sbin/veriexec/veriexec.c
#include <stdlib.h> | #include <stdlib.h> | ||||
#include <sysexits.h> | #include <sysexits.h> | ||||
#include <unistd.h> | #include <unistd.h> | ||||
#include <paths.h> | #include <paths.h> | ||||
#include <err.h> | #include <err.h> | ||||
#include <syslog.h> | #include <syslog.h> | ||||
#include <libsecureboot.h> | #include <libsecureboot.h> | ||||
#include <libveriexec.h> | #include <libveriexec.h> | ||||
#include <sys/types.h> | |||||
#include "veriexec.h" | #include "veriexec.h" | ||||
/* Globals that are shared with manifest_parser.c */ | |||||
int dev_fd = -1; | int dev_fd = -1; | ||||
int ForceFlags = 0; | int ForceFlags = 0; | ||||
int Verbose = 0; | int Verbose = 0; | ||||
int VeriexecVersion = 0; | int VeriexecVersion = 0; | ||||
const char *Cdir = NULL; | const char *Cdir = NULL; | ||||
/*! | |||||
* @brief Print help message describing program's usage | |||||
sjg: Can you please use the @brief format | |||||
* @param void | |||||
* @return always returns code 0 | |||||
*/ | |||||
static int | static int | ||||
veriexec_usage() | |||||
{ | |||||
printf("%s", | |||||
"Usage:\tveriexec [-h] [-i state] [-C] [-xv state|verbosity] [path]\n"); | |||||
return (0); | |||||
} | |||||
/*! | |||||
* @brief Load a veriexec manifest | |||||
* @param manifest Pointer to the location of the manifest file | |||||
* @retval the error code returned from the parser | |||||
*/ | |||||
static int | |||||
veriexec_load(const char *manifest) | veriexec_load(const char *manifest) | ||||
{ | { | ||||
unsigned char *content; | unsigned char *content; | ||||
int rc; | int rc; | ||||
content = verify_signed(manifest, VEF_VERBOSE); | content = verify_signed(manifest, VEF_VERBOSE); | ||||
if (!content) | if (!content) | ||||
errx(EX_USAGE, "cannot verify %s", manifest); | errx(EX_USAGE, "cannot verify %s", manifest); | ||||
if (manifest_open(manifest, content)) { | if (manifest_open(manifest, (const char *)content)) { | ||||
rc = yyparse(); | rc = yyparse(); | ||||
} else { | } else { | ||||
err(EX_NOINPUT, "cannot load %s", manifest); | err(EX_NOINPUT, "cannot load %s", manifest); | ||||
} | } | ||||
free(content); | free(content); | ||||
return (rc); | return (rc); | ||||
} | } | ||||
/*! | |||||
* @brief Get the veriexec state for the supplied argument | |||||
* @param arg_text String containing the argument to be processed | |||||
* @retval The veriexec state number for the specified argument | |||||
*/ | |||||
static uint32_t | |||||
veriexec_state_query(const char *arg_text) | |||||
{ | |||||
uint32_t state = 0; | |||||
unsigned long len; | |||||
Not Done Inline ActionsThis would break all our usage of veriexec for past 15+ years. sjg: This would break all our usage of veriexec for past 15+ years.
There is no need to pass more… | |||||
Not Done Inline ActionsWell, veriexec(8) do not document it as the expected usage: The possible states are: loaded set automatically when first manifest has been loaded. active mac_veriexec(4) will begin checking files. This state can only be entered from the loaded state. enforce mac_veriexec(4) will fail attempts to exec(2) or open(2) files with O_VERIFY unless verified. locked prevent loading of any more manifests. And, to be honest, this behavior is quite surprising (for example, mtree(8) wants keywords, not keyword-abbreviations) that's why we felt it would need to be adjusted. Could we agree on something in-between like strcmp(arg_text, "a") == 0 || strcmp(arg_text, "active") == 0 (and adjust the man accordingly)? stephane.rochoy_stormshield.eu: Well, `veriexec(8)` do not document it as the expected usage:
The possible states are… | |||||
Not Done Inline ActionsI'm happy to update the man page to explain that a non-ambiguous prefix match is sufficient. Note strcmp would never be a suitable method of matching, if more than a single character is needed, then strncmp would be useful eg. if (strncmp("active", arg_text, strlen(arg_text) == 0) sjg: I'm happy to update the man page to explain that a non-ambiguous prefix match is sufficient. | |||||
Not Done Inline ActionsI believe this parameter parsing should be improved:
Personally I find the unambiguous prefix matching a bit overkill for such a small program. I suggest the following: each status can be matched either by a long string ("activate", "locked") or a shortcut string ("a" for "activate", "lock" for "locked", etc...). sebastien.bini_stormshield.eu: I believe this parameter parsing should be improved:
- `veriexec -i a && veriexec -i active &&… | |||||
Not Done Inline ActionsFWIW the 'locked' state is something we have never used, it is a hold over from the original NetBSD implementation which relied on manifests loaded during single user and then state locked - the only way to update was to reboot. The use of strncmp as I described earlier is a simple way to allow better matching without breaking backwards compatibility. sjg: FWIW the 'locked' state is something we have never used, it is a hold over from the original… | |||||
len = strlen(arg_text); | |||||
if (strncmp(arg_text, "active", len) == 0) | |||||
state |= VERIEXEC_STATE_ACTIVE; | |||||
else if (strncmp(arg_text, "enforce", len) == 0) | |||||
state |= VERIEXEC_STATE_ENFORCE; | |||||
if (strncmp(arg_text, "loaded", len) == 0) | |||||
state |= VERIEXEC_STATE_LOADED; | |||||
if (strncmp(arg_text, "locked", len) == 0) | |||||
state |= VERIEXEC_STATE_LOCKED; | |||||
Not Done Inline Actions"l" and "lo" resolve to "loaded" while it should yield an error. sebastien.bini_stormshield.eu: "l" and "lo" resolve to "loaded" while it should yield an error. | |||||
if (state == 0 || __bitcount(state) > 1) | |||||
errx(EX_USAGE, "Unknown state \'%s\'", arg_text); | |||||
return (state); | |||||
} | |||||
/*! | |||||
* @brief Get the veriexec command state for the supplied argument | |||||
* @param arg_text String containing the argument to be processed | |||||
* @retval The veriexec command state for the specified argument | |||||
*/ | |||||
static uint32_t | |||||
veriexec_state_modify(const char *arg_text) | |||||
{ | |||||
uint32_t state = 0; | |||||
unsigned long len; | |||||
len = strlen(arg_text); | |||||
if (strncmp(arg_text, "active", len) == 0) | |||||
state = VERIEXEC_ACTIVE; | |||||
else if (strncmp(arg_text, "enforce", len) == 0) | |||||
state = VERIEXEC_ENFORCE; | |||||
else if (strncmp(arg_text, "getstate", len) == 0) | |||||
state = VERIEXEC_GETSTATE; | |||||
else if (strncmp(arg_text, "lock", len) == 0) | |||||
state = VERIEXEC_LOCK; | |||||
else | |||||
errx(EX_USAGE, "Unknown command \'%s\'", arg_text); | |||||
return (state); | |||||
} | |||||
int | int | ||||
main(int argc, char *argv[]) | main(int argc, char *argv[]) | ||||
{ | { | ||||
unsigned long ctl; | long long converted_int; | ||||
int c; | uint32_t state; | ||||
char c; | |||||
int x; | int x; | ||||
if (argc < 2) | |||||
return (veriexec_usage()); | |||||
dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0); | dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0); | ||||
while ((c = getopt(argc, argv, "C:i:xvz:")) != -1) { | while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1) { | ||||
switch (c) { | switch (c) { | ||||
case 'h': | |||||
/* Print usage info */ | |||||
return (veriexec_usage()); | |||||
case 'C': | case 'C': | ||||
/* Get the provided directory argument */ | |||||
Cdir = optarg; | Cdir = optarg; | ||||
break; | break; | ||||
case 'i': | case 'i': | ||||
/* Query the current state */ | |||||
Not Done Inline Actionsie. current state Is? sjg: ie. current state Is? | |||||
if (dev_fd < 0) { | if (dev_fd < 0) { | ||||
err(EX_UNAVAILABLE, "cannot open veriexec"); | err(EX_UNAVAILABLE, "cannot open veriexec"); | ||||
} | } | ||||
if (ioctl(dev_fd, VERIEXEC_GETSTATE, &x)) { | if (ioctl(dev_fd, VERIEXEC_GETSTATE, &x)) { | ||||
err(EX_UNAVAILABLE, | err(EX_UNAVAILABLE, | ||||
"Cannot get veriexec state"); | "Cannot get veriexec state"); | ||||
} | } | ||||
switch (optarg[0]) { | |||||
case 'a': /* active */ | state = veriexec_state_query(optarg); | ||||
ctl = VERIEXEC_STATE_ACTIVE; | |||||
exit((x & state) == 0); | |||||
break; | break; | ||||
case 'e': /* enforce */ | |||||
ctl = VERIEXEC_STATE_ENFORCE; | |||||
break; | |||||
case 'l': /* loaded/locked */ | |||||
ctl = (strncmp(optarg, "lock", 4) == 0) ? | |||||
VERIEXEC_STATE_LOCKED : | |||||
VERIEXEC_STATE_LOADED; | |||||
break; | |||||
default: | |||||
errx(EX_USAGE, "unknown state %s", optarg); | |||||
break; | |||||
} | |||||
exit((x & ctl) == 0); | |||||
break; | |||||
case 'v': | case 'v': | ||||
/* Increase the verbosity */ | |||||
Verbose++; | Verbose++; | ||||
break; | break; | ||||
case 'x': | case 'x': | ||||
/* Check veriexec paths */ | |||||
/* | /* | ||||
* -x says all other args are paths to check. | * -x says all other args are paths to check. | ||||
*/ | */ | ||||
for (x = 0; optind < argc; optind++) { | for (x = EX_OK; optind < argc; optind++) { | ||||
if (veriexec_check_path(argv[optind])) { | if (veriexec_check_path(argv[optind])) { | ||||
warn("%s", argv[optind]); | warn("%s", argv[optind]); | ||||
x = 2; | x = 2; | ||||
} | } | ||||
} | } | ||||
exit(x); | exit(x); | ||||
break; | break; | ||||
case 'z': | case 'z': | ||||
switch (optarg[0]) { | /* Modify the state */ | ||||
case 'a': /* active */ | |||||
ctl = VERIEXEC_ACTIVE; | if (strncmp(optarg, "debug", strlen(optarg)) == 0) { | ||||
Not Done Inline Actionsagain the requirement to fully spell out debug vs 'd' is a step backwards. sjg: again the requirement to fully spell out debug vs 'd' is a step backwards. | |||||
break; | const char *error; | ||||
case 'd': /* debug* */ | |||||
ctl = (strstr(optarg, "off")) ? | if (optind >= argc) | ||||
VERIEXEC_DEBUG_OFF : VERIEXEC_DEBUG_ON; | errx(EX_USAGE, | ||||
if (optind < argc && ctl == VERIEXEC_DEBUG_ON) { | "Missing mac_veriexec verbosity level \'N\', veriexec -z debug N, where N is \'off\' or the value 0 or greater"); | ||||
x = atoi(argv[optind]); | |||||
if (strncmp(argv[optind], "off", strlen(argv[optind])) == 0) { | |||||
state = VERIEXEC_DEBUG_OFF; | |||||
x = 0; | |||||
} else { | |||||
state = VERIEXEC_DEBUG_ON; | |||||
converted_int = strtonum(argv[optind], 0, INT_MAX, &error); | |||||
if (error != NULL) | |||||
errx(EX_USAGE, "Conversion error for argument \'%s\' : %s", | |||||
argv[optind], error); | |||||
x = (int) converted_int; | |||||
if (x == 0) | if (x == 0) | ||||
ctl = VERIEXEC_DEBUG_OFF; | state = VERIEXEC_DEBUG_OFF; | ||||
} | } | ||||
} else | |||||
state = veriexec_state_modify(optarg); | |||||
if (dev_fd < 0) | |||||
err(EX_UNAVAILABLE, "Cannot open veriexec"); | |||||
if (ioctl(dev_fd, state, &x)) | |||||
err(EX_UNAVAILABLE, "Cannot %s veriexec", optarg); | |||||
if (state == VERIEXEC_DEBUG_ON || state == VERIEXEC_DEBUG_OFF) | |||||
printf("mac_veriexec debug verbosity level: %d\n", x); | |||||
else if (state == VERIEXEC_GETSTATE) | |||||
printf("Veriexec state (octal) : %#o\n", x); | |||||
exit(EX_OK); | |||||
break; | break; | ||||
case 'e': /* enforce */ | |||||
ctl = VERIEXEC_ENFORCE; | |||||
break; | |||||
case 'g': | |||||
ctl = VERIEXEC_GETSTATE; /* get state */ | |||||
break; | |||||
case 'l': /* lock */ | |||||
ctl = VERIEXEC_LOCK; | |||||
break; | |||||
default: | default: | ||||
errx(EX_USAGE, "unknown command %s", optarg); | |||||
/* Missing argument, print usage info.*/ | |||||
veriexec_usage(); | |||||
exit(EX_USAGE); | |||||
break; | break; | ||||
} | } | ||||
if (dev_fd < 0) { | |||||
err(EX_UNAVAILABLE, "cannot open veriexec"); | |||||
} | } | ||||
if (ioctl(dev_fd, ctl, &x)) { | |||||
err(EX_UNAVAILABLE, "cannot %s veriexec", optarg); | if (Verbose) | ||||
Not Done Inline Actionsspace before ( sjg: space before `(` | |||||
} | printf("Verbosity level : %d\n", Verbose); | ||||
if (ctl == VERIEXEC_DEBUG_ON || | |||||
ctl == VERIEXEC_DEBUG_OFF) { | if (dev_fd < 0) | ||||
printf("debug is: %d\n", x); | err(EX_UNAVAILABLE, "Cannot open veriexec"); | ||||
} else if (ctl == VERIEXEC_GETSTATE) { | |||||
printf("%#o\n", x); | |||||
} | |||||
exit(EX_OK); | |||||
break; | |||||
} | |||||
} | |||||
openlog(getprogname(), LOG_PID, LOG_AUTH); | openlog(getprogname(), LOG_PID, LOG_AUTH); | ||||
if (ve_trust_init() < 1) | if (ve_trust_init() < 1) | ||||
errx(EX_OSFILE, "cannot initialize trust store"); | errx(EX_OSFILE, "cannot initialize trust store"); | ||||
#ifdef VERIEXEC_GETVERSION | #ifdef VERIEXEC_GETVERSION | ||||
if (ioctl(dev_fd, VERIEXEC_GETVERSION, &VeriexecVersion)) { | if (ioctl(dev_fd, VERIEXEC_GETVERSION, &VeriexecVersion)) { | ||||
VeriexecVersion = 0; /* unknown */ | VeriexecVersion = 0; /* unknown */ | ||||
} | } | ||||
#endif | #endif | ||||
for (; optind < argc; optind++) { | for (; optind < argc; optind++) { | ||||
if (veriexec_load(argv[optind])) { | if (veriexec_load(argv[optind])) { | ||||
err(EX_DATAERR, "cannot load %s", argv[optind]); | err(EX_DATAERR, "cannot load %s", argv[optind]); | ||||
} | } | ||||
} | } | ||||
exit(EX_OK); | exit(EX_OK); | ||||
} | } |
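Review bot: The option variable in main's declarations is now `char c;` (the old side had `int c;`), but getopt() returns an int and the loop condition is `while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1)`; on targets where plain char is unsigned the returned -1 is stored as 255 and the condition never becomes false, so option parsing does not terminate — restore `int c;`. Separately, veriexec_state_modify and the `-z debug` test use `strlen(optarg)` as the strncmp length, so an empty argument (`-z ""`) matches the first keyword compared instead of being rejected; a guard such as `if (len == 0) errx(EX_USAGE, "Unknown command \'%s\'", arg_text);` before the chain closes that (veriexec_state_query is already protected by its bit-count check). `INT_MAX` in the strtonum call needs <limits.h>, which is not among the visible includes — presumably it is in the hidden first 27 lines; confirm. veriexec_usage() would also be better declared `veriexec_usage(void)` so the prototype is checked.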
Can you please use the @brief format