1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * AppArmor security module
4
 *
5
 * This file contains AppArmor functions for unpacking policy loaded
6
 * from userspace.
7
 *
8
 * Copyright (C) 1998-2008 Novell/SUSE
9
 * Copyright 2009-2022 Canonical Ltd.
10
 *
11
 * Code to provide backwards compatibility with older policy versions,
12
 * by converting/mapping older policy formats into the newer internal
13
 * formats.
14
 */
15

16
#include <linux/ctype.h>
17
#include <linux/errno.h>
18

19
#include "include/lib.h"
20
#include "include/policy_unpack.h"
21
#include "include/policy_compat.h"
22

23
/* remap old accept table embedded permissions to separate permission table */
24
static u32 dfa_map_xindex(u16 mask)
25
{
26
	u16 old_index = (mask >> 10) & 0xf;
27
	u32 index = 0;
28

29
	if (mask & 0x100)
30
		index |= AA_X_UNSAFE;
31
	if (mask & 0x200)
32
		index |= AA_X_INHERIT;
33
	if (mask & 0x80)
34
		index |= AA_X_UNCONFINED;
35

36
	if (old_index == 1) {
37
		index |= AA_X_UNCONFINED;
38
	} else if (old_index == 2) {
39
		index |= AA_X_NAME;
40
	} else if (old_index == 3) {
41
		index |= AA_X_NAME | AA_X_CHILD;
42
	} else if (old_index) {
43
		index |= AA_X_TABLE;
44
		index |= old_index - 4;
45
	}
46

47
	return index;
48
}
49

50
/*
51
 * map old dfa inline permissions to new format
52
 */
53
#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
54
				    ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
55
#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
56
#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
57
#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
58
#define dfa_user_xindex(dfa, state) \
59
	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
60

61
#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
62
				      0x7f) |				\
63
				     ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
64
#define dfa_other_xbits(dfa, state) \
65
	((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
66
#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
67
#define dfa_other_quiet(dfa, state) \
68
	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
69
#define dfa_other_xindex(dfa, state) \
70
	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
71

72
/**
73
 * map_old_perms - map old file perms layout to the new layout
74
 * @old: permission set in old mapping
75
 *
76
 * Returns: new permission mapping
77
 */
78
static u32 map_old_perms(u32 old)
79
{
80
	u32 new = old & 0xf;
81

82
	if (old & MAY_READ)
83
		new |= AA_MAY_GETATTR | AA_MAY_OPEN;
84
	if (old & MAY_WRITE)
85
		new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
86
		       AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
87
	if (old & 0x10)
88
		new |= AA_MAY_LINK;
89
	/* the old mapping lock and link_subset flags where overlaid
90
	 * and use was determined by part of a pair that they were in
91
	 */
92
	if (old & 0x20)
93
		new |= AA_MAY_LOCK | AA_LINK_SUBSET;
94
	if (old & 0x40)	/* AA_EXEC_MMAP */
95
		new |= AA_EXEC_MMAP;
96

97
	return new;
98
}
99

100
static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
101
				 aa_state_t state)
102
{
103
	perms->allow |= AA_MAY_GETATTR;
104

105
	/* change_profile wasn't determined by ownership in old mapping */
106
	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
107
		perms->allow |= AA_MAY_CHANGE_PROFILE;
108
	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
109
		perms->allow |= AA_MAY_ONEXEC;
110
}
111

112
static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
113
					   aa_state_t state)
114
{
115
	struct aa_perms perms = { };
116

117
	perms.allow = map_old_perms(dfa_user_allow(dfa, state));
118
	perms.audit = map_old_perms(dfa_user_audit(dfa, state));
119
	perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
120
	perms.xindex = dfa_user_xindex(dfa, state);
121

122
	compute_fperms_allow(&perms, dfa, state);
123

124
	return perms;
125
}
126

127
static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
128
					    aa_state_t state)
129
{
130
	struct aa_perms perms = { };
131

132
	perms.allow = map_old_perms(dfa_other_allow(dfa, state));
133
	perms.audit = map_old_perms(dfa_other_audit(dfa, state));
134
	perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
135
	perms.xindex = dfa_other_xindex(dfa, state);
136

137
	compute_fperms_allow(&perms, dfa, state);
138

139
	return perms;
140
}
141

142
/**
143
 * compute_fperms - convert dfa compressed perms to internal perms and store
144
 *		    them so they can be retrieved later.
145
 * @dfa: a dfa using fperms to remap to internal permissions
146
 * @size: Returns the permission table size
147
 *
148
 * Returns: remapped perm table
149
 */
150
static struct aa_perms *compute_fperms(struct aa_dfa *dfa,
151
				       u32 *size)
152
{
153
	aa_state_t state;
154
	unsigned int state_count;
155
	struct aa_perms *table;
156

157
	AA_BUG(!dfa);
158

159
	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
160
	/* DFAs are restricted from having a state_count of less than 2 */
161
	table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL);
162
	if (!table)
163
		return NULL;
164
	*size = state_count * 2;
165

166
	for (state = 0; state < state_count; state++) {
167
		table[state * 2] = compute_fperms_user(dfa, state);
168
		table[state * 2 + 1] = compute_fperms_other(dfa, state);
169
	}
170

