Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / 57fa1e18091e66b7e1002816523cb218196a882e / . / security / apparmor / policy_unpack.c
blob: c50634b724b5118d007e1cbac05fd10874ec8252 [file] [log] [blame]
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor functions for unpacking policy loaded from
5 * userspace.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
13 * License.
14 *
Randy Dunlapd410fa4e2011-05-19 15:59:38 -0700[diff] [blame]15 * AppArmor uses a serialized binary format for loading policy. To find
16 * policy format documentation look in Documentation/security/apparmor.txt
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]17 * All policy is validated before it is used.
18 */
19
20#include <asm/unaligned.h>
21#include <linux/ctype.h>
22#include <linux/errno.h>
23
24#include "include/apparmor.h"
25#include "include/audit.h"
26#include "include/context.h"
27#include "include/match.h"
28#include "include/policy.h"
29#include "include/policy_unpack.h"
30#include "include/sid.h"
31
32/*
33 * The AppArmor interface treats data as a type byte followed by the
34 * actual data. The interface has the notion of a a named entry
35 * which has a name (AA_NAME typecode followed by name string) followed by
36 * the entries typecode and data. Named types allow for optional
37 * elements and extensions to be added and tested for without breaking
38 * backwards compatibility.
39 */
40
41enum aa_code {
42 AA_U8,
43 AA_U16,
44 AA_U32,
45 AA_U64,
46 AA_NAME, /* same as string except it is items name */
47 AA_STRING,
48 AA_BLOB,
49 AA_STRUCT,
50 AA_STRUCTEND,
51 AA_LIST,
52 AA_LISTEND,
53 AA_ARRAY,
54 AA_ARRAYEND,
55};
56
57/*
58 * aa_ext is the read of the buffer containing the serialized profile. The
59 * data is copied into a kernel buffer in apparmorfs and then handed off to
60 * the unpack routines.
61 */
62struct aa_ext {
63 void *start;
64 void *end;
65 void *pos; /* pointer to current position in the buffer */
66 u32 version;
67};
68
69/* audit callback for unpack fields */
70static void audit_cb(struct audit_buffer *ab, void *va)
71{
72 struct common_audit_data *sa = va;
73 if (sa->aad.iface.target) {
74 struct aa_profile *name = sa->aad.iface.target;
75 audit_log_format(ab, " name=");
76 audit_log_untrustedstring(ab, name->base.hname);
77 }
78 if (sa->aad.iface.pos)
79 audit_log_format(ab, " offset=%ld", sa->aad.iface.pos);
80}
81
82/**
83 * audit_iface - do audit message for policy unpacking/load/replace/remove
84 * @new: profile if it has been allocated (MAYBE NULL)
85 * @name: name of the profile being manipulated (MAYBE NULL)
86 * @info: any extra info about the failure (MAYBE NULL)
John Johansenb1b4bc22012-03-10 11:25:30 -0800[diff] [blame]87 * @e: buffer position info
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]88 * @error: error code
89 *
90 * Returns: %0 or error
91 */
92static int audit_iface(struct aa_profile *new, const char *name,
93 const char *info, struct aa_ext *e, int error)
94{
95 struct aa_profile *profile = __aa_current_profile();
96 struct common_audit_data sa;
97 COMMON_AUDIT_DATA_INIT(&sa, NONE);
John Johansenb1b4bc22012-03-10 11:25:30 -0800[diff] [blame]98 if (e)
99 sa.aad.iface.pos = e->pos - e->start;
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]100 sa.aad.iface.target = new;
101 sa.aad.name = name;
102 sa.aad.info = info;
103 sa.aad.error = error;
104
105 return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa,
106 audit_cb);
107}
108
109/* test if read will be in packed data bounds */
110static bool inbounds(struct aa_ext *e, size_t size)
111{
112 return (size <= e->end - e->pos);
113}
114
115/**
116 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
117 * @e: serialized data read head (NOT NULL)
118 * @chunk: start address for chunk of data (NOT NULL)
119 *
120 * Returns: the size of chunk found with the read head at the end of the chunk.
