2 * AppArmor security module
4 * This file contains AppArmor functions for unpacking policy loaded from
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
15 * AppArmor uses a serialized binary format for loading policy. To find
16 * policy format documentation look in Documentation/security/apparmor.txt
17 * All policy is validated before it is used.
20 #include <asm/unaligned.h>
21 #include <linux/ctype.h>
22 #include <linux/errno.h>
24 #include "include/apparmor.h"
25 #include "include/audit.h"
26 #include "include/context.h"
27 #include "include/match.h"
28 #include "include/policy.h"
29 #include "include/policy_unpack.h"
32 * The AppArmor interface treats data as a type byte followed by the
33 * actual data. The interface has the notion of a a named entry
34 * which has a name (AA_NAME typecode followed by name string) followed by
35 * the entries typecode and data. Named types allow for optional
36 * elements and extensions to be added and tested for without breaking
37 * backwards compatibility.
45 AA_NAME, /* same as string except it is items name */
57 * aa_ext is the read of the buffer containing the serialized profile. The
58 * data is copied into a kernel buffer in apparmorfs and then handed off to
59 * the unpack routines.
64 void *pos; /* pointer to current position in the buffer */
68 /* audit callback for unpack fields */
69 static void audit_cb(struct audit_buffer *ab, void *va)
71 struct common_audit_data *sa = va;
72 if (sa->aad->iface.target) {
73 struct aa_profile *name = sa->aad->iface.target;
74 audit_log_format(ab, " name=");
75 audit_log_untrustedstring(ab, name->base.hname);
77 if (sa->aad->iface.pos)
78 audit_log_format(ab, " offset=%ld", sa->aad->iface.pos);
82 * audit_iface - do audit message for policy unpacking/load/replace/remove
83 * @new: profile if it has been allocated (MAYBE NULL)
84 * @name: name of the profile being manipulated (MAYBE NULL)
85 * @info: any extra info about the failure (MAYBE NULL)
86 * @e: buffer position info
89 * Returns: %0 or error
91 static int audit_iface(struct aa_profile *new, const char *name,
92 const char *info, struct aa_ext *e, int error)
94 struct aa_profile *profile = __aa_current_profile();
95 struct common_audit_data sa;
96 struct apparmor_audit_data aad = {0,};
97 sa.type = LSM_AUDIT_DATA_NONE;
100 aad.iface.pos = e->pos - e->start;
101 aad.iface.target = new;
106 return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa,
110 /* test if read will be in packed data bounds */
111 static bool inbounds(struct aa_ext *e, size_t size)
113 return (size <= e->end - e->pos);
117 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
118 * @e: serialized data read head (NOT NULL)
119 * @chunk: start address for chunk of data (NOT NULL)
121 * Returns: the size of chunk found with the read head at the end of the chunk.
123 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
127 if (!inbounds(e, sizeof(u16)))
129 size = le16_to_cpu(get_unaligned((u16 *) e->pos));
130 e->pos += sizeof(u16);
131 if (!inbounds(e, size))
138 /* unpack control byte */
139 static bool unpack_X(struct aa_ext *e, enum aa_code code)
143 if (*(u8 *) e->pos != code)
150 * unpack_nameX - check is the next element is of type X with a name of @name
151 * @e: serialized data extent information (NOT NULL)
153 * @name: name to match to the serialized element. (MAYBE NULL)
155 * check that the next serialized data element is of type X and has a tag
156 * name @name. If @name is specified then there must be a matching
157 * name element in the stream. If @name is NULL any name element will be
158 * skipped and only the typecode will be tested.
160 * Returns 1 on success (both type code and name tests match) and the read
161 * head is advanced past the headers
163 * Returns: 0 if either match fails, the read head does not move
165 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
168 * May need to reset pos if name or type doesn't match
172 * Check for presence of a tagname, and if present name size
173 * AA_NAME tag value is a u16.
