1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor functions for unpacking policy loaded from 6 * userspace. 7 * 8 * Copyright (C) 1998-2008 Novell/SUSE 9 * Copyright 2009-2010 Canonical Ltd. 10 * 11 * AppArmor uses a serialized binary format for loading policy. To find 12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst 13 * All policy is validated before it is used. 14 */ 15 16 #include <linux/unaligned.h> 17 #include <kunit/visibility.h> 18 #include <linux/ctype.h> 19 #include <linux/errno.h> 20 #include <linux/zstd.h> 21 22 #include "include/apparmor.h" 23 #include "include/audit.h" 24 #include "include/cred.h" 25 #include "include/crypto.h" 26 #include "include/file.h" 27 #include "include/match.h" 28 #include "include/path.h" 29 #include "include/policy.h" 30 #include "include/policy_unpack.h" 31 #include "include/policy_compat.h" 32 #include "include/signal.h" 33 34 /* audit callback for unpack fields */ 35 static void audit_cb(struct audit_buffer *ab, void *va) 36 { 37 struct common_audit_data *sa = va; 38 struct apparmor_audit_data *ad = aad(sa); 39 40 if (ad->iface.ns) { 41 audit_log_format(ab, " ns="); 42 audit_log_untrustedstring(ab, ad->iface.ns); 43 } 44 if (ad->name) { 45 audit_log_format(ab, " name="); 46 audit_log_untrustedstring(ab, ad->name); 47 } 48 if (ad->iface.pos) 49 audit_log_format(ab, " offset=%ld", ad->iface.pos); 50 } 51 52 /** 53 * audit_iface - do audit message for policy unpacking/load/replace/remove 54 * @new: profile if it has been allocated (MAYBE NULL) 55 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL) 56 * @name: name of the profile being manipulated (MAYBE NULL) 57 * @info: any extra info about the failure (MAYBE NULL) 58 * @e: buffer position info 59 * @error: error code 60 * 61 * Returns: %0 or error 62 */ 63 static int audit_iface(struct aa_profile *new, const char *ns_name, 64 const char *name, const char *info, struct aa_ext *e, 65 int error) 66 { 67 struct aa_profile *profile = labels_profile(aa_current_raw_label()); 68 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); 69 if (e) 70 ad.iface.pos = e->pos - e->start; 71 ad.iface.ns = ns_name; 72 if (new) 73 ad.name = new->base.hname; 74 else 75 ad.name = name; 76 ad.info = info; 77 ad.error = error; 78 79 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb); 80 } 81 82 void __aa_loaddata_update(struct aa_loaddata *data, long revision) 83 { 84 AA_BUG(!data); 85 AA_BUG(!data->ns); 86 AA_BUG(!mutex_is_locked(&data->ns->lock)); 87 AA_BUG(data->revision > revision); 88 89 data->revision = revision; 90 if ((data->dents[AAFS_LOADDATA_REVISION])) { 91 struct inode *inode; 92 93 inode = d_inode(data->dents[AAFS_LOADDATA_DIR]); 94 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode)); 95 96 inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]); 97 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode)); 98 } 99 } 100 101 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r) 102 { 103 if (l->size != r->size) 104 return false; 105 if (l->compressed_size != r->compressed_size) 106 return false; 107 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) 108 return false; 109 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0; 110 } 111 112 static void do_loaddata_free(struct aa_loaddata *d) 113 { 114 kfree_sensitive(d->hash); 115 kfree_sensitive(d->name); 116 kvfree(d->data); 117 kfree_sensitive(d); 118 } 119 120 void aa_loaddata_kref(struct kref *kref) 121 { 122 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, 123 count.count); 124 125 do_loaddata_free(d); 126 } 127 128 /* 129 * need to take the ns mutex lock which is NOT safe most places that 130 * put_loaddata is called, so we have to delay freeing it 131 */ 132 static void do_ploaddata_rmfs(struct work_struct *work) 133 { 134 struct aa_loaddata *d = container_of(work, struct aa_loaddata, work); 135 struct aa_ns *ns = aa_get_ns(d->ns); 136 137 if (ns) { 138 mutex_lock_nested(&ns->lock, ns->level); 139 /* remove fs ref to loaddata */ 140 __aa_fs_remove_rawdata(d); 141 mutex_unlock(&ns->lock); 142 aa_put_ns(ns); 143 } 144 /* called by dropping last pcount, so drop its associated icount */ 145 aa_put_i_loaddata(d); 146 } 147 148 void aa_ploaddata_kref(struct kref *kref) 149 { 150 struct aa_loaddata *d = container_of(kref, struct aa_loaddata, pcount); 151 152 if (d) { 153 INIT_WORK(&d->work, do_ploaddata_rmfs); 154 schedule_work(&d->work); 155 } 156 } 157 158 struct aa_loaddata *aa_loaddata_alloc(size_t size) 159 { 160 struct aa_loaddata *d; 161 162 d = kzalloc_obj(*d); 163 if (d == NULL) 164 return ERR_PTR(-ENOMEM); 165 d->data = kvzalloc(size, GFP_KERNEL); 166 if (!d->data) { 167 kfree(d); 168 return ERR_PTR(-ENOMEM); 169 } 170 kref_init(&d->count.count); 171 d->count.reftype = REF_RAWDATA; 172 kref_init(&d->pcount); 173 INIT_LIST_HEAD(&d->list); 174 175 return d; 176 } 177 178 /* test if read will be in packed data bounds */ 179 VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size) 180 { 181 return (size <= e->end - e->pos); 182 } 183 EXPORT_SYMBOL_IF_KUNIT(aa_inbounds); 184 185 /** 186 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk 187 * @e: serialized data read head (NOT NULL) 188 * @chunk: start address for chunk of data (NOT NULL) 189 * 190 * Returns: the size of chunk found with the read head at the end of the chunk. 191 */ 192 VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk) 193 { 194 size_t size = 0; 195 void *pos = e->pos; 196 197 if (!aa_inbounds(e, sizeof(u16))) 198 goto fail; 199 size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); 200 e->pos += sizeof(__le16); 201 if (!aa_inbounds(e, size)) 202 goto fail; 203 *chunk = e->pos; 204 e->pos += size; 205 return size; 206 207 fail: 208 e->pos = pos; 209 return 0; 210 } 211 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk); 212 213 /* unpack control byte */ 214 VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code) 215 { 216 if (!aa_inbounds(e, 1)) 217 return false; 218 if (*(u8 *) e->pos != code) 219 return false; 220 e->pos++; 221 return true; 222 } 223 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X); 224 225 /** 226 * aa_unpack_nameX - check is the next element is of type X with a name of @name 227 * @e: serialized data extent information (NOT NULL) 228 * @code: type code 229 * @name: name to match to the serialized element. (MAYBE NULL) 230 * 231 * check that the next serialized data element is of type X and has a tag 232 * name @name. If @name is specified then there must be a matching 233 * name element in the stream. If @name is NULL any name element will be 234 * skipped and only the typecode will be tested. 