1 // SPDX-License-Identifier: GPL-2.0-only
3 * AppArmor security module
5 * This file contains AppArmor dfa based regular expression matching engine
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2012 Canonical Ltd.
11 #include <linux/errno.h>
12 #include <linux/kernel.h>
14 #include <linux/slab.h>
15 #include <linux/vmalloc.h>
16 #include <linux/err.h>
17 #include <linux/kref.h>
19 #include "include/lib.h"
20 #include "include/match.h"
22 #define base_idx(X) ((X) & 0xffffff)
24 static char nulldfa_src[] = {
27 struct aa_dfa *nulldfa;
29 static char stacksplitdfa_src[] = {
30 #include "stacksplitdfa.in"
32 struct aa_dfa *stacksplitdfa;
34 int aa_setup_dfa_engine(void)
38 nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
39 TO_ACCEPT1_FLAG(YYTD_DATA32) |
40 TO_ACCEPT2_FLAG(YYTD_DATA32));
41 if (IS_ERR(nulldfa)) {
42 error = PTR_ERR(nulldfa);
47 stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src,
48 sizeof(stacksplitdfa_src),
49 TO_ACCEPT1_FLAG(YYTD_DATA32) |
50 TO_ACCEPT2_FLAG(YYTD_DATA32));
51 if (IS_ERR(stacksplitdfa)) {
54 error = PTR_ERR(stacksplitdfa);
62 void aa_teardown_dfa_engine(void)
64 aa_put_dfa(stacksplitdfa);
69 * unpack_table - unpack a dfa table (one of accept, default, base, next check)
70 * @blob: data to unpack (NOT NULL)
71 * @bsize: size of blob
73 * Returns: pointer to table else NULL on failure
75 * NOTE: must be freed by kvfree (not kfree)
77 static struct table_header *unpack_table(char *blob, size_t bsize)
79 struct table_header *table = NULL;
80 struct table_header th;
83 if (bsize < sizeof(struct table_header))
86 /* loaded td_id's start at 1, subtract 1 now to avoid doing
87 * it every time we use td_id as an index
89 th.td_id = be16_to_cpu(*(__be16 *) (blob)) - 1;
90 if (th.td_id > YYTD_ID_MAX)
92 th.td_flags = be16_to_cpu(*(__be16 *) (blob + 2));
93 th.td_lolen = be32_to_cpu(*(__be32 *) (blob + 8));
94 blob += sizeof(struct table_header);
96 if (!(th.td_flags == YYTD_DATA16 || th.td_flags == YYTD_DATA32 ||
97 th.td_flags == YYTD_DATA8))
100 /* if we have a table it must have some entries */
101 if (th.td_lolen == 0)
103 tsize = table_size(th.td_lolen, th.td_flags);
107 table = kvzalloc(tsize, GFP_KERNEL);
109 table->td_id = th.td_id;
110 table->td_flags = th.td_flags;
111 table->td_lolen = th.td_lolen;
112 if (th.td_flags == YYTD_DATA8)
113 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
114 u8, u8, byte_to_byte);
115 else if (th.td_flags == YYTD_DATA16)
116 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
117 u16, __be16, be16_to_cpu);
118 else if (th.td_flags == YYTD_DATA32)
119 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
120 u32, __be32, be32_to_cpu);
123 /* if table was vmalloced make sure the page tables are synced
124 * before it is used, as it goes live to all cpus.
126 if (is_vmalloc_addr(table))
138 * verify_table_headers - verify that the tables headers are as expected
139 * @tables - array of dfa tables to check (NOT NULL)
140 * @flags: flags controlling what type of accept table are acceptable
142 * Assumes dfa has gone through the first pass verification done by unpacking
143 * NOTE: this does not valid accept table values
145 * Returns: %0 else error code on failure to verify
147 static int verify_table_headers(struct table_header **tables, int flags)
149 size_t state_count, trans_count;
152 /* check that required tables exist */
153 if (!(tables[YYTD_ID_DEF] && tables[YYTD_ID_BASE] &&
154 tables[YYTD_ID_NXT] && tables[YYTD_ID_CHK]))
157 /* accept.size == default.size == base.size */
158 state_count = tables[YYTD_ID_BASE]->td_lolen;
159 if (ACCEPT1_FLAGS(flags)) {
160 if (!tables[YYTD_ID_ACCEPT])
162 if (state_count != tables[YYTD_ID_ACCEPT]->td_lolen)
165 if (ACCEPT2_FLAGS(flags)) {
166 if (!tables[YYTD_ID_ACCEPT2])
168 if (state_count != tables[YYTD_ID_ACCEPT2]->td_lolen)
171 if (state_count != tables[YYTD_ID_DEF]->td_lolen)
174 /* next.size == chk.size */
175 trans_count = tables[YYTD_ID_NXT]->td_lolen;
176 if (trans_count != tables[YYTD_ID_CHK]->td_lolen)
179 /* if equivalence classes then its table size must be 256 */
180 if (tables[YYTD_ID_EC] && tables[YYTD_ID_EC]->td_lolen != 256)
189 * verify_dfa - verify that transitions and states in the tables are in bounds.
190 * @dfa: dfa to test (NOT NULL)
192 * Assumes dfa has gone through the first pass verification done by unpacking
193 * NOTE: this does not valid accept table values
195 * Returns: %0 else error code on failure to verify
197 static int verify_dfa(struct aa_dfa *dfa)
199 size_t i, state_count, trans_count;
202 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
203 trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
204 if (state_count == 0)
206 for (i = 0; i < state_count; i++) {
207 if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
208 (DEFAULT_TABLE(dfa)[i] >= state_count))
210 if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
211 pr_err("AppArmor DFA next/check upper bounds error\n");
216 for (i = 0; i < trans_count; i++) {
217 if (NEXT_TABLE(dfa)[i] >= state_count)
219 if (CHECK_TABLE(dfa)[i] >= state_count)
223 /* Now that all the other tables are verified, verify diffencoding */
224 for (i = 0; i < state_count; i++) {
228 (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
229 !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE);
231 k = DEFAULT_TABLE(dfa)[j];
235 break; /* already verified */
236 BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE;
246 * dfa_free - free a dfa allocated by aa_dfa_unpack
247 * @dfa: the dfa to free (MAYBE NULL)
249 * Requires: reference count to dfa == 0
251 static void dfa_free(struct aa_dfa *dfa)
256 for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
257 kvfree(dfa->tables[i]);
258 dfa->tables[i] = NULL;
265 * aa_dfa_free_kref - free aa_dfa by kref (called by aa_put_dfa)
266 * @kr: kref callback for freeing of a dfa (NOT NULL)
268 void aa_dfa_free_kref(struct kref *kref)
270 struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count);
275 * aa_dfa_unpack - unpack the binary tables of a serialized dfa
276 * @blob: aligned serialized stream of data to unpack (NOT NULL)
277 * @size: size of data to unpack
278 * @flags: flags controlling what type of accept tables are acceptable
280 * Unpack a dfa that has been serialized. To find information on the dfa
281 * format look in Documentation/admin-guide/LSM/apparmor.rst
282 * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
284 * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
286 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
291 struct table_header *table = NULL;
292 struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
296 kref_init(&dfa->count);
300 /* get dfa table set header */
301 if (size < sizeof(struct table_set_header))
304 if (ntohl(*(__be32 *) data) != YYTH_MAGIC)
307 hsize = ntohl(*(__be32 *) (data + 4));
311 dfa->flags = ntohs(*(__be16 *) (data + 12));
312 if (dfa->flags != 0 && dfa->flags != YYTH_FLAG_DIFF_ENCODE)
319 table = unpack_table(data, size);
323 switch (table->td_id) {
325 if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
328 case YYTD_ID_ACCEPT2:
329 if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
333 if (table->td_flags != YYTD_DATA32)
339 if (table->td_flags != YYTD_DATA16)
343 if (table->td_flags != YYTD_DATA8)
349 /* check for duplicate table entry */
350 if (dfa->tables[table->td_id])
352 dfa->tables[table->td_id] = table;
353 data += table_size(table->td_lolen, table->td_flags);
354 size -= table_size(table->td_lolen, table->td_flags);
357 error = verify_table_headers(dfa->tables, flags);
361 if (flags & DFA_FLAG_VERIFY_STATES) {
362 error = verify_dfa(dfa);
372 return ERR_PTR(error);
375 #define match_char(state, def, base, next, check, C) \
377 u32 b = (base)[(state)]; \
378 unsigned int pos = base_idx(b) + (C); \
379 if ((check)[pos] != (state)) { \
380 (state) = (def)[(state)]; \
381 if (b & MATCH_FLAG_DIFF_ENCODE) \
385 (state) = (next)[pos]; \
390 * aa_dfa_match_len - traverse @dfa to find state @str stops at
391 * @dfa: the dfa to match @str against (NOT NULL)
392 * @start: the state of the dfa to start matching in
393 * @str: the string of bytes to match against the dfa (NOT NULL)
394 * @len: length of the string of bytes to match
396 * aa_dfa_match_len will match @str against the dfa and return the state it
397 * finished matching in. The final state can be used to look up the accepting
398 * label, or as the start state of a continuing match.
400 * This function will happily match again the 0 byte and only finishes
401 * when @len input is consumed.
403 * Returns: final state reached after input is consumed
405 unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
406 const char *str, int len)
408 u16 *def = DEFAULT_TABLE(dfa);
409 u32 *base = BASE_TABLE(dfa);
410 u16 *next = NEXT_TABLE(dfa);
411 u16 *check = CHECK_TABLE(dfa);
412 unsigned int state = start;
417 /* current state is <state>, matching character *str */
418 if (dfa->tables[YYTD_ID_EC]) {
419 /* Equivalence class table defined */
420 u8 *equiv = EQUIV_TABLE(dfa);
422 match_char(state, def, base, next, check,
425 /* default is direct to next state */
427 match_char(state, def, base, next, check, (u8) *str++);
434 * aa_dfa_match - traverse @dfa to find state @str stops at
435 * @dfa: the dfa to match @str against (NOT NULL)
436 * @start: the state of the dfa to start matching in
437 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
439 * aa_dfa_match will match @str against the dfa and return the state it
440 * finished matching in. The final state can be used to look up the accepting
441 * label, or as the start state of a continuing match.
443 * Returns: final state reached after input is consumed
445 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
448 u16 *def = DEFAULT_TABLE(dfa);
449 u32 *base = BASE_TABLE(dfa);
450 u16 *next = NEXT_TABLE(dfa);
451 u16 *check = CHECK_TABLE(dfa);
452 unsigned int state = start;
457 /* current state is <state>, matching character *str */
458 if (dfa->tables[YYTD_ID_EC]) {
459 /* Equivalence class table defined */
460 u8 *equiv = EQUIV_TABLE(dfa);
461 /* default is direct to next state */
463 match_char(state, def, base, next, check,
466 /* default is direct to next state */
468 match_char(state, def, base, next, check, (u8) *str++);
475 * aa_dfa_next - step one character to the next state in the dfa
476 * @dfa: the dfa to traverse (NOT NULL)
477 * @state: the state to start in
478 * @c: the input character to transition on
480 * aa_dfa_match will step through the dfa by one input character @c
482 * Returns: state reach after input @c
484 unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
487 u16 *def = DEFAULT_TABLE(dfa);
488 u32 *base = BASE_TABLE(dfa);
489 u16 *next = NEXT_TABLE(dfa);
490 u16 *check = CHECK_TABLE(dfa);
492 /* current state is <state>, matching character *str */
493 if (dfa->tables[YYTD_ID_EC]) {
494 /* Equivalence class table defined */
495 u8 *equiv = EQUIV_TABLE(dfa);
496 match_char(state, def, base, next, check, equiv[(u8) c]);
498 match_char(state, def, base, next, check, (u8) c);
504 * aa_dfa_match_until - traverse @dfa until accept state or end of input
505 * @dfa: the dfa to match @str against (NOT NULL)
506 * @start: the state of the dfa to start matching in
507 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
508 * @retpos: first character in str after match OR end of string
510 * aa_dfa_match will match @str against the dfa and return the state it
511 * finished matching in. The final state can be used to look up the accepting
512 * label, or as the start state of a continuing match.
