^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* SPDX-License-Identifier: GPL-2.0-only */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * AppArmor security module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * This file contains AppArmor policy dfa matching engine definitions.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Copyright (C) 1998-2008 Novell/SUSE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Copyright 2009-2012 Canonical Ltd.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #ifndef __AA_MATCH_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #define __AA_MATCH_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/kref.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #define DFA_NOMATCH 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #define DFA_START 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * The format used for transition tables is based on the GNU flex table
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * file format (--tables-file option; see Table File Format in the flex
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * info pages and the flex sources for documentation). The magic number
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * new tables have been defined and others YY_ID_CHK (check) and YY_ID_DEF
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * (default) tables are used slightly differently (see the apparmor-parser
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * package).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * The data in the packed dfa is stored in network byte order, and the tables
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) * are arranged for flexibility. We convert the table data to host native
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * byte order.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) * The dfa begins with a table set header, and is followed by the actual
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) * tables.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) #define YYTH_MAGIC 0x1B5E783D
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) #define YYTH_FLAG_DIFF_ENCODE 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) #define YYTH_FLAG_OOB_TRANS 2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) #define YYTH_FLAGS (YYTH_FLAG_DIFF_ENCODE | YYTH_FLAG_OOB_TRANS)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) #define MAX_OOB_SUPPORTED 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) struct table_set_header {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) u32 th_magic; /* YYTH_MAGIC */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) u32 th_hsize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) u32 th_ssize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) u16 th_flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) char th_version[];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) /* The YYTD_ID are one less than flex table mappings. The flex id
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) * has 1 subtracted at table load time, this allows us to directly use the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) * ID's as indexes.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) #define YYTD_ID_ACCEPT 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) #define YYTD_ID_BASE 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) #define YYTD_ID_CHK 2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) #define YYTD_ID_DEF 3
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) #define YYTD_ID_EC 4
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) #define YYTD_ID_META 5
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) #define YYTD_ID_ACCEPT2 6
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) #define YYTD_ID_NXT 7
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) #define YYTD_ID_TSIZE 8
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) #define YYTD_ID_MAX 8
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) #define YYTD_DATA8 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) #define YYTD_DATA16 2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) #define YYTD_DATA32 4
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) #define YYTD_DATA64 8
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) /* ACCEPT & ACCEPT2 tables gets 6 dedicated flags, YYTD_DATAX define the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) * first flags
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) #define ACCEPT1_FLAGS(X) ((X) & 0x3f)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) #define ACCEPT2_FLAGS(X) ACCEPT1_FLAGS((X) >> YYTD_ID_ACCEPT2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) #define TO_ACCEPT1_FLAG(X) ACCEPT1_FLAGS(X)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) #define TO_ACCEPT2_FLAG(X) (ACCEPT1_FLAGS(X) << YYTD_ID_ACCEPT2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) #define DFA_FLAG_VERIFY_STATES 0x1000
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) struct table_header {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) u16 td_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) u16 td_flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) u32 td_hilen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) u32 td_lolen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) char td_data[];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) #define DEFAULT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_DEF]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) #define BASE_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_BASE]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) #define NEXT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_NXT]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) #define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) #define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) #define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) #define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2]->td_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) struct aa_dfa {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) struct kref count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) u16 flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) u32 max_oob;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) struct table_header *tables[YYTD_ID_TSIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) extern struct aa_dfa *nulldfa;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) extern struct aa_dfa *stacksplitdfa;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) #define byte_to_byte(X) (X)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) #define UNPACK_ARRAY(TABLE, BLOB, LEN, TTYPE, BTYPE, NTOHX) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) do { \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) typeof(LEN) __i; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) TTYPE *__t = (TTYPE *) TABLE; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) BTYPE *__b = (BTYPE *) BLOB; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) for (__i = 0; __i < LEN; __i++) { \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) __t[__i] = NTOHX(__b[__i]); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) } \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) } while (0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) static inline size_t table_size(size_t len, size_t el_size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) return ALIGN(sizeof(struct table_header) + len * el_size, 8);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) int aa_setup_dfa_engine(void);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) void aa_teardown_dfa_engine(void);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) const char *str, int len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) const char *str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) const char c);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) unsigned int state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) const char *str, const char **retpos);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) const char *str, int n, const char **retpos);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) void aa_dfa_free_kref(struct kref *kref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) #define WB_HISTORY_SIZE 24
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) struct match_workbuf {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) unsigned int count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) unsigned int pos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) unsigned int len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) unsigned int size; /* power of 2, same as history size */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) unsigned int history[WB_HISTORY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) #define DEFINE_MATCH_WB(N) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) struct match_workbuf N = { \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) .count = 0, \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) .pos = 0, \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) .len = 0, \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) const char *str, unsigned int *count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) * aa_get_dfa - increment refcount on dfa @p
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) * @dfa: dfa (MAYBE NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) * Returns: pointer to @dfa if @dfa is NULL will return NULL
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) * Requires: @dfa must be held with valid refcount when called
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) static inline struct aa_dfa *aa_get_dfa(struct aa_dfa *dfa)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) if (dfa)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) kref_get(&(dfa->count));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) return dfa;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) * aa_put_dfa - put a dfa refcount
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) * @dfa: dfa to put refcount (MAYBE NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) * Requires: if @dfa != NULL that a valid refcount be held
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) static inline void aa_put_dfa(struct aa_dfa *dfa)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) if (dfa)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) kref_put(&dfa->count, aa_dfa_free_kref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) #define MATCH_FLAG_DIFF_ENCODE 0x80000000
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) #define MARK_DIFF_ENCODE 0x40000000
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) #define MATCH_FLAG_OOB_TRANSITION 0x20000000
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) #define MATCH_FLAGS_MASK 0xff000000
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) #define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) #define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) #endif /* __AA_MATCH_H */
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags