summaryrefslogtreecommitdiff
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2022-08-26 13:32:34 -0700
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 14:49:03 -0700
commit670f31774ab6bf8e2d756f27444b035b9be8a0c9 (patch)
treedda8d742b73282bf83314b5647a04d29f71f1634 /security/apparmor
parentfd1b2b95a21177eaa9e26989637e477be4d93b2f (diff)
apparmor: verify permission table indexes
While the dfa xindex's are verified, the indexes in the permission table are not currently verified. Fix this. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/policy_unpack.c35
1 files changed, 34 insertions, 1 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index b85dbdde8939..312bd632a472 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -781,8 +781,9 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb *policy,
*info = "failed to unpack profile transition table";
goto fail;
}
- /* TODO: move compat mapping here, requires dfa merging first */
+ /* TODO: move compat mapping here, requires dfa merging first */
+ /* TODO: move verify here, it has to be done after compat mappings */
out:
return 0;
@@ -1149,6 +1150,22 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
return true;
}
+static bool verify_perm_indexes(struct aa_policydb *pdb)
+{
+ int i;
+
+ for (i = 0; i < pdb->size; i++) {
+ if (pdb->perms[i].xindex >= pdb->trans.size)
+ return false;
+ if (pdb->perms[i].tag >= pdb->trans.size)
+ return false;
+ if (pdb->perms[i].label >= pdb->trans.size)
+ return false;
+ }
+
+ return true;
+}
+
/**
* verify_profile - Do post unpack analysis to verify profile consistency
* @profile: profile to verify (NOT NULL)
@@ -1170,6 +1187,22 @@ static int verify_profile(struct aa_profile *profile)
return -EPROTO;
}
+ if (!verify_perm_indexes(&profile->file)) {
+ audit_iface(profile, NULL, NULL,
+ "Unpack: Invalid perm index", NULL, -EPROTO);
+ return -EPROTO;
+ }
+ if (!verify_perm_indexes(&profile->policy)) {
+ audit_iface(profile, NULL, NULL,
+ "Unpack: Invalid perm index", NULL, -EPROTO);
+ return -EPROTO;
+ }
+ if (!verify_perm_indexes(&profile->xmatch)) {
+ audit_iface(profile, NULL, NULL,
+ "Unpack: Invalid perm index", NULL, -EPROTO);
+ return -EPROTO;
+ }
+
return 0;
}