D56287.diff
diff --git a/stand/common/commands.c b/stand/common/commands.c
--- a/stand/common/commands.c
+++ b/stand/common/commands.c
@@ -291,63 +291,6 @@
return (CMD_OK);
}
-#ifdef LOADER_VERIEXEC
-static int
-is_restricted_var(const char *var)
-{
- /*
- * We impose restrictions if input is not verified
- * allowing for exceptions.
- * These entries should include the '='
- */
- const char *allowed[] = {
- "boot_function=",
- "boot_phase=",
- "boot_recover_cli=",
- "boot_recover_volume=",
- "boot_safe=",
- "boot_set=",
- "boot_single=",
- "boot_verbose=",
- NULL,
- };
- const char *restricted[] = {
- "boot",
- "init",
- "loader.ve.",
- "rootfs",
- "secur",
- "vfs.",
- NULL,
- };
- const char **cp;
- int ok = -1;
-
-#ifdef LOADER_VERIEXEC_TESTING
- printf("Checking: %s\n", var);
-#endif
- for (cp = restricted; *cp; cp++) {
- if (strncmp(var, *cp, strlen(*cp)) == 0) {
- ok = 0;
- break;
- }
- }
- if (!ok) {
- /*
- * Check for exceptions.
- * These should match up to '='.
- */
- for (cp = allowed; *cp; cp++) {
- if (strncmp(var, *cp, strlen(*cp)) == 0) {
- ok = 1;
- break;
- }
- }
- }
- return (ok == 0);
-}
-#endif
-
COMMAND_SET(set, "set", "set a variable", command_set);
static int
@@ -364,6 +307,9 @@
ves = ve_status_get(-1);
if (ves == VE_UNVERIFIED_OK) {
+#ifdef LOADER_VERIEXEC_TESTING
+ printf("Checking: %s\n", var);
+#endif
if (is_restricted_var(argv[1])) {
printf("Ignoring restricted variable: %s\n",
argv[1]);
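Review bot: The added debug line prints `var`, but the code it guards tests `argv[1]`, and nothing in this hunk declares a local named `var` in command_set (the function starts outside the hunk). The identifier came from the removed is_restricted_var() parameter, so unless command_set happens to have its own `var`, this only compiles when LOADER_VERIEXEC_TESTING is not defined and the breakage goes unnoticed in normal builds. Use the same expression as the check: `printf("Checking: %s\n", argv[1]);`.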
diff --git a/stand/efi/loader/main.c b/stand/efi/loader/main.c
--- a/stand/efi/loader/main.c
+++ b/stand/efi/loader/main.c
@@ -1242,6 +1242,11 @@
/* Report the RSDP early. */
acpi_detect();
+#ifdef LOADER_VERIEXEC
+ /* tell boot_setenv to be careful */
+ set_check_restricted(true);
+#endif
+
/*
* Chicken-and-egg problem; we want to have console output early, but
* some console attributes may depend on reading from eg. the boot
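Review bot: This is the only place in the diff that calls set_check_restricted(true), and check_restricted is initialised to false in environment.c, so any other loader that links libsa and uses subr_boot will get a boot_setenv that behaves exactly like the old `setenv(k, v, 1)`. If other stand/ platforms build with LOADER_VERIEXEC (not visible here), they need the same call, or the default in environment.c should be the safe one with loaders opting out. A comment on the flag stating the intended default would make the contract explicit, e.g. `/* Off until the platform loader calls set_check_restricted(true); with it off boot_setenv does no filtering. */`. The enclosing function in main.c starts and ends outside this hunk.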
diff --git a/stand/libsa/environment.c b/stand/libsa/environment.c
--- a/stand/libsa/environment.c
+++ b/stand/libsa/environment.c
@@ -222,6 +222,82 @@
return (EPERM);
}
+bool
+is_restricted_var(const char *name)
+{
+ /*
+ * We impose restrictions if input is not verified/trusted
+ * allowing for exceptions.
+ * These entries should probably include the '='
+ */
+ const char *allowed[] = {
+ "boot_function=",
+ "boot_phase=",
+ "boot_recover_cli=",
+ "boot_recover_volume=",
+ "boot_safe=",
+ "boot_set=",
+ "boot_single=",
+ "boot_verbose=",
+#ifdef ENV_IS_RESTRICTED_ALLOWED_LIST
+ ENV_IS_RESTRICTED_ALLOWED_LIST,
+#endif
+ NULL,
+ };
+ /*
+ * These are prefixes we want to be careful with.
+ */
+ const char *restricted[] = {
+ "boot",
+ "init",
+ "loader.ve.",
+ "rootfs",
+ "secur",
+ "vfs.",
+#ifdef ENV_IS_RESTRICTED_LIST
+ ENV_IS_RESTRICTED_LIST,
+#endif
+ NULL,
+ };
+ const char **cp;
+ int ok = -1;
+
+ for (cp = restricted; *cp; cp++) {
+ if (strncmp(name, *cp, strlen(*cp)) == 0) {
+ ok = 0;
+ break;
+ }
+ }
+ if (!ok) {
+ for (cp = allowed; *cp; cp++) {
+ if (strncmp(name, *cp, strlen(*cp)) == 0) {
+ ok = 1;
+ break;
+ }
+ }
+ }
+ return (ok == 0);
+}
+
+static bool check_restricted = false;
+
+void
+set_check_restricted(bool b)
+{
+ check_restricted = b;
+}
+
+/* called from subr_boot with not quite trusted input */
+int
+boot_setenv(const char *name, const char *value)
+{
+ if (check_restricted && is_restricted_var(name)) {
+ errno = EPERM;
+ return -1;
+ }
+ return setenv(name, value, 1);
+}
+
int
env_nounset(struct env_var *ev __unused)
{
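Review bot: The allowed-list entries all carry a trailing '=' while boot_setenv passes a bare variable name, so `strncmp("boot_single", "boot_single=", 12)` never matches and the exception list is dead on the new path: every name starting with a restricted prefix (including boot_single, boot_verbose) is refused with EPERM. The same function still works for command_set because argv[1] there is "name=value". One fix inside the allowed loop is to also accept an exact match of the entry minus its '=': `size_t len = strlen(*cp);` and `if (strncmp(name, *cp, len) == 0 || (strncmp(name, *cp, len - 1) == 0 && name[len - 1] == '\0'))` — the strncmp runs first so the index is in bounds, and this assumes every allowed entry is non-empty (ENV_IS_RESTRICTED_ALLOWED_LIST is not visible here). The comment "These entries should probably include the '='" should then state the rule rather than hedge. Separately, boot_setenv drops refused variables silently while command_set prints "Ignoring restricted variable"; if SETENV callers in subr_boot ignore the return value, a diagnostic here is the only trace of the filtering.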
diff --git a/stand/libsa/stand.h b/stand/libsa/stand.h
--- a/stand/libsa/stand.h
+++ b/stand/libsa/stand.h
@@ -381,6 +381,9 @@
int overwrite);
extern int putenv(char *string);
extern int unsetenv(const char *name);
+extern bool is_restricted_var(const char *name);
+extern void set_check_restricted(bool);
+extern int boot_setenv(const char *name, const char *value);
extern ev_sethook_t env_noset; /* refuse set operation */
extern ev_unsethook_t env_nounset; /* refuse unset operation */
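Review bot: The new prototype `extern void set_check_restricted(bool);` omits the parameter name while the two neighbouring declarations keep theirs; write `extern void set_check_restricted(bool enable);` so the header documents what the argument means. These declarations also rely on `bool` being visible in stand.h; if <stdbool.h> is not already included above this hunk, add it rather than depending on includers.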
diff --git a/sys/kern/subr_boot.c b/sys/kern/subr_boot.c
--- a/sys/kern/subr_boot.c
+++ b/sys/kern/subr_boot.c
@@ -53,7 +53,7 @@
#define GETENV(k) kern_getenv(k)
#define FREE(v) freeenv(v)
#else /* Boot loader */
-#define SETENV(k, v) setenv(k, v, 1)
+#define SETENV(k, v) boot_setenv(k, v)
#define GETENV(k) getenv(k)
#define FREE(v)
#endif
D56287: Add boot_setenv