235 * 236 * Returns true on success (both type code and name tests match) and the read 237 * head is advanced past the headers 238 * 239 * Returns: false if either match fails, the read head does not move 240 */ 241 VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) 242 { 243 /* 244 * May need to reset pos if name or type doesn't match 245 */ 246 void *pos = e->pos; 247 /* 248 * Check for presence of a tagname, and if present name size 249 * AA_NAME tag value is a u16. 250 */ 251 if (aa_unpack_X(e, AA_NAME)) { 252 char *tag = NULL; 253 size_t size = aa_unpack_u16_chunk(e, &tag); 254 /* if a name is specified it must match. otherwise skip tag */ 255 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) 256 goto fail; 257 } else if (name) { 258 /* if a name is specified and there is no name tag fail */ 259 goto fail; 260 } 261 262 /* now check if type code matches */ 263 if (aa_unpack_X(e, code)) 264 return true; 265 266 fail: 267 e->pos = pos; 268 return false; 269 } 270 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX); 271 272 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name) 273 { 274 void *pos = e->pos; 275 276 if (aa_unpack_nameX(e, AA_U8, name)) { 277 if (!aa_inbounds(e, sizeof(u8))) 278 goto fail; 279 if (data) 280 *data = *((u8 *)e->pos); 281 e->pos += sizeof(u8); 282 return true; 283 } 284 285 fail: 286 e->pos = pos; 287 return false; 288 } 289 290 VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name) 291 { 292 void *pos = e->pos; 293 294 if (aa_unpack_nameX(e, AA_U32, name)) { 295 if (!aa_inbounds(e, sizeof(u32))) 296 goto fail; 297 if (data) 298 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); 299 e->pos += sizeof(u32); 300 return true; 301 } 302 303 fail: 304 e->pos = pos; 305 return false; 306 } 307 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32); 308 309 VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name) 310 { 311 void *pos = e->pos; 312 313 if (aa_unpack_nameX(e, AA_U64, name)) { 314 if (!aa_inbounds(e, sizeof(u64))) 315 goto fail; 316 if (data) 317 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); 318 e->pos += sizeof(u64); 319 return true; 320 } 321 322 fail: 323 e->pos = pos; 324 return false; 325 } 326 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64); 327 328 static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name) 329 { 330 u32 val; 331 332 if (!aa_unpack_u32(e, &val, name)) 333 return false; 334 data->val = val; 335 return true; 336 } 337 338 static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name) 339 { 340 u32 val; 341 342 if (!aa_unpack_u32(e, &val, name)) 343 return false; 344 data->val = (u32)data->val | ((u64)val << 32); 345 return true; 346 } 347 348 VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size) 349 { 350 void *pos = e->pos; 351 352 if (aa_unpack_nameX(e, AA_ARRAY, name)) { 353 if (!aa_inbounds(e, sizeof(u16))) 354 goto fail; 355 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); 356 e->pos += sizeof(u16); 357 return true; 358 } 359 360 fail: 361 e->pos = pos; 362 return false; 363 } 364 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array); 365 366 VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name) 367 { 368 void *pos = e->pos; 369 370 if (aa_unpack_nameX(e, AA_BLOB, name)) { 371 u32 size; 372 if (!aa_inbounds(e, sizeof(u32))) 373 goto fail; 374 size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); 375 e->pos += sizeof(u32); 376 if (aa_inbounds(e, (size_t) size)) { 377 *blob = e->pos; 378 e->pos += size; 379 return size; 380 } 381 } 382 383 fail: 384 e->pos = pos; 385 return 0; 386 } 387 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob); 388 389 VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name) 390 { 391 char *src_str; 392 size_t size = 0; 393 void *pos = e->pos; 394 *string = NULL; 395 if (aa_unpack_nameX(e, AA_STRING, name)) { 396 size = aa_unpack_u16_chunk(e, &src_str); 397 if (size) { 398 /* strings are null terminated, length is size - 1 */ 399 if (src_str[size - 1] != 0) 400 goto fail; 401 *string = src_str; 402 403 return size; 404 } 405 } 406 407 fail: 408 e->pos = pos; 409 return 0; 410 } 411 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str); 412 413 VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name) 414 { 415 const char *tmp; 416 void *pos = e->pos; 417 int res = aa_unpack_str(e, &tmp, name); 418 *string = NULL; 419 420 if (!res) 421 return 0; 422 423 *string = kmemdup(tmp, res, GFP_KERNEL); 424 if (!*string) { 425 e->pos = pos; 426 return 0; 427 } 428 429 return res; 430 } 431 EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup); 432 433 434 /** 435 * unpack_dfa - unpack a file rule dfa 436 * @e: serialized data extent information (NOT NULL) 437 * @flags: dfa flags to check 438 * 439 * returns dfa or ERR_PTR or NULL if no dfa 440 */ 441 static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags) 442 { 443 char *blob = NULL; 444 size_t size; 445 struct aa_dfa *dfa = NULL; 446 447 size = aa_unpack_blob(e, &blob, "aadfa"); 448 if (size) { 449 /* 450 * The dfa is aligned with in the blob to 8 bytes 451 * from the beginning of the stream. 452 * alignment adjust needed by dfa unpack 453 */ 454 size_t sz = blob - (char *) e->start - 455 ((e->pos - e->start) & 7); 456 size_t pad = ALIGN(sz, 8) - sz; 457 if (aa_g_paranoid_load) 458 flags |= DFA_FLAG_VERIFY_STATES; 459 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); 460 461 if (IS_ERR(dfa)) 462 return dfa; 463 464 } 465 466 return dfa; 467 } 468 469 static int process_strs_entry(char *str, int size, bool multi) 470 { 471 int c = 1; 472 473 if (size <= 0) 474 return -1; 475 if (multi) { 476 if (size < 2) 477 return -2; 478 /* multi ends with double \0 */ 479 if (str[size - 2]) 480 return -3; 481 } 482 483 char *save = str; 484 char *pos = str; 485 char *end = multi ? str + size - 2 : str + size - 1; 486 /* count # of internal \0 */ 487 while (str < end) { 488 if (str == pos) { 489 /* starts with ... */ 490 if (!