Lines Matching +full:- +full:e
1 // SPDX-License-Identifier: GPL-2.0-only
8 * Copyright (C) 1998-2008 Novell/SUSE
9 * Copyright 2009-2010 Canonical Ltd.
12 * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
39 if (ad->iface.ns) { in audit_cb()
41 audit_log_untrustedstring(ab, ad->iface.ns); in audit_cb()
43 if (ad->name) { in audit_cb()
45 audit_log_untrustedstring(ab, ad->name); in audit_cb()
47 if (ad->iface.pos) in audit_cb()
48 audit_log_format(ab, " offset=%ld", ad->iface.pos); in audit_cb()
52 * audit_iface - do audit message for policy unpacking/load/replace/remove
57 * @e: buffer position info
63 const char *name, const char *info, struct aa_ext *e, in audit_iface() argument
68 if (e) in audit_iface()
69 ad.iface.pos = e->pos - e->start; in audit_iface()
72 ad.name = new->base.hname; in audit_iface()
84 AA_BUG(!data->ns); in __aa_loaddata_update()
85 AA_BUG(!mutex_is_locked(&data->ns->lock)); in __aa_loaddata_update()
86 AA_BUG(data->revision > revision); in __aa_loaddata_update()
88 data->revision = revision; in __aa_loaddata_update()
89 if ((data->dents[AAFS_LOADDATA_REVISION])) { in __aa_loaddata_update()
92 inode = d_inode(data->dents[AAFS_LOADDATA_DIR]); in __aa_loaddata_update()
95 inode = d_inode(data->dents[AAFS_LOADDATA_REVISION]); in __aa_loaddata_update()
102 if (l->size != r->size) in aa_rawdata_eq()
104 if (l->compressed_size != r->compressed_size) in aa_rawdata_eq()
106 if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0) in aa_rawdata_eq()
108 return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0; in aa_rawdata_eq()
118 struct aa_ns *ns = aa_get_ns(d->ns); in do_loaddata_free()
121 mutex_lock_nested(&ns->lock, ns->level); in do_loaddata_free()
123 mutex_unlock(&ns->lock); in do_loaddata_free()
127 kfree_sensitive(d->hash); in do_loaddata_free()
128 kfree_sensitive(d->name); in do_loaddata_free()
129 kvfree(d->data); in do_loaddata_free()
138 INIT_WORK(&d->work, do_loaddata_free); in aa_loaddata_kref()
139 schedule_work(&d->work); in aa_loaddata_kref()
149 return ERR_PTR(-ENOMEM); in aa_loaddata_alloc()
150 d->data = kvzalloc(size, GFP_KERNEL); in aa_loaddata_alloc()
151 if (!d->data) { in aa_loaddata_alloc()
153 return ERR_PTR(-ENOMEM); in aa_loaddata_alloc()
155 kref_init(&d->count); in aa_loaddata_alloc()
156 INIT_LIST_HEAD(&d->list); in aa_loaddata_alloc()
162 VISIBLE_IF_KUNIT bool aa_inbounds(struct aa_ext *e, size_t size) in aa_inbounds() argument
164 return (size <= e->end - e->pos); in aa_inbounds()
169 * aa_unpack_u16_chunk - test and do bounds checking for a u16 size based chunk
170 * @e: serialized data read head (NOT NULL)
175 VISIBLE_IF_KUNIT size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk) in aa_unpack_u16_chunk() argument
178 void *pos = e->pos; in aa_unpack_u16_chunk()
180 if (!aa_inbounds(e, sizeof(u16))) in aa_unpack_u16_chunk()
182 size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); in aa_unpack_u16_chunk()
183 e->pos += sizeof(__le16); in aa_unpack_u16_chunk()
184 if (!aa_inbounds(e, size)) in aa_unpack_u16_chunk()
186 *chunk = e->pos; in aa_unpack_u16_chunk()
187 e->pos += size; in aa_unpack_u16_chunk()
191 e->pos = pos; in aa_unpack_u16_chunk()
197 VISIBLE_IF_KUNIT bool aa_unpack_X(struct aa_ext *e, enum aa_code code) in aa_unpack_X() argument
199 if (!aa_inbounds(e, 1)) in aa_unpack_X()
201 if (*(u8 *) e->pos != code) in aa_unpack_X()
203 e->pos++; in aa_unpack_X()
209 * aa_unpack_nameX - check is the next element is of type X with a name of @name
210 * @e: serialized data extent information (NOT NULL)
224 VISIBLE_IF_KUNIT bool aa_unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) in aa_unpack_nameX() argument
229 void *pos = e->pos; in aa_unpack_nameX()
