1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor functions for unpacking policy loaded 6 * from userspace. 7 * 8 * Copyright (C) 1998-2008 Novell/SUSE 9 * Copyright 2009-2022 Canonical Ltd. 10 * 11 * Code to provide backwards compatibility with older policy versions, 12 * by converting/mapping older policy formats into the newer internal 13 * formats. 14 */ 15 16 #include <linux/ctype.h> 17 #include <linux/errno.h> 18 19 #include "include/lib.h" 20 #include "include/policy_unpack.h" 21 #include "include/policy_compat.h" 22 23 /* remap old accept table embedded permissions to separate permission table */ dfa_map_xindex(u16 mask)24 static u32 dfa_map_xindex(u16 mask) 25 { 26 u16 old_index = (mask >> 10) & 0xf; 27 u32 index = 0; 28 29 if (mask & 0x100) 30 index |= AA_X_UNSAFE; 31 if (mask & 0x200) 32 index |= AA_X_INHERIT; 33 if (mask & 0x80) 34 index |= AA_X_UNCONFINED; 35 36 if (old_index == 1) { 37 index |= AA_X_UNCONFINED; 38 } else if (old_index == 2) { 39 index |= AA_X_NAME; 40 } else if (old_index == 3) { 41 index |= AA_X_NAME | AA_X_CHILD; 42 } else if (old_index) { 43 index |= AA_X_TABLE; 44 index |= old_index - 4; 45 } 46 47 return index; 48 } 49 50 /* 51 * map old dfa inline permissions to new format 52 */ 53 #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ 54 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) 55 #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f) 56 #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) 57 #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f) 58 #define dfa_user_xindex(dfa, state) \ 59 (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff)) 60 61 #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \ 62 0x7f) | \ 63 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) 64 #define dfa_other_xbits(dfa, state) \ 65 ((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f) 66 #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f) 67 #define dfa_other_quiet(dfa, state) \ 68 ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f) 69 #define dfa_other_xindex(dfa, state) \ 70 dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff) 71 72 /** 73 * map_old_perms - map old file perms layout to the new layout 74 * @old: permission set in old mapping 75 * 76 * Returns: new permission mapping 77 */ map_old_perms(u32 old)78 static u32 map_old_perms(u32 old) 79 { 80 u32 new = old & 0xf; 81 82 if (old & MAY_READ) 83 new |= AA_MAY_GETATTR | AA_MAY_OPEN; 84 if (old & MAY_WRITE) 85 new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE | 86 AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN; 87 if (old & 0x10) 88 new |= AA_MAY_LINK; 89 /* the old mapping lock and link_subset flags where overlaid 90 * and use was determined by part of a pair that they were in 91 */ 92 if (old & 0x20) 93 new |= AA_MAY_LOCK | AA_LINK_SUBSET; 94 if (old & 0x40) /* AA_EXEC_MMAP */ 95 new |= AA_EXEC_MMAP; 96 97 return new; 98 } 99 compute_fperms_allow(struct aa_perms * perms,struct aa_dfa * dfa,aa_state_t state)100 static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa, 101 aa_state_t state) 102 { 103 perms->allow |= AA_MAY_GETATTR; 104 105 /* change_profile wasn't determined by ownership in old mapping */ 106 if (ACCEPT_TABLE(dfa)[state] & 0x80000000) 107 perms->allow |= AA_MAY_CHANGE_PROFILE; 108 if (ACCEPT_TABLE(dfa)[state] & 0x40000000) 109 perms->allow |= AA_MAY_ONEXEC; 110 } 111 compute_fperms_user(struct aa_dfa * dfa,aa_state_t state)112 static struct aa_perms compute_fperms_user(struct aa_dfa *dfa, 113 aa_state_t state) 114 { 115 struct aa_perms perms = { }; 116 117 perms.allow = map_old_perms(dfa_user_allow(dfa, state)); 118 perms.audit = map_old_perms(dfa_user_audit(dfa, state)); 119 perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); 120 perms.xindex = dfa_user_xindex(dfa, state); 121 122 compute_fperms_allow(&perms, dfa, state); 123 124 return perms; 125 } 126 compute_fperms_other(struct aa_dfa * dfa,aa_state_t state)127 static struct aa_perms compute_fperms_other(struct aa_dfa *dfa, 128 aa_state_t state) 129 { 130 struct aa_perms perms = { }; 131 132 perms.allow = map_old_perms(dfa_other_allow(dfa, state)); 133 perms.audit = map_old_perms(dfa_other_audit(dfa, state)); 134 perms.quiet = map_old_perms(dfa_other_quiet(dfa, state)); 135 perms.xindex = dfa_other_xindex(dfa, state); 136 137 compute_fperms_allow(&perms, dfa, state); 138 139 return perms; 140 } 141 142 /** 143 * compute_fperms - convert dfa compressed perms to internal perms and store 144 * them so they can be retrieved later. 