1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * AppArmor security module
4
 *
5
 * This file contains AppArmor functions for unpacking policy loaded from
6
 * userspace.
7
 *
8
 * Copyright (C) 1998-2008 Novell/SUSE
9
 * Copyright 2009-2010 Canonical Ltd.
10
 *
11
 * AppArmor uses a serialized binary format for loading policy. To find
12
 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
13
 * All policy is validated before it is used.
14
 */
15

16
#include <linux/unaligned.h>
17
#include <kunit/visibility.h>
18
#include <linux/ctype.h>
19
#include <linux/errno.h>
20
#include <linux/zstd.h>
21

22
#include "include/apparmor.h"
23
#include "include/audit.h"
24
#include "include/cred.h"
25
#include "include/crypto.h"
26
#include "include/file.h"
27
#include "include/match.h"
28
#include "include/path.h"
29
#include "include/policy.h"
30
#include "include/policy_unpack.h"
31
#include "include/policy_compat.h"
32
#include "include/signal.h"
33

34
/* audit callback for unpack fields */
35
static void audit_cb(struct audit_buffer *ab, void *va)
36
{
37
	struct common_audit_data *sa = va;
38
	struct apparmor_audit_data *ad = aad(sa);
39

40
	if (ad->iface.ns) {
41
		audit_log_format(ab, " ns=");
42
		audit_log_untrustedstring(ab, ad->iface.ns);
43
	}
44
	if (ad->name) {
45
		audit_log_format(ab, " name=");
46
		audit_log_untrustedstring(ab, ad->name);
47
	}
48
	if (ad->iface.pos)
49
		audit_log_format(ab, " offset=%ld", ad->iface.pos);
50
}
51

52
/**
53
 * audit_iface - do audit message for policy unpacking/load/replace/remove
54
 * @new: profile if it has been allocated (MAYBE NULL)
55
 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
56
 * @name: name of the profile being manipulated (MAYBE NULL)
57
 * @info: any extra info about the failure (MAYBE NULL)
58
 * @e: buffer position info
59
 * @error: error code
60
 *
61
 * Returns: %0 or error
62
 */
63
static int audit_iface(struct aa_profile *new, const char *ns_name,
64
		       const char *name, const char *info, struct aa_ext *e,
65
		       int error)
66
{
67
	struct aa_profile *profile = labels_profile(aa_current_raw_label());
68
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
69
	if (e)
70
		ad.iface.pos = e->pos - e->start;
71
	ad.iface.ns = ns_name;
72
	if (new)
73
		ad.name = new->base.hname;
74
	else
75
		ad.name = name;
76
	ad.info = info;
77
	ad.error = error;
78

79
	return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb);
80
}
81

82
void __aa_loaddata_update(struct aa_loaddata *data, long revision)
83
{
84
	AA_BUG(!data);
85
	AA_BUG(!data->ns);
86
	AA_BUG(!mutex_is_locked(&data->ns->lock));
87
	AA_BUG(data->revision > revision);
88

89
	data->revision = revision;
90
	if ((data->dents[AAFS_LOADDATA_REVISION])) {
91
		struct inode *inode;
92

93
		inode = d_inode(data->dents[AAFS_LOADDATA_DIR]);
94
		inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
95

96
		inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]);
97
		inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
98
	}
99
}
100

101
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
102
{
103
	if (l->size != r->size)
104
		return false;
105
	if (l->compressed_size != r->compressed_size)
106
		return false;
107
	if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
108
		return false;
109
	return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
110
}
111

112
/*
113
 * need to take the ns mutex lock which is NOT safe most places that
114
 * put_loaddata is called, so we have to delay freeing it
115
 */
116
static void do_loaddata_free(struct work_struct *work)
117
{
118
	struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
119
	struct aa_ns *ns = aa_get_ns(d->ns);
120

121
	if (ns) {
122
		mutex_lock_nested(&ns->lock, ns->level);
123
		__aa_fs_remove_rawdata(d);
124
		mutex_unlock(&ns->lock);
125
		aa_put_ns(ns);
126
	}
127

128
	kfree_sensitive(d->hash);
129
	kfree_sensitive(d->name);
130
	kvfree(d->data);
131
	kfree_sensitive(d);
132
}
133

134
void aa_loaddata_kref(struct kref *kref)
135
{
136
	struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
137

138
	if (d) {
139
		INIT_WORK(&d->work, do_loaddata_free);
140
		schedule_work(&d->work);
141
	}
142
}
143

144
struct aa_loaddata *aa_loaddata_alloc(size_t size)
145
{
146
	struct aa_loaddata *d;
147

148
	d = kzalloc(sizeof(*d), GFP_KERNEL);
149
	if (d == NULL)
150
		return ERR_PTR(-ENOMEM);
151
	d->data = kvzalloc(size, GFP_KERNEL);
152
	if (!d->data) {
153
		kfree(d);
154
		return ERR_PTR(-ENOMEM);
155
	}
156
	kref_init(&d->count);
157
	INIT_LIST_HEAD(&d->list);
158

159
	return d;
160
}
161

162
/* test if read will be in packed data bounds */
163
VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size)
164
{
165
	return (size <= e->end - e->pos);
166
}
167
EXPORT_SYMBOL_IF_KUNIT(aa_inbounds);
168

169
/**
170
 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
171
 * @e: serialized data read head (NOT NULL)
172
 * @chunk: start address for chunk of data (NOT NULL)
173
 *
174
 * Returns: the size of chunk found with the read head at the end of the chunk.
175
 */
176
VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk)
177
{
178
	size_t size = 0;
179
	void *pos = e->pos;
180

181
	if (!aa_inbounds(e, sizeof(u16)))
182
		goto fail;
183
	size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
184
	e->pos += sizeof(__le16);
185
	if (!aa_inbounds(e, size))
186
		goto fail;
187
	*chunk = e->pos;
188
	e->pos += size;
189
	return size;
190

191
fail:
192
	e->pos = pos;
193
	return 0;
194
}
195
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u16_chunk);
196

