diff options
| author | John Johansen <john.johansen@canonical.com> | 2010-07-29 17:48:02 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-08-02 01:38:36 -0400 |
| commit | 736ec752d95e91e77cc0e8c97c057ab076ac2f51 (patch) | |
| tree | 128d330ecff67c5d83862062825b7975c92fee96 /security | |
| parent | 0ed3b28ab8bf460a3a026f3f1782bf4c53840184 (diff) | |
AppArmor: policy routines for loading and unpacking policy
AppArmor policy is loaded in a platform independent flattened binary
stream. Verify and unpack the data converting it to the internal
format needed for enforcement.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/include/policy_unpack.h | 20 | ||||
| -rw-r--r-- | security/apparmor/policy_unpack.c | 703 |
2 files changed, 723 insertions, 0 deletions
diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h new file mode 100644 index 000000000000..a2dcccac45aa --- /dev/null +++ b/security/apparmor/include/policy_unpack.h | |||
| @@ -0,0 +1,20 @@ | |||
| 1 | /* | ||
| 2 | * AppArmor security module | ||
| 3 | * | ||
| 4 | * This file contains AppArmor policy loading interface function definitions. | ||
| 5 | * | ||
| 6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
| 7 | * Copyright 2009-2010 Canonical Ltd. | ||
| 8 | * | ||
| 9 | * This program is free software; you can redistribute it and/or | ||
| 10 | * modify it under the terms of the GNU General Public License as | ||
| 11 | * published by the Free Software Foundation, version 2 of the | ||
| 12 | * License. | ||
| 13 | */ | ||
| 14 | |||
| 15 | #ifndef __POLICY_INTERFACE_H | ||
| 16 | #define __POLICY_INTERFACE_H | ||
| 17 | |||
| 18 | struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns); | ||
| 19 | |||
| 20 | #endif /* __POLICY_INTERFACE_H */ | ||
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c new file mode 100644 index 000000000000..eb3700e9fd37 --- /dev/null +++ b/security/apparmor/policy_unpack.c | |||
| @@ -0,0 +1,703 @@ | |||
| 1 | /* | ||
| 2 | * AppArmor security module | ||
| 3 | * | ||
| 4 | * This file contains AppArmor functions for unpacking policy loaded from | ||
| 5 | * userspace. | ||
| 6 | * | ||
| 7 | * Copyright (C) 1998-2008 Novell/SUSE | ||
| 8 | * Copyright 2009-2010 Canonical Ltd. | ||
| 9 | * | ||
| 10 | * This program is free software; you can redistribute it and/or | ||
| 11 | * modify it under the terms of the GNU General Public License as | ||
| 12 | * published by the Free Software Foundation, version 2 of the | ||
| 13 | * License. | ||
| 14 | * | ||
| 15 | * AppArmor uses a serialized binary format for loading policy. | ||
| 16 | * To find policy format documentation look in Documentation/apparmor.txt | ||
| 17 | * All policy is validated before it is used. | ||
| 18 | */ | ||
| 19 | |||
| 20 | #include <asm/unaligned.h> | ||
| 21 | #include <linux/ctype.h> | ||
| 22 | #include <linux/errno.h> | ||
| 23 | |||
| 24 | #include "include/apparmor.h" | ||
| 25 | #include "include/audit.h" | ||
| 26 | #include "include/context.h" | ||
| 27 | #include "include/match.h" | ||
| 28 | #include "include/policy.h" | ||
| 29 | #include "include/policy_unpack.h" | ||
| 30 | #include "include/sid.h" | ||
| 31 | |||
| 32 | /* | ||
| 33 | * The AppArmor interface treats data as a type byte followed by the | ||
| 34 | * actual data. The interface has the notion of a a named entry | ||
