
veriexec: add syscall to retrieve veriexec label
Needs Review (Public)

Authored by sebastien.bini_stormshield.eu on Sep 9 2022, 2:02 PM.
Details

Reviewers
sjg
mw
wma
Summary

mac_veriexec supports adding a label (i.e. a bounded string) for each file it has in its metastore. Curiously enough, the functions to add a label to a verified file are there (from manifest parsing to syscall). However, it seems there is no function to read that label back.

This change adds to the existing ioctl on /dev/veriexec so we can retrieve the label of a given file. I further added an option to the veriexec binary so it can return the label.

We plan to use the label to further guarantee that the sensitive program we intend to execute is indeed the right one (and not a hard link to a verified /bin/true).

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 47307
Build 44194: arc lint + arc unit

Event Timeline

Sorry, I already have a method in mac_veriexec to provide access to label - part of the changes for mac_grantbylabel, which don't appear to be committed to main.
Hmm if I had a patch for main I seem to have lost it.
Will have to get that sorted first.

Then I think an api in libveriexec would make more sense - you can have veriexec -l use that api.
mac_grantbylabel comes with such an api but only for its label not the raw label in mac_veriexec (which could apply to many modules),
I think it would be better if I address that.

sbin/veriexec/veriexec.c
58

-l comes before -x

153

please keep options in sorted order

166

Surely this would all be better as a function in libveriexec, so other apps can access the raw label too.

sys/dev/veriexec/verified_exec.c
97

This comment makes no sense here

116

Why are you not using the mac_veriexec_metadata_get_file_label?
oh! mac_grantbylabel has not yet been committed - still awaiting review I think.
It introduces a method for getting file label.

In D36506#829337, @sjg wrote:

Sorry, I already have a method in mac_veriexec to provide access to label - part of the changes for mac_grantbylabel, which don't appear to be committed to main.
Hmm if I had a patch for main I seem to have lost it.
Will have to get that sorted first.

Hmm yes, it would be better if we could go from your patch. Thank you for pointing it out. I would always find it weird to have code to set some label but never to retrieve it, and I'd figured some bits were not committed.

Then I think an api in libveriexec would make more sense - you can have veriexec -l use that api.
mac_grantbylabel comes with such an api but only for its label not the raw label in mac_veriexec (which could apply to many modules),
I think it would be better if I address that.

Agreed.

See D41431 - I will update it shortly to add veriexec_get_{path,pid}_label