode = APPARMOR_UNCONFINED; 699 if (!unpack_u32(e, &tmp, NULL)) 700 goto fail; 701 if (tmp) 702 profile->audit = AUDIT_ALL; 703 704 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 705 goto fail; 706 707 /* path_flags is optional */ 708 if (unpack_u32(e, &profile->path_flags, "path_flags")) 709 profile->path_flags |= profile->label.flags & 710 PATH_MEDIATE_DELETED; 711 else 712 /* set a default value if path_flags field is not present */ 713 profile->path_flags = PATH_MEDIATE_DELETED; 714 715 info = "failed to unpack profile capabilities"; 716 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) 717 goto fail; 718 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) 719 goto fail; 720 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) 721 goto fail; 722 if (!unpack_u32(e, &tmpcap.cap[0], NULL)) 723 goto fail; 724 725 info = "failed to unpack upper profile capabilities"; 726 if (unpack_nameX(e, AA_STRUCT, "caps64")) { 727 /* optional upper half of 64 bit caps */ 728 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) 729 goto fail; 730 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) 731 goto fail; 732 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) 733 goto fail; 734 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) 735 goto fail; 736 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 737 goto fail; 738 } 739 740 info = "failed to unpack extended profile capabilities"; 741 if (unpack_nameX(e, AA_STRUCT, "capsx")) { 742 /* optional extended caps mediation mask */ 743 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) 744 goto fail; 745 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) 746 goto fail; 747 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 748 goto fail; 749 } 750 751 if (!unpack_xattrs(e, profile)) { 752 info = "failed to unpack profile xattrs"; 753 goto fail; 754 } 755 756 if (!unpack_rlimits(e, profile)) { 757 info = "failed to unpack profile rlimits"; 758 goto fail; 759 } 760 761 if (unpack_nameX(e, AA_STRUCT, "policydb")) { 762 /* generic policy dfa - optional and may be NULL */ 763 info = "failed to unpack policydb"; 764 profile->policy.dfa = unpack_dfa(e); 765 if (IS_ERR(profile->policy.dfa)) { 766 error = PTR_ERR(profile->policy.dfa); 767 profile->policy.dfa = NULL; 768 goto fail; 769 } else if (!profile->policy.dfa) { 770 error = -EPROTO; 771 goto fail; 772 } 773 if (!unpack_u32(e, &profile->policy.start[0], "start")) 774 /* default start state */ 775 profile->policy.start[0] = DFA_START; 776 /* setup class index */ 777 for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { 778 profile->policy.start[i] = 779 aa_dfa_next(profile->policy.dfa, 780 profile->policy.start[0], 781 i); 782 } 783 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 784 goto fail; 785 } else 786 profile->policy.dfa = aa_get_dfa(nulldfa); 787 788 /* get file rules */ 789 profile->file.dfa = unpack_dfa(e); 790 if (IS_ERR(profile->file.dfa)) { 791 error = PTR_ERR(profile->file.dfa); 792 profile->file.dfa = NULL; 793 info = "failed to unpack profile file rules"; 794 goto fail; 795 } else if (profile->file.dfa) { 796 if (!unpack_u32(e, &profile->file.start, "dfa_start")) 797 /* default start state */ 798 profile->file.start = DFA_START; 799 } else if (profile->policy.dfa && 800 profile->policy.start[AA_CLASS_FILE]) { 801 profile->file.dfa = aa_get_dfa(profile->policy.dfa); 802 profile->file.start = profile->policy.start[AA_CLASS_FILE]; 803 } else 804 profile->file.dfa = aa_get_dfa(nulldfa); 805 806 if (!unpack_trans_table(e, profile)) { 807 info = "failed to unpack profile transition table"; 808 goto fail; 809 } 810 811 if (unpack_nameX(e, AA_STRUCT, "data")) { 812 info = "out of memory"; 813 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); 814 if (!profile->data) 815 goto fail; 816 817 params.nelem_hint = 3; 818 params.key_len = sizeof(void *); 819 params.key_offset = offsetof(struct aa_data, key); 820 params.head_offset = offsetof(struct aa_data, head); 821 params.hashfn = strhash; 822 params.obj_cmpfn = datacmp; 823 824 if (rhashtable_init(profile->data, ¶ms)) { 825 info = "failed to init key, value hash table"; 826 goto fail; 827 } 828 829 while (unpack_strdup(e, &key, NULL)) { 830 data = kzalloc(sizeof(*data), GFP_KERNEL); 831 if (!data) { 832 kzfree(key); 833 goto fail; 834 } 835 836 data->key = key; 837 data->size = unpack_blob(e, &data->data, NULL); 838 data->data = kvmemdup(data->data, data->size); 839 if (data->size && !data->data) { 840 kzfree(data->key); 841 kzfree(data); 842 goto fail; 843 } 844 845 rhashtable_insert_fast(profile->data, &data->head, 846 profile->data->p); 847 } 848 849 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { 850 info = "failed to unpack end of key, value data table"; 851 goto fail; 852 } 853 } 854 855 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { 856 info = "failed to unpack end of profile"; 857 goto fail; 858 } 859 860 return profile; 861 862 fail: 863 if (profile) 864 name = NULL; 865 else if (!name) 866 name = "unknown"; 867 audit_iface(profile, NULL, name, info, e, error); 868 