197
/* unpack control byte */
198
VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code)
199
{
200
	if (!aa_inbounds(e, 1))
201
		return false;
202
	if (*(u8 *) e->pos != code)
203
		return false;
204
	e->pos++;
205
	return true;
206
}
207
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_X);
208

209
/**
210
 * aa_unpack_nameX - check is the next element is of type X with a name of @name
211
 * @e: serialized data extent information  (NOT NULL)
212
 * @code: type code
213
 * @name: name to match to the serialized element.  (MAYBE NULL)
214
 *
215
 * check that the next serialized data element is of type X and has a tag
216
 * name @name.  If @name is specified then there must be a matching
217
 * name element in the stream.  If @name is NULL any name element will be
218
 * skipped and only the typecode will be tested.
219
 *
220
 * Returns true on success (both type code and name tests match) and the read
221
 * head is advanced past the headers
222
 *
223
 * Returns: false if either match fails, the read head does not move
224
 */
225
VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
226
{
227
	/*
228
	 * May need to reset pos if name or type doesn't match
229
	 */
230
	void *pos = e->pos;
231
	/*
232
	 * Check for presence of a tagname, and if present name size
233
	 * AA_NAME tag value is a u16.
234
	 */
235
	if (aa_unpack_X(e, AA_NAME)) {
236
		char *tag = NULL;
237
		size_t size = aa_unpack_u16_chunk(e, &tag);
238
		/* if a name is specified it must match. otherwise skip tag */
239
		if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
240
			goto fail;
241
	} else if (name) {
242
		/* if a name is specified and there is no name tag fail */
243
		goto fail;
244
	}
245

246
	/* now check if type code matches */
247
	if (aa_unpack_X(e, code))
248
		return true;
249

250
fail:
251
	e->pos = pos;
252
	return false;
253
}
254
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_nameX);
255

256
static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
257
{
258
	void *pos = e->pos;
259

260
	if (aa_unpack_nameX(e, AA_U8, name)) {
261
		if (!aa_inbounds(e, sizeof(u8)))
262
			goto fail;
263
		if (data)
264
			*data = *((u8 *)e->pos);
265
		e->pos += sizeof(u8);
266
		return true;
267
	}
268

269
fail:
270
	e->pos = pos;
271
	return false;
272
}
273

274
VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name)
275
{
276
	void *pos = e->pos;
277

278
	if (aa_unpack_nameX(e, AA_U32, name)) {
279
		if (!aa_inbounds(e, sizeof(u32)))
280
			goto fail;
281
		if (data)
282
			*data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
283
		e->pos += sizeof(u32);
284
		return true;
285
	}
286

287
fail:
288
	e->pos = pos;
289
	return false;
290
}
291
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u32);
292

293
VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name)
294
{
295
	void *pos = e->pos;
296

297
	if (aa_unpack_nameX(e, AA_U64, name)) {
298
		if (!aa_inbounds(e, sizeof(u64)))
299
			goto fail;
300
		if (data)
301
			*data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
302
		e->pos += sizeof(u64);
303
		return true;
304
	}
305

306
fail:
307
	e->pos = pos;
308
	return false;
309
}
310
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_u64);
311

312
static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name)
313
{
314
	u32 val;
315

316
	if (!aa_unpack_u32(e, &val, name))
317
		return false;
318
	data->val = val;
319
	return true;
320
}
321

322
static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name)
323
{
324
	u32 val;
325

326
	if (!aa_unpack_u32(e, &val, name))
327
		return false;
328
	data->val = (u32)data->val | ((u64)val << 32);
329
	return true;
330
}
331

332
VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size)
333
{
334
	void *pos = e->pos;
335

336
	if (aa_unpack_nameX(e, AA_ARRAY, name)) {
337
		if (!aa_inbounds(e, sizeof(u16)))
338
			goto fail;
339
		*size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
340
		e->pos += sizeof(u16);
341
		return true;
342
	}
343

344
fail:
345
	e->pos = pos;
346
	return false;
347
}
348
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_array);
349

350
VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name)
351
{
352
	void *pos = e->pos;
353

354
	if (aa_unpack_nameX(e, AA_BLOB, name)) {
355
		u32 size;
356
		if (!aa_inbounds(e, sizeof(u32)))
357
			goto fail;
358
		size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
359
		e->pos += sizeof(u32);
360
		if (aa_inbounds(e, (size_t) size)) {
361
			*blob = e->pos;
362
			e->pos += size;
363
			return size;
364
		}
365
	}
366

367
fail:
368
	e->pos = pos;
369
	return 0;
370
}
371
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_blob);
372

373
VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name)
374
{
375
	char *src_str;
376
	size_t size = 0;
377
	void *pos = e->pos;
378
	*string = NULL;
379
	if (aa_unpack_nameX(e, AA_STRING, name)) {
380
		size = aa_unpack_u16_chunk(e, &src_str);
381
		if (size) {
382
			/* strings are null terminated, length is size - 1 */
383
			if (src_str[size - 1] != 0)
384
				goto fail;
385
			*string = src_str;
386

387
			return size;
388
		}
389
	}
390

391
fail:
392
	e->pos = pos;
393
	return 0;
394
}
395
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_str);
396

397
VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name)
398
{
399
	const char *tmp;
400
	void *pos = e->pos;
401
	int res = aa_unpack_str(e, &tmp, name);
402
	*string = NULL;
403

404
	if (!res)
405
		return 0;
406

407
	*string = kmemdup(tmp, res, GFP_KERNEL);
408
	if (!*string) {
409
		e->pos = pos;
410
		return 0;
411
	}
412

413
	return res;
414
}
415
EXPORT_SYMBOL_IF_KUNIT(aa_unpack_strdup);
416

417

418
/**
419
 * unpack_dfa - unpack a file rule dfa
420
 * @e: serialized data extent information (NOT NULL)
421
 * @flags: dfa flags to check
422
 *
423
 * returns dfa or ERR_PTR or NULL if no dfa
424
 */
425
static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags)
426
{
427
	char *blob = NULL;
428
	size_t size;
429
	struct aa_dfa *dfa = NULL;
430