234 if (aa_unpack_X(e, AA_NAME)) { in aa_unpack_nameX()
236 size_t size = aa_unpack_u16_chunk(e, &tag); in aa_unpack_nameX()
238 if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) in aa_unpack_nameX()
246 if (aa_unpack_X(e, code)) in aa_unpack_nameX()
250 e->pos = pos; in aa_unpack_nameX()
255 static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name) in unpack_u8() argument
257 void *pos = e->pos; in unpack_u8()
259 if (aa_unpack_nameX(e, AA_U8, name)) { in unpack_u8()
260 if (!aa_inbounds(e, sizeof(u8))) in unpack_u8()
263 *data = *((u8 *)e->pos); in unpack_u8()
264 e->pos += sizeof(u8); in unpack_u8()
269 e->pos = pos; in unpack_u8()
273 VISIBLE_IF_KUNIT bool aa_unpack_u32(struct aa_ext *e, u32 *data, const char *name) in aa_unpack_u32() argument
275 void *pos = e->pos; in aa_unpack_u32()
277 if (aa_unpack_nameX(e, AA_U32, name)) { in aa_unpack_u32()
278 if (!aa_inbounds(e, sizeof(u32))) in aa_unpack_u32()
281 *data = le32_to_cpu(get_unaligned((__le32 *) e->pos)); in aa_unpack_u32()
282 e->pos += sizeof(u32); in aa_unpack_u32()
287 e->pos = pos; in aa_unpack_u32()
292 VISIBLE_IF_KUNIT bool aa_unpack_u64(struct aa_ext *e, u64 *data, const char *name) in aa_unpack_u64() argument
294 void *pos = e->pos; in aa_unpack_u64()
296 if (aa_unpack_nameX(e, AA_U64, name)) { in aa_unpack_u64()
297 if (!aa_inbounds(e, sizeof(u64))) in aa_unpack_u64()
300 *data = le64_to_cpu(get_unaligned((__le64 *) e->pos)); in aa_unpack_u64()
301 e->pos += sizeof(u64); in aa_unpack_u64()
306 e->pos = pos; in aa_unpack_u64()
311 static bool aa_unpack_cap_low(struct aa_ext *e, kernel_cap_t *data, const char *name) in aa_unpack_cap_low() argument
315 if (!aa_unpack_u32(e, &val, name)) in aa_unpack_cap_low()
317 data->val = val; in aa_unpack_cap_low()
321 static bool aa_unpack_cap_high(struct aa_ext *e, kernel_cap_t *data, const char *name) in aa_unpack_cap_high() argument
325 if (!aa_unpack_u32(e, &val, name)) in aa_unpack_cap_high()
327 data->val = (u32)data->val | ((u64)val << 32); in aa_unpack_cap_high()
331 VISIBLE_IF_KUNIT bool aa_unpack_array(struct aa_ext *e, const char *name, u16 *size) in aa_unpack_array() argument
333 void *pos = e->pos; in aa_unpack_array()
335 if (aa_unpack_nameX(e, AA_ARRAY, name)) { in aa_unpack_array()
336 if (!aa_inbounds(e, sizeof(u16))) in aa_unpack_array()
338 *size = le16_to_cpu(get_unaligned((__le16 *) e->pos)); in aa_unpack_array()
339 e->pos += sizeof(u16); in aa_unpack_array()
344 e->pos = pos; in aa_unpack_array()
349 VISIBLE_IF_KUNIT size_t aa_unpack_blob(struct aa_ext *e, char **blob, const char *name) in aa_unpack_blob() argument
351 void *pos = e->pos; in aa_unpack_blob()
353 if (aa_unpack_nameX(e, AA_BLOB, name)) { in aa_unpack_blob()
355 if (!aa_inbounds(e, sizeof(u32))) in aa_unpack_blob()
357 size = le32_to_cpu(get_unaligned((__le32 *) e->pos)); in aa_unpack_blob()
358 e->pos += sizeof(u32); in aa_unpack_blob()
359 if (aa_inbounds(e, (size_t) size)) { in aa_unpack_blob()
360 *blob = e->pos; in aa_unpack_blob()
361 e->pos += size; in aa_unpack_blob()
367 e->pos = pos; in aa_unpack_blob()
372 VISIBLE_IF_KUNIT int aa_unpack_str(struct aa_ext *e, const char **string, const char *name) in aa_unpack_str() argument
376 void *pos = e->pos; in aa_unpack_str()
378 if (aa_unpack_nameX(e, AA_STRING, name)) { in aa_unpack_str()
379 size = aa_unpack_u16_chunk(e, &src_str); in aa_unpack_str()
381 /* strings are null terminated, length is size - 1 */ in aa_unpack_str()
382 if (src_str[size - 1] != 0) in aa_unpack_str()
391 e->pos = pos; in aa_unpack_str()
396 VISIBLE_IF_KUNIT int aa_unpack_strdup(struct aa_ext *e, char **string, const char *name) in aa_unpack_strdup() argument
