/*
 * AppArmor security module
 *
 * This file contains AppArmor policy dfa matching engine definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#ifndef __AA_MATCH_H
#define __AA_MATCH_H

#include <linux/kref.h>
#include <linux/workqueue.h>

/* Sentinel state values returned/accepted by the match functions below.
 * DFA_NOMATCH is the reject state; DFA_START is the initial state handed
 * to aa_dfa_match()/aa_dfa_match_len() as @start.
 */
#define DFA_NOMATCH 0
#define DFA_START 1

/* Masks applied to the ACCEPT/ACCEPT2 table entries (the permission
 * words).  Both currently admit every bit; the meaning of individual
 * bits is defined by the callers, not by this header.
 */
#define DFA_VALID_PERM_MASK 0xffffffff
#define DFA_VALID_PERM2_MASK 0xffffffff

/**
 * The format used for transition tables is based on the GNU flex table
 * file format (--tables-file option; see Table File Format in the flex
 * info pages and the flex sources for documentation). The magic number
 * used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
 * the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used
 * slightly differently (see the apparmor-parser package).
 */

#define YYTH_MAGIC 0x1B5E783D
#define YYTH_DEF_RECURSE 0x1 /* DEF Table is recursive */

/* On-disk/on-wire header preceding a set of tables.  This is the layout
 * of untrusted input (the blob handed to aa_dfa_unpack()), so every field
 * must be validated by the unpacker before it is trusted.
 */
struct table_set_header {
	u32 th_magic; /* YYTH_MAGIC */
	u32 th_hsize;
	u32 th_ssize;
	u16 th_flags; /* YYTH_DEF_RECURSE and any other YYTH_* flags */
	char th_version[]; /* variable-length trailer, C99 flexible array member */
};

/* The YYTD_ID are one less than flex table mappings. The flex id
 * has 1 subtracted at table load time, this allows us to directly use the
 * ID's as indexes.
 */
#define YYTD_ID_ACCEPT 0
#define YYTD_ID_BASE 1
#define YYTD_ID_CHK 2
#define YYTD_ID_DEF 3
#define YYTD_ID_EC 4
#define YYTD_ID_META 5
#define YYTD_ID_ACCEPT2 6
#define YYTD_ID_NXT 7
#define YYTD_ID_TSIZE 8 /* number of table slots in struct aa_dfa::tables */

/* Element width of a table's data, in bytes. */
#define YYTD_DATA8 1
#define YYTD_DATA16 2
#define YYTD_DATA32 4
#define YYTD_DATA64 8

/* Each ACCEPT2 table gets 6 dedicated flags, YYTD_DATAX define the
 * first flags
 */
#define ACCEPT1_FLAGS(X) ((X) & 0x3f)
#define ACCEPT2_FLAGS(X) ACCEPT1_FLAGS((X) >> YYTD_ID_ACCEPT2)
#define TO_ACCEPT1_FLAG(X) ACCEPT1_FLAGS(X)
#define TO_ACCEPT2_FLAG(X) (ACCEPT1_FLAGS(X) << YYTD_ID_ACCEPT2)
#define DFA_FLAG_VERIFY_STATES 0x1000

/* Header of one individual table inside the blob.  td_data holds
 * td_lolen elements of the width selected by td_flags (YYTD_DATA*).
 * Like struct table_set_header this describes untrusted input.
 */
struct table_header {
	u16 td_id; /* one of YYTD_ID_* */
	u16 td_flags; /* element width: YYTD_DATA8/16/32/64 */
	u32 td_hilen;
	u32 td_lolen;
	char td_data[]; /* the table elements themselves */
};

/* Typed views of the unpacked tables.  Each macro casts td_data to the
 * element width the matching code expects for that table, so the unpacker
 * must only accept tables whose td_flags width matches the cast here
 * (NOTE(review): that check lives in the unpacker, not in this header —
 * confirm it is enforced for every id below).
 */
#define DEFAULT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_DEF]->td_data))
#define BASE_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_BASE]->td_data))
#define NEXT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_NXT]->td_data))
#define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK]->td_data))
#define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC]->td_data))
#define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT]->td_data))
#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2]->td_data))

/* A fully unpacked dfa.  Reference counted via @count; released through
 * aa_put_dfa()/aa_dfa_free_kref().  Unused slots in @tables are
 * presumably NULL — confirm against aa_dfa_unpack().
 */
struct aa_dfa {
	struct kref count;
	u16 flags;
	struct table_header *tables[YYTD_ID_TSIZE];
};

/* Identity conversion for 8-bit elements, so the same UNPACK_ARRAY
 * invocation shape can be used alongside be16_to_cpu()-style converters.
 */
#define byte_to_byte(X) (X)

/* Copy LEN elements of TYPE from BLOB into TABLE, converting each with
 * NTOHX.  TABLE and BLOB are evaluated once; LEN is re-evaluated on every
 * loop iteration and in typeof(), so pass a plain variable.  The macro
 * performs no bounds checking of its own: the caller is responsible for
 * having verified that BLOB holds at least LEN elements and TABLE has
 * room for them.
 */
#define UNPACK_ARRAY(TABLE, BLOB, LEN, TYPE, NTOHX) \
	do { \
		typeof(LEN) __i; \
		TYPE *__t = (TYPE *) TABLE; \
		TYPE *__b = (TYPE *) BLOB; \
		for (__i = 0; __i < LEN; __i++) { \
			__t[__i] = NTOHX(__b[__i]); \
		} \
	} while (0)

/**
 * table_size - bytes needed for a table of @len elements of @el_size bytes
 * @len: number of elements
 * @el_size: width of one element (YYTD_DATA*)
 *
 * Returns: the header plus payload size, rounded up to an 8 byte multiple.
 *
 * NOTE(review): @len * @el_size is computed in size_t with no overflow
 * check here.  When @len originates from an untrusted td_lolen the caller
 * must bound it before calling, otherwise the product (and the following
 * addition) can wrap on 32-bit — confirm the unpacker does this.
 */
static inline size_t table_size(size_t len, size_t el_size)
{
	return ALIGN(sizeof(struct table_header) + len * el_size, 8);
}

/* Unpack a table-set blob of @size bytes into a new, referenced aa_dfa.
 * @blob is untrusted input.  Defined in the matching engine, not here.
 */
struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
/* Run @dfa from state @start over @len bytes of @str; returns the final
 * state (DFA_NOMATCH on reject).
 */
unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
			      const char *str, int len);
/* As aa_dfa_match_len() but for a NUL-terminated @str. */
unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
			  const char *str);
/* kref release callback; frees the aa_dfa containing @kref. */
void aa_dfa_free_kref(struct kref *kref);

/**
 * aa_put_dfa - put a dfa refcount
 * @dfa: dfa to put refcount (MAYBE NULL)
 *
 * Requires: if @dfa != NULL that a valid refcount be held
 */
static inline void aa_put_dfa(struct aa_dfa *dfa)
{
	/* NULL is tolerated so callers can unconditionally release. */
	if (dfa)
		kref_put(&dfa->count, aa_dfa_free_kref);
}

#endif /* __AA_MATCH_H */