| 35 | * which has a name (AA_NAME typecode followed by name string) followed by | ||
| 36 | * the entries typecode and data. Named types allow for optional | ||
| 37 | * elements and extensions to be added and tested for without breaking | ||
| 38 | * backwards compatibility. | ||
| 39 | */ | ||
| 40 | |||
| 41 | enum aa_code { | ||
| 42 | AA_U8, | ||
| 43 | AA_U16, | ||
| 44 | AA_U32, | ||
| 45 | AA_U64, | ||
| 46 | AA_NAME, /* same as string except it is items name */ | ||
| 47 | AA_STRING, | ||
| 48 | AA_BLOB, | ||
| 49 | AA_STRUCT, | ||
| 50 | AA_STRUCTEND, | ||
| 51 | AA_LIST, | ||
| 52 | AA_LISTEND, | ||
| 53 | AA_ARRAY, | ||
| 54 | AA_ARRAYEND, | ||
| 55 | }; | ||
| 56 | |||
| 57 | /* | ||
| 58 | * aa_ext is the read of the buffer containing the serialized profile. The | ||
| 59 | * data is copied into a kernel buffer in apparmorfs and then handed off to | ||
| 60 | * the unpack routines. | ||
| 61 | */ | ||
| 62 | struct aa_ext { | ||
| 63 | void *start; | ||
| 64 | void *end; | ||
| 65 | void *pos; /* pointer to current position in the buffer */ | ||
| 66 | u32 version; | ||
| 67 | }; | ||
| 68 | |||
| 69 | /* audit callback for unpack fields */ | ||
| 70 | static void audit_cb(struct audit_buffer *ab, void *va) | ||
| 71 | { | ||
| 72 | struct common_audit_data *sa = va; | ||
| 73 | if (sa->aad.iface.target) { | ||
| 74 | struct aa_profile *name = sa->aad.iface.target; | ||
| 75 | audit_log_format(ab, " name="); | ||
| 76 | audit_log_untrustedstring(ab, name->base.hname); | ||
| 77 | } | ||
| 78 | if (sa->aad.iface.pos) | ||
| 79 | audit_log_format(ab, " offset=%ld", sa->aad.iface.pos); | ||
| 80 | } | ||
| 81 | |||
| 82 | /** | ||
| 83 | * audit_iface - do audit message for policy unpacking/load/replace/remove | ||
| 84 | * @new: profile if it has been allocated (MAYBE NULL) | ||
| 85 | * @name: name of the profile being manipulated (MAYBE NULL) | ||
| 86 | * @info: any extra info about the failure (MAYBE NULL) | ||
| 87 | * @e: buffer position info (NOT NULL) | ||
| 88 | * @error: error code | ||
| 89 | * | ||
| 90 | * Returns: %0 or error | ||
| 91 | */ | ||
| 92 | static int audit_iface(struct aa_profile *new, const char *name, | ||
| 93 | const char *info, struct aa_ext *e, int error) | ||
| 94 | { | ||
| 95 | struct aa_profile *profile = __aa_current_profile(); | ||
| 96 | struct common_audit_data sa; | ||
| 97 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | ||
| 98 | sa.aad.iface.pos = e->pos - e->start; | ||
| 99 | sa.aad.iface.target = new; | ||
| 100 | sa.aad.name = name; | ||
| 101 | sa.aad.info = info; | ||
| 102 | sa.aad.error = error; | ||
| 103 | |||
| 104 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, | ||
| 105 | audit_cb); | ||
| 106 | } | ||
| 107 | |||
| 108 | /* test if read will be in packed data bounds */ | ||
| 109 | static bool inbounds(struct aa_ext *e, size_t size) | ||
| 110 | { | ||
| 111 | return (size <= e->end - e->pos); | ||
| 112 | } | ||
| 113 | |||
| 114 | /** | ||
| 115 | * aa_u16_chunck - test and do bounds checking for a u16 size based chunk | ||
| 116 | * @e: serialized data read head (NOT NULL) | ||
| 117 | * @chunk: start address for chunk of data (NOT NULL) | ||
| 118 | * | ||
| 119 | * Returns: the size of chunk found with the read head at the end of the chunk. | ||
| 120 | */ | ||
| 121 | static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) | ||