399 void *pos = e->pos; in aa_unpack_strdup()
400 int res = aa_unpack_str(e, &tmp, name); in aa_unpack_strdup()
408 e->pos = pos; in aa_unpack_strdup()
418 * unpack_dfa - unpack a file rule dfa
419 * @e: serialized data extent information (NOT NULL)
424 static struct aa_dfa *unpack_dfa(struct aa_ext *e, int flags) in unpack_dfa() argument
430 size = aa_unpack_blob(e, &blob, "aadfa"); in unpack_dfa()
437 size_t sz = blob - (char *) e->start - in unpack_dfa()
438 ((e->pos - e->start) & 7); in unpack_dfa()
439 size_t pad = ALIGN(sz, 8) - sz; in unpack_dfa()
442 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); in unpack_dfa()
453 * unpack_trans_table - unpack a profile transition table
454 * @e: serialized data extent information (NOT NULL)
459 static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs) in unpack_trans_table() argument
461 void *saved_pos = e->pos; in unpack_trans_table()
465 if (aa_unpack_nameX(e, AA_STRUCT, "xtable")) { in unpack_trans_table()
469 if (!aa_unpack_array(e, NULL, &size)) in unpack_trans_table()
481 strs->table = table; in unpack_trans_table()
482 strs->size = size; in unpack_trans_table()
485 int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL); in unpack_trans_table()
497 for (c = j = 0; j < size2 - 1; j++) { in unpack_trans_table()
518 /* fail - all other cases with embedded \0 */ in unpack_trans_table()
521 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) in unpack_trans_table()
523 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_trans_table()
530 e->pos = saved_pos; in unpack_trans_table()
534 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile) in unpack_xattrs() argument
536 void *pos = e->pos; in unpack_xattrs()
538 if (aa_unpack_nameX(e, AA_STRUCT, "xattrs")) { in unpack_xattrs()
542 if (!aa_unpack_array(e, NULL, &size)) in unpack_xattrs()
544 profile->attach.xattr_count = size; in unpack_xattrs()
545 profile->attach.xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); in unpack_xattrs()
546 if (!profile->attach.xattrs) in unpack_xattrs()
549 if (!aa_unpack_strdup(e, &profile->attach.xattrs[i], NULL)) in unpack_xattrs()
552 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) in unpack_xattrs()
554 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_xattrs()
561 e->pos = pos; in unpack_xattrs()
565 static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules) in unpack_secmark() argument
567 void *pos = e->pos; in unpack_secmark()
571 if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) { in unpack_secmark()
572 if (!aa_unpack_array(e, NULL, &size)) in unpack_secmark()
575 rules->secmark = kcalloc(size, sizeof(struct aa_secmark), in unpack_secmark()
577 if (!rules->secmark) in unpack_secmark()
580 rules->secmark_count = size; in unpack_secmark()
583 if (!unpack_u8(e, &rules->secmark[i].audit, NULL)) in unpack_secmark()
585 if (!unpack_u8(e, &rules->secmark[i].deny, NULL)) in unpack_secmark()
587 if (!aa_unpack_strdup(e, &rules->secmark[i].label, NULL)) in unpack_secmark()
590 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) in unpack_secmark()
592 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_secmark()
599 if (rules->secmark) { in unpack_secmark()
601 kfree(rules->secmark[i].label); in unpack_secmark()
602 kfree(rules->secmark); in unpack_secmark()
603 rules->secmark_count = 0; in unpack_secmark()
604 rules->secmark = NULL; in unpack_secmark()
607 e->pos = pos; in unpack_secmark()
611 static bool unpack_rlimits(struct aa_ext *e, struct aa_ruleset *rules) in unpack_rlimits() argument
613 void *pos = e->pos; in unpack_rlimits()
616 if (aa_unpack_nameX(e, AA_STRUCT, "rlimits")) { in unpack_rlimits()
620 if (!aa_unpack_u32(e, &tmp, NULL)) in unpack_rlimits()
