| Andrew Scull | b4b6d4a | 2019-01-02 15:54:55 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * AppArmor security module |
| 3 | * |
| 4 | * This file contains AppArmor policy loading interface function definitions. |
| 5 | * |
| 6 | * Copyright 2013 Canonical Ltd. |
| 7 | * |
| 8 | * This program is free software; you can redistribute it and/or |
| 9 | * modify it under the terms of the GNU General Public License as |
| 10 | * published by the Free Software Foundation, version 2 of the |
| 11 | * License. |
| 12 | * |
| 13 | * Fns to provide a checksum of policy that has been loaded this can be |
| 14 | * compared to userspace policy compiles to check loaded policy is what |
| 15 | * it should be. |
| 16 | */ |
| 17 | |
| 18 | #include <crypto/hash.h> |
| 19 | |
| 20 | #include "include/apparmor.h" |
| 21 | #include "include/crypto.h" |
| 22 | |
| 23 | static unsigned int apparmor_hash_size; |
| 24 | |
| 25 | static struct crypto_shash *apparmor_tfm; |
| 26 | |
| 27 | unsigned int aa_hash_size(void) |
| 28 | { |
| 29 | return apparmor_hash_size; |
| 30 | } |
| 31 | |
| 32 | char *aa_calc_hash(void *data, size_t len) |
| 33 | { |
| 34 | SHASH_DESC_ON_STACK(desc, apparmor_tfm); |
| 35 | char *hash = NULL; |
| 36 | int error = -ENOMEM; |
| 37 | |
| 38 | if (!apparmor_tfm) |
| 39 | return NULL; |
| 40 | |
| 41 | hash = kzalloc(apparmor_hash_size, GFP_KERNEL); |
| 42 | if (!hash) |
| 43 | goto fail; |
| 44 | |
| 45 | desc->tfm = apparmor_tfm; |
| 46 | desc->flags = 0; |
| 47 | |
| 48 | error = crypto_shash_init(desc); |
| 49 | if (error) |
| 50 | goto fail; |
| 51 | error = crypto_shash_update(desc, (u8 *) data, len); |
| 52 | if (error) |
| 53 | goto fail; |
| 54 | error = crypto_shash_final(desc, hash); |
| 55 | if (error) |
| 56 | goto fail; |
| 57 | |
| 58 | return hash; |
| 59 | |
| 60 | fail: |
| 61 | kfree(hash); |
| 62 | |
| 63 | return ERR_PTR(error); |
| 64 | } |
| 65 | |
| 66 | int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start, |
| 67 | size_t len) |
| 68 | { |
| 69 | SHASH_DESC_ON_STACK(desc, apparmor_tfm); |
| 70 | int error = -ENOMEM; |
| 71 | __le32 le32_version = cpu_to_le32(version); |
| 72 | |
| 73 | if (!aa_g_hash_policy) |
| 74 | return 0; |
| 75 | |
| 76 | if (!apparmor_tfm) |
| 77 | return 0; |
| 78 | |
| 79 | profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL); |
| 80 | if (!profile->hash) |
| 81 | goto fail; |
| 82 | |
| 83 | desc->tfm = apparmor_tfm; |
| 84 | desc->flags = 0; |
| 85 | |
| 86 | error = crypto_shash_init(desc); |
| 87 | if (error) |
| 88 | goto fail; |
| 89 | error = crypto_shash_update(desc, (u8 *) &le32_version, 4); |
| 90 | if (error) |
| 91 | goto fail; |
| 92 | error = crypto_shash_update(desc, (u8 *) start, len); |
| 93 | if (error) |
| 94 | goto fail; |
| 95 | error = crypto_shash_final(desc, profile->hash); |
| 96 | if (error) |
| 97 | goto fail; |
| 98 | |
| 99 | return 0; |
| 100 | |
| 101 | fail: |
| 102 | kfree(profile->hash); |
| 103 | profile->hash = NULL; |
| 104 | |
| 105 | return error; |
| 106 | } |
| 107 | |
| 108 | static int __init init_profile_hash(void) |
| 109 | { |
| 110 | struct crypto_shash *tfm; |
| 111 | |
| 112 | if (!apparmor_initialized) |
| 113 | return 0; |
| 114 | |
| 115 | tfm = crypto_alloc_shash("sha1", 0, CRYPTO_ALG_ASYNC); |
| 116 | if (IS_ERR(tfm)) { |
| 117 | int error = PTR_ERR(tfm); |
| 118 | AA_ERROR("failed to setup profile sha1 hashing: %d\n", error); |
| 119 | return error; |
| 120 | } |
| 121 | apparmor_tfm = tfm; |
| 122 | apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm); |
| 123 | |
| 124 | aa_info_message("AppArmor sha1 policy hashing enabled"); |
| 125 | |
| 126 | return 0; |
| 127 | } |
| 128 | |
| 129 | late_initcall(init_profile_hash); |