f122a08b19
Back in 2008 we extended the capability bits from 32 to 64, and we did it by extending the single 32-bit capability word from one word to an array of two words. It was then obfuscated by hiding the "2" behind two macro expansions, with the reasoning being that maybe it gets extended further some day. That reasoning may have been valid at the time, but the last thing we want to do is to extend the capability set any more. And the array of values not only causes source code oddities (with loops to deal with it), but also results in worse code generation. It's a lose-lose situation. So just change the 'u32[2]' into a 'u64' and be done with it. We still have to deal with the fact that the user space interface is designed around an array of these 32-bit values, but that was the case before too, since the array layouts were different (ie user space doesn't use an array of 32-bit values for individual capability masks, but an array of 32-bit slices of multiple masks). So that marshalling of data is actually simplified too, even if it does remain somewhat obscure and odd. This was all triggered by my reaction to the new "cap_isidentical()" introduced recently. By just using a saner data structure, it went from unsigned __capi; CAP_FOR_EACH_U32(__capi) { if (a.cap[__capi] != b.cap[__capi]) return false; } return true; to just being return a.val == b.val; instead. Which is rather more obvious both to humans and to compilers. Cc: Mateusz Guzik <mjguzik@gmail.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Serge Hallyn <serge@hallyn.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1448 lines
34 KiB
C
1448 lines
34 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor functions for unpacking policy loaded from
|
|
* userspace.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* AppArmor uses a serialized binary format for loading policy. To find
|
|
* policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
|
|
* All policy is validated before it is used.
|
|
*/
|
|
|
|
#include <asm/unaligned.h>
|
|
#include <kunit/visibility.h>
|
|
#include <linux/ctype.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/zstd.h>
|
|
|
|
#include "include/apparmor.h"
|
|
#include "include/audit.h"
|
|
#include "include/cred.h"
|
|
#include "include/crypto.h"
|
|
#include "include/file.h"
|
|
#include "include/match.h"
|
|
#include "include/path.h"
|
|
#include "include/policy.h"
|
|
#include "include/policy_unpack.h"
|
|
#include "include/policy_compat.h"
|
|
|
|
/* audit callback for unpack fields */
|
|
static void audit_cb(struct audit_buffer *ab, void *va)
|
|
{
|
|
struct common_audit_data *sa = va;
|
|
|
|
if (aad(sa)->iface.ns) {
|
|
audit_log_format(ab, " ns=");
|
|
audit_log_untrustedstring(ab, aad(sa)->iface.ns);
|
|
}
|
|
if (aad(sa)->name) {
|
|
audit_log_format(ab, " name=");
|
|
audit_log_untrustedstring(ab, aad(sa)->name);
|
|
}
|
|
if (aad(sa)->iface.pos)
|
|
audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
|
|
}
|
|
|
|
/**
|
|
* audit_iface - do audit message for policy unpacking/load/replace/remove
|
|
* @new: profile if it has been allocated (MAYBE NULL)
|
|
* @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
|
|
* @name: name of the profile being manipulated (MAYBE NULL)
|
|
* @info: any extra info about the failure (MAYBE NULL)
|
|
* @e: buffer position info
|
|
* @error: error code
|
|
*
|
|
* Returns: %0 or error
|
|
*/
|
|
static int audit_iface(struct aa_profile *new, const char *ns_name,
|
|
const char *name, const char *info, struct aa_ext *e,
|
|
int error)
|
|
{
|
|
struct aa_profile *profile = labels_profile(aa_current_raw_label());
|
|
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
|
|
if (e)
|
|
aad(&sa)->iface.pos = e->pos - e->start;
|
|
aad(&sa)->iface.ns = ns_name;
|
|
if (new)
|
|
aad(&sa)->name = new->base.hname;
|
|
else
|
|
aad(&sa)->name = name;
|
|
aad(&sa)->info = info;
|
|
aad(&sa)->error = error;
|
|
|
|
return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
|
|
}
|
|
|
|
void __aa_loaddata_update(struct aa_loaddata *data, long revision)
|
|
{
|
|
AA_BUG(!data);
|
|
AA_BUG(!data->ns);
|
|
AA_BUG(!mutex_is_locked(&data->ns->lock));
|
|
AA_BUG(data->revision > revision);
|
|
|
|
data->revision = revision;
|
|
if ((data->dents[AAFS_LOADDATA_REVISION])) {
|
|
d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime =
|
|
current_time(d_inode(data->dents[AAFS_LOADDATA_DIR]));
|
|
d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime =
|
|
current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION]));
|
|
}
|
|
}
|
|
|
|
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
|
|
{
|
|
if (l->size != r->size)
|
|
return false;
|
|
if (l->compressed_size != r->compressed_size)
|
|
return false;
|
|
if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
|
|
return false;
|
|
return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
|
|
}
|
|
|
|
/*
|
|
* need to take the ns mutex lock which is NOT safe most places that
|
|
* put_loaddata is called, so we have to delay freeing it
|
|
*/
|
|
static void do_loaddata_free(struct work_struct *work)
|
|
{
|
|
struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
|
|
struct aa_ns *ns = aa_get_ns(d->ns);
|
|
|
|
if (ns) {
|
|
mutex_lock_nested(&ns->lock, ns->level);
|
|
__aa_fs_remove_rawdata(d);
|
|
mutex_unlock(&ns->lock);
|
|
aa_put_ns(ns);
|
|
}
|
|
|
|
kfree_sensitive(d->hash);
|
|
kfree_sensitive(d->name);
|
|
kvfree(d->data);
|
|
kfree_sensitive(d);
|
|
}
|
|
|
|
void aa_loaddata_kref(struct kref *kref)
|
|
{
|
|
struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
|
|
|
|
if (d) {
|
|
INIT_WORK(&d->work, do_loaddata_free);
|
|
schedule_work(&d->work);
|
|
}
|
|
}
|
|
|
|
struct aa_loaddata *aa_loaddata_alloc(size_t size)
|
|
{
|
|
struct aa_loaddata *d;
|
|
|
|
d = kzalloc(sizeof(*d), GFP_KERNEL);
|
|
if (d == NULL)
|
|
return ERR_PTR(-ENOMEM);
|
|
d->data = kvzalloc(size, GFP_KERNEL);
|
|
if (!d->data) {
|
|
kfree(d);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
kref_init(&d->count);
|
|
INIT_LIST_HEAD(&d->list);
|
|
|
|
return d;
|
|
}
|
|
|
|
/* test if read will be in packed data bounds */
|
|
VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size)
|
|
{
|
|
return (size <= e->end - e->pos);
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_inbounds);
|
|
|
|
/**
|
|
* aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
|
|
* @e: serialized data read head (NOT NULL)
|
|
* @chunk: start address for chunk of data (NOT NULL)
|
|
*
|
|
* Returns: the size of chunk found with the read head at the end of the chunk.
