LXR linux/security/apparmor/policy

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * AppArmor security module
   4 *
   5 * This file contains AppArmor functions for unpacking policy loaded from
   6 * userspace.
   7 *
   8 * Copyright (C) 1998-2008 Novell/SUSE
   9 * Copyright 2009-2010 Canonical Ltd.
  10 *
  11 * AppArmor uses a serialized binary format for loading policy. To find
  12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
  13 * All policy is validated before it is used.
  14 */
  15
  16#include <asm/unaligned.h>
  17#include <linux/ctype.h>
  18#include <linux/errno.h>
  19
  20#include "include/apparmor.h"
  21#include "include/audit.h"
  22#include "include/cred.h"
  23#include "include/crypto.h"
  24#include "include/match.h"
  25#include "include/path.h"
  26#include "include/policy.h"
  27#include "include/policy_unpack.h"
  28
  29#define K_ABI_MASK 0x3ff
  30#define FORCE_COMPLAIN_FLAG 0x800
  31#define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
  32#define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
  33
  34#define v5      5       /* base version */
  35#define v6      6       /* per entry policydb mediation check */
  36#define v7      7
  37#define v8      8       /* full network masking */
  38
  39/*
  40 * The AppArmor interface treats data as a type byte followed by the
  41 * actual data.  The interface has the notion of a a named entry
  42 * which has a name (AA_NAME typecode followed by name string) followed by
  43 * the entries typecode and data.  Named types allow for optional
  44 * elements and extensions to be added and tested for without breaking
  45 * backwards compatibility.
  46 */
  47
  48enum aa_code {
  49        AA_U8,
  50        AA_U16,
  51        AA_U32,
  52        AA_U64,
  53        AA_NAME,                /* same as string except it is items name */
  54        AA_STRING,
  55        AA_BLOB,
  56        AA_STRUCT,
  57        AA_STRUCTEND,
  58        AA_LIST,
  59        AA_LISTEND,
  60        AA_ARRAY,
  61        AA_ARRAYEND,
  62};
  63
  64/*
  65 * aa_ext is the read of the buffer containing the serialized profile.  The
  66 * data is copied into a kernel buffer in apparmorfs and then handed off to
  67 * the unpack routines.
  68 */
  69struct aa_ext {
  70        void *start;
  71        void *end;
  72        void *pos;              /* pointer to current position in the buffer */
  73        u32 version;
  74};
  75
  76/* audit callback for unpack fields */
  77static void audit_cb(struct audit_buffer *ab, void *va)
  78{
  79        struct common_audit_data *sa = va;
  80
  81        if (aad(sa)->iface.ns) {
  82                audit_log_format(ab, " ns=");
  83                audit_log_untrustedstring(ab, aad(sa)->iface.ns);
  84        }
  85        if (aad(sa)->name) {
  86                audit_log_format(ab, " name=");
  87                audit_log_untrustedstring(ab, aad(sa)->name);
  88        }
  89        if (aad(sa)->iface.pos)
  90                audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
  91}
  92
  93/**
  94 * audit_iface - do audit message for policy unpacking/load/replace/remove
  95 * @new: profile if it has been allocated (MAYBE NULL)
  96 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
  97 * @name: name of the profile being manipulated (MAYBE NULL)
  98 * @info: any extra info about the failure (MAYBE NULL)
  99 * @e: buffer position info
 100 * @error: error code
 101 *
 102 * Returns: %0 or error
 103 */
 104static int audit_iface(struct aa_profile *new, const char *ns_name,
 105                       const char *name, const char *info, struct aa_ext *e,
 106                       int error)
 107{
 108        struct aa_profile *profile = labels_profile(aa_current_raw_label());
 109        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL);
 110        if (e)
 111                aad(&sa)->iface.pos = e->pos - e->start;
 112        aad(&sa)->iface.ns = ns_name;
 113        if (new)
 114                aad(&sa)->name = new->base.hname;
 115        else
 116                aad(&sa)->name = name;
 117        aad(&sa)->info = info;
 118        aad(&sa)->error = error;
 119
 120        return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
 121}
 122
 123void __aa_loaddata_update(struct aa_loaddata *data, long revision)
 124{
 125        AA_BUG(!data);
 126        AA_BUG(!data->ns);
 127        AA_BUG(!data->dents[AAFS_LOADDATA_REVISION]);
 128        AA_BUG(!mutex_is_locked(&data->ns->lock));
 129        AA_BUG(data->revision > revision);
 130
 131        data->revision = revision;
 132        d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime =
 133                current_time(d_inode(data->dents[AAFS_LOADDATA_DIR]));
 134        d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime =
 135                current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION]));
 136}
 137
 138bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
 139{
 140        if (l->size != r->size)
 141                return false;
 142        if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
 143                return false;
 144        return memcmp(l->data, r->data, r->size) == 0;
 145}
 146
 147/*
 148 * need to take the ns mutex lock which is NOT safe most places that
 149 * put_loaddata is called, so we have to delay freeing it
 150 */
 151static void do_loaddata_free(struct work_struct *work)
 152{
 153        struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
 154        struct aa_ns *ns = aa_get_ns(d->ns);
 155
 156        if (ns) {
 157                mutex_lock_nested(&ns->lock, ns->level);
 158                __aa_fs_remove_rawdata(d);
 159                mutex_unlock(&ns->lock);
 160                aa_put_ns(ns);
 161        }
 162
 163        kzfree(d->hash);
 164        kzfree(d->name);
 165        kvfree(d->data);
 166        kzfree(d);
 167}
 168
 169void aa_loaddata_kref(struct kref *kref)
 170{
 171        struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
 172
 173        if (d) {
 174                INIT_WORK(&d->work, do_loaddata_free);
 175                schedule_work(&d->work);
 176        }
 177}
 178
 179struct aa_loaddata *aa_loaddata_alloc(size_t size)
 180{
 181        struct aa_loaddata *d;
 182
 183        d = kzalloc(sizeof(*d), GFP_KERNEL);
 184        if (d == NULL)
 185                return ERR_PTR(-ENOMEM);
 186        d->data = kvzalloc(size, GFP_KERNEL);
 187        if (!d->data) {
 188                kfree(d);
 189                return ERR_PTR(-ENOMEM);
 190        }
 191        kref_init(&d->count);
 192        INIT_LIST_HEAD(&d->list);
 193
 194        return d;
 195}
 196
 197/* test if read will be in packed data bounds */
 198static bool inbounds(struct aa_ext *e, size_t size)
 199{
 200        return (size <= e->end - e->pos);
 201}
 202
 203static void *kvmemdup(const void *src, size_t len)
 204{
 205        void *p = kvmalloc(len, GFP_KERNEL);
 206
 207        if (p)
 208                memcpy(p, src, len);
 209        return p;
 210}
 211
 212/**
 213 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
 214 * @e: serialized data read head (NOT NULL)
 215 * @chunk: start address for chunk of data (NOT NULL)
 216 *
 217 * Returns: the size of chunk found with the read head at the end of the chunk.
 218 */
 219static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
 220{
 221        size_t size = 0;
 222        void *pos = e->pos;
 223
 224        if (!inbounds(e, sizeof(u16)))
 225                goto fail;
 226        size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
 227        e->pos += sizeof(__le16);
 228        if (!inbounds(e, size))
 229                goto fail;
 230        *chunk = e->pos;
 231        e->pos += size;
 232        return size;
 233
 234fail:
 235        e->pos = pos;
 236        return 0;
 237}
 238
 239/* unpack control byte */
 240static bool unpack_X(struct aa_ext *e, enum aa_code code)
 241{
 242        if (!inbounds(e, 1))
 243                return 0;
 244        if (*(u8 *) e->pos != code)
 245                return 0;
 246        e->pos++;
 247        return 1;
 248}
 249
 250/**
 251 * unpack_nameX - check is the next element is of type X with a name of @name
 252 * @e: serialized data extent information  (NOT NULL)
 253 * @code: type code
 254 * @name: name to match to the serialized element.  (MAYBE NULL)
 255 *
 256 * check that the next serialized data element is of type X and has a tag
 257 * name @name.  If @name is specified then there must be a matching
 258 * name element in the stream.  If @name is NULL any name element will be
 259 * skipped and only the typecode will be tested.
 260 *
 261 * Returns 1 on success (both type code and name tests match) and the read
 262 * head is advanced past the headers
 263 *
 264 * Returns: 0 if either match fails, the read head does not move
 265 */
 266static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
 267{
 268        /*
 269         * May need to reset pos if name or type doesn't match
 270         */
 271        void *pos = e->pos;
 272        /*
 273         * Check for presence of a tagname, and if present name size
 274         * AA_NAME tag value is a u16.