*str) { 491 AA_DEBUG(DEBUG_UNPACK, 492 "starting with null save=%lu size %d c=%d", 493 (unsigned long)(str - save), size, c); 494 return -4; 495 } 496 if (isspace(*str)) 497 return -5; 498 if (*str == ':') { 499 /* :ns_str\0str\0 500 * first character after : must be valid 501 */ 502 if (!str[1]) 503 return -6; 504 } 505 } else if (!*str) { 506 if (*pos == ':') 507 *str = ':'; 508 else 509 c++; 510 pos = str + 1; 511 } 512 str++; 513 } /* while */ 514 515 return c; 516 } 517 518 /** 519 * unpack_strs_table - unpack a profile transition table 520 * @e: serialized data extent information (NOT NULL) 521 * @name: name of table (MAY BE NULL) 522 * @multi: allow multiple strings on a single entry 523 * @strs: str table to unpack to (NOT NULL) 524 * 525 * Returns: 0 if table successfully unpacked or not present, else error 526 */ 527 static int unpack_strs_table(struct aa_ext *e, const char *name, bool multi, 528 struct aa_str_table *strs) 529 { 530 void *saved_pos = e->pos; 531 struct aa_str_table_ent *table = NULL; 532 int error = -EPROTO; 533 534 /* exec table is optional */ 535 if (aa_unpack_nameX(e, AA_STRUCT, name)) { 536 u16 size; 537 int i; 538 539 if (!aa_unpack_array(e, NULL, &size)) 540 /* 541 * Note: index into trans table array is a max 542 * of 2^24, but unpack array can only unpack 543 * an array of 2^16 in size atm so no need 544 * for size check here 545 */ 546 goto fail; 547 table = kzalloc_objs(struct aa_str_table_ent, size); 548 if (!table) { 549 error = -ENOMEM; 550 goto fail; 551 } 552 strs->table = table; 553 strs->size = size; 554 for (i = 0; i < size; i++) { 555 char *str; 556 int c, size2 = aa_unpack_strdup(e, &str, NULL); 557 /* aa_unpack_strdup verifies that the last character is 558 * null termination byte. 559 */ 560 c = process_strs_entry(str, size2, multi); 561 if (c <= 0) { 562 AA_DEBUG(DEBUG_UNPACK, "process_strs %d i %d pos %ld", 563 c, i, 564 (unsigned long)(e->pos - saved_pos)); 565 goto fail; 566 } 567 if (!multi && c > 1) { 568 AA_DEBUG(DEBUG_UNPACK, "!multi && c > 1"); 569 /* fail - all other cases with embedded \0 */ 570 goto fail; 571 } 572 table[i].strs = str; 573 table[i].count = c; 574 table[i].size = size2; 575 } 576 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 577 goto fail; 578 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 579 goto fail; 580 } 581 return 0; 582 583 fail: 584 aa_destroy_str_table(strs); 585 e->pos = saved_pos; 586 return error; 587 } 588 589 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile) 590 { 591 void *pos = e->pos; 592 593 if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) { 594 u16 size; 595 int i; 596 597 if (!aa_unpack_array(e, NULL, &size)) 598 goto fail; 599 profile->attach.xattr_count = size; 600 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); 601 if (!profile->attach.xattrs) 602 goto fail; 603 for (i = 0; i < size; i++) { 604 if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL)) 605 goto fail; 606 } 607 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 608 goto fail; 609 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 610 goto fail; 611 } 612 613 return true; 614 615 fail: 616 e->pos = pos; 617 return false; 618 } 619 620 static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules) 621 { 622 void *pos = e->pos; 623 u16 size; 624 int i; 625 626 if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) { 627 if (!aa_unpack_array(e, NULL, &size)) 628 goto fail; 629 630 rules->secmark = kzalloc_objs(struct aa_secmark, size); 631 if (!rules->secmark) 632 goto fail; 633 634 rules->secmark_count = size; 635 636 for (i = 0; i < size; i++) { 637 if (!unpack_u8(e, &rules->secmark[i].audit, NULL)) 638 goto fail; 639 if (!unpack_u8(e, &rules->secmark[i].deny, NULL)) 640 goto fail; 641 if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL)) 642 goto fail; 643 } 644 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 645 goto fail; 646 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 647 goto fail; 648 } 649 650 return true; 651 652 fail: 653 if (rules->secmark) { 654 for (i = 0; i < size; i++) 655 kfree_sensitive(rules->secmark[i].label); 656 kfree_sensitive(rules->secmark); 657 rules->secmark_count = 0; 658 rules->secmark = NULL; 659 } 660 661 e->pos = pos; 662 return false; 663 } 664 665 static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules) 666 { 667 void *pos = e->pos; 668 669 /* rlimits are optional */ 670 if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) { 671 u16 size; 672 int i; 673 u32 tmp = 0; 674 if (!aa_unpack_u32(e, &tmp, NULL)) 675 goto fail; 676 rules->rlimits.mask = tmp; 677 678 if (!aa_unpack_array(e, NULL, &size) || 679 size > RLIM_NLIMITS) 680 goto fail; 681 for (i = 0; i < size; i++) { 682 u64 tmp2 = 0; 683 int a = aa_map_resource(i); 684 if (!aa_unpack_u64(e, &tmp2, NULL)) 685 goto fail; 686 rules->rlimits.limits[a].rlim_max = tmp2; 687 } 688 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 689 goto fail; 690 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 691 goto fail; 692 } 693 return true; 694 695 fail: 696 e->pos = pos; 697 return false; 698 } 699 700 701 static bool verify_tags(struct aa_tags_struct *tags, const char **info) 702 { 703 if ((tags->hdrs.size && !tags->hdrs.table) || 704 (!tags->hdrs.size && tags->hdrs.table)) { 705 *info = "failed verification tag.hdrs disagree"; 706 return false; 707 } 708 if ((tags->sets.size && !tags->sets.table) || 709 (!tags->sets.size && tags->sets.table)) { 710 *info = "failed verification tag.sets disagree"; 711 return false; 712 } 713 if ((tags->strs.size && !tags->strs.table) || 714 (!tags->strs.size && tags->strs.table)) { 715 *info = "failed verification tags->strs disagree"; 716 return false; 717 } 718 /* no data present */ 719 if (!tags->sets.size && !tags->hdrs.size && !tags->strs.size) { 720 return true; 721 } else if (!