431
	size = aa_unpack_blob(e, &blob, "aadfa");
432
	if (size) {
433
		/*
434
		 * The dfa is aligned with in the blob to 8 bytes
435
		 * from the beginning of the stream.
436
		 * alignment adjust needed by dfa unpack
437
		 */
438
		size_t sz = blob - (char *) e->start -
439
			((e->pos - e->start) & 7);
440
		size_t pad = ALIGN(sz, 8) - sz;
441
		if (aa_g_paranoid_load)
442
			flags |= DFA_FLAG_VERIFY_STATES;
443
		dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
444

445
		if (IS_ERR(dfa))
446
			return dfa;
447

448
	}
449

450
	return dfa;
451
}
452

453
/**
454
 * unpack_trans_table - unpack a profile transition table
455
 * @e: serialized data extent information  (NOT NULL)
456
 * @strs: str table to unpack to (NOT NULL)
457
 *
458
 * Returns: true if table successfully unpacked or not present
459
 */
460
static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
461
{
462
	void *saved_pos = e->pos;
463
	char **table = NULL;
464

465
	/* exec table is optional */
466
	if (aa_unpack_nameX(e, AA_STRUCT, "xtable")) {
467
		u16 size;
468
		int i;
469

470
		if (!aa_unpack_array(e, NULL, &size))
471
			/*
472
			 * Note: index into trans table array is a max
473
			 * of 2^24, but unpack array can only unpack
474
			 * an array of 2^16 in size atm so no need
475
			 * for size check here
476
			 */
477
			goto fail;
478
		table = kcalloc(size, sizeof(char *), GFP_KERNEL);
479
		if (!table)
480
			goto fail;
481

482
		strs->table = table;
483
		strs->size = size;
484
		for (i = 0; i < size; i++) {
485
			char *str;
486
			int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL);
487
			/* aa_unpack_strdup verifies that the last character is
488
			 * null termination byte.
489
			 */
490
			if (!size2)
491
				goto fail;
492
			table[i] = str;
493
			/* verify that name doesn't start with space */
494
			if (isspace(*str))
495
				goto fail;
496

497
			/* count internal #  of internal \0 */
498
			for (c = j = 0; j < size2 - 1; j++) {
499
				if (!str[j]) {
500
					pos = j;
501
					c++;
502
				}
503
			}
504
			if (*str == ':') {
505
				/* first character after : must be valid */
506
				if (!str[1])
507
					goto fail;
508
				/* beginning with : requires an embedded \0,
509
				 * verify that exactly 1 internal \0 exists
510
				 * trailing \0 already verified by aa_unpack_strdup
511
				 *
512
				 * convert \0 back to : for label_parse
513
				 */
514
				if (c == 1)
515
					str[pos] = ':';
516
				else if (c > 1)
517
					goto fail;
518
			} else if (c)
519
				/* fail - all other cases with embedded \0 */
520
				goto fail;
521
		}
522
		if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
523
			goto fail;
524
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
525
			goto fail;
526
	}
527
	return true;
528

529
fail:
530
	aa_free_str_table(strs);
531
	e->pos = saved_pos;
532
	return false;
533
}
534

535
static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
536
{
537
	void *pos = e->pos;
538

539
	if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) {
540
		u16 size;
541
		int i;
542

543
		if (!aa_unpack_array(e, NULL, &size))
544
			goto fail;
545
		profile->attach.xattr_count = size;
546
		profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
547
		if (!profile->attach.xattrs)
548
			goto fail;
549
		for (i = 0; i < size; i++) {
550
			if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL))
551
				goto fail;
552
		}
553
		if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
554
			goto fail;
555
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
556
			goto fail;
557
	}
558

559
	return true;
560

561
fail:
562
	e->pos = pos;
563
	return false;
564
}
565

566
static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
567
{
568
	void *pos = e->pos;
569
	u16 size;
570
	int i;
571

572
	if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
573
		if (!aa_unpack_array(e, NULL, &size))
574
			goto fail;
575

576
		rules->secmark = kcalloc(size, sizeof(struct aa_secmark),
577
					   GFP_KERNEL);
578
		if (!rules->secmark)
579
			goto fail;
580

581
		rules->secmark_count = size;
582

583
		for (i = 0; i < size; i++) {
584
			if (!unpack_u8(e, &rules->secmark[i].audit, NULL))
585
				goto fail;
586
			if (!unpack_u8(e, &rules->secmark[i].deny, NULL))
587
				goto fail;
588
			if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL))
589
				goto fail;
590
		}
591
		if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
592
			goto fail;
593
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
594
			goto fail;
595
	}
596

597
	return true;
598

599
fail:
600
	if (rules->secmark) {
601
		for (i = 0; i < size; i++)
602
			kfree_sensitive(rules->secmark[i].label);
603
		kfree_sensitive(rules->secmark);
604
		rules->secmark_count = 0;
605
		rules->secmark = NULL;
606
	}
607

608
	e->pos = pos;
609
	return false;
610
}
611

612
static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules)
613
{
614
	void *pos = e->pos;
615

616
	/* rlimits are optional */
617
	if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) {
618
		u16 size;
619
		int i;
620
		u32 tmp = 0;
621
		if (!aa_unpack_u32(e, &tmp, NULL))
622
			goto fail;
623
		rules->rlimits.mask = tmp;
624

625
		if (!aa_unpack_array(e, NULL, &size) ||
626
		    size > RLIM_NLIMITS)
627
			goto fail;
628
		for (i = 0; i < size; i++) {
629
			u64 tmp2 = 0;
630
			int a = aa_map_resource(i);
631
			if (!aa_unpack_u64(e, &tmp2, NULL))
632
				goto fail;
633
			rules->rlimits.limits[a].rlim_max = tmp2;
634
		}
635
		if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
636
			goto fail;
637
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
638
			goto fail;
639
	}
640
	return true;
641