 275         */
 276        if (unpack_X(e, AA_NAME)) {
 277                char *tag = NULL;
 278                size_t size = unpack_u16_chunk(e, &tag);
 279                /* if a name is specified it must match. otherwise skip tag */
 280                if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
 281                        goto fail;
 282        } else if (name) {
 283                /* if a name is specified and there is no name tag fail */
 284                goto fail;
 285        }
 286
 287        /* now check if type code matches */
 288        if (unpack_X(e, code))
 289                return 1;
 290
 291fail:
 292        e->pos = pos;
 293        return 0;
 294}
 295
 296static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
 297{
 298        void *pos = e->pos;
 299
 300        if (unpack_nameX(e, AA_U8, name)) {
 301                if (!inbounds(e, sizeof(u8)))
 302                        goto fail;
 303                if (data)
 304                        *data = get_unaligned((u8 *)e->pos);
 305                e->pos += sizeof(u8);
 306                return 1;
 307        }
 308
 309fail:
 310        e->pos = pos;
 311        return 0;
 312}
 313
 314static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
 315{
 316        void *pos = e->pos;
 317
 318        if (unpack_nameX(e, AA_U32, name)) {
 319                if (!inbounds(e, sizeof(u32)))
 320                        goto fail;
 321                if (data)
 322                        *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
 323                e->pos += sizeof(u32);
 324                return 1;
 325        }
 326
 327fail:
 328        e->pos = pos;
 329        return 0;
 330}
 331
 332static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
 333{
 334        void *pos = e->pos;
 335
 336        if (unpack_nameX(e, AA_U64, name)) {
 337                if (!inbounds(e, sizeof(u64)))
 338                        goto fail;
 339                if (data)
 340                        *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
 341                e->pos += sizeof(u64);
 342                return 1;
 343        }
 344
 345fail:
 346        e->pos = pos;
 347        return 0;
 348}
 349
 350static size_t unpack_array(struct aa_ext *e, const char *name)
 351{
 352        void *pos = e->pos;
 353
 354        if (unpack_nameX(e, AA_ARRAY, name)) {
 355                int size;
 356                if (!inbounds(e, sizeof(u16)))
 357                        goto fail;
 358                size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos));
 359                e->pos += sizeof(u16);
 360                return size;
 361        }
 362
 363fail:
 364        e->pos = pos;
 365        return 0;
 366}
 367
 368static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
 369{
 370        void *pos = e->pos;
 371
 372        if (unpack_nameX(e, AA_BLOB, name)) {
 373                u32 size;
 374                if (!inbounds(e, sizeof(u32)))
 375                        goto fail;
 376                size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
 377                e->pos += sizeof(u32);
 378                if (inbounds(e, (size_t) size)) {
 379                        *blob = e->pos;
 380                        e->pos += size;
 381                        return size;
 382                }
 383        }
 384
 385fail:
 386        e->pos = pos;
 387        return 0;
 388}
 389
 390static int unpack_str(struct aa_ext *e, const char **string, const char *name)
 391{
 392        char *src_str;
 393        size_t size = 0;
 394        void *pos = e->pos;
 395        *string = NULL;
 396        if (unpack_nameX(e, AA_STRING, name)) {
 397                size = unpack_u16_chunk(e, &src_str);
 398                if (size) {
 399                        /* strings are null terminated, length is size - 1 */
 400                        if (src_str[size - 1] != 0)
 401                                goto fail;
 402                        *string = src_str;
 403
 404                        return size;
 405                }
 406        }
 407
 408fail:
 409        e->pos = pos;
 410        return 0;
 411}
 412
 413static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
 414{
 415        const char *tmp;
 416        void *pos = e->pos;
 417        int res = unpack_str(e, &tmp, name);
 418        *string = NULL;
 419
 420        if (!res)
 421                return 0;
 422
 423        *string = kmemdup(tmp, res, GFP_KERNEL);
 424        if (!*string) {
 425                e->pos = pos;
 426                return 0;
 427        }
 428
 429        return res;
 430}
 431
 432
 433/**
 434 * unpack_dfa - unpack a file rule dfa
 435 * @e: serialized data extent information (NOT NULL)
 436 *
 437 * returns dfa or ERR_PTR or NULL if no dfa
 438 */
 439static struct aa_dfa *unpack_dfa(struct aa_ext *e)
 440{
 441        char *blob = NULL;
 442        size_t size;
 443        struct aa_dfa *dfa = NULL;
 444
 445        size = unpack_blob(e, &blob, "aadfa");
 446        if (size) {
 447                /*
 448                 * The dfa is aligned with in the blob to 8 bytes
 449                 * from the beginning of the stream.
