1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor functions for unpacking policy loaded
6 * from userspace.
7 *
8 * Copyright (C) 1998-2008 Novell/SUSE
9 * Copyright 2009-2022 Canonical Ltd.
10 *
11 * Code to provide backwards compatibility with older policy versions,
12 * by converting/mapping older policy formats into the newer internal
13 * formats.
14 */
15
16#include <linux/ctype.h>
17#include <linux/errno.h>
18
19#include "include/lib.h"
20#include "include/policy_unpack.h"
21#include "include/policy_compat.h"
22
23/* remap old accept table embedded permissions to separate permission table */
24static u32 dfa_map_xindex(u16 mask)
25{
26 u16 old_index = (mask >> 10) & 0xf;
27 u32 index = 0;
28
29 if (mask & 0x100)
30 index |= AA_X_UNSAFE;
31 if (mask & 0x200)
32 index |= AA_X_INHERIT;
33 if (mask & 0x80)
34 index |= AA_X_UNCONFINED;
35
36 if (old_index == 1) {
37 index |= AA_X_UNCONFINED;
38 } else if (old_index == 2) {
39 index |= AA_X_NAME;
40 } else if (old_index == 3) {
41 index |= AA_X_NAME | AA_X_CHILD;
42 } else if (old_index) {
43 index |= AA_X_TABLE;
44 index |= old_index - 4;
45 }
46
47 return index;
48}
49
50/*
51 * map old dfa inline permissions to new format
52 */
53#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
54 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
55#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
56#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
57#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
58#define dfa_user_xindex(dfa, state) \
59 (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
60
61#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
62 0x7f) | \
63 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
64#define dfa_other_xbits(dfa, state) \
65 ((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
66#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
67#define dfa_other_quiet(dfa, state) \
68 ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
69#define dfa_other_xindex(dfa, state) \
70 dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
71
72/**
73 * map_old_perms - map old file perms layout to the new layout
74 * @old: permission set in old mapping
75 *
76 * Returns: new permission mapping
77 */
78static u32 map_old_perms(u32 old)
79{
80 u32 new = old & 0xf;
81
82 if (old & MAY_READ)
83 new |= AA_MAY_GETATTR | AA_MAY_OPEN;
84 if (old & MAY_WRITE)
85 new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
86 AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
87 if (old & 0x10)
88 new |= AA_MAY_LINK;
89 /* the old mapping lock and link_subset flags where overlaid
90 * and use was determined by part of a pair that they were in
91 */
92 if (old & 0x20)
93 new |= AA_MAY_LOCK | AA_LINK_SUBSET;
94 if (old & 0x40) /* AA_EXEC_MMAP */
95 new |= AA_EXEC_MMAP;
96
97 return new;
98}
99
100static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
101 aa_state_t state)
102{
103 perms->allow |= AA_MAY_GETATTR;
104
105 /* change_profile wasn't determined by ownership in old mapping */
106 if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
107 perms->allow |= AA_MAY_CHANGE_PROFILE;
108 if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
109 perms->allow |= AA_MAY_ONEXEC;
110}
111
112static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
113 aa_state_t state)
114{
115 struct aa_perms perms = { };
116
117 perms.allow = map_old_perms(dfa_user_allow(dfa, state));
118 perms.audit = map_old_perms(dfa_user_audit(dfa, state));
119 perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
120 perms.xindex = dfa_user_xindex(dfa, state);
121
122 compute_fperms_allow(perms: &perms, dfa, state);
123
124 return perms;
125}
126
127static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
128 aa_state_t state)
129{
130 struct aa_perms perms = { };
131
132 perms.allow = map_old_perms(dfa_other_allow(dfa, state));
133 perms.audit = map_old_perms(dfa_other_audit(dfa, state));
134 perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
135 perms.xindex = dfa_other_xindex(dfa, state);
136
137 compute_fperms_allow(perms: &perms, dfa, state);
138
139 return perms;
140}
141
142/**
143 * compute_fperms - convert dfa compressed perms to internal perms and store
144 * them so they can be retrieved later.