642
fail:
643
	e->pos = pos;
644
	return false;
645
}
646

647
static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm)
648
{
649
	u32 reserved;
650

651
	if (version != 1)
652
		return false;
653

654
	/* reserved entry is for later expansion, discard for now */
655
	return	aa_unpack_u32(e, &reserved, NULL) &&
656
		aa_unpack_u32(e, &perm->allow, NULL) &&
657
		aa_unpack_u32(e, &perm->deny, NULL) &&
658
		aa_unpack_u32(e, &perm->subtree, NULL) &&
659
		aa_unpack_u32(e, &perm->cond, NULL) &&
660
		aa_unpack_u32(e, &perm->kill, NULL) &&
661
		aa_unpack_u32(e, &perm->complain, NULL) &&
662
		aa_unpack_u32(e, &perm->prompt, NULL) &&
663
		aa_unpack_u32(e, &perm->audit, NULL) &&
664
		aa_unpack_u32(e, &perm->quiet, NULL) &&
665
		aa_unpack_u32(e, &perm->hide, NULL) &&
666
		aa_unpack_u32(e, &perm->xindex, NULL) &&
667
		aa_unpack_u32(e, &perm->tag, NULL) &&
668
		aa_unpack_u32(e, &perm->label, NULL);
669
}
670

671
static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms)
672
{
673
	void *pos = e->pos;
674
	u16 size = 0;
675

676
	AA_BUG(!perms);
677
	/*
678
	 * policy perms are optional, in which case perms are embedded
679
	 * in the dfa accept table
680
	 */
681
	if (aa_unpack_nameX(e, AA_STRUCT, "perms")) {
682
		int i;
683
		u32 version;
684

685
		if (!aa_unpack_u32(e, &version, "version"))
686
			goto fail_reset;
687
		if (!aa_unpack_array(e, NULL, &size))
688
			goto fail_reset;
689
		*perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL);
690
		if (!*perms)
691
			goto fail_reset;
692
		for (i = 0; i < size; i++) {
693
			if (!unpack_perm(e, version, &(*perms)[i]))
694
				goto fail;
695
		}
696
		if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL))
697
			goto fail;
698
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
699
			goto fail;
700
	} else
701
		*perms = NULL;
702

703
	return size;
704

705
fail:
706
	kfree(*perms);
707
fail_reset:
708
	e->pos = pos;
709
	return -EPROTO;
710
}
711

712
static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
713
		      bool required_dfa, bool required_trans,
714
		      const char **info)
715
{
716
	struct aa_policydb *pdb;
717
	void *pos = e->pos;
718
	int i, flags, error = -EPROTO;
719
	ssize_t size;
720
	u32 version = 0;
721

722
	pdb = aa_alloc_pdb(GFP_KERNEL);
723
	if (!pdb)
724
		return -ENOMEM;
725

726
	size = unpack_perms_table(e, &pdb->perms);
727
	if (size < 0) {
728
		error = size;
729
		pdb->perms = NULL;
730
		*info = "failed to unpack - perms";
731
		goto fail;
732
	}
733
	pdb->size = size;
734

735
	if (pdb->perms) {
736
		/* perms table present accept is index */
737
		flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
738
		if (aa_unpack_u32(e, &version, "permsv") && version > 2)
739
			/* accept2 used for dfa flags */
740
			flags |= TO_ACCEPT2_FLAG(YYTD_DATA32);
741
	} else {
742
		/* packed perms in accept1 and accept2 */
743
		flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
744
			TO_ACCEPT2_FLAG(YYTD_DATA32);
745
	}
746

747
	pdb->dfa = unpack_dfa(e, flags);
748
	if (IS_ERR(pdb->dfa)) {
749
		error = PTR_ERR(pdb->dfa);
750
		pdb->dfa = NULL;
751
		*info = "failed to unpack - dfa";
752
		goto fail;
753
	} else if (!pdb->dfa) {
754
		if (required_dfa) {
755
			*info = "missing required dfa";
756
			goto fail;
757
		}
758
	} else {
759
		/*
760
		 * only unpack the following if a dfa is present
761
		 *
762
		 * sadly start was given different names for file and policydb
763
		 * but since it is optional we can try both
764
		 */
765
		if (!aa_unpack_u32(e, &pdb->start[0], "start"))
766
			/* default start state */
767
			pdb->start[0] = DFA_START;
768
		if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
769
			/* default start state for xmatch and file dfa */
770
			pdb->start[AA_CLASS_FILE] = DFA_START;
771
		}	/* setup class index */
772
		for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
773
			pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
774
						    i);
775
		}
776
	}
777

778
	/* accept2 is in some cases being allocated, even with perms */
779
	if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
780
		/* add dfa flags table missing in v2 */
781
		u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
782
		u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
783
		size_t tsize = table_size(noents, tdflags);
784

785
		pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL);
786
		if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
787
			*info = "failed to alloc dfa flags table";
788
			goto out;
789
		}
790
		pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents;
791
		pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags;
792
	}
793
	/*
794
	 * Unfortunately due to a bug in earlier userspaces, a
795
	 * transition table may be present even when the dfa is
796
	 * not. For compatibility reasons unpack and discard.
797
	 */
798
	if (!unpack_trans_table(e, &pdb->trans) && required_trans) {
799
		*info = "failed to unpack profile transition table";
800
		goto fail;
801
	}
802

803
	if (!pdb->dfa && pdb->trans.table)
804
		aa_free_str_table(&pdb->trans);
805

806
	/* TODO:
807
	 * - move compat mapping here, requires dfa merging first
808
	 * - move verify here, it has to be done after compat mappings
809
	 * - move free of unneeded trans table here, has to be done
810
	 *   after perm mapping.
811
	 */
812
out:
813
	*policy = pdb;
814
	return 0;
815

816
fail:
817
	aa_put_pdb(pdb);
818
	e->pos = pos;
819
	return error;
820
}
821

822
static u32 strhash(const void *data, u32 len, u32 seed)
823
{
824
	const char * const *key = data;
825

