MAC/veriexec implements a verified execution environment using the MAC
framework. The code is organized into a few distinct pieces: * The meta-data store (in veriexec_metadata.c) which maps a file system identifier, file identifier, and generation key tuple to veriexec meta-data record. * Fingerprint management (in veriexec_fingerprint.c) which deals with calculating the cryptographic hash for a file and verifying it. It also manages the loadable fingerprint modules. * MAC policy implementation (in mac_veriexec.c) which implements the following MAC methods: mpo_init Initializes the veriexec state, meta-data store, fingerprint modules, and registers mount and unmount EVENTHANDLERs mpo_syscall Implements the following per-policy system calls: MAC_VERIEXEC_CHECK_FD_SYSCALL Check a file descriptor to see if the referenced file has a valid fingerprint. MAC_VERIEXEC_CHECK_PATH_SYSCALL Check a path to see if the referenced file has a valid fingerprint. mpo_kld_check_load Check if loading a kld is allowed. This checks if the referenced vnode has a valid fingerprint. mpo_mount_destroy_label Clears the veriexec slot data in a mount point label. mpo_mount_init_label Initializes the veriexec slot data in a mount point label. The file system identifier is saved in the veriexec slot data. mpo_priv_check Check if a process is allowed to write to /dev/kmem and /dev/mem devices. If a process is flagged as trusted, it is allowed to write. mpo_proc_check_debug Check if a process is allowed to be debugged. If a process is not flagged with VERIEXEC_NOTRACE, then debugging is allowed. mpo_vnode_check_exec Check is an exectuable is allowed to run. If veriexec is not enforcing or the executable has a valid fingerprint, then it is allowed to run. NOTE: veriexec will complain about mismatched fingerprints if it is active, regardless of the state of the enforcement. mpo_vnode_check_open Check is a file is allowed to be opened. If verification was not requested, veriexec is not enforcing, or the file has a valid fingerprint, then veriexec will allow the file to be opened. mpo_vnode_copy_label Copies the veriexec slot data from one label to another. mpo_vnode_destroy_label Clears the veriexec slot data in a vnode label. mpo_vnode_init_label Initializes the veriexec slot data in a vnode label. The fingerprint status for the file is stored in the veriexec slot data. * Some sysctls, under security.mac.veriexec, for setting debug level, fetching the current state in a human-readable form, and dumping the fingerprint database are implemented. * The MAC policy implementation source file also contains some utility functions. * A set of fingerprint modules for the following cryptographic hash algorithms: RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512 * Loadable module builds for MAC/veriexec and fingerprint modules. WARNING: Using veriexec with NFS (or other network-based) file systems is not recommended as one cannot guarantee the integrity of the files served, nor the uniqueness of file system identifiers which are used as key in the meta-data store. Reviewed by: ian, jtl Obtained from: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D8554
This commit is contained in:
parent
ec82884e87
commit
fb47a3769c
@ -3424,6 +3424,7 @@ dev/videomode/videomode.c optional videomode
|
||||
dev/videomode/edid.c optional videomode
|
||||
dev/videomode/pickmode.c optional videomode
|
||||
dev/videomode/vesagtf.c optional videomode
|
||||
dev/veriexec/verified_exec.c optional veriexec mac_veriexec
|
||||
dev/vge/if_vge.c optional vge
|
||||
dev/viapm/viapm.c optional viapm pci
|
||||
dev/virtio/virtio.c optional virtio
|
||||
@ -4892,6 +4893,14 @@ security/mac_portacl/mac_portacl.c optional mac_portacl
|
||||
security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
|
||||
security/mac_stub/mac_stub.c optional mac_stub
|
||||
security/mac_test/mac_test.c optional mac_test
|
||||
security/mac_veriexec/mac_veriexec.c optional mac_veriexec
|
||||
security/mac_veriexec/veriexec_fingerprint.c optional mac_veriexec
|
||||
security/mac_veriexec/veriexec_metadata.c optional mac_veriexec
|
||||
security/mac_veriexec/mac_veriexec_rmd160.c optional mac_veriexec_rmd160
|
||||
security/mac_veriexec/mac_veriexec_sha1.c optional mac_veriexec_sha1
|
||||
security/mac_veriexec/mac_veriexec_sha256.c optional mac_veriexec_sha256
|
||||
security/mac_veriexec/mac_veriexec_sha384.c optional mac_veriexec_sha384
|
||||
security/mac_veriexec/mac_veriexec_sha512.c optional mac_veriexec_sha512
|
||||
teken/teken.c optional sc | vt
|
||||
ufs/ffs/ffs_alloc.c optional ffs
|
||||
ufs/ffs/ffs_balloc.c optional ffs
|
||||
|
@ -237,6 +237,12 @@ SUBDIR= \
|
||||
mac_seeotheruids \
|
||||
mac_stub \
|
||||
mac_test \
|
||||
mac_veriexec \
|
||||
mac_veriexec_rmd160 \
|
||||
mac_veriexec_sha1 \
|
||||
mac_veriexec_sha256 \
|
||||
mac_veriexec_sha384 \
|
||||
mac_veriexec_sha512 \
|
||||
malo \
|
||||
md \
|
||||
mdio \
|
||||
|
40
sys/modules/mac_veriexec/Makefile
Normal file
40
sys/modules/mac_veriexec/Makefile
Normal file
@ -0,0 +1,40 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.PATH: ${.PARSEDIR:H:H}/security/mac_veriexec
|
||||
|
||||
KMOD = mac_veriexec
|
||||
SRCS = \
|
||||
bus_if.h \
|
||||
device_if.h \
|
||||
vnode_if.h
|
||||
SRCS += \
|
||||
opt_capsicum.h \
|
||||
opt_global.h \
|
||||
opt_mac.h \
|
||||
opt_veriexec.h
|
||||
SRCS += \
|
||||
mac_veriexec.c \
|
||||
veriexec_fingerprint.c \
|
||||
veriexec_metadata.c
|
||||
|
||||
EXPORT_SYMS+= ve_mutex \
|
||||
mac_veriexec_in_state \
|
||||
mac_veriexec_get_executable_flags
|
||||
|
||||
.if defined(KERNBUILDDIR)
|
||||
MKDEP= -include ${KERNBUILDDIR}/opt_global.h
|
||||
.else
|
||||
CFLAGS+= -include opt_global.h
|
||||
MKDEP= -include opt_global.h
|
||||
opt_mac.h:
|
||||
echo "#define MAC_DEBUG 1" >> ${.TARGET}
|
||||
opt_global.h:
|
||||
echo "#define MAC 1" > ${.TARGET}
|
||||
.endif
|
||||
|
||||
.ifndef WITHOUT_VERIEXEC_DEBUG
|
||||
CFLAGS+= -DVERIFIED_EXEC_DEBUG
|
||||
.endif
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
10
sys/modules/mac_veriexec_rmd160/Makefile
Normal file
10
sys/modules/mac_veriexec_rmd160/Makefile
Normal file
@ -0,0 +1,10 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.PATH: ${.CURDIR}/../../security/mac_veriexec
|
||||
.PATH: ${.CURDIR}/../../opencrypto
|
||||
|
||||
KMOD= mac_veriexec_rmd160
|
||||
SRCS= mac_veriexec_rmd160.c rmd160.c
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
10
sys/modules/mac_veriexec_sha1/Makefile
Normal file
10
sys/modules/mac_veriexec_sha1/Makefile
Normal file
@ -0,0 +1,10 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.PATH: ${.PARSEDIR:H:H}/security/mac_veriexec
|
||||
.PATH: ${.PARSEDIR:H:H}/crypto
|
||||
|
||||
KMOD= mac_veriexec_sha1
|
||||
SRCS= mac_veriexec_sha1.c sha1.c
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
10
sys/modules/mac_veriexec_sha256/Makefile
Normal file
10
sys/modules/mac_veriexec_sha256/Makefile
Normal file
@ -0,0 +1,10 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.PATH: ${.CURDIR}/../../security/mac_veriexec
|
||||
.PATH: ${.CURDIR}/../../crypto/sha2
|
||||
|
||||
KMOD= mac_veriexec_sha256
|
||||
SRCS= mac_veriexec_sha256.c sha256c.c
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
10
sys/modules/mac_veriexec_sha384/Makefile
Normal file
10
sys/modules/mac_veriexec_sha384/Makefile
Normal file
@ -0,0 +1,10 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.PATH: ${.CURDIR}/../../security/mac_veriexec
|
||||
.PATH: ${.CURDIR}/../../crypto/sha2
|
||||
|
||||
KMOD= mac_veriexec_sha384
|
||||
SRCS= mac_veriexec_sha384.c sha512c.c
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
10
sys/modules/mac_veriexec_sha512/Makefile
Normal file
10
sys/modules/mac_veriexec_sha512/Makefile
Normal file
@ -0,0 +1,10 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.PATH: ${.CURDIR}/../../security/mac_veriexec
|
||||
.PATH: ${.CURDIR}/../../crypto/sha2
|
||||
|
||||
KMOD= mac_veriexec_sha512
|
||||
SRCS= mac_veriexec_sha512.c sha512c.c
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
803
sys/security/mac_veriexec/mac_veriexec.c
Normal file
803
sys/security/mac_veriexec/mac_veriexec.c
Normal file
@ -0,0 +1,803 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include "opt_capsicum.h"
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/capsicum.h>
|
||||
#include <sys/eventhandler.h>
|
||||
#include <sys/fcntl.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/filedesc.h>
|
||||
#include <sys/imgact.h>
|
||||
#include <sys/jail.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/namei.h>
|
||||
#include <sys/priv.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/sbuf.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/vnode.h>
|
||||
#include <fs/nullfs/null.h>
|
||||
#include <security/mac/mac_policy.h>
|
||||
|
||||
#include "mac_veriexec.h"
|
||||
#include "mac_veriexec_internal.h"
|
||||
|
||||
#define SLOT(l) \
|
||||
mac_label_get((l), mac_veriexec_slot)
|
||||
#define SLOT_SET(l, v) \
|
||||
mac_label_set((l), mac_veriexec_slot, (v))
|
||||
|
||||
#ifdef MAC_DEBUG
|
||||
#define MAC_VERIEXEC_DBG(_lvl, _fmt, ...) \
|
||||
do { \
|
||||
VERIEXEC_DEBUG((_lvl), (MAC_VERIEXEC_FULLNAME ": " _fmt \
|
||||
"\n", ##__VA_ARGS__)); \
|
||||
} while(0)
|
||||
#else
|
||||
#define MAC_VERIEXEC_DBG(_lvl, _fmt, ...)