| 122 | { | ||
| 123 | size_t size = 0; | ||
| 124 | |||
| 125 | if (!inbounds(e, sizeof(u16))) | ||
| 126 | return 0; | ||
| 127 | size = le16_to_cpu(get_unaligned((u16 *) e->pos)); | ||
| 128 | e->pos += sizeof(u16); | ||
| 129 | if (!inbounds(e, size)) | ||
| 130 | return 0; | ||
| 131 | *chunk = e->pos; | ||
| 132 | e->pos += size; | ||
| 133 | return size; | ||
| 134 | } | ||
| 135 | |||
| 136 | /* unpack control byte */ | ||
| 137 | static bool unpack_X(struct aa_ext *e, enum aa_code code) | ||
| 138 | { | ||
| 139 | if (!inbounds(e, 1)) | ||
| 140 | return 0; | ||
| 141 | if (*(u8 *) e->pos != code) | ||
| 142 | return 0; | ||
| 143 | e->pos++; | ||
| 144 | return 1; | ||
| 145 | } | ||
| 146 | |||
| 147 | /** | ||
| 148 | * unpack_nameX - check is the next element is of type X with a name of @name | ||
| 149 | * @e: serialized data extent information (NOT NULL) | ||
| 150 | * @code: type code | ||
| 151 | * @name: name to match to the serialized element. (MAYBE NULL) | ||
| 152 | * | ||
| 153 | * check that the next serialized data element is of type X and has a tag | ||
| 154 | * name @name. If @name is specified then there must be a matching | ||
| 155 | * name element in the stream. If @name is NULL any name element will be | ||
| 156 | * skipped and only the typecode will be tested. | ||
| 157 | * | ||
| 158 | * Returns 1 on success (both type code and name tests match) and the read | ||
| 159 | * head is advanced past the headers | ||
| 160 | * | ||
| 161 | * Returns: 0 if either match fails, the read head does not move | ||
| 162 | */ | ||
| 163 | static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) | ||
| 164 | { | ||
| 165 | /* | ||
| 166 | * May need to reset pos if name or type doesn't match | ||
| 167 | */ | ||
| 168 | void *pos = e->pos; | ||
| 169 | /* | ||
| 170 | * Check for presence of a tagname, and if present name size | ||
| 171 | * AA_NAME tag value is a u16. | ||
| 172 | */ | ||
| 173 | if (unpack_X(e, AA_NAME)) { | ||
| 174 | char *tag = NULL; | ||
| 175 | size_t size = unpack_u16_chunk(e, &tag); | ||
| 176 | /* if a name is specified it must match. otherwise skip tag */ | ||
| 177 | if (name && (!size || strcmp(name, tag))) | ||
| 178 | goto fail; | ||
| 179 | } else if (name) { | ||
| 180 | /* if a name is specified and there is no name tag fail */ | ||
| 181 | goto fail; | ||
| 182 | } | ||
| 183 | |||
| 184 | /* now check if type code matches */ | ||
| 185 | if (unpack_X(e, code)) | ||
| 186 | return 1; | ||
| 187 | |||
| 188 | fail: | ||
| 189 | e->pos = pos; | ||
| 190 | return 0; | ||
| 191 | } | ||
| 192 | |||
| 193 | static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) | ||
| 194 | { | ||
| 195 | if (unpack_nameX(e, AA_U32, name)) { | ||
| 196 | if (!inbounds(e, sizeof(u32))) | ||
| 197 | return 0; | ||
| 198 | if (data) | ||
| 199 | *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); | ||
| 200 | e->pos += sizeof(u32); | ||
| 201 | return 1; | ||
| 202 | } | ||
| 203 | return 0; | ||
| 204 | } | ||
| 205 | |||
| 206 | static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) | ||
| 207 | { | ||
| 208 | if (unpack_nameX(e, AA_U64, name)) { | ||
| 209 | if (!inbounds(e, sizeof(u64))) | ||
| 210 | return 0; | ||
| 211 | if (data) | ||
| 212 | *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); | ||
| 213 | e->pos += sizeof(u64); | ||
| 214 | return 1; | ||
| 215 | } | ||
| 216 | return 0; | ||
| 217 | } | ||
| 218 | |||
| 219 | static size_t unpack_array(struct aa_ext *e, const char *name) | ||
| 220 | { | ||
| 221 | if (unpack_nameX(e, AA_ARRAY, name)) { | ||
| 222 | int size; | ||
| 223 | if (!inbounds(e, sizeof(u16))) | ||
| 224 | return 0; | ||
| 225 | size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); | ||
| 226 | e->pos += sizeof(u16); | ||
| 227 | return size; | ||
| 228 | } | ||
| 229 | return 0; | ||
| 230 | } | ||
| 231 | |||
| 232 | static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) | ||
| 233 | { | ||
| 234 | if (unpack_nameX(e, AA_BLOB, name)) { | ||
| 235 | u32 size; | ||
| 236 | if (!inbounds(e, sizeof(u32))) | ||
| 237 | return 0; | ||
| 238 | size = le32_to_cpu(get_unaligned((u32 *) e->pos)); | ||
| 239 | e->pos += sizeof(u32); | ||
| 240 | if (inbounds(e, (size_t) size)) { | ||
| 241 | *blob = e->pos; | ||
| 242 | e->pos += size; | ||
| 243 | return size; | ||
| 244 | } | ||
| 245 | } | ||
| 246 | return 0; | ||
| 247 | } | ||
| 248 | |||
| 249 | static int unpack_str(struct aa_ext *e, const char **string, const char *name) | ||
| 250 | { | ||
| 251 | char *src_str; | ||
| 252 | size_t size = 0; | ||
| 253 | void *pos = e->pos; | ||
| 254 | *string = NULL; | ||
| 255 | if (unpack_nameX(e, AA_STRING, name)) { | ||
| 256 | size = unpack_u16_chunk(e, &src_str); | ||
| 257 | if (size) { | ||
| 258 | /* strings are null terminated, length is size - 1 */ | ||
| 259 | if (src_str[size - 1] != 0) | ||
| 260 | goto fail; | ||
| 261 | *string = src_str; | ||
| 262 | } | ||
| 263 | } | ||
| 264 | return size; | ||
| 265 | |||
| 266 | fail: | ||
| 267 | e->pos = pos; | ||
| 268 | return 0; | ||
| 269 | } | ||
| 270 | |||
| 271 | static int unpack_strdup(struct aa_ext *e, char **string, const char *name) | ||
| 272 | { | ||
| 273 | const char *tmp; | ||
| 274 | void *pos = e->pos; | ||
| 275 | int res = unpack_str(e, &tmp, name); | ||
| 276 | *string = NULL; | ||
| 277 | |||
| 278 | if (!res) | ||
| 279 | return 0; | ||
| 280 | |||
| 281 | *string = kmemdup(tmp, res, GFP_KERNEL); | ||
| 282 | if (!*string) { | ||
| 283 | e->pos = pos; | ||
| 284 | return 0; | ||
| 285 | } | ||
| 286 | |||
| 287 | return res; | ||
| 288 | } | ||
| 289 | |||
| 290 | /** | ||
| 291 | * verify_accept - verify the accept tables of a dfa | ||
| 292 | * @dfa: dfa to verify accept tables of (NOT NULL) | ||
| 293 | * @flags: flags governing dfa | ||
| 294 | * | ||
| 295 | * Returns: 1 if valid accept tables else 0 if error | ||
| 296 | */ | ||
| 297 | static bool verify_accept(struct aa_dfa *dfa, int flags) | ||
| 298 | { | ||
| 299 | int i; | ||
| 300 | |||
| 301 | /* verify accept permissions */ | ||
| 302 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | ||
| 303 | int mode = ACCEPT_TABLE(dfa)[i]; | ||
| 304 | |||
| 305 | if (mode & ~DFA_VALID_PERM_MASK) | ||
| 306 | return 0; | ||
| 307 | |||
| 308 | if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) | ||
| 309 | return 0; | ||
| 310 | } | ||
| 311 | return 1; | ||
| 312 | } | ||
| 313 | |||
| 314 | /** | ||
| 315 | * unpack_dfa - unpack a file rule dfa | ||
| 316 | * @e: serialized data extent information (NOT NULL) | ||
| 317 | * | ||
| 318 | * returns dfa or ERR_PTR or NULL if no dfa | ||
| 319 | */ | ||
| 320 | static struct aa_dfa *unpack_dfa(struct aa_ext *e) | ||
