Linux/security/apparmor/include/match.h


  1 /* SPDX-License-Identifier: GPL-2.0-only */
  2 /*
  3  * AppArmor security module
  4  *
  5  * This file contains AppArmor policy dfa matching engine definitions.
  6  *
  7  * Copyright (C) 1998-2008 Novell/SUSE
  8  * Copyright 2009-2012 Canonical Ltd.
  9  */
 10 
 11 #ifndef __AA_MATCH_H
 12 #define __AA_MATCH_H
 13 
 14 #include <linux/kref.h>
 15 
/* Fixed state numbers shared by every dfa.  NOTE(review): the meanings are
 * implied by the names only (0 = no match, 1 = start state); the matcher
 * that interprets them is not on this page.
 */
#define DFA_NOMATCH                     0
#define DFA_START                       1
 18 
 19 
/**
 * The format used for transition tables is based on the GNU flex table
 * file format (--tables-file option; see Table File Format in the flex
 * info pages and the flex sources for documentation). The magic number
 * used in the header is 0x1B5E783D instead of 0xF13C57B1, because new
 * tables have been defined and the YY_ID_CHK (check) and YY_ID_DEF
 * (default) tables are used slightly differently (see the apparmor-parser
 * package).
 *
 * The data in the packed dfa is stored in network byte order, and the tables
 * are arranged for flexibility.  We convert the table data to host native
 * byte order.
 *
 * The dfa begins with a table set header, and is followed by the actual
 * tables.
 */

/* Value expected in table_set_header.th_magic. */
#define YYTH_MAGIC      0x1B5E783D
/* Individual bits this header defines for table_set_header.th_flags. */
#define YYTH_FLAG_DIFF_ENCODE   1
#define YYTH_FLAG_OOB_TRANS     2
/* Union of every recognised th_flags bit.  Presumably a header carrying
 * any other bit is rejected -- confirm in the unpack code.
 */
#define YYTH_FLAGS (YYTH_FLAG_DIFF_ENCODE | YYTH_FLAG_OOB_TRANS)

/* NOTE(review): the name suggests an upper bound for aa_dfa.max_oob
 * (below); where it is enforced is not visible here.
 */
#define MAX_OOB_SUPPORTED       1
 44 
/* Header at the start of a packed dfa (see the format description above).
 * The packed form is network byte order; the fields are only meaningful
 * after conversion to host order.
 */
struct table_set_header {
        u32 th_magic;           /* YYTH_MAGIC */
        u32 th_hsize;           /* NOTE(review): presumably the header size -- confirm in the unpack code */
        u32 th_ssize;           /* NOTE(review): presumably the size of the tables that follow -- confirm */
        u16 th_flags;           /* YYTH_FLAG_* bits */
        char th_version[];      /* trailing version string (flexible array member) */
};
 52 
/* The YYTD_ID values are one less than the flex table mappings.  The flex
 * id has 1 subtracted at table load time; this allows us to directly use
 * the IDs as indexes.
 */
#define YYTD_ID_ACCEPT  0
#define YYTD_ID_BASE    1
#define YYTD_ID_CHK     2
#define YYTD_ID_DEF     3
#define YYTD_ID_EC      4
#define YYTD_ID_META    5
#define YYTD_ID_ACCEPT2 6
#define YYTD_ID_NXT     7
/* Number of slots in aa_dfa.tables[] (valid indexes are 0..7). */
#define YYTD_ID_TSIZE   8
/* NOTE(review): YYTD_ID_MAX equals YYTD_ID_TSIZE, i.e. one past the last
 * valid table slot, so it must not be used as an inclusive bound when
 * indexing tables[]; an index check has to be "< YYTD_ID_TSIZE".
 */
#define YYTD_ID_MAX     8

/* Element widths, in bytes, of a table's payload. */
#define YYTD_DATA8      1
#define YYTD_DATA16     2
#define YYTD_DATA32     4
#define YYTD_DATA64     8
 72 
/* ACCEPT & ACCEPT2 tables get 6 dedicated flags; YYTD_DATAX define the
 * first flags.
 *
 * ACCEPT1_FLAGS keeps the low 6 bits (0x3f).  ACCEPT2_FLAGS reuses the
 * table id YYTD_ID_ACCEPT2 (== 6, above) as the shift count, so the two
 * fields stay disjoint only because that id happens to equal the field
 * width; a dedicated width constant would make the coupling explicit.
 */
#define ACCEPT1_FLAGS(X) ((X) & 0x3f)
#define ACCEPT2_FLAGS(X) ACCEPT1_FLAGS((X) >> YYTD_ID_ACCEPT2)
#define TO_ACCEPT1_FLAG(X) ACCEPT1_FLAGS(X)
#define TO_ACCEPT2_FLAG(X) (ACCEPT1_FLAGS(X) << YYTD_ID_ACCEPT2)
/* Not part of the accept bit fields above.  NOTE(review): presumably a bit
 * for the flags argument of aa_dfa_unpack() -- confirm.
 */
#define DFA_FLAG_VERIFY_STATES 0x1000
 81 
/* Header preceding each individual table's payload.  NOTE(review): the
 * td_hilen/td_lolen pair looks like the high and low halves of a 64-bit
 * element count -- confirm against the unpack code before relying on it.
 */
struct table_header {
        u16 td_id;              /* YYTD_ID_* (already has the 1 subtracted, see above) */
        u16 td_flags;           /* NOTE(review): presumably a YYTD_DATA* element width -- confirm */
        u32 td_hilen;
        u32 td_lolen;
        char td_data[];         /* element payload, host byte order once unpacked */
};
 89 
/* Typed views of the individual table payloads.  Each one dereferences
 * tables[id] unconditionally, so a slot that was never filled (NULL)
 * faults; only use them on a dfa whose required tables are known to be
 * present.
 */
#define DEFAULT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_DEF]->td_data))
#define BASE_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_BASE]->td_data))
#define NEXT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_NXT]->td_data))
#define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK]->td_data))
#define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC]->td_data))
#define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT]->td_data))
#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2]->td_data))
 97 
/* An unpacked dfa.  Lifetime is reference counted through @count; see
 * aa_get_dfa()/aa_put_dfa() below, with aa_dfa_free_kref() as the release
 * callback.
 */
struct aa_dfa {
        struct kref count;      /* reference count */
        u16 flags;              /* NOTE(review): which flag namespace (YYTH_FLAG_x or MATCH_FLAG_x) is stored here is not visible on this page -- confirm */
        u32 max_oob;            /* out-of-band transition limit; compare MAX_OOB_SUPPORTED above */
        struct table_header *tables[YYTD_ID_TSIZE];     /* indexed by YYTD_ID_*; presumably NULL for absent tables */
};
104 
/* Identity conversion, for use as the NTOHX argument of UNPACK_ARRAY when
 * the element width needs no byte swapping.
 */
#define byte_to_byte(X) (X)

/* Copy LEN elements from BLOB (as BTYPE, packed byte order) into TABLE (as
 * TTYPE, host order), converting each element with NTOHX.
 *
 * There is no bounds checking here: TABLE must already be sized for LEN
 * TTYPE elements and BLOB must already be known to hold LEN BTYPE
 * elements, so the caller's size validation is the only thing standing
 * between untrusted table data and an out-of-bounds read/write.  LEN is
 * re-evaluated on every loop iteration.  (The __-prefixed locals are
 * implementation-reserved names; this follows the kernel's usual
 * macro-hygiene convention.)
 */
#define UNPACK_ARRAY(TABLE, BLOB, LEN, TTYPE, BTYPE, NTOHX)     \
        do { \
                typeof(LEN) __i; \
                TTYPE *__t = (TTYPE *) TABLE; \
                BTYPE *__b = (BTYPE *) BLOB; \
                for (__i = 0; __i < LEN; __i++) { \
                        __t[__i] = NTOHX(__b[__i]); \
                } \
        } while (0)
116 
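/**
 * table_size - bytes needed for a table header plus @len payload elements
 * @len: number of elements in the table payload
 * @el_size: size in bytes of one element
 *
 * Returns: sizeof(struct table_header) + @len * @el_size rounded up to a
 * multiple of 8.  If that computation would wrap size_t the result
 * saturates to the largest size_t instead, so that a caller comparing it
 * against the bytes actually available, or handing it to an allocator,
 * fails closed rather than obtaining an under-sized table.
 *
 * The guard matters because @len is presumably taken from a parsed table
 * header (see td_lolen above), i.e. from data that must not be trusted to
 * keep the product small.
 */
static inline size_t table_size(size_t len, size_t el_size)
{
        /* Largest payload for which header + payload + 7 (the most ALIGN(,8)
         * can add) still fits in size_t.
         */
        const size_t payload_max = ~(size_t)0 - sizeof(struct table_header) - 7;

        /* Multiplication would exceed payload_max: saturate instead of wrapping. */
        if (len && el_size > payload_max / len)
                return ~(size_t)0;

        return ALIGN(sizeof(struct table_header) + len * el_size, 8);
}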
121 
/* Type of a dfa state number.  A macro rather than a typedef, so it stays
 * interchangeable with a plain unsigned int.
 */
#define aa_state_t unsigned int

/* Matching entry points; the implementations are not in this header.
 * Note that the length parameters (@len, @n) are signed int rather than
 * size_t, so callers converting from a size_t length must make sure the
 * value fits.
 */
struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
                            const char *str, int len);
aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
                        const char *str);
aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c);
aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state);
aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
                              const char *str, const char **retpos);
aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
                               const char *str, int n, const char **retpos);

/* kref release callback used by aa_put_dfa(). */
void aa_dfa_free_kref(struct kref *kref);
137 
#define WB_HISTORY_SIZE 24
/* Scratch state for a match; presumably used by aa_dfa_leftmatch() below.
 *
 * NOTE(review): the comment on @size says "power of 2, same as history
 * size", but WB_HISTORY_SIZE is 24, which is not a power of two, and
 * DEFINE_MATCH_WB leaves @size zero-initialised.  Confirm how the matcher
 * sets and uses @size before relying on that comment.
 */
struct match_workbuf {
        unsigned int count;
        unsigned int pos;
        unsigned int len;
        unsigned int size;      /* power of 2, same as history size */
        unsigned int history[WB_HISTORY_SIZE];
};
/* Declare and initialise a match_workbuf named N.  Members not listed
 * (size, history) are zero-initialised by the designated initialiser.
 */
#define DEFINE_MATCH_WB(N)              \
struct match_workbuf N = {              \
        .count = 0,                     \
        .pos = 0,                       \
        .len = 0,                       \
}
152 
/* Implemented outside this header; @count is an output parameter whose
 * exact meaning is not visible on this page.
 */
aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
                            const char *str, unsigned int *count);
155 
/**
 * aa_get_dfa - take an additional reference on a dfa
 * @dfa: dfa to reference  (MAYBE NULL)
 *
 * Returns: @dfa unchanged, so the call can be chained into an assignment;
 * a NULL @dfa is passed through as NULL without touching anything.
 * Requires: when @dfa is non-NULL the caller already holds a valid
 * reference on it.
 */
static inline struct aa_dfa *aa_get_dfa(struct aa_dfa *dfa)
{
        if (!dfa)
                return NULL;

        kref_get(&dfa->count);
        return dfa;
}
170 
/**
 * aa_put_dfa - drop a reference on a dfa
 * @dfa: dfa whose reference is released  (MAYBE NULL)
 *
 * A NULL @dfa is a no-op.  Otherwise the reference is dropped and, when it
 * was the last one, aa_dfa_free_kref() runs as the kref release callback.
 * Requires: if @dfa != NULL the caller holds a valid reference.
 */
static inline void aa_put_dfa(struct aa_dfa *dfa)
{
        if (!dfa)
                return;

        kref_put(&dfa->count, aa_dfa_free_kref);
}
182 
/* Flag bits carried in the top byte (MATCH_FLAGS_MASK) of a 32-bit table
 * entry; which table is not visible on this page.
 *
 * MATCH_FLAGS_VALID deliberately omits MARK_DIFF_ENCODE, so
 * MATCH_FLAGS_INVALID works out to 0x5f000000 and includes that bit.
 * NOTE(review): presumably MARK_DIFF_ENCODE is set internally after
 * unpacking and is therefore never accepted from packed data -- confirm.
 */
#define MATCH_FLAG_DIFF_ENCODE 0x80000000
#define MARK_DIFF_ENCODE 0x40000000
#define MATCH_FLAG_OOB_TRANSITION 0x20000000
#define MATCH_FLAGS_MASK 0xff000000
#define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION)
#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
189 
190 #endif /* __AA_MATCH_H */
191 
