• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * AppArmor security module
3  *
4  * This file contains AppArmor functions for unpacking policy loaded from
5  * userspace.
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2010 Canonical Ltd.
9  *
10  * This program is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU General Public License as
12  * published by the Free Software Foundation, version 2 of the
13  * License.
14  *
15  * AppArmor uses a serialized binary format for loading policy. To find
16  * policy format documentation look in Documentation/security/apparmor.txt
17  * All policy is validated before it is used.
18  */
19 
20 #include <asm/unaligned.h>
21 #include <linux/ctype.h>
22 #include <linux/errno.h>
23 
24 #include "include/apparmor.h"
25 #include "include/audit.h"
26 #include "include/context.h"
27 #include "include/match.h"
28 #include "include/policy.h"
29 #include "include/policy_unpack.h"
30 #include "include/sid.h"
31 
32 /*
33  * The AppArmor interface treats data as a type byte followed by the
34  * actual data.  The interface has the notion of a a named entry
35  * which has a name (AA_NAME typecode followed by name string) followed by
36  * the entries typecode and data.  Named types allow for optional
37  * elements and extensions to be added and tested for without breaking
38  * backwards compatibility.
39  */
40 
41 enum aa_code {
42 	AA_U8,
43 	AA_U16,
44 	AA_U32,
45 	AA_U64,
46 	AA_NAME,		/* same as string except it is items name */
47 	AA_STRING,
48 	AA_BLOB,
49 	AA_STRUCT,
50 	AA_STRUCTEND,
51 	AA_LIST,
52 	AA_LISTEND,
53 	AA_ARRAY,
54 	AA_ARRAYEND,
55 };
56 
57 /*
58  * aa_ext is the read of the buffer containing the serialized profile.  The
59  * data is copied into a kernel buffer in apparmorfs and then handed off to
60  * the unpack routines.
61  */
62 struct aa_ext {
63 	void *start;
64 	void *end;
65 	void *pos;		/* pointer to current position in the buffer */
66 	u32 version;
67 };
68 
69 /* audit callback for unpack fields */
audit_cb(struct audit_buffer * ab,void * va)70 static void audit_cb(struct audit_buffer *ab, void *va)
71 {
72 	struct common_audit_data *sa = va;
73 	if (sa->aad->iface.target) {
74 		struct aa_profile *name = sa->aad->iface.target;
75 		audit_log_format(ab, " name=");
76 		audit_log_untrustedstring(ab, name->base.hname);
77 	}
78 	if (sa->aad->iface.pos)
79 		audit_log_format(ab, " offset=%ld", sa->aad->iface.pos);
80 }
81 
82 /**
83  * audit_iface - do audit message for policy unpacking/load/replace/remove
84  * @new: profile if it has been allocated (MAYBE NULL)
85  * @name: name of the profile being manipulated (MAYBE NULL)
86  * @info: any extra info about the failure (MAYBE NULL)
87  * @e: buffer position info
88  * @error: error code
89  *
90  * Returns: %0 or error
91  */
audit_iface(struct aa_profile * new,const char * name,const char * info,struct aa_ext * e,int error)92 static int audit_iface(struct aa_profile *new, const char *name,
93 		       const char *info, struct aa_ext *e, int error)
94 {
95 	struct aa_profile *profile = __aa_current_profile();
96 	struct common_audit_data sa;
97 	struct apparmor_audit_data aad = {0,};
98 	sa.type = LSM_AUDIT_DATA_NONE;
99 	sa.aad = &aad;
100 	if (e)
101 		aad.iface.pos = e->pos - e->start;
102 	aad.iface.target = new;
103 	aad.name = name;
104 	aad.info = info;
105 	aad.error = error;
106 
107 	return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa,
108 			audit_cb);
109 }
110 
111 /* test if read will be in packed data bounds */
inbounds(struct aa_ext * e,size_t size)112 static bool inbounds(struct aa_ext *e, size_t size)
113 {
114 	return (size <= e->end - e->pos);
115 }
116 
117 /**
118  * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
119  * @e: serialized data read head (NOT NULL)
120  * @chunk: start address for chunk of data (NOT NULL)
121  *
122  * Returns: the size of chunk found with the read head at the end of the chunk.
123  */
unpack_u16_chunk(struct aa_ext * e,char ** chunk)124 static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
125 {
126 	size_t size = 0;
127 
128 	if (!inbounds(e, sizeof(u16)))
129 		return 0;
130 	size = le16_to_cpu(get_unaligned((u16 *) e->pos));
131 	e->pos += sizeof(u16);
132 	if (!inbounds(e, size))
133 		return 0;
134 	*chunk = e->pos;
135 	e->pos += size;
136 	return size;
137 }
138 
139 /* unpack control byte */
unpack_X(struct aa_ext * e,enum aa_code code)140 static bool unpack_X(struct aa_ext *e, enum aa_code code)
141 {
142 	if (!inbounds(e, 1))
143 		return 0;
144 	if (*(u8 *) e->pos != code)
145 		return 0;
146 	e->pos++;
147 	return 1;
148 }
149 
150 /**
151  * unpack_nameX - check is the next element is of type X with a name of @name
152  * @e: serialized data extent information  (NOT NULL)
153  * @code: type code
154  * @name: name to match to the serialized element.  (MAYBE NULL)
155  *
156  * check that the next serialized data element is of type X and has a tag
157  * name @name.  If @name is specified then there must be a matching
158  * name element in the stream.  If @name is NULL any name element will be
159  * skipped and only the typecode will be tested.
160  *
161  * Returns 1 on success (both type code and name tests match) and the read
162  * head is advanced past the headers
163  *
164  * Returns: 0 if either match fails, the read head does not move
165  */
unpack_nameX(struct aa_ext * e,enum aa_code code,const char * name)166 static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
167 {
168 	/*
169 	 * May need to reset pos if name or type doesn't match
170 	 */
171 	void *pos = e->pos;
172 	/*
173 	 * Check for presence of a tagname, and if present name size
174 	 * AA_NAME tag value is a u16.
175 	 */
176 	if (unpack_X(e, AA_NAME)) {
177 		char *tag = NULL;
178 		size_t size = unpack_u16_chunk(e, &tag);
179 		/* if a name is specified it must match. otherwise skip tag */
180 		if (name && (!size || strcmp(name, tag)))
181 			goto fail;
182 	} else if (name) {
183 		/* if a name is specified and there is no name tag fail */
184 		goto fail;
185 	}
186 
187 	/* now check if type code matches */
188 	if (unpack_X(e, code))
189 		return 1;
190 
191 fail:
192 	e->pos = pos;
193 	return 0;
194 }
195 
unpack_u32(struct aa_ext * e,u32 * data,const char * name)196 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
197 {
198 	if (unpack_nameX(e, AA_U32, name)) {
199 		if (!inbounds(e, sizeof(u32)))
200 			return 0;
201 		if (data)
202 			*data = le32_to_cpu(get_unaligned((u32 *) e->pos));
203 		e->pos += sizeof(u32);
204 		return 1;
205 	}
206 	return 0;
207 }
208 
unpack_u64(struct aa_ext * e,u64 * data,const char * name)209 static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
210 {
211 	if (unpack_nameX(e, AA_U64, name)) {
212 		if (!inbounds(e, sizeof(u64)))
213 			return 0;
214 		if (data)
215 			*data = le64_to_cpu(get_unaligned((u64 *) e->pos));
216 		e->pos += sizeof(u64);
217 		return 1;
218 	}
219 	return 0;
220 }
221 
unpack_array(struct aa_ext * e,const char * name)222 static size_t unpack_array(struct aa_ext *e, const char *name)
223 {
224 	if (unpack_nameX(e, AA_ARRAY, name)) {
225 		int size;
226 		if (!inbounds(e, sizeof(u16)))
227 			return 0;
228 		size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos));
229 		e->pos += sizeof(u16);
230 		return size;
231 	}
232 	return 0;
233 }
234 
unpack_blob(struct aa_ext * e,char ** blob,const char * name)235 static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
236 {
237 	if (unpack_nameX(e, AA_BLOB, name)) {
238 		u32 size;
239 		if (!inbounds(e, sizeof(u32)))
240 			return 0;
241 		size = le32_to_cpu(get_unaligned((u32 *) e->pos));
242 		e->pos += sizeof(u32);
243 		if (inbounds(e, (size_t) size)) {
244 			*blob = e->pos;
245 			e->pos += size;
246 			return size;
247 		}
248 	}
249 	return 0;
250 }
251 
unpack_str(struct aa_ext * e,const char ** string,const char * name)252 static int unpack_str(struct aa_ext *e, const char **string, const char *name)
253 {
254 	char *src_str;
255 	size_t size = 0;
256 	void *pos = e->pos;
257 	*string = NULL;
258 	if (unpack_nameX(e, AA_STRING, name)) {
259 		size = unpack_u16_chunk(e, &src_str);
260 		if (size) {
261 			/* strings are null terminated, length is size - 1 */
262 			if (src_str[size - 1] != 0)
263 				goto fail;
264 			*string = src_str;
265 		}
266 	}
267 	return size;
268 
269 fail:
270 	e->pos = pos;
271 	return 0;
272 }
273 
unpack_strdup(struct aa_ext * e,char ** string,const char * name)274 static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
275 {
276 	const char *tmp;
277 	void *pos = e->pos;
278 	int res = unpack_str(e, &tmp, name);
279 	*string = NULL;
280 
281 	if (!res)
282 		return 0;
283 
284 	*string = kmemdup(tmp, res, GFP_KERNEL);
285 	if (!*string) {
286 		e->pos = pos;
287 		return 0;
288 	}
289 
290 	return res;
291 }
292 
293 /**
294  * verify_accept - verify the accept tables of a dfa
295  * @dfa: dfa to verify accept tables of (NOT NULL)
296  * @flags: flags governing dfa
297  *
298  * Returns: 1 if valid accept tables else 0 if error
299  */
verify_accept(struct aa_dfa * dfa,int flags)300 static bool verify_accept(struct aa_dfa *dfa, int flags)
301 {
302 	int i;
303 
304 	/* verify accept permissions */
305 	for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
306 		int mode = ACCEPT_TABLE(dfa)[i];
307 
308 		if (mode & ~DFA_VALID_PERM_MASK)
309 			return 0;
310 
311 		if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
312 			return 0;
313 	}
314 	return 1;
315 }
316 
317 /**
318  * unpack_dfa - unpack a file rule dfa
319  * @e: serialized data extent information (NOT NULL)
320  *
321  * returns dfa or ERR_PTR or NULL if no dfa
322  */
unpack_dfa(struct aa_ext * e)323 static struct aa_dfa *unpack_dfa(struct aa_ext *e)
324 {
325 	char *blob = NULL;
326 	size_t size;
327 	struct aa_dfa *dfa = NULL;
328 
329 	size = unpack_blob(e, &blob, "aadfa");
330 	if (size) {
331 		/*
332 		 * The dfa is aligned with in the blob to 8 bytes
333 		 * from the beginning of the stream.
334 		 */
335 		size_t sz = blob - (char *)e->start;
336 		size_t pad = ALIGN(sz, 8) - sz;
337 		int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
338 			TO_ACCEPT2_FLAG(YYTD_DATA32);
339 
340 
341 		if (aa_g_paranoid_load)
342 			flags |= DFA_FLAG_VERIFY_STATES;
343 
344 		dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
345 
346 		if (IS_ERR(dfa))
347 			return dfa;
348 
349 		if (!verify_accept(dfa, flags))
350 			goto fail;
351 	}
352 
353 	return dfa;
354 
355 fail:
356 	aa_put_dfa(dfa);
357 	return ERR_PTR(-EPROTO);
358 }
359 
360 /**
361  * unpack_trans_table - unpack a profile transition table
362  * @e: serialized data extent information  (NOT NULL)
363  * @profile: profile to add the accept table to (NOT NULL)
364  *
365  * Returns: 1 if table successfully unpacked
366  */
unpack_trans_table(struct aa_ext * e,struct aa_profile * profile)367 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
368 {
369 	void *pos = e->pos;
370 
371 	/* exec table is optional */
372 	if (unpack_nameX(e, AA_STRUCT, "xtable")) {
373 		int i, size;
374 
375 		size = unpack_array(e, NULL);
376 		/* currently 4 exec bits and entries 0-3 are reserved iupcx */
377 		if (size > 16 - 4)
378 			goto fail;
379 		profile->file.trans.table = kzalloc(sizeof(char *) * size,
380 						    GFP_KERNEL);
381 		if (!profile->file.trans.table)
382 			goto fail;
383 
384 		profile->file.trans.size = size;
385 		for (i = 0; i < size; i++) {
386 			char *str;
387 			int c, j, size2 = unpack_strdup(e, &str, NULL);
388 			/* unpack_strdup verifies that the last character is
389 			 * null termination byte.
390 			 */
391 			if (!size2)
392 				goto fail;
393 			profile->file.trans.table[i] = str;
394 			/* verify that name doesn't start with space */
395 			if (isspace(*str))
396 				goto fail;
397 
398 			/* count internal #  of internal \0 */
399 			for (c = j = 0; j < size2 - 2; j++) {
400 				if (!str[j])
401 					c++;
402 			}
403 			if (*str == ':') {
404 				/* beginning with : requires an embedded \0,
405 				 * verify that exactly 1 internal \0 exists
406 				 * trailing \0 already verified by unpack_strdup
407 				 */
408 				if (c != 1)
409 					goto fail;
410 				/* first character after : must be valid */
411 				if (!str[1])
412 					goto fail;
413 			} else if (c)
414 				/* fail - all other cases with embedded \0 */
415 				goto fail;
416 		}
417 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
418 			goto fail;
419 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
420 			goto fail;
421 	}
422 	return 1;
423 
424 fail:
425 	aa_free_domain_entries(&profile->file.trans);
426 	e->pos = pos;
427 	return 0;
428 }
429 
unpack_rlimits(struct aa_ext * e,struct aa_profile * profile)430 static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
431 {
432 	void *pos = e->pos;
433 
434 	/* rlimits are optional */
435 	if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
436 		int i, size;
437 		u32 tmp = 0;
438 		if (!unpack_u32(e, &tmp, NULL))
439 			goto fail;
440 		profile->rlimits.mask = tmp;
441 
442 		size = unpack_array(e, NULL);
443 		if (size > RLIM_NLIMITS)
444 			goto fail;
445 		for (i = 0; i < size; i++) {
446 			u64 tmp2 = 0;
447 			int a = aa_map_resource(i);
448 			if (!unpack_u64(e, &tmp2, NULL))
449 				goto fail;
450 			profile->rlimits.limits[a].rlim_max = tmp2;
451 		}
452 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
453 			goto fail;
454 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
455 			goto fail;
456 	}
457 	return 1;
458 
459 fail:
460 	e->pos = pos;
461 	return 0;
462 }
463 
464 /**
465  * unpack_profile - unpack a serialized profile
466  * @e: serialized data extent information (NOT NULL)
467  *
468  * NOTE: unpack profile sets audit struct if there is a failure
469  */
unpack_profile(struct aa_ext * e)470 static struct aa_profile *unpack_profile(struct aa_ext *e)
471 {