(tags->sets.size && tags->hdrs.size && tags->strs.size)) { 722 /* some data present but not all */ 723 *info = "failed verification tags partial data present"; 724 return false; 725 } 726 727 u32 i; 728 729 for (i = 0; i < tags->sets.size; i++) { 730 /* count followed by count indexes into hdrs */ 731 u32 cnt = tags->sets.table[i]; 732 733 if (i+cnt >= tags->sets.size) { 734 AA_DEBUG(DEBUG_UNPACK, 735 "tagset too large %d+%d > sets.table[%d]", 736 i, cnt, tags->sets.size); 737 *info = "failed verification tagset too large"; 738 return false; 739 } 740 for (; cnt; cnt--) { 741 if (tags->sets.table[++i] >= tags->hdrs.size) { 742 AA_DEBUG(DEBUG_UNPACK, 743 "tagsets idx out of bounds cnt %d sets.table[%d] >= %d", 744 cnt, i-1, tags->hdrs.size); 745 *info = "failed verification tagsets idx out of bounds"; 746 return false; 747 } 748 } 749 } 750 for (i = 0; i < tags->hdrs.size; i++) { 751 u32 idx = tags->hdrs.table[i].tags; 752 753 if (idx >= tags->strs.size) { 754 AA_DEBUG(DEBUG_UNPACK, 755 "tag.hdrs idx oob idx %d > tags->strs.size=%d", 756 idx, tags->strs.size); 757 *info = "failed verification tags.hdrs idx out of bounds"; 758 return false; 759 } 760 if (tags->hdrs.table[i].count != tags->strs.table[idx].count) { 761 AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].count=%d != tags->strs.table[%d]=%d", 762 i, tags->hdrs.table[i].count, idx, tags->strs.table[idx].count); 763 *info = "failed verification tagd.hdrs[idx].count"; 764 return false; 765 } 766 if (tags->hdrs.table[i].size != tags->strs.table[idx].size) { 767 AA_DEBUG(DEBUG_UNPACK, "hdrs.table[%d].size=%d != strs.table[%d].size=%d", 768 i, tags->hdrs.table[i].size, idx, tags->strs.table[idx].size); 769 *info = "failed verification tagd.hdrs[idx].size"; 770 return false; 771 } 772 } 773 774 return true; 775 } 776 777 static int unpack_tagsets(struct aa_ext *e, struct aa_tags_struct *tags) 778 { 779 u32 *sets; 780 u16 i, size; 781 int error = -EPROTO; 782 void *pos = e->pos; 783 784 if (!aa_unpack_array(e, "sets", &size)) 785 goto fail_reset; 786 sets = kcalloc(size, sizeof(u32), GFP_KERNEL); 787 if (!sets) { 788 error = -ENOMEM; 789 goto fail_reset; 790 } 791 for (i = 0; i < size; i++) { 792 if (!aa_unpack_u32(e, &sets[i], NULL)) 793 goto fail; 794 } 795 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 796 goto fail; 797 798 tags->sets.size = size; 799 tags->sets.table = sets; 800 801 return 0; 802 803 fail: 804 kfree_sensitive(sets); 805 fail_reset: 806 e->pos = pos; 807 return error; 808 } 809 810 static bool unpack_tag_header_ent(struct aa_ext *e, struct aa_tags_header *h) 811 { 812 return aa_unpack_u32(e, &h->mask, NULL) && 813 aa_unpack_u32(e, &h->count, NULL) && 814 aa_unpack_u32(e, &h->size, NULL) && 815 aa_unpack_u32(e, &h->tags, NULL); 816 } 817 818 static int unpack_tag_headers(struct aa_ext *e, struct aa_tags_struct *tags) 819 { 820 struct aa_tags_header *hdrs; 821 u16 i, size; 822 int error = -EPROTO; 823 void *pos = e->pos; 824 825 if (!aa_unpack_array(e, "hdrs", &size)) 826 goto fail_reset; 827 hdrs = kzalloc_objs(struct aa_tags_header, size); 828 if (!hdrs) { 829 error = -ENOMEM; 830 goto fail_reset; 831 } 832 for (i = 0; i < size; i++) { 833 if (!unpack_tag_header_ent(e, &hdrs[i])) 834 goto fail; 835 } 836 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 837 goto fail; 838 839 tags->hdrs.size = size; 840 tags->hdrs.table = hdrs; 841 AA_DEBUG(DEBUG_UNPACK, "headers %ld size %d", (long) hdrs, size); 842 return true; 843 844 fail: 845 kfree_sensitive(hdrs); 846 fail_reset: 847 e->pos = pos; 848 return error; 849 } 850 851 852 static int unpack_tags(struct aa_ext *e, struct aa_tags_struct *tags, 853 const char **info) 854 { 855 int error = -EPROTO; 856 void *pos = e->pos; 857 858 AA_BUG(!tags); 859 /* policy tags are optional */ 860 if (aa_unpack_nameX(e, AA_STRUCT, "tags")) { 861 u32 version; 862 863 if (!aa_unpack_u32(e, &version, "version") || version != 1) { 864 *info = "invalid tags version"; 865 goto fail_reset; 866 } 867 error = unpack_strs_table(e, "strs", true, &tags->strs); 868 if (error) { 869 *info = "failed to unpack profile tag.strs"; 870 goto fail; 871 } 872 error = unpack_tag_headers(e, tags); 873 if (error) { 874 *info = "failed to unpack profile tag.headers"; 875 goto fail; 876 } 877 error = unpack_tagsets(e, tags); 878 if (error) { 879 *info = "failed to unpack profile tag.sets"; 880 goto fail; 881 } 882 error = -EPROTO; 883 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 884 goto fail; 885 886 if (!verify_tags(tags, info)) 887 goto fail; 888 } 889 890 return 0; 891 892 fail: 893 aa_destroy_tags(tags); 894 fail_reset: 895 e->pos = pos; 896 return error; 897 } 898 899 static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm) 900 { 901 u32 reserved; 902 903 if (version != 1) 904 return false; 905 906 /* reserved entry is for later expansion, discard for now */ 907 return aa_unpack_u32(e, &reserved, NULL) && 908 aa_unpack_u32(e, &perm->allow, NULL) && 909 aa_unpack_u32(e, &perm->deny, NULL) && 910 aa_unpack_u32(e, &perm->subtree, NULL) && 911 aa_unpack_u32(e, &perm->cond, NULL) && 912 aa_unpack_u32(e, &perm->kill, NULL) && 913 aa_unpack_u32(e, &perm->complain, NULL) && 914 aa_unpack_u32(e, &perm->prompt, NULL) && 915 aa_unpack_u32(e, &perm->audit, NULL) && 916 aa_unpack_u32(e, &perm->quiet, NULL) && 917 aa_unpack_u32(e, &perm->hide, NULL) && 918 aa_unpack_u32(e, &perm->xindex, NULL) && 919 aa_unpack_u32(e, &perm->tag, NULL) && 920 aa_unpack_u32(e, &perm->label, NULL); 921 } 922 923 static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms) 924 { 925 void *pos = e->pos; 926 u16 size = 0; 927 928 AA_BUG(!perms); 929 /* 930 * policy perms are optional, in which case perms are embedded 931 * in the dfa accept table 932 */ 933 if (aa_unpack_nameX(e, AA_STRUCT, "perms")) { 934 int i; 935 u32 version; 936 937 if (!aa_unpack_u32(e, &version, "version")) 938 goto fail_reset; 939 if (!aa_unpack_array(e, NULL, &size)) 940 goto fail_reset; 941 *perms = kzalloc_objs(struct aa_perms, size); 942 if (!