| 321 | { | ||
| 322 | char *blob = NULL; | ||
| 323 | size_t size; | ||
| 324 | struct aa_dfa *dfa = NULL; | ||
| 325 | |||
| 326 | size = unpack_blob(e, &blob, "aadfa"); | ||
| 327 | if (size) { | ||
| 328 | /* | ||
| 329 | * The dfa is aligned with in the blob to 8 bytes | ||
| 330 | * from the beginning of the stream. | ||
| 331 | */ | ||
| 332 | size_t sz = blob - (char *)e->start; | ||
| 333 | size_t pad = ALIGN(sz, 8) - sz; | ||
| 334 | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | | ||
| 335 | TO_ACCEPT2_FLAG(YYTD_DATA32); | ||
| 336 | |||
| 337 | |||
| 338 | if (aa_g_paranoid_load) | ||
| 339 | flags |= DFA_FLAG_VERIFY_STATES; | ||
| 340 | |||
| 341 | dfa = aa_dfa_unpack(blob + pad, size - pad, flags); | ||
| 342 | |||
| 343 | if (IS_ERR(dfa)) | ||
| 344 | return dfa; | ||
| 345 | |||
| 346 | if (!verify_accept(dfa, flags)) | ||
| 347 | goto fail; | ||
| 348 | } | ||
| 349 | |||
| 350 | return dfa; | ||
| 351 | |||
| 352 | fail: | ||
| 353 | aa_put_dfa(dfa); | ||
| 354 | return ERR_PTR(-EPROTO); | ||
| 355 | } | ||
| 356 | |||
| 357 | /** | ||
| 358 | * unpack_trans_table - unpack a profile transition table | ||
| 359 | * @e: serialized data extent information (NOT NULL) | ||
| 360 | * @profile: profile to add the accept table to (NOT NULL) | ||
| 361 | * | ||
| 362 | * Returns: 1 if table succesfully unpacked | ||
| 363 | */ | ||
| 364 | static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) | ||
| 365 | { | ||
| 366 | void *pos = e->pos; | ||
| 367 | |||
| 368 | /* exec table is optional */ | ||
| 369 | if (unpack_nameX(e, AA_STRUCT, "xtable")) { | ||
| 370 | int i, size; | ||
| 371 | |||
| 372 | size = unpack_array(e, NULL); | ||
| 373 | /* currently 4 exec bits and entries 0-3 are reserved iupcx */ | ||
| 374 | if (size > 16 - 4) | ||
| 375 | goto fail; | ||
| 376 | profile->file.trans.table = kzalloc(sizeof(char *) * size, | ||
| 377 | GFP_KERNEL); | ||
| 378 | if (!profile->file.trans.table) | ||
| 379 | goto fail; | ||
| 380 | |||
| 381 | profile->file.trans.size = size; | ||
| 382 | for (i = 0; i < size; i++) { | ||
| 383 | char *str; | ||
| 384 | int c, j, size = unpack_strdup(e, &str, NULL); | ||
| 385 | /* unpack_strdup verifies that the last character is | ||
| 386 | * null termination byte. | ||
| 387 | */ | ||
| 388 | if (!size) | ||
| 389 | goto fail; | ||
| 390 | profile->file.trans.table[i] = str; | ||
| 391 | /* verify that name doesn't start with space */ | ||
| 392 | if (isspace(*str)) | ||
| 393 | goto fail; | ||
| 394 | |||
| 395 | /* count internal # of internal \0 */ | ||
| 396 | for (c = j = 0; j < size - 2; j++) { | ||
| 397 | if (!str[j]) | ||
| 398 | c++; | ||
| 399 | } | ||
| 400 | if (*str == ':') { | ||
| 401 | /* beginning with : requires an embedded \0, | ||
| 402 | * verify that exactly 1 internal \0 exists | ||
| 403 | * trailing \0 already verified by unpack_strdup | ||
| 404 | */ | ||
| 405 | if (c != 1) | ||
| 406 | goto fail; | ||
| 407 | /* first character after : must be valid */ | ||
| 408 | if (!str[1]) | ||
| 409 | goto fail; | ||
| 410 | } else if (c) | ||
| 411 | /* fail - all other cases with embedded \0 */ | ||
| 412 | goto fail; | ||
| 413 | } | ||
| 414 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | ||
| 415 | goto fail; | ||
| 416 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
| 417 | goto fail; | ||
| 418 | } | ||
| 419 | return 1; | ||
| 420 | |||
| 421 | fail: | ||
| 422 | aa_free_domain_entries(&profile->file.trans); | ||
| 423 | e->pos = pos; | ||
| 424 | return 0; | ||
| 425 | } | ||
| 426 | |||
| 427 | static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) | ||
| 428 | { | ||
| 429 | void *pos = e->pos; | ||
| 430 | |||
| 431 | /* rlimits are optional */ | ||
| 432 | if (unpack_nameX(e, AA_STRUCT, "rlimits")) { | ||
| 433 | int i, size; | ||
| 434 | u32 tmp = 0; | ||
| 435 | if (!unpack_u32(e, &tmp, NULL)) | ||
| 436 | goto fail; | ||
| 437 | profile->rlimits.mask = tmp; | ||
| 438 | |||
| 439 | size = unpack_array(e, NULL); | ||
| 440 | if (size > RLIM_NLIMITS) | ||
| 441 | goto fail; | ||
| 442 | for (i = 0; i < size; i++) { | ||
| 443 | u64 tmp = 0; | ||
| 444 | int a = aa_map_resource(i); | ||
| 445 | if (!unpack_u64(e, &tmp, NULL)) | ||
| 446 | goto fail; | ||
| 447 | profile->rlimits.limits[a].rlim_max = tmp; | ||
| 448 | } | ||
| 449 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | ||
| 450 | goto fail; | ||
| 451 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
| 452 | goto fail; | ||
| 453 | } | ||
| 454 | return 1; | ||
| 455 | |||
| 456 | fail: | ||
| 457 | e->pos = pos; | ||
| 458 | return 0; | ||
| 459 | } | ||
| 460 | |||
| 461 | /** | ||
| 462 | * unpack_profile - unpack a serialized profile | ||
| 463 | * @e: serialized data extent information (NOT NULL) | ||
| 464 | * | ||
| 465 | * NOTE: unpack profile sets audit struct if there is a failure | ||
| 466 | */ | ||
| 467 | static struct aa_profile *unpack_profile(struct aa_ext *e) | ||
| 468 | { | ||
| 469 | struct aa_profile *profile = NULL; | ||
| 470 | const char *name = NULL; | ||
| 471 | int error = -EPROTO; | ||
| 472 | kernel_cap_t tmpcap; | ||
| 473 | u32 tmp; | ||
| 474 | |||
| 475 | /* check that we have the right struct being passed */ | ||
| 476 | if (!unpack_nameX(e, AA_STRUCT, "profile")) | ||
| 477 | goto fail; | ||
| 478 | if (!unpack_str(e, &name, NULL)) | ||
| 479 | goto fail; | ||
| 480 | |||
| 481 | profile = aa_alloc_profile(name); | ||
| 482 | if (!profile) | ||
| 483 | return ERR_PTR(-ENOMEM); | ||
| 484 | |||
| 485 | /* profile renaming is optional */ | ||
| 486 | (void) unpack_str(e, &profile->rename, "rename"); | ||
| 487 | |||
| 488 | /* xmatch is optional and may be NULL */ | ||
| 489 | profile->xmatch = unpack_dfa(e); | ||
| 490 | if (IS_ERR(profile->xmatch)) { | ||
| 491 | error = PTR_ERR(profile->xmatch); | ||
| 492 | profile->xmatch = NULL; | ||
| 493 | goto fail; | ||
| 494 | } | ||
| 495 | /* xmatch_len is not optional if xmatch is set */ | ||
| 496 | if (profile->xmatch) { | ||
| 497 | if (!unpack_u32(e, &tmp, NULL)) | ||
| 498 | goto fail; | ||
| 499 | profile->xmatch_len = tmp; | ||
| 500 | } | ||
| 501 | |||
| 502 | /* per profile debug flags (complain, audit) */ | ||
| 503 | if (!unpack_nameX(e, AA_STRUCT, "flags")) | ||
| 504 | goto fail; | ||
| 505 | if (!unpack_u32(e, &tmp, NULL)) | ||
| 506 | goto fail; | ||
| 507 | if (tmp) | ||
| 508 | profile->flags |= PFLAG_HAT; | ||
| 509 | if (!unpack_u32(e, &tmp, NULL)) | ||
| 510 | goto fail; | ||
| 511 | if (tmp) | ||
| 512 | profile->mode = APPARMOR_COMPLAIN; | ||
| 513 | if (!unpack_u32(e, &tmp, NULL)) | ||
| 514 | goto fail; | ||
| 515 | if (tmp) | ||
| 516 | profile->audit = AUDIT_ALL; | ||
| 517 | |||
