aboutsummaryrefslogtreecommitdiffstats
path: root/security/apparmor/include
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2010-07-29 17:48:01 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 01:35:13 -0400
commite06f75a6a2b43bd3a7a197bd21466f9da130e4af (patch)
treebf5aabceae66c62e317a0403b05ffb320aef54d2 /security/apparmor/include
parentc75afcd153f6147d3b094f45a1d87e5df7f4f053 (diff)
AppArmor: dfa match engine
A basic dfa matching engine based off the dfa engine in the Dragon Book. It uses simple row comb compression with a check field. This allows AppArmor to do pattern matching in linear time, and also avoids stack issues that an nfa based engine may have. The dfa engine uses a byte based comparison, with all values being valid. Any potential character encoding are handled user side when the dfa tables are created. By convention AppArmor uses \0 to separate two dependent path matches since \0 is not a valid path character (this is done in the link permission check). The dfa tables are generated in user space and are verified at load time to be internally consistent. There are several future improvements planned for the dfa engine: * The dfa engine may be converted to a hybrid nfa-dfa engine, with a fixed size limited stack. This would allow for size time tradeoffs, by inserting limited nfa states to help control state explosion that can occur with dfas. * The dfa engine may pickup the ability to do limited dynamic variable matching, instead of fixing all variables at policy load time. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/match.h132
1 files changed, 132 insertions, 0 deletions
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
new file mode 100644
index 000000000000..734a6d35112c
--- /dev/null
+++ b/security/apparmor/include/match.h
@@ -0,0 +1,132 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor policy dfa matching engine definitions.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#ifndef __AA_MATCH_H
16#define __AA_MATCH_H
17
18#include <linux/workqueue.h>
19
20#define DFA_NOMATCH 0
21#define DFA_START 1
22
23#define DFA_VALID_PERM_MASK 0xffffffff
24#define DFA_VALID_PERM2_MASK 0xffffffff
25
26/**
27 * The format used for transition tables is based on the GNU flex table
28 * file format (--tables-file option; see Table File Format in the flex
29 * info pages and the flex sources for documentation). The magic number
30 * used in the header is 0x1B5E783D insted of 0xF13C57B1 though, because
31 * the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used
32 * slightly differently (see the apparmor-parser package).
33 */
34
35#define YYTH_MAGIC 0x1B5E783D
36#define YYTH_DEF_RECURSE 0x1 /* DEF Table is recursive */
37
38struct table_set_header {
39 u32 th_magic; /* YYTH_MAGIC */
40 u32 th_hsize;
41 u32 th_ssize;
42 u16 th_flags;
43 char th_version[];
44};
45
46/* The YYTD_ID are one less than flex table mappings. The flex id
47 * has 1 subtracted at table load time, this allows us to directly use the
48 * ID's as indexes.
49 */
50#define YYTD_ID_ACCEPT 0
51#define YYTD_ID_BASE 1
52#define YYTD_ID_CHK 2
53#define YYTD_ID_DEF 3
54#define YYTD_ID_EC 4
55#define YYTD_ID_META 5
56#define YYTD_ID_ACCEPT2 6
57#define YYTD_ID_NXT 7
58#define YYTD_ID_TSIZE 8
59
60#define YYTD_DATA8 1
61#define YYTD_DATA16 2
62#define YYTD_DATA32 4
63#define YYTD_DATA64 8
64
65/* Each ACCEPT2 table gets 6 dedicated flags, YYTD_DATAX define the
66 * first flags
67 */
68#define ACCEPT1_FLAGS(X) ((X) & 0x3f)
69#define ACCEPT2_FLAGS(X) ACCEPT1_FLAGS((X) >> YYTD_ID_ACCEPT2)
70#define TO_ACCEPT1_FLAG(X) ACCEPT1_FLAGS(X)
71#define TO_ACCEPT2_FLAG(X) (ACCEPT1_FLAGS(X) << YYTD_ID_ACCEPT2)
72#define DFA_FLAG_VERIFY_STATES 0x1000
73
74struct table_header {
75 u16 td_id;
76 u16 td_flags;
77 u32 td_hilen;
78 u32 td_lolen;
79 char td_data[];
80};
81
82#define DEFAULT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_DEF]->td_data))
83#define BASE_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_BASE]->td_data))
84#define NEXT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_NXT]->td_data))
85#define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK]->td_data))
86#define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC]->td_data))
87#define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT]->td_data))
88#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2]->td_data))
89
90struct aa_dfa {
91 struct kref count;
92 u16 flags;
93 struct table_header *tables[YYTD_ID_TSIZE];
94};
95
96#define byte_to_byte(X) (X)
97
98#define UNPACK_ARRAY(TABLE, BLOB, LEN, TYPE, NTOHX) \
99 do { \
100 typeof(LEN) __i; \
101 TYPE *__t = (TYPE *) TABLE; \
102 TYPE *__b = (TYPE *) BLOB; \
103 for (__i = 0; __i < LEN; __i++) { \
104 __t[__i] = NTOHX(__b[__i]); \
105 } \
106 } while (0)
107
108static inline size_t table_size(size_t len, size_t el_size)
109{
110 return ALIGN(sizeof(struct table_header) + len * el_size, 8);
111}
112
113struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
114unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
115 const char *str, int len);
116unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
117 const char *str);
118void aa_dfa_free_kref(struct kref *kref);
119
120/**
121 * aa_put_dfa - put a dfa refcount
122 * @dfa: dfa to put refcount (MAYBE NULL)
123 *
124 * Requires: if @dfa != NULL that a valid refcount be held
125 */
126static inline void aa_put_dfa(struct aa_dfa *dfa)
127{
128 if (dfa)
129 kref_put(&dfa->count, aa_dfa_free_kref);
130}
131
132#endif /* __AA_MATCH_H */