 450                 * alignment adjust needed by dfa unpack
 451                 */
 452                size_t sz = blob - (char *) e->start -
 453                        ((e->pos - e->start) & 7);
 454                size_t pad = ALIGN(sz, 8) - sz;
 455                int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
 456                        TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES;
 457                dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
 458
 459                if (IS_ERR(dfa))
 460                        return dfa;
 461
 462        }
 463
 464        return dfa;
 465}
 466
 467/**
 468 * unpack_trans_table - unpack a profile transition table
 469 * @e: serialized data extent information  (NOT NULL)
 470 * @profile: profile to add the accept table to (NOT NULL)
 471 *
 472 * Returns: 1 if table successfully unpacked
 473 */
 474static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
 475{
 476        void *saved_pos = e->pos;
 477
 478        /* exec table is optional */
 479        if (unpack_nameX(e, AA_STRUCT, "xtable")) {
 480                int i, size;
 481
 482                size = unpack_array(e, NULL);
 483                /* currently 4 exec bits and entries 0-3 are reserved iupcx */
 484                if (size > 16 - 4)
 485                        goto fail;
 486                profile->file.trans.table = kcalloc(size, sizeof(char *),
 487                                                    GFP_KERNEL);
 488                if (!profile->file.trans.table)
 489                        goto fail;
 490
 491                profile->file.trans.size = size;
 492                for (i = 0; i < size; i++) {
 493                        char *str;
 494                        int c, j, pos, size2 = unpack_strdup(e, &str, NULL);
 495                        /* unpack_strdup verifies that the last character is
 496                         * null termination byte.
 497                         */
 498                        if (!size2)
 499                                goto fail;
 500                        profile->file.trans.table[i] = str;
 501                        /* verify that name doesn't start with space */
 502                        if (isspace(*str))
 503                                goto fail;
 504
 505                        /* count internal #  of internal \0 */
 506                        for (c = j = 0; j < size2 - 1; j++) {
 507                                if (!str[j]) {
 508                                        pos = j;
 509                                        c++;
 510                                }
 511                        }
 512                        if (*str == ':') {
 513                                /* first character after : must be valid */
 514                                if (!str[1])
 515                                        goto fail;
 516                                /* beginning with : requires an embedded \0,
 517                                 * verify that exactly 1 internal \0 exists
 518                                 * trailing \0 already verified by unpack_strdup
 519                                 *
 520                                 * convert \0 back to : for label_parse
 521                                 */
 522                                if (c == 1)
 523                                        str[pos] = ':';
 524                                else if (c > 1)
 525                                        goto fail;
 526                        } else if (c)
 527                                /* fail - all other cases with embedded \0 */
 528                                goto fail;
 529                }
 530                if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 531                        goto fail;
 532                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 533                        goto fail;
 534        }
 535        return 1;
 536
 537fail:
 538        aa_free_domain_entries(&profile->file.trans);
 539        e->pos = saved_pos;
 540        return 0;
 541}
 542
 543static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
 544{
 545        void *pos = e->pos;
 546
 547        if (unpack_nameX(e, AA_STRUCT, "xattrs")) {
 548                int i, size;
 549
 550                size = unpack_array(e, NULL);
 551                profile->xattr_count = size;
 552                profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
 553                if (!profile->xattrs)
 554                        goto fail;
 555                for (i = 0; i < size; i++) {
 556                        if (!unpack_strdup(e, &profile->xattrs[i], NULL))
 557                                goto fail;
 558                }
 559                if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 560                        goto fail;
 561                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 562                        goto fail;
 563        }
 564
 565        return 1;
 566
 567fail:
 568        e->pos = pos;
 569        return 0;
 570}
 571
 572static bool unpack_secmark(struct aa_ext *e, struct aa_profile *profile)
