Commit | Line | Data |
---|---|---|
736ec752 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor functions for unpacking policy loaded from | |
5 | * userspace. | |
6 | * | |
7 | * Copyright (C) 1998-2008 Novell/SUSE | |
8 | * Copyright 2009-2010 Canonical Ltd. | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or | |
11 | * modify it under the terms of the GNU General Public License as | |
12 | * published by the Free Software Foundation, version 2 of the | |
13 | * License. | |
14 | * | |
d410fa4e RD |
15 | * AppArmor uses a serialized binary format for loading policy. To find |
16 | * policy format documentation look in Documentation/security/apparmor.txt | |
736ec752 JJ |
17 | * All policy is validated before it is used. |
18 | */ | |
19 | ||
20 | #include <asm/unaligned.h> | |
21 | #include <linux/ctype.h> | |
22 | #include <linux/errno.h> | |
23 | ||
24 | #include "include/apparmor.h" | |
25 | #include "include/audit.h" | |
26 | #include "include/context.h" | |
27 | #include "include/match.h" | |
28 | #include "include/policy.h" | |
29 | #include "include/policy_unpack.h" | |
30 | #include "include/sid.h" | |
31 | ||
32 | /* | |
33 | * The AppArmor interface treats data as a type byte followed by the | |
34 | * actual data. The interface has the notion of a a named entry | |
35 | * which has a name (AA_NAME typecode followed by name string) followed by | |
36 | * the entries typecode and data. Named types allow for optional | |
37 | * elements and extensions to be added and tested for without breaking | |
38 | * backwards compatibility. | |
39 | */ | |
40 | ||
41 | enum aa_code { | |
42 | AA_U8, | |
43 | AA_U16, | |
44 | AA_U32, | |
45 | AA_U64, | |
46 | AA_NAME, /* same as string except it is items name */ | |
47 | AA_STRING, | |
48 | AA_BLOB, | |
49 | AA_STRUCT, | |
50 | AA_STRUCTEND, | |
51 | AA_LIST, | |
52 | AA_LISTEND, | |
53 | AA_ARRAY, | |
54 | AA_ARRAYEND, | |
55 | }; | |
56 | ||
57 | /* | |
58 | * aa_ext is the read of the buffer containing the serialized profile. The | |
59 | * data is copied into a kernel buffer in apparmorfs and then handed off to | |
60 | * the unpack routines. | |
61 | */ | |
62 | struct aa_ext { | |
63 | void *start; | |
64 | void *end; | |
65 | void *pos; /* pointer to current position in the buffer */ | |
66 | u32 version; | |
67 | }; | |
68 | ||
69 | /* audit callback for unpack fields */ | |
70 | static void audit_cb(struct audit_buffer *ab, void *va) | |
71 | { | |
72 | struct common_audit_data *sa = va; | |
3b3b0e4f EP |
73 | if (sa->aad->iface.target) { |
74 | struct aa_profile *name = sa->aad->iface.target; | |
736ec752 JJ |
75 | audit_log_format(ab, " name="); |
76 | audit_log_untrustedstring(ab, name->base.hname); | |
77 | } | |
3b3b0e4f EP |
78 | if (sa->aad->iface.pos) |
79 | audit_log_format(ab, " offset=%ld", sa->aad->iface.pos); | |
736ec752 JJ |
80 | } |
81 | ||
82 | /** | |
83 | * audit_iface - do audit message for policy unpacking/load/replace/remove | |
84 | * @new: profile if it has been allocated (MAYBE NULL) | |
85 | * @name: name of the profile being manipulated (MAYBE NULL) | |
86 | * @info: any extra info about the failure (MAYBE NULL) | |
b1b4bc2e | 87 | * @e: buffer position info |
736ec752 JJ |
88 | * @error: error code |
89 | * | |
90 | * Returns: %0 or error | |
91 | */ | |
92 | static int audit_iface(struct aa_profile *new, const char *name, | |
93 | const char *info, struct aa_ext *e, int error) | |
94 | { | |