826
	return jhash(*key, strlen(*key), seed);
827
}
828

829
static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
830
{
831
	const struct aa_data *data = obj;
832
	const char * const *key = arg->key;
833

834
	return strcmp(data->key, *key);
835
}
836

837
/**
838
 * unpack_profile - unpack a serialized profile
839
 * @e: serialized data extent information (NOT NULL)
840
 * @ns_name: pointer of newly allocated copy of %NULL in case of error
841
 *
842
 * NOTE: unpack profile sets audit struct if there is a failure
843
 */
844
static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
845
{
846
	struct aa_ruleset *rules;
847
	struct aa_profile *profile = NULL;
848
	const char *tmpname, *tmpns = NULL, *name = NULL;
849
	const char *info = "failed to unpack profile";
850
	size_t ns_len;
851
	struct rhashtable_params params = { 0 };
852
	char *key = NULL, *disconnected = NULL;
853
	struct aa_data *data;
854
	int error = -EPROTO;
855
	kernel_cap_t tmpcap;
856
	u32 tmp;
857

858
	*ns_name = NULL;
859

860
	/* check that we have the right struct being passed */
861
	if (!aa_unpack_nameX(e, AA_STRUCT, "profile"))
862
		goto fail;
863
	if (!aa_unpack_str(e, &name, NULL))
864
		goto fail;
865
	if (*name == '\0')
866
		goto fail;
867

868
	tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
869
	if (tmpns) {
870
		if (!tmpname) {
871
			info = "empty profile name";
872
			goto fail;
873
		}
874
		*ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
875
		if (!*ns_name) {
876
			info = "out of memory";
877
			error = -ENOMEM;
878
			goto fail;
879
		}
880
		name = tmpname;
881
	}
882

883
	profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
884
	if (!profile) {
885
		info = "out of memory";
886
		error = -ENOMEM;
887
		goto fail;
888
	}
889
	rules = profile->label.rules[0];
890

891
	/* profile renaming is optional */
892
	(void) aa_unpack_str(e, &profile->rename, "rename");
893

894
	/* attachment string is optional */
895
	(void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach");
896

897
	/* xmatch is optional and may be NULL */
898
	error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info);
899
	if (error) {
900
		info = "bad xmatch";
901
		goto fail;
902
	}
903

904
	/* neither xmatch_len not xmatch_perms are optional if xmatch is set */
905
	if (profile->attach.xmatch->dfa) {
906
		if (!aa_unpack_u32(e, &tmp, NULL)) {
907
			info = "missing xmatch len";
908
			goto fail;
909
		}
910
		profile->attach.xmatch_len = tmp;
911
		profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START;
912
		if (!profile->attach.xmatch->perms) {
913
			error = aa_compat_map_xmatch(profile->attach.xmatch);
914
			if (error) {
915
				info = "failed to convert xmatch permission table";
916
				goto fail;
917
			}
918
		}
919
	}
920

921
	/* disconnected attachment string is optional */
922
	(void) aa_unpack_strdup(e, &disconnected, "disconnected");
923
	profile->disconnected = disconnected;
924

925
	/* optional */
926
	(void) aa_unpack_u32(e, &profile->signal, "kill");
927
	if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {
928
		info = "profile kill.signal invalid value";
929
		goto fail;
930
	}
931
	/* per profile debug flags (complain, audit) */
932
	if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
933
		info = "profile missing flags";
934
		goto fail;
935
	}
936
	info = "failed to unpack profile flags";
937
	if (!aa_unpack_u32(e, &tmp, NULL))
938
		goto fail;
939
	if (tmp & PACKED_FLAG_HAT)
940
		profile->label.flags |= FLAG_HAT;
941
	if (tmp & PACKED_FLAG_DEBUG1)
942
		profile->label.flags |= FLAG_DEBUG1;
943
	if (tmp & PACKED_FLAG_DEBUG2)
944
		profile->label.flags |= FLAG_DEBUG2;
945
	if (!aa_unpack_u32(e, &tmp, NULL))
946
		goto fail;
947
	if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
948
		profile->mode = APPARMOR_COMPLAIN;
949
	} else if (tmp == PACKED_MODE_ENFORCE) {
950
		profile->mode = APPARMOR_ENFORCE;
951
	} else if (tmp == PACKED_MODE_KILL) {
952
		profile->mode = APPARMOR_KILL;
953
	} else if (tmp == PACKED_MODE_UNCONFINED) {
954
		profile->mode = APPARMOR_UNCONFINED;
955
		profile->label.flags |= FLAG_UNCONFINED;
956
	} else if (tmp == PACKED_MODE_USER) {
957
		profile->mode = APPARMOR_USER;
958
	} else {
959
		goto fail;
960
	}
961
	if (!aa_unpack_u32(e, &tmp, NULL))
962
		goto fail;
963
	if (tmp)
964
		profile->audit = AUDIT_ALL;
965

966
	if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
967
		goto fail;
968

969
	/* path_flags is optional */
970
	if (aa_unpack_u32(e, &profile->path_flags, "path_flags"))
971
		profile->path_flags |= profile->label.flags &
972
			PATH_MEDIATE_DELETED;
973
	else
974
		/* set a default value if path_flags field is not present */
975
		profile->path_flags = PATH_MEDIATE_DELETED;
976

977
	info = "failed to unpack profile capabilities";
978
	if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL))
979
		goto fail;
980
	if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL))
981
		goto fail;
982
	if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL))
983
		goto fail;
984
	if (!aa_unpack_cap_low(e, &tmpcap, NULL))
985
		goto fail;
986

987
	info = "failed to unpack upper profile capabilities";
988
	if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) {
989
		/* optional upper half of 64 bit caps */
990
		if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL))
991
			goto fail;
992
		if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL))
993
			goto fail;
994
		if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL))
995
			goto fail;
996
		if (!aa_unpack_cap_high(e, &tmpcap, NULL))
997
			goto fail;
998
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
999
			goto fail;
1000
	}
1001