 573{
 574        void *pos = e->pos;
 575        int i, size;
 576
 577        if (unpack_nameX(e, AA_STRUCT, "secmark")) {
 578                size = unpack_array(e, NULL);
 579
 580                profile->secmark = kcalloc(size, sizeof(struct aa_secmark),
 581                                           GFP_KERNEL);
 582                if (!profile->secmark)
 583                        goto fail;
 584
 585                profile->secmark_count = size;
 586
 587                for (i = 0; i < size; i++) {
 588                        if (!unpack_u8(e, &profile->secmark[i].audit, NULL))
 589                                goto fail;
 590                        if (!unpack_u8(e, &profile->secmark[i].deny, NULL))
 591                                goto fail;
 592                        if (!unpack_strdup(e, &profile->secmark[i].label, NULL))
 593                                goto fail;
 594                }
 595                if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 596                        goto fail;
 597                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 598                        goto fail;
 599        }
 600
 601        return 1;
 602
 603fail:
 604        if (profile->secmark) {
 605                for (i = 0; i < size; i++)
 606                        kfree(profile->secmark[i].label);
 607                kfree(profile->secmark);
 608                profile->secmark_count = 0;
 609                profile->secmark = NULL;
 610        }
 611
 612        e->pos = pos;
 613        return 0;
 614}
 615
 616static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
 617{
 618        void *pos = e->pos;
 619
 620        /* rlimits are optional */
 621        if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
 622                int i, size;
 623                u32 tmp = 0;
 624                if (!unpack_u32(e, &tmp, NULL))
 625                        goto fail;
 626                profile->rlimits.mask = tmp;
 627
 628                size = unpack_array(e, NULL);
 629                if (size > RLIM_NLIMITS)
 630                        goto fail;
 631                for (i = 0; i < size; i++) {
 632                        u64 tmp2 = 0;
 633                        int a = aa_map_resource(i);
 634                        if (!unpack_u64(e, &tmp2, NULL))
 635                                goto fail;
 636                        profile->rlimits.limits[a].rlim_max = tmp2;
 637                }
 638                if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 639                        goto fail;
 640                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 641                        goto fail;
 642        }
 643        return 1;
 644
 645fail:
 646        e->pos = pos;
 647        return 0;
 648}
 649
 650static u32 strhash(const void *data, u32 len, u32 seed)
 651{
 652        const char * const *key = data;
 653
 654        return jhash(*key, strlen(*key), seed);
 655}
 656
 657static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
 658{
 659        const struct aa_data *data = obj;
 660        const char * const *key = arg->key;
 661
 662        return strcmp(data->key, *key);
 663}
 664
 665/**
 666 * unpack_profile - unpack a serialized profile
 667 * @e: serialized data extent information (NOT NULL)
 668 *
 669 * NOTE: unpack profile sets audit struct if there is a failure
 670 */
 671static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 672{
 673        struct aa_profile *profile = NULL;
 674        const char *tmpname, *tmpns = NULL, *name = NULL;
 675        const char *info = "failed to unpack profile";
 676        size_t ns_len;
 677        struct rhashtable_params params = { 0 };
 678        char *key = NULL;
 679        struct aa_data *data;
 680        int i, error = -EPROTO;
 681        kernel_cap_t tmpcap;
 682        u32 tmp;
 683
 684        *ns_name = NULL;
 685
 686        /* check that we have the right struct being passed */
 687        if (!unpack_nameX(e, AA_STRUCT, "profile"))
 688                goto fail;
 689        if (!unpack_str(e, &name, NULL))
 690                goto fail;
 691        if (*name == '\0')
 692                goto fail;
 693
 694        tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
 695        if (tmpns) {
 696                *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
 697                if (!*ns_name) {
 698                        info = "out of memory";
 699                        goto fail;
 700                }
 701                name = tmpname;
 702        }
 703
 704        profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
 705        if (!profile)
 706                return ERR_PTR(-ENOMEM);
 707
 708        /* profile renaming is optional */
 709        (void) unpack_str(e, &profile->rename, "rename");
 710
 711        /* attachment string is optional */
 712        (void) unpack_str(e, &profile->attach, "attach");
 713
 714        /* xmatch is optional and may be NULL */
 715        profile->xmatch = unpack_dfa(e);
 716        if (IS_ERR(profile->xmatch)) {
 717                error = PTR_ERR(profile->xmatch);
 718                profile->xmatch = NULL;
 719                info = "bad xmatch";
 720                goto fail;
 721        }
 722        /* xmatch_len is not optional if xmatch is set */
 723        if (profile->xmatch) {
 724                if (!unpack_u32(e, &tmp, NULL)) {
 725                        info = "missing xmatch len";
 726                        goto fail;
 727                }
 728                profile->xmatch_len = tmp;
 729        }
 730
 731        /* disconnected attachment string is optional */
 732        (void) unpack_str(e, &profile->disconnected, "disconnected");
 733
 734        /* per profile debug flags (complain, audit) */
 735        if (!unpack_nameX(e, AA_STRUCT, "flags")) {
 736                info = "profile missing flags";
 737                goto fail;
 738        }
 739        info = "failed to unpack profile flags";
 740        if (!unpack_u32(e, &tmp, NULL))
 741                goto fail;
 742        if (tmp & PACKED_FLAG_HAT)
 743                profile->label.flags |= FLAG_HAT;
 744        if (!unpack_u32(e, &tmp, NULL))
 745                goto fail;
 746        if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
 747                profile->mode = APPARMOR_COMPLAIN;
 748        else if (tmp == PACKED_MODE_KILL)
 749                profile->mode = APPARMOR_KILL;
 750        else if (tmp == PACKED_MODE_UNCONFINED)
 751                profile->mode = APPARMOR_UNCONFINED;
 752        if (!unpack_u32(e, &tmp, NULL))
 753                goto fail;
 754        if (tmp)
 755                profile->audit = AUDIT_ALL;
 756
 757        if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 758                goto fail;
 759
 760        /* path_flags is optional */
 761        if (unpack_u32(e, &profile->path_flags, "path_flags"))
 762                profile->path_flags |= profile->label.flags &
 763                        PATH_MEDIATE_DELETED;
 764        else
 765                /* set a default value if path_flags field is not present */
 766                profile->path_flags = PATH_MEDIATE_DELETED;
 767
 768        info = "failed to unpack profile capabilities";
 769        if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
 770                goto fail;
 771        if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
 772                goto fail;
 773        if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
 774                goto fail;
 775        if (!unpack_u32(e, &tmpcap.cap[0], NULL))
 776                goto fail;
 777
 778        info = "failed to unpack upper profile capabilities";
 779        if (unpack_nameX(e, AA_STRUCT, "caps64")) {
 780                /* optional upper half of 64 bit caps */
 781                if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
 782                        goto fail;
 783                if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
 784                        goto fail;
 785                if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
 786                        goto fail;
 787                if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
 788                        goto fail;
 789                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 790                        goto fail;
 791        }
 792
 793        info = "failed to unpack extended profile capabilities";
 794        if (unpack_nameX(e, AA_STRUCT, "capsx")) {
 795                /* optional extended caps mediation mask */
 796                if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
 797                        goto fail;
 798                if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
 799                        goto fail;
 800                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 801                        goto fail;
 802        }
 803
 804        if (!unpack_xattrs(e, profile)) {
 805                info = "failed to unpack profile xattrs";
 806                goto fail;
 807        }
 808
 809        if (!unpack_rlimits(e, profile)) {
 810                info = "failed to unpack profile rlimits";
 811                goto fail;
 812        }
 813
 814        if (!unpack_secmark(e, profile)) {
 815                info = "failed to unpack profile secmark rules";
 816                goto fail;
 817        }
 818
 819        if (unpack_nameX(e, AA_STRUCT, "policydb")) {
 820                /* generic policy dfa - optional and may be NULL */
 821                info = "failed to unpack policydb";
 822                profile->policy.dfa = unpack_dfa(e);
 823                if (IS_ERR(profile->policy.dfa)) {
 824                        error = PTR_ERR(profile->policy.dfa);
 825                        profile->policy.dfa = NULL;
 826                        goto fail;
 827                } else if (!profile->policy.dfa) {
 828                        error = -EPROTO;
 829                        goto fail;
 830                }
 831                if (!unpack_u32(e, &profile->policy.start[0], "start"))
 832                        /* default start state */
