AppArmor: policy routines for loading and unpacking policy

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

AppArmor policy is loaded in a platform independent flattened binary
stream. Verify and unpack the data converting it to the internal
format needed for enforcement.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

John Johansen and committed by

James Morris 15 years ago 736ec752 0ed3b28a

+723

2 changed files

expand all

security

apparmor

include

policy_unpack.h

policy_unpack.c

+20

security/apparmor/include/policy_unpack.h

··· 1 + /* 2 + * AppArmor security module 3 + * 4 + * This file contains AppArmor policy loading interface function definitions. 5 + * 6 + * Copyright (C) 1998-2008 Novell/SUSE 7 + * Copyright 2009-2010 Canonical Ltd. 8 + * 9 + * This program is free software; you can redistribute it and/or 10 + * modify it under the terms of the GNU General Public License as 11 + * published by the Free Software Foundation, version 2 of the 12 + * License. 13 + */ 14 + 15 + #ifndef __POLICY_INTERFACE_H 16 + #define __POLICY_INTERFACE_H 17 + 18 + struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns); 19 + 20 + #endif /* __POLICY_INTERFACE_H */

+703

security/apparmor/policy_unpack.c

··· 1 + /* 2 + * AppArmor security module 3 + * 4 + * This file contains AppArmor functions for unpacking policy loaded from 5 + * userspace. 6 + * 7 + * Copyright (C) 1998-2008 Novell/SUSE 8 + * Copyright 2009-2010 Canonical Ltd. 9 + * 10 + * This program is free software; you can redistribute it and/or 11 + * modify it under the terms of the GNU General Public License as 12 + * published by the Free Software Foundation, version 2 of the 13 + * License. 14 + * 15 + * AppArmor uses a serialized binary format for loading policy. 16 + * To find policy format documentation look in Documentation/apparmor.txt 17 + * All policy is validated before it is used. 18 + */ 19 + 20 + #include <asm/unaligned.h> 21 + #include <linux/ctype.h> 22 + #include <linux/errno.h> 23 + 24 + #include "include/apparmor.h" 25 + #include "include/audit.h" 26 + #include "include/context.h" 27 + #include "include/match.h" 28 + #include "include/policy.h" 29 + #include "include/policy_unpack.h" 30 + #include "include/sid.h" 31 + 32 + /* 33 + * The AppArmor interface treats data as a type byte followed by the 34 + * actual data. The interface has the notion of a a named entry 35 + * which has a name (AA_NAME typecode followed by name string) followed by 36 + * the entries typecode and data. Named types allow for optional 37 + * elements and extensions to be added and tested for without breaking 38 + * backwards compatibility. 39 + */ 40 + 41 + enum aa_code { 42 + AA_U8, 43 + AA_U16, 44 + AA_U32, 45 + AA_U64, 46 + AA_NAME, /* same as string except it is items name */ 47 + AA_STRING, 48 + AA_BLOB, 49 + AA_STRUCT, 50 + AA_STRUCTEND, 51 + AA_LIST, 52 + AA_LISTEND, 53 + AA_ARRAY, 54 + AA_ARRAYEND, 55 + }; 56 + 57 + /* 58 + * aa_ext is the read of the buffer containing the serialized profile. The 59 + * data is copied into a kernel buffer in apparmorfs and then handed off to 60 + * the unpack routines. 