2 * AppArmor security module
4 * This file contains AppArmor dfa based regular expression matching engine
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2012 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/errno.h>
16 #include <linux/kernel.h>
18 #include <linux/slab.h>
19 #include <linux/vmalloc.h>
20 #include <linux/err.h>
21 #include <linux/kref.h>
23 #include "include/apparmor.h"
24 #include "include/match.h"
27 * unpack_table - unpack a dfa table (one of accept, default, base, next check)
28 * @blob: data to unpack (NOT NULL)
29 * @bsize: size of blob
31 * Returns: pointer to table else NULL on failure
33 * NOTE: must be freed by kvfree (not kfree)
35 static struct table_header *unpack_table(char *blob, size_t bsize)
37 struct table_header *table = NULL;
38 struct table_header th;
41 if (bsize < sizeof(struct table_header))
44 /* loaded td_id's start at 1, subtract 1 now to avoid doing
45 * it every time we use td_id as an index
47 th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
48 th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
49 th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
50 blob += sizeof(struct table_header);
52 if (!(th.td_flags == YYTD_DATA16 || th.td_flags == YYTD_DATA32 ||
53 th.td_flags == YYTD_DATA8))
56 tsize = table_size(th.td_lolen, th.td_flags);
60 table = kvzalloc(tsize);
63 if (th.td_flags == YYTD_DATA8)
64 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
66 else if (th.td_flags == YYTD_DATA16)
67 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
69 else if (th.td_flags == YYTD_DATA32)
70 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
77 /* if table was vmalloced make sure the page tables are synced
78 * before it is used, as it goes live to all cpus.
80 if (is_vmalloc_addr(table))
89 * verify_dfa - verify that transitions and states in the tables are in bounds.
90 * @dfa: dfa to test (NOT NULL)
91 * @flags: flags controlling what type of accept table are acceptable
93 * Assumes dfa has gone through the first pass verification done by unpacking
94 * NOTE: this does not valid accept table values
96 * Returns: %0 else error code on failure to verify
98 static int verify_dfa(struct aa_dfa *dfa, int flags)
100 size_t i, state_count, trans_count;
103 /* check that required tables exist */
104 if (!(dfa->tables[YYTD_ID_DEF] &&
105 dfa->tables[YYTD_ID_BASE] &&
106 dfa->tables[YYTD_ID_NXT] && dfa->tables[YYTD_ID_CHK]))
109 /* accept.size == default.size == base.size */
110 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
111 if (ACCEPT1_FLAGS(flags)) {
112 if (!dfa->tables[YYTD_ID_ACCEPT])
114 if (state_count != dfa->tables[YYTD_ID_ACCEPT]->td_lolen)
117 if (ACCEPT2_FLAGS(flags)) {
118 if (!dfa->tables[YYTD_ID_ACCEPT2])
120 if (state_count != dfa->tables[YYTD_ID_ACCEPT2]->td_lolen)
123 if (state_count != dfa->tables[YYTD_ID_DEF]->td_lolen)
126 /* next.size == chk.size */
127 trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
128 if (trans_count != dfa->tables[YYTD_ID_CHK]->td_lolen)
131 /* if equivalence classes then its table size must be 256 */
132 if (dfa->tables[YYTD_ID_EC] &&
133 dfa->tables[YYTD_ID_EC]->td_lolen != 256)
136 if (flags & DFA_FLAG_VERIFY_STATES) {
137 for (i = 0; i < state_count; i++) {
138 if (DEFAULT_TABLE(dfa)[i] >= state_count)
140 if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
141 printk(KERN_ERR "AppArmor DFA next/check upper "
147 for (i = 0; i < trans_count; i++) {
148 if (NEXT_TABLE(dfa)[i] >= state_count)
150 if (CHECK_TABLE(dfa)[i] >= state_count)
161 * dfa_free - free a dfa allocated by aa_dfa_unpack
162 * @dfa: the dfa to free (MAYBE NULL)
164 * Requires: reference count to dfa == 0
166 static void dfa_free(struct aa_dfa *dfa)
171 for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
172 kvfree(dfa->tables[i]);
173 dfa->tables[i] = NULL;
180 * aa_dfa_free_kref - free aa_dfa by kref (called by aa_put_dfa)
181 * @kr: kref callback for freeing of a dfa (NOT NULL)
183 void aa_dfa_free_kref(struct kref *kref)
185 struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count);
190 * aa_dfa_unpack - unpack the binary tables of a serialized dfa
191 * @blob: aligned serialized stream of data to unpack (NOT NULL)
192 * @size: size of data to unpack
193 * @flags: flags controlling what type of accept tables are acceptable
195 * Unpack a dfa that has been serialized. To find information on the dfa
196 * format look in Documentation/security/apparmor.txt