472 	struct aa_profile *profile = NULL;
473 	const char *name = NULL;
474 	int i, error = -EPROTO;
475 	kernel_cap_t tmpcap;
476 	u32 tmp;
477 
478 	/* check that we have the right struct being passed */
479 	if (!unpack_nameX(e, AA_STRUCT, "profile"))
480 		goto fail;
481 	if (!unpack_str(e, &name, NULL))
482 		goto fail;
483 
484 	profile = aa_alloc_profile(name);
485 	if (!profile)
486 		return ERR_PTR(-ENOMEM);
487 
488 	/* profile renaming is optional */
489 	(void) unpack_str(e, &profile->rename, "rename");
490 
491 	/* xmatch is optional and may be NULL */
492 	profile->xmatch = unpack_dfa(e);
493 	if (IS_ERR(profile->xmatch)) {
494 		error = PTR_ERR(profile->xmatch);
495 		profile->xmatch = NULL;
496 		goto fail;
497 	}
498 	/* xmatch_len is not optional if xmatch is set */
499 	if (profile->xmatch) {
500 		if (!unpack_u32(e, &tmp, NULL))
501 			goto fail;
502 		profile->xmatch_len = tmp;
503 	}
504 
505 	/* per profile debug flags (complain, audit) */
506 	if (!unpack_nameX(e, AA_STRUCT, "flags"))
507 		goto fail;
508 	if (!unpack_u32(e, &tmp, NULL))
509 		goto fail;
510 	if (tmp)
511 		profile->flags |= PFLAG_HAT;
512 	if (!unpack_u32(e, &tmp, NULL))
513 		goto fail;
514 	if (tmp)
515 		profile->mode = APPARMOR_COMPLAIN;
516 	if (!unpack_u32(e, &tmp, NULL))
517 		goto fail;
518 	if (tmp)
519 		profile->audit = AUDIT_ALL;
520 
521 	if (!unpack_nameX(e, AA_STRUCTEND, NULL))
522 		goto fail;
523 
524 	/* path_flags is optional */
525 	if (unpack_u32(e, &profile->path_flags, "path_flags"))
526 		profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
527 	else
528 		/* set a default value if path_flags field is not present */
529 		profile->path_flags = PFLAG_MEDIATE_DELETED;
530 
531 	if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
532 		goto fail;
533 	if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
534 		goto fail;
535 	if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
536 		goto fail;
537 	if (!unpack_u32(e, &tmpcap.cap[0], NULL))
538 		goto fail;
539 
540 	if (unpack_nameX(e, AA_STRUCT, "caps64")) {
541 		/* optional upper half of 64 bit caps */
542 		if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
543 			goto fail;
544 		if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
545 			goto fail;
546 		if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
547 			goto fail;
548 		if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
549 			goto fail;
550 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
551 			goto fail;
552 	}
553 
554 	if (unpack_nameX(e, AA_STRUCT, "capsx")) {
555 		/* optional extended caps mediation mask */
556 		if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
557 			goto fail;
558 		if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
559 			goto fail;
560 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
561 			goto fail;
562 	}
563 
564 	if (!unpack_rlimits(e, profile))
565 		goto fail;
566 
567 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
568 		/* generic policy dfa - optional and may be NULL */
569 		profile->policy.dfa = unpack_dfa(e);
570 		if (IS_ERR(profile->policy.dfa)) {
571 			error = PTR_ERR(profile->policy.dfa);
572 			profile->policy.dfa = NULL;
573 			goto fail;
574 		}
575 		if (!unpack_u32(e, &profile->policy.start[0], "start"))
576 			/* default start state */
577 			profile->policy.start[0] = DFA_START;
578 		/* setup class index */
579 		for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
580 			profile->policy.start[i] =
581 				aa_dfa_next(profile->policy.dfa,
582 					    profile->policy.start[0],
583 					    i);
584 		}
585 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
586 			goto fail;
587 	}
588 
589 	/* get file rules */
590 	profile->file.dfa = unpack_dfa(e);
591 	if (IS_ERR(profile->file.dfa)) {
592 		error = PTR_ERR(profile->file.dfa);
593 		profile->file.dfa = NULL;