95 | struct aa_profile *profile = __aa_current_profile(); | |
96 | struct common_audit_data sa; | |
3b3b0e4f | 97 | struct apparmor_audit_data aad = {0,}; |
50c205f5 | 98 | sa.type = LSM_AUDIT_DATA_NONE; |
3b3b0e4f | 99 | sa.aad = &aad; |
b1b4bc2e | 100 | if (e) |
3b3b0e4f EP |
101 | aad.iface.pos = e->pos - e->start; |
102 | aad.iface.target = new; | |
103 | aad.name = name; | |
104 | aad.info = info; | |
105 | aad.error = error; | |
736ec752 JJ |
106 | |
107 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, | |
108 | audit_cb); | |
109 | } | |
110 | ||
111 | /* test if read will be in packed data bounds */ | |
112 | static bool inbounds(struct aa_ext *e, size_t size) | |
113 | { | |
114 | return (size <= e->end - e->pos); | |
115 | } | |
116 | ||
117 | /** | |
118 | * aa_u16_chunck - test and do bounds checking for a u16 size based chunk | |
119 | * @e: serialized data read head (NOT NULL) | |
120 | * @chunk: start address for chunk of data (NOT NULL) | |
121 | * | |
122 | * Returns: the size of chunk found with the read head at the end of the chunk. | |
123 | */ | |
124 | static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) | |
125 | { | |
126 | size_t size = 0; | |
127 | ||
128 | if (!inbounds(e, sizeof(u16))) | |
129 | return 0; | |
130 | size = le16_to_cpu(get_unaligned((u16 *) e->pos)); | |
131 | e->pos += sizeof(u16); | |
132 | if (!inbounds(e, size)) | |
133 | return 0; | |
134 | *chunk = e->pos; | |
135 | e->pos += size; | |
136 | return size; | |
137 | } | |
138 | ||
139 | /* unpack control byte */ | |
140 | static bool unpack_X(struct aa_ext *e, enum aa_code code) | |
141 | { | |
142 | if (!inbounds(e, 1)) | |
143 | return 0; | |
144 | if (*(u8 *) e->pos != code) | |
145 | return 0; | |
146 | e->pos++; | |
147 | return 1; | |
148 | } | |
149 | ||
150 | /** | |
151 | * unpack_nameX - check is the next element is of type X with a name of @name | |
152 | * @e: serialized data extent information (NOT NULL) | |
153 | * @code: type code | |
154 | * @name: name to match to the serialized element. (MAYBE NULL) | |
155 | * | |
156 | * check that the next serialized data element is of type X and has a tag | |
157 | * name @name. If @name is specified then there must be a matching | |
158 | * name element in the stream. If @name is NULL any name element will be | |
159 | * skipped and only the typecode will be tested. | |
160 | * | |
161 | * Returns 1 on success (both type code and name tests match) and the read | |
162 | * head is advanced past the headers | |
163 | * | |
164 | * Returns: 0 if either match fails, the read head does not move | |
165 | */ | |
166 | static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) | |
167 | { | |
168 | /* | |
169 | * May need to reset pos if name or type doesn't match | |
170 | */ | |
171 | void *pos = e->pos; | |
172 | /* | |
173 | * Check for presence of a tagname, and if present name size | |
174 | * AA_NAME tag value is a u16. | |
175 | */ | |
176 | if (unpack_X(e, AA_NAME)) { | |
177 | char *tag = NULL; | |
178 | size_t size = unpack_u16_chunk(e, &tag); | |
179 | /* if a name is specified it must match. otherwise skip tag */ | |
180 | if (name && (!size || strcmp(name, tag))) | |
181 | goto fail; | |
182 | } else if (name) { | |
183 | /* if a name is specified and there is no name tag fail */ | |
184 | goto fail; | |
185 | } | |
186 | ||
187 | /* now check if type code matches */ | |
188 | if (unpack_X(e, code)) | |