|
||||
#endif
|
||||
|
||||
static int sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS);
|
||||
static int sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS);
|
||||
|
||||
SYSCTL_DECL(_security_mac);
|
||||
|
||||
SYSCTL_NODE(_security_mac, OID_AUTO, veriexec, CTLFLAG_RW, 0,
|
||||
"MAC/veriexec policy controls");
|
||||
|
||||
int mac_veriexec_debug;
|
||||
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, debug, CTLFLAG_RW,
|
||||
&mac_veriexec_debug, 0, "Debug level");
|
||||
|
||||
static int mac_veriexec_state;
|
||||
SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, state,
|
||||
CTLTYPE_STRING | CTLFLAG_RD, 0, 0, sysctl_mac_veriexec_state, "A",
|
||||
"Verified execution subsystem state");
|
||||
|
||||
SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
|
||||
CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_SKIP, 0, 0, sysctl_mac_veriexec_db,
|
||||
"A", "Verified execution fingerprint database");
|
||||
|
||||
static int mac_veriexec_slot;
|
||||
|
||||
MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Handler for security.mac.veriexec.db sysctl
|
||||
*
|
||||
* Display a human-readable form of the current fingerprint database.
|
||||
*/
|
||||
static int
|
||||
sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS)
|
||||
{
|
||||
struct sbuf sb;
|
||||
int error;
|
||||
|
||||
error = sysctl_wire_old_buffer(req, 0);
|
||||
if (error != 0)
|
||||
return (error);
|
||||
|
||||
sbuf_new_for_sysctl(&sb, NULL, 1024, req);
|
||||
mac_veriexec_print_db(&sb);
|
||||
error = sbuf_finish(&sb);
|
||||
sbuf_delete(&sb);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Generate human-readable output about the current verified execution
|
||||
* state.
|
||||
*
|
||||
* @param sbp sbuf to write output to
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_print_state(struct sbuf *sbp)
|
||||
{
|
||||
|
||||
if (mac_veriexec_state & VERIEXEC_STATE_INACTIVE)
|
||||
sbuf_printf(sbp, "inactive ");
|
||||
if (mac_veriexec_state & VERIEXEC_STATE_LOADED)
|
||||
sbuf_printf(sbp, "loaded ");
|
||||
if (mac_veriexec_state & VERIEXEC_STATE_ACTIVE)
|
||||
sbuf_printf(sbp, "active ");
|
||||
if (mac_veriexec_state & VERIEXEC_STATE_ENFORCE)
|
||||
sbuf_printf(sbp, "enforce ");
|
||||
if (mac_veriexec_state & VERIEXEC_STATE_LOCKED)
|
||||
sbuf_printf(sbp, "locked ");
|
||||
if (mac_veriexec_state != 0)
|
||||
sbuf_trim(sbp);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Handler for security.mac.veriexec.state sysctl
|
||||
*
|
||||
* Display a human-readable form of the current verified execution subsystem
|
||||
* state.
|
||||
*/
|
||||
static int
|
||||
sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS)
|
||||
{
|
||||
struct sbuf sb;
|
||||
int error;
|
||||
|
||||
sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND);
|
||||
mac_veriexec_print_state(&sb);
|
||||
sbuf_finish(&sb);
|
||||
|
||||
error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb));
|
||||
sbuf_delete(&sb);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Event handler called when a virtual file system is mounted.
|
||||
*
|
||||
* We need to record the file system identifier in the MAC per-policy slot
|
||||
* assigned to veriexec, so we have a key to use in order to reference the
|
||||
* mount point in the meta-data store.
|
||||
*
|
||||
* @param arg unused argument
|
||||
* @param mp mount point that is being mounted
|
||||
* @param fsrootvp vnode of the file system root
|
||||
* @param td calling thread
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_vfs_mounted(void *arg __unused, struct mount *mp,
|
||||
struct vnode *fsrootvp, struct thread *td)
|
||||
{
|
||||
struct vattr va;
|
||||
int error;
|
||||
|
||||
error = VOP_GETATTR(fsrootvp, &va, td->td_ucred);
|
||||
if (error)
|
||||
return;
|
||||
|
||||
SLOT_SET(mp->mnt_label, va.va_fsid);
|
||||
#ifdef MAC_DEBUG
|
||||
MAC_VERIEXEC_DBG(3, "set fsid to %u for mount %p", va.va_fsid, mp);
|
||||
#endif
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Event handler called when a virtual file system is unmounted.
|
||||
*
|
||||
* If we recorded a file system identifier in the MAC per-policy slot assigned
|
||||
* to veriexec, then we need to tell the meta-data store to clean up.
|
||||
*
|
||||
* @param arg unused argument
|
||||
* @param mp mount point that is being unmounted
|
||||
* @param td calling thread
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_vfs_unmounted(void *arg __unused, struct mount *mp,
|
||||
struct thread *td)
|
||||
{
|
||||
dev_t fsid;
|
||||
|
||||
fsid = SLOT(mp->mnt_label);
|
||||
if (fsid) {
|
||||
MAC_VERIEXEC_DBG(3, "fsid %u, cleaning up mount", fsid);
|
||||
mac_veriexec_metadata_unmounted(fsid, td);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief The mount point is being initialized, set the value in the MAC
|
||||
* per-policy slot for veriexec to zero.
|
||||
*
|
||||
* @note A value of zero in this slot indicates no file system identifier
|
||||
* is assigned.
|
||||
*
|
||||
* @param label the label that is being initialized
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_mount_init_label(struct label *label)
|
||||
{
|
||||
|
||||
SLOT_SET(label, 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief The mount-point is being destroyed, reset the value in the MAC
|
||||
* per-policy slot for veriexec back to zero.
|
||||
*
|
||||
* @note A value of zero in this slot indicates no file system identifier
|
||||
* is assigned.
|
||||
*
|
||||
* @param label the label that is being destroyed
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_mount_destroy_label(struct label *label)
|
||||
{
|
||||
|
||||
SLOT_SET(label, 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief The vnode label is being initialized, set the value in the MAC
|
||||
* per-policy slot for veriexec to @c FINGERPRINT_INVALID
|
||||
*
|
||||
* @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid.
|
||||
*
|
||||
* @param label the label that is being initialized
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_vnode_init_label(struct label *label)
|
||||
{
|
||||
|
||||
SLOT_SET(label, FINGERPRINT_INVALID);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief The vnode label is being destroyed, reset the value in the MAC
|
||||
* per-policy slot for veriexec back to @c FINGERPRINT_INVALID
|
||||
*
|
||||
* @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid.
|
||||
*
|
||||
* @param label the label that is being destroyed
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_vnode_destroy_label(struct label *label)
|
||||
{
|
||||
|
||||
SLOT_SET(label, FINGERPRINT_INVALID);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Copy the value in the MAC per-policy slot assigned to veriexec from
|
||||
* the @p src label to the @p dest label
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_copy_label(struct label *src, struct label *dest)
|
||||
{
|
||||
|
||||
SLOT_SET(dest, SLOT(src));
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Check if the requested process can be debugged
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param p process to debug
|
||||
*
|
||||
* @return 0 if debugging is allowed, otherwise an error code.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_proc_check_debug(struct ucred *cred, struct proc *p)
|
||||
{
|
||||
int error, flags;
|
||||
|
||||
/* If we are not enforcing veriexec, nothing for us to check */
|
||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
|
||||
return (0);
|
||||
|
||||
error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
|
||||
if (error != 0)
|
||||
return (0);
|
||||
|
||||
return ((flags & VERIEXEC_NOTRACE) ? EACCES : 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief A KLD load has been requested and needs to be validated.
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param vp vnode of the KLD that has been requested
|
||||
* @param vlabel vnode label assigned to the vnode
|
||||
*
|
||||
* @return 0 if the KLD load is allowed, otherwise an error code.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_kld_check_load(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel)
|
||||
{
|
||||
struct vattr va;
|
||||
struct thread *td = curthread;
|
||||
fingerprint_status_t status;
|
||||
int error;
|
||||
|
||||
/*
|
||||
* If we are not actively enforcing, allow it
|
||||
*/
|
||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
|
||||
return (0);
|
||||
|
||||
/* Get vnode attributes */
|
||||
error = VOP_GETATTR(vp, &va, cred);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
/*
|
||||
* Fetch the fingerprint status for the vnode
|
||||
* (starting with files first)
|
||||
*/
|
||||
error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td,
|
||||
VERIEXEC_FILES_FIRST);
|
||||
if (error && error != EAUTH)
|
||||
return (error);
|
||||
|
||||
/*
|
||||
* By now we should have status...
|
||||
*/
|
||||
status = mac_veriexec_get_fingerprint_status(vp);
|
||||
switch (status) {
|
||||
case FINGERPRINT_FILE:
|
||||
case FINGERPRINT_VALID:
|
||||
case FINGERPRINT_INDIRECT:
|
||||
if (error)
|
||||
return (error);
|
||||
break;
|
||||
default:
|
||||
/*
|
||||
* kldload should fail unless there is a valid fingerprint
|
||||
* registered.
|
||||
*/
|
||||
MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev %u, "
|
||||
"file %lu.%lu\n", status, va.va_fsid, va.va_fileid,
|
||||
va.va_gen);
|
||||
return (EAUTH);
|
||||
}
|
||||
|
||||
/* Everything is good, allow the KLD to be loaded */
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Check privileges that veriexec needs to be concerned about.
|
||||
*
|
||||
* The following privileges are checked by this function:
|
||||
* - PRIV_KMEM_WRITE\n
|
||||
* Check if writes to /dev/mem and /dev/kmem are allowed\n
|
||||
* (Only trusted processes are allowed)
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param priv privilege to check
|
||||
*
|
||||
* @return 0 if the privilege is allowed, error code otherwise.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_priv_check(struct ucred *cred, int priv)
|
||||
{
|
||||
|
||||
/* If we are not enforcing veriexec, nothing for us to check */
|
||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
|
||||
return (0);
|
||||
|
||||
switch (priv) {
|
||||
case PRIV_KMEM_WRITE:
|
||||
if (!mac_veriexec_proc_is_trusted(cred, curproc))
|
||||
return (EPERM);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief A program is being executed and needs to be validated.
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param vp vnode of the program that is being executed
|
||||
* @param label vnode label assigned to the vnode
|
||||
* @param imgp parameters for the image to be executed
|
||||
* @param execlabel optional exec label
|
||||
*
|
||||
* @return 0 if the program should be allowed to execute, otherwise an error
|
||||
* code.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_vnode_check_exec(struct ucred *cred __unused,
|
||||
struct vnode *vp __unused, struct label *label __unused,
|
||||
struct image_params *imgp, struct label *execlabel __unused)
|
||||
{
|
||||
struct thread *td = curthread;
|
||||
int error;
|
||||
|
||||
error = mac_veriexec_fingerprint_check_image(imgp, 0, td);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Check fingerprint for the specified vnode and validate it
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param vp vnode of the file
|
||||
* @param accmode access mode to check (read, write, append, create,
|
||||
* verify, etc.)
|
||||
*
|
||||
* @return 0 if the file validated, otherwise an error code.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_check_vp(struct ucred *cred, struct vnode *vp, accmode_t accmode)
|
||||
{
|
||||
struct vattr va;
|
||||
struct thread *td = curthread;
|
||||
fingerprint_status_t status;
|
||||
int error;
|
||||
|
||||
/* Get vnode attributes */
|
||||
error = VOP_GETATTR(vp, &va, cred);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
/* Get the fingerprint status for the file */
|
||||
error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td,
|
||||
VERIEXEC_FILES_FIRST);
|
||||
if (error && error != EAUTH)
|
||||
return (error);
|
||||
|
||||
/*
|
||||
* By now we should have status...
|
||||
*/
|
||||
status = mac_veriexec_get_fingerprint_status(vp);
|
||||
if (accmode & VWRITE) {
|
||||
/*
|
||||
* If file has a fingerprint then deny the write request,
|
||||
* otherwise invalidate the status so we don't keep checking
|
||||
* for the file having a fingerprint.
|
||||
*/
|
||||
switch (status) {
|
||||
case FINGERPRINT_FILE:
|
||||
case FINGERPRINT_VALID:
|
||||
case FINGERPRINT_INDIRECT:
|
||||
MAC_VERIEXEC_DBG(2,
|
||||
"attempted write to fingerprinted file for dev "
|
||||
"%u, file %lu.%lu\n", va.va_fsid,
|
||||
va.va_fileid, va.va_gen);
|
||||
return (EPERM);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (accmode & VVERIFY) {
|
||||
switch (status) {
|
||||
case FINGERPRINT_FILE:
|
||||
case FINGERPRINT_VALID:
|
||||
case FINGERPRINT_INDIRECT:
|
||||
if (error)
|
||||
return (error);
|
||||
break;
|
||||
default:
|
||||
/*
|
||||
* Caller wants open to fail unless there is a valid
|
||||
* fingerprint registered.
|
||||
*/
|
||||
MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev "
|
||||
"%u, file %lu.%lu\n", status, va.va_fsid,
|
||||
va.va_fileid, va.va_gen);
|
||||
return (EAUTH);
|
||||
}
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Opening a file has been requested and may need to be validated.
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param vp vnode of the file to open
|
||||
* @param label vnode label assigned to the vnode
|
||||
* @param accmode access mode to use for opening the file (read, write,
|
||||
* append, create, verify, etc.)
|
||||
*
|
||||
* @return 0 if opening the file should be allowed, otherwise an error code.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_vnode_check_open(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label __unused, accmode_t accmode)
|
||||
{
|
||||
int error;
|
||||
|
||||
/*
|
||||
* Look for the file on the fingerprint lists iff it has not been seen
|
||||
* before.
|
||||
*/
|
||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
|
||||
return (0);
|
||||
|
||||
error = mac_veriexec_check_vp(cred, vp, accmode);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Initialize the mac_veriexec MAC policy
|
||||
*
|
||||
* @param mpc MAC policy configuration
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_init(struct mac_policy_conf *mpc __unused)
|
||||
{
|
||||
/* Initialize state */
|
||||
mac_veriexec_state = VERIEXEC_STATE_INACTIVE;
|
||||
|
||||
/* Initialize meta-data storage */
|
||||
mac_veriexec_metadata_init();
|
||||
|
||||
/* Initialize fingerprint ops */
|
||||
mac_veriexec_fingerprint_init();
|
||||
|
||||
/* Register event handlers */
|
||||
EVENTHANDLER_REGISTER(vfs_mounted, mac_veriexec_vfs_mounted, NULL,
|
||||
EVENTHANDLER_PRI_FIRST);
|
||||
EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
|
||||
EVENTHANDLER_PRI_LAST);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief MAC policy-specific syscall for mac_veriexec
|
||||
*
|
||||
* The following syscalls are implemented:
|
||||
* - @c MAC_VERIEXEC_CHECK_SYSCALL
|
||||
* Check if the file referenced by a file descriptor has a fingerprint
|
||||
* registered in the meta-data store.
|
||||
*
|
||||
* @param td calling thread
|
||||
* @param call system call number
|
||||
* @param arg arugments to the syscall
|
||||
*
|
||||
* @return 0 on success, otherwise an error code.
|
||||
*/
|
||||
static int
|
||||
mac_veriexec_syscall(struct thread *td, int call, void *arg)
|
||||
{
|
||||
struct image_params img;
|
||||
struct nameidata nd;
|
||||
cap_rights_t rights;
|
||||
struct vattr va;
|
||||
struct file *fp;
|
||||
int error;
|
||||
|
||||
switch (call) {
|
||||
case MAC_VERIEXEC_CHECK_FD_SYSCALL:
|
||||
/* Get the vnode associated with the file descriptor passed */
|
||||
error = getvnode(td, (uintptr_t) arg, cap_rights_init(&rights,
|
||||
CAP_READ), &fp);
|
||||
if (error)
|
||||
return (error);
|
||||
if (fp->f_type != DTYPE_VNODE) {
|
||||
MAC_VERIEXEC_DBG(3, "MAC_VERIEXEC_CHECK_SYSCALL: "
|
||||
"file is not vnode type (type=0x%x)",
|
||||
fp->f_type);
|
||||
error = EINVAL;
|
||||
goto cleanup_file;
|
||||
}
|
||||
|
||||
/*
|
||||
* setup the bits of image_params that are used by
|
||||
* mac_veriexec_check_fingerprint().
|
||||
*/
|
||||
bzero(&img, sizeof(img));
|
||||
img.proc = td->td_proc;
|
||||
img.vp = fp->f_vnode;
|
||||
img.attr = &va;
|
||||
|
||||
/*
|
||||
* Get vnode attributes
|
||||
* (need to obtain a lock on the vnode first)
|
||||
*/
|
||||
vn_lock(img.vp, LK_EXCLUSIVE | LK_RETRY);
|
||||
error = VOP_GETATTR(fp->f_vnode, &va, td->td_ucred);
|
||||
if (error)
|
||||
goto check_done;
|
||||
|
||||
MAC_VERIEXEC_DBG(2, "mac_veriexec_fingerprint_check_image: "
|
||||
"va_mode=%o, check_files=%d\n", va.va_mode,
|
||||
((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0));
|
||||
error = mac_veriexec_fingerprint_check_image(&img,
|
||||
((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0), td);
|
||||
check_done:
|
||||
/* Release the lock we obtained earlier */
|
||||
VOP_UNLOCK(img.vp, 0);
|
||||
cleanup_file:
|
||||
fdrop(fp, td);
|
||||
break;
|
||||
case MAC_VERIEXEC_CHECK_PATH_SYSCALL:
|
||||
/* Look up the path to get the vnode */
|
||||
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
|
||||
UIO_USERSPACE, arg, td);
|
||||
error = namei(&nd);
|
||||
if (error != 0)
|
||||
break;
|
||||
NDFREE(&nd, NDF_ONLY_PNBUF);
|
||||
|
||||
/* Check the fingerprint status of the vnode */
|
||||
error = mac_veriexec_check_vp(td->td_ucred, nd.ni_vp, VVERIFY);
|
||||
vput(nd.ni_vp);
|
||||
break;
|
||||
default:
|
||||
error = EOPNOTSUPP;
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
|
||||
static struct mac_policy_ops mac_veriexec_ops =
|
||||
{
|
||||
.mpo_init = mac_veriexec_init,
|
||||
.mpo_syscall = mac_veriexec_syscall,
|
||||
.mpo_kld_check_load = mac_veriexec_kld_check_load,
|
||||
.mpo_mount_destroy_label = mac_veriexec_mount_destroy_label,
|
||||
.mpo_mount_init_label = mac_veriexec_mount_init_label,
|
||||
.mpo_priv_check = mac_veriexec_priv_check,
|
||||
.mpo_proc_check_debug = mac_veriexec_proc_check_debug,
|
||||
.mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
|
||||
.mpo_vnode_check_open = mac_veriexec_vnode_check_open,
|
||||
.mpo_vnode_copy_label = mac_veriexec_copy_label,
|
||||
.mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
|
||||
.mpo_vnode_init_label = mac_veriexec_vnode_init_label,
|
||||
};
|
||||
|
||||
MAC_POLICY_SET(&mac_veriexec_ops, mac_veriexec, MAC_VERIEXEC_FULLNAME,
|
||||
MPC_LOADTIME_FLAG_NOTLATE, &mac_veriexec_slot);
|
||||
MODULE_VERSION(mac_veriexec, 1);
|
||||
|
||||
/**
|
||||
* @brief Get the fingerprint status set on a vnode.
|
||||
*
|
||||
* @param vp vnode to obtain fingerprint status from
|
||||
*
|
||||
* @return Fingerprint status assigned to the vnode.
|
||||
*/
|
||||
fingerprint_status_t
|
||||
mac_veriexec_get_fingerprint_status(struct vnode *vp)
|
||||
{
|
||||
fingerprint_status_t fps;
|
||||
|
||||
fps = SLOT(vp->v_label);
|
||||
switch (fps) {
|
||||
case FINGERPRINT_VALID:
|
||||
case FINGERPRINT_INDIRECT:
|
||||
case FINGERPRINT_FILE:
|
||||
break;
|
||||
default:
|
||||
/* we may need to recurse */
|
||||
if (strcmp(vp->v_tag, "null") == 0) {
|
||||
struct vnode *ldvp;
|
||||
|
||||
ldvp = NULLVPTOLOWERVP(vp);
|
||||
return mac_veriexec_get_fingerprint_status(ldvp);
|
||||
}
|
||||
break;
|
||||
}
|
||||
return fps;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Get the current verified execution subsystem state.
|
||||
*
|
||||
* @return Current set of verified execution subsystem state flags.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_get_state(void)
|
||||
{
|
||||
|
||||
return (mac_veriexec_state);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Determine if the verified execution subsystem state has specific
|
||||
* flags set.
|
||||
*
|
||||
* @param state mask of flags to check
|
||||
*
|
||||
* @return State flags set within the masked bits
|
||||
*/
|
||||
int
|
||||
mac_veriexec_in_state(int state)
|
||||
{
|
||||
|
||||
return (mac_veriexec_state & state);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Set the fingerprint status for a vnode
|
||||
*
|
||||
* Fingerprint status is stored in the MAC per-policy slot assigned to
|
||||
* mac_veriexec.