145 * @dfa: a dfa using fperms to remap to internal permissions 146 * 147 * Returns: remapped perm table 148 */ compute_fperms(struct aa_dfa * dfa)149 static struct aa_perms *compute_fperms(struct aa_dfa *dfa) 150 { 151 aa_state_t state; 152 unsigned int state_count; 153 struct aa_perms *table; 154 155 AA_BUG(!dfa); 156 157 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; 158 /* DFAs are restricted from having a state_count of less than 2 */ 159 table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL); 160 if (!table) 161 return NULL; 162 163 for (state = 0; state < state_count; state++) { 164 table[state * 2] = compute_fperms_user(dfa, state); 165 table[state * 2 + 1] = compute_fperms_other(dfa, state); 166 } 167 168 return table; 169 } 170 compute_xmatch_perms(struct aa_dfa * xmatch)171 static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch) 172 { 173 struct aa_perms *perms; 174 int state; 175 int state_count; 176 177 AA_BUG(!xmatch); 178 179 state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen; 180 /* DFAs are restricted from having a state_count of less than 2 */ 181 perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL); 182 183 /* zero init so skip the trap state (state == 0) */ 184 for (state = 1; state < state_count; state++) 185 perms[state].allow = dfa_user_allow(xmatch, state); 186 187 return perms; 188 } 189 map_other(u32 x)190 static u32 map_other(u32 x) 191 { 192 return ((x & 0x3) << 8) | /* SETATTR/GETATTR */ 193 ((x & 0x1c) << 18) | /* ACCEPT/BIND/LISTEN */ 194 ((x & 0x60) << 19); /* SETOPT/GETOPT */ 195 } 196 map_xbits(u32 x)197 static u32 map_xbits(u32 x) 198 { 199 return ((x & 0x1) << 7) | 200 ((x & 0x7e) << 9); 201 } 202 compute_perms_entry(struct aa_dfa * dfa,aa_state_t state,u32 version)203 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa, 204 aa_state_t state, 205 u32 version) 206 { 207 struct aa_perms perms = { }; 208 209 perms.allow = dfa_user_allow(dfa, state); 210 perms.audit = dfa_user_audit(dfa, state); 211 perms.quiet = dfa_user_quiet(dfa, state); 212 213 /* 214 * This mapping is convulated due to history. 215 * v1-v4: only file perms, which are handled by compute_fperms 216 * v5: added policydb which dropped user conditional to gain new 217 * perm bits, but had to map around the xbits because the 218 * userspace compiler was still munging them. 219 * v9: adds using the xbits in policydb because the compiler now 220 * supports treating policydb permission bits different. 221 * Unfortunately there is no way to force auditing on the 222 * perms represented by the xbits 223 */ 224 perms.allow |= map_other(dfa_other_allow(dfa, state)); 225 if (VERSION_LE(version, v8)) 226 perms.allow |= AA_MAY_LOCK; 227 else 228 perms.allow |= map_xbits(dfa_user_xbits(dfa, state)); 229 230 /* 231 * for v5-v9 perm mapping in the policydb, the other set is used 232 * to extend the general perm set 233 */ 234 perms.audit |= map_other(dfa_other_audit(dfa, state)); 235 perms.quiet |= map_other(dfa_other_quiet(dfa, state)); 236 if (VERSION_GT(version, v8)) 237 perms.quiet |= map_xbits(dfa_other_xbits(dfa, state)); 238 239 return perms; 240 } 241 compute_perms(struct aa_dfa * dfa,u32 version)242 static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version) 243 { 244 unsigned int state; 245 unsigned int state_count; 246 struct aa_perms *table; 247 248 AA_BUG(!dfa); 249 250 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; 251 /* DFAs are restricted from having a state_count of less than 2 */ 252 table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL); 253 if (!table) 254 return NULL; 255 256 /* zero init so skip the trap state (state == 0) */ 257 for (state = 1; state < state_count; state++) 258 table[state] = compute_perms_entry(dfa, state, version); 259 260 return table; 261 } 262 263 /** 264 * remap_dfa_accept - remap old dfa accept table to be an index 265 * @dfa: dfa to do the remapping on 266 * @factor: scaling factor for the index conversion. 267 * 268 * Used in conjunction with compute_Xperms, it converts old style perms 269 * that are encoded in the dfa accept tables to the new style where 270 * there is a permission table and the accept table is an index into 271 * the permission table. 272 */ remap_dfa_accept(struct aa_dfa * dfa,unsigned int factor)273 static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor) 274 { 275 unsigned int state; 276 unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; 277 278 AA_BUG(!dfa); 279 280 for (state = 0; state < state_count; state++) 281 ACCEPT_TABLE(dfa)[state] = state * factor; 282 kvfree(dfa->tables[YYTD_ID_ACCEPT2]); 283 dfa->tables[YYTD_ID_ACCEPT2] = NULL; 284 } 285 286 /* TODO: merge different dfa mappings into single map_policy fn */ aa_compat_map_xmatch(struct aa_policydb * policy)287 int aa_compat_map_xmatch(struct aa_policydb *policy) 288 { 289 policy->perms = compute_xmatch_perms(policy->dfa); 290 if (!policy->perms) 291 return -ENOMEM; 292 293 remap_dfa_accept(policy->dfa, 1); 294 295 return 0; 296 } 297 aa_compat_map_policy(struct aa_policydb * policy,u32 version)298 int aa_compat_map_policy(struct aa_policydb *policy, u32 version) 299 { 300 policy->perms = compute_perms(policy->dfa, version); 301 if (!policy->perms) 302 return -ENOMEM; 303 304 remap_dfa_accept(policy->dfa, 1); 305 306 return 0; 307 } 308 aa_compat_map_file(struct aa_policydb * policy)309 int aa_compat_map_file(struct aa_policydb *policy) 310 { 311 policy->perms = compute_fperms(policy->dfa); 312 if (!policy->perms) 313 return -ENOMEM; 314 315 remap_dfa_accept(policy->dfa, 2); 316 317 return 0; 318 } 319