xref: /openbmc/linux/security/apparmor/policy_unpack.c (revision 91db9311945f01901ddb9813ce11364de214a156)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor functions for unpacking policy loaded from
6  * userspace.
7  *
8  * Copyright (C) 1998-2008 Novell/SUSE
9  * Copyright 2009-2010 Canonical Ltd.
10  *
11  * AppArmor uses a serialized binary format for loading policy. To find
12  * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
13  * All policy is validated before it is used.
14  */
15 
16 #include <asm/unaligned.h>
17 #include <linux/ctype.h>
18 #include <linux/errno.h>
19 
20 #include "include/apparmor.h"
21 #include "include/audit.h"
22 #include "include/cred.h"
23 #include "include/crypto.h"
24 #include "include/match.h"
25 #include "include/path.h"
26 #include "include/policy.h"
27 #include "include/policy_unpack.h"
28 
29 #define K_ABI_MASK 0x3ff
30 #define FORCE_COMPLAIN_FLAG 0x800
31 #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
32 #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
33 
34 #define v5	5	/* base version */
35 #define v6	6	/* per entry policydb mediation check */
36 #define v7	7
37 #define v8	8	/* full network masking */
38 
39 /*
40  * The AppArmor interface treats data as a type byte followed by the
41  * actual data.  The interface has the notion of a a named entry
42  * which has a name (AA_NAME typecode followed by name string) followed by
43  * the entries typecode and data.  Named types allow for optional
44  * elements and extensions to be added and tested for without breaking
45  * backwards compatibility.
46  */
47 
48 enum aa_code {
49 	AA_U8,
50 	AA_U16,
51 	AA_U32,
52 	AA_U64,
53 	AA_NAME,		/* same as string except it is items name */
54 	AA_STRING,
55 	AA_BLOB,
56 	AA_STRUCT,
57 	AA_STRUCTEND,
58 	AA_LIST,
59 	AA_LISTEND,
60 	AA_ARRAY,
61 	AA_ARRAYEND,
62 };
63 
64 /*
65  * aa_ext is the read of the buffer containing the serialized profile.  The
66  * data is copied into a kernel buffer in apparmorfs and then handed off to
67  * the unpack routines.
68  */
69 struct aa_ext {
70 	void *start;
71 	void *end;
72 	void *pos;		/* pointer to current position in the buffer */
73 	u32 version;
74 };
75 
76 /* audit callback for unpack fields */
77 static void audit_cb(struct audit_buffer *ab, void *va)
78 {
79 	struct common_audit_data *sa = va;
80 
81 	if (aad(sa)->iface.ns) {
82 		audit_log_format(ab, " ns=");
83 		audit_log_untrustedstring(ab, aad(sa)->iface.ns);
84 	}
85 	if (aad(sa)->name) {
86 		audit_log_format(ab, " name=");
87 		audit_log_untrustedstring(ab, aad(sa)->name);
88 	}
89 	if (aad(sa)->iface.pos)
90 		audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
91 }
92 
93 /**
94  * audit_iface - do audit message for policy unpacking/load/replace/remove
95  * @new: profile if it has been allocated (MAYBE NULL)
96  * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
97  * @name: name of the profile being manipulated (MAYBE NULL)
98  * @info: any extra info about the failure (MAYBE NULL)
99  * @e: buffer position info
100  * @error: error code
101  *
102  * Returns: %0 or error
103  */
104 static int audit_iface(struct aa_profile *new, const char *ns_name,
105 		       const char *name, const char *info, struct aa_ext *e,
106 		       int error)
107 {
108 	struct aa_profile *profile = labels_profile(aa_current_raw_label());
109 	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL);
110 	if (e)
111 		aad(&sa)->iface.pos = e->pos - e->start;
112 	aad(&sa)->iface.ns = ns_name;
113 	if (new)
114 		aad(&sa)->name = new->base.hname;
115 	else
116 		aad(&sa)->name = name;
117 	aad(&sa)->info = info;
118 	aad(&sa)->error = error;
119 
120 	return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
121 }
122 
123 void __aa_loaddata_update(struct aa_loaddata *data, long revision)
124 {
125 	AA_BUG(!data);
126 	AA_BUG(!data->ns);
127 	AA_BUG(!data->dents[AAFS_LOADDATA_REVISION]);
128 	AA_BUG(!mutex_is_locked(&data->ns->lock));
129 	AA_BUG(data->revision > revision);
130 
131 	data->revision = revision;
