1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor functions for unpacking policy loaded
6  * from userspace.
7  *
8  * Copyright (C) 1998-2008 Novell/SUSE
9  * Copyright 2009-2022 Canonical Ltd.
10  *
11  * Code to provide backwards compatibility with older policy versions,
12  * by converting/mapping older policy formats into the newer internal
13  * formats.
14  */
15 
16 #include <linux/ctype.h>
17 #include <linux/errno.h>
18 
19 #include "include/lib.h"
20 #include "include/policy_unpack.h"
21 #include "include/policy_compat.h"
22 
23 /* remap old accept table embedded permissions to separate permission table */
24 static u32 dfa_map_xindex(u16 mask)
25 {
26 	u16 old_index = (mask >> 10) & 0xf;
27 	u32 index = 0;
28 
29 	if (mask & 0x100)
30 		index |= AA_X_UNSAFE;
31 	if (mask & 0x200)
32 		index |= AA_X_INHERIT;
33 	if (mask & 0x80)
34 		index |= AA_X_UNCONFINED;
35 
36 	if (old_index == 1) {
37 		index |= AA_X_UNCONFINED;
38 	} else if (old_index == 2) {
39 		index |= AA_X_NAME;
40 	} else if (old_index == 3) {
41 		index |= AA_X_NAME | AA_X_CHILD;
42 	} else if (old_index) {
43 		index |= AA_X_TABLE;
44 		index |= old_index - 4;
45 	}
46 
47 	return index;
48 }
49 
50 /*
51  * map old dfa inline permissions to new format
52  */
53 #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
54 				    ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
55 #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
56 #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
57 #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
58 #define dfa_user_xindex(dfa, state) \
59 	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
60 
61 #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
62 				      0x7f) |				\
63 				     ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
64 #define dfa_other_xbits(dfa, state) \
65 	((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
66 #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
67 #define dfa_other_quiet(dfa, state) \
68 	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
69 #define dfa_other_xindex(dfa, state) \
70 	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
71 
72 /**
73  * map_old_perms - map old file perms layout to the new layout
74  * @old: permission set in old mapping
75  *
76  * Returns: new permission mapping
77  */
78 static u32 map_old_perms(u32 old)
79 {
80 	u32 new = old & 0xf;
81 
82 	if (old & MAY_READ)
83 		new |= AA_MAY_GETATTR | AA_MAY_OPEN;
84 	if (old & MAY_WRITE)
85 		new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
86 		       AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
87 	if (old & 0x10)
88 		new |= AA_MAY_LINK;
89 	/* the old mapping lock and link_subset flags where overlaid
90 	 * and use was determined by part of a pair that they were in
91 	 */
92 	if (old & 0x20)
93 		new |= AA_MAY_LOCK | AA_LINK_SUBSET;
94 	if (old & 0x40)	/* AA_EXEC_MMAP */
95 		new |= AA_EXEC_MMAP;
96 
97 	return new;
98 }
99 
100 static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
101 				 aa_state_t state)
102 {
103 	perms->allow |= AA_MAY_GETATTR;
104 
105 	/* change_profile wasn't determined by ownership in old mapping */
106 	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
107 		perms->allow |= AA_MAY_CHANGE_PROFILE;
108 	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
109 		perms->allow |= AA_MAY_ONEXEC;
110 }
111 
112 static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
113 					   aa_state_t state)
114 {
115 	struct aa_perms perms = { };
116 
117 	perms.allow = map_old_perms(dfa_user_allow(dfa, state));
118 	perms.audit = map_old_perms(dfa_user_audit(dfa, state));
119 	perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
120 	perms.xindex = dfa_user_xindex(dfa, state);
121 
122 	compute_fperms_allow(&perms, dfa, state);
123 
124 	return perms;
125 }
126 
127 static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
128 					    aa_state_t state)
129 {
130 	struct aa_perms perms = { };
131 
132 	perms.allow = map_old_perms(dfa_other_allow(dfa, state));
133 	perms.audit = map_old_perms(dfa_other_audit(dfa, state));
134 	perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
135 	perms.xindex = dfa_other_xindex(dfa, state);
136 
137 	compute_fperms_allow(&perms, dfa, state);
138 
139 	return perms;
140 }
141 
142 /**
143  * compute_fperms - convert dfa compressed perms to internal perms and store
144  *		    them so they can be retrieved later.
