diff --git a/sys/dev/veriexec/veriexec_ioctl.h b/sys/dev/veriexec/veriexec_ioctl.h index 1409ebb9f40f..fdb9cbcbe1af 100644 --- a/sys/dev/veriexec/veriexec_ioctl.h +++ b/sys/dev/veriexec/veriexec_ioctl.h @@ -1,64 +1,74 @@ /* * $FreeBSD$ * * Copyright (c) 2011-2023, Juniper Networks, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * * Definitions for the Verified Executables kernel function. * */ #ifndef _DEV_VERIEXEC_VERIEXEC_IOCTL_H #define _DEV_VERIEXEC_VERIEXEC_IOCTL_H #include +/* for backwards compatability */ +struct verified_exec_params32 { + unsigned char flags; + char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */ + char file[MAXPATHLEN]; + unsigned char fingerprint[32]; +}; + struct verified_exec_params { unsigned char flags; char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */ char file[MAXPATHLEN]; unsigned char fingerprint[MAXFINGERPRINTLEN]; }; struct verified_exec_label_params { struct verified_exec_params params; char label[MAXLABELLEN]; }; #define VERIEXEC_LOAD _IOW('S', 0x1, struct verified_exec_params) #define VERIEXEC_ACTIVE _IO('S', 0x2) /* start checking */ #define VERIEXEC_ENFORCE _IO('S', 0x3) /* fail exec */ #define VERIEXEC_LOCK _IO('S', 0x4) /* don't allow new sigs */ #define VERIEXEC_DEBUG_ON _IOWR('S', 0x5, int) /* set/get debug level */ #define VERIEXEC_DEBUG_OFF _IO('S', 0x6) /* reset debug */ #define VERIEXEC_GETSTATE _IOR('S', 0x7, int) /* get state */ -#define VERIEXEC_SIGNED_LOAD _IOW('S', 0x8, struct verified_exec_params) -#define VERIEXEC_GETVERSION _IOR('S', 0x9, int) /* get version */ -#define VERIEXEC_LABEL_LOAD _IOW('S', 0xa, struct verified_exec_label_params) +#define VERIEXEC_SIGNED_LOAD32 _IOW('S', 0x8, struct verified_exec_params32) +#define VERIEXEC_VERIFIED_FILD _IOW('S', 0x9, int) /* fd */ +#define VERIEXEC_GETVERSION _IOR('S', 0xa, int) /* get version */ +#define VERIEXEC_LABEL_LOAD _IOW('S', 0xb, struct verified_exec_label_params) +#define VERIEXEC_SIGNED_LOAD _IOW('S', 0xc, struct verified_exec_params) #define _PATH_DEV_VERIEXEC _PATH_DEV "veriexec" #endif diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c index c00aa49c2f6c..908b54138212 100644 --- a/sys/dev/veriexec/verified_exec.c +++ b/sys/dev/veriexec/verified_exec.c @@ -1,269 +1,281 @@ /* * $FreeBSD$ * - * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc. + * Copyright (c) 2011-2023, Juniper Networks, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "veriexec_ioctl.h" /* * We need a mutex while updating lists etc. */ extern struct mtx ve_mutex; /* * Handle the ioctl for the device */ static int verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, int flags, struct thread *td) { struct nameidata nid; struct vattr vattr; struct verified_exec_label_params *lparams; - struct verified_exec_params *params; + struct verified_exec_params *params, params_; int error = 0; /* * These commands are considered safe requests for anyone who has * permission to access to device node. */ switch (cmd) { case VERIEXEC_GETSTATE: { int *ip = (int *)data; if (ip) *ip = mac_veriexec_get_state(); else error = EINVAL; return (error); } break; default: break; } /* * Anything beyond this point is considered dangerous, so we need to * only allow processes that have kmem write privs to do them. * * MAC/veriexec will grant kmem write privs to "trusted" processes. */ error = priv_check(td, PRIV_VERIEXEC_CONTROL); if (error) return (error); lparams = (struct verified_exec_label_params *)data; - if (cmd == VERIEXEC_LABEL_LOAD) + switch (cmd) { + case VERIEXEC_LABEL_LOAD: params = &lparams->params; - else + break; + case VERIEXEC_SIGNED_LOAD32: + params = ¶ms_; + memcpy(params, data, sizeof(struct verified_exec_params32)); + break; + default: params = (struct verified_exec_params *)data; + break; + } switch (cmd) { case VERIEXEC_ACTIVE: mtx_lock(&ve_mutex); if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE); else error = EINVAL; mtx_unlock(&ve_mutex); break; case VERIEXEC_DEBUG_ON: mtx_lock(&ve_mutex); { int *ip = (int *)data; mac_veriexec_debug++; if (ip) { if (*ip > 0) mac_veriexec_debug = *ip; *ip = mac_veriexec_debug; } } mtx_unlock(&ve_mutex); break; case VERIEXEC_DEBUG_OFF: mac_veriexec_debug = 0; break; case VERIEXEC_ENFORCE: mtx_lock(&ve_mutex); if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE | VERIEXEC_STATE_ENFORCE); else error = EINVAL; mtx_unlock(&ve_mutex); break; case VERIEXEC_GETVERSION: { int *ip = (int *)data; if (ip) *ip = MAC_VERIEXEC_VERSION; else error = EINVAL; } break; case VERIEXEC_LOCK: mtx_lock(&ve_mutex); mac_veriexec_set_state(VERIEXEC_STATE_LOCKED); mtx_unlock(&ve_mutex); break; case VERIEXEC_LOAD: if (prison0.pr_securelevel > 0) return (EPERM); /* no updates when secure */ /* FALLTHROUGH */ case VERIEXEC_LABEL_LOAD: case VERIEXEC_SIGNED_LOAD: /* * If we use a loader that will only use a * digitally signed hash list - which it verifies. * We can load fingerprints provided veriexec is not locked. */ if (prison0.pr_securelevel > 0 && !mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) { /* * If securelevel has been raised and we * do not have any fingerprints loaded, * it would dangerous to do so now. */ return (EPERM); } if (mac_veriexec_in_state(VERIEXEC_STATE_LOCKED)) error = EPERM; else { size_t labellen = 0; int flags = FREAD; int override = (cmd != VERIEXEC_LOAD); + if (params->flags & VERIEXEC_LABEL) { + labellen = strnlen(lparams->label, + MAXLABELLEN) + 1; + if (labellen > MAXLABELLEN) + return (EINVAL); + } + /* * Get the attributes for the file name passed * stash the file's device id and inode number * along with it's fingerprint in a list for * exec to use later. */ /* * FreeBSD seems to copy the args to kernel space */ NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, params->file); if ((error = vn_open(&nid, &flags, 0, NULL)) != 0) return (error); error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred); if (error != 0) { mac_veriexec_set_fingerprint_status(nid.ni_vp, FINGERPRINT_INVALID); VOP_UNLOCK(nid.ni_vp); (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td); return (error); } if (override) { /* * If the file is on a "verified" filesystem * someone may be playing games. */ if ((nid.ni_vp->v_mount->mnt_flag & MNT_VERIFIED) != 0) override = 0; } /* * invalidate the node fingerprint status * which will have been set in the vn_open * and would always be FINGERPRINT_NOTFOUND */ mac_veriexec_set_fingerprint_status(nid.ni_vp, FINGERPRINT_INVALID); VOP_UNLOCK(nid.ni_vp); (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td); - if (params->flags & VERIEXEC_LABEL) - labellen = strnlen(lparams->label, - sizeof(lparams->label) - 1) + 1; mtx_lock(&ve_mutex); error = mac_veriexec_metadata_add_file( ((params->flags & VERIEXEC_FILE) != 0), vattr.va_fsid, vattr.va_fileid, vattr.va_gen, params->fingerprint, (params->flags & VERIEXEC_LABEL) ? lparams->label : NULL, labellen, params->flags, params->fp_type, override); mac_veriexec_set_state(VERIEXEC_STATE_LOADED); mtx_unlock(&ve_mutex); } break; default: error = ENODEV; } return (error); } struct cdevsw veriexec_cdevsw = { .d_version = D_VERSION, .d_ioctl = verifiedexecioctl, .d_name = "veriexec", }; static void veriexec_drvinit(void *unused __unused) { make_dev(&veriexec_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, "veriexec"); } SYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL); MODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION);