2 * AppArmor security module
4 * This file contains AppArmor dfa based regular expression matching engine
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2012 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/errno.h>
16 #include <linux/kernel.h>
18 #include <linux/slab.h>
19 #include <linux/vmalloc.h>
20 #include <linux/err.h>
21 #include <linux/kref.h>
23 #include "include/lib.h"
24 #include "include/match.h"
26 #define base_idx(X) ((X) & 0xffffff)
28 static char nulldfa_src[] = {
31 struct aa_dfa *nulldfa;
33 int aa_setup_dfa_engine(void)
37 nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
38 TO_ACCEPT1_FLAG(YYTD_DATA32) |
39 TO_ACCEPT2_FLAG(YYTD_DATA32));
43 error = PTR_ERR(nulldfa);
49 void aa_teardown_dfa_engine(void)
56 * unpack_table - unpack a dfa table (one of accept, default, base, next check)
57 * @blob: data to unpack (NOT NULL)
58 * @bsize: size of blob
60 * Returns: pointer to table else NULL on failure
62 * NOTE: must be freed by kvfree (not kfree)
64 static struct table_header *unpack_table(char *blob, size_t bsize)
66 struct table_header *table = NULL;
67 struct table_header th;
70 if (bsize < sizeof(struct table_header))
73 /* loaded td_id's start at 1, subtract 1 now to avoid doing
74 * it every time we use td_id as an index
76 th.td_id = be16_to_cpu(*(__be16 *) (blob)) - 1;
77 if (th.td_id > YYTD_ID_MAX)
79 th.td_flags = be16_to_cpu(*(__be16 *) (blob + 2));
80 th.td_lolen = be32_to_cpu(*(__be32 *) (blob + 8));
81 blob += sizeof(struct table_header);
83 if (!(th.td_flags == YYTD_DATA16 || th.td_flags == YYTD_DATA32 ||
84 th.td_flags == YYTD_DATA8))
87 tsize = table_size(th.td_lolen, th.td_flags);
91 table = kvzalloc(tsize, GFP_KERNEL);
93 table->td_id = th.td_id;
94 table->td_flags = th.td_flags;
95 table->td_lolen = th.td_lolen;
96 if (th.td_flags == YYTD_DATA8)
97 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
98 u8, u8, byte_to_byte);
99 else if (th.td_flags == YYTD_DATA16)
100 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
101 u16, __be16, be16_to_cpu);
102 else if (th.td_flags == YYTD_DATA32)
103 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
104 u32, __be32, be32_to_cpu);
107 /* if table was vmalloced make sure the page tables are synced
108 * before it is used, as it goes live to all cpus.
110 if (is_vmalloc_addr(table))
122 * verify_dfa - verify that transitions and states in the tables are in bounds.
123 * @dfa: dfa to test (NOT NULL)
124 * @flags: flags controlling what type of accept table are acceptable
126 * Assumes dfa has gone through the first pass verification done by unpacking
127 * NOTE: this does not valid accept table values
129 * Returns: %0 else error code on failure to verify
131 static int verify_dfa(struct aa_dfa *dfa, int flags)
133 size_t i, state_count, trans_count;
136 /* check that required tables exist */
137 if (!(dfa->tables[YYTD_ID_DEF] &&
138 dfa->tables[YYTD_ID_BASE] &&
139 dfa->tables[YYTD_ID_NXT] && dfa->tables[YYTD_ID_CHK]))
142 /* accept.size == default.size == base.size */
143 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
144 if (ACCEPT1_FLAGS(flags)) {
145 if (!dfa->tables[YYTD_ID_ACCEPT])
147 if (state_count != dfa->tables[YYTD_ID_ACCEPT]->td_lolen)
150 if (ACCEPT2_FLAGS(flags)) {
151 if (!dfa->tables[YYTD_ID_ACCEPT2])
153 if (state_count != dfa->tables[YYTD_ID_ACCEPT2]->td_lolen)
156 if (state_count != dfa->tables[YYTD_ID_DEF]->td_lolen)
159 /* next.size == chk.size */
160 trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
161 if (trans_count != dfa->tables[YYTD_ID_CHK]->td_lolen)
164 /* if equivalence classes then its table size must be 256 */
165 if (dfa->tables[YYTD_ID_EC] &&
166 dfa->tables[YYTD_ID_EC]->td_lolen != 256)
169 if (flags & DFA_FLAG_VERIFY_STATES) {
170 for (i = 0; i < state_count; i++) {
171 if (DEFAULT_TABLE(dfa)[i] >= state_count)
173 if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
174 printk(KERN_ERR "AppArmor DFA next/check upper "
180 for (i = 0; i < trans_count; i++) {
181 if (NEXT_TABLE(dfa)[i] >= state_count)
183 if (CHECK_TABLE(dfa)[i] >= state_count)
194 * dfa_free - free a dfa allocated by aa_dfa_unpack
195 * @dfa: the dfa to free (MAYBE NULL)
197 * Requires: reference count to dfa == 0
199 static void dfa_free(struct aa_dfa *dfa)
204 for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
205 kvfree(dfa->tables[i]);
206 dfa->tables[i] = NULL;
213 * aa_dfa_free_kref - free aa_dfa by kref (called by aa_put_dfa)
214 * @kr: kref callback for freeing of a dfa (NOT NULL)
216 void aa_dfa_free_kref(struct kref *kref)
218 struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count);
223 * aa_dfa_unpack - unpack the binary tables of a serialized dfa
224 * @blob: aligned serialized stream of data to unpack (NOT NULL)
225 * @size: size of data to unpack
226 * @flags: flags controlling what type of accept tables are acceptable
228 * Unpack a dfa that has been serialized. To find information on the dfa
229 * format look in Documentation/admin-guide/LSM/apparmor.rst
230 * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
232 * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
234 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
239 struct table_header *table = NULL;
240 struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
244 kref_init(&dfa->count);
248 /* get dfa table set header */
249 if (size < sizeof(struct table_set_header))
252 if (ntohl(*(__be32 *) data) != YYTH_MAGIC)
255 hsize = ntohl(*(__be32 *) (data + 4));
259 dfa->flags = ntohs(*(__be16 *) (data + 12));
264 table = unpack_table(data, size);
268 switch (table->td_id) {
270 if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
273 case YYTD_ID_ACCEPT2:
274 if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
278 if (table->td_flags != YYTD_DATA32)
284 if (table->td_flags != YYTD_DATA16)
288 if (table->td_flags != YYTD_DATA8)
294 /* check for duplicate table entry */
295 if (dfa->tables[table->td_id])
297 dfa->tables[table->td_id] = table;
298 data += table_size(table->td_lolen, table->td_flags);
299 size -= table_size(table->td_lolen, table->td_flags);
303 error = verify_dfa(dfa, flags);
312 return ERR_PTR(error);
316 * aa_dfa_match_len - traverse @dfa to find state @str stops at
317 * @dfa: the dfa to match @str against (NOT NULL)
318 * @start: the state of the dfa to start matching in
319 * @str: the string of bytes to match against the dfa (NOT NULL)
320 * @len: length of the string of bytes to match
322 * aa_dfa_match_len will match @str against the dfa and return the state it
323 * finished matching in. The final state can be used to look up the accepting
324 * label, or as the start state of a continuing match.
326 * This function will happily match again the 0 byte and only finishes
327 * when @len input is consumed.
329 * Returns: final state reached after input is consumed
331 unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
332 const char *str, int len)
334 u16 *def = DEFAULT_TABLE(dfa);
335 u32 *base = BASE_TABLE(dfa);
336 u16 *next = NEXT_TABLE(dfa);
337 u16 *check = CHECK_TABLE(dfa);
338 unsigned int state = start, pos;
343 /* current state is <state>, matching character *str */
344 if (dfa->tables[YYTD_ID_EC]) {
345 /* Equivalence class table defined */
346 u8 *equiv = EQUIV_TABLE(dfa);
347 /* default is direct to next state */
349 pos = base_idx(base[state]) + equiv[(u8) *str++];
350 if (check[pos] == state)
356 /* default is direct to next state */
358 pos = base_idx(base[state]) + (u8) *str++;
359 if (check[pos] == state)
370 * aa_dfa_match - traverse @dfa to find state @str stops at
371 * @dfa: the dfa to match @str against (NOT NULL)
372 * @start: the state of the dfa to start matching in
373 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
375 * aa_dfa_match will match @str against the dfa and return the state it
376 * finished matching in. The final state can be used to look up the accepting
377 * label, or as the start state of a continuing match.
379 * Returns: final state reached after input is consumed
381 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
384 u16 *def = DEFAULT_TABLE(dfa);
385 u32 *base = BASE_TABLE(dfa);
386 u16 *next = NEXT_TABLE(dfa);
387 u16 *check = CHECK_TABLE(dfa);
388 unsigned int state = start, pos;
393 /* current state is <state>, matching character *str */
394 if (dfa->tables[YYTD_ID_EC]) {
395 /* Equivalence class table defined */
396 u8 *equiv = EQUIV_TABLE(dfa);
397 /* default is direct to next state */
399 pos = base_idx(base[state]) + equiv[(u8) *str++];
400 if (check[pos] == state)
406 /* default is direct to next state */
408 pos = base_idx(base[state]) + (u8) *str++;
409 if (check[pos] == state)
420 * aa_dfa_next - step one character to the next state in the dfa
421 * @dfa: the dfa to tranverse (NOT NULL)
422 * @state: the state to start in
423 * @c: the input character to transition on
425 * aa_dfa_match will step through the dfa by one input character @c
427 * Returns: state reach after input @c
429 unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
432 u16 *def = DEFAULT_TABLE(dfa);
433 u32 *base = BASE_TABLE(dfa);
434 u16 *next = NEXT_TABLE(dfa);
435 u16 *check = CHECK_TABLE(dfa);
438 /* current state is <state>, matching character *str */
439 if (dfa->tables[YYTD_ID_EC]) {
440 /* Equivalence class table defined */
441 u8 *equiv = EQUIV_TABLE(dfa);
442 /* default is direct to next state */
444 pos = base_idx(base[state]) + equiv[(u8) c];
445 if (check[pos] == state)
450 /* default is direct to next state */
451 pos = base_idx(base[state]) + (u8) c;
452 if (check[pos] == state)
git.samba.org / sfrench / cifs-2.6.git / blob