| 518 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
| 519 | goto fail; | ||
| 520 | |||
| 521 | /* path_flags is optional */ | ||
| 522 | if (unpack_u32(e, &profile->path_flags, "path_flags")) | ||
| 523 | profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; | ||
| 524 | else | ||
| 525 | /* set a default value if path_flags field is not present */ | ||
| 526 | profile->path_flags = PFLAG_MEDIATE_DELETED; | ||
| 527 | |||
| 528 | if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) | ||
| 529 | goto fail; | ||
| 530 | if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) | ||
| 531 | goto fail; | ||
| 532 | if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) | ||
| 533 | goto fail; | ||
| 534 | if (!unpack_u32(e, &tmpcap.cap[0], NULL)) | ||
| 535 | goto fail; | ||
| 536 | |||
| 537 | if (unpack_nameX(e, AA_STRUCT, "caps64")) { | ||
| 538 | /* optional upper half of 64 bit caps */ | ||
| 539 | if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) | ||
| 540 | goto fail; | ||
| 541 | if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) | ||
| 542 | goto fail; | ||
| 543 | if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) | ||
| 544 | goto fail; | ||
| 545 | if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) | ||
| 546 | goto fail; | ||
| 547 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
| 548 | goto fail; | ||
| 549 | } | ||
| 550 | |||
| 551 | if (unpack_nameX(e, AA_STRUCT, "capsx")) { | ||
| 552 | /* optional extended caps mediation mask */ | ||
| 553 | if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) | ||
| 554 | goto fail; | ||
| 555 | if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) | ||
| 556 | goto fail; | ||
| 557 | } | ||
| 558 | |||
| 559 | if (!unpack_rlimits(e, profile)) | ||
| 560 | goto fail; | ||
| 561 | |||
| 562 | /* get file rules */ | ||
| 563 | profile->file.dfa = unpack_dfa(e); | ||
| 564 | if (IS_ERR(profile->file.dfa)) { | ||
| 565 | error = PTR_ERR(profile->file.dfa); | ||
| 566 | profile->file.dfa = NULL; | ||
| 567 | goto fail; | ||
| 568 | } | ||
| 569 | |||
| 570 | if (!unpack_u32(e, &profile->file.start, "dfa_start")) | ||
| 571 | /* default start state */ | ||
| 572 | profile->file.start = DFA_START; | ||
| 573 | |||
| 574 | if (!unpack_trans_table(e, profile)) | ||
| 575 | goto fail; | ||
| 576 | |||
| 577 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
| 578 | goto fail; | ||
| 579 | |||
| 580 | return profile; | ||
| 581 | |||
| 582 | fail: | ||
| 583 | if (profile) | ||
| 584 | name = NULL; | ||
| 585 | else if (!name) | ||
| 586 | name = "unknown"; | ||
| 587 | audit_iface(profile, name, "failed to unpack profile", e, error); | ||
| 588 | aa_put_profile(profile); | ||
| 589 | |||
| 590 | return ERR_PTR(error); | ||
| 591 | } | ||
| 592 | |||
| 593 | /** | ||
| 594 | * verify_head - unpack serialized stream header | ||
| 595 | * @e: serialized data read head (NOT NULL) | ||
| 596 | * @ns: Returns - namespace if one is specified else NULL (NOT NULL) | ||
| 597 | * | ||
| 598 | * Returns: error or 0 if header is good | ||
| 599 | */ | ||
| 600 | static int verify_header(struct aa_ext *e, const char **ns) | ||
| 601 | { | ||
| 602 | int error = -EPROTONOSUPPORT; | ||
| 603 | /* get the interface version */ | ||
| 604 | if (!unpack_u32(e, &e->version, "version")) { | ||
| 605 | audit_iface(NULL, NULL, "invalid profile format", e, error); | ||
