apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table. Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2023-04-28 05:32:52 -0700
committer: John Johansen <john.johansen@canonical.com> 2023-10-18 15:30:47 -0700
commit: 98b824ff8984fd523fc264fbb13208098ab09da3 (patch)
tree: 35f60b9788d10a556442d1ad5c5bfe4c4a26252d /security/apparmor/policy_unpack.c
parent: 75c77e9e0713fddbe99a21a036aa6482402f9e34 (diff)
1 files changed, 48 insertions, 60 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 1eb98d6994e8..3fad34b68fdc 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -703,24 +703,29 @@ fail_reset:
 	return -EPROTO;
 }
 
-static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy,
+static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
 		      bool required_dfa, bool required_trans,
 		      const char **info)
 {
+	struct aa_policydb *pdb;
 	void *pos = e->pos;
 	int i, flags, error = -EPROTO;
 	ssize_t size;
 
-	size = unpack_perms_table(e, &policy->perms);
+	pdb = aa_alloc_pdb(GFP_KERNEL);
+	if (!pdb)
+		return -ENOMEM;
+
+	size = unpack_perms_table(e, &pdb->perms);
 	if (size < 0) {
 		error = size;
-		policy->perms = NULL;
+		pdb->perms = NULL;
 		*info = "failed to unpack - perms";
 		goto fail;
 	}
-	policy->size = size;
+	pdb->size = size;
 
-	if (policy->perms) {
+	if (pdb->perms) {
 		/* perms table present accept is index */
 		flags = TO_ACCEPT1_FLAG(YYTD_DATA32);
 	} else {
@@ -729,13 +734,13 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy,
 			TO_ACCEPT2_FLAG(YYTD_DATA32);
 	}
 
-	policy->dfa = unpack_dfa(e, flags);
-	if (IS_ERR(policy->dfa)) {
-		error = PTR_ERR(policy->dfa);
-		policy->dfa = NULL;
+	pdb->dfa = unpack_dfa(e, flags);
+	if (IS_ERR(pdb->dfa)) {
+		error = PTR_ERR(pdb->dfa);
+		pdb->dfa = NULL;
 		*info = "failed to unpack - dfa";
 		goto fail;
-	} else if (!policy->dfa) {
+	} else if (!pdb->dfa) {
 		if (required_dfa) {
 			*info = "missing required dfa";
 			goto fail;
@@ -749,18 +754,18 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy,
 	 * sadly start was given different names for file and policydb
 	 * but since it is optional we can try both
 	 */
-	if (!aa_unpack_u32(e, &policy->start[0], "start"))
+	if (!aa_unpack_u32(e, &pdb->start[0], "start"))
 		/* default start state */
-		policy->start[0] = DFA_START;
-	if (!aa_unpack_u32(e, &policy->start[AA_CLASS_FILE], "dfa_start")) {
+		pdb->start[0] = DFA_START;
+	if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
 		/* default start state for xmatch and file dfa */
-		policy->start[AA_CLASS_FILE] = DFA_START;
+		pdb->start[AA_CLASS_FILE] = DFA_START;
 	}	/* setup class index */
 	for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
-		policy->start[i] = aa_dfa_next(policy->dfa, policy->start[0],
+		pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
 					       i);
 	}
-	if (!unpack_trans_table(e, &policy->trans) && required_trans) {
+	if (!unpack_trans_table(e, &pdb->trans) && required_trans) {
 		*info = "failed to unpack profile transition table";
 		goto fail;
 	}
@@ -768,9 +773,11 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy,
 	/* TODO: move compat mapping here, requires dfa merging first */
 	/* TODO: move verify here, it has to be done after compat mappings */
 out:
+	*policy = pdb;
 	return 0;
 
 fail:
+	aa_put_pdb(pdb);
 	e->pos = pos;
 	return error;
 }
@@ -854,15 +861,15 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	}
 