189 | return 1; | |
190 | ||
191 | fail: | |
192 | e->pos = pos; | |
193 | return 0; | |
194 | } | |
195 | ||
196 | static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) | |
197 | { | |
198 | if (unpack_nameX(e, AA_U32, name)) { | |
199 | if (!inbounds(e, sizeof(u32))) | |
200 | return 0; | |
201 | if (data) | |
202 | *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); | |
203 | e->pos += sizeof(u32); | |
204 | return 1; | |
205 | } | |
206 | return 0; | |
207 | } | |
208 | ||
209 | static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) | |
210 | { | |
211 | if (unpack_nameX(e, AA_U64, name)) { | |
212 | if (!inbounds(e, sizeof(u64))) | |
213 | return 0; | |
214 | if (data) | |
215 | *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); | |
216 | e->pos += sizeof(u64); | |
217 | return 1; | |
218 | } | |
219 | return 0; | |
220 | } | |
221 | ||
222 | static size_t unpack_array(struct aa_ext *e, const char *name) | |
223 | { | |
224 | if (unpack_nameX(e, AA_ARRAY, name)) { | |
225 | int size; | |
226 | if (!inbounds(e, sizeof(u16))) | |
227 | return 0; | |
228 | size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); | |
229 | e->pos += sizeof(u16); | |
230 | return size; | |
231 | } | |
232 | return 0; | |
233 | } | |
234 | ||
235 | static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) | |
236 | { | |
237 | if (unpack_nameX(e, AA_BLOB, name)) { | |
238 | u32 size; | |
239 | if (!inbounds(e, sizeof(u32))) | |
240 | return 0; | |
241 | size = le32_to_cpu(get_unaligned((u32 *) e->pos)); | |
242 | e->pos += sizeof(u32); | |
243 | if (inbounds(e, (size_t) size)) { | |
244 | *blob = e->pos; | |
245 | e->pos += size; | |
246 | return size; | |
247 | } | |
248 | } | |
249 | return 0; | |
250 | } | |
251 | ||
252 | static int unpack_str(struct aa_ext *e, const char **string, const char *name) | |
253 | { | |
254 | char *src_str; | |
255 | size_t size = 0; | |
256 | void *pos = e->pos; | |
257 | *string = NULL; | |
258 | if (unpack_nameX(e, AA_STRING, name)) { | |
259 | size = unpack_u16_chunk(e, &src_str); | |
260 | if (size) { | |
261 | /* strings are null terminated, length is size - 1 */ | |
262 | if (src_str[size - 1] != 0) | |
263 | goto fail; | |
264 | *string = src_str; | |
265 | } | |
266 | } | |
267 | return size; | |
268 | ||
269 | fail: | |
270 | e->pos = pos; | |
271 | return 0; | |
272 | } | |
273 | ||
274 | static int unpack_strdup(struct aa_ext *e, char **string, const char *name) | |
275 | { | |
276 | const char *tmp; | |
277 | void *pos = e->pos; | |
278 | int res = unpack_str(e, &tmp, name); | |
279 | *string = NULL; | |
280 | ||
281 | if (!res) | |
282 | return 0; | |
283 | ||
284 | *string = kmemdup(tmp, res, GFP_KERNEL); | |
285 | if (!*string) { | |
286 | e->pos = pos; | |
287 | return 0; | |
288 | } | |
289 | ||
290 | return res; | |
291 | } | |
292 | ||
293 | /** | |
294 | * verify_accept - verify the accept tables of a dfa | |
295 | * @dfa: dfa to verify accept tables of (NOT NULL) | |
296 | * @flags: flags governing dfa | |
297 | * | |
298 | * Returns: 1 if valid accept tables else 0 if error | |
299 | */ | |
300 | static bool verify_accept(struct aa_dfa *dfa, int flags) | |
301 | { | |
302 | int i; | |
303 | ||
304 | /* verify accept permissions */ | |
305 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | |
306 | int mode = ACCEPT_TABLE(dfa)[i]; | |
307 | ||
308 | if (mode & ~DFA_VALID_PERM_MASK) | |
309 | return 0; | |
310 | ||
311 | if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) | |
312 | return 0; | |
313 | } | |
314 | return 1; | |
315 | } | |
316 | ||
317 | /** | |
318 | * unpack_dfa - unpack a file rule dfa | |
319 | * @e: serialized data extent information (NOT NULL) | |
320 | * | |
321 | * returns dfa or ERR_PTR or NULL if no dfa | |
322 | */ | |
323 | static struct aa_dfa *unpack_dfa(struct aa_ext *e) | |
324 | { | |
325 | char *blob = NULL; | |
326 | size_t size; | |
327 | struct aa_dfa *dfa = NULL; | |
328 | ||
329 | size = unpack_blob(e, &blob, "aadfa"); | |
330 | if (size) { | |
331 | /* | |
332 | * The dfa is aligned with in the blob to 8 bytes | |
333 | * from the beginning of the stream. | |
334 | */ | |
335 | size_t sz = blob - (char *)e->start; | |
336 | size_t pad = ALIGN(sz, 8) - sz; | |
337 | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | | |
338 | TO_ACCEPT2_FLAG(YYTD_DATA32); | |
339 | ||
340 | ||
341 | if (aa_g_paranoid_load) | |
342 | flags |= DFA_FLAG_VERIFY_STATES; | |
343 | ||
344 | dfa = aa_dfa_unpack(blob + pad, size - pad, flags); | |
345 | ||
346 | if (IS_ERR(dfa)) | |
347 | return dfa; | |
348 | ||
349 | if (!verify_accept(dfa, flags)) | |
350 | goto fail; | |
351 | } | |
352 | ||
353 | return dfa; | |
354 | ||
355 | fail: | |
356 | aa_put_dfa(dfa); | |
357 | return ERR_PTR(-EPROTO); | |
358 | } | |
359 | ||
360 | /** | |
361 | * unpack_trans_table - unpack a profile transition table | |
362 | * @e: serialized data extent information (NOT NULL) | |
363 | * @profile: profile to add the accept table to (NOT NULL) | |
364 | * | |
25985edc | 365 | * Returns: 1 if table successfully unpacked |
736ec752 JJ |
366 | */ |
367 | static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) | |
368 | { | |
369 | void *pos = e->pos; | |
370 | ||
371 | /* exec table is optional */ | |
372 | if (unpack_nameX(e, AA_STRUCT, "xtable")) { | |
373 | int i, size; | |
374 | ||
375 | size = unpack_array(e, NULL); | |
376 | /* currently 4 exec bits and entries 0-3 are reserved iupcx */ | |
377 | if (size > 16 - 4) | |
378 | goto fail; | |
379 | profile->file.trans.table = kzalloc(sizeof(char *) * size, | |
380 | GFP_KERNEL); | |
381 | if (!profile->file.trans.table) | |
382 | goto fail; | |
383 | ||
384 | profile->file.trans.size = size; | |
385 | for (i = 0; i < size; i++) { | |
386 | char *str; | |
7ee95850 | 387 | int c, j, size2 = unpack_strdup(e, &str, NULL); |
736ec752 JJ |
388 | /* unpack_strdup verifies that the last character is |
389 | * null termination byte. | |
390 | */ | |
7ee95850 | 391 | if (!size2) |
736ec752 JJ |
392 | goto fail; |
393 | profile->file.trans.table[i] = str; | |
394 | /* verify that name doesn't start with space */ | |
395 | if (isspace(*str)) | |
396 | goto fail; | |
397 | ||
398 | /* count internal # of internal \0 */ | |
7ee95850 | 399 | for (c = j = 0; j < size2 - 2; j++) { |
736ec752 JJ |
400 | if (!str[j]) |
401 | c++; | |
402 | } | |
403 | if (*str == ':') { | |
404 | /* beginning with : requires an embedded \0, | |
405 | * verify that exactly 1 internal \0 exists | |
406 | * trailing \0 already verified by unpack_strdup | |
407 | */ | |
408 | if (c != 1) | |
409 | goto fail; | |
410 | /* first character after : must be valid */ | |
411 | if (!str[1]) | |
412 | goto fail; | |
413 | } else if (c) | |
414 | /* fail - all other cases with embedded \0 */ | |
415 | goto fail; | |
416 | } | |
417 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | |
418 | goto fail; | |