132 	d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime =
133 		current_time(d_inode(data->dents[AAFS_LOADDATA_DIR]));
134 	d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime =
135 		current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION]));
136 }
137 
138 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
139 {
140 	if (l->size != r->size)
141 		return false;
142 	if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
143 		return false;
144 	return memcmp(l->data, r->data, r->size) == 0;
145 }
146 
147 /*
148  * need to take the ns mutex lock which is NOT safe most places that
149  * put_loaddata is called, so we have to delay freeing it
150  */
151 static void do_loaddata_free(struct work_struct *work)
152 {
153 	struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
154 	struct aa_ns *ns = aa_get_ns(d->ns);
155 
156 	if (ns) {
157 		mutex_lock_nested(&ns->lock, ns->level);
158 		__aa_fs_remove_rawdata(d);
159 		mutex_unlock(&ns->lock);
160 		aa_put_ns(ns);
161 	}
162 
163 	kzfree(d->hash);
164 	kzfree(d->name);
165 	kvfree(d->data);
166 	kzfree(d);
167 }
168 
169 void aa_loaddata_kref(struct kref *kref)
170 {
171 	struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
172 
173 	if (d) {
174 		INIT_WORK(&d->work, do_loaddata_free);
175 		schedule_work(&d->work);
176 	}
177 }
178 
179 struct aa_loaddata *aa_loaddata_alloc(size_t size)
180 {
181 	struct aa_loaddata *d;
182 
183 	d = kzalloc(sizeof(*d), GFP_KERNEL);
184 	if (d == NULL)
185 		return ERR_PTR(-ENOMEM);
186 	d->data = kvzalloc(size, GFP_KERNEL);
187 	if (!d->data) {
188 		kfree(d);
189 		return ERR_PTR(-ENOMEM);
190 	}
191 	kref_init(&d->count);
192 	INIT_LIST_HEAD(&d->list);
193 
194 	return d;
195 }
196 
197 /* test if read will be in packed data bounds */
198 static bool inbounds(struct aa_ext *e, size_t size)
199 {
200 	return (size <= e->end - e->pos);
201 }
202 
203 static void *kvmemdup(const void *src, size_t len)
204 {
205 	void *p = kvmalloc(len, GFP_KERNEL);
206 
207 	if (p)
208 		memcpy(p, src, len);
209 	return p;
210 }
211 
212 /**
213  * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
214  * @e: serialized data read head (NOT NULL)
215  * @chunk: start address for chunk of data (NOT NULL)
216  *
217  * Returns: the size of chunk found with the read head at the end of the chunk.
218  */
219 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
220 {
221 	size_t size = 0;
222 	void *pos = e->pos;
223 
224 	if (!inbounds(e, sizeof(u16)))
225 		goto fail;
226 	size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
227 	e->pos += sizeof(__le16);
228 	if (!inbounds(e, size))
229 		goto fail;
230 	*chunk = e->pos;
231 	e->pos += size;
232 	return size;
233 
234 fail:
235 	e->pos = pos;
236 	return 0;
237 }
238 
239 /* unpack control byte */
240 static bool unpack_X(struct aa_ext *e, enum aa_code code)
241 {
242 	if (!inbounds(e, 1))
243 		return 0;
244 	if (*(u8 *) e->pos != code)
245 		return 0;
246 	e->pos++;
247 	return 1;
248 }
249 
250 /**
251  * unpack_nameX - check is the next element is of type X with a name of @name
252  * @e: serialized data extent information  (NOT NULL)
253  * @code: type code
254  * @name: name to match to the serialized element.  (MAYBE NULL)
255  *
256  * check that the next serialized data element is of type X and has a tag
257  * name @name.  If @name is specified then there must be a matching
258  * name element in the stream.  If @name is NULL any name element will be
259  * skipped and only the typecode will be tested.
260  *
261  * Returns 1 on success (both type code and name tests match) and the read
262  * head is advanced past the headers
263  *
264  * Returns: 0 if either match fails, the read head does not move
265  */
266 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
267 {
268 	/*
269 	 * May need to reset pos if name or type doesn't match
270 	 */
271 	void *pos = e->pos;
272 	/*
273 	 * Check for presence of a tagname, and if present name size
274 	 * AA_NAME tag value is a u16.