622 rules->rlimits.mask = tmp; in unpack_rlimits()
624 if (!aa_unpack_array(e, NULL, &size) || in unpack_rlimits()
630 if (!aa_unpack_u64(e, &tmp2, NULL)) in unpack_rlimits()
632 rules->rlimits.limits[a].rlim_max = tmp2; in unpack_rlimits()
634 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) in unpack_rlimits()
636 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_rlimits()
642 e->pos = pos; in unpack_rlimits()
646 static bool unpack_perm(struct aa_ext *e, u32 version, struct aa_perms *perm) in unpack_perm() argument
651 return aa_unpack_u32(e, &perm->allow, NULL) && in unpack_perm()
652 aa_unpack_u32(e, &perm->allow, NULL) && in unpack_perm()
653 aa_unpack_u32(e, &perm->deny, NULL) && in unpack_perm()
654 aa_unpack_u32(e, &perm->subtree, NULL) && in unpack_perm()
655 aa_unpack_u32(e, &perm->cond, NULL) && in unpack_perm()
656 aa_unpack_u32(e, &perm->kill, NULL) && in unpack_perm()
657 aa_unpack_u32(e, &perm->complain, NULL) && in unpack_perm()
658 aa_unpack_u32(e, &perm->prompt, NULL) && in unpack_perm()
659 aa_unpack_u32(e, &perm->audit, NULL) && in unpack_perm()
660 aa_unpack_u32(e, &perm->quiet, NULL) && in unpack_perm()
661 aa_unpack_u32(e, &perm->hide, NULL) && in unpack_perm()
662 aa_unpack_u32(e, &perm->xindex, NULL) && in unpack_perm()
663 aa_unpack_u32(e, &perm->tag, NULL) && in unpack_perm()
664 aa_unpack_u32(e, &perm->label, NULL); in unpack_perm()
667 static ssize_t unpack_perms_table(struct aa_ext *e, struct aa_perms **perms) in unpack_perms_table() argument
669 void *pos = e->pos; in unpack_perms_table()
677 if (aa_unpack_nameX(e, AA_STRUCT, "perms")) { in unpack_perms_table()
681 if (!aa_unpack_u32(e, &version, "version")) in unpack_perms_table()
683 if (!aa_unpack_array(e, NULL, &size)) in unpack_perms_table()
689 if (!unpack_perm(e, version, &(*perms)[i])) in unpack_perms_table()
692 if (!aa_unpack_nameX(e, AA_ARRAYEND, NULL)) in unpack_perms_table()
694 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_perms_table()
704 e->pos = pos; in unpack_perms_table()
705 return -EPROTO; in unpack_perms_table()
708 static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, in unpack_pdb() argument
713 void *pos = e->pos; in unpack_pdb()
714 int i, flags, error = -EPROTO; in unpack_pdb()
719 return -ENOMEM; in unpack_pdb()
721 size = unpack_perms_table(e, &pdb->perms); in unpack_pdb()
724 pdb->perms = NULL; in unpack_pdb()
725 *info = "failed to unpack - perms"; in unpack_pdb()
728 pdb->size = size; in unpack_pdb()
730 if (pdb->perms) { in unpack_pdb()
739 pdb->dfa = unpack_dfa(e, flags); in unpack_pdb()
740 if (IS_ERR(pdb->dfa)) { in unpack_pdb()
741 error = PTR_ERR(pdb->dfa); in unpack_pdb()
742 pdb->dfa = NULL; in unpack_pdb()
743 *info = "failed to unpack - dfa"; in unpack_pdb()
745 } else if (!pdb->dfa) { in unpack_pdb()
759 if (!aa_unpack_u32(e, &pdb->start[0], "start")) in unpack_pdb()
761 pdb->start[0] = DFA_START; in unpack_pdb()
762 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { in unpack_pdb()
764 pdb->start[AA_CLASS_FILE] = DFA_START; in unpack_pdb()
767 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0], in unpack_pdb()
770 if (!unpack_trans_table(e, &pdb->trans) && required_trans) { in unpack_pdb()
783 e->pos = pos; in unpack_pdb()
797 const char * const *key = arg->key; in datacmp()
799 return strcmp(data->key, *key); in datacmp()
803 * unpack_profile - unpack a serialized profile
804 * @e: serialized data extent information (NOT NULL)
809 static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) in unpack_profile() argument
819 int error = -EPROTO; in unpack_profile()
826 if (!aa_unpack_nameX(e, AA_STRUCT, "profile")) in unpack_profile()