*perms) { 943 e->pos = pos; 944 return -ENOMEM; 945 } 946 for (i = 0; i < size; i++) { 947 if (!unpack_perm(e, version, &(*perms)[i])) 948 goto fail; 949 } 950 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) 951 goto fail; 952 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 953 goto fail; 954 } else 955 *perms = NULL; 956 957 return size; 958 959 fail: 960 kfree(*perms); 961 fail_reset: 962 e->pos = pos; 963 return -EPROTO; 964 } 965 966 static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, 967 bool required_dfa, bool required_trans, 968 const char **info) 969 { 970 struct aa_policydb *pdb; 971 void *pos = e->pos; 972 int i, flags, error = -EPROTO; 973 ssize_t size; 974 u32 version = 0; 975 976 pdb = aa_alloc_pdb(GFP_KERNEL); 977 if (!pdb) 978 return -ENOMEM; 979 980 AA_DEBUG(DEBUG_UNPACK, "unpacking tags"); 981 if (unpack_tags(e, &pdb->tags, info) < 0) 982 goto fail; 983 AA_DEBUG(DEBUG_UNPACK, "done unpacking tags"); 984 985 size = unpack_perms_table(e, &pdb->perms); 986 if (size < 0) { 987 error = size; 988 pdb->perms = NULL; 989 *info = "failed to unpack - perms"; 990 goto fail; 991 } 992 pdb->size = size; 993 994 if (pdb->perms) { 995 /* perms table present accept is index */ 996 flags = TO_ACCEPT1_FLAG(YYTD_DATA32); 997 if (aa_unpack_u32(e, &version, "permsv") && version > 2) 998 /* accept2 used for dfa flags */ 999 flags |= TO_ACCEPT2_FLAG(YYTD_DATA32); 1000 } else { 1001 /* packed perms in accept1 and accept2 */ 1002 flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | 1003 TO_ACCEPT2_FLAG(YYTD_DATA32); 1004 } 1005 1006 pdb->dfa = unpack_dfa(e, flags); 1007 if (IS_ERR(pdb->dfa)) { 1008 error = PTR_ERR(pdb->dfa); 1009 pdb->dfa = NULL; 1010 *info = "failed to unpack - dfa"; 1011 goto fail; 1012 } else if (!pdb->dfa) { 1013 if (required_dfa) { 1014 *info = "missing required dfa"; 1015 goto fail; 1016 } 1017 } else { 1018 /* 1019 * only unpack the following if a dfa is present 1020 * 1021 * sadly start was given different names for file and policydb 1022 * but since it is optional we can try both 1023 */ 1024 if (!aa_unpack_u32(e, &pdb->start[0], "start")) 1025 /* default start state */ 1026 pdb->start[0] = DFA_START; 1027 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { 1028 /* default start state for xmatch and file dfa */ 1029 pdb->start[AA_CLASS_FILE] = DFA_START; 1030 } 1031 1032 size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen; 1033 1034 if (pdb->start[0] >= state_count || 1035 pdb->start[AA_CLASS_FILE] >= state_count) { 1036 *info = "invalid dfa start state"; 1037 goto fail; 1038 } 1039 1040 /* setup class index */ 1041 for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) { 1042 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0], 1043 i); 1044 } 1045 } 1046 1047 /* accept2 is in some cases being allocated, even with perms */ 1048 if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) { 1049 /* add dfa flags table missing in v2 */ 1050 u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen; 1051 u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags; 1052 size_t tsize = table_size(noents, tdflags); 1053 1054 pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL); 1055 if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) { 1056 *info = "failed to alloc dfa flags table"; 1057 goto out; 1058 } 1059 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents; 1060 pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags; 1061 } 1062 /* 1063 * Unfortunately due to a bug in earlier userspaces, a 1064 * transition table may be present even when the dfa is 1065 * not. For compatibility reasons unpack and discard. 1066 */ 1067 error = unpack_strs_table(e, "xtable", false, &pdb->trans); 1068 if (error && required_trans) { 1069 *info = "failed to unpack profile transition table"; 1070 goto fail; 1071 } 1072 1073 if (!pdb->dfa && pdb->trans.table) 1074 aa_destroy_str_table(&pdb->trans); 1075 1076 /* TODO: 1077 * - move compat mapping here, requires dfa merging first 1078 * - move verify here, it has to be done after compat mappings 1079 * - move free of unneeded trans table here, has to be done 1080 * after perm mapping. 1081 */ 1082 out: 1083 *policy = pdb; 1084 return 0; 1085 1086 fail: 1087 aa_put_pdb(pdb); 1088 e->pos = pos; 1089 return error; 1090 } 1091 1092 static u32 strhash(const void *data, u32 len, u32 seed) 1093 { 1094 const char * const *key = data; 1095 1096 return jhash(*key, strlen(*key), seed); 1097 } 1098 1099 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj) 1100 { 1101 const struct aa_data *data = obj; 1102 const char * const *key = arg->key; 1103 1104 return strcmp(data->key, *key); 1105 } 1106 1107 /** 1108 * unpack_profile - unpack a serialized profile 1109 * @e: serialized data extent information (NOT NULL) 1110 * @ns_name: pointer of newly allocated copy of %NULL in case of error 1111 * 1112 * NOTE: unpack profile sets audit struct if there is a failure 1113 */ 1114 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) 1115 { 1116 struct aa_ruleset *rules; 1117 struct aa_profile *profile = NULL; 1118 const char *tmpname, *tmpns = NULL, *name = NULL; 1119 const char *info = "failed to unpack profile"; 1120 size_t ns_len; 1121 struct rhashtable_params params = { 0 }; 1122 char *key = NULL, *disconnected = NULL; 1123 struct aa_data *data; 1124 int error = -EPROTO; 1125 kernel_cap_t tmpcap; 1126 u32 tmp; 1127 1128 *ns_name = NULL; 1129 1130 /* check that we have the right struct being passed */ 1131 if (!aa_unpack_nameX(e, AA_STRUCT, "profile")) 1132 goto fail; 1133 if (!aa_unpack_str(e, &name, NULL)) 1134 goto fail; 1135 if (*name == '\0') 1136 goto fail; 1137 1138 tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len); 1139 if (tmpns) { 1140 if (!tmpname) { 1141 info = "empty profile name"; 1142 goto fail; 1143 } 1144 *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL); 1145 if (!