0df34a645b
There are cases where the a special out of band transition that can not be triggered by input is useful in separating match conditions in the dfa encoding. The null_transition is currently used as an out of band transition for match conditions that can not contain a \0 in their input but apparmor needs an out of band transition for cases where the match condition is allowed to contain any input character. Achieve this by allowing for an explicit transition out of input range that can only be triggered by code. Signed-off-by: John Johansen <john.johansen@canonical.com>
197 lines
5.4 KiB
C
197 lines
5.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor policy dfa matching engine definitions.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2012 Canonical Ltd.
|
|
*/
|
|
|
|
#ifndef __AA_MATCH_H
|
|
#define __AA_MATCH_H
|
|
|
|
#include <linux/kref.h>
|
|
|
|
#define DFA_NOMATCH 0
|
|
#define DFA_START 1
|
|
|
|
|
|
/**
|
|
* The format used for transition tables is based on the GNU flex table
|
|
* file format (--tables-file option; see Table File Format in the flex
|
|
* info pages and the flex sources for documentation). The magic number
|
|
* used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
|
|
* new tables have been defined and others YY_ID_CHK (check) and YY_ID_DEF
|
|
* (default) tables are used slightly differently (see the apparmor-parser
|
|
* package).
|
|
*
|
|
*
|
|
* The data in the packed dfa is stored in network byte order, and the tables
|
|
* are arranged for flexibility. We convert the table data to host native
|
|
* byte order.
|
|
*
|
|
* The dfa begins with a table set header, and is followed by the actual
|
|
* tables.
|
|
*/
|
|
|
|
#define YYTH_MAGIC 0x1B5E783D
|
|
#define YYTH_FLAG_DIFF_ENCODE 1
|
|
#define YYTH_FLAG_OOB_TRANS 2
|
|
#define YYTH_FLAGS (YYTH_FLAG_DIFF_ENCODE | YYTH_FLAG_OOB_TRANS)
|
|
|
|
#define MAX_OOB_SUPPORTED 1
|
|
|
|
struct table_set_header {
|
|
u32 th_magic; /* YYTH_MAGIC */
|
|
u32 th_hsize;
|
|
u32 th_ssize;
|
|
u16 th_flags;
|
|
char th_version[];
|
|
};
|
|
|
|
/* The YYTD_ID are one less than flex table mappings. The flex id
|
|
* has 1 subtracted at table load time, this allows us to directly use the
|
|
* ID's as indexes.
|
|
*/
|
|
#define YYTD_ID_ACCEPT 0
|
|
#define YYTD_ID_BASE 1
|
|
#define YYTD_ID_CHK 2
|
|
#define YYTD_ID_DEF 3
|
|
#define YYTD_ID_EC 4
|
|
#define YYTD_ID_META 5
|
|
#define YYTD_ID_ACCEPT2 6
|
|
#define YYTD_ID_NXT 7
|
|
#define YYTD_ID_TSIZE 8
|
|
#define YYTD_ID_MAX 8
|
|
|
|
#define YYTD_DATA8 1
|
|
#define YYTD_DATA16 2
|
|
#define YYTD_DATA32 4
|
|
#define YYTD_DATA64 8
|
|
|
|
/* ACCEPT & ACCEPT2 tables gets 6 dedicated flags, YYTD_DATAX define the
|
|
* first flags
|
|
*/
|
|
#define ACCEPT1_FLAGS(X) ((X) & 0x3f)
|
|
#define ACCEPT2_FLAGS(X) ACCEPT1_FLAGS((X) >> YYTD_ID_ACCEPT2)
|
|
#define TO_ACCEPT1_FLAG(X) ACCEPT1_FLAGS(X)
|
|
#define TO_ACCEPT2_FLAG(X) (ACCEPT1_FLAGS(X) << YYTD_ID_ACCEPT2)
|
|
#define DFA_FLAG_VERIFY_STATES 0x1000
|
|
|
|
struct table_header {
|
|
u16 td_id;
|
|
u16 td_flags;
|
|
u32 td_hilen;
|
|
u32 td_lolen;
|
|
char td_data[];
|
|
};
|
|
|
|
#define DEFAULT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_DEF]->td_data))
|
|
#define BASE_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_BASE]->td_data))