61 + */ 62 + struct aa_ext { 63 + void *start; 64 + void *end; 65 + void *pos; /* pointer to current position in the buffer */ 66 + u32 version; 67 + }; 68 + 69 + /* audit callback for unpack fields */ 70 + static void audit_cb(struct audit_buffer *ab, void *va) 71 + { 72 + struct common_audit_data *sa = va; 73 + if (sa->aad.iface.target) { 74 + struct aa_profile *name = sa->aad.iface.target; 75 + audit_log_format(ab, " name="); 76 + audit_log_untrustedstring(ab, name->base.hname); 77 + } 78 + if (sa->aad.iface.pos) 79 + audit_log_format(ab, " offset=%ld", sa->aad.iface.pos); 80 + } 81 + 82 + /** 83 + * audit_iface - do audit message for policy unpacking/load/replace/remove 84 + * @new: profile if it has been allocated (MAYBE NULL) 85 + * @name: name of the profile being manipulated (MAYBE NULL) 86 + * @info: any extra info about the failure (MAYBE NULL) 87 + * @e: buffer position info (NOT NULL) 88 + * @error: error code 89 + * 90 + * Returns: %0 or error 91 + */ 92 + static int audit_iface(struct aa_profile *new, const char *name, 93 + const char *info, struct aa_ext *e, int error) 94 + { 95 + struct aa_profile *profile = __aa_current_profile(); 96 + struct common_audit_data sa; 97 + COMMON_AUDIT_DATA_INIT(&sa, NONE); 98 + sa.aad.iface.pos = e->pos - e->start; 99 + sa.aad.iface.target = new; 100 + sa.aad.name = name; 101 + sa.aad.info = info; 102 + sa.aad.error = error; 103 + 104 + return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, 105 + audit_cb); 106 + } 107 + 108 + /* test if read will be in packed data bounds */ 109 + static bool inbounds(struct aa_ext *e, size_t size) 110 + { 111 + return (size <= e->end - e->pos); 112 + } 113 + 114 + /** 115 + * aa_u16_chunck - test and do bounds checking for a u16 size based chunk 116 + * @e: serialized data read head (NOT NULL) 117 + * @chunk: start address for chunk of data (NOT NULL) 118 + * 119 + * Returns: the size of chunk found with the read head at the end of the chunk. 120 + */ 121 + static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) 122 + { 123 + size_t size = 0; 124 + 125 + if (!inbounds(e, sizeof(u16))) 126 + return 0; 127 + size = le16_to_cpu(get_unaligned((u16 *) e->pos)); 128 + e->pos += sizeof(u16); 129 + if (!inbounds(e, size)) 130 + return 0; 131 + *chunk = e->pos; 132 + e->pos += size; 133 + return size; 134 + } 135 + 136 + /* unpack control byte */ 137 + static bool unpack_X(struct aa_ext *e, enum aa_code code) 138 + { 139 + if (!inbounds(e, 1)) 140 + return 0; 141 + if (*(u8 *) e->pos != code) 142 + return 0; 143 + e->pos++; 144 + return 1; 145 + } 146 + 147 + /** 148 + * unpack_nameX - check is the next element is of type X with a name of @name 149 + * @e: serialized data extent information (NOT NULL) 150 + * @code: type code 151 + * @name: name to match to the serialized element. (MAYBE NULL) 152 + * 153 + * check that the next serialized data element is of type X and has a tag 154 + * name @name. If @name is specified then there must be a matching 155 + * name element in the stream. If @name is NULL any name element will be 156 + * skipped and only the typecode will be tested. 157 + * 158 + * Returns 1 on success (both type code and name tests match) and the read 159 + * head is advanced past the headers 160 + * 161 + * Returns: 0 if either match fails, the read head does not move 162 + */ 163 + static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) 164 + { 165 + /* 166 + * May need to reset pos if name or type doesn't match 167 + */ 168 + void *pos = e->pos; 169 + /* 170 + * Check for presence of a tagname, and if present name size 171 + * AA_NAME tag value is a u16. 