145  * @dfa: a dfa using fperms to remap to internal permissions
146  *
147  * Returns: remapped perm table
148  */
149 static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
150 {
151 	aa_state_t state;
152 	unsigned int state_count;
153 	struct aa_perms *table;
154 
155 	AA_BUG(!dfa);
156 
157 	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
158 	/* DFAs are restricted from having a state_count of less than 2 */
159 	table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL);
160 	if (!table)
161 		return NULL;
162 
163 	for (state = 0; state < state_count; state++) {
164 		table[state * 2] = compute_fperms_user(dfa, state);
165 		table[state * 2 + 1] = compute_fperms_other(dfa, state);
166 	}
167 
168 	return table;
169 }
170 
171 static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
172 {
173 	struct aa_perms *perms;
174 	int state;
175 	int state_count;
176 
177 	AA_BUG(!xmatch);
178 
179 	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
180 	/* DFAs are restricted from having a state_count of less than 2 */
181 	perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
182 
183 	/* zero init so skip the trap state (state == 0) */
184 	for (state = 1; state < state_count; state++)
185 		perms[state].allow = dfa_user_allow(xmatch, state);
186 
187 	return perms;
188 }
189 
190 static u32 map_other(u32 x)
191 {
192 	return ((x & 0x3) << 8) |	/* SETATTR/GETATTR */
193 		((x & 0x1c) << 18) |	/* ACCEPT/BIND/LISTEN */
194 		((x & 0x60) << 19);	/* SETOPT/GETOPT */
195 }
196 
197 static u32 map_xbits(u32 x)
198 {
199 	return ((x & 0x1) << 7) |
200 		((x & 0x7e) << 9);
201 }
202 
203 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
204 					   aa_state_t state,
205 					   u32 version)
206 {
207 	struct aa_perms perms = { };
208 
209 	perms.allow = dfa_user_allow(dfa, state);
210 	perms.audit = dfa_user_audit(dfa, state);
211 	perms.quiet = dfa_user_quiet(dfa, state);
212 
213 	/*
214 	 * This mapping is convulated due to history.
215 	 * v1-v4: only file perms, which are handled by compute_fperms
216 	 * v5: added policydb which dropped user conditional to gain new
217 	 *     perm bits, but had to map around the xbits because the
218 	 *     userspace compiler was still munging them.
219 	 * v9: adds using the xbits in policydb because the compiler now
220 	 *     supports treating policydb permission bits different.
221 	 *     Unfortunately there is no way to force auditing on the
222 	 *     perms represented by the xbits
223 	 */
224 	perms.allow |= map_other(dfa_other_allow(dfa, state));
225 	if (VERSION_LE(version, v8))
226 		perms.allow |= AA_MAY_LOCK;
227 	else
228 		perms.allow |= map_xbits(dfa_user_xbits(dfa, state));
229 
230 	/*
231 	 * for v5-v9 perm mapping in the policydb, the other set is used
232 	 * to extend the general perm set
233 	 */
234 	perms.audit |= map_other(dfa_other_audit(dfa, state));
235 	perms.quiet |= map_other(dfa_other_quiet(dfa, state));
236 	if (VERSION_GT(version, v8))
237 		perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));
238 
239 	return perms;
240 }
241 
242 static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
243 {
244 	unsigned int state;
245 	unsigned int state_count;
246 	struct aa_perms *table;
247 
248 	AA_BUG(!dfa);
249 
250 	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
251 	/* DFAs are restricted from having a state_count of less than 2 */
252 	table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
253 	if (!table)
254 		return NULL;
255 
256 	/* zero init so skip the trap state (state == 0) */
257 	for (state = 1; state < state_count; state++)
258 		table[state] = compute_perms_entry(dfa, state, version);
259 
260 	return table;
261 }
262 
263 /**
264  * remap_dfa_accept - remap old dfa accept table to be an index
265  * @dfa: dfa to do the remapping on
266  * @factor: scaling factor for the index conversion.
267  *
268  * Used in conjunction with compute_Xperms, it converts old style perms
269  * that are encoded in the dfa accept tables to the new style where
270  * there is a permission table and the accept table is an index into
271  * the permission table.
272  */
273 static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
274 {
275 	unsigned int state;
276 	unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
277 
278 	AA_BUG(!dfa);
279 
280 	for (state = 0; state < state_count; state++)
281 		ACCEPT_TABLE(dfa)[state] = state * factor;
282 	kvfree(dfa->tables[YYTD_ID_ACCEPT2]);
283 	dfa->tables[YYTD_ID_ACCEPT2] = NULL;
284 }
285 
286 /* TODO: merge different dfa mappings into single map_policy fn */
287 int aa_compat_map_xmatch(struct aa_policydb *policy)
288 {
289 	policy->perms = compute_xmatch_perms(policy->dfa);
290 	if (!policy->perms)
291 		return -ENOMEM;
292 
293 	remap_dfa_accept(policy->dfa, 1);
294 
295 	return 0;
296 }
297 
298 int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
299 {
300 	policy->perms = compute_perms(policy->dfa, version);
301 	if (!policy->perms)
302 		return -ENOMEM;
303 
304 	remap_dfa_accept(policy->dfa, 1);
305 
306 	return 0;
307 }
308 
309 int aa_compat_map_file(struct aa_policydb *policy)
310 {
311 	policy->perms = compute_fperms(policy->dfa);
312 	if (!policy->perms)
313 		return -ENOMEM;
314 
315 	remap_dfa_accept(policy->dfa, 2);
316 
317 	return 0;
318 }
319