275 	 */
276 	if (unpack_X(e, AA_NAME)) {
277 		char *tag = NULL;
278 		size_t size = unpack_u16_chunk(e, &tag);
279 		/* if a name is specified it must match. otherwise skip tag */
280 		if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
281 			goto fail;
282 	} else if (name) {
283 		/* if a name is specified and there is no name tag fail */
284 		goto fail;
285 	}
286 
287 	/* now check if type code matches */
288 	if (unpack_X(e, code))
289 		return 1;
290 
291 fail:
292 	e->pos = pos;
293 	return 0;
294 }
295 
296 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
297 {
298 	void *pos = e->pos;
299 
300 	if (unpack_nameX(e, AA_U8, name)) {
301 		if (!inbounds(e, sizeof(u8)))
302 			goto fail;
303 		if (data)
304 			*data = get_unaligned((u8 *)e->pos);
305 		e->pos += sizeof(u8);
306 		return 1;
307 	}
308 
309 fail:
310 	e->pos = pos;
311 	return 0;
312 }
313 
314 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
315 {
316 	void *pos = e->pos;
317 
318 	if (unpack_nameX(e, AA_U32, name)) {
319 		if (!inbounds(e, sizeof(u32)))
320 			goto fail;
321 		if (data)
322 			*data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
323 		e->pos += sizeof(u32);
324 		return 1;
325 	}
326 
327 fail:
328 	e->pos = pos;
329 	return 0;
330 }
331 
332 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
333 {
334 	void *pos = e->pos;
335 
336 	if (unpack_nameX(e, AA_U64, name)) {
337 		if (!inbounds(e, sizeof(u64)))
338 			goto fail;
339 		if (data)
340 			*data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
341 		e->pos += sizeof(u64);
342 		return 1;
343 	}
344 
345 fail:
346 	e->pos = pos;
347 	return 0;
348 }
349 
350 static size_t unpack_array(struct aa_ext *e, const char *name)
351 {
352 	void *pos = e->pos;
353 
354 	if (unpack_nameX(e, AA_ARRAY, name)) {
355 		int size;
356 		if (!inbounds(e, sizeof(u16)))
357 			goto fail;
358 		size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos));
359 		e->pos += sizeof(u16);
360 		return size;
361 	}
362 
363 fail:
364 	e->pos = pos;
365 	return 0;
366 }
367 
368 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
369 {
370 	void *pos = e->pos;
371 
372 	if (unpack_nameX(e, AA_BLOB, name)) {
373 		u32 size;
374 		if (!inbounds(e, sizeof(u32)))
375 			goto fail;
376 		size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
377 		e->pos += sizeof(u32);
378 		if (inbounds(e, (size_t) size)) {
379 			*blob = e->pos;
380 			e->pos += size;
381 			return size;
382 		}
383 	}
384 
385 fail:
386 	e->pos = pos;
387 	return 0;
388 }
389 
390 static int unpack_str(struct aa_ext *e, const char **string, const char *name)
391 {
392 	char *src_str;
393 	size_t size = 0;
394 	void *pos = e->pos;
395 	*string = NULL;
396 	if (unpack_nameX(e, AA_STRING, name)) {
397 		size = unpack_u16_chunk(e, &src_str);
398 		if (size) {
399 			/* strings are null terminated, length is size - 1 */
400 			if (src_str[size - 1] != 0)
401 				goto fail;
402 			*string = src_str;
403 
404 			return size;
405 		}
406 	}
407 
408 fail:
409 	e->pos = pos;
410 	return 0;
411 }
412 
413 static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
414 {
415 	const char *tmp;
416 	void *pos = e->pos;
417 	int res = unpack_str(e, &tmp, name);
418 	*string = NULL;
419 
420 	if (!res)
421 		return 0;
422 
423 	*string = kmemdup(tmp, res, GFP_KERNEL);
424 	if (!*string) {
425 		e->pos = pos;
426 		return 0;
427 	}
428 
429 	return res;
430 }
431 
432 
433 /**
434  * unpack_dfa - unpack a file rule dfa
435  * @e: serialized data extent information (NOT NULL)
436  *
437  * returns dfa or ERR_PTR or NULL if no dfa
438  */
439 static struct aa_dfa *unpack_dfa(struct aa_ext *e)
440 {
441 	char *blob = NULL;
442 	size_t size;
443 	struct aa_dfa *dfa = NULL;
444 
445 	size = unpack_blob(e, &blob, "aadfa");
446 	if (size) {
447 		/*
448 		 * The dfa is aligned with in the blob to 8 bytes
449 		 * from the beginning of the stream.
450 		 * alignment adjust needed by dfa unpack
451 		 */
452 		size_t sz = blob - (char *) e->start -
453 			((e->pos - e->start) & 7);
454 		size_t pad = ALIGN(sz, 8) - sz;
455 		int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
456 			TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES;
457 		dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
458 
459 		if (IS_ERR(dfa))
460 			return dfa;
461 
462 	}
463 
464 	return dfa;
465 }
466 
467 /**
468  * unpack_trans_table - unpack a profile transition table
469  * @e: serialized data extent information  (NOT NULL)
470  * @profile: profile to add the accept table to (NOT NULL)
471  *
472  * Returns: 1 if table successfully unpacked
473  */
474 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
475 {
476 	void *saved_pos = e->pos;
477 
478 	/* exec table is optional */
479 	if (unpack_nameX(e, AA_STRUCT, "xtable")) {
480 		int i, size;
481 
482 		size = unpack_array(e, NULL);
483 		/* currently 4 exec bits and entries 0-3 are reserved iupcx */
484 		if (size > 16 - 4)
485 			goto fail;
486 		profile->file.trans.table = kcalloc(size, sizeof(char *),
487 						    GFP_KERNEL);
488 		if (!profile->file.trans.table)
489 			goto fail;
490 
491 		profile->file.trans.size = size;
492 		for (i = 0; i < size; i++) {
493 			char *str;
494 			int c, j, pos, size2 = unpack_strdup(e, &str, NULL);
495 			/* unpack_strdup verifies that the last character is
496 			 * null termination byte.
497 			 */
498 			if (!size2)
499 				goto fail;
500 			profile->file.trans.table[i] = str;
501 			/* verify that name doesn't start with space */
502 			if (isspace(*str))
503 				goto fail;
504 
505 			/* count internal #  of internal \0 */
506 			for (c = j = 0; j < size2 - 1; j++) {
507 				if (!str[j]) {
508 					pos = j;
509 					c++;
510 				}
511 			}
512 			if (*str == ':') {
513 				/* first character after : must be valid */
514 				if (!str[1])
515 					goto fail;
516 				/* beginning with : requires an embedded \0,
517 				 * verify that exactly 1 internal \0 exists
518 				 * trailing \0 already verified by unpack_strdup
519 				 *
520 				 * convert \0 back to : for label_parse
521 				 */
522 				if (c == 1)
523 					str[pos] = ':';
524 				else if (c > 1)
525 					goto fail;
526 			} else if (c)
527 				/* fail - all other cases with embedded \0 */
528 				goto fail;
529 		}
530 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
531 			goto fail;
532 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
533 			goto fail;
534 	}
535 	return 1;
536 
537 fail:
538 	aa_free_domain_entries(&profile->file.trans);
539 	e->pos = saved_pos;
540 	return 0;
541 }
542 
543 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
544 {
545 	void *pos = e->pos;
546 
547 	if (unpack_nameX(e, AA_STRUCT, "xattrs")) {
548 		int i, size;
549 
550 		size = unpack_array(e, NULL);
551 		profile->xattr_count = size;
552 		profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
553 		if (!profile->xattrs)
554 			goto fail;
555 		for (i = 0; i < size; i++) {
556 			if (!unpack_strdup(e, &profile->xattrs[i], NULL))
557 				goto fail;
558 		}
559 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
560 			goto fail;
561 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
562 			goto fail;
563 	}
564 
565 	return 1;
566 
567 fail:
568 	e->pos = pos;
569 	return 0;
570 }
571 
572 static bool unpack_secmark(struct aa_ext *e, struct aa_profile *profile)
573 {
574 	void *pos = e->pos;
575 	int i, size;
576 
577 	if (unpack_nameX(e, AA_STRUCT, "secmark")) {
578 		size = unpack_array(e, NULL);
579 
580 		profile->secmark = kcalloc(size, sizeof(struct aa_secmark),
581 					   GFP_KERNEL);
