HomeFreeBSD

MAC/veriexec implements a verified execution environment using the MAC

Description

MAC/veriexec implements a verified execution environment using the MAC
framework.

The code is organized into a few distinct pieces:

  • The meta-data store (in veriexec_metadata.c) which maps a file system identifier, file identifier, and generation key tuple to veriexec meta-data record.
  • Fingerprint management (in veriexec_fingerprint.c) which deals with calculating the cryptographic hash for a file and verifying it. It also manages the loadable fingerprint modules.
  • MAC policy implementation (in mac_veriexec.c) which implements the following MAC methods:

mpo_init

Initializes the veriexec state, meta-data store, fingerprint modules,
and registers mount and unmount EVENTHANDLERs

mpo_syscall

Implements the following per-policy system calls:
MAC_VERIEXEC_CHECK_FD_SYSCALL
  Check a file descriptor to see if the referenced file has a valid
  fingerprint.
MAC_VERIEXEC_CHECK_PATH_SYSCALL
  Check a path to see if the referenced file has a valid fingerprint.

mpo_kld_check_load

Check if loading a kld is allowed. This checks if the referenced vnode
has a valid fingerprint.

mpo_mount_destroy_label

Clears the veriexec slot data in a mount point label.

mpo_mount_init_label

Initializes the veriexec slot data in a mount point label.
The file system identifier is saved in the veriexec slot data.

mpo_priv_check

Check if a process is allowed to write to /dev/kmem and /dev/mem
devices.
If a process is flagged as trusted, it is allowed to write.

mpo_proc_check_debug

Check if a process is allowed to be debugged. If a process is not
flagged with VERIEXEC_NOTRACE, then debugging is allowed.

mpo_vnode_check_exec

Check is an exectuable is allowed to run. If veriexec is not enforcing
or the executable has a valid fingerprint, then it is allowed to run.
NOTE: veriexec will complain about mismatched fingerprints if it is
active, regardless of the state of the enforcement.

mpo_vnode_check_open

Check is a file is allowed to be opened. If verification was not
requested, veriexec is not enforcing, or the file has a valid
fingerprint, then veriexec will allow the file to be opened.

mpo_vnode_copy_label

Copies the veriexec slot data from one label to another.

mpo_vnode_destroy_label

Clears the veriexec slot data in a vnode label.

mpo_vnode_init_label

Initializes the veriexec slot data in a vnode label.
The fingerprint status for the file is stored in the veriexec slot data.
  • Some sysctls, under security.mac.veriexec, for setting debug level, fetching the current state in a human-readable form, and dumping the fingerprint database are implemented.
  • The MAC policy implementation source file also contains some utility functions.
  • A set of fingerprint modules for the following cryptographic hash algorithms: RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512
  • Loadable module builds for MAC/veriexec and fingerprint modules.

    WARNING: Using veriexec with NFS (or other network-based) file systems is not recommended as one cannot guarantee the integrity of the files served, nor the uniqueness of file system identifiers which are used as key in the meta-data store.

Reviewed by: ian, jtl
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D8554

Details

Committed
stevekJun 20 2018, 12:41 AM
Reviewer
ian
Differential Revision
D8554: Verified execution (veriexec) as a MAC module.
Parents
rS335398: Revert r335276
Branches
Unknown
Tags
Unknown