linux/security/apparmor/policy_unpack.c
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor functions for unpacking policy loaded from
   5 * userspace.
   6 *
   7 * Copyright (C) 1998-2008 Novell/SUSE
   8 * Copyright 2009-2010 Canonical Ltd.
   9 *
  10 * This program is free software; you can redistribute it and/or
  11 * modify it under the terms of the GNU General Public License as
  12 * published by the Free Software Foundation, version 2 of the
  13 * License.
  14 *
  15 * AppArmor uses a serialized binary format for loading policy. To find
  16 * policy format documentation look in Documentation/security/apparmor.txt
  17 * All policy is validated before it is used.
  18 */
  19
  20#include <asm/unaligned.h>
  21#include <linux/ctype.h>
  22#include <linux/errno.h>
  23
  24#include "include/apparmor.h"
  25#include "include/audit.h"
  26#include "include/context.h"
  27#include "include/match.h"
  28#include "include/policy.h"
  29#include "include/policy_unpack.h"
  30#include "include/sid.h"
  31
  32/*
  33 * The AppArmor interface treats data as a type byte followed by the
  34 * actual data.  The interface has the notion of a named entry
  35 * which has a name (AA_NAME typecode followed by name string) followed by
  36 * the entries typecode and data.  Named types allow for optional
  37 * elements and extensions to be added and tested for without breaking
  38 * backwards compatibility.
  39 */
  40
/*
 * Type codes that prefix every item in the serialized policy stream
 * (a type byte followed by the payload, see the comment above).  The
 * enumerators are consecutive values starting at 0 for AA_U8, and those
 * numeric values are what the loader reads from userspace-supplied data:
 * the order here is part of the wire format, so only append new codes.
 */
enum aa_code {
	AA_U8,			/* integer payloads; the name gives the width */
	AA_U16,
	AA_U32,
	AA_U64,
	AA_NAME,		/* same as string except it is items name */
	AA_STRING,
	AA_BLOB,
	AA_STRUCT,		/* container codes; each opener appears to pair with
				 * its ...END counterpart below */
	AA_STRUCTEND,
	AA_LIST,
	AA_LISTEND,
	AA_ARRAY,
	AA_ARRAYEND,
};
  56
/*
 * aa_ext is the read of the buffer containing the serialized profile.  The
 * data is copied into a kernel buffer in apparmorfs and then handed off to
 * the unpack routines.
 *
 * @start and @end bound that kernel copy; @pos is advanced as items are
 * consumed.  Audit records report the failure location as pos - start
 * (see audit_iface()), so the offset is relative to the supplied blob.
 * @version is assumed to be the policy format version taken from the
 * stream -- confirm against the unpack code that fills it.
 */
struct aa_ext {
	void *start;		/* first byte of the buffer */
	void *end;		/* one past the last byte; bounds checks use this */
	void *pos;		/* pointer to current position in the buffer */
	u32 version;
};
  68
/*
 * audit_cb - append the unpack-specific fields to an audit record
 * @ab: audit buffer the record is being built in
 * @va: struct common_audit_data whose ->aad carries the iface fields
 *
 * Emits " name=<hname>" when a target profile was recorded and
 * " offset=<pos>" when a buffer position was recorded.  The name is
 * written through the untrusted-string logger rather than a plain
 * format, as it comes from policy loaded from userspace.
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *data = va;
	struct aa_profile *target = data->aad->iface.target;
	long offset = data->aad->iface.pos;

	if (target) {
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, target->base.hname);
	}

	if (offset)
		audit_log_format(ab, " offset=%ld", offset);
}
  81
  82/**
  83 * audit_iface - do audit message for policy unpacking/load/replace/remove
  84 * @new: profile if it has been allocated (MAYBE NULL)
  85 * @name: name of the profile being manipulated (MAYBE NULL)
  86 * @info: any extra info about the failure (MAYBE NULL)
  87 * @e: buffer position info
  88 * @error: error code
  89 *
  90 * Returns: %0 or error
  91 */
  92static int audit_iface(struct aa_profile *new, const char *name,
  93                       const char *info, struct aa_ext *e, int error)
  94{
  95        struct aa_profile *profile = __aa_current_profile();
  96        struct common_audit_data sa;
  97        struct apparmor_audit_data aad = {0,};
  98        sa.type = LSM_AUDIT_DATA_NONE;
  99        sa.aad = &aad;
 100        if (e)
 101                aad.iface.pos = e->pos - e->start;
 102        aad.iface.target = new;
 103        aad.name = name;
 104        aad.info = info;
 105        aad.error = error;
 106
 107        e" class="sref">name = 1 v2.6.16.36
  