aa_free_profile(profile); 869 870 return ERR_PTR(error); 871 } 872 873 /** 874 * verify_head - unpack serialized stream header 875 * @e: serialized data read head (NOT NULL) 876 * @required: whether the header is required or optional 877 * @ns: Returns - namespace if one is specified else NULL (NOT NULL) 878 * 879 * Returns: error or 0 if header is good 880 */ 881 static int verify_header(struct aa_ext *e, int required, const char **ns) 882 { 883 int error = -EPROTONOSUPPORT; 884 const char *name = NULL; 885 *ns = NULL; 886 887 /* get the interface version */ 888 if (!unpack_u32(e, &e->version, "version")) { 889 if (required) { 890 audit_iface(NULL, NULL, NULL, "invalid profile format", 891 e, error); 892 return error; 893 } 894 } 895 896 /* Check that the interface version is currently supported. 897 * if not specified use previous version 898 * Mask off everything that is not kernel abi version 899 */ 900 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) { 901 audit_iface(NULL, NULL, NULL, "unsupported interface version", 902 e, error); 903 return error; 904 } 905 906 /* read the namespace if present */ 907 if (unpack_str(e, &name, "namespace")) { 908 if (*name == '\0') { 909 audit_iface(NULL, NULL, NULL, "invalid namespace name", 910 e, error); 911 return error; 912 } 913 if (*ns && strcmp(*ns, name)) 914 audit_iface(NULL, NULL, NULL, "invalid ns change", e, 915 error); 916 else if (!*ns) 917 *ns = name; 918 } 919 920 return 0; 921 } 922 923 static bool verify_xindex(int xindex, int table_size) 924 { 925 int index, xtype; 926 xtype = xindex & AA_X_TYPE_MASK; 927 index = xindex & AA_X_INDEX_MASK; 928 if (xtype == AA_X_TABLE && index >= table_size) 929 return 0; 930 return 1; 931 } 932 933 /* verify dfa xindexes are in range of transition tables */ 934 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) 935 { 936 int i; 937 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 938 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) 939 return 0; 940 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) 941 return 0; 942 } 943 return 1; 944 } 945 946 /** 947 * verify_profile - Do post unpack analysis to verify profile consistency 948 * @profile: profile to verify (NOT NULL) 949 * 950 * Returns: 0 if passes verification else error 951 */ 952 static int verify_profile(struct aa_profile *profile) 953 { 954 if (profile->file.dfa && 955 !verify_dfa_xindex(profile->file.dfa, 956 profile->file.trans.size)) { 957 audit_iface(profile, NULL, NULL, "Invalid named transition", 958 NULL, -EPROTO); 959 return -EPROTO; 960 } 961 962 return 0; 963 } 964 965 void aa_load_ent_free(struct aa_load_ent *ent) 966 { 967 if (ent) { 968 aa_put_profile(ent->rename); 969 aa_put_profile(ent->old); 970 aa_put_profile(ent->new); 971 kfree(ent->ns_name); 972 kzfree(ent); 973 } 974 } 975 976 struct aa_load_ent *aa_load_ent_alloc(void) 977 { 978 struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL); 979 if (ent) 980 INIT_LIST_HEAD(&ent->list); 981 return ent; 982 } 983 984 /** 985 * aa_unpack - unpack packed binary profile(s) data loaded from user space 986 * @udata: user data copied to kmem (NOT NULL) 987 * @lh: list to place unpacked profiles in a aa_repl_ws 988 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) 989 * 990 * Unpack user data and return refcounted allocated profile(s) stored in 991 * @lh in order of discovery, with the list chain stored in base.list 992 * or error 993 * 994 * Returns: profile(s) on @lh else error pointer if fails to unpack 995 */ 996 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, 997 const char **ns) 998 { 999 struct aa_load_ent *tmp, *ent; 1000 struct aa_profile *profile = NULL; 1001 int error; 1002 struct aa_ext e = { 1003 .start = udata->data, 1004 .end = udata->data + udata->size, 1005 .pos = udata->data, 1006 }; 1007 1008 *ns = NULL; 1009 while (e.pos < e.end) { 1010 char *ns_name = NULL; 1011 void *start; 1012 error = verify_header(&e, e.pos == e.start, ns); 1013 if (error) 1014 goto fail; 1015 1016 start = e.pos; 1017 profile = unpack_profile(&e, &ns_name); 1018 if (IS_ERR(profile)) { 1019 error = PTR_ERR(profile); 1020 goto fail; 1021 } 1022 1023 error = verify_profile(profile); 1024 if (error) 1025 goto fail_profile; 1026 1027 if (aa_g_hash_policy) 1028 error = aa_calc_profile_hash(profile, e.version, start, 1029 e.pos - start); 1030 if (error) 1031 goto fail_profile; 1032 1033 ent = aa_load_ent_alloc(); 1034 if (!ent) { 1035 error = -ENOMEM; 1036 goto fail_profile; 1037 } 1038 1039 ent->new = profile; 1040 ent->ns_name = ns_name; 1041 list_add_tail(&ent->list, lh); 1042 } 1043 udata->abi = e.version & K_ABI_MASK; 1044 if (aa_g_hash_policy) { 1045 udata->hash = aa_calc_hash(udata->data, udata->size); 1046 if (IS_ERR(udata->hash)) { 1047 error = PTR_ERR(udata->hash); 1048 udata->hash = NULL; 1049 goto fail; 1050 } 1051 } 1052 return 0; 1053 1054 fail_profile: 1055 aa_put_profile(profile); 1056 1057 fail: 1058 list_for_each_entry_safe(ent, tmp, lh, list) { 1059 list_del_init(&ent->list); 1060 aa_load_ent_free(ent); 1061 } 1062 1063 return error; 1064 } 1065