Lines Matching full:profile

66  * aa_ext is the read of the buffer containing the serialized profile.  The
96 * @new: profile if it has been allocated (MAY BE NULL)
97 * @ns_name: name of the ns the profile is to be loaded to (MAY BE NULL)
98 * @name: name of the profile being manipulated (MAY BE NULL)
109 struct aa_profile *profile = labels_profile(aa_current_raw_label()); in audit_iface() local
121 return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); in audit_iface()
474 * unpack_trans_table - unpack a profile transition table
476 * @profile: profile to add the accept table to (NOT NULL)
480 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) in unpack_trans_table() argument
492 profile->file.trans.table = kcalloc(size, sizeof(char *), in unpack_trans_table()
494 if (!profile->file.trans.table) in unpack_trans_table()
497 profile->file.trans.size = size; in unpack_trans_table()
506 profile->file.trans.table[i] = str; in unpack_trans_table()
544 aa_free_domain_entries(&profile->file.trans); in unpack_trans_table()
549 static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile) in unpack_xattrs() argument
557 profile->xattr_count = size; in unpack_xattrs()
558 profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL); in unpack_xattrs()
559 if (!profile->xattrs) in unpack_xattrs()
562 if (!unpack_strdup(e, &profile->xattrs[i], NULL)) in unpack_xattrs()
578 static bool unpack_secmark(struct aa_ext *e, struct aa_profile *profile) in unpack_secmark() argument
586 profile->secmark = kcalloc(size, sizeof(struct aa_secmark), in unpack_secmark()
588 if (!profile->secmark) in unpack_secmark()
591 profile->secmark_count = size; in unpack_secmark()
594 if (!unpack_u8(e, &profile->secmark[i].audit, NULL)) in unpack_secmark()
596 if (!unpack_u8(e, &profile->secmark[i].deny, NULL)) in unpack_secmark()
598 if (!unpack_strdup(e, &profile->secmark[i].label, NULL)) in unpack_secmark()
610 if (profile->secmark) { in unpack_secmark()
612 kfree(profile->secmark[i].label); in unpack_secmark()
613 kfree(profile->secmark); in unpack_secmark()
614 profile->secmark_count = 0; in unpack_secmark()
615 profile->secmark = NULL; in unpack_secmark()
622 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) in unpack_rlimits() argument
632 profile->rlimits.mask = tmp; in unpack_rlimits()
642 profile->rlimits.limits[a].rlim_max = tmp2; in unpack_rlimits()
672 * unpack_profile - unpack a serialized profile
676 * NOTE: unpack profile sets audit struct if there is a failure
680 struct aa_profile *profile = NULL; in unpack_profile() local
682 const char *info = "failed to unpack profile"; in unpack_profile()
694 if (!unpack_nameX(e, AA_STRUCT, "profile")) in unpack_profile()
711 profile = aa_alloc_profile(name, NULL, GFP_KERNEL); in unpack_profile()
712 if (!profile) in unpack_profile()
715 /* profile renaming is optional */ in unpack_profile()
716 (void) unpack_str(e, &profile->rename, "rename"); in unpack_profile()
719 (void) unpack_str(e, &profile->attach, "attach"); in unpack_profile()
722 profile->xmatch = unpack_dfa(e); in unpack_profile()
723 if (IS_ERR(profile->xmatch)) { in unpack_profile()
724 error = PTR_ERR(profile->xmatch); in unpack_profile()
725 profile->xmatch = NULL; in unpack_profile()
730 if (profile->xmatch) { in unpack_profile()
735 profile->xmatch_len = tmp; in unpack_profile()
739 (void) unpack_str(e, &profile->disconnected, "disconnected"); in unpack_profile()
741 /* per profile debug flags (complain, audit) */ in unpack_profile()
743 info = "profile missing flags"; in unpack_profile()
746 info = "failed to unpack profile flags"; in unpack_profile()
750 profile->label.flags |= FLAG_HAT; in unpack_profile()
752 profile->label.flags |= FLAG_DEBUG1; in unpack_profile()
754 profile->label.flags |= FLAG_DEBUG2; in unpack_profile()
758 profile->mode = APPARMOR_COMPLAIN; in unpack_profile()
760 profile->mode = APPARMOR_ENFORCE; in unpack_profile()
762 profile->mode = APPARMOR_KILL; in unpack_profile()
764 profile->mode = APPARMOR_UNCONFINED; in unpack_profile()
765 profile->label.flags |= FLAG_UNCONFINED; in unpack_profile()
772 profile->audit = AUDIT_ALL; in unpack_profile()
778 if (unpack_u32(e, &profile->path_flags, "path_flags")) in unpack_profile()
779 profile->path_flags |= profile->label.flags & in unpack_profile()
783 profile->path_flags = PATH_MEDIATE_DELETED; in unpack_profile()
785 info = "failed to unpack profile capabilities"; in unpack_profile()
786 if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) in unpack_profile()
788 if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) in unpack_profile()
790 if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) in unpack_profile()
795 info = "failed to unpack upper profile capabilities"; in unpack_profile()
798 if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) in unpack_profile()
800 if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) in unpack_profile()
802 if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) in unpack_profile()
810 info = "failed to unpack extended profile capabilities"; in unpack_profile()
813 if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) in unpack_profile()
815 if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) in unpack_profile()
821 if (!unpack_xattrs(e, profile)) { in unpack_profile()
822 info = "failed to unpack profile xattrs"; in unpack_profile()
826 if (!unpack_rlimits(e, profile)) { in unpack_profile()
827 info = "failed to unpack profile rlimits"; in unpack_profile()
831 if (!unpack_secmark(e, profile)) { in unpack_profile()
832 info = "failed to unpack profile secmark rules"; in unpack_profile()
839 profile->policy.dfa = unpack_dfa(e); in unpack_profile()
840 if (IS_ERR(profile->policy.dfa)) { in unpack_profile()
841 error = PTR_ERR(profile->policy.dfa); in unpack_profile()
842 profile->policy.dfa = NULL; in unpack_profile()
844 } else if (!profile->policy.dfa) { in unpack_profile()
848 if (!unpack_u32(e, &profile->policy.start[0], "start")) in unpack_profile()
850 profile->policy.start[0] = DFA_START; in unpack_profile()
853 profile->policy.start[i] = in unpack_profile()
854 aa_dfa_next(profile->policy.dfa, in unpack_profile()
855 profile->policy.start[0], in unpack_profile()
861 profile->policy.dfa = aa_get_dfa(nulldfa); in unpack_profile()
864 profile->file.dfa = unpack_dfa(e); in unpack_profile()
865 if (IS_ERR(profile->file.dfa)) { in unpack_profile()
866 error = PTR_ERR(profile->file.dfa); in unpack_profile()
867 profile->file.dfa = NULL; in unpack_profile()
868 info = "failed to unpack profile file rules"; in unpack_profile()
870 } else if (profile->file.dfa) { in unpack_profile()
871 if (!unpack_u32(e, &profile->file.start, "dfa_start")) in unpack_profile()
873 profile->file.start = DFA_START; in unpack_profile()
874 } else if (profile->policy.dfa && in unpack_profile()
875 profile->policy.start[AA_CLASS_FILE]) { in unpack_profile()
876 profile->file.dfa = aa_get_dfa(profile->policy.dfa); in unpack_profile()
877 profile->file.start = profile->policy.start[AA_CLASS_FILE]; in unpack_profile()
879 profile->file.dfa = aa_get_dfa(nulldfa); in unpack_profile()
881 if (!unpack_trans_table(e, profile)) { in unpack_profile()
882 info = "failed to unpack profile transition table"; in unpack_profile()
888 profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL); in unpack_profile()
889 if (!profile->data) in unpack_profile()
899 if (rhashtable_init(profile->data, &params)) { in unpack_profile()
920 rhashtable_insert_fast(profile->data, &data->head, in unpack_profile()
921 profile->data->p); in unpack_profile()
931 info = "failed to unpack end of profile"; in unpack_profile()
935 return profile; in unpack_profile()
938 if (profile) in unpack_profile()
942 audit_iface(profile, NULL, name, info, e, error); in unpack_profile()
943 aa_free_profile(profile); in unpack_profile()
965 audit_iface(NULL, NULL, NULL, "invalid profile format", in verify_header()
1025 * verify_profile - Do post unpack analysis to verify profile consistency
1026 * @profile: profile to verify (NOT NULL)
1030 static int verify_profile(struct aa_profile *profile) in verify_profile() argument
1032 if (profile->file.dfa && in verify_profile()
1033 !verify_dfa_xindex(profile->file.dfa, in verify_profile()
1034 profile->file.trans.size)) { in verify_profile()
1035 audit_iface(profile, NULL, NULL, "Invalid named transition", in verify_profile()
1168 * aa_unpack - unpack packed binary profile(s) data loaded from user space
1171 * @ns: Returns the namespace the profile is in if specified, else NULL (NOT NULL)
1173 * Unpack user data and return refcounted allocated profile(s) stored in
1177 * Returns: profile(s) on @lh else error pointer if fails to unpack
1183 struct aa_profile *profile = NULL; in aa_unpack() local
1200 profile = unpack_profile(&e, &ns_name); in aa_unpack()
1201 if (IS_ERR(profile)) { in aa_unpack()
1202 error = PTR_ERR(profile); in aa_unpack()
1206 error = verify_profile(profile); in aa_unpack()
1211 error = aa_calc_profile_hash(profile, e.version, start, in aa_unpack()
1222 ent->new = profile; in aa_unpack()
1244 aa_put_profile(profile); in aa_unpack()