  
  
  
  
  
  
  
  
" id="L18"" class="line" name="L18"">  11 * unpacking/load/replace/remove
lude/asm--alpha/unaligned.h|includde/as11 class="line" name="L60">  60 */
audit_iface(urity/apparmor/policy_unpack.c#L88" id="L88" class="1uicy_unpackk.c#L13" id="L13" class=""lin12 name="L13">  13
class="comne"  atclass="omment"> chunknpack.c#L19" id="L19" class="line" name="L19">  19y/apparmo1r/include/apparmor.h" cl1ass="12class="line" name="L84">  84audit_buf1/apparmor1/policy_unpack.c#L25" id1="L251 classw, L77">  77  "ize_>.audit>u16_chunk.  94{
  94{
iface.profile =1pparmor/p1olicy_unpack.c#L27" id="1L27" 12="line" name="L67">  67}"ize_>.  81
  81
!lass="sref">sa  94{
  94{
,
iface.  81
  94{
linux/ct.  94{
,
 102        aa id="L81" class="line" namme="L81">  81
  24#include "!lass="sref">sae.  94{
,
aa_ext *, 
  94{
->start;

error;
e.
pcy_unpack1.c#L3127;ld",   8breaking


  84  141enum new, L77">  77parmor_auditXaudit>u16_chunk.  42          94{
,
common_audit_1armor/pol1icy_unpack.c#L43" id="L413" cl142po1m
!lass="sref">sa  94{
,
aa_ext *,   94{
,
 102        e  94{
,
 *, /* same as st1ring 1xcept it is items name */,
 102          8rmor/policy_unpack.c#L481" id=14
  
  
  1cy_unpack1.c#L3127;ld",   11 * unpacking/apparmor1/policy_unpack.c#L52" id1="L5215parmor/policy_unpack.c#L12" idr_auditL52"X - class" id="L5nL59"8" id="" id  @i>  11 * unpacking/rmor/pol1parmor/policy_unpack.c#L153" i15s="1uicy_unpackk.c#L13" id="L1.h|includde/as11 clalass=tnt"> =sa"mmenef="sec@chunkanaifacrds respan>
 *
 * @e: buffer position info
1  56
/15icy_unpack.c#L87" id="L87" claclass"thappnto nL59"ncludde/as11 clal" id="" id  @i>1 58 * backwards compatibility.
ne" ncode"l" id=""e=ine" * backwards compatibility.
  38onlline" ="line" ne=ine" n
class="comne"  atclass="omment"> chunknpack.c#rmor/poli1cy_unpack.c#L61" id="L611" cla1s="line" name="L61">  61
class="comne"  atclass="omment"> chunknpack.c#rapparmor1"L62" class="line" name=1"L62"1  62struct  >  38="lint/a>s t;
class="comne"  atclass="omment"> chunknpack.c#rrmor/pol1olicy_unpack.c#L63" id="1L63" 16s="1uicy_unpackk.c#L13" id="L1rity/ idadvanclassasppnto rityer * published by the Free Software Foundation, version ty/apparm1or/policy_unpack.c#L64" 1id="L16/a> * This file contains AppArmor functions for unpacking p1pparmor/p1olicy_unpack.c#L65" id="1L65" 16cy_unpack.c#L85" id="L85" clas3" class=0a=icei clr t;< t"> * @new: profile if it has been allocated (MAYBE NULL1class="co1mment">/* pointer to cur1rent 16r/policy_unpack.c#L86" id="L8mor.h" cl1ass="12class="line" name="L84">  84version;
new, L77">  77parmor_auditL52"Xaudit>u16_chunk.  42          93                       const eofr4">  94{
,
1  68
common_audit_1="L69">  169/16T_DATA_NONE" c * aa_ext is the read of the buffer containing the se1="securit1y/apparmor/policy_unpack1.c#L71" id="L70" class="line" namea * a=ic="linersp>
a17="line" name="L61">  61< *  84 1 72        struct 
start;
sa =  * aa_ext is the read of the buffer containing the se1class="sr1ef">aad-> *  *17cy_unpack.c#L85" id="L85" cl * chunknpack.c#mat(<1a href="+code=ab" class=1"sref17r/policy_unpack.c#L86" id="L *  84 101     r_auditXcode=ize_>parmor_auditXaudit"sref">sae
aa_profile  78        i1f (  93  eaghref="security/ta * /p/a>->href="security/nt">/polcy_unpack1.c#L3127;ld",   1ef">aad->  67}"ize_>.  77  "ize_>.audit"sref">sa(<1a href="+code=ab" class=1"sref1>ab,   84 1 81
 101     4" id="L104" class="line" nak.c#Lk.c#Lcy_unpack.c#L29" iize_>.  67}"itrcmp>.sa  67}"eaghref="security/ta * /p4aeofr4">  94{
,
  182/18e=pos" class="sref">pppppppppgo o L67">  67}"an chref="security/an c/polcy_unpack1.c#L3127;ld", sa =  101     4" id="L104" class="line" nref="+code=aa_profile" class="sref">aa_profile
aa_ext *
  84  67}"an chref="security/an c/polcy_unpack1.c#L3127;ld", (<1span>
 = 1/policy_unpack.c#L17" id=="L1711n valapparmor/1policy_unpack.c#L88" id=1"L88"1848" class="lin>
 >t;iface.parmor_auditXaudit"sref">sae  94{
,
18e=pomlude/asm-y/apparmor/pol1cy_unpack1.c#L3127;ld",   67}"an chref="security/an c/pol:olicy_unppack.c#L11" id="L11" classs="l11ty/ap#L83" id=1+code=aa_profile" class=1"sref19" class="sref">target = ,
 102          77  "ef="security/apparmor/polcy_unpack1.c#L3127;ld", , struc1t aa_extmor/policy_unpack1.c#L3127;ld",  1 95        struct 1profi1e rmor/pollicy_unpack.c#L16" id="L116" c1ass="l=r)1new, L77">  77u16_chunk., L77">  77  93                       const eofr4">  94{
,
common_audit_1sref">typ1e = iface.parmor_auditL52"Xaudit"sref">sae        104        aa_profileaad<1/a> = &!lass="sref">sa  94{
  94{
,
aa_extmor/policy_unpack1.c#L3127;ld", iface.p"sref">iface.  94{
,
sa  94{
linux/ct.  94{
,
 102        aa id="L81" class="line" namm2ss="sref"2name = aa_ext *target = ,
 102        aa id="L81" class="line" namm2s4="sref"2n95        struct  = error =  107        e" cla2s="sr20> =1pparmor/pion>
  icy_unpack1.c#L3127;ld",  2anew, L77">  77audit>u16_chunk, L77">  77  93                       const eofr4">  94{
,
  82aa_profileiface.parmor_auditL52"Xaudit"sref">sae        104        aa_profileaudi21" class="srefffffffff=icy_unpack.c#L29" id="L219" cl12os" class="sref">!lass="sref">sa  94{
  94{
,
iface.aa_ext *pr2file<21me = iface.  94{
,
  21
 *sa  94{
linux/ct.  94{
,
 102        aa id="L81" class="line" namm2"L82">  82ab,  102        aa id="L81" class="line" namm2"7me="L1026.35"
	  >
  v2.6.16.35<2optio21ref="+code=saaaaaaaaamor/pol1cy_unpack1.c#L3127;ld", 

  icy_unpack1.c#L3127;ld", 
  77  "ize_>.parmor_auditarrayaudit>u16_chunk.  93                       const eofr4">  94{
,
  22e=po>  14< *<
iface.parmor_auditL52"Xaudit"sref">sae/a>         104        aa_profileiface. *  94ize_>.pr2file<22=ab" class="sref">ab<=icy_unpack.c#L29" id="L219" cl12os" class="sref">!lass="sref">sa  94{
  94{
,
  21

  icy_unpack1.c#L3127;ld", 
.  94{
linux/ct.  94{
,
 102        aa id="L81" span>, iface.,
 102          24#include "  21

