Lines Matching defs:profile
66 * aa_ext is the read of the buffer containing the serialized profile. The
96 * @new: profile if it has been allocated (MAYBE NULL)
97 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
98 * @name: name of the profile being manipulated (MAYBE NULL)
109 struct aa_profile *profile = labels_profile(aa_current_raw_label());
121 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
471 * unpack_trans_table - unpack a profile transition table
473 * @profile: profile to add the accept table to (NOT NULL)
477 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
489 profile->file.trans.table = kcalloc(size, sizeof(char *),
491 if (!profile->file.trans.table)
494 profile->file.trans.size = size;
503 profile->file.trans.table[i] = str;
541 aa_free_domain_entries(&profile->file.trans);
546 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
554 profile->xattr_count = size;
555 profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
556 if (!profile->xattrs)
559 if (!unpack_strdup(e, &profile->xattrs[i], NULL))
575 static bool unpack_secmark(struct aa_ext *e, struct aa_profile *profile)
583 profile->secmark = kcalloc(size, sizeof(struct aa_secmark),
585 if (!profile->secmark)
588 profile->secmark_count = size;
591 if (!unpack_u8(e, &profile->secmark[i].audit, NULL))
593 if (!unpack_u8(e, &profile->secmark[i].deny, NULL))
595 if (!unpack_strdup(e, &profile->secmark[i].label, NULL))
607 if (profile->secmark) {
609 kfree(profile->secmark[i].label);
610 kfree(profile->secmark);
611 profile->secmark_count = 0;
612 profile->secmark = NULL;
619 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
629 profile->rlimits.mask = tmp;
639 profile->rlimits.limits[a].rlim_max = tmp2;
669 * unpack_profile - unpack a serialized profile
672 * NOTE: unpack profile sets audit struct if there is a failure
676 struct aa_profile *profile = NULL;
678 const char *info = "failed to unpack profile";
690 if (!unpack_nameX(e, AA_STRUCT, "profile"))
700 info = "empty profile name";
711 profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
712 if (!profile)
715 /* profile renaming is optional */
716 (void) unpack_str(e, &profile->rename, "rename");
719 (void) unpack_str(e, &profile->attach, "attach");
722 profile->xmatch = unpack_dfa(e);
723 if (IS_ERR(profile->xmatch)) {
724 error = PTR_ERR(profile->xmatch);
725 profile->xmatch = NULL;
730 if (profile->xmatch) {
735 profile->xmatch_len = tmp;
739 (void) unpack_str(e, &profile->disconnected, "disconnected");
741 /* per profile debug flags (complain, audit) */
743 info = "profile missing flags";
746 info = "failed to unpack profile flags";
750 profile->label.flags |= FLAG_HAT;
754 profile->mode = APPARMOR_COMPLAIN;
756 profile->mode = APPARMOR_ENFORCE;
758 profile->mode = APPARMOR_KILL;
760 profile->mode = APPARMOR_UNCONFINED;
761 profile->label.flags |= FLAG_UNCONFINED;
768 profile->audit = AUDIT_ALL;
774 if (unpack_u32(e, &profile->path_flags, "path_flags"))
775 profile->path_flags |= profile->label.flags &
779 profile->path_flags = PATH_MEDIATE_DELETED;
781 info = "failed to unpack profile capabilities";
782 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
784 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
786 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
791 info = "failed to unpack upper profile capabilities";
794 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
796 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
798 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
806 info = "failed to unpack extended profile capabilities";
809 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
811 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
817 if (!unpack_xattrs(e, profile)) {
818 info = "failed to unpack profile xattrs";
822 if (!unpack_rlimits(e, profile)) {
823 info = "failed to unpack profile rlimits";
827 if (!unpack_secmark(e, profile)) {
828 info = "failed to unpack profile secmark rules";
835 profile->policy.dfa = unpack_dfa(e);
836 if (IS_ERR(profile->policy.dfa)) {
837 error = PTR_ERR(profile->policy.dfa);
838 profile->policy.dfa = NULL;
840 } else if (!profile->policy.dfa) {
844 if (!unpack_u32(e, &profile->policy.start[0], "start"))
846 profile->policy.start[0] = DFA_START;
849 profile->policy.start[i] =
850 aa_dfa_next(profile->policy.dfa,
851 profile->policy.start[0],
857 profile->policy.dfa = aa_get_dfa(nulldfa);
860 profile->file.dfa = unpack_dfa(e);
861 if (IS_ERR(profile->file.dfa)) {
862 error = PTR_ERR(profile->file.dfa);
863 profile->file.dfa = NULL;
864 info = "failed to unpack profile file rules";
866 } else if (profile->file.dfa) {
867 if (!unpack_u32(e, &profile->file.start, "dfa_start"))
869 profile->file.start = DFA_START;
870 } else if (profile->policy.dfa &&
871 profile->policy.start[AA_CLASS_FILE]) {
872 profile->file.dfa = aa_get_dfa(profile->policy.dfa);
873 profile->file.start = profile->policy.start[AA_CLASS_FILE];
875 profile->file.dfa = aa_get_dfa(nulldfa);
877 if (!unpack_trans_table(e, profile)) {
878 info = "failed to unpack profile transition table";
884 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
885 if (!profile->data)
895 if (rhashtable_init(profile->data, &params)) {
916 if (rhashtable_insert_fast(profile->data, &data->head,
917 profile->data->p)) {
932 info = "failed to unpack end of profile";
936 return profile;
939 if (profile)
943 audit_iface(profile, NULL, name, info, e, error);
944 aa_free_profile(profile);
966 audit_iface(NULL, NULL, NULL, "invalid profile format",
1026 * verify_profile - Do post unpack analysis to verify profile consistency
1027 * @profile: profile to verify (NOT NULL)
1031 static int verify_profile(struct aa_profile *profile)
1033 if (profile->file.dfa &&
1034 !verify_dfa_xindex(profile->file.dfa,
1035 profile->file.trans.size)) {
1036 audit_iface(profile, NULL, NULL, "Invalid named transition",
1163 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1166 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1168 * Unpack user data and return refcounted allocated profile(s) stored in
1172 * Returns: profile(s) on @lh else error pointer if fails to unpack
1178 struct aa_profile *profile = NULL;
1195 profile = unpack_profile(&e, &ns_name);
1196 if (IS_ERR(profile)) {
1197 error = PTR_ERR(profile);
1201 error = verify_profile(profile);
1206 error = aa_calc_profile_hash(profile, e.version, start,
1217 ent->new = profile;
1236 aa_put_profile(profile);