197 * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
199 * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
201 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
206 struct table_header *table = NULL;
207 struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
211 kref_init(&dfa->count);
215 /* get dfa table set header */
216 if (size < sizeof(struct table_set_header))
219 if (ntohl(*(u32 *) data) != YYTH_MAGIC)
222 hsize = ntohl(*(u32 *) (data + 4));
226 dfa->flags = ntohs(*(u16 *) (data + 12));
231 table = unpack_table(data, size);
235 switch (table->td_id) {
237 if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
240 case YYTD_ID_ACCEPT2:
241 if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
245 if (table->td_flags != YYTD_DATA32)
251 if (table->td_flags != YYTD_DATA16)
255 if (table->td_flags != YYTD_DATA8)
261 /* check for duplicate table entry */
262 if (dfa->tables[table->td_id])
264 dfa->tables[table->td_id] = table;
265 data += table_size(table->td_lolen, table->td_flags);
266 size -= table_size(table->td_lolen, table->td_flags);
270 error = verify_dfa(dfa, flags);
279 return ERR_PTR(error);
283 * aa_dfa_match_len - traverse @dfa to find state @str stops at
284 * @dfa: the dfa to match @str against (NOT NULL)
285 * @start: the state of the dfa to start matching in
286 * @str: the string of bytes to match against the dfa (NOT NULL)
287 * @len: length of the string of bytes to match
289 * aa_dfa_match_len will match @str against the dfa and return the state it
290 * finished matching in. The final state can be used to look up the accepting
291 * label, or as the start state of a continuing match.
293 * This function will happily match again the 0 byte and only finishes
294 * when @len input is consumed.
296 * Returns: final state reached after input is consumed
298 unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
299 const char *str, int len)
301 u16 *def = DEFAULT_TABLE(dfa);
302 u32 *base = BASE_TABLE(dfa);
303 u16 *next = NEXT_TABLE(dfa);
304 u16 *check = CHECK_TABLE(dfa);
305 unsigned int state = start, pos;
310 /* current state is <state>, matching character *str */
311 if (dfa->tables[YYTD_ID_EC]) {
312 /* Equivalence class table defined */
313 u8 *equiv = EQUIV_TABLE(dfa);
314 /* default is direct to next state */
316 pos = base[state] + equiv[(u8) *str++];
317 if (check[pos] == state)
323 /* default is direct to next state */
325 pos = base[state] + (u8) *str++;
326 if (check[pos] == state)
337 * aa_dfa_match - traverse @dfa to find state @str stops at
338 * @dfa: the dfa to match @str against (NOT NULL)
339 * @start: the state of the dfa to start matching in
340 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
342 * aa_dfa_match will match @str against the dfa and return the state it
343 * finished matching in. The final state can be used to look up the accepting
344 * label, or as the start state of a continuing match.
346 * Returns: final state reached after input is consumed
348 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
351 u16 *def = DEFAULT_TABLE(dfa);
352 u32 *base = BASE_TABLE(dfa);
353 u16 *next = NEXT_TABLE(dfa);
354 u16 *check = CHECK_TABLE(dfa);
355 unsigned int state = start, pos;
360 /* current state is <state>, matching character *str */
361 if (dfa->tables[YYTD_ID_EC]) {
362 /* Equivalence class table defined */
363 u8 *equiv = EQUIV_TABLE(dfa);
364 /* default is direct to next state */
366 pos = base[state] + equiv[(u8) *str++];
367 if (check[pos] == state)
373 /* default is direct to next state */
375 pos = base[state] + (u8) *str++;
376 if (check[pos] == state)
387 * aa_dfa_next - step one character to the next state in the dfa
388 * @dfa: the dfa to tranverse (NOT NULL)
389 * @state: the state to start in
390 * @c: the input character to transition on
392 * aa_dfa_match will step through the dfa by one input character @c
394 * Returns: state reach after input @c
396 unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
399 u16 *def = DEFAULT_TABLE(dfa);
400 u32 *base = BASE_TABLE(dfa);
401 u16 *next = NEXT_TABLE(dfa);
402 u16 *check = CHECK_TABLE(dfa);
405 /* current state is <state>, matching character *str */
406 if (dfa->tables[YYTD_ID_EC]) {
407 /* Equivalence class table defined */
408 u8 *equiv = EQUIV_TABLE(dfa);
409 /* default is direct to next state */
411 pos = base[state] + equiv[(u8) c];
412 if (check[pos] == state)
417 /* default is direct to next state */
418 pos = base[state] + (u8) c;
419 if (check[pos] == state)