121 */
122static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
123{
124 size_t size = 0;
125
126 if (!inbounds(e, sizeof(u16)))
127 return 0;
128 size = le16_to_cpu(get_unaligned((u16 *) e->pos));
129 e->pos += sizeof(u16);
130 if (!inbounds(e, size))
131 return 0;
132 *chunk = e->pos;
133 e->pos += size;
134 return size;
135}
136
137/* unpack control byte */
138static bool unpack_X(struct aa_ext *e, enum aa_code code)
139{
140 if (!inbounds(e, 1))
141 return 0;
142 if (*(u8 *) e->pos != code)
143 return 0;
144 e->pos++;
145 return 1;
146}
147
148/**
149 * unpack_nameX - check is the next element is of type X with a name of @name
150 * @e: serialized data extent information (NOT NULL)
151 * @code: type code
152 * @name: name to match to the serialized element. (MAYBE NULL)
153 *
154 * check that the next serialized data element is of type X and has a tag
155 * name @name. If @name is specified then there must be a matching
156 * name element in the stream. If @name is NULL any name element will be
157 * skipped and only the typecode will be tested.
158 *
159 * Returns 1 on success (both type code and name tests match) and the read
160 * head is advanced past the headers
161 *
162 * Returns: 0 if either match fails, the read head does not move
163 */
164static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
165{
166 /*
167 * May need to reset pos if name or type doesn't match
168 */
169 void *pos = e->pos;
170 /*
171 * Check for presence of a tagname, and if present name size
172 * AA_NAME tag value is a u16.
173 */
174 if (unpack_X(e, AA_NAME)) {
175 char *tag = NULL;
176 size_t size = unpack_u16_chunk(e, &tag);
177 /* if a name is specified it must match. otherwise skip tag */
178 if (name && (!size || strcmp(name, tag)))
179 goto fail;
180 } else if (name) {
181 /* if a name is specified and there is no name tag fail */
182 goto fail;
183 }
184
185 /* now check if type code matches */
186 if (unpack_X(e, code))
187 return 1;
188
189fail:
190 e->pos = pos;
191 return 0;
192}
193
194static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
195{
196 if (unpack_nameX(e, AA_U32, name)) {
197 if (!inbounds(e, sizeof(u32)))
198 return 0;
199 if (data)
200 *data = le32_to_cpu(get_unaligned((u32 *) e->pos));
201 e->pos += sizeof(u32);
202 return 1;
203 }
204 return 0;
205}
206
207static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
208{
209 if (unpack_nameX(e, AA_U64, name)) {
210 if (!inbounds(e, sizeof(u64)))
211 return 0;
212 if (data)
213 *data = le64_to_cpu(get_unaligned((u64 *) e->pos));
214 e->pos += sizeof(u64);
215 return 1;
216 }
217 return 0;
218}
219
220static size_t unpack_array(struct aa_ext *e, const char *name)
221{
222 if (unpack_nameX(e, AA_ARRAY, name)) {
223 int size;
224 if (!inbounds(e, sizeof(u16)))
225 return 0;
226 size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos));
227 e->pos += sizeof(u16);
228 return size;
229 }
230 return 0;
231}
232
233static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
234{
235 if (unpack_nameX(e, AA_BLOB, name)) {
236 u32 size;
237 if (!inbounds(e, sizeof(u32)))
238 return 0;
239 size = le32_to_cpu(get_unaligned((u32 *) e->pos));
240 e->pos += sizeof(u32);
241 if (inbounds(e, (size_t) size)) {
242 *blob = e->pos;
243 e->pos += size;
244 return size;
245 }
246 }
247 return 0;
248}
249
250static int unpack_str(struct aa_ext *e, const char **string, const char *name)
251{
252 char *src_str;