1002
	info = "failed to unpack extended profile capabilities";
1003
	if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) {
1004
		/* optional extended caps mediation mask */
1005
		if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL))
1006
			goto fail;
1007
		if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL))
1008
			goto fail;
1009
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1010
			goto fail;
1011
	}
1012

1013
	if (!unpack_xattrs(e, profile)) {
1014
		info = "failed to unpack profile xattrs";
1015
		goto fail;
1016
	}
1017

1018
	if (!unpack_rlimits(e, rules)) {
1019
		info = "failed to unpack profile rlimits";
1020
		goto fail;
1021
	}
1022

1023
	if (!unpack_secmark(e, rules)) {
1024
		info = "failed to unpack profile secmark rules";
1025
		goto fail;
1026
	}
1027

1028
	if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
1029
		/* generic policy dfa - optional and may be NULL */
1030
		info = "failed to unpack policydb";
1031
		error = unpack_pdb(e, &rules->policy, true, false,
1032
				   &info);
1033
		if (error)
1034
			goto fail;
1035
		/* Fixup: drop when we get rid of start array */
1036
		if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0],
1037
				AA_CLASS_FILE))
1038
			rules->policy->start[AA_CLASS_FILE] =
1039
			  aa_dfa_next(rules->policy->dfa,
1040
				      rules->policy->start[0],
1041
				      AA_CLASS_FILE);
1042
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
1043
			goto fail;
1044
		if (!rules->policy->perms) {
1045
			error = aa_compat_map_policy(rules->policy,
1046
						     e->version);
1047
			if (error) {
1048
				info = "failed to remap policydb permission table";
1049
				goto fail;
1050
			}
1051
		}
1052
	} else {
1053
		rules->policy = aa_get_pdb(nullpdb);
1054
	}
1055
	/* get file rules */
1056
	error = unpack_pdb(e, &rules->file, false, true, &info);
1057
	if (error) {
1058
		goto fail;
1059
	} else if (rules->file->dfa) {
1060
		if (!rules->file->perms) {
1061
			error = aa_compat_map_file(rules->file);
1062
			if (error) {
1063
				info = "failed to remap file permission table";
1064
				goto fail;
1065
			}
1066
		}
1067
	} else if (rules->policy->dfa &&
1068
		   rules->policy->start[AA_CLASS_FILE]) {
1069
		aa_put_pdb(rules->file);
1070
		rules->file = aa_get_pdb(rules->policy);
1071
	} else {
1072
		aa_put_pdb(rules->file);
1073
		rules->file = aa_get_pdb(nullpdb);
1074
	}
1075
	error = -EPROTO;
1076
	if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
1077
		info = "out of memory";
1078
		profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
1079
		if (!profile->data) {
1080
			error = -ENOMEM;
1081
			goto fail;
1082
		}
1083
		params.nelem_hint = 3;
1084
		params.key_len = sizeof(void *);
1085
		params.key_offset = offsetof(struct aa_data, key);
1086
		params.head_offset = offsetof(struct aa_data, head);
1087
		params.hashfn = strhash;
1088
		params.obj_cmpfn = datacmp;
1089

1090
		if (rhashtable_init(profile->data, &params)) {
1091
			info = "failed to init key, value hash table";
1092
			goto fail;
1093
		}
1094

1095
		while (aa_unpack_strdup(e, &key, NULL)) {
1096
			data = kzalloc(sizeof(*data), GFP_KERNEL);
1097
			if (!data) {
1098
				kfree_sensitive(key);
1099
				error = -ENOMEM;
1100
				goto fail;
1101
			}
1102

1103
			data->key = key;
1104
			data->size = aa_unpack_blob(e, &data->data, NULL);
1105
			data->data = kvmemdup(data->data, data->size, GFP_KERNEL);
1106
			if (data->size && !data->data) {
1107
				kfree_sensitive(data->key);
1108
				kfree_sensitive(data);
1109
				error = -ENOMEM;
1110
				goto fail;
1111
			}
1112

1113
			if (rhashtable_insert_fast(profile->data, &data->head,
1114
						   profile->data->p)) {
1115
				kvfree_sensitive(data->data, data->size);
1116
				kfree_sensitive(data->key);
1117
				kfree_sensitive(data);
1118
				info = "failed to insert data to table";
1119
				goto fail;
1120
			}
1121
		}
1122

1123
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1124
			info = "failed to unpack end of key, value data table";
1125
			goto fail;
1126
		}
1127
	}
1128

1129
	if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) {
1130
		info = "failed to unpack end of profile";
1131
		goto fail;
1132
	}
1133

1134
	aa_compute_profile_mediates(profile);
1135

1136
	return profile;
1137

1138
fail:
1139
	if (error == 0)
1140
		/* default error covers most cases */
1141
		error = -EPROTO;
1142
	if (*ns_name) {
1143
		kfree(*ns_name);
1144
		*ns_name = NULL;
1145
	}
1146
	if (profile)
1147
		name = NULL;
1148
	else if (!name)
1149
		name = "unknown";
1150
	audit_iface(profile, NULL, name, info, e, error);
1151
	aa_free_profile(profile);
1152

1153
	return ERR_PTR(error);
1154
}
1155

1156
/**
1157
 * verify_header - unpack serialized stream header
1158
 * @e: serialized data read head (NOT NULL)
1159
 * @required: whether the header is required or optional
1160
 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
1161
 *
1162
 * Returns: error or 0 if header is good
1163
 */
1164
static int verify_header(struct aa_ext *e, int required, const char **ns)
1165
{
1166
	int error = -EPROTONOSUPPORT;
1167
	const char *name = NULL;
1168
	*ns = NULL;
1169

1170
	/* get the interface version */
1171
	if (!aa_unpack_u32(e, &e->version, "version")) {
1172
		if (required) {
1173
			audit_iface(NULL, NULL, NULL, "invalid profile format",
1174
				    e, error);
1175
			return error;
1176
		}
1177
	}
1178

1179
	/* Check that the interface version is currently supported.
1180
	 * if not specified use previous version
1181
	 * Mask off everything that is not kernel abi version
1182
	 */
1183
	if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) {
1184
		audit_iface(NULL, NULL, NULL, "unsupported interface version",
1185
			    e, error);
1186
		return error;
1187
	}
1188

