search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 3.11-rc3
[cris-mirror.git] / security / apparmor / policy_unpack.c
blob6dac7d77cb4d53c1241402d7a267466c31dbb613
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor functions for unpacking policy loaded from
5 * userspace.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
13 * License.
14 *
15 * AppArmor uses a serialized binary format for loading policy. To find
16 * policy format documentation look in Documentation/security/apparmor.txt
17 * All policy is validated before it is used.
18 */
19
20 #include <asm/unaligned.h>
21 #include <linux/ctype.h>
22 #include <linux/errno.h>
23
24 #include "include/apparmor.h"
25 #include "include/audit.h"
26 #include "include/context.h"
27 #include "include/match.h"
28 #include "include/policy.h"
29 #include "include/policy_unpack.h"
30
31 /*
32 * The AppArmor interface treats data as a type byte followed by the
33 * actual data. The interface has the notion of a a named entry
34 * which has a name (AA_NAME typecode followed by name string) followed by
35 * the entries typecode and data. Named types allow for optional
36 * elements and extensions to be added and tested for without breaking
37 * backwards compatibility.
38 */
39
40 enum aa_code {
41 AA_U8,
42 AA_U16,
43 AA_U32,
44 AA_U64,
45 AA_NAME, /* same as string except it is items name */
46 AA_STRING,
47 AA_BLOB,
48 AA_STRUCT,
49 AA_STRUCTEND,
50 AA_LIST,
51 AA_LISTEND,
52 AA_ARRAY,
53 AA_ARRAYEND,
54 };
55
56 /*
57 * aa_ext is the read of the buffer containing the serialized profile. The
58 * data is copied into a kernel buffer in apparmorfs and then handed off to
59 * the unpack routines.
60 */
61 struct aa_ext {
62 void *start;
63 void *end;
64 void *pos; /* pointer to current position in the buffer */
65 u32 version;
66 };
67
68 /* audit callback for unpack fields */
69 static void audit_cb(struct audit_buffer *ab, void *va)
70 {
71 struct common_audit_data *sa = va;
72 if (sa->aad->iface.target) {
73 struct aa_profile *name = sa->aad->iface.target;
74 audit_log_format(ab, " name=");
75 audit_log_untrustedstring(ab, name->base.hname);
76 }
77 if (sa->aad->iface.pos)
78 audit_log_format(ab, " offset=%ld", sa->aad->iface.pos);
79 }
80
81 /**
82 * audit_iface - do audit message for policy unpacking/load/replace/remove
83 * @new: profile if it has been allocated (MAYBE NULL)
84 * @name: name of the profile being manipulated (MAYBE NULL)
85 * @info: any extra info about the failure (MAYBE NULL)
86 * @e: buffer position info
87 * @error: error code
88 *
89 * Returns: %0 or error
90 */
91 static int audit_iface(struct aa_profile *new, const char *name,
92 const char *info, struct aa_ext *e, int error)
93 {
94 struct aa_profile *profile = __aa_current_profile();
95 struct common_audit_data sa;
96 struct apparmor_audit_data aad = {0,};
97 sa.type = LSM_AUDIT_DATA_NONE;
98 sa.aad = &aad;
99 if (e)
100 aad.iface.pos = e->pos - e->start;
101 aad.iface.target = new;
102 aad.name = name;
103 aad.info = info;
104 aad.error = error;
105
106 return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa,
107 audit_cb);
108 }
109
110 /* test if read will be in packed data bounds */
111 static bool inbounds(struct aa_ext *e, size_t size)
112 {
113 return (size <= e->end - e->pos);
114 }
115
116 /**
117 * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
118 * @e: serialized data read head (NOT NULL)
119 * @chunk: start address for chunk of data (NOT NULL)
120 *
121 * Returns: the size of chunk found with the read head at the end of the chunk.