175 if (unpack_X(e, AA_NAME)) {
177 size_t size = unpack_u16_chunk(e, &tag);
178 /* if a name is specified it must match. otherwise skip tag */
179 if (name && (!size || strcmp(name, tag)))
182 /* if a name is specified and there is no name tag fail */
186 /* now check if type code matches */
187 if (unpack_X(e, code))
195 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
197 if (unpack_nameX(e, AA_U32, name)) {
198 if (!inbounds(e, sizeof(u32)))
201 *data = le32_to_cpu(get_unaligned((u32 *) e->pos));
202 e->pos += sizeof(u32);
208 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
210 if (unpack_nameX(e, AA_U64, name)) {
211 if (!inbounds(e, sizeof(u64)))
214 *data = le64_to_cpu(get_unaligned((u64 *) e->pos));
215 e->pos += sizeof(u64);
221 static size_t unpack_array(struct aa_ext *e, const char *name)
223 if (unpack_nameX(e, AA_ARRAY, name)) {
225 if (!inbounds(e, sizeof(u16)))
227 size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos));
228 e->pos += sizeof(u16);
234 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
236 if (unpack_nameX(e, AA_BLOB, name)) {
238 if (!inbounds(e, sizeof(u32)))
240 size = le32_to_cpu(get_unaligned((u32 *) e->pos));
241 e->pos += sizeof(u32);
242 if (inbounds(e, (size_t) size)) {
251 static int unpack_str(struct aa_ext *e, const char **string, const char *name)
257 if (unpack_nameX(e, AA_STRING, name)) {
258 size = unpack_u16_chunk(e, &src_str);
260 /* strings are null terminated, length is size - 1 */
261 if (src_str[size - 1] != 0)
273 static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
277 int res = unpack_str(e, &tmp, name);
283 *string = kmemdup(tmp, res, GFP_KERNEL);
292 #define DFA_VALID_PERM_MASK 0xffffffff
293 #define DFA_VALID_PERM2_MASK 0xffffffff
296 * verify_accept - verify the accept tables of a dfa
297 * @dfa: dfa to verify accept tables of (NOT NULL)
298 * @flags: flags governing dfa
300 * Returns: 1 if valid accept tables else 0 if error
302 static bool verify_accept(struct aa_dfa *dfa, int flags)
306 /* verify accept permissions */
307 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
308 int mode = ACCEPT_TABLE(dfa)[i];
310 if (mode & ~DFA_VALID_PERM_MASK)
313 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
320 * unpack_dfa - unpack a file rule dfa
321 * @e: serialized data extent information (NOT NULL)
323 * returns dfa or ERR_PTR or NULL if no dfa
325 static struct aa_dfa *unpack_dfa(struct aa_ext *e)
329 struct aa_dfa *dfa = NULL;
331 size = unpack_blob(e, &blob, "aadfa");
334 * The dfa is aligned with in the blob to 8 bytes
335 * from the beginning of the stream.
336 * alignment adjust needed by dfa unpack
338 size_t sz = blob - (char *) e->start -
339 ((e->pos - e->start) & 7);
340 size_t pad = ALIGN(sz, 8) - sz;
341 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
342 TO_ACCEPT2_FLAG(YYTD_DATA32);
345 if (aa_g_paranoid_load)
346 flags |= DFA_FLAG_VERIFY_STATES;
348 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
353 if (!verify_accept(dfa, flags))
361 return ERR_PTR(-EPROTO);
365 * unpack_trans_table - unpack a profile transition table
366 * @e: serialized data extent information (NOT NULL)
367 * @profile: profile to add the accept table to (NOT NULL)
369 * Returns: 1 if table successfully unpacked
371 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
375 /* exec table is optional */
376 if (unpack_nameX(e, AA_STRUCT, "xtable")) {
379 size = unpack_array(e, NULL);
380 /* currently 4 exec bits and entries 0-3 are reserved iupcx */
383 profile->file.trans.table = kzalloc(sizeof(char *) * size,
385 if (!profile->file.trans.table)
388 profile->file.trans.size = size;
389 for (i = 0; i < size; i++) {
391 int c, j, size2 = unpack_strdup(e, &str, NULL);
392 /* unpack_strdup verifies that the last character is
393 * null termination byte.