828 if (!aa_unpack_str(e, &name, NULL)) in unpack_profile()
842 error = -ENOMEM; in unpack_profile()
851 error = -ENOMEM; in unpack_profile()
854 rules = list_first_entry(&profile->rules, typeof(*rules), list); in unpack_profile()
857 (void) aa_unpack_str(e, &profile->rename, "rename"); in unpack_profile()
860 (void) aa_unpack_str(e, &profile->attach.xmatch_str, "attach"); in unpack_profile()
863 error = unpack_pdb(e, &profile->attach.xmatch, false, false, &info); in unpack_profile()
870 if (profile->attach.xmatch->dfa) { in unpack_profile()
871 if (!aa_unpack_u32(e, &tmp, NULL)) { in unpack_profile()
875 profile->attach.xmatch_len = tmp; in unpack_profile()
876 profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START; in unpack_profile()
877 if (!profile->attach.xmatch->perms) { in unpack_profile()
878 error = aa_compat_map_xmatch(profile->attach.xmatch); in unpack_profile()
887 (void) aa_unpack_strdup(e, &disconnected, "disconnected"); in unpack_profile()
888 profile->disconnected = disconnected; in unpack_profile()
891 if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) { in unpack_profile()
896 if (!aa_unpack_u32(e, &tmp, NULL)) in unpack_profile()
899 profile->label.flags |= FLAG_HAT; in unpack_profile()
901 profile->label.flags |= FLAG_DEBUG1; in unpack_profile()
903 profile->label.flags |= FLAG_DEBUG2; in unpack_profile()
904 if (!aa_unpack_u32(e, &tmp, NULL)) in unpack_profile()
906 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) { in unpack_profile()
907 profile->mode = APPARMOR_COMPLAIN; in unpack_profile()
909 profile->mode = APPARMOR_ENFORCE; in unpack_profile()
911 profile->mode = APPARMOR_KILL; in unpack_profile()
913 profile->mode = APPARMOR_UNCONFINED; in unpack_profile()
914 profile->label.flags |= FLAG_UNCONFINED; in unpack_profile()
916 profile->mode = APPARMOR_USER; in unpack_profile()
920 if (!aa_unpack_u32(e, &tmp, NULL)) in unpack_profile()
923 profile->audit = AUDIT_ALL; in unpack_profile()
925 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_profile()
929 if (aa_unpack_u32(e, &profile->path_flags, "path_flags")) in unpack_profile()
930 profile->path_flags |= profile->label.flags & in unpack_profile()
934 profile->path_flags = PATH_MEDIATE_DELETED; in unpack_profile()
937 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL)) in unpack_profile()
939 if (!aa_unpack_cap_low(e, &rules->caps.audit, NULL)) in unpack_profile()
941 if (!aa_unpack_cap_low(e, &rules->caps.quiet, NULL)) in unpack_profile()
943 if (!aa_unpack_cap_low(e, &tmpcap, NULL)) in unpack_profile()
947 if (aa_unpack_nameX(e, AA_STRUCT, "caps64")) { in unpack_profile()
949 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL)) in unpack_profile()
951 if (!aa_unpack_cap_high(e, &rules->caps.audit, NULL)) in unpack_profile()
953 if (!aa_unpack_cap_high(e, &rules->caps.quiet, NULL)) in unpack_profile()
955 if (!aa_unpack_cap_high(e, &tmpcap, NULL)) in unpack_profile()
957 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_profile()
962 if (aa_unpack_nameX(e, AA_STRUCT, "capsx")) { in unpack_profile()
964 if (!aa_unpack_cap_low(e, &rules->caps.extended, NULL)) in unpack_profile()
966 if (!aa_unpack_cap_high(e, &rules->caps.extended, NULL)) in unpack_profile()
968 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_profile()
972 if (!unpack_xattrs(e, profile)) { in unpack_profile()
977 if (!unpack_rlimits(e, rules)) { in unpack_profile()
982 if (!unpack_secmark(e, rules)) { in unpack_profile()
987 if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) { in unpack_profile()
988 /* generic policy dfa - optional and may be NULL */ in unpack_profile()
990 error = unpack_pdb(e, &rules->policy, true, false, in unpack_profile()