*ns_name) { 1146 info = "out of memory"; 1147 error = -ENOMEM; 1148 goto fail; 1149 } 1150 name = tmpname; 1151 } 1152 1153 profile = aa_alloc_profile(name, NULL, GFP_KERNEL); 1154 if (!profile) { 1155 info = "out of memory"; 1156 error = -ENOMEM; 1157 goto fail; 1158 } 1159 rules = profile->label.rules[0]; 1160 1161 /* profile renaming is optional */ 1162 (void) aa_unpack_str(e, &profile->rename, "rename"); 1163 1164 /* attachment string is optional */ 1165 (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach"); 1166 1167 /* xmatch is optional and may be NULL */ 1168 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info); 1169 if (error) { 1170 info = "bad xmatch"; 1171 goto fail; 1172 } 1173 1174 /* neither xmatch_len not xmatch_perms are optional if xmatch is set */ 1175 if (profile->attach.xmatch->dfa) { 1176 if (!aa_unpack_u32(e, &tmp, NULL)) { 1177 info = "missing xmatch len"; 1178 goto fail; 1179 } 1180 profile->attach.xmatch_len = tmp; 1181 profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START; 1182 if (!profile->attach.xmatch->perms) { 1183 error = aa_compat_map_xmatch(profile->attach.xmatch); 1184 if (error) { 1185 info = "failed to convert xmatch permission table"; 1186 goto fail; 1187 } 1188 } 1189 } 1190 1191 /* disconnected attachment string is optional */ 1192 (void) aa_unpack_strdup(e, &disconnected, "disconnected"); 1193 profile->disconnected = disconnected; 1194 1195 /* optional */ 1196 (void) aa_unpack_u32(e, &profile->signal, "kill"); 1197 if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) { 1198 info = "profile kill.signal invalid value"; 1199 goto fail; 1200 } 1201 /* per profile debug flags (complain, audit) */ 1202 if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) { 1203 info = "profile missing flags"; 1204 goto fail; 1205 } 1206 info = "failed to unpack profile flags"; 1207 if (!aa_unpack_u32(e, &tmp, NULL)) 1208 goto fail; 1209 if (tmp & PACKED_FLAG_HAT) 1210 profile->label.flags |= FLAG_HAT; 1211 if (tmp & PACKED_FLAG_DEBUG1) 1212 profile->label.flags |= FLAG_DEBUG1; 1213 if (tmp & PACKED_FLAG_DEBUG2) 1214 profile->label.flags |= FLAG_DEBUG2; 1215 if (!aa_unpack_u32(e, &tmp, NULL)) 1216 goto fail; 1217 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) { 1218 profile->mode = APPARMOR_COMPLAIN; 1219 } else if (tmp == PACKED_MODE_ENFORCE) { 1220 profile->mode = APPARMOR_ENFORCE; 1221 } else if (tmp == PACKED_MODE_KILL) { 1222 profile->mode = APPARMOR_KILL; 1223 } else if (tmp == PACKED_MODE_UNCONFINED) { 1224 profile->mode = APPARMOR_UNCONFINED; 1225 profile->label.flags |= FLAG_UNCONFINED; 1226 } else if (tmp == PACKED_MODE_USER) { 1227 profile->mode = APPARMOR_USER; 1228 } else { 1229 goto fail; 1230 } 1231 if (!aa_unpack_u32(e, &tmp, NULL)) 1232 goto fail; 1233 if (tmp) 1234 profile->audit = AUDIT_ALL; 1235 1236 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 1237 goto fail; 1238 1239 /* path_flags is optional */ 1240 if (aa_unpack_u32(e, &profile->path_flags, "path_flags")) 1241 profile->path_flags |= profile->label.flags & 1242 PATH_MEDIATE_DELETED; 1243 else 1244 /* set a default value if path_flags field is not present */ 1245 profile->path_flags = PATH_MEDIATE_DELETED; 1246 1247 info = "failed to unpack profile capabilities"; 1248 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL)) 1249 goto fail; 1250 if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL)) 1251 goto fail; 1252 if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL)) 1253 goto fail; 1254 if (!aa_unpack_cap_low(e, &tmpcap, NULL)) 1255 goto fail; 1256 1257 info = "failed to unpack upper profile capabilities"; 1258 if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) { 1259 /* optional upper half of 64 bit caps */ 1260 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL)) 1261 goto fail; 1262 if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL)) 1263 goto fail; 1264 if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL)) 1265 goto fail; 1266 if (!aa_unpack_cap_high(e, &tmpcap, NULL)) 1267 goto fail; 1268 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 1269 goto fail; 1270 } 1271 1272 info = "failed to unpack extended profile capabilities"; 1273 if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) { 1274 /* optional extended caps mediation mask */ 1275 if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL)) 1276 goto fail; 1277 if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL)) 1278 goto fail; 1279 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 1280 goto fail; 1281 } 1282 1283 if (!unpack_xattrs(e, profile)) { 1284 info = "failed to unpack profile xattrs"; 1285 goto fail; 1286 } 1287 1288 if (!unpack_rlimits(e, rules)) { 1289 info = "failed to unpack profile rlimits"; 1290 goto fail; 1291 } 1292 1293 if (!unpack_secmark(e, rules)) { 1294 info = "failed to unpack profile secmark rules"; 1295 goto fail; 1296 } 1297 1298 if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) { 1299 /* generic policy dfa - optional and may be NULL */ 1300 info = "failed to unpack policydb"; 1301 error = unpack_pdb(e, &rules->policy, true, false, 1302 &info); 1303 if (error) 1304 goto fail; 1305 /* Fixup: drop when we get rid of start array */ 1306 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0], 1307 AA_CLASS_FILE)) 1308 rules->policy->start[AA_CLASS_FILE] = 1309 aa_dfa_next(rules->policy->dfa, 1310 rules->policy->start[0], 1311 AA_CLASS_FILE); 1312 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) 1313 goto fail; 1314 if (!rules->policy->perms) { 1315 error = aa_compat_map_policy(rules->policy, 1316 e->version); 1317 if (error) { 1318 info = "failed to remap policydb permission table"; 1319 goto fail; 1320 } 1321 } 1322 } else { 1323 rules->policy = aa_get_pdb(nullpdb); 1324 } 1325 /* get file rules */ 1326 error = unpack_pdb(e, &rules->file, false, true, &info); 1327 if (error) { 1328 goto fail; 1329 } else if (rules->file->dfa) { 1330 if (!rules->file->perms) { 1331 AA_DEBUG(DEBUG_UNPACK, "compat mapping perms"); 1332 error = aa_compat_map_file(rules->file); 1333 if (error) { 1334 info = "failed to remap file permission table"; 1335 goto fail; 1336 } 1337 } 1338 } else if (rules->policy->dfa && 1339 rules->policy->start[AA_CLASS_FILE]) { 1340 aa_put_pdb(rules->file); 1341 rules->file = aa_get_pdb(rules->policy); 1342 } else { 1343 aa_put_pdb(rules->file); 1344 rules->file = aa_get_pdb(nullpdb); 1345 } 1346 error = -EPROTO; 1347 if (aa_unpack_nameX(e, AA_STRUCT, "data")) { 1348 info = "out of memory"; 1349 profile->data = kzalloc_obj(*profile->data); 1350 if (!profile->data) { 1351 error = -ENOMEM; 1352 goto fail; 1353 } 1354 params.nelem_hint = 3; 1355 params.key_len = sizeof(void *); 1356 params.key_offset = offsetof(struct aa_data, key); 1357 params.head_offset = offsetof(struct aa_data, head); 1358 params.hashfn = strhash; 1359 params.obj_cmpfn = datacmp; 1360 1361 if (rhashtable_init(profile->data, ¶ms)) { 1362 info = "failed to init key, value hash table"; 1363 goto fail; 1364 } 1365 1366 while (aa_unpack_strdup(e, &key, NULL)) { 1367 data = kzalloc_obj(*data); 1368 if (!data) { 1369 kfree_sensitive(key); 1370 error = -ENOMEM; 1371 goto fail; 1372 } 1373 1374 data->key = key; 1375 data->size = aa_unpack_blob(e, &data->data, NULL); 1376 data->data = kvmemdup(data->data, data->size, GFP_KERNEL); 1377 if (data->size && !data->data) { 1378 kfree_sensitive(data->key); 1379 kfree_sensitive(data); 1380 error = -ENOMEM; 1381 goto fail; 1382 } 1383 1384 if (rhashtable_insert_fast(profile->data, &data->head, 1385 profile->data->p)) { 1386 kvfree_sensitive(data->data, data->size); 1387 kfree_sensitive(data->key); 1388 kfree_sensitive(data); 1389 info = "failed to insert data to table"; 1390 goto fail; 1391 } 1392 } 1393 1394 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) { 1395 info = "failed to unpack end of key, value data table"; 1396 goto fail; 1397 } 1398 } 1399 1400 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) { 1401 info = "failed to unpack end of profile"; 1402 goto fail; 1403 } 1404 1405 aa_compute_profile_mediates(profile); 1406 1407 return profile; 1408 1409 fail: 1410 if (error == 0) 1411 /* default error covers most cases */ 1412 error = -EPROTO; 1413 if (*ns_name) { 1414 kfree(*ns_name); 1415 *ns_name = NULL; 1416 } 1417 if (profile) 1418 name = NULL; 1419 else if (!name) 1420 name = "unknown"; 1421 audit_iface(profile, NULL, name, info, e, error); 1422 aa_free_profile(profile); 1423 1424 return ERR_PTR(error); 1425 } 1426 1427 /** 1428 * verify_header - unpack serialized stream header 1429 * @e: serialized data read head (NOT NULL) 1430 * @required: whether the header is required or optional 1431 * @ns: Returns - namespace if one is specified else NULL (NOT NULL) 1432 * 1433 * Returns: error or 0 if header is good 1434 */ 1435 static int verify_header(struct aa_ext *e, int required, const char **ns) 1436 { 1437 int error = -EPROTONOSUPPORT; 1438 const char *name = NULL; 1439 1440 /* get the interface version */ 1441 if (!aa_unpack_u32(e, &e->version, "version")) { 1442 if (required) { 1443 audit_iface(NULL, NULL, NULL, "invalid profile format", 1444 e, error); 1445 return error; 1446 } 1447 } 1448 1449 /* Check that the interface version is currently supported. 1450 * if not specified use previous version 1451 * Mask off everything that is not kernel abi version 1452 */ 1453 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) { 1454 audit_iface(NULL, NULL, NULL, "unsupported interface version", 1455 e, error); 1456 return error; 1457 } 1458 1459 /* read the namespace if present */ 1460 if (aa_unpack_str(e, &name, "namespace")) { 1461 if (*name == '\0') { 1462 audit_iface(NULL, NULL, NULL, "invalid namespace name", 1463 e, error); 1464 return error; 1465 } 1466 if (*ns && strcmp(*ns, name)) { 1467 audit_iface(NULL, NULL, NULL, "invalid ns change", e, 1468 error); 1469 return error; 1470 } else if (!*ns) { 1471 *ns = kstrdup(name, GFP_KERNEL); 1472 if (!*ns) 1473 return -ENOMEM; 1474 } 1475 } 1476 1477 return 0; 1478 } 1479 1480 /** 1481 * verify_dfa_accept_index - verify accept indexes are in range of perms table 1482 * @dfa: the dfa to check accept indexes are in range 1483 * @table_size: the permission table size the indexes should be within 1484 */ 1485 static bool verify_dfa_accept_index(struct aa_dfa *dfa, int table_size) 1486 { 1487 int i; 1488 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 1489 if (ACCEPT_TABLE(dfa)[i] >= table_size) 1490 return false; 1491 } 1492 return true; 1493 } 1494 1495 static bool verify_perm(struct aa_perms *perm) 1496 { 1497 /* TODO: allow option to just force the perms into a valid state */ 1498 if (perm->allow & perm->deny) 1499 return false; 1500 if (perm->subtree & ~perm->allow) 1501 return false; 1502 if (perm->cond & (perm->allow | perm->deny)) 1503 return false; 1504 if (perm->kill & perm->allow) 1505 return false; 1506 if (perm->complain & (perm->allow | perm->deny)) 1507 return false; 1508 if (perm->prompt & (perm->allow | perm->deny)) 1509 return false; 1510 if (perm->complain & perm->prompt) 1511 return false; 1512 if (perm->hide & perm->allow) 1513 return false; 1514 1515 return true; 1516 } 1517 1518 static bool verify_perms(struct aa_policydb *pdb) 1519 { 1520 int i; 1521 int xidx, xmax = -1; 1522 1523 for (i = 0; i < pdb->size; i++) { 1524 if (!verify_perm(&pdb->perms[i])) 1525 return false; 1526 /* verify indexes into str table */ 1527 if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) { 1528 xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK; 1529 if (xidx >= pdb->trans.size) 1530 return false; 1531 if (xmax < xidx) 1532 xmax = xidx; 1533 } 1534 if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->tags.sets.size) 1535 return false; 1536 if (pdb->perms[i].label && 1537 pdb->perms[i].label >= pdb->trans.size) 1538 return false; 1539 } 1540 /* deal with incorrectly constructed string tables */ 1541 if (xmax == -1) { 1542 aa_destroy_str_table(&pdb->trans); 1543 } else if (pdb->trans.size > xmax + 1) { 1544 if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL)) 1545 return false; 1546 } 1547 return true; 1548 } 1549 1550 /** 1551 * verify_profile - Do post unpack analysis to verify profile consistency 1552 * @profile: profile to verify (NOT NULL) 1553 * 1554 * Returns: 0 if passes verification else error 1555 * 1556 * This verification is post any unpack mapping or changes 1557 */ 1558 static int verify_profile(struct aa_profile *profile) 1559 { 1560 struct aa_ruleset *rules = profile->label.rules[0]; 1561 1562 if (!rules) 1563 return 0; 1564 1565 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa, 1566 rules->file->size)) { 1567 audit_iface(profile, NULL, NULL, 1568 "Unpack: file Invalid named transition", NULL, 1569 -EPROTO); 1570 return -EPROTO; 1571 } 1572 if (rules->policy->dfa && 1573 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) { 1574 audit_iface(profile, NULL, NULL, 1575 "Unpack: policy Invalid named transition", NULL, 1576 -EPROTO); 1577 return -EPROTO; 1578 } 1579 1580 if (!verify_perms(rules->file)) { 1581 audit_iface(profile, NULL, NULL, 1582 "Unpack: Invalid perm index", NULL, -EPROTO); 1583 return -EPROTO; 1584 } 1585 if (!verify_perms(rules->policy)) { 1586 audit_iface(profile, NULL, NULL, 1587 "Unpack: Invalid perm index", NULL, -EPROTO); 1588 return -EPROTO; 1589 } 1590 if (!verify_perms(profile->attach.xmatch)) { 1591 audit_iface(profile, NULL, NULL, 1592 "Unpack: Invalid perm index", NULL, -EPROTO); 1593 return -EPROTO; 1594 } 1595 1596 return 0; 1597 } 1598 1599 void aa_load_ent_free(struct aa_load_ent *ent) 1600 { 1601 if (ent) { 1602 aa_put_profile(ent->rename); 1603 aa_put_profile(ent->old); 1604 aa_put_profile(ent->new); 1605 kfree(ent->ns_name); 1606 kfree_sensitive(ent); 1607 } 1608 } 1609 1610 struct aa_load_ent *aa_load_ent_alloc(void) 1611 { 1612 struct aa_load_ent *ent = kzalloc_obj(*ent); 1613 if (ent) 1614 INIT_LIST_HEAD(&ent->list); 1615 return ent; 1616 } 1617 1618 static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen) 1619 { 1620 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1621 const zstd_parameters params = 1622 zstd_get_params(aa_g_rawdata_compression_level, slen); 1623 const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams); 1624 void *wksp = NULL; 1625 zstd_cctx *ctx = NULL; 1626 size_t out_len = zstd_compress_bound(slen); 1627 void *out = NULL; 1628 int ret = 0; 1629 1630 out = kvzalloc(out_len, GFP_KERNEL); 1631 if (!out) { 1632 ret = -ENOMEM; 1633 goto cleanup; 1634 } 1635 1636 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1637 if (!wksp) { 1638 ret = -ENOMEM; 1639 goto cleanup; 1640 } 1641 1642 ctx = zstd_init_cctx(wksp, wksp_len); 1643 if (!ctx) { 1644 ret = -EINVAL; 1645 goto cleanup; 1646 } 1647 1648 out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms); 1649 if (zstd_is_error(out_len) || out_len >= slen) { 1650 ret = -EINVAL; 1651 goto cleanup; 1652 } 1653 1654 if (is_vmalloc_addr(out)) { 1655 *dst = kvzalloc(out_len, GFP_KERNEL); 1656 if (*dst) { 1657 memcpy(*dst, out, out_len); 1658 kvfree(out); 1659 out = NULL; 1660 } 1661 } else { 1662 /* 1663 * If the staging buffer was kmalloc'd, then using krealloc is 1664 * probably going to be faster. The destination buffer will 1665 * always be smaller, so it's just shrunk, avoiding a memcpy 1666 */ 1667 *dst = krealloc(out, out_len, GFP_KERNEL); 1668 } 1669 1670 if (!*dst) { 1671 ret = -ENOMEM; 1672 goto cleanup; 1673 } 1674 1675 *dlen = out_len; 1676 1677 cleanup: 1678 if (ret) { 1679 kvfree(out); 1680 *dst = NULL; 1681 } 1682 1683 kvfree(wksp); 1684 return ret; 1685 #else 1686 *dlen = slen; 1687 return 0; 1688 #endif 1689 } 1690 1691 static int compress_loaddata(struct aa_loaddata *data) 1692 { 1693 AA_BUG(data->compressed_size > 0); 1694 1695 /* 1696 * Shortcut the no compression case, else we increase the amount of 1697 * storage required by a small amount 1698 */ 1699 if (aa_g_rawdata_compression_level != 0) { 1700 void *udata = data->data; 1701 int error = compress_zstd(udata, data->size, &data->data, 1702 &data->compressed_size); 1703 if (error) { 1704 data->compressed_size = data->size; 1705 return error; 1706 } 1707 if (udata != data->data) 1708 kvfree(udata); 1709 } else 1710 data->compressed_size = data->size; 1711 1712 return 0; 1713 } 1714 1715 /** 1716 * aa_unpack - unpack packed binary profile(s) data loaded from user space 1717 * @udata: user data copied to kmem (NOT NULL) 1718 * @lh: list to place unpacked profiles in a aa_repl_ws 1719 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) 1720 * 1721 * Unpack user data and return refcounted allocated profile(s) stored in 1722 * @lh in order of discovery, with the list chain stored in base.list 1723 * or error 1724 * 1725 * Returns: profile(s) on @lh else error pointer if fails to unpack 1726 */ 1727 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, 1728 const char **ns) 1729 { 1730 struct aa_load_ent *tmp, *ent; 1731 struct aa_profile *profile = NULL; 1732 char *ns_name = NULL; 1733 int error; 1734 struct aa_ext e = { 1735 .start = udata->data, 1736 .end = udata->data + udata->size, 1737 .pos = udata->data, 1738 }; 1739 1740 *ns = NULL; 1741 while (e.pos < e.end) { 1742 void *start; 1743 error = verify_header(&e, e.pos == e.start, ns); 1744 if (error) 1745 goto fail; 1746 1747 start = e.pos; 1748 profile = unpack_profile(&e, &ns_name); 1749 if (IS_ERR(profile)) { 1750 error = PTR_ERR(profile); 1751 goto fail; 1752 } 1753 1754 error = verify_profile(profile); 1755 if (error) 1756 goto fail_profile; 1757 1758 if (aa_g_hash_policy) 1759 error = aa_calc_profile_hash(profile, e.version, start, 1760 e.pos - start); 1761 if (error) 1762 goto fail_profile; 1763 1764 ent = aa_load_ent_alloc(); 1765 if (!ent) { 1766 error = -ENOMEM; 1767 goto fail_profile; 1768 } 1769 1770 ent->new = profile; 1771 ent->ns_name = ns_name; 1772 ns_name = NULL; 1773 list_add_tail(&ent->list, lh); 1774 } 1775 udata->abi = e.version & K_ABI_MASK; 1776 if (aa_g_hash_policy) { 1777 udata->hash = aa_calc_hash(udata->data, udata->size); 1778 if (IS_ERR(udata->hash)) { 1779 error = PTR_ERR(udata->hash); 1780 udata->hash = NULL; 1781 goto fail; 1782 } 1783 } 1784 1785 if (aa_g_export_binary) { 1786 error = compress_loaddata(udata); 1787 if (error) 1788 goto fail; 1789 } 1790 return 0; 1791 1792 fail_profile: 1793 kfree(ns_name); 1794 aa_put_profile(profile); 1795 1796 fail: 1797 list_for_each_entry_safe(ent, tmp, lh, list) { 1798 list_del_init(&ent->list); 1799 aa_load_ent_free(ent); 1800 } 1801 1802 return error; 1803 } 1804