397 profile->file.trans.table[i] = str;
398 /* verify that name doesn't start with space */
402 /* count internal # of internal \0 */
403 for (c = j = 0; j < size2 - 2; j++) {
408 /* beginning with : requires an embedded \0,
409 * verify that exactly 1 internal \0 exists
410 * trailing \0 already verified by unpack_strdup
414 /* first character after : must be valid */
418 /* fail - all other cases with embedded \0 */
421 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
423 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
429 aa_free_domain_entries(&profile->file.trans);
434 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
438 /* rlimits are optional */
439 if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
442 if (!unpack_u32(e, &tmp, NULL))
444 profile->rlimits.mask = tmp;
446 size = unpack_array(e, NULL);
447 if (size > RLIM_NLIMITS)
449 for (i = 0; i < size; i++) {
451 int a = aa_map_resource(i);
452 if (!unpack_u64(e, &tmp2, NULL))
454 profile->rlimits.limits[a].rlim_max = tmp2;
456 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
458 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
469 * unpack_profile - unpack a serialized profile
470 * @e: serialized data extent information (NOT NULL)
472 * NOTE: unpack profile sets audit struct if there is a failure
474 static struct aa_profile *unpack_profile(struct aa_ext *e)
476 struct aa_profile *profile = NULL;
477 const char *name = NULL;
478 int i, error = -EPROTO;
482 /* check that we have the right struct being passed */
483 if (!unpack_nameX(e, AA_STRUCT, "profile"))
485 if (!unpack_str(e, &name, NULL))
488 profile = aa_alloc_profile(name);
490 return ERR_PTR(-ENOMEM);
492 /* profile renaming is optional */
493 (void) unpack_str(e, &profile->rename, "rename");
495 /* xmatch is optional and may be NULL */
496 profile->xmatch = unpack_dfa(e);
497 if (IS_ERR(profile->xmatch)) {
498 error = PTR_ERR(profile->xmatch);
499 profile->xmatch = NULL;
502 /* xmatch_len is not optional if xmatch is set */
503 if (profile->xmatch) {
504 if (!unpack_u32(e, &tmp, NULL))
506 profile->xmatch_len = tmp;
509 /* per profile debug flags (complain, audit) */
510 if (!unpack_nameX(e, AA_STRUCT, "flags"))
512 if (!unpack_u32(e, &tmp, NULL))
515 profile->flags |= PFLAG_HAT;
516 if (!unpack_u32(e, &tmp, NULL))
519 profile->mode = APPARMOR_COMPLAIN;
520 if (!unpack_u32(e, &tmp, NULL))
523 profile->audit = AUDIT_ALL;
525 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
528 /* path_flags is optional */
529 if (unpack_u32(e, &profile->path_flags, "path_flags"))
530 profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
532 /* set a default value if path_flags field is not present */
533 profile->path_flags = PFLAG_MEDIATE_DELETED;
535 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
537 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
539 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
541 if (!unpack_u32(e, &tmpcap.cap[0], NULL))
544 if (unpack_nameX(e, AA_STRUCT, "caps64")) {
545 /* optional upper half of 64 bit caps */
546 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
548 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
550 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
552 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
554 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
558 if (unpack_nameX(e, AA_STRUCT, "capsx")) {
559 /* optional extended caps mediation mask */
560 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
562 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
564 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
568 if (!unpack_rlimits(e, profile))
571 if (unpack_nameX(e, AA_STRUCT, "policydb")) {
572 /* generic policy dfa - optional and may be NULL */
573 profile->policy.dfa = unpack_dfa(e);
574 if (IS_ERR(profile->policy.dfa)) {
575 error = PTR_ERR(profile->policy.dfa);
576 profile->policy.dfa = NULL;
579 if (!unpack_u32(e, &profile->policy.start[0], "start"))