1189
	/* read the namespace if present */
1190
	if (aa_unpack_str(e, &name, "namespace")) {
1191
		if (*name == '\0') {
1192
			audit_iface(NULL, NULL, NULL, "invalid namespace name",
1193
				    e, error);
1194
			return error;
1195
		}
1196
		if (*ns && strcmp(*ns, name)) {
1197
			audit_iface(NULL, NULL, NULL, "invalid ns change", e,
1198
				    error);
1199
		} else if (!*ns) {
1200
			*ns = kstrdup(name, GFP_KERNEL);
1201
			if (!*ns)
1202
				return -ENOMEM;
1203
		}
1204
	}
1205

1206
	return 0;
1207
}
1208

1209
/**
1210
 * verify_dfa_accept_index - verify accept indexes are in range of perms table
1211
 * @dfa: the dfa to check accept indexes are in range
1212
 * @table_size: the permission table size the indexes should be within
1213
 */
1214
static bool verify_dfa_accept_index(struct aa_dfa *dfa, int table_size)
1215
{
1216
	int i;
1217
	for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
1218
		if (ACCEPT_TABLE(dfa)[i] >= table_size)
1219
			return false;
1220
	}
1221
	return true;
1222
}
1223

1224
static bool verify_perm(struct aa_perms *perm)
1225
{
1226
	/* TODO: allow option to just force the perms into a valid state */
1227
	if (perm->allow & perm->deny)
1228
		return false;
1229
	if (perm->subtree & ~perm->allow)
1230
		return false;
1231
	if (perm->cond & (perm->allow | perm->deny))
1232
		return false;
1233
	if (perm->kill & perm->allow)
1234
		return false;
1235
	if (perm->complain & (perm->allow | perm->deny))
1236
		return false;
1237
	if (perm->prompt & (perm->allow | perm->deny))
1238
		return false;
1239
	if (perm->complain & perm->prompt)
1240
		return false;
1241
	if (perm->hide & perm->allow)
1242
		return false;
1243

1244
	return true;
1245
}
1246

1247
static bool verify_perms(struct aa_policydb *pdb)
1248
{
1249
	int i;
1250
	int xidx, xmax = -1;
1251

1252
	for (i = 0; i < pdb->size; i++) {
1253
		if (!verify_perm(&pdb->perms[i]))
1254
			return false;
1255
		/* verify indexes into str table */
1256
		if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
1257
			xidx = pdb->perms[i].xindex & AA_X_INDEX_MASK;
1258
			if (xidx >= pdb->trans.size)
1259
				return false;
1260
			if (xmax < xidx)
1261
				xmax = xidx;
1262
		}
1263
		if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->trans.size)
1264
			return false;
1265
		if (pdb->perms[i].label &&
1266
		    pdb->perms[i].label >= pdb->trans.size)
1267
			return false;
1268
	}
1269
	/* deal with incorrectly constructed string tables */
1270
	if (xmax == -1) {
1271
		aa_free_str_table(&pdb->trans);
1272
	} else if (pdb->trans.size > xmax + 1) {
1273
		if (!aa_resize_str_table(&pdb->trans, xmax + 1, GFP_KERNEL))
1274
			return false;
1275
	}
1276
	return true;
1277
}
1278

1279
/**
1280
 * verify_profile - Do post unpack analysis to verify profile consistency
1281
 * @profile: profile to verify (NOT NULL)
1282
 *
1283
 * Returns: 0 if passes verification else error
1284
 *
1285
 * This verification is post any unpack mapping or changes
1286
 */
1287
static int verify_profile(struct aa_profile *profile)
1288
{
1289
	struct aa_ruleset *rules = profile->label.rules[0];
1290

1291
	if (!rules)
1292
		return 0;
1293

1294
	if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa,
1295
							rules->file->size)) {
1296
		audit_iface(profile, NULL, NULL,
1297
			    "Unpack: file Invalid named transition", NULL,
1298
			    -EPROTO);
1299
		return -EPROTO;
1300
	}
1301
	if (rules->policy->dfa &&
1302
	    !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) {
1303
		audit_iface(profile, NULL, NULL,
1304
			    "Unpack: policy Invalid named transition", NULL,
1305
			    -EPROTO);
1306
		return -EPROTO;
1307
	}
1308

1309
	if (!verify_perms(rules->file)) {
1310
		audit_iface(profile, NULL, NULL,
1311
			    "Unpack: Invalid perm index", NULL, -EPROTO);
1312
		return -EPROTO;
1313
	}
1314
	if (!verify_perms(rules->policy)) {
1315
		audit_iface(profile, NULL, NULL,
1316
			    "Unpack: Invalid perm index", NULL, -EPROTO);
1317
		return -EPROTO;
1318
	}
1319
	if (!verify_perms(profile->attach.xmatch)) {
1320
		audit_iface(profile, NULL, NULL,
1321
			    "Unpack: Invalid perm index", NULL, -EPROTO);
1322
		return -EPROTO;
1323
	}
1324

1325
	return 0;
1326
}
1327

1328
void aa_load_ent_free(struct aa_load_ent *ent)
1329
{
1330
	if (ent) {
1331
		aa_put_profile(ent->rename);
1332
		aa_put_profile(ent->old);
1333
		aa_put_profile(ent->new);
1334
		kfree(ent->ns_name);
1335
		kfree_sensitive(ent);
1336
	}
1337
}
1338

1339
struct aa_load_ent *aa_load_ent_alloc(void)
1340
{
1341
	struct aa_load_ent *ent = kzalloc(sizeof(*ent), GFP_KERNEL);
1342
	if (ent)
1343
		INIT_LIST_HEAD(&ent->list);
1344
	return ent;
1345
}
1346

1347
static int compress_zstd(const char *src, size_t slen, char **dst, size_t *dlen)
1348
{
1349
#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1350
	const zstd_parameters params =
1351
		zstd_get_params(aa_g_rawdata_compression_level, slen);
1352
	const size_t wksp_len = zstd_cctx_workspace_bound(&params.cParams);
1353
	void *wksp = NULL;
1354
	zstd_cctx *ctx = NULL;
1355
	size_t out_len = zstd_compress_bound(slen);
1356
	void *out = NULL;
1357
	int ret = 0;
1358

1359
	out = kvzalloc(out_len, GFP_KERNEL);
1360
	if (!out) {
1361
		ret = -ENOMEM;
1362
		goto cleanup;
1363
	}
1364

1365
	wksp = kvzalloc(wksp_len, GFP_KERNEL);
1366
	if (!wksp) {
1367
		ret = -ENOMEM;
1368
		goto cleanup;
1369
	}
1370

1371
	ctx = zstd_init_cctx(wksp, wksp_len);
1372
	if (!ctx) {
1373
		ret = -EINVAL;
1374
		goto cleanup;
1375
	}
1376

1377
	out_len = zstd_compress_cctx(ctx, out, out_len, src, slen, &params);
1378
	if (zstd_is_error(out_len) || out_len >= slen) {
1379
		ret = -EINVAL;
1380
		goto cleanup;
1381
	}
1382

1383
	if (is_vmalloc_addr(out)) {
1384
		*dst = kvzalloc(out_len, GFP_KERNEL);
1385
		if (*dst) {
1386
			memcpy(*dst, out, out_len);
1387
			kvfree(out);
1388
			out = NULL;
1389
		}
1390
	} else {
1391
		/*
1392
		 * If the staging buffer was kmalloc'd, then using krealloc is
1393
		 * probably going to be faster. The destination buffer will
1394
		 * always be smaller, so it's just shrunk, avoiding a memcpy
1395
		 */
1396
		*dst = krealloc(out, out_len, GFP_KERNEL);
1397
	}
1398

1399
	if (!*dst) {
1400
		ret = -ENOMEM;
1401
		goto cleanup;
1402
	}
1403

1404
	*dlen = out_len;
1405

1406
cleanup:
1407
	if (ret) {
1408
		kvfree(out);
1409
		*dst = NULL;
1410
	}
1411

1412
	kvfree(wksp);
1413
	return ret;
1414
#else
1415
	*dlen = slen;
1416
	return 0;
1417
#endif
1418
}
1419

1420
static int compress_loaddata(struct aa_loaddata *data)
1421
{
1422
	AA_BUG(data->compressed_size > 0);
1423

1424
	/*
1425
	 * Shortcut the no compression case, else we increase the amount of
1426
	 * storage required by a small amount
1427
	 */
1428
	if (aa_g_rawdata_compression_level != 0) {
1429
		void *udata = data->data;
1430
		int error = compress_zstd(udata, data->size, &data->data,
1431
					  &data->compressed_size);
1432
		if (error) {
1433
			data->compressed_size = data->size;
1434
			return error;
1435
		}
1436
		if (udata != data->data)
1437
			kvfree(udata);
1438
	} else
1439
		data->compressed_size = data->size;
1440

1441
	return 0;
1442
}
1443

1444
/**
1445
 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1446
 * @udata: user data copied to kmem  (NOT NULL)
1447
 * @lh: list to place unpacked profiles in a aa_repl_ws
1448
 * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
1449
 *
1450
 * Unpack user data and return refcounted allocated profile(s) stored in
1451
 * @lh in order of discovery, with the list chain stored in base.list
1452
 * or error
1453
 *
1454
 * Returns: profile(s) on @lh else error pointer if fails to unpack
1455
 */
1456
int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
1457
	      const char **ns)
1458
{
1459
	struct aa_load_ent *tmp, *ent;
1460
	struct aa_profile *profile = NULL;
1461
	char *ns_name = NULL;
1462
	int error;
1463
	struct aa_ext e = {
1464
		.start = udata->data,
1465
		.end = udata->data + udata->size,
1466
		.pos = udata->data,
1467
	};
1468

1469
	*ns = NULL;
1470
	while (e.pos < e.end) {
1471
		void *start;
1472
		error = verify_header(&e, e.pos == e.start, ns);
1473
		if (error)
1474
			goto fail;
1475

1476
		start = e.pos;
1477
		profile = unpack_profile(&e, &ns_name);
1478
		if (IS_ERR(profile)) {
1479
			error = PTR_ERR(profile);
1480
			goto fail;
1481
		}
1482

1483
		error = verify_profile(profile);
1484
		if (error)
1485
			goto fail_profile;
1486

1487
		if (aa_g_hash_policy)
1488
			error = aa_calc_profile_hash(profile, e.version, start,
1489
						     e.pos - start);
1490
		if (error)
1491
			goto fail_profile;
1492

1493
		ent = aa_load_ent_alloc();
1494
		if (!ent) {
1495
			error = -ENOMEM;
1496
			goto fail_profile;
1497
		}
1498

1499
		ent->new = profile;
1500
		ent->ns_name = ns_name;
1501
		ns_name = NULL;
1502
		list_add_tail(&ent->list, lh);
1503
	}
1504
	udata->abi = e.version & K_ABI_MASK;
1505
	if (aa_g_hash_policy) {
1506
		udata->hash = aa_calc_hash(udata->data, udata->size);
1507
		if (IS_ERR(udata->hash)) {
1508
			error = PTR_ERR(udata->hash);
1509
			udata->hash = NULL;
1510
			goto fail;
1511
		}
1512
	}
1513

1514
	if (aa_g_export_binary) {
1515
		error = compress_loaddata(udata);
1516
		if (error)
1517
			goto fail;
1518
	}
1519
	return 0;
1520

1521
fail_profile:
1522
	kfree(ns_name);
1523
	aa_put_profile(profile);
1524

1525
fail:
1526
	list_for_each_entry_safe(ent, tmp, lh, list) {
1527
		list_del_init(&ent->list);
1528
		aa_load_ent_free(ent);
1529
	}
1530

1531
	return error;
1532
}
1533

1534