|
|
*/
|
|
VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk)
|
|
{
|
|
size_t size = 0;
|
|
void *pos = e->pos;
|
|
|
|
if (!aa_inbounds(e, sizeof(u16)))
|
|
goto fail;
|
|
size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
|
|
e->pos += sizeof(__le16);
|
|
if (!aa_inbounds(e, size))
|
|
goto fail;
|
|
*chunk = e->pos;
|
|
e->pos += size;
|
|
return size;
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk);
|
|
|
|
/* unpack control byte */
|
|
VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code)
|
|
{
|
|
if (!aa_inbounds(e, 1))
|
|
return false;
|
|
if (*(u8 *) e->pos != code)
|
|
return false;
|
|
e->pos++;
|
|
return true;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X);
|
|
|
|
/**
|
|
* aa_unpack_nameX - check is the next element is of type X with a name of @name
|
|
* @e: serialized data extent information (NOT NULL)
|
|
* @code: type code
|
|
* @name: name to match to the serialized element. (MAYBE NULL)
|
|
*
|
|
* check that the next serialized data element is of type X and has a tag
|
|
* name @name. If @name is specified then there must be a matching
|
|
* name element in the stream. If @name is NULL any name element will be
|
|
* skipped and only the typecode will be tested.
|
|
*
|
|
* Returns true on success (both type code and name tests match) and the read
|
|
* head is advanced past the headers
|
|
*
|
|
* Returns: false if either match fails, the read head does not move
|
|
*/
|
|
VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
|
|
{
|
|
/*
|
|
* May need to reset pos if name or type doesn't match
|
|
*/
|
|
void *pos = e->pos;
|
|
/*
|
|
* Check for presence of a tagname, and if present name size
|
|
* AA_NAME tag value is a u16.
|
|
*/
|
|
if (aa_unpack_X(e, AA_NAME)) {
|
|
char *tag = NULL;
|
|
size_t size = aa_unpack_u16_chunk(e, &tag);
|
|
/* if a name is specified it must match. otherwise skip tag */
|
|
if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
|
|
goto fail;
|
|
} else if (name) {
|
|
/* if a name is specified and there is no name tag fail */
|
|
goto fail;
|
|
}
|
|
|
|
/* now check if type code matches */
|
|
if (aa_unpack_X(e, code))
|
|
return true;
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX);
|
|
|
|
static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
if (aa_unpack_nameX(e, AA_U8, name)) {
|
|
if (!aa_inbounds(e, sizeof(u8)))
|
|
goto fail;
|
|
if (data)
|
|
*data = *((u8 *)e->pos);
|
|
e->pos += sizeof(u8);
|
|
return true;
|
|
}
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
|
|
VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
if (aa_unpack_nameX(e, AA_U32, name)) {
|
|
if (!aa_inbounds(e, sizeof(u32)))
|
|
goto fail;
|
|
if (data)
|
|
*data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
|
|
e->pos += sizeof(u32);
|
|
return true;
|
|
}
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32);
|
|
|
|
VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
if (aa_unpack_nameX(e, AA_U64, name)) {
|
|
if (!aa_inbounds(e, sizeof(u64)))
|
|
goto fail;
|
|
if (data)
|
|
*data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
|
|
e->pos += sizeof(u64);
|
|
return true;
|
|
}
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64);
|
|
|
|
static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name)
|
|
{
|
|
u32 val;
|
|
|
|
if (!aa_unpack_u32(e, &val, name))
|
|
return false;
|
|
data->val = val;
|
|
return true;
|
|
}
|
|
|
|
static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name)
|
|
{
|
|
u32 val;
|
|
|
|
if (!aa_unpack_u32(e, &val, name))
|
|
return false;
|
|
data->val = (u32)data->val | ((u64)val << 32);
|
|
return true;
|
|
}
|
|
|
|
VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
if (aa_unpack_nameX(e, AA_ARRAY, name)) {
|
|
if (!aa_inbounds(e, sizeof(u16)))
|
|
goto fail;
|
|
*size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
|
|
e->pos += sizeof(u16);
|
|
return true;
|
|
}
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array);
|
|
|
|
VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
if (aa_unpack_nameX(e, AA_BLOB, name)) {
|
|
u32 size;
|
|
if (!aa_inbounds(e, sizeof(u32)))
|
|
goto fail;
|
|
size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
|
|
e->pos += sizeof(u32);
|
|
if (aa_inbounds(e, (size_t) size)) {
|
|
*blob = e->pos;
|
|
e->pos += size;
|
|
return size;
|
|
}
|
|
}
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob);
|
|
|
|
VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name)
|
|
{
|
|
char *src_str;
|
|
size_t size = 0;
|
|
void *pos = e->pos;
|
|
*string = NULL;
|
|
if (aa_unpack_nameX(e, AA_STRING, name)) {
|
|
size = aa_unpack_u16_chunk(e, &src_str);
|
|
if (size) {
|
|