171
	return table;
172
}
173

174
static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch,
175
				      u32 *size)
176
{
177
	struct aa_perms *perms;
178
	int state;
179
	int state_count;
180

181
	AA_BUG(!xmatch);
182

183
	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
184
	/* DFAs are restricted from having a state_count of less than 2 */
185
	perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
186
	if (!perms)
187
		return NULL;
188
	*size = state_count;
189

190
	/* zero init so skip the trap state (state == 0) */
191
	for (state = 1; state < state_count; state++)
192
		perms[state].allow = dfa_user_allow(xmatch, state);
193

194
	return perms;
195
}
196

197
static u32 map_other(u32 x)
198
{
199
	return ((x & 0x3) << 8) |	/* SETATTR/GETATTR */
200
		((x & 0x1c) << 18) |	/* ACCEPT/BIND/LISTEN */
201
		((x & 0x60) << 19);	/* SETOPT/GETOPT */
202
}
203

204
static u32 map_xbits(u32 x)
205
{
206
	return ((x & 0x1) << 7) |
207
		((x & 0x7e) << 9);
208
}
209

210
static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
211
					   aa_state_t state,
212
					   u32 version)
213
{
214
	struct aa_perms perms = { };
215

216
	perms.allow = dfa_user_allow(dfa, state);
217
	perms.audit = dfa_user_audit(dfa, state);
218
	perms.quiet = dfa_user_quiet(dfa, state);
219

220
	/*
221
	 * This mapping is convulated due to history.
222
	 * v1-v4: only file perms, which are handled by compute_fperms
223
	 * v5: added policydb which dropped user conditional to gain new
224
	 *     perm bits, but had to map around the xbits because the
225
	 *     userspace compiler was still munging them.
226
	 * v9: adds using the xbits in policydb because the compiler now
227
	 *     supports treating policydb permission bits different.
228
	 *     Unfortunately there is no way to force auditing on the
229
	 *     perms represented by the xbits
230
	 */
231
	perms.allow |= map_other(dfa_other_allow(dfa, state));
232
	if (VERSION_LE(version, v8))
233
		perms.allow |= AA_MAY_LOCK;
234
	else
235
		perms.allow |= map_xbits(dfa_user_xbits(dfa, state));
236

237
	/*
238
	 * for v5-v9 perm mapping in the policydb, the other set is used
239
	 * to extend the general perm set
240
	 */
241
	perms.audit |= map_other(dfa_other_audit(dfa, state));
242
	perms.quiet |= map_other(dfa_other_quiet(dfa, state));
243
	if (VERSION_GT(version, v8))
244
		perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));
245

246
	return perms;
247
}
248

249
static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version,
250
				      u32 *size)
251
{
252
	unsigned int state;
253
	unsigned int state_count;
254
	struct aa_perms *table;
255

256
	AA_BUG(!dfa);
257

258
	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
259
	/* DFAs are restricted from having a state_count of less than 2 */
260
	table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
261
	if (!table)
262
		return NULL;
263
	*size = state_count;
264

265
	/* zero init so skip the trap state (state == 0) */
266
	for (state = 1; state < state_count; state++)
267
		table[state] = compute_perms_entry(dfa, state, version);
268

269
	return table;
270
}
271

272
/**
273
 * remap_dfa_accept - remap old dfa accept table to be an index
274
 * @dfa: dfa to do the remapping on
275
 * @factor: scaling factor for the index conversion.
276
 *
277
 * Used in conjunction with compute_Xperms, it converts old style perms
278
 * that are encoded in the dfa accept tables to the new style where
279
 * there is a permission table and the accept table is an index into
280
 * the permission table.
281
 */
282
static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
283
{
284
	unsigned int state;
285
	unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
286

287
	AA_BUG(!dfa);
288

289
	for (state = 0; state < state_count; state++) {
290
		ACCEPT_TABLE(dfa)[state] = state * factor;
291
		ACCEPT_TABLE2(dfa)[state] = factor > 1 ? ACCEPT_FLAG_OWNER : 0;
292
	}
293
}
294

295
/* TODO: merge different dfa mappings into single map_policy fn */
296
int aa_compat_map_xmatch(struct aa_policydb *policy)
297
{
298
	policy->perms = compute_xmatch_perms(policy->dfa, &policy->size);
299
	if (!policy->perms)
300
		return -ENOMEM;
301

302
	remap_dfa_accept(policy->dfa, 1);
303

304
	return 0;
305
}
306

307
int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
308
{
309
	policy->perms = compute_perms(policy->dfa, version, &policy->size);
310
	if (!policy->perms)
311
		return -ENOMEM;
312

313
	remap_dfa_accept(policy->dfa, 1);
314

315
	return 0;
316
}
317

318
int aa_compat_map_file(struct aa_policydb *policy)
319
{
320
	policy->perms = compute_fperms(policy->dfa, &policy->size);
321
	if (!policy->perms)
322
		return -ENOMEM;
323

324
	remap_dfa_accept(policy->dfa, 2);
325

326
	return 0;
327
}
328

329