 833                        profile->policy.start[0] = DFA_START;
 834                /* setup class index */
 835                for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
 836                        profile->policy.start[i] =
 837                                aa_dfa_next(profile->policy.dfa,
 838                                            profile->policy.start[0],
 839                                            i);
 840                }
 841                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 842                        goto fail;
 843        } else
 844                profile->policy.dfa = aa_get_dfa(nulldfa);
 845
 846        /* get file rules */
 847        profile->file.dfa = unpack_dfa(e);
 848        if (IS_ERR(profile->file.dfa)) {
 849                error = PTR_ERR(profile->file.dfa);
 850                profile->file.dfa = NULL;
 851                info = "failed to unpack profile file rules";
 852                goto fail;
 853        } else if (profile->file.dfa) {
 854                if (!unpack_u32(e, &profile->file.start, "dfa_start"))
 855                        /* default start state */
 856                        profile->file.start = DFA_START;
 857        } else if (profile->policy.dfa &&
 858                   profile->policy.start[AA_CLASS_FILE]) {
 859                profile->file.dfa = aa_get_dfa(profile->policy.dfa);
 860                profile->file.start = profile->policy.start[AA_CLASS_FILE];
 861        } else
 862                profile->file.dfa = aa_get_dfa(nulldfa);
 863
 864        if (!unpack_trans_table(e, profile)) {
 865                info = "failed to unpack profile transition table";
 866                goto fail;
 867        }
 868
 869        if (unpack_nameX(e, AA_STRUCT, "data")) {
 870                info = "out of memory";
 871                profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
 872                if (!profile->data)
 873                        goto fail;
 874
 875                params.nelem_hint = 3;
 876                params.key_len = sizeof(void *);
 877                params.key_offset = offsetof(struct aa_data, key);
 878                params.head_offset = offsetof(struct aa_data, head);
 879                params.hashfn = strhash;
 880                params.obj_cmpfn = datacmp;
 881
 882                if (rhashtable_init(profile->data, &params)) {
 883                        info = "failed to init key, value hash table";
 884                        goto fail;
 885                }
 886
 887                while (unpack_strdup(e, &key, NULL)) {
 888                        data = kzalloc(sizeof(*data), GFP_KERNEL);
 889                        if (!data) {
 890                                kzfree(key);
 891                                goto fail;
 892                        }
 893
 894                        data->key = key;
 895                        data->size = unpack_blob(e, &data->data, NULL);
 896                        data->data = kvmemdup(data->data, data->size);
 897                        if (data->size && !data->data) {
 898                                kzfree(data->key);
 899                                kzfree(data);
 900                                goto fail;
 901                        }
 902
 903                        rhashtable_insert_fast(profile->data, &data->head,
 904                                               profile->data->p);
 905                }
 906
 907                if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
 908                        info = "failed to unpack end of key, value data table";
 909                        goto fail;
 910                }
 911        }
 912
 913        if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
 914                info = "failed to unpack end of profile";
 915                goto fail;
 916        }
 917
 918        return profile;
 919
 920fail:
 921        if (profile)
 922                name = NULL;
 923        else if (!name)
 924                name = "unknown";
 925        audit_iface(profile, NULL, name, info, e, error);
 926        aa_free_profile(profile);
 927
 928        return ERR_PTR(error);
 929}
 930
 931/**
 932 * verify_head - unpack serialized stream header
 933 * @e: serialized data read head (NOT NULL)
 934 * @required: whether the header is required or optional
 935 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
 936 *
 937 * Returns: error or 0 if header is good
 938 */
 939static int verify_header(struct aa_ext *e, int required, const char **ns)
 940{
 941        int error = -EPROTONOSUPPORT;
 942        const char *name = NULL;
 943        *ns = NULL;
 944
 945        /* get the interface version */
 946        if (!unpack_u32(e, &e->version, "version")) {
 947                if (required) {
 948                        audit_iface(NULL, NULL, NULL, "invalid profile format",
 949                                    e, error);
 950                        return error;
 951                }
 952        }
 953
 954        /* Check that the interface version is currently supported.