122 */
123 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
124 {
125 size_t size = 0;
126
127 if (!inbounds(e, sizeof(u16)))
128 return 0;
129 size = le16_to_cpu(get_unaligned((u16 *) e->pos));
130 e->pos += sizeof(u16);
131 if (!inbounds(e, size))
132 return 0;
133 *chunk = e->pos;
134 e->pos += size;
135 return size;
136 }
137
138 /* unpack control byte */
139 static bool unpack_X(struct aa_ext *e, enum aa_code code)
140 {
141 if (!inbounds(e, 1))
142 return 0;
143 if (*(u8 *) e->pos != code)
144 return 0;
145 e->pos++;
146 return 1;
147 }
148
149 /**
150 * unpack_nameX - check is the next element is of type X with a name of @name
151 * @e: serialized data extent information (NOT NULL)
152 * @code: type code
153 * @name: name to match to the serialized element. (MAYBE NULL)
154 *
155 * check that the next serialized data element is of type X and has a tag
156 * name @name. If @name is specified then there must be a matching
157 * name element in the stream. If @name is NULL any name element will be
158 * skipped and only the typecode will be tested.
159 *
160 * Returns 1 on success (both type code and name tests match) and the read
161 * head is advanced past the headers
162 *
163 * Returns: 0 if either match fails, the read head does not move
164 */
165 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
166 {
167 /*
168 * May need to reset pos if name or type doesn't match
169 */
170 void *pos = e->pos;
171 /*
172 * Check for presence of a tagname, and if present name size
173 * AA_NAME tag value is a u16.
174 */
175 if (unpack_X(e, AA_NAME)) {
176 char *tag = NULL;
177 size_t size = unpack_u16_chunk(e, &tag);
178 /* if a name is specified it must match. otherwise skip tag */
179 if (name && (!size || strcmp(name, tag)))
180 goto fail;
181 } else if (name) {
182 /* if a name is specified and there is no name tag fail */
183 goto fail;
184 }
185
186 /* now check if type code matches */
187 if (unpack_X(e, code))
188 return 1;
189
190 fail:
191 e->pos = pos;
192 return 0;
193 }
194
195 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
196 {
197 if (unpack_nameX(e, AA_U32, name)) {
198 if (!inbounds(e, sizeof(u32)))
199 return 0;
200 if (data)
201 *data = le32_to_cpu(get_unaligned((u32 *) e->pos));
202 e->pos += sizeof(u32);
203 return 1;
204 }
205 return 0;
206 }
207
208 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
209 {
210 if (unpack_nameX(e, AA_U64, name)) {
211 if (!inbounds(e, sizeof(u64)))
212 return 0;
213 if (data)
214 *data = le64_to_cpu(get_unaligned((u64 *) e->pos));
215 e->pos += sizeof(u64);
216 return 1;
217 }
218 return 0;
219 }
220
221 static size_t unpack_array(struct aa_ext *e, const char *name)
222 {
223 if (unpack_nameX(e, AA_ARRAY, name)) {
224 int size;
225 if (!inbounds(e, sizeof(u16)))
226 return 0;
227 size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos));
228 e->pos += sizeof(u16);
229 return size;
230 }
231 return 0;
232 }
233
234 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
235 {
236 if (unpack_nameX(e, AA_BLOB, name)) {
237 u32 size;
238 if (!inbounds(e, sizeof(u32)))
239 return 0;
240 size = le32_to_cpu(get_unaligned((u32 *) e->pos));
241 e->pos += sizeof(u32);
242 if (inbounds(e, (size_t) size)) {
243 *blob = e->pos;
244 e->pos += size;
245 return size;
246 }
247 }
248 return 0;
249 }
250
251 static int unpack_str(struct aa_ext *e, const char **string, const char *name)
252 {
253 char *src_str;
254 size_t size = 0;
255 void *pos = e->pos;
256 *string = NULL;
257 if (unpack_nameX(e, AA_STRING, name)) {
258 size = unpack_u16_chunk(e, &src_str);
259 if (size) {
260 /* strings are null terminated, length is size - 1 */
261 if (src_str[size - 1] != 0)
262 goto fail;
263 *string = src_str;
264 }
265 }
266 return size;
267
268 fail:
269 e->pos = pos;
270 return 0;
271 }
272
273 static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
274 {
275 const char *tmp;
276 void *pos = e->pos;
277 int res = unpack_str(e, &tmp, name);
278 *string = NULL;
279
280 if (!res)
281 return 0;
282
283 *string = kmemdup(tmp, res, GFP_KERNEL);
284 if (!*string) {
285 e->pos = pos;
286 return 0;
287 }
288
289 return res;
290 }
291
292 #define DFA_VALID_PERM_MASK 0xffffffff
293 #define DFA_VALID_PERM2_MASK 0xffffffff
294
295 /**
296 * verify_accept - verify the accept tables of a dfa
297 * @dfa: dfa to verify accept tables of (NOT NULL)
298 * @flags: flags governing dfa
299 *
300 * Returns: 1 if valid accept tables else 0 if error
301 */
302 static bool verify_accept(struct aa_dfa *dfa, int flags)
303 {
304 int i;
305
306 /* verify accept permissions */
307 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
308 int mode = ACCEPT_TABLE(dfa)[i];
309
310 if (mode & ~DFA_VALID_PERM_MASK)
311 return 0;
312
313 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
314 return 0;
315 }
316 return 1;
317 }
318
319 /**
320 * unpack_dfa - unpack a file rule dfa
321 * @e: serialized data extent information (NOT NULL)
322 *
323 * returns dfa or ERR_PTR or NULL if no dfa
324 */
325 static struct aa_dfa *unpack_dfa(struct aa_ext *e)
326 {
327 char *blob = NULL;
328 size_t size;
329 struct aa_dfa *dfa = NULL;
330
331 size = unpack_blob(e, &blob, "aadfa");
332 if (size) {
333 /*
334 * The dfa is aligned with in the blob to 8 bytes
335 * from the beginning of the stream.
336 */
337 size_t sz = blob - (char *)e->start;
338 size_t pad = ALIGN(sz, 8) - sz;
339 int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
340 TO_ACCEPT2_FLAG(YYTD_DATA32);
341
342
343 if (aa_g_paranoid_load)
344 flags |= DFA_FLAG_VERIFY_STATES;
345
346 dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
347
348 if (IS_ERR(dfa))
349 return dfa;
350
351 if (!verify_accept(dfa, flags))
352 goto fail;
353 }
354
355 return dfa;
356
357 fail:
358 aa_put_dfa(dfa);
359 return ERR_PTR(-EPROTO);
360 }
361
362 /**
363 * unpack_trans_table - unpack a profile transition table
364 * @e: serialized data extent information (NOT NULL)
365 * @profile: profile to add the accept table to (NOT NULL)
366 *
367 * Returns: 1 if table successfully unpacked
368 */
369 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
370 {
371 void *pos = e->pos;
372
373 /* exec table is optional */
374 if (unpack_nameX(e, AA_STRUCT, "xtable")) {
375 int i, size;
376
377 size = unpack_array(e, NULL);
378 /* currently 4 exec bits and entries 0-3 are reserved iupcx */
379 if (size > 16 - 4)
380 goto fail;
381 profile->file.trans.table = kzalloc(sizeof(char *) * size,
382 GFP_KERNEL);
383 if (!profile->file.trans.table)
384 goto fail;
385
386 profile->file.trans.size = size;
387 for (i = 0; i < size; i++) {
388 char *str;
389 int c, j, size2 = unpack_strdup(e, &str, NULL);
390 /* unpack_strdup verifies that the last character is
391 * null termination byte.
392 */
393 if (!size2)
394 goto fail;
395 profile->file.trans.table[i] = str;
396 /* verify that name doesn't start with space */
397 if (isspace(*str))
398 goto fail;
399
400 /* count internal # of internal \0 */
401 for (c = j = 0; j < size2 - 2; j++) {
402 if (!str[j])
403 c++;
404 }
405 if (*str == ':') {
406 /* beginning with : requires an embedded \0,
407 * verify that exactly 1 internal \0 exists
408 * trailing \0 already verified by unpack_strdup
409 */
410 if (c != 1)
411 goto fail;
412 /* first character after : must be valid */
413 if (!str[1])
414 goto fail;
415 } else if (c)
416 /* fail - all other cases with embedded \0 */
417 goto fail;
418 }
419 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
420 goto fail;
421 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
422 goto fail;
423 }
424 return 1;
425
426 fail:
427 aa_free_domain_entries(&profile->file.trans);
428 e->pos = pos;
429 return 0;
430 }
431
432 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
433 {
434 void *pos = e->pos;
435
436 /* rlimits are optional */
437 if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
438 int i, size;
439 u32 tmp = 0;
440 if (!unpack_u32(e, &tmp, NULL))
441 goto fail;
442 profile->rlimits.mask = tmp;
443
444 size = unpack_array(e, NULL);
445 if (size > RLIM_NLIMITS)
446 goto fail;
447 for (i = 0; i < size; i++) {
448 u64 tmp2 = 0;
449 int a = aa_map_resource(i);
450 if (!unpack_u64(e, &tmp2, NULL))
451 goto fail;
452 profile->rlimits.limits[a].rlim_max = tmp2;
453 }
454 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
455 goto fail;
456 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
457 goto fail;
458 }
459 return 1;
460
461 fail:
462 e->pos = pos;
463 return 0;
464 }
465
466 /**
467 * unpack_profile - unpack a serialized profile
468 * @e: serialized data extent information (NOT NULL)
469 *
470 * NOTE: unpack profile sets audit struct if there is a failure
471 */
472 static struct aa_profile *unpack_profile(struct aa_ext *e)
473 {
474 struct aa_profile *profile = NULL;
475 const char *name = NULL;
476 int i, error = -EPROTO;
477 kernel_cap_t tmpcap;
478 u32 tmp;
479
480 /* check that we have the right struct being passed */
481 if (!unpack_nameX(e, AA_STRUCT, "profile"))
482 goto fail;
483 if (!unpack_str(e, &name, NULL))
484 goto fail;
485
486 profile = aa_alloc_profile(name);
487 if (!profile)
488 return ERR_PTR(-ENOMEM);
489
490 /* profile renaming is optional */
491 (void) unpack_str(e, &profile->rename, "rename");
492
493 /* xmatch is optional and may be NULL */
494 profile->xmatch = unpack_dfa(e);
495 if (IS_ERR(profile->xmatch)) {
496 error = PTR_ERR(profile->xmatch);
497 profile->xmatch = NULL;
498 goto fail;
499 }
500 /* xmatch_len is not optional if xmatch is set */
501 if (profile->xmatch) {
502 if (!unpack_u32(e, &tmp, NULL))
503 goto fail;
504 profile->xmatch_len = tmp;
505 }
506
507 /* per profile debug flags (complain, audit) */
508 if (!unpack_nameX(e, AA_STRUCT, "flags"))
509 goto fail;
510 if (!unpack_u32(e, &tmp, NULL))
511 goto fail;
512 if (tmp)
513 profile->flags |= PFLAG_HAT;
514 if (!unpack_u32(e, &tmp, NULL))
515 goto fail;
516 if (tmp)
517 profile->mode = APPARMOR_COMPLAIN;
518 if (!unpack_u32(e, &tmp, NULL))
519 goto fail;
520 if (tmp)
521 profile->audit = AUDIT_ALL;
522
523 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
524 goto fail;
525
526 /* path_flags is optional */
527 if (unpack_u32(e, &profile->path_flags, "path_flags"))
528 profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
529 else
530 /* set a default value if path_flags field is not present */
531 profile->path_flags = PFLAG_MEDIATE_DELETED;
532
533 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
534 goto fail;
535 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
536 goto fail;
537 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
538 goto fail;
539 if (!unpack_u32(e, &tmpcap.cap[0], NULL))
540 goto fail;
541
542 if (unpack_nameX(e, AA_STRUCT, "caps64")) {
543 /* optional upper half of 64 bit caps */
544 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
545 goto fail;
546 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
547 goto fail;
548 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
549 goto fail;
550 if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
551 goto fail;
552 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
553 goto fail;
554 }
555
556 if (unpack_nameX(e, AA_STRUCT, "capsx")) {
557 /* optional extended caps mediation mask */
558 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
559 goto fail;