582 		if (!profile->secmark)
583 			goto fail;
584 
585 		profile->secmark_count = size;
586 
587 		for (i = 0; i < size; i++) {
588 			if (!unpack_u8(e, &profile->secmark[i].audit, NULL))
589 				goto fail;
590 			if (!unpack_u8(e, &profile->secmark[i].deny, NULL))
591 				goto fail;
592 			if (!unpack_strdup(e, &profile->secmark[i].label, NULL))
593 				goto fail;
594 		}
595 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
596 			goto fail;
597 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
598 			goto fail;
599 	}
600 
601 	return 1;
602 
603 fail:
604 	if (profile->secmark) {
605 		for (i = 0; i < size; i++)
606 			kfree(profile->secmark[i].label);
607 		kfree(profile->secmark);
608 		profile->secmark_count = 0;
609 		profile->secmark = NULL;
610 	}
611 
612 	e->pos = pos;
613 	return 0;
614 }
615 
616 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
617 {
618 	void *pos = e->pos;
619 
620 	/* rlimits are optional */
621 	if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
622 		int i, size;
623 		u32 tmp = 0;
624 		if (!unpack_u32(e, &tmp, NULL))
625 			goto fail;
626 		profile->rlimits.mask = tmp;
627 
628 		size = unpack_array(e, NULL);
629 		if (size > RLIM_NLIMITS)
630 			goto fail;
631 		for (i = 0; i < size; i++) {
632 			u64 tmp2 = 0;
633 			int a = aa_map_resource(i);
634 			if (!unpack_u64(e, &tmp2, NULL))
635 				goto fail;
636 			profile->rlimits.limits[a].rlim_max = tmp2;
637 		}
638 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
639 			goto fail;
640 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
641 			goto fail;
642 	}
643 	return 1;
644 
645 fail:
646 	e->pos = pos;
647 	return 0;
648 }
649 
650 static u32 strhash(const void *data, u32 len, u32 seed)
651 {
652 	const char * const *key = data;
653 
654 	return jhash(*key, strlen(*key), seed);
655 }
656 
657 static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
658 {
659 	const struct aa_data *data = obj;
660 	const char * const *key = arg->key;
661 
662 	return strcmp(data->key, *key);
663 }
664 
665 /**
666  * unpack_profile - unpack a serialized profile
667  * @e: serialized data extent information (NOT NULL)
668  *
669  * NOTE: unpack profile sets audit struct if there is a failure
670  */
671 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
672 {
673 	struct aa_profile *profile = NULL;
674 	const char *tmpname, *tmpns = NULL, *name = NULL;
675 	const char *info = "failed to unpack profile";
676 	size_t ns_len;
677 	struct rhashtable_params params = { 0 };
678 	char *key = NULL;
679 	struct aa_data *data;
680 	int i, error = -EPROTO;
681 	kernel_cap_t tmpcap;
682 	u32 tmp;
683 
684 	*ns_name = NULL;
685 
686 	/* check that we have the right struct being passed */
687 	if (!unpack_nameX(e, AA_STRUCT, "profile"))
688 		goto fail;
689 	if (!unpack_str(e, &name, NULL))
690 		goto fail;
691 	if (*name == '\0')
692 		goto fail;
693 
694 	tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
695 	if (tmpns) {
696 		*ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
697 		if (!*ns_name) {
698 			info = "out of memory";
699 			goto fail;
700 		}
701 		name = tmpname;
702 	}
703 
704 	profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
705 	if (!profile)
706 		return ERR_PTR(-ENOMEM);
707 
708 	/* profile renaming is optional */
709 	(void) unpack_str(e, &profile->rename, "rename");
710 
711 	/* attachment string is optional */
712 	(void) unpack_str(e, &profile->attach, "attach");
713 
714 	/* xmatch is optional and may be NULL */
715 	profile->xmatch = unpack_dfa(e);
716 	if (IS_ERR(profile->xmatch)) {
717 		error = PTR_ERR(profile->xmatch);
718 		profile->xmatch = NULL;
719 		info = "bad xmatch";
720 		goto fail;
721 	}
722 	/* xmatch_len is not optional if xmatch is set */
723 	if (profile->xmatch) {
724 		if (!unpack_u32(e, &tmp, NULL)) {
725 			info = "missing xmatch len";
726 			goto fail;
727 		}
728 		profile->xmatch_len = tmp;
729 	}
730 
731 	/* disconnected attachment string is optional */
732 	(void) unpack_str(e, &profile->disconnected, "disconnected");
733 
734 	/* per profile debug flags (complain, audit) */
735 	if (!unpack_nameX(e, AA_STRUCT, "flags")) {
736 		info = "profile missing flags";
737 		goto fail;
738 	}
739 	info = "failed to unpack profile flags";
740 	if (!unpack_u32(e, &tmp, NULL))
741 		goto fail;
742 	if (tmp & PACKED_FLAG_HAT)
743 		profile->label.flags |= FLAG_HAT;
744 	if (!unpack_u32(e, &tmp, NULL))
745 		goto fail;
746 	if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
747 		profile->mode = APPARMOR_COMPLAIN;
748 	else if (tmp == PACKED_MODE_KILL)
749 		profile->mode = APPARMOR_KILL;
750 	else if (tmp == PACKED_MODE_UNCONFINED)
751 		profile->mode = APPARMOR_UNCONFINED;
752 	if (!unpack_u32(e, &tmp, NULL))
753 		goto fail;
754 	if (tmp)
755 		profile->audit = AUDIT_ALL;
756 
757 	if (!unpack_nameX(e, AA_STRUCTEND, NULL))
758 		goto fail;
759 
760 	/* path_flags is optional */
761 	if (unpack_u32(e, &profile->path_flags, "path_flags"))
762 		profile->path_flags |= profile->label.flags &
763 			PATH_MEDIATE_DELETED;
764 	else
765 		/* set a default value if path_flags field is not present */
766 		profile->path_flags = PATH_MEDIATE_DELETED;
767 
768 	info = "failed to unpack profile capabilities";
769 	if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
770 		goto fail;
771 	if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
772 		goto fail;
773 	if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
774 		goto fail;
775 	if (!unpack_u32(e, &tmpcap.cap[0], NULL))
776 		goto fail;
777 
778 	info = "failed to unpack upper profile capabilities";
779 	if (unpack_nameX(e, AA_STRUCT, "caps64")) {
780 		/* optional upper half of 64 bit caps */
781 		if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
782 			goto fail;
783 		if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
784 			goto fail;
785 		if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
786 			goto fail;
787 		if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
788 			goto fail;
789 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
790 			goto fail;
791 	}
792 
793 	info = "failed to unpack extended profile capabilities";
794 	if (unpack_nameX(e, AA_STRUCT, "capsx")) {
795 		/* optional extended caps mediation mask */
796 		if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
797 			goto fail;
798 		if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
799 			goto fail;
800 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
801 			goto fail;
802 	}
803 
804 	if (!unpack_xattrs(e, profile)) {
805 		info = "failed to unpack profile xattrs";
806 		goto fail;
807 	}
808 
809 	if (!unpack_rlimits(e, profile)) {
810 		info = "failed to unpack profile rlimits";
811 		goto fail;
812 	}
813 
814 	if (!unpack_secmark(e, profile)) {
815 		info = "failed to unpack profile secmark rules";
816 		goto fail;
817 	}
818 
819 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
820 		/* generic policy dfa - optional and may be NULL */
821 		info = "failed to unpack policydb";
822 		profile->policy.dfa = unpack_dfa(e);
823 		if (IS_ERR(profile->policy.dfa)) {
824 			error = PTR_ERR(profile->policy.dfa);
825 			profile->policy.dfa = NULL;
826 			goto fail;
827 		} else if (!profile->policy.dfa) {
828 			error = -EPROTO;
829 			goto fail;
830 		}
831 		if (!unpack_u32(e, &profile->policy.start[0], "start"))
832 			/* default start state */
833 			profile->policy.start[0] = DFA_START;
834 		/* setup class index */
835 		for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
836 			profile->policy.start[i] =
837 				aa_dfa_next(profile->policy.dfa,
838 					    profile->policy.start[0],
839 					    i);
840 		}
841 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
842 			goto fail;
843 	} else
844 		profile->policy.dfa = aa_get_dfa(nulldfa);
845 
846 	/* get file rules */
847 	profile->file.dfa = unpack_dfa(e);
848 	if (IS_ERR(profile->file.dfa)) {
849 		error = PTR_ERR(profile->file.dfa);
850 		profile->file.dfa = NULL;
851 		info = "failed to unpack profile file rules";
852 		goto fail;
853 	} else if (profile->file.dfa) {
854 		if (!unpack_u32(e, &profile->file.start, "dfa_start"))
855 			/* default start state */
856 			profile->file.start = DFA_START;
857 	} else if (profile->policy.dfa &&
858 		   profile->policy.start[AA_CLASS_FILE]) {
859 		profile->file.dfa = aa_get_dfa(profile->policy.dfa);
860 		profile->file.start = profile->policy.start[AA_CLASS_FILE];
861 	} else
862 		profile->file.dfa = aa_get_dfa(nulldfa);
863 
864 	if (!unpack_trans_table(e, profile)) {
865 		info = "failed to unpack profile transition table";
866 		goto fail;
867 	}
868 
869 	if (unpack_nameX(e, AA_STRUCT, "data")) {
870 		info = "out of memory";
871 		profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
872 		if (!profile->data)
873 			goto fail;
874 
875 		params.nelem_hint = 3;
876 		params.key_len = sizeof(void *);
877 		params.key_offset = offsetof(struct aa_data, key);
878 		params.head_offset = offsetof(struct aa_data, head);
879 		params.hashfn = strhash;
880 		params.obj_cmpfn = datacmp;
881 
882 		if (rhashtable_init(profile->data, &params)) {
883 			info = "failed to init key, value hash table";
884 			goto fail;
885 		}
886 
887 		while (unpack_strdup(e, &key, NULL)) {
888 			data = kzalloc(sizeof(*data), GFP_KERNEL);
889 			if (!data) {
890 				kzfree(key);
891 				goto fail;
892 			}
893 
894 			data->key = key;
895 			data->size = unpack_blob(e, &data->data, NULL);
896 			data->data = kvmemdup(data->data, data->size);
897 			if (data->size && !data->data) {
898 				kzfree(data->key);
899 				kzfree(data);
900 				goto fail;
901 			}
902 
903 			rhashtable_insert_fast(profile->data, &data->head,
904 					       profile->data->p);
905 		}
906 
907 		if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
908 			info = "failed to unpack end of key, value data table";
909 			goto fail;
910 		}
911 	}
912 
913 	if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
914 		info = "failed to unpack end of profile";
915 		goto fail;
916 	}
917 
918 	return profile;
919 
920 fail:
921 	if (profile)
922 		name = NULL;
923 	else if (!name)
924 		name = "unknown";
925 	audit_iface(profile, NULL, name, info, e, error);
926 	aa_free_profile(profile);
927 
928 	return ERR_PTR(error);
929 }
930 
931 /**
932  * verify_head - unpack serialized stream header
933  * @e: serialized data read head (NOT NULL)
934  * @required: whether the header is required or optional
935  * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
936  *
937  * Returns: error or 0 if header is good
938  */
939 static int verify_header(struct aa_ext *e, int required, const char **ns)
940 {
941 	int error = -EPROTONOSUPPORT;
942 	const char *name = NULL;
943 	*ns = NULL;
944 
945 	/* get the interface version */
946 	if (!unpack_u32(e, &e->version, "version")) {
947 		if (required) {
948 			audit_iface(NULL, NULL, NULL, "invalid profile format",
949 				    e, error);
950 			return error;
951 		}
952 	}
953 
954 	/* Check that the interface version is currently supported.