995 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0], in unpack_profile()
997 rules->policy->start[AA_CLASS_FILE] = in unpack_profile()
998 aa_dfa_next(rules->policy->dfa, in unpack_profile()
999 rules->policy->start[0], in unpack_profile()
1001 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) in unpack_profile()
1003 if (!rules->policy->perms) { in unpack_profile()
1004 error = aa_compat_map_policy(rules->policy, in unpack_profile()
1005 e->version); in unpack_profile()
1012 rules->policy = aa_get_pdb(nullpdb); in unpack_profile()
1015 error = unpack_pdb(e, &rules->file, false, true, &info); in unpack_profile()
1018 } else if (rules->file->dfa) { in unpack_profile()
1019 if (!rules->file->perms) { in unpack_profile()
1020 error = aa_compat_map_file(rules->file); in unpack_profile()
1026 } else if (rules->policy->dfa && in unpack_profile()
1027 rules->policy->start[AA_CLASS_FILE]) { in unpack_profile()
1028 aa_put_pdb(rules->file); in unpack_profile()
1029 rules->file = aa_get_pdb(rules->policy); in unpack_profile()
1031 aa_put_pdb(rules->file); in unpack_profile()
1032 rules->file = aa_get_pdb(nullpdb); in unpack_profile()
1034 error = -EPROTO; in unpack_profile()
1035 if (aa_unpack_nameX(e, AA_STRUCT, "data")) { in unpack_profile()
1037 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); in unpack_profile()
1038 if (!profile->data) { in unpack_profile()
1039 error = -ENOMEM; in unpack_profile()
1049 if (rhashtable_init(profile->data, ¶ms)) { in unpack_profile()
1054 while (aa_unpack_strdup(e, &key, NULL)) { in unpack_profile()
1058 error = -ENOMEM; in unpack_profile()
1062 data->key = key; in unpack_profile()
1063 data->size = aa_unpack_blob(e, &data->data, NULL); in unpack_profile()
1064 data->data = kvmemdup(data->data, data->size, GFP_KERNEL); in unpack_profile()
1065 if (data->size && !data->data) { in unpack_profile()
1066 kfree_sensitive(data->key); in unpack_profile()
1068 error = -ENOMEM; in unpack_profile()
1072 if (rhashtable_insert_fast(profile->data, &data->head, in unpack_profile()
1073 profile->data->p)) { in unpack_profile()
1074 kfree_sensitive(data->key); in unpack_profile()
1081 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) { in unpack_profile()
1087 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) { in unpack_profile()
1097 error = -EPROTO; in unpack_profile()
1106 audit_iface(profile, NULL, name, info, e, error); in unpack_profile()
1113 * verify_header - unpack serialized stream header
1114 * @e: serialized data read head (NOT NULL)
1116 * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
1120 static int verify_header(struct aa_ext *e, int required, const char **ns) in verify_header() argument
1122 int error = -EPROTONOSUPPORT; in verify_header()
1127 if (!aa_unpack_u32(e, &e->version, "version")) { in verify_header()
1130 e, error); in verify_header()
1139 if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) { in verify_header()
1141 e, error); in verify_header()
1146 if (aa_unpack_str(e, &name, "namespace")) { in verify_header()
1149 e, error); in verify_header()
1153 audit_iface(NULL, NULL, NULL, "invalid ns change", e, in verify_header()
1158 return -ENOMEM; in verify_header()
1166 * verify_dfa_accept_index - verify accept indexes are in range of perms table
1173 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { in verify_dfa_accept_index()
1183 if (perm->allow & perm->deny) in verify_perm()
1185 if (perm->subtree & ~perm->allow) in verify_perm()
1187 if (perm->cond & (perm->allow | perm->deny)) in verify_perm()
1189 if (perm->kill & perm->allow) in verify_perm()
1191 if (perm->complain & (perm->allow | perm->deny)) in verify_perm()