172 + */ 173 + if (unpack_X(e, AA_NAME)) { 174 + char *tag = NULL; 175 + size_t size = unpack_u16_chunk(e, &tag); 176 + /* if a name is specified it must match. otherwise skip tag */ 177 + if (name && (!size || strcmp(name, tag))) 178 + goto fail; 179 + } else if (name) { 180 + /* if a name is specified and there is no name tag fail */ 181 + goto fail; 182 + } 183 + 184 + /* now check if type code matches */ 185 + if (unpack_X(e, code)) 186 + return 1; 187 + 188 + fail: 189 + e->pos = pos; 190 + return 0; 191 + } 192 + 193 + static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) 194 + { 195 + if (unpack_nameX(e, AA_U32, name)) { 196 + if (!inbounds(e, sizeof(u32))) 197 + return 0; 198 + if (data) 199 + *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); 200 + e->pos += sizeof(u32); 201 + return 1; 202 + } 203 + return 0; 204 + } 205 + 206 + static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) 207 + { 208 + if (unpack_nameX(e, AA_U64, name)) { 209 + if (!inbounds(e, sizeof(u64))) 210 + return 0; 211 + if (data) 212 + *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); 213 + e->pos += sizeof(u64); 214 + return 1; 215 + } 216 + return 0; 217 + } 218 + 219 + static size_t unpack_array(struct aa_ext *e, const char *name) 220 + { 221 + if (unpack_nameX(e, AA_ARRAY, name)) { 222 + int size; 223 + if (!inbounds(e, sizeof(u16))) 224 + return 0; 225 + size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); 226 + e->pos += sizeof(u16); 227 + return size; 228 + } 229 + return 0; 230 + } 231 + 232 + static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) 233 + { 234 + if (unpack_nameX(e, AA_BLOB, name)) { 235 + u32 size; 236 + if (!inbounds(e, sizeof(u32))) 237 + return 0; 238 + size = le32_to_cpu(get_unaligned((u32 *) e->pos)); 239 + e->pos += sizeof(u32); 240 + if (inbounds(e, (size_t) size)) { 241 + *blob = e->pos; 242 + e->pos += size; 243 + return size; 244 + } 245 + } 246 + return 0; 247 + } 248 + 249 + static int unpack_str(struct aa_ext *e, const char **string, const char *name) 250 + { 251 + char *src_str; 252 + size_t size = 0; 253 + void *pos = e->pos; 254 + *string = NULL; 255 + if (unpack_nameX(e, AA_STRING, name)) { 256 + size = unpack_u16_chunk(e, &src_str); 257 + if (size) { 258 + /* strings are null terminated, length is size - 1 */ 259 + if (src_str[size - 1] != 0) 260 + goto fail; 261 + *string = src_str; 262 + } 263 + } 264 + return size; 265 + 266 + fail: 267 + e->pos = pos; 268 + return 0; 269 + } 270 + 271 + static int unpack_strdup(struct aa_ext *e, char **string, const char *name) 272 + { 273 + const char *tmp; 274 + void *pos = e->pos; 275 + int res = unpack_str(e, &tmp, name); 276 + *string = NULL; 277 + 278 + if (!res) 279 + return 0; 280 + 281 + *string = kmemdup(tmp, res, GFP_KERNEL); 282 + if (!*string) { 283 + e->pos = pos; 284 + return 0; 285 + } 286 + 287 + return res; 288 + } 289 + 290 + /** 291 + * verify_accept - verify the accept tables of a dfa 292 + * @dfa: dfa to verify accept tables of (NOT NULL) 293 + * @flags: flags governing dfa 294 + * 295 + * Returns: 1 if valid accept tables else 0 if error 296 + */ 297 + static bool verify_accept(struct aa_dfa *dfa, int flags) 298 + { 299 + int i; 300 + 301 + /* verify accept permissions */ 302 + for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 303 + int mode = ACCEPT_TABLE(dfa)[i]; 304 + 305 + if (mode & ~DFA_VALID_PERM_MASK) 306 + return 0; 307 + 308 + if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) 309 + return 0; 310 + } 311 + return 1; 312 + } 313 + 314 + /** 315 + * unpack_dfa - unpack a file rule dfa 316 + * @e: serialized data extent information (NOT NULL) 317 + * 318 + * returns dfa or ERR_PTR or NULL if no dfa 319 + */ 320 + static struct aa_dfa *unpack_dfa(struct aa_ext *e) 321 + { 322 + char *blob = NULL; 323 + size_t size; 324 + struct aa_dfa *dfa = NULL; 325 + 326 + size = unpack_blob(e, &blob, "aadfa"); 327 + if (size) { 328 + /* 329 + * The dfa is aligned with in the blob to 8 bytes 330 + * from the beginning of the stream. 