955 	 * if not specified use previous version
956 	 * Mask off everything that is not kernel abi version
957 	 */
958 	if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) {
959 		audit_iface(NULL, NULL, NULL, "unsupported interface version",
960 			    e, error);
961 		return error;
962 	}
963 
964 	/* read the namespace if present */
965 	if (unpack_str(e, &name, "namespace")) {
966 		if (*name == '\0') {
967 			audit_iface(NULL, NULL, NULL, "invalid namespace name",
968 				    e, error);
969 			return error;
970 		}
971 		if (*ns && strcmp(*ns, name))
972 			audit_iface(NULL, NULL, NULL, "invalid ns change", e,
973 				    error);
974 		else if (!*ns)
975 			*ns = name;
976 	}
977 
978 	return 0;
979 }
980 
981 static bool verify_xindex(int xindex, int table_size)
982 {
983 	int index, xtype;
984 	xtype = xindex & AA_X_TYPE_MASK;
985 	index = xindex & AA_X_INDEX_MASK;
986 	if (xtype == AA_X_TABLE && index >= table_size)
987 		return 0;
988 	return 1;
989 }
990 
991 /* verify dfa xindexes are in range of transition tables */
992 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
993 {
994 	int i;
995 	for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
996 		if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
997 			return 0;
998 		if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
999 			return 0;
1000 	}
1001 	return 1;
1002 }
1003 
1004 /**
1005  * verify_profile - Do post unpack analysis to verify profile consistency
1006  * @profile: profile to verify (NOT NULL)
1007  *
1008  * Returns: 0 if passes verification else error
1009  */
1010 static int verify_profile(struct aa_profile *profile)
1011 {
1012 	if (profile->file.dfa &&
1013 	    !verify_dfa_xindex(profile->file.dfa,
1014 			       profile->file.trans.size)) {
1015 		audit_iface(profile, NULL, NULL, "Invalid named transition",
1016 			    NULL, -EPROTO);
1017 		return -EPROTO;
1018 	}
1019 
1020 	return 0;
1021 }
1022 
1023 void aa_load_ent_free(struct aa_load_ent *ent)
1024 {
1025 	if (ent) {
1026 		aa_put_profile(ent->rename);
1027 		aa_put_profile(ent->old);
1028 		aa_put_profile(ent->new);
1029 		kfree(ent->ns_name);
1030 		kzfree(ent);
1031 	}
1032 }
1033 
1034 struct aa_load_ent *aa_load_ent_alloc(void)
1035 {
1036 	struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
1037 	if (ent)
1038 		INIT_LIST_HEAD(&ent->list);
1039 	return ent;
1040 }
1041 
1042 /**
1043  * aa_unpack - unpack packed binary profile(s) data loaded from user space
1044  * @udata: user data copied to kmem  (NOT NULL)
1045  * @lh: list to place unpacked profiles in a aa_repl_ws
1046  * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1047  *
1048  * Unpack user data and return refcounted allocated profile(s) stored in
1049  * @lh in order of discovery, with the list chain stored in base.list
1050  * or error
1051  *
1052  * Returns: profile(s) on @lh else error pointer if fails to unpack
1053  */
1054 int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
1055 	      const char **ns)
1056 {
1057 	struct aa_load_ent *tmp, *ent;
1058 	struct aa_profile *profile = NULL;
1059 	int error;
1060 	struct aa_ext e = {
1061 		.start = udata->data,
1062 		.end = udata->data + udata->size,
1063 		.pos = udata->data,
1064 	};
1065 
1066 	*ns = NULL;
1067 	while (e.pos < e.end) {
1068 		char *ns_name = NULL;
1069 		void *start;
1070 		error = verify_header(&e, e.pos == e.start, ns);
1071 		if (error)
1072 			goto fail;
1073 
1074 		start = e.pos;
1075 		profile = unpack_profile(&e, &ns_name);
1076 		if (IS_ERR(profile)) {
1077 			error = PTR_ERR(profile);
1078 			goto fail;
1079 		}
1080 
1081 		error = verify_profile(profile);
1082 		if (error)
1083 			goto fail_profile;
1084 
1085 		if (aa_g_hash_policy)
1086 			error = aa_calc_profile_hash(profile, e.version, start,
1087 						     e.pos - start);
1088 		if (error)
1089 			goto fail_profile;
1090 
1091 		ent = aa_load_ent_alloc();
1092 		if (!ent) {
1093 			error = -ENOMEM;
1094 			goto fail_profile;
1095 		}
1096 
1097 		ent->new = profile;
1098 		ent->ns_name = ns_name;
1099 		list_add_tail(&ent->list, lh);
1100 	}
1101 	udata->abi = e.version & K_ABI_MASK;
1102 	if (aa_g_hash_policy) {
1103 		udata->hash = aa_calc_hash(udata->data, udata->size);
1104 		if (IS_ERR(udata->hash)) {
1105 			error = PTR_ERR(udata->hash);
1106 			udata->hash = NULL;
1107 			goto fail;
1108 		}
1109 	}
1110 	return 0;
1111 
1112 fail_profile:
1113 	aa_put_profile(profile);
1114 
1115 fail:
1116 	list_for_each_entry_safe(ent, tmp, lh, list) {
1117 		list_del_init(&ent->list);
1118 		aa_load_ent_free(ent);
1119 	}
1120 
1121 	return error;
1122 }
1123