253 size_t size = 0;
254 void *pos = e->pos;
255 *string = NULL;
256 if (unpack_nameX(e, AA_STRING, name)) {
257 size = unpack_u16_chunk(e, &src_str);
258 if (size) {
259 /* strings are null terminated, length is size - 1 */
260 if (src_str[size - 1] != 0)
261 goto fail;
262 *string = src_str;
263 }
264 }
265 return size;
266
267fail:
268 e->pos = pos;
269 return 0;
270}
271
272static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
273{
274 const char *tmp;
275 void *pos = e->pos;
276 int res = unpack_str(e, &tmp, name);
277 *string = NULL;
278
279 if (!res)
280 return 0;
281
282 *string = kmemdup(tmp, res, GFP_KERNEL);
283 if (!*string) {
284 e->pos = pos;
285 return 0;
286 }
287
288 return res;
289}
290
291/**
292 * verify_accept - verify the accept tables of a dfa
293 * @dfa: dfa to verify accept tables of (NOT NULL)
294 * @flags: flags governing dfa
295 *
296 * Returns: 1 if valid accept tables else 0 if error
297 */
298static bool verify_accept(struct aa_dfa *dfa, int flags)
299{
300 int i;
301
302 /* verify accept permissions */
303 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
304 int mode = ACCEPT_TABLE(dfa)[i];
305
306 if (mode & ~DFA_VALID_PERM_MASK)
307 return 0;
308
309 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
310 return 0;
311 }
312 return 1;
313}
314
315/**
316 * unpack_dfa - unpack a file rule dfa
317 * @e: serialized data extent information (NOT NULL)
318 *
319 * returns dfa or ERR_PTR or NULL if no dfa
320 */
321static struct aa_dfa *unpack_dfa(struct aa_ext *e)
322{
323 char *blob = NULL;
324 size_t size;
325 struct aa_dfa *dfa = NULL;
326
327 size = unpack_blob(e, &blob, "aadfa");
328 if (size) {
329 /*
330 * The dfa is aligned with in the blob to 8 bytes
331 * from the beginning of the stream.
332 */
333 size_t sz = blob - (char *)e->start;
334 size_t pad = ALIGN(sz, 8) - sz;
335 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
336 TO_ACCEPT2_FLAG(YYTD_DATA32);
337
338
339 if (aa_g_paranoid_load)
340 flags |= DFA_FLAG_VERIFY_STATES;
341
342 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
343
344 if (IS_ERR(dfa))
345 return dfa;
346
347 if (!verify_accept(dfa, flags))
348 goto fail;
349 }
350
351 return dfa;
352
353fail:
354 aa_put_dfa(dfa);
355 return ERR_PTR(-EPROTO);
356}
357
358/**
359 * unpack_trans_table - unpack a profile transition table
360 * @e: serialized data extent information (NOT NULL)
361 * @profile: profile to add the accept table to (NOT NULL)
362 *
Lucas De Marchi25985ed2011-03-30 22:57:33 -0300[diff] [blame]363 * Returns: 1 if table successfully unpacked
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]364 */
365static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
366{
367 void *pos = e->pos;
368
369 /* exec table is optional */
370 if (unpack_nameX(e, AA_STRUCT, "xtable")) {
371 int i, size;
372
373 size = unpack_array(e, NULL);
374 /* currently 4 exec bits and entries 0-3 are reserved iupcx */
375 if (size > 16 - 4)
376 goto fail;
377 profile->file.trans.table = kzalloc(sizeof(char *) * size,
378 GFP_KERNEL);
379 if (!profile->file.trans.table)
380 goto fail;
381
382 profile->file.trans.size = size;
383 for (i = 0; i < size; i++) {
384 char *str;
James Morris7ee95852011-08-29 11:43:02 +1000[diff] [blame]385 int c, j, size2 = unpack_strdup(e, &str, NULL);
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]386 /* unpack_strdup verifies that the last character is
387 * null termination byte.