1193 if (perm->prompt & (perm->allow | perm->deny)) in verify_perm()
1195 if (perm->complain & perm->prompt) in verify_perm()
1197 if (perm->hide & perm->allow) in verify_perm()
1207 for (i = 0; i < pdb->size; i++) { in verify_perms()
1208 if (!verify_perm(&pdb->perms[i])) in verify_perms()
1211 if ((pdb->perms[i].xindex & AA_X_TYPE_MASK) == AA_X_TABLE && in verify_perms()
1212 (pdb->perms[i].xindex & AA_X_INDEX_MASK) >= pdb->trans.size) in verify_perms()
1214 if (pdb->perms[i].tag && pdb->perms[i].tag >= pdb->trans.size) in verify_perms()
1216 if (pdb->perms[i].label && in verify_perms()
1217 pdb->perms[i].label >= pdb->trans.size) in verify_perms()
1225 * verify_profile - Do post unpack analysis to verify profile consistency
1234 struct aa_ruleset *rules = list_first_entry(&profile->rules, in verify_profile()
1239 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa, in verify_profile()
1240 rules->file->size)) { in verify_profile()
1243 -EPROTO); in verify_profile()
1244 return -EPROTO; in verify_profile()
1246 if (rules->policy->dfa && in verify_profile()
1247 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) { in verify_profile()
1250 -EPROTO); in verify_profile()
1251 return -EPROTO; in verify_profile()
1254 if (!verify_perms(rules->file)) { in verify_profile()
1256 "Unpack: Invalid perm index", NULL, -EPROTO); in verify_profile()
1257 return -EPROTO; in verify_profile()
1259 if (!verify_perms(rules->policy)) { in verify_profile()
1261 "Unpack: Invalid perm index", NULL, -EPROTO); in verify_profile()
1262 return -EPROTO; in verify_profile()
1264 if (!verify_perms(profile->attach.xmatch)) { in verify_profile()
1266 "Unpack: Invalid perm index", NULL, -EPROTO); in verify_profile()
1267 return -EPROTO; in verify_profile()
1276 aa_put_profile(ent->rename); in aa_load_ent_free()
1277 aa_put_profile(ent->old); in aa_load_ent_free()
1278 aa_put_profile(ent->new); in aa_load_ent_free()
1279 kfree(ent->ns_name); in aa_load_ent_free()
1288 INIT_LIST_HEAD(&ent->list); in aa_load_ent_alloc()
1306 ret = -ENOMEM; in compress_zstd()
1312 ret = -ENOMEM; in compress_zstd()
1318 ret = -EINVAL; in compress_zstd()
1324 ret = -EINVAL; in compress_zstd()
1345 ret = -ENOMEM; in compress_zstd()
1367 AA_BUG(data->compressed_size > 0); in compress_loaddata()
1374 void *udata = data->data; in compress_loaddata()
1375 int error = compress_zstd(udata, data->size, &data->data, in compress_loaddata()
1376 &data->compressed_size); in compress_loaddata()
1378 data->compressed_size = data->size; in compress_loaddata()
1381 if (udata != data->data) in compress_loaddata()
1384 data->compressed_size = data->size; in compress_loaddata()
1390 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1408 struct aa_ext e = { in aa_unpack() local
1409 .start = udata->data, in aa_unpack()
1410 .end = udata->data + udata->size, in aa_unpack()
1411 .pos = udata->data, in aa_unpack()
1415 while (e.pos < e.end) { in aa_unpack()
1417 error = verify_header(&e, e.pos == e.start, ns); in aa_unpack()
1421 start = e.pos; in aa_unpack()
1422 profile = unpack_profile(&e, &ns_name); in aa_unpack()
1433 error = aa_calc_profile_hash(profile, e.version, start, in aa_unpack()
1434 e.pos - start); in aa_unpack()
1440 error = -ENOMEM; in aa_unpack()
1444 ent->new = profile; in aa_unpack()
1445 ent->ns_name = ns_name; in aa_unpack()
1447 list_add_tail(&ent->list, lh); in aa_unpack()
1449 udata->abi = e.version & K_ABI_MASK; in aa_unpack()
1451 udata->hash = aa_calc_hash(udata->data, udata->size); in aa_unpack()
1452 if (IS_ERR(udata->hash)) { in aa_unpack()
1453 error = PTR_ERR(udata->hash); in aa_unpack()
1454 udata->hash = NULL; in aa_unpack()
1472 list_del_init(&ent->list); in aa_unpack()