 	/* neither xmatch_len not xmatch_perms are optional if xmatch is set */
-	if (profile->attach.xmatch.dfa) {
+	if (profile->attach.xmatch->dfa) {
 		if (!aa_unpack_u32(e, &tmp, NULL)) {
 			info = "missing xmatch len";
 			goto fail;
 		}
 		profile->attach.xmatch_len = tmp;
-		profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
-		if (!profile->attach.xmatch.perms) {
-			error = aa_compat_map_xmatch(&profile->attach.xmatch);
+		profile->attach.xmatch->start[AA_CLASS_XMATCH] = DFA_START;
+		if (!profile->attach.xmatch->perms) {
+			error = aa_compat_map_xmatch(profile->attach.xmatch);
 			if (error) {
 				info = "failed to convert xmatch permission table";
 				goto fail;
@@ -979,16 +986,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		if (error)
 			goto fail;
 		/* Fixup: drop when we get rid of start array */
-		if (aa_dfa_next(rules->policy.dfa, rules->policy.start[0],
+		if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0],
 				AA_CLASS_FILE))
-			rules->policy.start[AA_CLASS_FILE] =
-			  aa_dfa_next(rules->policy.dfa,
-				      rules->policy.start[0],
+			rules->policy->start[AA_CLASS_FILE] =
+			  aa_dfa_next(rules->policy->dfa,
+				      rules->policy->start[0],
 				      AA_CLASS_FILE);
 		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
 			goto fail;
-		if (!rules->policy.perms) {
-			error = aa_compat_map_policy(&rules->policy,
+		if (!rules->policy->perms) {
+			error = aa_compat_map_policy(rules->policy,
 						     e->version);
 			if (error) {
 				info = "failed to remap policydb permission table";
@@ -996,44 +1003,25 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 			}
 		}
 	} else {
-		rules->policy.dfa = aa_get_dfa(nulldfa);
-		rules->policy.perms = kcalloc(2, sizeof(struct aa_perms),
-					      GFP_KERNEL);
-		if (!rules->policy.perms)
-			goto fail;
-		rules->policy.size = 2;
+		rules->policy = aa_get_pdb(nullpdb);
 	}
 	/* get file rules */
 	error = unpack_pdb(e, &rules->file, false, true, &info);
 	if (error) {
 		goto fail;
-	} else if (rules->file.dfa) {
-		if (!rules->file.perms) {
-			error = aa_compat_map_file(&rules->file);
+	} else if (rules->file->dfa) {
+		if (!rules->file->perms) {
+			error = aa_compat_map_file(rules->file);
 			if (error) {
 				info = "failed to remap file permission table";
 				goto fail;
 			}
 		}
-	} else if (rules->policy.dfa &&
-		   rules->policy.start[AA_CLASS_FILE]) {
-		rules->file.dfa = aa_get_dfa(rules->policy.dfa);
-		rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
-		rules->file.perms = kcalloc(rules->policy.size,
-					    sizeof(struct aa_perms),
-					    GFP_KERNEL);
-		if (!rules->file.perms)
-			goto fail;
-		memcpy(rules->file.perms, rules->policy.perms,
-		       rules->policy.size * sizeof(struct aa_perms));
-		rules->file.size = rules->policy.size;
+	} else if (rules->policy->dfa &&
+		   rules->policy->start[AA_CLASS_FILE]) {
+		rules->file = aa_get_pdb(rules->policy);
 	} else {
-		rules->file.dfa = aa_get_dfa(nulldfa);
-		rules->file.perms = kcalloc(2, sizeof(struct aa_perms),
-					    GFP_KERNEL);
-		if (!rules->file.perms)
-			goto fail;
-		rules->file.size = 2;
+		rules->file = aa_get_pdb(nullpdb);
 	}
 	error = -EPROTO;
 	if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
@@ -1240,32 +1228,32 @@ static int verify_profile(struct aa_profile *profile)
 	if (!rules)
 		return 0;
 
-	if (rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
-							rules->file.size)) {
+	if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa,
+							rules->file->size)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: file Invalid named transition", NULL,
 			    -EPROTO);
 		return -EPROTO;
 	}
-	if (rules->policy.dfa &&
-	    !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size)) {
+	if (rules->policy->dfa &&
+	    !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: policy Invalid named transition", NULL,
 			    -EPROTO);
 		return -EPROTO;
 	}
 
-	if (!verify_perms(&rules->file)) {
+	if (!verify_perms(rules->file)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: Invalid perm index", NULL, -EPROTO);
 		return -EPROTO;
 	}
-	if (!verify_perms(&rules->policy)) {
+	if (!verify_perms(rules->policy)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: Invalid perm index", NULL, -EPROTO);
 		return -EPROTO;
 	}
-	if (!verify_perms(&profile->attach.xmatch)) {
+	if (!verify_perms(profile->attach.xmatch)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: Invalid perm index", NULL, -EPROTO);
 		return -EPROTO;
author	John Johansen <john.johansen@canonical.com>	2023-04-28 05:32:52 -0700
committer	John Johansen <john.johansen@canonical.com>	2023-10-18 15:30:47 -0700
commit	98b824ff8984fd523fc264fbb13208098ab09da3 (patch)
tree	35f60b9788d10a556442d1ad5c5bfe4c4a26252d /security/apparmor/policy_unpack.c
parent	75c77e9e0713fddbe99a21a036aa6482402f9e34 (diff)