|
||||
*
|
||||
* @param vp vnode to store the fingerprint status on
|
||||
* @param fp_status fingerprint status to store
|
||||
*/
|
||||
void
|
||||
mac_veriexec_set_fingerprint_status(struct vnode *vp,
|
||||
fingerprint_status_t fp_status)
|
||||
{
|
||||
|
||||
/* recurse until we find the real storage */
|
||||
if (strcmp(vp->v_tag, "null") == 0) {
|
||||
struct vnode *ldvp;
|
||||
|
||||
ldvp = NULLVPTOLOWERVP(vp);
|
||||
mac_veriexec_set_fingerprint_status(ldvp, fp_status);
|
||||
return;
|
||||
}
|
||||
SLOT_SET(vp->v_label, fp_status);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Set verified execution subsystem state flags
|
||||
*
|
||||
* @note Flags can only be added to the current state, not removed.
|
||||
*
|
||||
* @param state state flags to add to the current state
|
||||
*/
|
||||
void
|
||||
mac_veriexec_set_state(int state)
|
||||
{
|
||||
|
||||
mac_veriexec_state |= state;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Determine if the process is trusted
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param p the process in question
|
||||
*
|
||||
* @return 1 if the process is trusted, otherwise 0.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p)
|
||||
{
|
||||
int error, flags;
|
||||
|
||||
error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
|
||||
|
||||
/* Any errors, deny access */
|
||||
if (error != 0)
|
||||
return (0);
|
||||
|
||||
/* Check that the trusted flag is set */
|
||||
return ((flags & VERIEXEC_TRUSTED) == VERIEXEC_TRUSTED);
|
||||
}
|
161
sys/security/mac_veriexec/mac_veriexec.h
Normal file
161
sys/security/mac_veriexec/mac_veriexec.h
Normal file
@ -0,0 +1,161 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _SECURITY_MAC_VERIEXEC_H
|
||||
#define _SECURITY_MAC_VERIEXEC_H
|
||||
|
||||
#ifdef _KERNEL
|
||||
#include <sys/types.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/queue.h>
|
||||
#include <sys/module.h>
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Name of the MAC module
|
||||
*/
|
||||
#define MAC_VERIEXEC_NAME "mac_veriexec"
|
||||
|
||||
/* MAC/veriexec syscalls */
|
||||
#define MAC_VERIEXEC_CHECK_FD_SYSCALL 1
|
||||
#define MAC_VERIEXEC_CHECK_PATH_SYSCALL 2
|
||||
|
||||
/**
|
||||
* Enough room for the largest signature...
|
||||
*/
|
||||
#define MAXFINGERPRINTLEN 64 /* enough room for largest signature */
|
||||
|
||||
/*
|
||||
* Types of veriexec inodes we can have
|
||||
*/
|
||||
#define VERIEXEC_INDIRECT (1<<0) /* Only allow indirect execution */
|
||||
#define VERIEXEC_FILE (1<<1) /* Fingerprint of a plain file */
|
||||
#define VERIEXEC_NOTRACE (1<<2) /**< PTRACE not allowed */
|
||||
#define VERIEXEC_TRUSTED (1<<3) /**< Safe to write /dev/mem */
|
||||
/* XXX these are currently unimplemented */
|
||||
#define VERIEXEC_NOFIPS (1<<4) /**< Not allowed in FIPS mode */
|
||||
|
||||
#define VERIEXEC_STATE_INACTIVE 0 /**< Ignore */
|
||||
#define VERIEXEC_STATE_LOADED (1<<0) /**< Sigs have been loaded */
|
||||
#define VERIEXEC_STATE_ACTIVE (1<<1) /**< Pay attention to it */
|
||||
#define VERIEXEC_STATE_ENFORCE (1<<2) /**< Fail execs for files that do not
|
||||
match signature */
|
||||
#define VERIEXEC_STATE_LOCKED (1<<3) /**< Do not allow further changes */
|
||||
|
||||
#ifdef _KERNEL
|
||||
/**
|
||||
* Version of the MAC/veriexec module
|
||||
*/
|
||||
#define MAC_VERIEXEC_VERSION 1
|
||||
|
||||
/* Valid states for the fingerprint flag - if signed exec is being used */
|
||||
typedef enum fingerprint_status {
|
||||
FINGERPRINT_INVALID, /**< Fingerprint has not been evaluated */
|
||||
FINGERPRINT_VALID, /**< Fingerprint evaluated and matches list */
|
||||
FINGERPRINT_INDIRECT, /**< Fingerprint eval'd/matched but only
|
||||
indirect execs allowed */
|
||||
FINGERPRINT_FILE, /**< Fingerprint evaluated/matched but
|
||||
not executable */
|
||||
FINGERPRINT_NOMATCH, /**< Fingerprint evaluated but does not match */
|
||||
FINGERPRINT_NOENTRY, /**< Fingerprint evaluated but no list entry */
|
||||
FINGERPRINT_NODEV, /**< Fingerprint evaluated but no dev list */
|
||||
} fingerprint_status_t;
|
||||
|
||||
typedef void (*mac_veriexec_fpop_init_t)(void *);
|
||||
typedef void (*mac_veriexec_fpop_update_t)(void *, const uint8_t *, size_t);
|
||||
typedef void (*mac_veriexec_fpop_final_t)(uint8_t *, void *);
|
||||
|
||||
struct mac_veriexec_fpops {
|
||||
const char *type;
|
||||
size_t digest_len;
|
||||
size_t context_size;
|
||||
mac_veriexec_fpop_init_t init;
|
||||
mac_veriexec_fpop_update_t update;
|
||||
mac_veriexec_fpop_final_t final;
|
||||
LIST_ENTRY(mac_veriexec_fpops) entries;
|
||||
};
|
||||
|
||||
/**
|
||||
* Verified execution subsystem debugging level
|
||||
*/
|
||||
extern int mac_veriexec_debug;
|
||||
|
||||
/**
|
||||
* @brief Define a fingerprint module.
|
||||
*
|
||||
* @param _name Name of the fingerprint module
|
||||
* @param _digest_len Length of the digest string, in number of characters
|
||||
* @param _context_size Size of the context structure, in bytes
|
||||
* @param _init Initialization function of type
|
||||
* mac_veriexec_fpop_init_t
|
||||
* @param _update Update function of type mac_veriexec_fpop_update_t
|
||||
* @param _final Finalize function of type mac_veriexec_fpop_final_t
|
||||
* @param _vers Module version
|
||||
*/
|
||||
#define MAC_VERIEXEC_FPMOD(_name, _digest_len, _context_size, _init, \
|
||||
_update, _final, _vers) \
|
||||
static struct mac_veriexec_fpops \
|
||||
mac_veriexec_##_name##_fpops = { \
|
||||
.type = #_name, \
|
||||
.digest_len = _digest_len, \
|
||||
.context_size = _context_size, \
|
||||
.init = _init, \
|
||||
.update = _update, \
|
||||
.final = _final, \
|
||||
}; \
|
||||
static moduledata_t mac_veriexec_##_name##_mod = { \
|
||||
"mac_veriexec/" #_name, \
|
||||
mac_veriexec_fingerprint_modevent, \
|
||||
&(mac_veriexec_##_name##_fpops) \
|
||||
}; \
|
||||
MODULE_VERSION(mac_veriexec_##_name, _vers); \
|
||||
DECLARE_MODULE(mac_veriexec_##_name, \
|
||||
mac_veriexec_##_name##_mod, SI_SUB_MAC_POLICY, \
|
||||
SI_ORDER_ANY); \
|
||||
MODULE_DEPEND(mac_veriexec_##_name, mac_veriexec, \
|
||||
MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION, \
|
||||
MAC_VERIEXEC_VERSION)
|
||||
|
||||
/*
|
||||
* The following function should not be called directly. The prototype is
|
||||
* included here to satisfy the compiler when using the macro above.
|
||||
*/
|
||||
int mac_veriexec_fingerprint_modevent(module_t mod, int type, void *data);
|
||||
|
||||
/*
|
||||
* Public functions
|
||||
*/
|
||||
int mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
|
||||
unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN],
|
||||
int flags, const char *fp_type, int override);
|
||||
int mac_veriexec_metadata_has_file(dev_t fsid, long fileid,
|
||||
unsigned long gen);
|
||||
int mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
|
||||
#endif
|
||||
|
||||
#endif /* _SECURITY_MAC_VERIEXEC_H */
|
103
sys/security/mac_veriexec/mac_veriexec_internal.h
Normal file
103
sys/security/mac_veriexec/mac_veriexec_internal.h
Normal file
@ -0,0 +1,103 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _SECURITY_MAC_VERIEXEC_INTERNAL_H
|
||||
#define _SECURITY_MAC_VERIEXEC_INTERNAL_H
|
||||
|
||||
#ifndef _KERNEL
|
||||
#error "no user-serviceable parts inside"
|
||||
#endif
|
||||
|
||||
#include <sys/queue.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#define MAC_VERIEXEC_FULLNAME "MAC/veriexec"
|
||||
|
||||
#define VERIEXEC_FILES_FIRST 1
|
||||
|
||||
#if defined(VERIFIED_EXEC_DEBUG) || defined(VERIFIED_EXEC_DEBUG_VERBOSE)
|
||||
# define VERIEXEC_DEBUG(n, x) if (mac_veriexec_debug > (n)) printf x
|
||||
#else
|
||||
# define VERIEXEC_DEBUG(n, x)
|
||||
#endif
|
||||
|
||||
struct mac_veriexec_file_info
|
||||
{
|
||||
int flags;
|
||||
long fileid;
|
||||
unsigned long gen;
|
||||
struct mac_veriexec_fpops *ops;
|
||||
unsigned char fingerprint[MAXFINGERPRINTLEN];
|
||||
LIST_ENTRY(mac_veriexec_file_info) entries;
|
||||
};
|
||||
|
||||
MALLOC_DECLARE(M_VERIEXEC);
|
||||
|
||||
SYSCTL_DECL(_security_mac_veriexec);
|
||||
|
||||
struct cred;
|
||||
struct image_params;
|
||||
struct proc;
|
||||
struct sbuf;
|
||||
struct thread;
|
||||
struct ucred;
|
||||
struct vattr;
|
||||
struct vnode;
|
||||
|
||||
int mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
|
||||
struct vattr *vap, struct thread *td, int check_files);
|
||||
int mac_veriexec_metadata_get_executable_flags(struct ucred *cred,
|
||||
struct proc *p, int *flags, int check_files);
|
||||
int mac_veriexec_metadata_get_file_flags(dev_t fsid, long fileid,
|
||||
unsigned long gen, int *flags, int check_files);
|
||||
void mac_veriexec_metadata_init(void);
|
||||
void mac_veriexec_metadata_print_db(struct sbuf *sbp);
|
||||
int mac_veriexec_metadata_unmounted(dev_t fsid, struct thread *td);
|
||||
|
||||
int mac_veriexec_fingerprint_add_ops(struct mac_veriexec_fpops *fpops);
|
||||
|
||||
int mac_veriexec_fingerprint_check_image(struct image_params *imgp,
|
||||
int check_files, struct thread *td);
|
||||
int mac_veriexec_fingerprint_check_vnode(struct vnode *vp,
|
||||
struct mac_veriexec_file_info *ip, struct thread *td,
|
||||
off_t file_size, unsigned char *fingerprint);
|
||||
void mac_veriexec_fingerprint_init(void);
|
||||
struct mac_veriexec_fpops *
|
||||
mac_veriexec_fingerprint_lookup_ops(const char *type);
|
||||
|
||||
fingerprint_status_t
|
||||
mac_veriexec_get_fingerprint_status(struct vnode *vp);
|
||||
int mac_veriexec_get_state(void);
|
||||
int mac_veriexec_in_state(int state);
|
||||
void mac_veriexec_print_db(struct sbuf *);
|
||||
void mac_veriexec_set_fingerprint_status(struct vnode *vp,
|
||||
fingerprint_status_t fp_status);
|
||||
void mac_veriexec_set_state(int state);
|
||||
|
||||
#endif /* !_SECURITY_MAC_VERIEXEC_INTERNAL_H */
|
45
sys/security/mac_veriexec/mac_veriexec_rmd160.c
Normal file
45
sys/security/mac_veriexec/mac_veriexec_rmd160.c
Normal file
@ -0,0 +1,45 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
||||
#include <opencrypto/rmd160.h>
|
||||
|
||||
#include <security/mac_veriexec/mac_veriexec.h>
|
||||
|
||||
#ifndef RMD160_DIGEST_LENGTH
|
||||
#define RMD160_DIGEST_LENGTH 20
|
||||
#endif
|
||||
|
||||
MAC_VERIEXEC_FPMOD(RMD160, RMD160_DIGEST_LENGTH, sizeof(RMD160_CTX),
|
||||
(mac_veriexec_fpop_init_t) RMD160Init,
|
||||
(mac_veriexec_fpop_update_t) RMD160Update,
|
||||
(mac_veriexec_fpop_final_t) RMD160Final, 1);
|
49
sys/security/mac_veriexec/mac_veriexec_sha1.c
Normal file
49
sys/security/mac_veriexec/mac_veriexec_sha1.c
Normal file
@ -0,0 +1,49 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
||||
#include <crypto/sha1.h>
|
||||
|
||||
#include <security/mac_veriexec/mac_veriexec.h>
|
||||
|
||||
#define SHA1_Init (mac_veriexec_fpop_init_t) sha1_init
|
||||
#define SHA1_Update (mac_veriexec_fpop_update_t) sha1_loop
|
||||
|
||||
static void
|
||||
SHA1_Final(unsigned char *buf, void *ctx)
|
||||
{
|
||||
|
||||
sha1_result((SHA1_CTX *) ctx, (caddr_t) buf);
|
||||
}
|
||||
|
||||
MAC_VERIEXEC_FPMOD(SHA1, SHA1_RESULTLEN, sizeof(SHA1_CTX), SHA1_Init,
|
||||
SHA1_Update, SHA1_Final, 1);
|
41
sys/security/mac_veriexec/mac_veriexec_sha256.c
Normal file
41
sys/security/mac_veriexec/mac_veriexec_sha256.c
Normal file
@ -0,0 +1,41 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
||||
#include <crypto/sha2/sha256.h>
|
||||
|
||||
#include <security/mac_veriexec/mac_veriexec.h>
|
||||
|
||||
MAC_VERIEXEC_FPMOD(SHA256, SHA256_DIGEST_LENGTH, sizeof(SHA256_CTX),
|
||||
(mac_veriexec_fpop_init_t) SHA256_Init,
|
||||
(mac_veriexec_fpop_update_t) SHA256_Update,
|
||||
(mac_veriexec_fpop_final_t) SHA256_Final, 1);
|
41
sys/security/mac_veriexec/mac_veriexec_sha384.c
Normal file
41
sys/security/mac_veriexec/mac_veriexec_sha384.c
Normal file
@ -0,0 +1,41 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
||||
#include <crypto/sha2/sha384.h>
|
||||
|
||||
#include <security/mac_veriexec/mac_veriexec.h>
|
||||
|
||||
MAC_VERIEXEC_FPMOD(SHA384, SHA384_DIGEST_LENGTH, sizeof(SHA384_CTX),
|
||||
(mac_veriexec_fpop_init_t) SHA384_Init,
|
||||
(mac_veriexec_fpop_update_t) SHA384_Update,
|
||||
(mac_veriexec_fpop_final_t) SHA384_Final, 1);
|
41
sys/security/mac_veriexec/mac_veriexec_sha512.c
Normal file
41
sys/security/mac_veriexec/mac_veriexec_sha512.c
Normal file
@ -0,0 +1,41 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
||||
#include <crypto/sha2/sha512.h>
|
||||
|
||||
#include <security/mac_veriexec/mac_veriexec.h>
|
||||
|
||||
MAC_VERIEXEC_FPMOD(SHA512, SHA512_DIGEST_LENGTH, sizeof(SHA512_CTX),
|
||||
(mac_veriexec_fpop_init_t) SHA512_Init,
|
||||
(mac_veriexec_fpop_update_t) SHA512_Update,
|
||||
(mac_veriexec_fpop_final_t) SHA512_Final, 1);
|
443
sys/security/mac_veriexec/veriexec_fingerprint.c
Normal file
443
sys/security/mac_veriexec/veriexec_fingerprint.c
Normal file
@ -0,0 +1,443 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Originally derived from:
|
||||
* $NetBSD: kern_verifiedexec.c,v 1.7 2003/11/18 13:13:03 martin Exp $
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/imgact.h>
|
||||
#include <sys/jail.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/sbuf.h>
|
||||
#include <sys/syslog.h>
|
||||
#include <sys/vnode.h>
|
||||
|
||||
#include "mac_veriexec.h"
|
||||
#include "mac_veriexec_internal.h"
|
||||
|
||||
/**
|
||||
* @var fpops_list
|
||||
* @internal
|
||||
* @brief Fingerprint operations list
|
||||
*
|
||||
* This is essentially the list of fingerprint modules currently loaded
|
||||
*/
|
||||
static LIST_HEAD(fpopshead, mac_veriexec_fpops) fpops_list;
|
||||
|
||||
static int mac_veriexec_late;
|
||||
|
||||
static int sysctl_mac_veriexec_algorithms(SYSCTL_HANDLER_ARGS);
|
||||
|
||||
SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, algorithms,
|
||||
CTLTYPE_STRING | CTLFLAG_RD, 0, 0, sysctl_mac_veriexec_algorithms, "A",
|
||||
"Verified execution supported hashing algorithms");
|
||||
|
||||
static int
|
||||
sysctl_mac_veriexec_algorithms(SYSCTL_HANDLER_ARGS)
|
||||
{
|
||||
struct sbuf sb;
|
||||
struct mac_veriexec_fpops *fpops;
|
||||
int algorithms, error;
|
||||
|
||||
algorithms = 0;
|
||||
sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND);
|
||||
LIST_FOREACH(fpops, &fpops_list, entries) {
|
||||
if (algorithms++)
|
||||
sbuf_printf(&sb, " ");
|
||||
sbuf_printf(&sb, "%s", fpops->type);
|
||||
}
|
||||
sbuf_finish(&sb);
|
||||
error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb));
|
||||
sbuf_delete(&sb);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Consistently identify file encountering errors
|
||||
*
|
||||
* @param imgp image params to display
|
||||
* @param td calling thread
|
||||
* @param msg message to display
|
||||
*
|
||||
* @return String form of the information stored in @p imgp
|
||||
*/
|
||||
static void
|
||||
identify_error (struct image_params *imgp, struct thread *td, const char *msg)
|
||||
{
|
||||
struct proc *parent;
|
||||
pid_t ppid, gppid;
|
||||
|
||||
parent = imgp->proc->p_pptr;
|
||||
ppid = (parent != NULL) ? parent->p_pid : 0;
|
||||
gppid = (parent != NULL && parent->p_pptr != NULL) ?
|
||||
parent->p_pptr->p_pid : 0;
|
||||
|
||||
log(LOG_ERR, MAC_VERIEXEC_FULLNAME ": %s (file=%s fsid=%lu fileid=%lu "
|
||||
"gen=%lu uid=%u pid=%u ppid=%u gppid=%u)", msg,
|
||||
(imgp->args != NULL) ? imgp->args->fname : "",
|
||||
imgp->attr->va_fsid, imgp->attr->va_fileid, imgp->attr->va_gen,
|
||||
td->td_ucred->cr_ruid, imgp->proc->p_pid, ppid, gppid);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Check the fingerprint type for the given file and evaluate the
|
||||
* fingerprint for that file.
|
||||
*
|
||||
* It is assumed that @p fingerprint has sufficient storage to hold the
|
||||
* resulting fingerprint string.
|
||||
*
|
||||
* @param vp vnode to check
|
||||
* @param ip file info from the meta-data store
|
||||
* @param td calling thread
|
||||
* @param file_size size of the file to read
|
||||
* @param fingerprint resulting fingerprint
|
||||
*
|
||||
* @return 0 on success, otherwise an error code.
|
||||
*/
|
||||
static int
|
||||
evaluate_fingerprint(struct vnode *vp, struct mac_veriexec_file_info *ip,
|
||||
struct thread *td, off_t file_size, unsigned char *fingerprint)
|
||||
{
|
||||
uint8_t *filebuf;
|
||||
void *ctx;
|
||||
off_t offset;
|
||||
size_t count, nread, resid;
|
||||
int error = EINVAL;
|
||||
|
||||
filebuf = malloc(PAGE_SIZE, M_VERIEXEC, M_WAITOK);
|
||||
ctx = malloc(ip->ops->context_size, M_VERIEXEC, M_WAITOK);
|
||||
|
||||
(ip->ops->init)(ctx);
|
||||
for (offset = 0; offset < file_size; offset += nread) {
|
||||
if ((offset + PAGE_SIZE) > file_size)
|
||||
count = file_size - offset;
|
||||
else
|
||||
count = PAGE_SIZE;
|
||||
|
||||
error = vn_rdwr_inchunks(UIO_READ, vp, filebuf, count, offset,
|
||||
UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, &resid,
|
||||
td);
|
||||
if (error)
|
||||
goto failed;
|
||||
|
||||
nread = count - resid;
|
||||
(ip->ops->update)(ctx, filebuf, nread);
|
||||
}
|
||||
(ip->ops->final)(fingerprint, ctx);
|
||||
|
||||
#ifdef DEBUG_VERIEXEC_FINGERPRINT
|
||||
for (offset = 0; offset < ip->ops->digest_len; offset++)
|
||||
printf("%02x", fingerprint[offset]);
|
||||
printf("\n");
|
||||
#endif
|
||||
|
||||
failed:
|
||||
free(ctx, M_VERIEXEC);
|
||||
free(filebuf, M_VERIEXEC);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Compare the two given fingerprints to see if they are the same.
|
||||
*
|
||||
* Differing fingerprint methods may have differing lengths which
|
||||
* is handled by this routine.
|
||||
*
|
||||
* @param ip file info from the meta-data store
|
||||
* @param digest digest to compare
|
||||
*
|
||||
* @return 0 if the fingerprints match and non-zero if they do not.
|
||||
*/
|
||||
static int
|
||||
fingerprintcmp(struct mac_veriexec_file_info *ip, unsigned char *digest)
|
||||
{
|
||||
|
||||
return memcmp(ip->fingerprint, digest, ip->ops->digest_len);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Check if @p fingerprint matches the one associated with the vnode
|
||||
* @p vp
|
||||
*
|
||||
* @param vp vnode to check
|
||||
* @param ip file info from the meta-data store
|
||||
* @param td calling thread
|
||||
* @param file_size size of the file to read
|
||||
* @param fingerprint fingerprint to compare
|
||||
*
|
||||
* @return 0 if they match, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_fingerprint_check_vnode(struct vnode *vp,
|
||||
struct mac_veriexec_file_info *ip, struct thread *td, off_t file_size,
|
||||
unsigned char *fingerprint)
|
||||
{
|
||||
int error;
|
||||
|
||||
/* reject fingerprint if writers are active */
|
||||
if (vp->v_writecount)
|
||||
return (ETXTBSY);
|
||||
|
||||
if ((vp->v_mount->mnt_flag & MNT_VERIFIED) != 0) {
|
||||
VERIEXEC_DEBUG(2, ("file %lu.%lu on verified %s mount\n",
|
||||
ip->fileid, ip->gen, vp->v_mount->mnt_vfc->vfc_name));
|
||||
|
||||
/*
|
||||
* The VFS is backed by a file which has been verified.
|
||||
* No need to waste time here.
|
||||
*/
|
||||
return (0);
|
||||
}
|
||||
|
||||
error = evaluate_fingerprint(vp, ip, td, file_size, fingerprint);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
if (fingerprintcmp(ip, fingerprint) != 0)
|
||||
return (EAUTH);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Check a file signature and validate it.
|
||||
*
|
||||
* @param imgp parameters for the image to check
|
||||
* @param check_files if 1, check the files list first, otherwise check the
|
||||
* exectuables list first
|
||||
* @param td calling thread
|
||||
*
|
||||
* @note Called with imgp->vp locked.
|
||||
*
|
||||
* @return 0 if the signature is valid, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_fingerprint_check_image(struct image_params *imgp,
|
||||
int check_files, struct thread *td)
|
||||
{
|
||||
struct vnode *vp = imgp->vp;
|
||||
int error;
|
||||
fingerprint_status_t status;
|
||||
|
||||
if (!mac_veriexec_in_state(VERIEXEC_STATE_ACTIVE))
|
||||
return 0;
|
||||
|
||||
error = mac_veriexec_metadata_fetch_fingerprint_status(vp, imgp->attr,
|
||||
td, check_files);
|
||||
if (error && error != EAUTH)
|
||||
return (error);
|
||||
|
||||
/*
|
||||
* By now status is set.
|
||||
*/
|
||||
status = mac_veriexec_get_fingerprint_status(vp);
|
||||
switch (status) {
|
||||
case FINGERPRINT_INVALID: /* should not happen */
|
||||
identify_error(imgp, td, "got unexpected FINGERPRINT_INVALID");
|
||||
error = EPERM;
|
||||
break;
|
||||
|
||||
case FINGERPRINT_FILE:
|
||||
if (!check_files) {
|
||||
if (prison0.pr_securelevel > 1 ||
|
||||
mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE))
|
||||
error = EPERM;
|
||||
}
|
||||
break;
|
||||
|
||||
case FINGERPRINT_VALID: /* is ok - report so if debug is on */
|
||||
VERIEXEC_DEBUG(4, ("Fingerprint matches\n"));
|
||||
break;
|
||||
|
||||
case FINGERPRINT_INDIRECT: /* fingerprint ok but need to check
|
||||
for direct execution */
|
||||
if (!imgp->interpreted) {
|
||||
identify_error(imgp, td, "attempted direct execution");
|
||||
if (prison0.pr_securelevel > 1 ||
|
||||
mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE))
|
||||
error = EPERM;
|
||||
}
|
||||
break;
|
||||
|
||||
case FINGERPRINT_NOMATCH: /* does not match - whine about it */
|
||||
identify_error(imgp, td,
|
||||
"fingerprint does not match loaded value");
|
||||
if (prison0.pr_securelevel > 1 ||
|
||||
mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE))
|
||||
error = EAUTH;
|
||||
break;
|
||||
|
||||
case FINGERPRINT_NOENTRY: /* no entry in the list, complain */
|
||||
identify_error(imgp, td, "no fingerprint");
|
||||
if (prison0.pr_securelevel > 1 ||
|
||||
mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE))
|
||||
error = EAUTH;
|
||||
break;
|
||||
|
||||
case FINGERPRINT_NODEV: /* no signatures for the device, complain */
|
||||
identify_error(imgp, td, "no signatures for device");
|
||||
if (prison0.pr_securelevel > 1 ||
|
||||
mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE))
|
||||
error = EAUTH;
|
||||
break;
|
||||
|
||||
default: /* this should never happen. */
|
||||
identify_error(imgp, td, "invalid status field for vnode");
|
||||
error = EPERM;
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Look up the fingerprint operations for a specific digest type
|
||||
*
|
||||
* @return A pointer to fingerprint operations, if found, or else @c NULL.
|
||||
*/
|
||||
struct mac_veriexec_fpops *
|
||||
mac_veriexec_fingerprint_lookup_ops(const char *type)
|
||||
{
|
||||
struct mac_veriexec_fpops *fpops;
|
||||
|
||||
if (type == NULL)
|
||||
return (NULL);
|
||||
|
||||
LIST_FOREACH(fpops, &fpops_list, entries) {
|
||||
if (!strcasecmp(type, fpops->type))
|
||||
break;
|
||||
}
|
||||
return (fpops);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Add fingerprint operations for a specific digest type
|
||||
*
|
||||
* Any attempts to add a duplicate digest type results in an error.
|
||||
*
|
||||
* @return 0 if the ops were added successfully, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_fingerprint_add_ops(struct mac_veriexec_fpops *fpops)
|
||||
{
|
||||
|
||||
/* Sanity check the ops */
|
||||
if (fpops->type == NULL || fpops->digest_len == 0 ||
|
||||
fpops->context_size == 0 || fpops->init == NULL ||
|
||||
fpops->update == NULL || fpops->final == NULL)
|
||||
return (EINVAL);
|
||||
|
||||
/* Make sure we do not already have ops for this digest type */
|
||||
if (mac_veriexec_fingerprint_lookup_ops(fpops->type))
|
||||
return (EEXIST);
|
||||
|
||||
/* Add the ops to the list */
|
||||
LIST_INSERT_HEAD(&fpops_list, fpops, entries);
|
||||
|
||||
printf("MAC/veriexec fingerprint module loaded: %s\n", fpops->type);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Initialize the fingerprint operations list
|
||||
*/
|
||||
void
|
||||
mac_veriexec_fingerprint_init(void)
|
||||
{
|
||||
|
||||
LIST_INIT(&fpops_list);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Handle fingerprint module events
|
||||
*
|
||||
* This function is called by the @c MAC_VERIEXEC_FPMOD macro.
|
||||
*
|
||||
* @param mod module information
|
||||
* @param type event type
|
||||
* @param data event-specific data
|
||||
*
|
||||
* @return On @c MOD_LOAD, 0 if the fingerprint ops were added successfully,
|
||||
* otherwise an error code. All other event types result in an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_fingerprint_modevent(module_t mod, int type, void *data)
|
||||
{
|
||||
struct mac_veriexec_fpops *fpops;
|
||||
int error;
|
||||
|
||||
error = 0;
|
||||
fpops = (struct mac_veriexec_fpops *) data;
|
||||
|
||||
switch (type) {
|
||||
case MOD_LOAD:
|
||||
/* We do not allow late loading of fingerprint modules */
|
||||
if (mac_veriexec_late) {
|
||||
printf("%s: can't load %s fingerprint module after "
|
||||
"booting\n", __func__, fpops->type);
|
||||
error = EBUSY;
|
||||
break;
|
||||
}
|
||||
error = mac_veriexec_fingerprint_add_ops(fpops);
|
||||
break;
|
||||
case MOD_UNLOAD:
|
||||
error = EBUSY;
|
||||
break;
|
||||
default:
|
||||
error = EOPNOTSUPP;
|
||||
break;
|
||||
}
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Mark veriexec late initialization flag
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_late_init(void)
|
||||
{
|
||||
|
||||
mac_veriexec_late = 1;
|
||||
}
|
||||
|
||||
SYSINIT(mac_veriexec_late, SI_SUB_MAC_LATE, SI_ORDER_ANY,
|
||||
mac_veriexec_late_init, NULL);
|
727
sys/security/mac_veriexec/veriexec_metadata.c
Normal file
727
sys/security/mac_veriexec/veriexec_metadata.c
Normal file
@ -0,0 +1,727 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011, 2012, 2013, 2015, 2016, Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Originally derived from:
|
||||
* $NetBSD: kern_verifiedexec.c,v 1.7 2003/11/18 13:13:03 martin Exp $
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/exec.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/sbuf.h>
|
||||
#include <sys/vnode.h>
|
||||
|
||||
#include "mac_veriexec.h"
|
||||
#include "mac_veriexec_internal.h"
|
||||
|
||||
/**
|
||||
* @brief per-device meta-data storage
|
||||
*/
|
||||
struct veriexec_dev_list {
|
||||
dev_t fsid; /**< file system identifier of the mount point */
|
||||
LIST_HEAD(filehead, mac_veriexec_file_info) file_head;
|
||||
/**< list of per-file meta-data information */
|
||||
LIST_ENTRY(veriexec_dev_list) entries;
|
||||
/**< next entries in the device list */
|
||||
};
|
||||
|
||||
typedef LIST_HEAD(veriexec_devhead, veriexec_dev_list) veriexec_devhead_t;
|
||||
|
||||
/**
|
||||
* @brief Mutex to protect the meta-data store lists
|
||||
*/
|
||||
struct mtx ve_mutex;
|
||||
|
||||
/**
|
||||
* @brief Executables meta-data storage
|
||||
*
|
||||
* This is used to store the fingerprints for potentially-executable files.
|
||||
*/
|
||||
veriexec_devhead_t veriexec_dev_head;
|
||||
|
||||
/**
|
||||
* @brief Plain file meta-data storage
|
||||
*
|
||||
* This is used for files that are not allowed to be executed, but should
|
||||
* have fingerprint validation available.
|
||||
*/
|
||||
veriexec_devhead_t veriexec_file_dev_head;
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Search the @p head meta-data list for the specified file identifier
|
||||
* @p fileid in the file system identified by @p fsid
|
||||
*
|
||||
* If meta-data exists for file system identified by @p fsid, it has a
|
||||
* fingerprint list, and @p found_dev is not @c NULL then store true in the
|
||||
* location pointed to by @p found_dev
|
||||
*
|
||||
* @param head meta-data list to search
|
||||
* @param fsid file system identifier to look for
|
||||
* @param fileid file to look for
|
||||
* @param gen generation of file
|
||||
* @param found_dev indicator that an entry for the file system was found
|
||||
*
|
||||
* @return A pointer to the meta-data inforation if meta-data exists for
|
||||
* the specified file identifier, otherwise @c NULL
|
||||
*/
|
||||
static struct mac_veriexec_file_info *
|
||||
get_veriexec_file(struct veriexec_devhead *head, dev_t fsid, long fileid,
|
||||
unsigned long gen, int *found_dev)
|
||||
{
|
||||
struct veriexec_dev_list *lp;
|
||||
struct mac_veriexec_file_info *ip, *tip;
|
||||
|
||||
ip = NULL;
|
||||
|
||||
/* Initialize the value found_dev, if non-NULL */
|
||||
if (found_dev != NULL)
|
||||
*found_dev = 0;
|
||||
|
||||
VERIEXEC_DEBUG(3, ("searching for file %lu.%lu on device %lu,"
|
||||
" files=%d\n", fileid, gen, (unsigned long)fsid,
|
||||
(head == &veriexec_file_dev_head)));
|
||||
|
||||
/* Get a lock to access the list */
|
||||
mtx_lock(&ve_mutex);
|
||||
|
||||
/* First, look for the file system */
|
||||
for (lp = LIST_FIRST(head); lp != NULL; lp = LIST_NEXT(lp, entries))
|
||||
if (lp->fsid == fsid)
|
||||
break;
|
||||
|
||||
/* We found the file system in the list */
|
||||
if (lp != NULL) {
|
||||
VERIEXEC_DEBUG(3, ("found matching dev number %lu\n",
|
||||
lp->fsid));
|
||||
|
||||
/* If found_dev is non-NULL, store true there */
|
||||
if (found_dev != NULL)
|
||||
*found_dev = 1;
|
||||
|
||||
/* Next, look for the meta-data information for the file */
|
||||
LIST_FOREACH_SAFE(ip, &(lp->file_head), entries, tip) {
|
||||
if (ip->fileid == fileid) {
|
||||
if (ip->gen == gen)
|
||||
break;
|
||||
/* we need to garbage collect */
|
||||
LIST_REMOVE(ip, entries);
|
||||
free(ip, M_VERIEXEC);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* Release the lock we obtained earlier */
|
||||
mtx_unlock(&ve_mutex);
|
||||
|
||||
/* Return the meta-data information we found, if anything */
|
||||
return (ip);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Search the meta-data store for information on the specified file.
|
||||
*
|
||||
* @param fsid file system identifier to look for
|
||||
* @param fileid file to look for
|
||||
* @param gen generation of file
|
||||
* @param found_dev indicator that an entry for the file system was found
|
||||
* @param check_files if 1, check the files list first, otherwise check the
|
||||
* exectuables list first
|
||||
*
|
||||
* @return A pointer to the meta-data inforation if meta-data exists for
|
||||
* the specified file identifier, otherwise @c NULL
|
||||
*/
|
||||
static struct mac_veriexec_file_info *
|
||||
find_veriexec_file(dev_t fsid, long fileid, unsigned long gen, int *found_dev,
|
||||
int check_files)
|
||||
{
|
||||
struct veriexec_devhead *search[3];
|
||||
struct mac_veriexec_file_info *ip;
|
||||
int x;
|
||||
|
||||
/* Determine the order of the lists to search */
|
||||
if (check_files) {
|
||||
search[0] = &veriexec_file_dev_head;
|
||||
search[1] = &veriexec_dev_head;
|
||||
} else {
|
||||
search[0] = &veriexec_dev_head;
|
||||
search[1] = &veriexec_file_dev_head;
|
||||
}
|
||||
search[2] = NULL;
|
||||
|
||||
VERIEXEC_DEBUG(3, ("%s: searching for dev %lu, file %lu\n",
|
||||
__func__, fsid, fileid));
|
||||
|
||||
/* Search for the specified file */
|
||||
for (ip = NULL, x = 0; ip == NULL && search[x]; x++)
|
||||
ip = get_veriexec_file(search[x], fsid, fileid, gen, found_dev);
|
||||
|
||||
return (ip);
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Display the fingerprint for each entry in the device list
|
||||
*
|
||||
* @param sbp sbuf to write output to
|
||||
* @param lp pointer to device list
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_print_db_dev_list(struct sbuf *sbp, struct veriexec_dev_list *lp)
|
||||
{
|
||||
struct mac_veriexec_file_info *ip;
|
||||
|
||||
#define FPB(i) (ip->fingerprint[i])
|
||||
for (ip = LIST_FIRST(&(lp->file_head)); ip != NULL;
|
||||
ip = LIST_NEXT(ip, entries))
|
||||
sbuf_printf(sbp, " %ld: %u %ld [%02x %02x %02x %02x %02x "
|
||||
"%02x %02x %02x...]\n", ip->fileid, ip->flags, ip->gen,
|
||||
FPB(0), FPB(1), FPB(2), FPB(3), FPB(4), FPB(5), FPB(6),
|
||||
FPB(7));
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Display the device list
|
||||
*
|
||||
* @param sbp sbuf to write output to
|
||||
* @param head pointer to head of the device list
|
||||
*/
|
||||
static void
|
||||
mac_veriexec_print_db_head(struct sbuf *sbp, struct veriexec_devhead *head)
|
||||
{
|
||||
struct veriexec_dev_list *lp;
|
||||
|
||||
for (lp = LIST_FIRST(head); lp != NULL; lp = LIST_NEXT(lp, entries)) {
|
||||
sbuf_printf(sbp, " FS id: %lu\n", lp->fsid);
|
||||
mac_veriexec_print_db_dev_list(sbp, lp);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @internal
|
||||
* @brief Generate human-readable output for the current fingerprint database
|
||||
*
|
||||
* @param sbp sbuf to write output to
|
||||
*/
|
||||
void
|
||||
mac_veriexec_metadata_print_db(struct sbuf *sbp)
|
||||
{
|
||||
struct {
|
||||
struct veriexec_devhead *h;
|
||||
const char *name;
|
||||
} fpdbs[] = {
|
||||
{ &veriexec_file_dev_head, "regular files" },
|
||||
{ &veriexec_dev_head, "executable files" },
|
||||
};
|
||||
int i;
|
||||
|
||||
mtx_lock(&ve_mutex);
|
||||
for (i = 0; i < sizeof(fpdbs)/sizeof(fpdbs[0]); i++) {
|
||||
sbuf_printf(sbp, "%s fingerprint db:\n", fpdbs[i].name);
|
||||
mac_veriexec_print_db_head(sbp, fpdbs[i].h);
|
||||
}
|
||||
mtx_unlock(&ve_mutex);
|
||||
}
|
||||
/**
|
||||
* @brief Determine if the meta-data store has an entry for the specified file.
|
||||
*
|
||||
* @param fsid file system identifier to look for
|
||||
* @param fileid file to look for
|
||||
* @param gen generation of file
|
||||
*
|
||||
* @return 1 if there is an entry in the meta-data store, 0 otherwise.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_metadata_has_file(dev_t fsid, long fileid, unsigned long gen)
|
||||
{
|
||||
|
||||
return (find_veriexec_file(fsid, fileid, gen, NULL,
|
||||
VERIEXEC_FILES_FIRST) != NULL);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Search the list of devices looking for the one given, in order to
|
||||
* release the resources used by it.
|
||||
*
|
||||
* If found, free all file entries for it, and remove it from the list.
|
||||
*
|
||||
* @note Called with @a ve_mutex held
|
||||
*
|
||||
* @param fsid file system identifier to look for
|
||||
* @param head meta-data list to search
|
||||
*
|
||||
* @return 0 if the device entry was freed, otherwise an error code
|
||||
*/
|
||||
static int
|
||||
free_veriexec_dev(dev_t fsid, struct veriexec_devhead *head)
|
||||
{
|
||||
struct veriexec_dev_list *lp;
|
||||
struct mac_veriexec_file_info *ip, *nip;
|
||||
|
||||
/* Look for the file system */
|
||||
for (lp = LIST_FIRST(head); lp != NULL;
|
||||
lp = LIST_NEXT(lp, entries))
|
||||
if (lp->fsid == fsid) break;
|
||||
|
||||
/* If lp is NULL, we did not find it */
|
||||
if (lp == NULL)
|
||||
return ENOENT;
|
||||
|
||||
/* Unhook lp, before we free it and its content */
|
||||
LIST_REMOVE(lp, entries);
|
||||
|
||||
/* Release the lock */
|
||||
mtx_unlock(&ve_mutex);
|
||||
|
||||
/* Free the file entries in the list */
|
||||
for (ip = LIST_FIRST(&(lp->file_head)); ip != NULL; ip = nip) {
|
||||
nip = LIST_NEXT(ip, entries);
|
||||
LIST_REMOVE(ip, entries);
|
||||
free(ip, M_VERIEXEC);
|
||||
}
|
||||
|
||||
/* Free the meta-data entry for the device */
|
||||
free(lp, M_VERIEXEC);
|
||||
|
||||
/* Re-acquire the lock */
|
||||
mtx_lock(&ve_mutex);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Search the list of devices looking for the one given.
|
||||
*
|
||||
* If it is not in the list then add it.
|
||||
*
|
||||
* @note Called with @a ve_mutex held
|
||||
*
|
||||
* @param fsid file system identifier to look for
|
||||
* @param head meta-data list to search
|
||||
*
|
||||
* @return A pointer to the meta-data entry for the device, if found or added,
|
||||
* otherwise @c NULL
|
||||
*/
|
||||
static struct veriexec_dev_list *
|
||||
find_veriexec_dev(dev_t fsid, struct veriexec_devhead *head)
|
||||
{
|
||||
struct veriexec_dev_list *lp;
|
||||
struct veriexec_dev_list *np = NULL;
|
||||
|
||||
search:
|
||||
/* Look for the file system */
|
||||
for (lp = LIST_FIRST(head); lp != NULL;
|
||||
lp = LIST_NEXT(lp, entries))
|
||||
if (lp->fsid == fsid) break;
|
||||
|
||||
if (lp == NULL) {
|
||||
if (np == NULL) {
|
||||
/*
|
||||
* If pointer is null then entry not there,
|
||||
* add a new one, first try to malloc while
|
||||
* we hold mutex - should work most of the time.