419 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
420 | goto fail; | |
421 | } | |
422 | return 1; | |
423 | ||
424 | fail: | |
425 | aa_free_domain_entries(&profile->file.trans); | |
426 | e->pos = pos; | |
427 | return 0; | |
428 | } | |
429 | ||
430 | static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) | |
431 | { | |
432 | void *pos = e->pos; | |
433 | ||
434 | /* rlimits are optional */ | |
435 | if (unpack_nameX(e, AA_STRUCT, "rlimits")) { | |
436 | int i, size; | |
437 | u32 tmp = 0; | |
438 | if (!unpack_u32(e, &tmp, NULL)) | |
439 | goto fail; | |
440 | profile->rlimits.mask = tmp; | |
441 | ||
442 | size = unpack_array(e, NULL); | |
443 | if (size > RLIM_NLIMITS) | |
444 | goto fail; | |
445 | for (i = 0; i < size; i++) { | |
7ee95850 | 446 | u64 tmp2 = 0; |
736ec752 | 447 | int a = aa_map_resource(i); |
7ee95850 | 448 | if (!unpack_u64(e, &tmp2, NULL)) |
736ec752 | 449 | goto fail; |
7ee95850 | 450 | profile->rlimits.limits[a].rlim_max = tmp2; |
736ec752 JJ |
451 | } |
452 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | |
453 | goto fail; | |
454 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
455 | goto fail; | |
456 | } | |
457 | return 1; | |
458 | ||
459 | fail: | |
460 | e->pos = pos; | |
461 | return 0; | |
462 | } | |
463 | ||
464 | /** | |
465 | * unpack_profile - unpack a serialized profile | |
466 | * @e: serialized data extent information (NOT NULL) | |
467 | * | |
468 | * NOTE: unpack profile sets audit struct if there is a failure | |
469 | */ | |
470 | static struct aa_profile *unpack_profile(struct aa_ext *e) | |
471 | { | |
472 | struct aa_profile *profile = NULL; | |
473 | const char *name = NULL; | |
ad5ff3db | 474 | int i, error = -EPROTO; |
736ec752 JJ |
475 | kernel_cap_t tmpcap; |
476 | u32 tmp; | |
477 | ||
478 | /* check that we have the right struct being passed */ | |
479 | if (!unpack_nameX(e, AA_STRUCT, "profile")) | |
480 | goto fail; | |
481 | if (!unpack_str(e, &name, NULL)) | |
482 | goto fail; | |
483 | ||
484 | profile = aa_alloc_profile(name); | |
485 | if (!profile) | |
486 | return ERR_PTR(-ENOMEM); | |
487 | ||
488 | /* profile renaming is optional */ | |
489 | (void) unpack_str(e, &profile->rename, "rename"); | |
490 | ||
491 | /* xmatch is optional and may be NULL */ | |
492 | profile->xmatch = unpack_dfa(e); | |
493 | if (IS_ERR(profile->xmatch)) { | |
494 | error = PTR_ERR(profile->xmatch); | |
495 | profile->xmatch = NULL; | |
496 | goto fail; | |
497 | } | |
498 | /* xmatch_len is not optional if xmatch is set */ | |
499 | if (profile->xmatch) { | |
500 | if (!unpack_u32(e, &tmp, NULL)) | |
501 | goto fail; | |
502 | profile->xmatch_len = tmp; | |
503 | } | |
504 | ||
505 | /* per profile debug flags (complain, audit) */ | |
506 | if (!unpack_nameX(e, AA_STRUCT, "flags")) | |
507 | goto fail; | |
508 | if (!unpack_u32(e, &tmp, NULL)) | |
509 | goto fail; | |
510 | if (tmp) | |
511 | profile->flags |= PFLAG_HAT; | |
512 | if (!unpack_u32(e, &tmp, NULL)) | |
513 | goto fail; | |
514 | if (tmp) | |
515 | profile->mode = APPARMOR_COMPLAIN; | |
516 | if (!unpack_u32(e, &tmp, NULL)) | |
517 | goto fail; | |
518 | if (tmp) | |
519 | profile->audit = AUDIT_ALL; | |
520 | ||
521 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
522 | goto fail; | |
523 | ||
524 | /* path_flags is optional */ | |
525 | if (unpack_u32(e, &profile->path_flags, "path_flags")) | |
526 | profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; | |