145 * @dfa: a dfa using fperms to remap to internal permissions
146 * @size: Returns the permission table size
147 *
148 * Returns: remapped perm table
149 */
150static struct aa_perms *compute_fperms(struct aa_dfa *dfa,
151 u32 *size)
152{
153 aa_state_t state;
154 unsigned int state_count;
155 struct aa_perms *table;
156
157 AA_BUG(!dfa);
158
159 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
160 /* DFAs are restricted from having a state_count of less than 2 */
161 table = kvcalloc(n: state_count * 2, size: sizeof(struct aa_perms), GFP_KERNEL);
162 if (!table)
163 return NULL;
164 *size = state_count * 2;
165
166 for (state = 0; state < state_count; state++) {
167 table[state * 2] = compute_fperms_user(dfa, state);
168 table[state * 2 + 1] = compute_fperms_other(dfa, state);
169 }
170
171 return table;
172}
173
174static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch,
175 u32 *size)
176{
177 struct aa_perms *perms;
178 int state;
179 int state_count;
180
181 AA_BUG(!xmatch);
182
183 state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
184 /* DFAs are restricted from having a state_count of less than 2 */
185 perms = kvcalloc(n: state_count, size: sizeof(struct aa_perms), GFP_KERNEL);
186 if (!perms)
187 return NULL;
188 *size = state_count;
189
190 /* zero init so skip the trap state (state == 0) */
191 for (state = 1; state < state_count; state++)
192 perms[state].allow = dfa_user_allow(xmatch, state);
193
194 return perms;
195}
196
197static u32 map_other(u32 x)
198{
199 return ((x & 0x3) << 8) | /* SETATTR/GETATTR */
200 ((x & 0x1c) << 18) | /* ACCEPT/BIND/LISTEN */
201 ((x & 0x60) << 19); /* SETOPT/GETOPT */
202}
203
204static u32 map_xbits(u32 x)
205{
206 return ((x & 0x1) << 7) |
207 ((x & 0x7e) << 9);
208}
209
210static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
211 aa_state_t state,
212 u32 version)
213{
214 struct aa_perms perms = { };
215
216 perms.allow = dfa_user_allow(dfa, state);
217 perms.audit = dfa_user_audit(dfa, state);
218 perms.quiet = dfa_user_quiet(dfa, state);
219
220 /*
221 * This mapping is convulated due to history.
222 * v1-v4: only file perms, which are handled by compute_fperms
223 * v5: added policydb which dropped user conditional to gain new
224 * perm bits, but had to map around the xbits because the
225 * userspace compiler was still munging them.
226 * v9: adds using the xbits in policydb because the compiler now
227 * supports treating policydb permission bits different.
228 * Unfortunately there is no way to force auditing on the
229 * perms represented by the xbits
230 */
231 perms.allow |= map_other(dfa_other_allow(dfa, state));
232 if (VERSION_LE(version, v8))
233 perms.allow |= AA_MAY_LOCK;
234 else
235 perms.allow |= map_xbits(dfa_user_xbits(dfa, state));
236
237 /*
238 * for v5-v9 perm mapping in the policydb, the other set is used
239 * to extend the general perm set
240 */
241 perms.audit |= map_other(dfa_other_audit(dfa, state));
242 perms.quiet |= map_other(dfa_other_quiet(dfa, state));
243 if (VERSION_GT(version, v8))
244 perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));
245
246 return perms;
247}
248
249static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version,
250 u32 *size)
251{
252 unsigned int state;
253 unsigned int state_count;
254 struct aa_perms *table;
255
256 AA_BUG(!dfa);
257
258 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
259 /* DFAs are restricted from having a state_count of less than 2 */
260 table = kvcalloc(n: state_count, size: sizeof(struct aa_perms), GFP_KERNEL);
261 if (!table)
262 return NULL;
263 *size = state_count;
264
265 /* zero init so skip the trap state (state == 0) */
266 for (state = 1; state < state_count; state++)
267 table[state] = compute_perms_entry(dfa, state, version);
268
269 return table;
270}
271
272/**
273 * remap_dfa_accept - remap old dfa accept table to be an index
274 * @dfa: dfa to do the remapping on
275 * @factor: scaling factor for the index conversion.
276 *
277 * Used in conjunction with compute_Xperms, it converts old style perms
278 * that are encoded in the dfa accept tables to the new style where
279 * there is a permission table and the accept table is an index into
280 * the permission table.
281 */
282static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
283{
284 unsigned int state;
285 unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
286
287 AA_BUG(!dfa);
288
289 for (state = 0; state < state_count; state++)
290 ACCEPT_TABLE(dfa)[state] = state * factor;
291 kvfree(addr: dfa->tables[YYTD_ID_ACCEPT2]);
292 dfa->tables[YYTD_ID_ACCEPT2] = NULL;
293}
294
295/* TODO: merge different dfa mappings into single map_policy fn */
296int aa_compat_map_xmatch(struct aa_policydb *policy)
297{
298 policy->perms = compute_xmatch_perms(xmatch: policy->dfa, size: &policy->size);
299 if (!policy->perms)
300 return -ENOMEM;
301
302 remap_dfa_accept(dfa: policy->dfa, factor: 1);
303
304 return 0;
305}
306
307int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
308{
309 policy->perms = compute_perms(dfa: policy->dfa, version, size: &policy->size);
310 if (!policy->perms)
311 return -ENOMEM;
312
313 remap_dfa_accept(dfa: policy->dfa, factor: 1);
314
315 return 0;
316}
317
318int aa_compat_map_file(struct aa_policydb *policy)
319{
320 policy->perms = compute_fperms(dfa: policy->dfa, size: &policy->size);
321 if (!policy->perms)
322 return -ENOMEM;
323
324 remap_dfa_accept(dfa: policy->dfa, factor: 2);
325
326 return 0;
327}
328

source code of linux/security/apparmor/policy_compat.c