/* strings are null terminated, length is size - 1 */
|
|
if (src_str[size - 1] != 0)
|
|
goto fail;
|
|
*string = src_str;
|
|
|
|
return size;
|
|
}
|
|
}
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str);
|
|
|
|
VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name)
|
|
{
|
|
const char *tmp;
|
|
void *pos = e->pos;
|
|
int res = aa_unpack_str(e, &tmp, name);
|
|
*string = NULL;
|
|
|
|
if (!res)
|
|
return 0;
|
|
|
|
*string = kmemdup(tmp, res, GFP_KERNEL);
|
|
if (!*string) {
|
|
e->pos = pos;
|
|
return 0;
|
|
}
|
|
|
|
return res;
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup);
|
|
|
|
|
|
/**
|
|
* unpack_dfa - unpack a file rule dfa
|
|
* @e: serialized data extent information (NOT NULL)
|
|
* @flags: dfa flags to check
|
|
*
|
|
* returns dfa or ERR_PTR or NULL if no dfa
|
|
*/
|
|
static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags)
|
|
{
|
|
char *blob = NULL;
|
|
size_t size;
|
|
struct aa_dfa *dfa = NULL;
|
|
|
|
size = aa_unpack_blob(e, &blob, "aadfa");
|
|
if (size) {
|
|
/*
|
|
* The dfa is aligned with in the blob to 8 bytes
|
|
* from the beginning of the stream.
|
|
* alignment adjust needed by dfa unpack
|
|
*/
|
|
size_t sz = blob - (char *) e->start -
|
|
((e->pos - e->start) & 7);
|
|
size_t pad = ALIGN(sz, 8) - sz;
|
|
if (aa_g_paranoid_load)
|
|
flags |= DFA_FLAG_VERIFY_STATES;
|
|
dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
|
|
|
|
if (IS_ERR(dfa))
|
|
return dfa;
|
|
|
|
}
|
|
|
|
return dfa;
|
|
}
|
|
|
|
/**
|
|
* unpack_trans_table - unpack a profile transition table
|
|
* @e: serialized data extent information (NOT NULL)
|
|
* @table: str table to unpack to (NOT NULL)
|
|
*
|
|
* Returns: true if table successfully unpacked or not present
|
|
*/
|
|
static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
|
|
{
|
|
void *saved_pos = e->pos;
|
|
char **table = NULL;
|
|
|
|
/* exec table is optional */
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "xtable")) {
|
|
u16 size;
|
|
int i;
|
|
|
|
if (!aa_unpack_array(e, NULL, &size))
|
|
/*
|
|
* Note: index into trans table array is a max
|
|
* of 2^24, but unpack array can only unpack
|
|
* an array of 2^16 in size atm so no need
|
|
* for size check here
|
|
*/
|
|
goto fail;
|
|
table = kcalloc(size, sizeof(char *), GFP_KERNEL);
|
|
if (!table)
|
|
goto fail;
|
|
|
|
for (i = 0; i < size; i++) {
|
|
char *str;
|
|
int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL);
|
|
/* aa_unpack_strdup verifies that the last character is
|
|
* null termination byte.
|
|
*/
|
|
if (!size2)
|
|
goto fail;
|
|
table[i] = str;
|
|
/* verify that name doesn't start with space */
|
|
if (isspace(*str))
|
|
goto fail;
|
|
|
|
/* count internal # of internal \0 */
|
|
for (c = j = 0; j < size2 - 1; j++) {
|
|
if (!str[j]) {
|
|
pos = j;
|
|
c++;
|
|
}
|
|
}
|
|
if (*str == ':') {
|
|
/* first character after : must be valid */
|
|
if (!str[1])
|
|
goto fail;
|
|
/* beginning with : requires an embedded \0,
|
|
* verify that exactly 1 internal \0 exists
|
|
* trailing \0 already verified by aa_unpack_strdup
|
|
*
|
|
* convert \0 back to : for label_parse
|
|
*/
|
|
if (c == 1)
|
|
str[pos] = ':';
|
|
else if (c > 1)
|
|
goto fail;
|
|
} else if (c)
|
|
/* fail - all other cases with embedded \0 */
|
|
goto fail;
|
|
}
|
|
if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
|
|
strs->table = table;
|
|
strs->size = size;
|
|
}
|
|
return true;
|
|
|
|
fail:
|
|
kfree_sensitive(table);
|
|
e->pos = saved_pos;
|
|
return false;
|
|
}
|
|
|
|
static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) {
|
|
u16 size;
|
|
int i;
|
|
|
|
if (!aa_unpack_array(e, NULL, &size))
|
|
goto fail;
|
|
profile->attach.xattr_count = size;
|
|
profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
|
|
if (!profile->attach.xattrs)
|
|
goto fail;
|
|
for (i = 0; i < size; i++) {
|
|
if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL))
|
|
goto fail;
|
|
}
|
|
if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
}
|
|
|
|
return true;
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
|
|
static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
|
|
{
|
|
void *pos = e->pos;
|
|
u16 size;
|
|
int i;
|
|
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
|
|
if (!aa_unpack_array(e, NULL, &size))
|
|
goto fail;
|
|
|
|
rules->secmark = kcalloc(size, sizeof(struct aa_secmark),
|
|
GFP_KERNEL);
|
|
if (!rules->secmark)
|
|
goto fail;
|
|
|
|
rules->secmark_count = size;
|
|
|
|
for (i = 0; i < size; i++) {
|
|
if (!unpack_u8(e, &rules->secmark[i].audit, NULL))
|
|
goto fail;
|
|
if (!unpack_u8(e, &rules->secmark[i].deny, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL))
|
|
goto fail;
|
|
}
|
|
if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
}
|
|
|
|
return true;
|
|
|
|
fail:
|
|
if (rules->secmark) {
|
|
for (i = 0; i < size; i++)
|
|
kfree(rules->secmark[i].label);
|
|
kfree(rules->secmark);
|
|
rules->secmark_count = 0;
|
|
rules->secmark = NULL;
|
|
}
|
|
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
|
|
static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules)
|
|
{
|
|
void *pos = e->pos;
|
|
|
|
/* rlimits are optional */
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) {
|
|
u16 size;
|
|
int i;
|
|
u32 tmp = 0;
|
|
if (!aa_unpack_u32(e, &tmp, NULL))
|
|
goto fail;
|
|
rules->rlimits.mask = tmp;
|
|
|
|
if (!aa_unpack_array(e, NULL, &size) ||
|
|
size > RLIM_NLIMITS)
|
|
goto fail;
|
|
for (i = 0; i < size; i++) {
|
|
u64 tmp2 = 0;
|
|
int a = aa_map_resource(i);
|
|
if (!aa_unpack_u64(e, &tmp2, NULL))
|
|
goto fail;
|
|
rules->rlimits.limits[a].rlim_max = tmp2;
|
|
}
|
|
if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
}
|
|
return true;
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return false;
|
|
}
|
|
|
|
static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm)
|
|
{
|
|
if (version != 1)
|
|
return false;
|
|
|
|
return aa_unpack_u32(e, &perm->allow, NULL) &&
|
|
aa_unpack_u32(e, &perm->allow, NULL) &&
|
|
aa_unpack_u32(e, &perm->deny, NULL) &&
|
|
aa_unpack_u32(e, &perm->subtree, NULL) &&
|
|
aa_unpack_u32(e, &perm->cond, NULL) &&
|
|
aa_unpack_u32(e, &perm->kill, NULL) &&
|
|
aa_unpack_u32(e, &perm->complain, NULL) &&
|
|
aa_unpack_u32(e, &perm->prompt, NULL) &&
|
|
aa_unpack_u32(e, &perm->audit, NULL) &&
|
|
aa_unpack_u32(e, &perm->quiet, NULL) &&
|
|
aa_unpack_u32(e, &perm->hide, NULL) &&
|
|
aa_unpack_u32(e, &perm->xindex, NULL) &&
|
|
aa_unpack_u32(e, &perm->tag, NULL) &&
|
|
aa_unpack_u32(e, &perm->label, NULL);
|
|
}
|
|
|
|
static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms)
|
|
{
|
|
void *pos = e->pos;
|
|
u16 size = 0;
|
|
|
|
AA_BUG(!perms);
|
|
/*
|
|
* policy perms are optional, in which case perms are embedded
|
|
* in the dfa accept table
|
|
*/
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "perms")) {
|
|
int i;
|
|
u32 version;
|
|
|
|
if (!aa_unpack_u32(e, &version, "version"))
|
|
goto fail_reset;
|
|
if (!aa_unpack_array(e, NULL, &size))
|
|
goto fail_reset;
|
|
*perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL);
|
|
if (!*perms)
|
|
goto fail_reset;
|
|
for (i = 0; i < size; i++) {
|
|
if (!unpack_perm(e, version, &(*perms)[i]))
|
|
goto fail;
|
|
}
|
|
if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
} else
|
|
*perms = NULL;
|
|
|
|
return size;
|
|
|
|
fail:
|
|
kfree(*perms);
|
|
fail_reset:
|
|
e->pos = pos;
|
|
return -EPROTO;
|
|
}
|
|
|
|
static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy,
|
|
bool required_dfa, bool required_trans,
|
|
const char **info)
|
|
{
|
|
void *pos = e->pos;
|
|
int i, flags, error = -EPROTO;
|
|
ssize_t size;
|
|
|
|
size = unpack_perms_table(e, &policy->perms);
|
|
if (size < 0) {
|
|
error = size;
|
|
policy->perms = NULL;
|
|
*info = "failed to unpack - perms";
|
|
goto fail;
|
|
}
|
|
policy->size = size;
|
|
|
|
if (policy->perms) {
|
|
/* perms table present accept is index */
|
|
flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
|
|
} else {
|
|
/* packed perms in accept1 and accept2 */
|
|
flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
|
|
TO_ACCEPT2_FLAG(YYTD_DATA32);
|
|
}
|
|
|
|
policy->dfa = unpack_dfa(e, flags);
|
|
if (IS_ERR(policy->dfa)) {
|
|
error = PTR_ERR(policy->dfa);
|
|
policy->dfa = NULL;
|
|
*info = "failed to unpack - dfa";
|
|
goto fail;
|
|
} else if (!policy->dfa) {
|
|
if (required_dfa) {
|
|
*info = "missing required dfa";
|
|
goto fail;
|
|
}
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* only unpack the following if a dfa is present
|
|
*
|
|
* sadly start was given different names for file and policydb
|
|
* but since it is optional we can try both
|
|
*/
|
|
if (!aa_unpack_u32(e, &policy->start[0], "start"))
|
|
/* default start state */
|
|
policy->start[0] = DFA_START;
|
|
if (!aa_unpack_u32(e, &policy->start[AA_CLASS_FILE], "dfa_start")) {
|
|
/* default start state for xmatch and file dfa */
|
|
policy->start[AA_CLASS_FILE] = DFA_START;
|
|
} /* setup class index */
|
|
for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
|
|
policy->start[i] = aa_dfa_next(policy->dfa, policy->start[0],
|
|
i);
|
|
}
|
|
if (!unpack_trans_table(e, &policy->trans) && required_trans) {
|
|
*info = "failed to unpack profile transition table";
|
|
goto fail;
|
|
}
|
|
|
|
/* TODO: move compat mapping here, requires dfa merging first */
|
|
/* TODO: move verify here, it has to be done after compat mappings */
|
|
out:
|
|
return 0;
|
|
|
|
fail:
|
|
e->pos = pos;
|
|
return error;
|
|
}
|
|
|
|
static u32 strhash(const void *data, u32 len, u32 seed)
|
|
{
|
|
const char * const *key = data;
|
|
|
|
return jhash(*key, strlen(*key), seed);
|
|
}
|
|
|
|
static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
|
|
{
|
|
const struct aa_data *data = obj;
|
|
const char * const *key = arg->key;
|
|
|
|
return strcmp(data->key, *key);
|
|
}
|
|
|
|
/**
|
|
* unpack_profile - unpack a serialized profile
|
|
* @e: serialized data extent information (NOT NULL)
|
|
* @ns_name: pointer of newly allocated copy of %NULL in case of error
|
|
*
|
|
* NOTE: unpack profile sets audit struct if there is a failure
|
|
*/
|
|
static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
|
{
|
|
struct aa_ruleset *rules;
|
|
struct aa_profile *profile = NULL;
|
|
const char *tmpname, *tmpns = NULL, *name = NULL;
|
|
const char *info = "failed to unpack profile";
|
|
size_t ns_len;
|
|
struct rhashtable_params params = { 0 };
|
|
char *key = NULL;
|
|
struct aa_data *data;
|
|
int error = -EPROTO;
|
|
kernel_cap_t tmpcap;
|
|
u32 tmp;
|
|
|
|
*ns_name = NULL;
|
|
|
|
/* check that we have the right struct being passed */
|
|
if (!aa_unpack_nameX(e, AA_STRUCT, "profile"))
|
|
goto fail;
|
|
if (!aa_unpack_str(e, &name, NULL))
|
|
goto fail;
|
|
if (*name == '\0')
|
|
goto fail;
|
|
|
|
tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
|
|
if (tmpns) {
|
|
*ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
|
|
if (!*ns_name) {
|
|
info = "out of memory";
|
|
error = -ENOMEM;
|
|
goto fail;
|
|
}
|
|
name = tmpname;
|
|
}
|
|
|
|
profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
|
|
if (!profile) {
|
|
info = "out of memory";
|
|
error = -ENOMEM;
|
|
goto fail;
|
|
}
|
|
rules = list_first_entry(&profile->rules, typeof(*rules), list);
|
|
|
|
/* profile renaming is optional */
|
|
(void) aa_unpack_str(e, &profile->rename, "rename");
|
|
|
|
/* attachment string is optional */
|
|
(void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach");
|
|
|
|
/* xmatch is optional and may be NULL */
|
|
error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info);
|
|
if (error) {
|
|
info = "bad xmatch";
|
|
goto fail;
|
|
}
|
|
|
|
/* neither xmatch_len not xmatch_perms are optional if xmatch is set */
|
|
if (profile->attach.xmatch.dfa) {
|
|
if (!aa_unpack_u32(e, &tmp, NULL)) {
|
|
info = "missing xmatch len";
|
|
goto fail;
|
|
}
|
|
profile->attach.xmatch_len = tmp;
|
|
profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
|
|
error = aa_compat_map_xmatch(&profile->attach.xmatch);
|
|
if (error) {
|
|
info = "failed to convert xmatch permission table";
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
/* disconnected attachment string is optional */
|
|
(void) aa_unpack_str(e, &profile->disconnected, "disconnected");
|
|
|
|
/* per profile debug flags (complain, audit) */
|
|
if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
|
|
info = "profile missing flags";
|
|
goto fail;
|
|
}
|
|
info = "failed to unpack profile flags";
|
|
if (!aa_unpack_u32(e, &tmp, NULL))
|
|
goto fail;
|
|
if (tmp & PACKED_FLAG_HAT)
|
|
profile->label.flags |= FLAG_HAT;
|
|
if (tmp & PACKED_FLAG_DEBUG1)
|
|
profile->label.flags |= FLAG_DEBUG1;
|
|
if (tmp & PACKED_FLAG_DEBUG2)
|
|
profile->label.flags |= FLAG_DEBUG2;
|
|
if (!aa_unpack_u32(e, &tmp, NULL))
|
|
goto fail;
|
|
if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
|
|
profile->mode = APPARMOR_COMPLAIN;
|
|
} else if (tmp == PACKED_MODE_ENFORCE) {
|
|
profile->mode = APPARMOR_ENFORCE;
|
|
} else if (tmp == PACKED_MODE_KILL) {
|
|
profile->mode = APPARMOR_KILL;
|
|
} else if (tmp == PACKED_MODE_UNCONFINED) {
|
|
profile->mode = APPARMOR_UNCONFINED;
|
|
profile->label.flags |= FLAG_UNCONFINED;
|
|
} else if (tmp == PACKED_MODE_USER) {
|
|
profile->mode = APPARMOR_USER;
|
|
} else {
|
|
goto fail;
|
|
}
|
|
if (!aa_unpack_u32(e, &tmp, NULL))
|
|
goto fail;
|
|
if (tmp)
|
|
profile->audit = AUDIT_ALL;
|
|
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
|
|
/* path_flags is optional */
|
|
if (aa_unpack_u32(e, &profile->path_flags, "path_flags"))
|
|
profile->path_flags |= profile->label.flags &
|
|
PATH_MEDIATE_DELETED;
|
|
else
|
|
/* set a default value if path_flags field is not present */
|
|
profile->path_flags = PATH_MEDIATE_DELETED;
|
|
|
|
info = "failed to unpack profile capabilities";
|
|
if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_low(e, &tmpcap, NULL))
|
|
goto fail;
|
|
|
|
info = "failed to unpack upper profile capabilities";
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) {
|
|
/* optional upper half of 64 bit caps */
|
|
if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_high(e, &tmpcap, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
}
|
|
|
|
info = "failed to unpack extended profile capabilities";
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) {
|
|
/* optional extended caps mediation mask */
|
|
if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL))
|
|
goto fail;
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
}
|
|
|
|
if (!unpack_xattrs(e, profile)) {
|
|
info = "failed to unpack profile xattrs";
|
|
goto fail;
|
|
}
|
|
|
|
if (!unpack_rlimits(e, rules)) {
|
|
info = "failed to unpack profile rlimits";
|
|
goto fail;
|
|
}
|
|
|
|
if (!unpack_secmark(e, rules)) {
|
|
info = "failed to unpack profile secmark rules";
|
|
goto fail;
|
|
}
|
|
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
|
|
/* generic policy dfa - optional and may be NULL */
|
|
info = "failed to unpack policydb";
|
|
error = unpack_pdb(e, &rules->policy, true, false,
|
|
&info);
|
|
if (error)
|
|
goto fail;
|
|
/* Fixup: drop when we get rid of start array */
|
|
if (aa_dfa_next(rules->policy.dfa, rules->policy.start[0],
|
|
AA_CLASS_FILE))
|
|
rules->policy.start[AA_CLASS_FILE] =
|
|
aa_dfa_next(rules->policy.dfa,
|
|
rules->policy.start[0],
|
|
AA_CLASS_FILE);
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
|
goto fail;
|
|
error = aa_compat_map_policy(&rules->policy, e->version);
|
|
if (error) {
|
|
info = "failed to remap policydb permission table";
|
|
goto fail;
|
|
}
|
|
} else
|
|
rules->policy.dfa = aa_get_dfa(nulldfa);
|
|
|
|
/* get file rules */
|
|
error = unpack_pdb(e, &rules->file, false, true, &info);
|
|
if (error) {
|
|
goto fail;
|
|
} else if (rules->file.dfa) {
|
|
error = aa_compat_map_file(&rules->file);
|
|
if (error) {
|
|
info = "failed to remap file permission table";
|
|
goto fail;
|
|
}
|
|
} else if (rules->policy.dfa &&
|
|
rules->policy.start[AA_CLASS_FILE]) {
|
|
rules->file.dfa = aa_get_dfa(rules->policy.dfa);
|
|
rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
|
|
} else
|
|
rules->file.dfa = aa_get_dfa(nulldfa);
|
|
|
|
error = -EPROTO;
|
|
if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
|
|
info = "out of memory";
|
|
profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
|
|
if (!profile->data) {
|
|
error = -ENOMEM;
|
|
goto fail;
|
|
}
|
|
params.nelem_hint = 3;
|
|
params.key_len = sizeof(void *);
|
|
params.key_offset = offsetof(struct aa_data, key);
|
|
params.head_offset = offsetof(struct aa_data, head);
|
|
params.hashfn = strhash;
|
|
params.obj_cmpfn = datacmp;
|
|
|
|
if (rhashtable_init(profile->data, ¶ms)) {
|
|
info = "failed to init key, value hash table";
|
|
goto fail;
|
|
}
|
|
|
|
while (aa_unpack_strdup(e, &key, NULL)) {
|
|
data = kzalloc(sizeof(*data), GFP_KERNEL);
|
|
if (!data) {
|
|
kfree_sensitive(key);
|
|
error = -ENOMEM;
|
|
goto fail;
|
|
}
|
|
|
|
data->key = key;
|
|
data->size = aa_unpack_blob(e, &data->data, NULL);
|
|
data->data = kvmemdup(data->data, data->size, GFP_KERNEL);
|
|
if (data->size && !data->data) {
|
|
kfree_sensitive(data->key);
|
|
kfree_sensitive(data);
|
|
error = -ENOMEM;
|
|
goto fail;
|
|
}
|
|
|
|
rhashtable_insert_fast(profile->data, &data->head,
|
|
profile->data->p);
|
|
}
|
|
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
|
|
info = "failed to unpack end of key, value data table";
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
|
|
info = "failed to unpack end of profile";
|
|
goto fail;
|
|
}
|
|
|
|
return profile;
|
|
|
|
fail:
|
|
if (error == 0)
|
|
/* default error covers most cases */
|
|
error = -EPROTO;
|
|
if (*ns_name) {
|
|
kfree(*ns_name);
|
|
*ns_name = NULL;
|
|
}
|
|
if (profile)
|
|
name = NULL;
|
|
else if (!name)
|
|
name = "unknown";
|
|
audit_iface(profile, NULL, name, info, e, error);
|
|
aa_free_profile(profile);
|
|
|
|
return ERR_PTR(error);
|
|
}
|
|
|
|
/**
|
|
* verify_header - unpack serialized stream header
|
|
* @e: serialized data read head (NOT NULL)
|
|
* @required: whether the header is required or optional
|
|
* @ns: Returns - namespace if one is specified else NULL (NOT NULL)
|
|
*
|
|
* Returns: error or 0 if header is good
|
|
*/
|
|
static int verify_header(struct aa_ext *e, int required, const char **ns)
|
|
{
|
|
int error = -EPROTONOSUPPORT;
|
|
const char *name = NULL;
|
|
*ns = NULL;
|
|
|
|
/* get the interface version */
|
|
if (!aa_unpack_u32(e, &e->version, "version")) {
|
|
if (required) {
|
|
audit_iface(NULL, NULL, NULL, "invalid profile format",
|
|
e, error);
|
|
return error;
|
|
}
|
|
}
|
|
|
|
/* Check that the interface version is currently supported.