527 | else | |
528 | /* set a default value if path_flags field is not present */ | |
529 | profile->path_flags = PFLAG_MEDIATE_DELETED; | |
530 | ||
531 | if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) | |
532 | goto fail; | |
533 | if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) | |
534 | goto fail; | |
535 | if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) | |
536 | goto fail; | |
537 | if (!unpack_u32(e, &tmpcap.cap[0], NULL)) | |
538 | goto fail; | |
539 | ||
540 | if (unpack_nameX(e, AA_STRUCT, "caps64")) { | |
541 | /* optional upper half of 64 bit caps */ | |
542 | if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) | |
543 | goto fail; | |
544 | if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) | |
545 | goto fail; | |
546 | if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) | |
547 | goto fail; | |
548 | if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) | |
549 | goto fail; | |
550 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
551 | goto fail; | |
552 | } | |
553 | ||
554 | if (unpack_nameX(e, AA_STRUCT, "capsx")) { | |
555 | /* optional extended caps mediation mask */ | |
556 | if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) | |
557 | goto fail; | |
558 | if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) | |
559 | goto fail; | |
cdbd2884 JJ |
560 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) |
561 | goto fail; | |
736ec752 JJ |
562 | } |
563 | ||
564 | if (!unpack_rlimits(e, profile)) | |
565 | goto fail; | |
566 | ||
ad5ff3db JJ |
567 | if (unpack_nameX(e, AA_STRUCT, "policydb")) { |
568 | /* generic policy dfa - optional and may be NULL */ | |
569 | profile->policy.dfa = unpack_dfa(e); | |
570 | if (IS_ERR(profile->policy.dfa)) { | |
571 | error = PTR_ERR(profile->policy.dfa); | |
572 | profile->policy.dfa = NULL; | |
573 | goto fail; | |
574 | } | |
575 | if (!unpack_u32(e, &profile->policy.start[0], "start")) | |
576 | /* default start state */ | |
577 | profile->policy.start[0] = DFA_START; | |
578 | /* setup class index */ | |
579 | for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { | |
580 | profile->policy.start[i] = | |
581 | aa_dfa_next(profile->policy.dfa, | |
582 | profile->policy.start[0], | |
583 | i); | |
584 | } | |
585 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
586 | goto fail; | |
587 | } | |
588 | ||
736ec752 JJ |
589 | /* get file rules */ |
590 | profile->file.dfa = unpack_dfa(e); | |
591 | if (IS_ERR(profile->file.dfa)) { | |
592 | error = PTR_ERR(profile->file.dfa); | |
593 | profile->file.dfa = NULL; | |
594 | goto fail; | |
595 | } | |
596 | ||
597 | if (!unpack_u32(e, &profile->file.start, "dfa_start")) | |
598 | /* default start state */ | |
599 | profile->file.start = DFA_START; | |
600 | ||
601 | if (!unpack_trans_table(e, profile)) | |
602 | goto fail; | |
603 | ||
604 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | |
605 | goto fail; | |
606 | ||
607 | return profile; | |
608 | ||
609 | fail: | |
610 | if (profile) | |
611 | name = NULL; | |
612 | else if (!name) | |
613 | name = "unknown"; | |
614 | audit_iface(profile, name, "failed to unpack profile", e, error); | |
615 | aa_put_profile(profile); | |
616 | ||
617 | return ERR_PTR(error); | |
618 | } | |
619 | ||
620 | /** | |
621 | * verify_head - unpack serialized stream header | |
622 | * @e: serialized data read head (NOT NULL) | |