560 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
561 goto fail;
562 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
563 goto fail;
564 }
565
566 if (!unpack_rlimits(e, profile))
567 goto fail;
568
569 if (unpack_nameX(e, AA_STRUCT, "policydb")) {
570 /* generic policy dfa - optional and may be NULL */
571 profile->policy.dfa = unpack_dfa(e);
572 if (IS_ERR(profile->policy.dfa)) {
573 error = PTR_ERR(profile->policy.dfa);
574 profile->policy.dfa = NULL;
575 goto fail;
576 }
577 if (!unpack_u32(e, &profile->policy.start[0], "start"))
578 /* default start state */
579 profile->policy.start[0] = DFA_START;
580 /* setup class index */
581 for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
582 profile->policy.start[i] =
583 aa_dfa_next(profile->policy.dfa,
584 profile->policy.start[0],
585 i);
586 }
587 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
588 goto fail;
589 }
590
591 /* get file rules */
592 profile->file.dfa = unpack_dfa(e);
593 if (IS_ERR(profile->file.dfa)) {
594 error = PTR_ERR(profile->file.dfa);
595 profile->file.dfa = NULL;
596 goto fail;
597 }
598
599 if (!unpack_u32(e, &profile->file.start, "dfa_start"))
600 /* default start state */
601 profile->file.start = DFA_START;
602
603 if (!unpack_trans_table(e, profile))
604 goto fail;
605
606 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
607 goto fail;
608
609 return profile;
610
611 fail:
612 if (profile)
613 name = NULL;
614 else if (!name)
615 name = "unknown";
616 audit_iface(profile, name, "failed to unpack profile", e, error);
617 aa_put_profile(profile);
618
619 return ERR_PTR(error);
620 }
621
622 /**
623 * verify_head - unpack serialized stream header
624 * @e: serialized data read head (NOT NULL)
625 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
626 *
627 * Returns: error or 0 if header is good
628 */
629 static int verify_header(struct aa_ext *e, const char **ns)
630 {
631 int error = -EPROTONOSUPPORT;
632 /* get the interface version */
633 if (!unpack_u32(e, &e->version, "version")) {
634 audit_iface(NULL, NULL, "invalid profile format", e, error);
635 return error;
636 }
637
638 /* check that the interface version is currently supported */
639 if (e->version != 5) {
640 audit_iface(NULL, NULL, "unsupported interface version", e,
641 error);
642 return error;
643 }
644
645 /* read the namespace if present */
646 if (!unpack_str(e, ns, "namespace"))
647 *ns = NULL;
648
649 return 0;
650 }
651
652 static bool verify_xindex(int xindex, int table_size)
653 {
654 int index, xtype;
655 xtype = xindex & AA_X_TYPE_MASK;
656 index = xindex & AA_X_INDEX_MASK;
657 if (xtype == AA_X_TABLE && index > table_size)
658 return 0;
659 return 1;
660 }
661
662 /* verify dfa xindexes are in range of transition tables */
663 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
664 {
665 int i;
666 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
667 if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
668 return 0;
669 if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
670 return 0;
671 }
672 return 1;
673 }
674
675 /**
676 * verify_profile - Do post unpack analysis to verify profile consistency
677 * @profile: profile to verify (NOT NULL)
678 *
679 * Returns: 0 if passes verification else error
680 */
681 static int verify_profile(struct aa_profile *profile)
682 {
683 if (aa_g_paranoid_load) {
684 if (profile->file.dfa &&
685 !verify_dfa_xindex(profile->file.dfa,
686 profile->file.trans.size)) {
687 audit_iface(profile, NULL, "Invalid named transition",
688 NULL, -EPROTO);
689 return -EPROTO;
690 }
691 }
692
693 return 0;
694 }
695
696 /**
697 * aa_unpack - unpack packed binary profile data loaded from user space
698 * @udata: user data copied to kmem (NOT NULL)
699 * @size: the size of the user data
700 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
701 *
702 * Unpack user data and return refcounted allocated profile or ERR_PTR
703 *
704 * Returns: profile else error pointer if fails to unpack
705 */
706 struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns)
707 {
708 struct aa_profile *profile = NULL;
709 int error;
710 struct aa_ext e = {
711 .start = udata,
712 .end = udata + size,
713 .pos = udata,
714 };
715
716 error = verify_header(&e, ns);
717 if (error)
718 return ERR_PTR(error);
719
720 profile = unpack_profile(&e);
721 if (IS_ERR(profile))
722 return profile;
723
724 error = verify_profile(profile);
725 if (error) {
726 aa_put_profile(profile);
727 profile = ERR_PTR(error);
728 }
729
730 /* return refcount */
731 return profile;
732 }
CRIS linux kernel tree