ficl pfopen: verify file
If the file is verified - do not allow write otherwise do not allow read. Add O_ACCMODE to stand.h Reviewed by: stevek, mindal_semihalf.com MFC after: 3 days Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20387
This commit is contained in:
parent
d3f78f00db
commit
2ef9ff7dd3
@ -16,3 +16,7 @@ CFLAGS+= -fPIC
|
||||
|
||||
CFLAGS+= -I${FICLSRC} -I${FICLSRC}/${FICL_CPUARCH} -I${LDRSRC}
|
||||
CFLAGS+= -DBF_DICTSIZE=15000
|
||||
|
||||
.if ${MK_LOADER_VERIEXEC} != "no"
|
||||
CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
|
||||
.endif
|
||||
|
@ -502,6 +502,23 @@ static void pfopen(FICL_VM *pVM)
|
||||
|
||||
/* open the file */
|
||||
fd = open(name, mode);
|
||||
#ifdef LOADER_VERIEXEC
|
||||
if (fd >= 0) {
|
||||
if (verify_file(fd, name, 0, VE_GUESS) < 0) {
|
||||
/* not verified writing ok but reading is not */
|
||||
if ((mode & O_ACCMODE) != O_WRONLY) {
|
||||
close(fd);
|
||||
fd = -1;
|
||||
}
|
||||
} else {
|
||||
/* verified reading ok but writing is not */
|
||||
if ((mode & O_ACCMODE) != O_RDONLY) {
|
||||
close(fd);
|
||||
fd = -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
free(name);
|
||||
stackPushINT(pVM->pStack, fd);
|
||||
return;
|
||||
|
@ -286,6 +286,7 @@ extern int open(const char *, int);
|
||||
#define O_RDONLY 0x0
|
||||
#define O_WRONLY 0x1
|
||||
#define O_RDWR 0x2
|
||||
#define O_ACCMODE 0x3
|
||||
/* NOT IMPLEMENTED */
|
||||
#define O_CREAT 0x0200 /* create if nonexistent */
|
||||
#define O_TRUNC 0x0400 /* truncate to zero length */
|
||||
|
Loading…
Reference in New Issue
Block a user