594 		goto fail;
595 	}
596 
597 	if (!unpack_u32(e, &profile->file.start, "dfa_start"))
598 		/* default start state */
599 		profile->file.start = DFA_START;
600 
601 	if (!unpack_trans_table(e, profile))
602 		goto fail;
603 
604 	if (!unpack_nameX(e, AA_STRUCTEND, NULL))
605 		goto fail;
606 
607 	return profile;
608 
609 fail:
610 	if (profile)
611 		name = NULL;
612 	else if (!name)
613 		name = "unknown";
614 	audit_iface(profile, name, "failed to unpack profile", e, error);
615 	aa_put_profile(profile);
616 
617 	return ERR_PTR(error);
618 }
619 
620 /**
621  * verify_head - unpack serialized stream header
622  * @e: serialized data read head (NOT NULL)
623  * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
624  *
625  * Returns: error or 0 if header is good
626  */
verify_header(struct aa_ext * e,const char ** ns)627 static int verify_header(struct aa_ext *e, const char **ns)
628 {
629 	int error = -EPROTONOSUPPORT;
630 	/* get the interface version */
631 	if (!unpack_u32(e, &e->version, "version")) {
632 		audit_iface(NULL, NULL, "invalid profile format", e, error);
633 		return error;
634 	}
635 
636 	/* check that the interface version is currently supported */
637 	if (e->version != 5) {
638 		audit_iface(NULL, NULL, "unsupported interface version", e,
639 			    error);
640 		return error;
641 	}
642 
643 	/* read the namespace if present */
644 	if (!unpack_str(e, ns, "namespace"))
645 		*ns = NULL;
646 
647 	return 0;
648 }
649 
verify_xindex(int xindex,int table_size)650 static bool verify_xindex(int xindex, int table_size)
651 {
652 	int index, xtype;
653 	xtype = xindex & AA_X_TYPE_MASK;
654 	index = xindex & AA_X_INDEX_MASK;
655 	if (xtype == AA_X_TABLE && index > table_size)
656 		return 0;
657 	return 1;
658 }
659 
660 /* verify dfa xindexes are in range of transition tables */
verify_dfa_xindex(struct aa_dfa * dfa,int table_size)661 static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
662 {
663 	int i;
664 	for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
665 		if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
666 			return 0;
667 		if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
668 			return 0;
669 	}
670 	return 1;
671 }
672 
673 /**
674  * verify_profile - Do post unpack analysis to verify profile consistency
675  * @profile: profile to verify (NOT NULL)
676  *
677  * Returns: 0 if passes verification else error
678  */
verify_profile(struct aa_profile * profile)679 static int verify_profile(struct aa_profile *profile)
680 {
681 	if (aa_g_paranoid_load) {
682 		if (profile->file.dfa &&
683 		    !verify_dfa_xindex(profile->file.dfa,
684 				       profile->file.trans.size)) {
685 			audit_iface(profile, NULL, "Invalid named transition",
686 				    NULL, -EPROTO);
687 			return -EPROTO;
688 		}
689 	}
690 
691 	return 0;
692 }
693 
694 /**
695  * aa_unpack - unpack packed binary profile data loaded from user space
696  * @udata: user data copied to kmem  (NOT NULL)
697  * @size: the size of the user data
698  * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
699  *
700  * Unpack user data and return refcounted allocated profile or ERR_PTR
701  *
702  * Returns: profile else error pointer if fails to unpack
703  */
aa_unpack(void * udata,size_t size,const char ** ns)704 struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns)
705 {
706 	struct aa_profile *profile = NULL;
707 	int error;
708 	struct aa_ext e = {
709 		.start = udata,
710 		.end = udata + size,
711 		.pos = udata,
712 	};
713 
714 	error = verify_header(&e, ns);
715 	if (error)
716 		return ERR_PTR(error);
717 
718 	profile = unpack_profile(&e);
719 	if (IS_ERR(profile))
720 		return profile;
721 
722 	error = verify_profile(profile);
723 	if (error) {
724 		aa_put_profile(profile);
725 		profile = ERR_PTR(error);
726 	}
727 
728 	/* return refcount */
729 	return profile;
730 }
731