sys/security/mac_veriexec_parser/mac_veriexec_parser.c
static const struct fingerprint_type fp_table[] = { | static const struct fingerprint_type fp_table[] = { | ||||
{"sha256=", SHA256_DIGEST_LENGTH}, | {"sha256=", SHA256_DIGEST_LENGTH}, | ||||
#if MAXFINGERPRINTLEN >= SHA384_DIGEST_LENGTH | #if MAXFINGERPRINTLEN >= SHA384_DIGEST_LENGTH | ||||
{"sha384=", SHA384_DIGEST_LENGTH}, | {"sha384=", SHA384_DIGEST_LENGTH}, | ||||
#endif | #endif | ||||
#if MAXFINGERPRINTLEN >= SHA512_DIGEST_LENGTH | #if MAXFINGERPRINTLEN >= SHA512_DIGEST_LENGTH | ||||
{"sha512=", SHA512_DIGEST_LENGTH}, | {"sha512=", SHA512_DIGEST_LENGTH}, | ||||
#endif | #endif | ||||
{"no_hash", 0}, | |||||
{NULL, 0} | {NULL, 0} | ||||
}; | }; | ||||
static const struct fp_flag flags_table[] = { | static const struct fp_flag flags_table[] = { | ||||
{"indirect", VERIEXEC_INDIRECT}, | {"indirect", VERIEXEC_INDIRECT}, | ||||
{"no_ptrace", VERIEXEC_NOTRACE}, | {"no_ptrace", VERIEXEC_NOTRACE}, | ||||
{"trusted", VERIEXEC_TRUSTED}, | {"trusted", VERIEXEC_TRUSTED}, | ||||
{"no_fips", VERIEXEC_NOFIPS}, | {"no_fips", VERIEXEC_NOFIPS}, | ||||
▲ Show 20 Lines • Show All 116 Lines • ▼ Show 20 Lines | if (fp_type != NULL) { | ||||
*/ | */ | ||||
if (*delimiter == ' ' && flags != NULL) | if (*delimiter == ' ' && flags != NULL) | ||||
*flags = get_flags(delimiter); | *flags = get_flags(delimiter); | ||||
/* | /* | ||||
* Split entry into three parts: | * Split entry into three parts: | ||||
* path, fp_type and digest. | * path, fp_type and digest. | ||||
*/ | */ | ||||
if (local_digest[-1] == '=') | |||||
local_digest[-1] = '\0'; | local_digest[-1] = '\0'; | ||||
*delimiter = '\0'; | *delimiter = '\0'; | ||||
fp_type[-1] = '\0'; | fp_type[-1] = '\0'; | ||||
break; | break; | ||||
} | } | ||||
} | } | ||||
if (fp_type == NULL) | if (fp_type == NULL) | ||||
return (EINVAL); | return (EINVAL); | ||||
▲ Show 20 Lines • Show All 117 Lines • ▼ Show 20 Lines | parse_entry(char *entry, char *prefix) | ||||
fp_type = NULL; | fp_type = NULL; | ||||
digest = NULL; | digest = NULL; | ||||
flags = 0; | flags = 0; | ||||
rc = get_fp(entry, &fp_type, &digest, &flags); | rc = get_fp(entry, &fp_type, &digest, &flags); | ||||
if (rc != 0) | if (rc != 0) | ||||
return (rc); | return (rc); | ||||
if (strcmp(fp_type, "no_hash") == 0) | |||||
return (0); | |||||
rc = hexstring_to_bin(digest); | rc = hexstring_to_bin(digest); | ||||
if (rc != 0) | if (rc != 0) | ||||
return (rc); | return (rc); | ||||
if (strnlen(entry, MAXPATHLEN) == MAXPATHLEN) | if (strnlen(entry, MAXPATHLEN) == MAXPATHLEN) | ||||
return (EINVAL); | return (EINVAL); | ||||
/* If the path is not absolute prepend it with a prefix */ | /* If the path is not absolute prepend it with a prefix */ | ||||
if (prefix != NULL && entry[0] != '/') { | if (prefix != NULL && entry[0] != '/') { | ||||
rc = snprintf(path, MAXPATHLEN, "%s/%s", | rc = snprintf(path, MAXPATHLEN, "%s/%s", | ||||
prefix, entry); | prefix, entry); | ||||
if (rc < 0) | if (rc < 0) | ||||
return (-rc); | return (-rc); | ||||
} else { | } else { | ||||
strcpy(path, entry); | strcpy(path, entry); | ||||
} | } | ||||
rc = open_file(path, &nid); | rc = open_file(path, &nid); | ||||
NDFREE(&nid, NDF_ONLY_PNBUF); | NDFREE(&nid, NDF_ONLY_PNBUF); | ||||
if (rc != 0) | if (rc != 0) { | ||||
if (rc == ENOENT) { | |||||
strlcat(path, ".gz", sizeof(path)); | |||||
rc = open_file(path, &nid); | |||||
NDFREE(&nid, NDF_ONLY_PNBUF); | |||||
if (rc == 0) { | |||||
/* | |||||
* A compressed version of this entry exists. | |||||
* These can't be loaded by kldload anyway, | |||||
* so just ignore this entry. | |||||
*/ | |||||
goto out; | |||||
} | |||||
rc = ENOENT; | |||||
} | |||||
return (rc); | return (rc); | ||||
} | |||||
rc = VOP_GETATTR(nid.ni_vp, &va, curthread->td_ucred); | rc = VOP_GETATTR(nid.ni_vp, &va, curthread->td_ucred); | ||||
if (rc != 0) | if (rc != 0) | ||||
goto out; | goto out; | ||||
is_exec = (va.va_mode & VEXEC); | is_exec = (va.va_mode & VEXEC); | ||||
mtx_lock(&ve_mutex); | mtx_lock(&ve_mutex); | ||||
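Review bot: The `.gz` retry in parse_entry discards strlcat's return value, so an entry whose path is already within three bytes of the buffer gets the suffix silently truncated and the second open_file() probes a different name, which then decides between "ignore this entry" and ENOENT; check it before retrying, `if (strlcat(path, ".gz", sizeof(path)) >= sizeof(path)) return (ENOENT);`. The existing strnlen(entry, MAXPATHLEN) guard bounds only the raw entry, not the prefixed path (the snprintf branch above also tests only rc < 0, not rc >= MAXPATHLEN, though that part is pre-existing). The "no_hash" literal now appears both in fp_table and in the strcmp in parse_entry; a single named constant would keep the two from drifting apart. parse_entry's body and the `out:` label it jumps to for the compressed case continue outside the hunk, so whether that path releases nid.ni_vp cannot be confirmed from here.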