1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor functions for unpacking policy loaded from 5 * userspace. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * AppArmor uses a serialized binary format for loading policy. To find 16 * policy format documentation look in Documentation/security/apparmor.txt 17 * All policy is validated before it is used. 18 */ 19 20 #include <asm/unaligned.h> 21 #include <linux/ctype.h> 22 #include <linux/errno.h> 23 24 #include "include/apparmor.h" 25 #include "include/audit.h" 26 #include "include/context.h" 27 #include "include/match.h" 28 #include "include/policy.h" 29 #include "include/policy_unpack.h" 30 #include "include/sid.h" 31 32 /* 33 * The AppArmor interface treats data as a type byte followed by the 34 * actual data. The interface has the notion of a a named entry 35 * which has a name (AA_NAME typecode followed by name string) followed by 36 * the entries typecode and data. Named types allow for optional 37 * elements and extensions to be added and tested for without breaking 38 * backwards compatibility. 39 */ 40 41 enum aa_code { 42 AA_U8, 43 AA_U16, 44 AA_U32, 45 AA_U64, 46 AA_NAME, /* same as string except it is items name */ 47 AA_STRING, 48 AA_BLOB, 49 AA_STRUCT, 50 AA_STRUCTEND, 51 AA_LIST, 52 AA_LISTEND, 53 AA_ARRAY, 54 AA_ARRAYEND, 55 }; 56 57 /* 58 * aa_ext is the read of the buffer containing the serialized profile. The 59 * data is copied into a kernel buffer in apparmorfs and then handed off to 60 * the unpack routines. 61 */ 62 struct aa_ext { 63 void *start; 64 void *end; 65 void *pos; /* pointer to current position in the buffer */ 66 u32 version; 67 }; 68 69 /* audit callback for unpack fields */ 70 static void audit_cb(struct audit_buffer *ab, void *va) 71 { 72 struct common_audit_data *sa = va; 73 if (sa->aad.iface.target) { 74 struct aa_profile *name = sa->aad.iface.target; 75 audit_log_format(ab, " name="); 76 audit_log_untrustedstring(ab, name->base.hname); 77 } 78 if (sa->aad.iface.pos) 79 audit_log_format(ab, " offset=%ld", sa->aad.iface.pos); 80 } 81 82 /** 83 * audit_iface - do audit message for policy unpacking/load/replace/remove 84 * @new: profile if it has been allocated (MAYBE NULL) 85 * @name: name of the profile being manipulated (MAYBE NULL) 86 * @info: any extra info about the failure (MAYBE NULL) 87 * @e: buffer position info 88 * @error: error code 89 * 90 * Returns: %0 or error 91 */ 92 static int audit_iface(struct aa_profile *new, const char *name, 93 const char *info, struct aa_ext *e, int error) 94 { 95 struct aa_profile *profile = __aa_current_profile(); 96 struct common_audit_data sa; 97 COMMON_AUDIT_DATA_INIT(&sa, NONE); 98 if (e) 99 sa.aad.iface.pos = e->pos - e->start; 100 sa.aad.iface.target = new; 101 sa.aad.name = name; 102 sa.aad.info = info; 103 sa.aad.error = error; 104 105 return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, 106 audit_cb); 107 } 108 109 /* test if read will be in packed data bounds */ 110 static bool inbounds(struct aa_ext *e, size_t size) 111 { 112 return (size <= e->end - e->pos); 113 } 114 115 /** 116 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk 117 * @e: serialized data read head (NOT NULL) 118 * @chunk: start address for chunk of data (NOT NULL) 119 * 120 * Returns: the size of chunk found with the read head at the end of the chunk. 121 */ 122 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) 123 { 124 size_t size = 0; 125 126 if (!inbounds(e, sizeof(u16))) 127 return 0; 128 size = le16_to_cpu(get_unaligned((u16 *) e->pos)); 129 e->pos += sizeof(u16); 130 if (!inbounds(e, size)) 131 return 0; 132 *chunk = e->pos; 133 e->pos += size; 134 return size; 135 } 136 137 /* unpack control byte */ 138 static bool unpack_X(struct aa_ext *e, enum aa_code code) 139 { 140 if (!inbounds(e, 1)) 141 return 0; 142 if (*(u8 *) e->pos != code) 143 return 0; 144 e->pos++; 145 return 1; 146 } 147 148 /** 149 * unpack_nameX - check is the next element is of type X with a name of @name 150 * @e: serialized data extent information (NOT NULL) 151 * @code: type code 152 * @name: name to match to the serialized element. (MAYBE NULL) 153 * 154 * check that the next serialized data element is of type X and has a tag 155 * name @name. If @name is specified then there must be a matching 156 * name element in the stream. If @name is NULL any name element will be 157 * skipped and only the typecode will be tested. 158 * 159 * Returns 1 on success (both type code and name tests match) and the read 160 * head is advanced past the headers 161 * 162 * Returns: 0 if either match fails, the read head does not move 163 */ 164 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) 165 { 166 /* 167 * May need to reset pos if name or type doesn't match 168 */ 169 void *pos = e->pos; 170 /* 171 * Check for presence of a tagname, and if present name size 172 * AA_NAME tag value is a u16. 173 */ 174 if (unpack_X(e, AA_NAME)) { 175 char *tag = NULL; 176 size_t size = unpack_u16_chunk(e, &tag); 177 /* if a name is specified it must match. otherwise skip tag */ 178 if (name && (!size || strcmp(name, tag))) 179 goto fail; 180 } else if (name) { 181 /* if a name is specified and there is no name tag fail */ 182 goto fail; 183 } 184 185 /* now check if type code matches */ 186 if (unpack_X(e, code)) 187 return 1; 188 189 fail: 190 e->pos = pos; 191 return 0; 192 } 193 194 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) 195 { 196 if (unpack_nameX(e, AA_U32, name)) { 197 if (!inbounds(e, sizeof(u32))) 198 return 0; 199 if (data) 200 *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); 201 e->pos += sizeof(u32); 202 return 1; 203 } 204 return 0; 205 } 206 207 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) 208 { 209 if (unpack_nameX(e, AA_U64, name)) { 210 if (!inbounds(e, sizeof(u64))) 211 return 0; 212 if (data) 213 *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); 214 e->pos += sizeof(u64); 215 return 1; 216 } 217 return 0; 218 } 219 220 static size_t unpack_array(struct aa_ext *e, const char *name) 221 { 222 if (unpack_nameX(e, AA_ARRAY, name)) { 223 int size; 224 if (!inbounds(e, sizeof(u16))) 225 return 0; 226 size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); 227 e->pos += sizeof(u16); 228 return size; 229 } 230 return 0; 231 } 232 233 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) 234 { 235 if (unpack_nameX(e, AA_BLOB, name)) { 236 u32 size; 237 if (!inbounds(e, sizeof(u32))) 238 return 0; 239 size = le32_to_cpu(get_unaligned((u32 *) e->pos)); 240 e->pos += sizeof(u32); 241 if (inbounds(e, (size_t) size)) { 242 *blob = e->pos; 243 e->pos += size; 244 return size; 245 } 246 } 247 return 0; 248 } 249 250 static int unpack_str(struct aa_ext *e, const char **string, const char *name) 251 { 252 char *src_str; 253 size_t size = 0; 254 void *pos = e->pos; 255 *string = NULL; 256 if (unpack_nameX(e, AA_STRING, name)) { 257 size = unpack_u16_chunk(e, &src_str); 258 if (size) { 259 /* strings are null terminated, length is size - 1 */ 260 if (src_str[size - 1] != 0) 261 goto fail; 262 *string = src_str; 263 } 264 } 265 return size; 266 267 fail: 268 e->pos = pos; 269 return 0; 270 } 271 272 static int unpack_strdup(struct aa_ext *e, char **string, const char *name) 273 { 274 const char *tmp; 275 void *pos = e->pos; 276 int res = unpack_str(e, &tmp, name); 277 *string = NULL; 278 279 if (!res) 280 return 0; 281 282 *string = kmemdup(tmp, res, GFP_KERNEL); 283 if (!*string) { 284 e->pos = pos; 285 return 0; 286 } 287 288 return res; 289 } 290 291 /** 292 * verify_accept - verify the accept tables of a dfa 293 * @dfa: dfa to verify accept tables of (NOT NULL) 294 * @flags: flags governing dfa 295 * 296 * Returns: 1 if valid accept tables else 0 if error 297 */ 298 static bool verify_accept(struct aa_dfa *dfa, int flags) 299 { 300 int i; 301 302 /* verify accept permissions */ 303 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 304 int mode = ACCEPT_TABLE(dfa)[i]; 305 306 if (mode & ~DFA_VALID_PERM_MASK) 307 return 0; 308 309 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) 310 return 0; 311 } 312 return 1; 313 } 314 315 /** 316 * unpack_dfa - unpack a file rule dfa 317 * @e: serialized data extent information (NOT NULL) 318 * 319 * returns dfa or ERR_PTR or NULL if no dfa 320 */ 321 static struct aa_dfa *unpack_dfa(struct aa_ext *e) 322 { 323 char *blob = NULL; 324 size_t size; 325 struct aa_dfa *dfa = NULL; 326 327 size = unpack_blob(e, &blob, "aadfa"); 328 if (size) { 329 /* 330 * The dfa is aligned with in the blob to 8 bytes 331 * from the beginning of the stream. 332 */ 333 size_t sz = blob - (char *)e->start; 334 size_t pad = ALIGN(sz, 8) - sz; 335 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | 336 TO_ACCEPT2_FLAG(YYTD_DATA32); 337 338 339 if (aa_g_paranoid_load) 340 flags |= DFA_FLAG_VERIFY_STATES; 341 342 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); 343 344 if (IS_ERR(dfa)) 345 return dfa; 346 347 if (!verify_accept(dfa, flags)) 348 goto fail; 349 } 350 351 return dfa; 352 353 fail: 354 aa_put_dfa(dfa); 355 return ERR_PTR(-EPROTO); 356 } 357 358 /** 359 * unpack_trans_table - unpack a profile transition table 360 * @e: serialized data extent information (NOT NULL) 361 * @profile: profile to add the accept table to (NOT NULL) 362 * 363 * Returns: 1 if table successfully unpacked 364 */ 365 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) 366 { 367 void *pos = e->pos; 368 369 /* exec table is optional */ 370 if (unpack_nameX(e, AA_STRUCT, "xtable")) { 371 int i, size; 372 373 size = unpack_array(e, NULL); 374 /* currently 4 exec bits and entries 0-3 are reserved iupcx */ 375 if (size > 16 - 4) 376 goto fail; 377 profile->file.trans.table = kzalloc(sizeof(char *) * size, 378 GFP_KERNEL); 379 if (!profile->file.trans.table) 380 goto fail; 381 382 profile->file.trans.size = size; 383 for (i = 0; i < size; i++) { 384 char *str; 385 int c, j, size2 = unpack_strdup(e, &str, NULL); 386 /* unpack_strdup verifies that the last character is 387 * null termination byte. 388 */ 389 if (!size2) 390 goto fail; 391 profile->file.trans.table[i] = str; 392 /* verify that name doesn't start with space */ 393 if (isspace(*str)) 394 goto fail; 395 396 /* count internal # of internal \0 */ 397 for (c = j = 0; j < size2 - 2; j++) { 398 if (!str[j]) 399 c++; 400 } 401 if (*str == ':') { 402 /* beginning with : requires an embedded \0, 403 * verify that exactly 1 internal \0 exists 404 * trailing \0 already verified by unpack_strdup 405 */ 406 if (c != 1) 407 goto fail; 408 /* first character after : must be valid */ 409 if (!str[1]) 410 goto fail; 411 } else if (c) 412 /* fail - all other cases with embedded \0 */ 413 goto fail; 414 } 415 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 416 goto fail; 417 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 418 goto fail; 419 } 420 return 1; 421 422 fail: 423 aa_free_domain_entries(&profile->file.trans); 424 e->pos = pos; 425 return 0; 426 } 427 428 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) 429 { 430 void *pos = e->pos; 431 432 /* rlimits are optional */ 433 if (unpack_nameX(e, AA_STRUCT, "rlimits")) { 434 int i, size; 435 u32 tmp = 0; 436 if (!unpack_u32(e, &tmp, NULL)) 437 goto fail; 438 profile->rlimits.mask = tmp; 439 440 size = unpack_array(e, NULL); 441 if (size > RLIM_NLIMITS) 442 goto fail; 443 for (i = 0; i < size; i++) { 444 u64 tmp2 = 0; 445 int a = aa_map_resource(i); 446 if (!unpack_u64(e, &tmp2, NULL)) 447 goto fail; 448 profile->rlimits.limits[a].rlim_max = tmp2; 449 } 450 if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 451 goto fail; 452 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 453 goto fail; 454 } 455 return 1; 456 457 fail: 458 e->pos = pos; 459 return 0; 460 } 461 462 /** 463 * unpack_profile - unpack a serialized profile 464 * @e: serialized data extent information (NOT NULL) 465 * 466 * NOTE: unpack profile sets audit struct if there is a failure 467 */ 468 static struct aa_profile *unpack_profile(struct aa_ext *e) 469 { 470 struct aa_profile *profile = NULL; 471 const char *name = NULL; 472 int i, error = -EPROTO; 473 kernel_cap_t tmpcap; 474 u32 tmp; 475 476 /* check that we have the right struct being passed */ 477 if (!unpack_nameX(e, AA_STRUCT, "profile")) 478 goto fail; 479 if (!unpack_str(e, &name, NULL)) 480 goto fail; 481 482 profile = aa_alloc_profile(name); 483 if (!profile) 484 return ERR_PTR(-ENOMEM); 485 486 /* profile renaming is optional */ 487 (void) unpack_str(e, &profile->rename, "rename"); 488 489 /* xmatch is optional and may be NULL */ 490 profile->xmatch = unpack_dfa(e); 491 if (IS_ERR(profile->xmatch)) { 492 error = PTR_ERR(profile->xmatch); 493 profile->xmatch = NULL; 494 goto fail; 495 } 496 /* xmatch_len is not optional if xmatch is set */ 497 if (profile->xmatch) { 498 if (!unpack_u32(e, &tmp, NULL)) 499 goto fail; 500 profile->xmatch_len = tmp; 501 } 502 503 /* per profile debug flags (complain, audit) */ 504 if (!unpack_nameX(e, AA_STRUCT, "flags")) 505 goto fail; 506 if (!unpack_u32(e, &tmp, NULL)) 507 goto fail; 508 if (tmp) 509 profile->flags |= PFLAG_HAT; 510 if (!unpack_u32(e, &tmp, NULL)) 511 goto fail; 512 if (tmp) 513 profile->mode = APPARMOR_COMPLAIN; 514 if (!unpack_u32(e, &tmp, NULL)) 515 goto fail; 516 if (tmp) 517 profile->audit = AUDIT_ALL; 518 519 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 520 goto fail; 521 522 /* path_flags is optional */ 523 if (unpack_u32(e, &profile->path_flags, "path_flags")) 524 profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; 525 else 526 /* set a default value if path_flags field is not present */ 527 profile->path_flags = PFLAG_MEDIATE_DELETED; 528 529 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) 530 goto fail; 531 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) 532 goto fail; 533 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) 534 goto fail; 535 if (!unpack_u32(e, &tmpcap.cap[0], NULL)) 536 goto fail; 537 538 if (unpack_nameX(e, AA_STRUCT, "caps64")) { 539 /* optional upper half of 64 bit caps */ 540 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) 541 goto fail; 542 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) 543 goto fail; 544 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) 545 goto fail; 546 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) 547 goto fail; 548 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 549 goto fail; 550 } 551 552 if (unpack_nameX(e, AA_STRUCT, "capsx")) { 553 /* optional extended caps mediation mask */ 554 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) 555 goto fail; 556 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) 557 goto fail; 558 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 559 goto fail; 560 } 561 562 if (!unpack_rlimits(e, profile)) 563 goto fail; 564 565 if (unpack_nameX(e, AA_STRUCT, "policydb")) { 566 /* generic policy dfa - optional and may be NULL */ 567 profile->policy.dfa = unpack_dfa(e); 568 if (IS_ERR(profile->policy.dfa)) { 569 error = PTR_ERR(profile->policy.dfa); 570 profile->policy.dfa = NULL; 571 goto fail; 572 } 573 if (!unpack_u32(e, &profile->policy.start[0], "start")) 574 /* default start state */ 575 profile->policy.start[0] = DFA_START; 576 /* setup class index */ 577 for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { 578 profile->policy.start[i] = 