|
|
#define NEXT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_NXT]->td_data))
|
|
#define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK]->td_data))
|
|
#define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC]->td_data))
|
|
#define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT]->td_data))
|
|
#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2]->td_data))
|
|
|
|
struct aa_dfa {
|
|
struct kref count;
|
|
u16 flags;
|
|
u32 max_oob;
|
|
struct table_header *tables[YYTD_ID_TSIZE];
|
|
};
|
|
|
|
extern struct aa_dfa *nulldfa;
|
|
extern struct aa_dfa *stacksplitdfa;
|
|
|
|
#define byte_to_byte(X) (X)
|
|
|
|
#define UNPACK_ARRAY(TABLE, BLOB, LEN, TTYPE, BTYPE, NTOHX) \
|
|
do { \
|
|
typeof(LEN) __i; \
|
|
TTYPE *__t = (TTYPE *) TABLE; \
|
|
BTYPE *__b = (BTYPE *) BLOB; \
|
|
for (__i = 0; __i < LEN; __i++) { \
|
|
__t[__i] = NTOHX(__b[__i]); \
|
|
} \
|
|
} while (0)
|
|
|
|
static inline size_t table_size(size_t len, size_t el_size)
|
|
{
|
|
return ALIGN(sizeof(struct table_header) + len * el_size, 8);
|
|
}
|
|
|
|
int aa_setup_dfa_engine(void);
|
|
void aa_teardown_dfa_engine(void);
|
|
|
|
struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
|
|
unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
|
|
const char *str, int len);
|
|
unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
|
|
const char *str);
|
|
unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
|
|
const char c);
|
|
unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa,
|
|
unsigned int state);
|
|
unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
|
|
const char *str, const char **retpos);
|
|
unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
|
|
const char *str, int n, const char **retpos);
|
|
|
|
void aa_dfa_free_kref(struct kref *kref);
|
|
|
|
#define WB_HISTORY_SIZE 24
|
|
struct match_workbuf {
|
|
unsigned int count;
|
|
unsigned int pos;
|
|
unsigned int len;
|
|
unsigned int size; /* power of 2, same as history size */
|
|
unsigned int history[WB_HISTORY_SIZE];
|
|
};
|
|
#define DEFINE_MATCH_WB(N) \
|
|
struct match_workbuf N = { \
|
|
.count = 0, \
|
|
.pos = 0, \
|
|
.len = 0, \
|
|
}
|
|
|
|
unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
|
|
const char *str, unsigned int *count);
|
|
|
|
/**
|
|
* aa_get_dfa - increment refcount on dfa @p
|
|
* @dfa: dfa (MAYBE NULL)
|
|
*
|
|
* Returns: pointer to @dfa if @dfa is NULL will return NULL
|
|
* Requires: @dfa must be held with valid refcount when called
|
|
*/
|
|
static inline struct aa_dfa *aa_get_dfa(struct aa_dfa *dfa)
|
|
{
|
|
if (dfa)
|
|
kref_get(&(dfa->count));
|
|
|
|
return dfa;
|
|
}
|
|
|
|
/**
|
|
* aa_put_dfa - put a dfa refcount
|
|
* @dfa: dfa to put refcount (MAYBE NULL)
|
|
*
|
|
* Requires: if @dfa != NULL that a valid refcount be held
|
|
*/
|
|
static inline void aa_put_dfa(struct aa_dfa *dfa)
|
|
{
|
|
if (dfa)
|
|
kref_put(&dfa->count, aa_dfa_free_kref);
|
|
}
|
|
|
|
#define MATCH_FLAG_DIFF_ENCODE 0x80000000
|
|
#define MARK_DIFF_ENCODE 0x40000000
|
|
#define MATCH_FLAG_OOB_TRANSITION 0x20000000
|
|
#define MATCH_FLAGS_MASK 0xff000000
|
|
#define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION)
|
|
#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
|
|
|
|
#endif /* __AA_MATCH_H */
|