623 | * @ns: Returns - namespace if one is specified else NULL (NOT NULL) | |
624 | * | |
625 | * Returns: error or 0 if header is good | |
626 | */ | |
627 | static int verify_header(struct aa_ext *e, const char **ns) | |
628 | { | |
629 | int error = -EPROTONOSUPPORT; | |
630 | /* get the interface version */ | |
631 | if (!unpack_u32(e, &e->version, "version")) { | |
632 | audit_iface(NULL, NULL, "invalid profile format", e, error); | |
633 | return error; | |
634 | } | |
635 | ||
636 | /* check that the interface version is currently supported */ | |
637 | if (e->version != 5) { | |
638 | audit_iface(NULL, NULL, "unsupported interface version", e, | |
639 | error); | |
640 | return error; | |
641 | } | |
642 | ||
643 | /* read the namespace if present */ | |
644 | if (!unpack_str(e, ns, "namespace")) | |
645 | *ns = NULL; | |
646 | ||
647 | return 0; | |
648 | } | |
649 | ||
650 | static bool verify_xindex(int xindex, int table_size) | |
651 | { | |
652 | int index, xtype; | |
653 | xtype = xindex & AA_X_TYPE_MASK; | |
654 | index = xindex & AA_X_INDEX_MASK; | |
655 | if (xtype == AA_X_TABLE && index > table_size) | |
656 | return 0; | |
657 | return 1; | |
658 | } | |
659 | ||
660 | /* verify dfa xindexes are in range of transition tables */ | |
661 | static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) | |
662 | { | |
663 | int i; | |
664 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | |
665 | if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) | |
666 | return 0; | |
667 | if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) | |
668 | return 0; | |
669 | } | |
670 | return 1; | |
671 | } | |
672 | ||
673 | /** | |
674 | * verify_profile - Do post unpack analysis to verify profile consistency | |
675 | * @profile: profile to verify (NOT NULL) | |
676 | * | |
677 | * Returns: 0 if passes verification else error | |
678 | */ | |
679 | static int verify_profile(struct aa_profile *profile) | |
680 | { | |
681 | if (aa_g_paranoid_load) { | |
682 | if (profile->file.dfa && | |
683 | !verify_dfa_xindex(profile->file.dfa, | |
684 | profile->file.trans.size)) { | |
685 | audit_iface(profile, NULL, "Invalid named transition", | |
686 | NULL, -EPROTO); | |
687 | return -EPROTO; | |
688 | } | |
689 | } | |
690 | ||
691 | return 0; | |
692 | } | |
693 | ||
694 | /** | |
695 | * aa_unpack - unpack packed binary profile data loaded from user space | |
696 | * @udata: user data copied to kmem (NOT NULL) | |
697 | * @size: the size of the user data | |
698 | * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) | |
699 | * | |
700 | * Unpack user data and return refcounted allocated profile or ERR_PTR | |
701 | * | |
702 | * Returns: profile else error pointer if fails to unpack | |
703 | */ | |
704 | struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns) | |
705 | { | |
706 | struct aa_profile *profile = NULL; | |
707 | int error; | |
708 | struct aa_ext e = { | |
709 | .start = udata, | |
710 | .end = udata + size, | |
711 | .pos = udata, | |
712 | }; | |
713 | ||
714 | error = verify_header(&e, ns); | |
715 | if (error) | |
716 | return ERR_PTR(error); | |
717 | ||
718 | profile = unpack_profile(&e); | |
719 | if (IS_ERR(profile)) | |
720 | return profile; | |
721 | ||
722 | error = verify_profile(profile); | |
723 | if (error) { | |
724 | aa_put_profile(profile); | |
725 | profile = ERR_PTR(error); | |
726 | } | |
727 | ||
728 | /* return refcount */ | |
729 | return profile; | |
730 | } |