|
|
* if not specified use previous version
|
|
* Mask off everything that is not kernel abi version
|
|
*/
|
|
if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) {
|
|
audit_iface(NULL, NULL, NULL, "unsupported interface version",
|
|
e, error);
|
|
return error;
|
|
}
|
|
|
|
/* read the namespace if present */
|
|
if (aa_unpack_str(e, &name, "namespace")) {
|
|
if (*name == '\0') {
|
|
audit_iface(NULL, NULL, NULL, "invalid namespace name",
|
|
e, error);
|
|
return error;
|
|
}
|
|
if (*ns && strcmp(*ns, name)) {
|
|
audit_iface(NULL, NULL, NULL, "invalid ns change", e,
|
|
error);
|
|
} else if (!*ns) {
|
|
*ns = kstrdup(name, GFP_KERNEL);
|
|
if (!*ns)
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static bool verify_xindex(int xindex, int table_size)
|
|
{
|
|
int index, xtype;
|
|
xtype = xindex & AA_X_TYPE_MASK;
|
|
index = xindex & AA_X_INDEX_MASK;
|
|
if (xtype == AA_X_TABLE && index >= table_size)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
/* verify dfa xindexes are in range of transition tables */
|
|
static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
|
|
{
|
|
int i;
|
|
for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
|
|
if (!verify_xindex(ACCEPT_TABLE(dfa)[i], table_size))
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
static bool verify_perm(struct aa_perms *perm)
|
|
{
|
|
/* TODO: allow option to just force the perms into a valid state */
|
|
if (perm->allow & perm->deny)
|
|
return false;
|
|
if (perm->subtree & ~perm->allow)
|
|
return false;
|
|
if (perm->cond & (perm->allow | perm->deny))
|
|
return false;
|
|
if (perm->kill & perm->allow)
|
|
return false;
|
|
if (perm->complain & (perm->allow | perm->deny))
|
|
return false;
|
|
if (perm->prompt & (perm->allow | perm->deny))
|
|
return false;
|
|
if (perm->complain & perm->prompt)
|
|
return false;
|
|
if (perm->hide & perm->allow)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool verify_perms(struct aa_policydb *pdb)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < pdb->size; i++) {
|
|
if (!verify_perm(&pdb->perms[i]))
|
|
return false;
|
|
/* verify indexes into str table */
|
|
if (pdb->perms[i].xindex >= pdb->trans.size)
|
|
return false;
|
|
if (pdb->perms[i].tag >= pdb->trans.size)
|
|
return false;
|
|
if (pdb->perms[i].label >= pdb->trans.size)
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* verify_profile - Do post unpack analysis to verify profile consistency
|
|
* @profile: profile to verify (NOT NULL)
|
|
*
|
|
* Returns: 0 if passes verification else error
|
|
*
|
|
* This verification is post any unpack mapping or changes
|
|
*/
|
|
static int verify_profile(struct aa_profile *profile)
|
|
{
|
|
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
|
typeof(*rules), list);
|
|
if (!rules)
|
|
return 0;
|
|
|
|
if ((rules->file.dfa && !verify_dfa_xindex(rules->file.dfa,
|
|
rules->file.trans.size)) ||
|
|
(rules->policy.dfa &&
|
|
!verify_dfa_xindex(rules->policy.dfa, rules->policy.trans.size))) {
|
|
audit_iface(profile, NULL, NULL,
|
|
"Unpack: Invalid named transition", NULL, -EPROTO);
|
|
return -EPROTO;
|
|
}
|
|
|
|
if (!verify_perms(&rules->file)) {
|
|
audit_iface(profile, NULL, NULL,
|
|
"Unpack: Invalid perm index", NULL, -EPROTO);
|
|
return -EPROTO;
|
|
}
|
|
if (!verify_perms(&rules->policy)) {
|
|
audit_iface(profile, NULL, NULL,
|
|
"Unpack: Invalid perm index", NULL, -EPROTO);
|
|
return -EPROTO;
|
|
}
|
|
if (!verify_perms(&profile->attach.xmatch)) {
|
|
audit_iface(profile, NULL, NULL,
|
|
"Unpack: Invalid perm index", NULL, -EPROTO);
|
|
return -EPROTO;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void aa_load_ent_free(struct aa_load_ent *ent)
|
|
{
|
|
if (ent) {
|
|
aa_put_profile(ent->rename);
|
|
aa_put_profile(ent->old);
|
|
aa_put_profile(ent->new);
|
|
kfree(ent->ns_name);
|
|
kfree_sensitive(ent);
|
|
}
|
|
}
|
|
|
|
struct aa_load_ent *aa_load_ent_alloc(void)
|
|
{
|
|
struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
|
|
if (ent)
|
|
INIT_LIST_HEAD(&ent->list);
|
|
return ent;
|
|
}
|
|
|
|
static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen)
|
|
{
|
|
#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
|
|
const zstd_parameters params =
|
|