331 + */ 332 + size_t sz = blob - (char *)e->start; 333 + size_t pad = ALIGN(sz, 8) - sz; 334 + int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | 335 + TO_ACCEPT2_FLAG(YYTD_DATA32); 336 + 337 + 338 + if (aa_g_paranoid_load) 339 + flags |= DFA_FLAG_VERIFY_STATES; 340 + 341 + dfa = aa_dfa_unpack(blob + pad, size - pad, flags); 342 + 343 + if (IS_ERR(dfa)) 344 + return dfa; 345 + 346 + if (!verify_accept(dfa, flags)) 347 + goto fail; 348 + } 349 + 350 + return dfa; 351 + 352 + fail: 353 + aa_put_dfa(dfa); 354 + return ERR_PTR(-EPROTO); 355 + } 356 + 357 + /** 358 + * unpack_trans_table - unpack a profile transition table 359 + * @e: serialized data extent information (NOT NULL) 360 + * @profile: profile to add the accept table to (NOT NULL) 361 + * 362 + * Returns: 1 if table succesfully unpacked 363 + */ 364 + static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) 365 + { 366 + void *pos = e->pos; 367 + 368 + /* exec table is optional */ 369 + if (unpack_nameX(e, AA_STRUCT, "xtable")) { 370 + int i, size; 371 + 372 + size = unpack_array(e, NULL); 373 + /* currently 4 exec bits and entries 0-3 are reserved iupcx */ 374 + if (size > 16 - 4) 375 + goto fail; 376 + profile->file.trans.table = kzalloc(sizeof(char *) * size, 377 + GFP_KERNEL); 378 + if (!profile->file.trans.table) 379 + goto fail; 380 + 381 + profile->file.trans.size = size; 382 + for (i = 0; i < size; i++) { 383 + char *str; 384 + int c, j, size = unpack_strdup(e, &str, NULL); 385 + /* unpack_strdup verifies that the last character is 386 + * null termination byte. 387 + */ 388 + if (!size) 389 + goto fail; 390 + profile->file.trans.table[i] = str; 391 + /* verify that name doesn't start with space */ 392 + if (isspace(*str)) 393 + goto fail; 394 + 395 + /* count internal # of internal \0 */ 396 + for (c = j = 0; j < size - 2; j++) { 397 + if (!str[j]) 398 + c++; 399 + } 400 + if (*str == ':') { 401 + /* beginning with : requires an embedded \0, 402 + * verify that exactly 1 internal \0 exists 403 + * trailing \0 already verified by unpack_strdup 404 + */ 405 + if (c != 1) 406 + goto fail; 407 + /* first character after : must be valid */ 408 + if (!str[1]) 409 + goto fail; 410 + } else if (c) 411 + /* fail - all other cases with embedded \0 */ 412 + goto fail; 413 + } 414 + if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 415 + goto fail; 416 + if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 417 + goto fail; 418 + } 419 + return 1; 420 + 421 + fail: 422 + aa_free_domain_entries(&profile->file.trans); 423 + e->pos = pos; 424 + return 0; 425 + } 426 + 427 + static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) 428 + { 429 + void *pos = e->pos; 430 + 431 + /* rlimits are optional */ 432 + if (unpack_nameX(e, AA_STRUCT, "rlimits")) { 433 + int i, size; 434 + u32 tmp = 0; 435 + if (!unpack_u32(e, &tmp, NULL)) 436 + goto fail; 437 + profile->rlimits.mask = tmp; 438 + 439 + size = unpack_array(e, NULL); 440 + if (size > RLIM_NLIMITS) 441 + goto fail; 442 + for (i = 0; i < size; i++) { 443 + u64 tmp = 0; 444 + int a = aa_map_resource(i); 445 + if (!unpack_u64(e, &tmp, NULL)) 446 + goto fail; 447 + profile->rlimits.limits[a].rlim_max = tmp; 448 + } 449 + if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 450 + goto fail; 451 + if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 452 + goto fail; 453 + } 454 + return 1; 455 + 456 + fail: 457 + e->pos = pos; 458 + return 0; 459 + } 460 + 461 + /** 462 + * unpack_profile - unpack a serialized profile 463 + * @e: serialized data extent information (NOT NULL) 464 + * 465 + * NOTE: unpack profile sets audit struct if there is a failure 466 + */ 467 + static struct aa_profile *unpack_profile(struct aa_ext *e) 468 + { 469 + struct aa_profile *profile = NULL; 470 + const char *name = NULL; 471 + int error = -EPROTO; 472 + kernel_cap_t tmpcap; 473 + u32 tmp; 474 + 475 + /* check that we have the right struct being passed */ 476 + if (!unpack_nameX(e, AA_STRUCT, "profile")) 477 + goto fail; 478 + if (!unpack_str(e, &name, NULL)) 479 + goto fail; 480 + 481 + profile = aa_alloc_profile(name); 482 + if (!profile) 483 + return ERR_PTR(-ENOMEM); 484 + 485 + /* profile renaming is optional */ 486 + (void) unpack_str(e, &profile->rename, "rename"); 487 + 488 + /* xmatch is optional and may be NULL */ 489 + profile->xmatch = unpack_dfa(e); 490 + if (IS_ERR(profile->xmatch)) { 491 + error = PTR_ERR(profile->xmatch); 492 + profile->xmatch = NULL; 493 + goto fail; 494 + } 495 + /* xmatch_len is not optional if xmatch is set */ 496 + if (profile->xmatch) { 497 + if (!unpack_u32(e, &tmp, NULL)) 498 + goto fail; 499 + profile->xmatch_len = tmp; 500 + } 501 + 502 + /* per profile debug flags (complain, audit) */ 503 + if (!unpack_nameX(e, AA_STRUCT, "flags")) 504 + goto fail; 505 + if (!unpack_u32(e, &tmp, NULL)) 506 + goto fail; 507 + if (tmp) 508 + profile->flags |= PFLAG_HAT; 509 + if (!unpack_u32(e, &tmp, NULL)) 510 + goto fail; 511 + if (tmp) 512 + profile->mode = APPARMOR_COMPLAIN; 513 + if (!unpack_u32(e, &tmp, NULL)) 514 + goto fail; 515 + if (tmp) 516 + profile->audit = AUDIT_ALL; 517 + 518 + if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 519 + goto fail; 520 + 521 + /* path_flags is optional */ 522 + if (unpack_u32(e, &profile->path_flags, "path_flags")) 523 + profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; 524 + else 525 + /* set a default value if path_flags field is not present */ 526 + profile->path_flags = PFLAG_MEDIATE_DELETED; 527 + 528 + if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) 529 + goto fail; 530 + if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) 531 + goto fail; 532 + if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) 533 + goto fail; 534 + if (!unpack_u32(e, &tmpcap.cap[0], NULL)) 535 + goto fail; 536 + 537 + if (unpack_nameX(e, AA_STRUCT, "caps64")) { 538 + /* optional upper half of 64 bit caps */ 539 + if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) 540 + goto fail; 541 + if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) 542 + goto fail; 543 + if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) 544 + goto fail; 545 + if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) 546 + goto fail; 547 + if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 548 + goto fail; 549 + } 550 + 551 + if (unpack_nameX(e, AA_STRUCT, "capsx")) { 552 + /* optional extended caps mediation mask */ 553 + if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) 554 + goto fail; 555 + if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) 556 + goto fail; 557 + } 558 + 559 + if (!unpack_rlimits(e, profile)) 560 + goto fail; 561 + 562 + /* get file rules */ 563 + profile->file.dfa = unpack_dfa(e); 564 + if (IS_ERR(profile->file.dfa)) { 565 + error = PTR_ERR(profile->file.dfa); 566 + profile->file.dfa = NULL; 567 + goto fail; 568 + } 569 + 570 + if (!unpack_u32(e, &profile->file.start, "dfa_start")) 571 + /* default start state */ 572 + profile->file.start = DFA_START; 573 + 574 + if (!unpack_trans_table(e, profile)) 