514 * Returns: final state reached after input is consumed
516 unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
517 const char *str, const char **retpos)
519 u16 *def = DEFAULT_TABLE(dfa);
520 u32 *base = BASE_TABLE(dfa);
521 u16 *next = NEXT_TABLE(dfa);
522 u16 *check = CHECK_TABLE(dfa);
523 u32 *accept = ACCEPT_TABLE(dfa);
524 unsigned int state = start, pos;
529 /* current state is <state>, matching character *str */
530 if (dfa->tables[YYTD_ID_EC]) {
531 /* Equivalence class table defined */
532 u8 *equiv = EQUIV_TABLE(dfa);
533 /* default is direct to next state */
535 pos = base_idx(base[state]) + equiv[(u8) *str++];
536 if (check[pos] == state)
544 /* default is direct to next state */
546 pos = base_idx(base[state]) + (u8) *str++;
547 if (check[pos] == state)
561 * aa_dfa_matchn_until - traverse @dfa until accept or @n bytes consumed
562 * @dfa: the dfa to match @str against (NOT NULL)
563 * @start: the state of the dfa to start matching in
564 * @str: the string of bytes to match against the dfa (NOT NULL)
565 * @n: length of the string of bytes to match
566 * @retpos: first character in str after match OR str + n
568 * aa_dfa_match_len will match @str against the dfa and return the state it
569 * finished matching in. The final state can be used to look up the accepting
570 * label, or as the start state of a continuing match.
572 * This function will happily match again the 0 byte and only finishes
573 * when @n input is consumed.
575 * Returns: final state reached after input is consumed
577 unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
578 const char *str, int n, const char **retpos)
580 u16 *def = DEFAULT_TABLE(dfa);
581 u32 *base = BASE_TABLE(dfa);
582 u16 *next = NEXT_TABLE(dfa);
583 u16 *check = CHECK_TABLE(dfa);
584 u32 *accept = ACCEPT_TABLE(dfa);
585 unsigned int state = start, pos;
591 /* current state is <state>, matching character *str */
592 if (dfa->tables[YYTD_ID_EC]) {
593 /* Equivalence class table defined */
594 u8 *equiv = EQUIV_TABLE(dfa);
595 /* default is direct to next state */
597 pos = base_idx(base[state]) + equiv[(u8) *str++];
598 if (check[pos] == state)
606 /* default is direct to next state */
608 pos = base_idx(base[state]) + (u8) *str++;
609 if (check[pos] == state)
622 #define inc_wb_pos(wb) \
624 wb->pos = (wb->pos + 1) & (wb->size - 1); \
625 wb->len = (wb->len + 1) & (wb->size - 1); \
628 /* For DFAs that don't support extended tagging of states */
629 static bool is_loop(struct match_workbuf *wb, unsigned int state,
630 unsigned int *adjust)
632 unsigned int pos = wb->pos;
635 if (wb->history[pos] < state)
638 for (i = 0; i <= wb->len; i++) {
639 if (wb->history[pos] == state) {
652 static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
653 const char *str, struct match_workbuf *wb,
656 u16 *def = DEFAULT_TABLE(dfa);
657 u32 *base = BASE_TABLE(dfa);
658 u16 *next = NEXT_TABLE(dfa);
659 u16 *check = CHECK_TABLE(dfa);
660 unsigned int state = start, pos;
671 /* current state is <state>, matching character *str */
672 if (dfa->tables[YYTD_ID_EC]) {
673 /* Equivalence class table defined */
674 u8 *equiv = EQUIV_TABLE(dfa);
675 /* default is direct to next state */
679 wb->history[wb->pos] = state;
680 pos = base_idx(base[state]) + equiv[(u8) *str++];
681 if (check[pos] == state)
685 if (is_loop(wb, state, &adjust)) {
686 state = aa_dfa_match(dfa, state, str);
694 /* default is direct to next state */
698 wb->history[wb->pos] = state;
699 pos = base_idx(base[state]) + (u8) *str++;
700 if (check[pos] == state)
704 if (is_loop(wb, state, &adjust)) {
705 state = aa_dfa_match(dfa, state, str);
721 * aa_dfa_leftmatch - traverse @dfa to find state @str stops at
722 * @dfa: the dfa to match @str against (NOT NULL)
723 * @start: the state of the dfa to start matching in
724 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
725 * @count: current count of longest left.
727 * aa_dfa_match will match @str against the dfa and return the state it
728 * finished matching in. The final state can be used to look up the accepting
729 * label, or as the start state of a continuing match.
731 * Returns: final state reached after input is consumed
733 unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
734 const char *str, unsigned int *count)
738 /* TODO: match for extended state dfas */
740 return leftmatch_fb(dfa, start, str, &wb, count);