| 606 | return error; | ||
| 607 | } | ||
| 608 | |||
| 609 | /* check that the interface version is currently supported */ | ||
| 610 | if (e->version != 5) { | ||
| 611 | audit_iface(NULL, NULL, "unsupported interface version", e, | ||
| 612 | error); | ||
| 613 | return error; | ||
| 614 | } | ||
| 615 | |||
| 616 | /* read the namespace if present */ | ||
| 617 | if (!unpack_str(e, ns, "namespace")) | ||
| 618 | *ns = NULL; | ||
| 619 | |||
| 620 | return 0; | ||
| 621 | } | ||
| 622 | |||
| 623 | static bool verify_xindex(int xindex, int table_size) | ||
| 624 | { | ||
| 625 | int index, xtype; | ||
| 626 | xtype = xindex & AA_X_TYPE_MASK; | ||
| 627 | index = xindex & AA_X_INDEX_MASK; | ||
| 628 | if (xtype == AA_X_TABLE && index > table_size) | ||
| 629 | return 0; | ||
| 630 | return 1; | ||
| 631 | } | ||
| 632 | |||
| 633 | /* verify dfa xindexes are in range of transition tables */ | ||
| 634 | static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) | ||
| 635 | { | ||
| 636 | int i; | ||
| 637 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | ||
| 638 | if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) | ||
| 639 | return 0; | ||
| 640 | if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) | ||
| 641 | return 0; | ||
| 642 | } | ||
| 643 | return 1; | ||
| 644 | } | ||
| 645 | |||
| 646 | /** | ||
| 647 | * verify_profile - Do post unpack analysis to verify profile consistency | ||
| 648 | * @profile: profile to verify (NOT NULL) | ||
| 649 | * | ||
| 650 | * Returns: 0 if passes verification else error | ||
| 651 | */ | ||
| 652 | static int verify_profile(struct aa_profile *profile) | ||
| 653 | { | ||
| 654 | if (aa_g_paranoid_load) { | ||
| 655 | if (profile->file.dfa && | ||
| 656 | !verify_dfa_xindex(profile->file.dfa, | ||
| 657 | profile->file.trans.size)) { | ||
| 658 | audit_iface(profile, NULL, "Invalid named transition", | ||
| 659 | NULL, -EPROTO); | ||
| 660 | return -EPROTO; | ||
| 661 | } | ||
| 662 | } | ||
| 663 | |||
| 664 | return 0; | ||
| 665 | } | ||
| 666 | |||
| 667 | /** | ||
| 668 | * aa_unpack - unpack packed binary profile data loaded from user space | ||
| 669 | * @udata: user data copied to kmem (NOT NULL) | ||
| 670 | * @size: the size of the user data | ||
| 671 | * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) | ||
| 672 | * | ||
| 673 | * Unpack user data and return refcounted allocated profile or ERR_PTR | ||
| 674 | * | ||
| 675 | * Returns: profile else error pointer if fails to unpack | ||
| 676 | */ | ||
| 677 | struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns) | ||
| 678 | { | ||
| 679 | struct aa_profile *profile = NULL; | ||
| 680 | int error; | ||
| 681 | struct aa_ext e = { | ||
| 682 | .start = udata, | ||
| 683 | .end = udata + size, | ||
| 684 | .pos = udata, | ||
| 685 | }; | ||
| 686 | |||
| 687 | error = verify_header(&e, ns); | ||
| 688 | if (error) | ||
| 689 | return ERR_PTR(error); | ||
| 690 | |||
| 691 | profile = unpack_profile(&e); | ||
| 692 | if (IS_ERR(profile)) | ||
| 693 | return profile; | ||
| 694 | |||
| 695 | error = verify_profile(profile); | ||
| 696 | if (error) { | ||
| 697 | aa_put_profile(profile); | ||
| 698 | profile = ERR_PTR(error); | ||
| 699 | } | ||
| 700 | |||
| 701 | /* return refcount */ | ||
| 702 | return profile; | ||
| 703 | } | ||