575 + goto fail; 576 + 577 + if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 578 + goto fail; 579 + 580 + return profile; 581 + 582 + fail: 583 + if (profile) 584 + name = NULL; 585 + else if (!name) 586 + name = "unknown"; 587 + audit_iface(profile, name, "failed to unpack profile", e, error); 588 + aa_put_profile(profile); 589 + 590 + return ERR_PTR(error); 591 + } 592 + 593 + /** 594 + * verify_head - unpack serialized stream header 595 + * @e: serialized data read head (NOT NULL) 596 + * @ns: Returns - namespace if one is specified else NULL (NOT NULL) 597 + * 598 + * Returns: error or 0 if header is good 599 + */ 600 + static int verify_header(struct aa_ext *e, const char **ns) 601 + { 602 + int error = -EPROTONOSUPPORT; 603 + /* get the interface version */ 604 + if (!unpack_u32(e, &e->version, "version")) { 605 + audit_iface(NULL, NULL, "invalid profile format", e, error); 606 + return error; 607 + } 608 + 609 + /* check that the interface version is currently supported */ 610 + if (e->version != 5) { 611 + audit_iface(NULL, NULL, "unsupported interface version", e, 612 + error); 613 + return error; 614 + } 615 + 616 + /* read the namespace if present */ 617 + if (!unpack_str(e, ns, "namespace")) 618 + *ns = NULL; 619 + 620 + return 0; 621 + } 622 + 623 + static bool verify_xindex(int xindex, int table_size) 624 + { 625 + int index, xtype; 626 + xtype = xindex & AA_X_TYPE_MASK; 627 + index = xindex & AA_X_INDEX_MASK; 628 + if (xtype == AA_X_TABLE && index > table_size) 629 + return 0; 630 + return 1; 631 + } 632 + 633 + /* verify dfa xindexes are in range of transition tables */ 634 + static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) 635 + { 636 + int i; 637 + for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 638 + if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) 639 + return 0; 640 + if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) 641 + return 0; 642 + } 643 + return 1; 644 + } 645 + 646 + /** 647 + * verify_profile - Do post unpack analysis to verify profile consistency 648 + * @profile: profile to verify (NOT NULL) 649 + * 650 + * Returns: 0 if passes verification else error 651 + */ 652 + static int verify_profile(struct aa_profile *profile) 653 + { 654 + if (aa_g_paranoid_load) { 655 + if (profile->file.dfa && 656 + !verify_dfa_xindex(profile->file.dfa, 657 + profile->file.trans.size)) { 658 + audit_iface(profile, NULL, "Invalid named transition", 659 + NULL, -EPROTO); 660 + return -EPROTO; 661 + } 662 + } 663 + 664 + return 0; 665 + } 666 + 667 + /** 668 + * aa_unpack - unpack packed binary profile data loaded from user space 669 + * @udata: user data copied to kmem (NOT NULL) 670 + * @size: the size of the user data 671 + * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) 672 + * 673 + * Unpack user data and return refcounted allocated profile or ERR_PTR 674 + * 675 + * Returns: profile else error pointer if fails to unpack 676 + */ 677 + struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns) 678 + { 679 + struct aa_profile *profile = NULL; 680 + int error; 681 + struct aa_ext e = { 682 + .start = udata, 683 + .end = udata + size, 684 + .pos = udata, 685 + }; 686 + 687 + error = verify_header(&e, ns); 688 + if (error) 689 + return ERR_PTR(error); 690 + 691 + profile = unpack_profile(&e); 692 + if (IS_ERR(profile)) 693 + return profile; 694 + 695 + error = verify_profile(profile); 696 + if (error) { 697 + aa_put_profile(profile); 698 + profile = ERR_PTR(error); 699 + } 700 + 701 + /* return refcount */ 702 + return profile; 703 + }