diff options
author | John Johansen <john.johansen@canonical.com> | 2022-08-26 22:32:34 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2022-10-03 23:49:03 +0200 |
commit | 670f31774ab6bf8e2d756f27444b035b9be8a0c9 (patch) | |
tree | dda8d742b73282bf83314b5647a04d29f71f1634 /security | |
parent | apparmor: add the ability for policy to specify a permission table (diff) | |
download | linux-670f31774ab6bf8e2d756f27444b035b9be8a0c9.tar.xz linux-670f31774ab6bf8e2d756f27444b035b9be8a0c9.zip |
apparmor: verify permission table indexes
While the dfa xindex's are verified, the indexes in the permission
table are not currently verified. Fix this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/policy_unpack.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index b85dbdde8939..312bd632a472 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -781,8 +781,9 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy, *info = "failed to unpack profile transition table"; goto fail; } - /* TODO: move compat mapping here, requires dfa merging first */ + /* TODO: move compat mapping here, requires dfa merging first */ + /* TODO: move verify here, it has to be done after compat mappings */ out: return 0; @@ -1149,6 +1150,22 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) return true; } +static bool verify_perm_indexes(struct aa_policydb *pdb) +{ + int i; + + for (i = 0; i < pdb->size; i++) { + if (pdb->perms[i].xindex >= pdb->trans.size) + return false; + if (pdb->perms[i].tag >= pdb->trans.size) + return false; + if (pdb->perms[i].label >= pdb->trans.size) + return false; + } + + return true; +} + /** * verify_profile - Do post unpack analysis to verify profile consistency * @profile: profile to verify (NOT NULL) @@ -1170,6 +1187,22 @@ static int verify_profile(struct aa_profile *profile) return -EPROTO; } + if (!verify_perm_indexes(&profile->file)) { + audit_iface(profile, NULL, NULL, + "Unpack: Invalid perm index", NULL, -EPROTO); + return -EPROTO; + } + if (!verify_perm_indexes(&profile->policy)) { + audit_iface(profile, NULL, NULL, + "Unpack: Invalid perm index", NULL, -EPROTO); + return -EPROTO; + } + if (!verify_perm_indexes(&profile->xmatch)) { + audit_iface(profile, NULL, NULL, + "Unpack: Invalid perm index", NULL, -EPROTO); + return -EPROTO; + } + return 0; } |