  
    21
 =1
  77  "ize_>.e-ize_>.u16_chunk.  94{
e-blosaudi" line" name="L93">  93                       const eofr4">  94{
,

aa_profile  2breaking
iface.parmor_auditL52"Xaudit"sref">saeBLOB       104        aa_profile.!lass="sref">sa  94{
  94{
,
  241enum aa_extmor/policy_unpack1.c#L3127;ld", pos = sa  94{
linux/ct.  94{
,
 102        aa id="L81" span>,  102        aa id="L81" class="line" namm2pparmor/p2olicy_unpack.c#L44" id="2L44" 24"sref">aa_ext *iface.!lass="sref">sa * AppArmor  L25" id1="L251 classw,  hrr4">  94{
ize_>.aa_profile =   94{
e-blosaudi/a>->start;
 *target = ,
 102        pcy_unpack1.c#L3127;ld", /* same as st2ring 24=ab" class="sref">ab<">aa_extmor/pol
    2rmor/policy_unpack.c#L482" id=24ref="+code=saaaaaaaaaolicy_unpack.c#L82" id="L82" class="line" name2ppparmor/2/policy_unpack.c#L49" id2="L4924iface" class=armor/pollicy_unpack.c#L16" id="L116" c1ass="l2rity/appa2rmor/policy_unpack.c#L502" id=24e=pomlude/asmion>
  icy_unpack1.c#L3127;ld",  *audit>u16_chunk  93                       const eofr4">  94{
,
 *<
 =   93  srct>u1code=ize_>parmosrct>u1e_>pcy_unpack1.c#L3127;ld", 2  56
error;
<#L27" id="1L27" 12="line" name="L67">  67}"ize_>./25=ab" class="s buffer */
start;
25ref="+code=sarity/apparmor/poaad.href="security/nt">/polcy_unpack1.c#L3127;ld", 
iface.parmor_auditL52"Xaudit"sref">saeSTRING       104        aa_profile
, parm77">  77  "ize_>.audit"sref">sau1code=ize_>parmosrct>u1e_>p4ad" class="sref">aa id="L81" class="line" namm2rmor/poli2cy_unpack.c#L61" id="L612" cla260b,  101     ize_>.aa_profilepppppppppn>
 101     irct>u1code=ize_>parmosrct>u1e_>p[/a>, pa- 1] !IS0eofr4">  94{
,
aa_ext *  67}"an chref="security/an c/polcy_unpack1.c#L3127;ld",  =   94{
.u1code=ize_>parmosrct>u1e_>pcy_unpack1.c#L3127;ld", /* pointer to cur2rent 26ass="line" na *version;

  
    269/26audit callback for unpack fields */
  67}"an chref="security/an c/pol:olicy_unppack.c#L11" id="L11" classs="l11ty/a2amor/poli2=audit_buffer" class="sr2ef">a27/po1policy_un1pack.c#L31" id,
 102          77  "ef="security/apparmor/polcy_unpack1.c#L3127;ld",  2 72        struct 
  icy_unpack1.c#L3127;ld",  2*saaad->27buf1/apparmoa> *u1dupaudit>u16_chunk.  94{
.  93                       const eofr4">  94{
,
(  93  tmp>.  78        i2f (
start;
  2ef">aad-> *parm77">  77  "ize_>.<>u1code=ize_>parmor_audit>u1audit"sref">sa. 104        ab, .href="security/nt">/polcy_unpack1.c#L3127;ld",  2 81
  282/28e=pos" class="sre_unpack.c#L29" ire="security/apparre=e_>peofr4">  94{
,
->sa. 104pcy_unpack.c#LL96" class="line" name="L96">  96policy_unp)cy_unpack1.c#L3127;ld", (<2span>
.aa_profile2
ab,  102          77  "ef="security/apparmor/polcy_unpack1.c#L3127;ld", ,   2_unpack.c#L89" id="L89" 2class28iface" class=armor/pollicy_unpack.c#L16" id="L116" c1ass="l2=at(<2L90" class="line" name="2L90">28big=include/asm-alpha/unaligned.h|include/asm-arm/2apparmor/2policy_unpack.c#L91" id=2"L91"29/po1policy_union>
  
  