veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32

We need to handle old ioctl from old binary. Add some missing ioctls. Obtained from: Juniper Networks, Inc.
2023-04-02 14:58:27 -07:00 · 2023-04-02 14:58:27 -07:00 · bd4742c970
commit bd4742c970
parent d195f39d1d
2 changed files with 32 additions and 10 deletions
--- a/sys/dev/veriexec/veriexec_ioctl.h
+++ b/sys/dev/veriexec/veriexec_ioctl.h
@ -36,6 +36,14 @@

 #include <security/mac_veriexec/mac_veriexec.h>

+/* for backwards compatability */
+struct verified_exec_params32  {
+	unsigned char flags;
+	char fp_type[VERIEXEC_FPTYPELEN];	/* type of fingerprint */
+	char file[MAXPATHLEN];
+	unsigned char fingerprint[32];
+};
+
 struct verified_exec_params  {
 	unsigned char flags;
 	char fp_type[VERIEXEC_FPTYPELEN];	/* type of fingerprint */
@ -55,9 +63,11 @@ struct verified_exec_label_params  {
 #define VERIEXEC_DEBUG_ON	_IOWR('S', 0x5, int) /* set/get debug level */
 #define VERIEXEC_DEBUG_OFF 	_IO('S', 0x6)	/* reset debug */
 #define VERIEXEC_GETSTATE 	_IOR('S', 0x7, int) /* get state */
-#define VERIEXEC_SIGNED_LOAD	_IOW('S', 0x8, struct verified_exec_params)
-#define VERIEXEC_GETVERSION	_IOR('S', 0x9, int) /* get version */
-#define VERIEXEC_LABEL_LOAD	_IOW('S', 0xa, struct verified_exec_label_params)
+#define	VERIEXEC_SIGNED_LOAD32	_IOW('S', 0x8, struct verified_exec_params32)
+#define	VERIEXEC_VERIFIED_FILD	_IOW('S', 0x9, int) /* fd */
+#define VERIEXEC_GETVERSION	_IOR('S', 0xa, int) /* get version */
+#define VERIEXEC_LABEL_LOAD	_IOW('S', 0xb, struct verified_exec_label_params)
+#define	VERIEXEC_SIGNED_LOAD	_IOW('S', 0xc, struct verified_exec_params)

 #define	_PATH_DEV_VERIEXEC	_PATH_DEV "veriexec"

--- a/sys/dev/veriexec/verified_exec.c
+++ b/sys/dev/veriexec/verified_exec.c
@ -1,7 +1,7 @@
 /*
 * $FreeBSD$
 *
- * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
+ * Copyright (c) 2011-2023, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -69,7 +69,7 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 	struct nameidata nid;
 	struct vattr vattr;
 	struct verified_exec_label_params *lparams;
-	struct verified_exec_params *params;
+	struct verified_exec_params *params, params_;
 	int error = 0;

 	/*
@ -104,10 +104,18 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 		return (error);

 	lparams = (struct verified_exec_label_params *)data;
-	if (cmd == VERIEXEC_LABEL_LOAD)
+	switch (cmd) {
+	case VERIEXEC_LABEL_LOAD:
 		params = &lparams->params;
-	else
+		break;
+	case VERIEXEC_SIGNED_LOAD32:
+		params = &params_;
+		memcpy(params, data, sizeof(struct verified_exec_params32));
+		break;
+	default:
 		params = (struct verified_exec_params *)data;
+		break;
+	}

 	switch (cmd) {
 	case VERIEXEC_ACTIVE:
@ -187,6 +195,13 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 			int flags = FREAD;
 			int override = (cmd != VERIEXEC_LOAD);

+			if (params->flags & VERIEXEC_LABEL) {
+				labellen = strnlen(lparams->label,
+				    MAXLABELLEN) + 1;
+				if (labellen > MAXLABELLEN)
+					return (EINVAL);
+			}
+
 			/*
 			 * Get the attributes for the file name passed
 			 * stash the file's device id and inode number
@ -228,9 +243,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 			    FINGERPRINT_INVALID);
 			VOP_UNLOCK(nid.ni_vp);
 			(void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
-			if (params->flags & VERIEXEC_LABEL)
-				labellen = strnlen(lparams->label,
-				    sizeof(lparams->label) - 1) + 1;

 			mtx_lock(&ve_mutex);
 			error = mac_veriexec_metadata_add_file(