388 */
James Morris7ee95852011-08-29 11:43:02 +1000[diff] [blame]389 if (!size2)
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]390 goto fail;
391 profile->file.trans.table[i] = str;
392 /* verify that name doesn't start with space */
393 if (isspace(*str))
394 goto fail;
395
396 /* count internal # of internal \0 */
James Morris7ee95852011-08-29 11:43:02 +1000[diff] [blame]397 for (c = j = 0; j < size2 - 2; j++) {
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]398 if (!str[j])
399 c++;
400 }
401 if (*str == ':') {
402 /* beginning with : requires an embedded \0,
403 * verify that exactly 1 internal \0 exists
404 * trailing \0 already verified by unpack_strdup
405 */
406 if (c != 1)
407 goto fail;
408 /* first character after : must be valid */
409 if (!str[1])
410 goto fail;
411 } else if (c)
412 /* fail - all other cases with embedded \0 */
413 goto fail;
414 }
415 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
416 goto fail;
417 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
418 goto fail;
419 }
420 return 1;
421
422fail:
423 aa_free_domain_entries(&profile->file.trans);
424 e->pos = pos;
425 return 0;
426}
427
428static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
429{
430 void *pos = e->pos;
431
432 /* rlimits are optional */
433 if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
434 int i, size;
435 u32 tmp = 0;
436 if (!unpack_u32(e, &tmp, NULL))
437 goto fail;
438 profile->rlimits.mask = tmp;
439
440 size = unpack_array(e, NULL);
441 if (size > RLIM_NLIMITS)
442 goto fail;
443 for (i = 0; i < size; i++) {
James Morris7ee95852011-08-29 11:43:02 +1000[diff] [blame]444 u64 tmp2 = 0;
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]445 int a = aa_map_resource(i);
James Morris7ee95852011-08-29 11:43:02 +1000[diff] [blame]446 if (!unpack_u64(e, &tmp2, NULL))
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]447 goto fail;
James Morris7ee95852011-08-29 11:43:02 +1000[diff] [blame]448 profile->rlimits.limits[a].rlim_max = tmp2;
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]449 }
450 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
451 goto fail;
452 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
453 goto fail;
454 }
455 return 1;
456
457fail:
458 e->pos = pos;
459 return 0;
460}
461
462/**
463 * unpack_profile - unpack a serialized profile
464 * @e: serialized data extent information (NOT NULL)
465 *
466 * NOTE: unpack profile sets audit struct if there is a failure
467 */
468static struct aa_profile *unpack_profile(struct aa_ext *e)
469{
470 struct aa_profile *profile = NULL;
471 const char *name = NULL;
472 int error = -EPROTO;
473 kernel_cap_t tmpcap;
474 u32 tmp;
475
476 /* check that we have the right struct being passed */
477 if (!unpack_nameX(e, AA_STRUCT, "profile"))
478 goto fail;
479 if (!unpack_str(e, &name, NULL))
480 goto fail;
481
482 profile = aa_alloc_profile(name);
483 if (!profile)
484 return ERR_PTR(-ENOMEM);
485
486 /* profile renaming is optional */
487 (void) unpack_str(e, &profile->rename, "rename");
488
489 /* xmatch is optional and may be NULL */
490 profile->xmatch = unpack_dfa(e);
491 if (IS_ERR(profile->xmatch)) {
492 error = PTR_ERR(profile->xmatch);
493 profile->xmatch = NULL;
494 goto fail;
495 }
496 /* xmatch_len is not optional if xmatch is set */
497 if (profile->xmatch) {
498 if (!unpack_u32(e, &tmp, NULL))
499 goto fail;
500 profile->xmatch_len = tmp;
501 }
502
503 /* per profile debug flags (complain, audit) */
504 if (!unpack_nameX(e, AA_STRUCT, "flags"))
505 goto fail;
506 if (!unpack_u32(e, &tmp, NULL))
507 goto fail;
508 if (tmp)
509 profile->flags |= PFLAG_HAT;
510 if (!unpack_u32(e, &tmp, NULL))
511 goto fail;
512 if (tmp)
513 profile->mode = APPARMOR_COMPLAIN;
514 if (!unpack_u32(e, &tmp, NULL))
515 goto fail;
516 if (tmp)
517 profile->audit = AUDIT_ALL;
518
519 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
520 goto fail;
521
522 /* path_flags is optional */
523 if (unpack_u32(e, &profile->path_flags, "path_flags"))
524 profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
525 else
526 /* set a default value if path_flags field is not present */
527 profile->path_flags = PFLAG_MEDIATE_DELETED;
528
529 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
530 goto fail;
531 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
532 goto fail;
533 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
534 goto fail;
535 if (!unpack_u32(e, &tmpcap.cap[0], NULL))
536 goto fail;
537
538 if (unpack_nameX(e, AA_STRUCT, "caps64")) {
539 /* optional upper half of 64 bit caps */
540 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
541 goto fail;
542 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
543 goto fail;
544 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
545 goto fail;
546 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
547 goto fail;
548 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
549 goto fail;
550 }
551
552 if (unpack_nameX(e, AA_STRUCT, "capsx")) {
553 /* optional extended caps mediation mask */
554 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
555 goto fail;
556 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
557 goto fail;
John Johansencdbd2882012-02-16 07:06:41 -0800[diff] [blame]558 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
559 goto fail;
John Johansen736ec7522010-07-29 14:48:02 -0700[diff] [blame]560 }
561
562 if (!unpack_rlimits(e, profile))
563 goto fail;
564
565 /* get file rules */
566 profile->file.dfa = unpack_dfa(e);
567 if (IS_ERR(profile->file.dfa)) {
568 error = PTR_ERR(profile->file.dfa);
569 profile->file.dfa = NULL;
570 goto fail;
571 }
572
573 if (!unpack_u32(e, &profile->file.start, "dfa_start"))
574 /* default start state */
575 profile->file.start = DFA_START;
576
577 if (!unpack_trans_table(e, profile))
578 goto fail;
579
580 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
581 goto fail;
582
583 return profile;
584
585fail:
586 if (profile)
587 name = NULL;
588 else if (!name)
589 name = "unknown";
590 audit_iface(profile, name, "failed to unpack profile", e, error);
591 aa_put_profile(profile);
592
593 return ERR_PTR(error);
594}
595
596/**
597 * verify_head - unpack serialized stream header
598 * @e: serialized data read head (NOT NULL)
599 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
600 *
601 * Returns: error or 0 if header is good
602 */
603static int verify_header(struct aa_ext *e, const char **ns)
604{
605 int error = -EPROTONOSUPPORT;
606 /* get the interface version */
607 if (!unpack_u32(e, &e->version, "version")) {
608 audit_iface(NULL, NULL, "invalid profile format", e, error);
609 return error;
610 }
611
612 /* check that the interface version is currently supported */
613 if (e->version != 5) {
614 audit_iface(NULL, NULL, "unsupported interface version", e,
615 error);
616 return error;
617 }
618
619 /* read the namespace if present */
620 if (!unpack_str(e, ns, "namespace"))
621 *ns = NULL;
622
623 return 0;
624}
625
626static bool verify_xindex(int xindex, int table_size)
627{
628 int index, xtype;
629 xtype = xindex & AA_X_TYPE_MASK;
630 index = xindex & AA_X_INDEX_MASK;
631 if (xtype == AA_X_TABLE && index > table_size)
632 return 0;
633 return 1;
634}
635
636/* verify dfa xindexes are in range of transition tables */
637static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
638{
639 int i;
640 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
641 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
642 return 0;
643 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
644 return 0;
645 }
646 return 1;
647}
648
649/**
650 * verify_profile - Do post unpack analysis to verify profile consistency
651 * @profile: profile to verify (NOT NULL)
652 *
653 * Returns: 0 if passes verification else error
654 */
655static int verify_profile(struct aa_profile *profile)
656{
657 if (aa_g_paranoid_load) {
658 if (profile->file.dfa &&
659 !verify_dfa_xindex(profile->file.dfa,
660 profile->file.trans.size)) {
661 audit_iface(profile, NULL, "Invalid named transition",
662 NULL, -EPROTO);
663 return -EPROTO;
664 }
665 }
666
667 return 0;
668}
669
670/**
671 * aa_unpack - unpack packed binary profile data loaded from user space
672 * @udata: user data copied to kmem (NOT NULL)
673 * @size: the size of the user data
674 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
675 *
676 * Unpack user data and return refcounted allocated profile or ERR_PTR
677 *
678 * Returns: profile else error pointer if fails to unpack
679 */
680struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns)
681{
682 struct aa_profile *profile = NULL;
683 int error;
684 struct aa_ext e = {
685 .start = udata,
686 .end = udata + size,
687 .pos = udata,
688 };
689
690 error = verify_header(&e, ns);
691 if (error)
692 return ERR_PTR(error);
693
694 profile = unpack_profile(&e);
695 if (IS_ERR(profile))
696 return profile;
697
698 error = verify_profile(profile);
699 if (error) {
700 aa_put_profile(profile);
701 profile = ERR_PTR(error);
702 }
703
704 /* return refcount */
705 return profile;
706}