 955         * if not specified use previous version
 956         * Mask off everything that is not kernel abi version
 957         */
 958        if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) {
 959                audit_iface(NULL, NULL, NULL, "unsupported interface version",
 960                            e, error);
 961                return error;
 962        }
 963
 964        /* read the namespace if present */
 965        if (unpack_str(e, &name, "namespace")) {
 966                if (*name == '\0') {
 967                        audit_iface(NULL, NULL, NULL, "invalid namespace name",
 968                                    e, error);
 969                        return error;
 970                }
 971                if (*ns && strcmp(*ns, name))
 972                        audit_iface(NULL, NULL, NULL, "invalid ns change", e,
 973                                    error);
 974                else if (!*ns)
 975                        *ns = name;
 976        }
 977
 978        return 0;
 979}
 980
 981static bool verify_xindex(int xindex, int table_size)
 982{
 983        int index, xtype;
 984        xtype = xindex & AA_X_TYPE_MASK;
 985        index = xindex & AA_X_INDEX_MASK;
 986        if (xtype == AA_X_TABLE && index >= table_size)
 987                return 0;
 988        return 1;
 989}
 990
 991/* verify dfa xindexes are in range of transition tables */
 992static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
 993{
 994        int i;
 995        for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
 996                if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
 997                        return 0;
 998                if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
 999                        return 0;
1000        }

1001        return 1;
1002}
1003
1004/**
1005 * verify_profile - Do post unpack analysis to verify profile consistency
1006 * @profile: profile to verify (NOT NULL)
1007 *
1008 * Returns: 0 if passes verification else error
1009 */
1010static int verify_profile(struct aa_profile *profile)
1011{
1012        if (profile->file.dfa &&
1013            !verify_dfa_xindex(profile->file.dfa,
1014                               profile->file.trans.size)) {
1015                audit_iface(profile, NULL, NULL, "Invalid named transition",
1016                            NULL, -EPROTO);
1017                return -EPROTO;
1018        }
1019
1020        return 0;
1021}
1022
1023void aa_load_ent_free(struct aa_load_ent *ent)
1024{
1025        if (ent) {
1026                aa_put_profile(ent->rename);
1027                aa_put_profile(ent->old);
1028                aa_put_profile(ent->new);
1029                kfree(ent->ns_name);
1030                kzfree(ent);
1031        }
1032}
1033
1034struct aa_load_ent *aa_load_ent_alloc(void)
1035{
1036        struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
1037        if (ent)
1038                INIT_LIST_HEAD(&ent->list);
1039        return ent;
1040}
1041
1042/**
1043 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1044 * @udata: user data copied to kmem  (NOT NULL)
1045 * @lh: list to place unpacked profiles in a aa_repl_ws
1046 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1047 *
1048 * Unpack user data and return refcounted allocated profile(s) stored in
1049 * @lh in order of discovery, with the list chain stored in base.list
1050 * or error
1051 *
1052 * Returns: profile(s) on @lh else error pointer if fails to unpack
1053 */
1054int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
1055              const char **ns)
1056{
1057        struct aa_load_ent *tmp, *ent;
1058        struct aa_profile *profile = NULL;
1059        int error;
1060        struct aa_ext e = {
1061                .start = udata->data,
1062                .end = udata->data + udata->size,
1063                .pos = udata->data,
1064        };
1065
1066        *ns = NULL;
1067        while (e.pos < e.end) {
1068                char *ns_name = NULL;
1069                void *start;
1070                error = verify_header(&e, e.pos == e.start, ns);
1071                if (error)
1072                        goto fail;
1073
1074                start = e.pos;
1075                profile = unpack_profile(&e, &ns_name);
1076                if (IS_ERR(profile)) {
1077                        error = PTR_ERR(profile);
1078                        goto fail;
1079                }
1080
1081                error = verify_profile(profile);
1082                if (error)
1083                        goto fail_profile;
1084
1085                if (aa_g_hash_policy)
1086                        error = aa_calc_profile_hash(profile, e.version, start,
1087                                                     e.pos - start);
1088                if (error)
1089                        goto fail_profile;
1090
1091                ent = aa_load_ent_alloc();
1092                if (!ent) {
1093                        error = -ENOMEM;
1094                        goto fail_profile;
1095                }
1096
1097                ent->new = profile;
1098                ent->ns_name = ns_name;
1099                list_add_tail(&ent->list, lh);
1100        }
1101        udata->abi = e.version & K_ABI_MASK;
1102        if (aa_g_hash_policy) {
1103                udata->hash = aa_calc_hash(udata->data, udata->size);
1104                if (IS_ERR(udata->hash)) {
1105                        error = PTR_ERR(udata->hash);
1106                        udata->hash = NULL;
1107                        goto fail;
1108                }
1109        }
1110        return 0;
1111
1112fail_profile:
1113        aa_put_profile(profile);
1114
1115fail:
1116        list_for_each_entry_safe(ent, tmp, lh, list) {
1117                list_del_init(&ent->list);
1118                aa_load_ent_free(ent);
1119        }
1120
1121        return error;
1122}
1123