579 aa_dfa_next(profile->policy.dfa, 580 profile->policy.start[0], 581 i); 582 } 583 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 584 goto fail; 585 } 586 587 /* get file rules */ 588 profile->file.dfa = unpack_dfa(e); 589 if (IS_ERR(profile->file.dfa)) { 590 error = PTR_ERR(profile->file.dfa); 591 profile->file.dfa = NULL; 592 goto fail; 593 } 594 595 if (!unpack_u32(e, &profile->file.start, "dfa_start")) 596 /* default start state */ 597 profile->file.start = DFA_START; 598 599 if (!unpack_trans_table(e, profile)) 600 goto fail; 601 602 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 603 goto fail; 604 605 return profile; 606 607 fail: 608 if (profile) 609 name = NULL; 610 else if (!name) 611 name = "unknown"; 612 audit_iface(profile, name, "failed to unpack profile", e, error); 613 aa_put_profile(profile); 614 615 return ERR_PTR(error); 616 } 617 618 /** 619 * verify_head - unpack serialized stream header 620 * @e: serialized data read head (NOT NULL) 621 * @ns: Returns - namespace if one is specified else NULL (NOT NULL) 622 * 623 * Returns: error or 0 if header is good 624 */ 625 static int verify_header(struct aa_ext *e, const char **ns) 626 { 627 int error = -EPROTONOSUPPORT; 628 /* get the interface version */ 629 if (!unpack_u32(e, &e->version, "version")) { 630 audit_iface(NULL, NULL, "invalid profile format", e, error); 631 return error; 632 } 633 634 /* check that the interface version is currently supported */ 635 if (e->version != 5) { 636 audit_iface(NULL, NULL, "unsupported interface version", e, 637 error); 638 return error; 639 } 640 641 /* read the namespace if present */ 642 if (!unpack_str(e, ns, "namespace")) 643 *ns = NULL; 644 645 return 0; 646 } 647 648 static bool verify_xindex(int xindex, int table_size) 649 { 650 int index, xtype; 651 xtype = xindex & AA_X_TYPE_MASK; 652 index = xindex & AA_X_INDEX_MASK; 653 if (xtype == AA_X_TABLE && index > table_size) 654 return 0; 655 return 1; 656 } 657 658 /* verify dfa xindexes are in range of transition tables */ 659 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) 660 { 661 int i; 662 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 663 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) 664 return 0; 665 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) 666 return 0; 667 } 668 return 1; 669 } 670 671 /** 672 * verify_profile - Do post unpack analysis to verify profile consistency 673 * @profile: profile to verify (NOT NULL) 674 * 675 * Returns: 0 if passes verification else error 676 */ 677 static int verify_profile(struct aa_profile *profile) 678 { 679 if (aa_g_paranoid_load) { 680 if (profile->file.dfa && 681 !verify_dfa_xindex(profile->file.dfa, 682 profile->file.trans.size)) { 683 audit_iface(profile, NULL, "Invalid named transition", 684 NULL, -EPROTO); 685 return -EPROTO; 686 } 687 } 688 689 return 0; 690 } 691 692 /** 693 * aa_unpack - unpack packed binary profile data loaded from user space 694 * @udata: user data copied to kmem (NOT NULL) 695 * @size: the size of the user data 696 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) 697 * 698 * Unpack user data and return refcounted allocated profile or ERR_PTR 699 * 700 * Returns: profile else error pointer if fails to unpack 701 */ 702 struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns) 703 { 704 struct aa_profile *profile = NULL; 705 int error; 706 struct aa_ext e = { 707 .start = udata, 708 .end = udata + size, 709 .pos = udata, 710 }; 711 712 error = verify_header(&e, ns); 713 if (error) 714 return ERR_PTR(error); 715 716 profile = unpack_profile(&e); 717 if (IS_ERR(profile)) 718 return profile; 719 720 error = verify_profile(profile); 721 if (error) { 722 aa_put_profile(profile); 723 profile = ERR_PTR(error); 724 } 725 726 /* return refcount */ 727 return profile; 728 } 729