580 /* default start state */
581 profile->policy.start[0] = DFA_START;
582 /* setup class index */
583 for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
584 profile->policy.start[i] =
585 aa_dfa_next(profile->policy.dfa,
586 profile->policy.start[0],
589 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
594 profile->file.dfa = unpack_dfa(e);
595 if (IS_ERR(profile->file.dfa)) {
596 error = PTR_ERR(profile->file.dfa);
597 profile->file.dfa = NULL;
601 if (!unpack_u32(e, &profile->file.start, "dfa_start"))
602 /* default start state */
603 profile->file.start = DFA_START;
605 if (!unpack_trans_table(e, profile))
608 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
618 audit_iface(profile, name, "failed to unpack profile", e, error);
619 aa_put_profile(profile);
621 return ERR_PTR(error);
625 * verify_head - unpack serialized stream header
626 * @e: serialized data read head (NOT NULL)
627 * @required: whether the header is required or optional
628 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
630 * Returns: error or 0 if header is good
632 static int verify_header(struct aa_ext *e, int required, const char **ns)
634 int error = -EPROTONOSUPPORT;
635 const char *name = NULL;
638 /* get the interface version */
639 if (!unpack_u32(e, &e->version, "version")) {
641 audit_iface(NULL, NULL, "invalid profile format", e,
646 /* check that the interface version is currently supported */
647 if (e->version != 5) {
648 audit_iface(NULL, NULL, "unsupported interface version",
655 /* read the namespace if present */
656 if (unpack_str(e, &name, "namespace")) {
657 if (*ns && strcmp(*ns, name))
658 audit_iface(NULL, NULL, "invalid ns change", e, error);
666 static bool verify_xindex(int xindex, int table_size)
669 xtype = xindex & AA_X_TYPE_MASK;
670 index = xindex & AA_X_INDEX_MASK;
671 if (xtype == AA_X_TABLE && index > table_size)
676 /* verify dfa xindexes are in range of transition tables */
677 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
680 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
681 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
683 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
690 * verify_profile - Do post unpack analysis to verify profile consistency
691 * @profile: profile to verify (NOT NULL)
693 * Returns: 0 if passes verification else error
695 static int verify_profile(struct aa_profile *profile)
697 if (aa_g_paranoid_load) {
698 if (profile->file.dfa &&
699 !verify_dfa_xindex(profile->file.dfa,
700 profile->file.trans.size)) {
701 audit_iface(profile, NULL, "Invalid named transition",
710 void aa_load_ent_free(struct aa_load_ent *ent)
713 aa_put_profile(ent->rename);
714 aa_put_profile(ent->old);
715 aa_put_profile(ent->new);
720 struct aa_load_ent *aa_load_ent_alloc(void)
722 struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
724 INIT_LIST_HEAD(&ent->list);
729 * aa_unpack - unpack packed binary profile(s) data loaded from user space
730 * @udata: user data copied to kmem (NOT NULL)
731 * @size: the size of the user data
732 * @lh: list to place unpacked profiles in a aa_repl_ws
733 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
735 * Unpack user data and return refcounted allocated profile(s) stored in
736 * @lh in order of discovery, with the list chain stored in base.list
739 * Returns: profile(s) on @lh else error pointer if fails to unpack
741 int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
743 struct aa_load_ent *tmp, *ent;
744 struct aa_profile *profile = NULL;
753 while (e.pos < e.end) {
754 error = verify_header(&e, e.pos == e.start, ns);
758 profile = unpack_profile(&e);
759 if (IS_ERR(profile)) {
760 error = PTR_ERR(profile);
764 error = verify_profile(profile);
766 aa_put_profile(profile);
770 ent = aa_load_ent_alloc();
773 aa_put_profile(profile);
778 list_add_tail(&ent->list, lh);
784 list_for_each_entry_safe(ent, tmp, lh, list) {
785 list_del_init(&ent->list);
786 aa_load_ent_free(ent);