zstd_get_params(aa_g_rawdata_compression_level, slen);
|
|
const size_t wksp_len = zstd_cctx_workspace_bound(¶ms.cParams);
|
|
void *wksp = NULL;
|
|
zstd_cctx *ctx = NULL;
|
|
size_t out_len = zstd_compress_bound(slen);
|
|
void *out = NULL;
|
|
int ret = 0;
|
|
|
|
out = kvzalloc(out_len, GFP_KERNEL);
|
|
if (!out) {
|
|
ret = -ENOMEM;
|
|
goto cleanup;
|
|
}
|
|
|
|
wksp = kvzalloc(wksp_len, GFP_KERNEL);
|
|
if (!wksp) {
|
|
ret = -ENOMEM;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx = zstd_init_cctx(wksp, wksp_len);
|
|
if (!ctx) {
|
|
ret = -EINVAL;
|
|
goto cleanup;
|
|
}
|
|
|
|
out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, ¶ms);
|
|
if (zstd_is_error(out_len) || out_len >= slen) {
|
|
ret = -EINVAL;
|
|
goto cleanup;
|
|
}
|
|
|
|
if (is_vmalloc_addr(out)) {
|
|
*dst = kvzalloc(out_len, GFP_KERNEL);
|
|
if (*dst) {
|
|
memcpy(*dst, out, out_len);
|
|
kvfree(out);
|
|
out = NULL;
|
|
}
|
|
} else {
|
|
/*
|
|
* If the staging buffer was kmalloc'd, then using krealloc is
|
|
* probably going to be faster. The destination buffer will
|
|
* always be smaller, so it's just shrunk, avoiding a memcpy
|
|
*/
|
|
*dst = krealloc(out, out_len, GFP_KERNEL);
|
|
}
|
|
|
|
if (!*dst) {
|
|
ret = -ENOMEM;
|
|
goto cleanup;
|
|
}
|
|
|
|
*dlen = out_len;
|
|
|
|
cleanup:
|
|
if (ret) {
|
|
kvfree(out);
|
|
*dst = NULL;
|
|
}
|
|
|
|
kvfree(wksp);
|
|
return ret;
|
|
#else
|
|
*dlen = slen;
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
static int compress_loaddata(struct aa_loaddata *data)
|
|
{
|
|
AA_BUG(data->compressed_size > 0);
|
|
|
|
/*
|
|
* Shortcut the no compression case, else we increase the amount of
|
|
* storage required by a small amount
|
|
*/
|
|
if (aa_g_rawdata_compression_level != 0) {
|
|
void *udata = data->data;
|
|
int error = compress_zstd(udata, data->size, &data->data,
|
|
&data->compressed_size);
|
|
if (error) {
|
|
data->compressed_size = data->size;
|
|
return error;
|
|
}
|
|
if (udata != data->data)
|
|
kvfree(udata);
|
|
} else
|
|
data->compressed_size = data->size;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* aa_unpack - unpack packed binary profile(s) data loaded from user space
|
|
* @udata: user data copied to kmem (NOT NULL)
|
|
* @lh: list to place unpacked profiles in a aa_repl_ws
|
|
* @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
|
|
*
|
|
* Unpack user data and return refcounted allocated profile(s) stored in
|
|
* @lh in order of discovery, with the list chain stored in base.list
|
|
* or error
|
|
*
|
|
* Returns: profile(s) on @lh else error pointer if fails to unpack
|
|
*/
|
|
int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
|
|
const char **ns)
|
|
{
|
|
struct aa_load_ent *tmp, *ent;
|
|
struct aa_profile *profile = NULL;
|
|
char *ns_name = NULL;
|
|
int error;
|
|
struct aa_ext e = {
|
|
.start = udata->data,
|
|
.end = udata->data + udata->size,
|
|
.pos = udata->data,
|
|
};
|
|
|
|
*ns = NULL;
|
|
while (e.pos < e.end) {
|
|
void *start;
|
|
error = verify_header(&e, e.pos == e.start, ns);
|
|
if (error)
|
|
goto fail;
|
|
|
|
start = e.pos;
|
|
profile = unpack_profile(&e, &ns_name);
|
|
if (IS_ERR(profile)) {
|
|
error = PTR_ERR(profile);
|
|
goto fail;
|
|
}
|
|
|
|
error = verify_profile(profile);
|
|
if (error)
|
|
goto fail_profile;
|
|
|
|
if (aa_g_hash_policy)
|
|
error = aa_calc_profile_hash(profile, e.version, start,
|
|
e.pos - start);
|
|
if (error)
|
|
goto fail_profile;
|
|
|
|
ent = aa_load_ent_alloc();
|
|
if (!ent) {
|
|
error = -ENOMEM;
|
|
goto fail_profile;
|
|
}
|
|
|
|
ent->new = profile;
|
|
ent->ns_name = ns_name;
|
|
ns_name = NULL;
|
|
list_add_tail(&ent->list, lh);
|
|
}
|
|
udata->abi = e.version & K_ABI_MASK;
|
|
if (aa_g_hash_policy) {
|
|
udata->hash = aa_calc_hash(udata->data, udata->size);
|
|
if (IS_ERR(udata->hash)) {
|
|
error = PTR_ERR(udata->hash);
|
|
udata->hash = NULL;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
if (aa_g_export_binary) {
|
|
error = compress_loaddata(udata);
|
|
if (error)
|
|
goto fail;
|
|
}
|
|
return 0;
|
|
|
|
fail_profile:
|
|
kfree(ns_name);
|
|
aa_put_profile(profile);
|
|
|
|
fail:
|
|
list_for_each_entry_safe(ent, tmp, lh, list) {
|
|
list_del_init(&ent->list);
|
|
aa_load_ent_free(ent);
|
|
}
|
|
|
|
return error;
|
|
}
|