|
||||
*/
|
||||
np = malloc(sizeof(struct veriexec_dev_list),
|
||||
M_VERIEXEC, M_NOWAIT);
|
||||
if (np == NULL) {
|
||||
/*
|
||||
* So much for that plan, dop the mutex
|
||||
* and repeat...
|
||||
*/
|
||||
mtx_unlock(&ve_mutex);
|
||||
np = malloc(sizeof(struct veriexec_dev_list),
|
||||
M_VERIEXEC, M_WAITOK);
|
||||
mtx_lock(&ve_mutex);
|
||||
/*
|
||||
* Repeat the seach, in case someone
|
||||
* added this while we slept.
|
||||
*/
|
||||
goto search;
|
||||
}
|
||||
}
|
||||
if (np) {
|
||||
/* Add the entry to the list */
|
||||
lp = np;
|
||||
LIST_INIT(&(lp->file_head));
|
||||
lp->fsid = fsid;
|
||||
LIST_INSERT_HEAD(head, lp, entries);
|
||||
}
|
||||
} else if (np) {
|
||||
/*
|
||||
* Someone else did it while we slept.
|
||||
*/
|
||||
mtx_unlock(&ve_mutex);
|
||||
free(np, M_VERIEXEC);
|
||||
mtx_lock(&ve_mutex);
|
||||
}
|
||||
|
||||
return (lp);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief When a device is unmounted, we want to toss the signatures recorded
|
||||
* against it.
|
||||
*
|
||||
* We are being called from unmount() with the root vnode just before it is
|
||||
* freed.
|
||||
*
|
||||
* @param fsid file system identifier to look for
|
||||
* @param td calling thread
|
||||
*
|
||||
* @return 0 on success, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_metadata_unmounted(dev_t fsid, struct thread *td)
|
||||
{
|
||||
int error;
|
||||
|
||||
/*
|
||||
* The device can have entries on both lists.
|
||||
*/
|
||||
mtx_lock(&ve_mutex);
|
||||
error = free_veriexec_dev(fsid, &veriexec_dev_head);
|
||||
if (error && error != ENOENT) {
|
||||
mtx_unlock(&ve_mutex);
|
||||
return error;
|
||||
}
|
||||
error = free_veriexec_dev(fsid, &veriexec_file_dev_head);
|
||||
mtx_unlock(&ve_mutex);
|
||||
if (error && error != ENOENT) {
|
||||
return error;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Return the flags assigned to the file identified by file system
|
||||
* identifier @p fsid and file identifier @p fileid.
|
||||
*
|
||||
* @param fsid file system identifier
|
||||
* @param fileid file identifier within the file system
|
||||
* @param gen generation of file
|
||||
* @param flags pointer to location to store the flags
|
||||
* @param check_files if 1, check the files list first, otherwise check the
|
||||
* exectuables list first
|
||||
*
|
||||
* @return 0 on success, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_metadata_get_file_flags(dev_t fsid, long fileid, unsigned long gen,
|
||||
int *flags, int check_files)
|
||||
{
|
||||
struct mac_veriexec_file_info *ip;
|
||||
int found_dev;
|
||||
|
||||
ip = find_veriexec_file(fsid, fileid, gen, &found_dev, check_files);
|
||||
if (ip == NULL)
|
||||
return (ENOENT);
|
||||
|
||||
*flags = ip->flags;
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief get the files for the specified process
|
||||
*
|
||||
* @param cred credentials to use
|
||||
* @param p process to get the flags for
|
||||
* @param flags where to store the flags
|
||||
* @param check_files if 1, check the files list first, otherwise check the
|
||||
* exectuables list first
|
||||
*
|
||||
* @return 0 if the process has an entry in the meta-data store, otherwise an
|
||||
* error code
|
||||
*/
|
||||
int
|
||||
mac_veriexec_metadata_get_executable_flags(struct ucred *cred, struct proc *p,
|
||||
int *flags, int check_files)
|
||||
{
|
||||
struct vnode *proc_vn;
|
||||
struct vattr vap;
|
||||
int error;
|
||||
|
||||
/* Get the text vnode for the process */
|
||||
proc_vn = p->p_textvp;
|
||||
if (proc_vn == NULL)
|
||||
return EINVAL;
|
||||
|
||||
/* Get vnode attributes */
|
||||
error = VOP_GETATTR(proc_vn, &vap, cred);
|
||||
if (error)
|
||||
return error;
|
||||
|
||||
error = mac_veriexec_metadata_get_file_flags(vap.va_fsid,
|
||||
vap.va_fileid, vap.va_gen, flags,
|
||||
(check_files == VERIEXEC_FILES_FIRST));
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Ensure the fingerprint status for the vnode @p vp is assigned to its
|
||||
* MAC label.
|
||||
*
|
||||
* @param vp vnode to check
|
||||
* @param vap vnode attributes to use
|
||||
* @param td calling thread
|
||||
* @param check_files if 1, check the files list first, otherwise check the
|
||||
* exectuables list first
|
||||
*
|
||||
* @return 0 on success, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
|
||||
struct vattr *vap, struct thread *td, int check_files)
|
||||
{
|
||||
unsigned char digest[MAXFINGERPRINTLEN];
|
||||
struct mac_veriexec_file_info *ip;
|
||||
int error, found_dev;
|
||||
fingerprint_status_t status;
|
||||
|
||||
error = 0;
|
||||
ip = NULL;
|
||||
|
||||
status = mac_veriexec_get_fingerprint_status(vp);
|
||||
if (status == FINGERPRINT_INVALID || status == FINGERPRINT_NODEV) {
|
||||
found_dev = 0;
|
||||
ip = find_veriexec_file(vap->va_fsid, vap->va_fileid,
|
||||
vap->va_gen, &found_dev, check_files);
|
||||
if (ip == NULL) {
|
||||
status = (found_dev) ? FINGERPRINT_NOENTRY :
|
||||
FINGERPRINT_NODEV;
|
||||
VERIEXEC_DEBUG(3,
|
||||
("fingerprint status is %d for dev %lu, file "
|
||||
"%lu.%lu\n", status, vap->va_fsid, vap->va_fileid,
|
||||
vap->va_gen));
|
||||
} else {
|
||||
/*
|
||||
* evaluate and compare fingerprint
|
||||
*/
|
||||
error = mac_veriexec_fingerprint_check_vnode(vp, ip,
|
||||
td, vap->va_size, digest);
|
||||
switch (error) {
|
||||
case 0:
|
||||
/* Process flags */
|
||||
if ((ip->flags & VERIEXEC_INDIRECT))
|
||||
status = FINGERPRINT_INDIRECT;
|
||||
else if ((ip->flags & VERIEXEC_FILE))
|
||||
status = FINGERPRINT_FILE;
|
||||
else
|
||||
status = FINGERPRINT_VALID;
|
||||
VERIEXEC_DEBUG(2,
|
||||
("%sfingerprint matches for dev %lu, file "
|
||||
"%lu.%lu\n",
|
||||
(status == FINGERPRINT_INDIRECT) ?
|
||||
"indirect " :
|
||||
(status == FINGERPRINT_FILE) ?
|
||||
"file " : "", vap->va_fsid,
|
||||
vap->va_fileid, vap->va_gen));
|
||||
break;
|
||||
|
||||
case EAUTH:
|
||||
#ifdef VERIFIED_EXEC_DEBUG_VERBOSE
|
||||
{
|
||||
char have[MAXFINGERPRINTLEN * 2 + 1];
|
||||
char want[MAXFINGERPRINTLEN * 2 + 1];
|
||||
int i, len;
|
||||
|
||||
len = ip->ops->digest_len;
|
||||
for (i = 0; i < len; i++) {
|
||||
sprintf(&want[i * 2], "%02x",
|
||||
ip->fingerprint[i]);
|
||||
sprintf(&have[i * 2], "%02x",
|
||||
digest[i]);
|
||||
}
|
||||
log(LOG_ERR, MAC_VERIEXEC_FULLNAME
|
||||
": fingerprint for dev %lu, file "
|
||||
"%lu.%lu %s != %s\n", vap->va_fsid,
|
||||
vap->va_fileid, vap->va_gen,
|
||||
have, want);
|
||||
}
|
||||
#endif
|
||||
status = FINGERPRINT_NOMATCH;
|
||||
break;
|
||||
default:
|
||||
VERIEXEC_DEBUG(2,
|
||||
("fingerprint status error %d\n", error));
|
||||
break;
|
||||
}
|
||||
}
|
||||
mac_veriexec_set_fingerprint_status(vp, status);
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a file and its fingerprint to the list of files attached
|
||||
* to the device @p fsid.
|
||||
*
|
||||
* Only add the entry if it is not already on the list.
|
||||
*
|
||||
* @note Called with @a ve_mutex held
|
||||
*
|
||||
* @param file_dev if 1, the entry should be added on the file list,
|
||||
* otherwise it should be added on the executable list
|
||||
* @param fsid file system identifier of device
|
||||
* @param fileid file to add
|
||||
* @param gen generation of file
|
||||
* @param fingerprint fingerprint to add to the store
|
||||
* @param flags flags to set in the store
|
||||
* @param fp_type digest type
|
||||
* @param override if 1, override any values already stored
|
||||
*
|
||||
* @return 0 on success, otherwise an error code.
|
||||
*/
|
||||
int
|
||||
mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
|
||||
unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN],
|
||||
int flags, const char *fp_type, int override)
|
||||
{
|
||||
struct mac_veriexec_fpops *fpops;
|
||||
struct veriexec_dev_list *lp;
|
||||
struct veriexec_devhead *head;
|
||||
struct mac_veriexec_file_info *ip;
|
||||
struct mac_veriexec_file_info *np = NULL;
|
||||
|
||||
/* Look up the device entry */
|
||||
if (file_dev)
|
||||
head = &veriexec_file_dev_head;
|
||||
else
|
||||
head = &veriexec_dev_head;
|
||||
lp = find_veriexec_dev(fsid, head);
|
||||
|
||||
/* Look up the fingerprint operations for the digest type */
|
||||
fpops = mac_veriexec_fingerprint_lookup_ops(fp_type);
|
||||
if (fpops == NULL)
|
||||
return (EOPNOTSUPP);
|
||||
|
||||
search:
|
||||
for (ip = LIST_FIRST(&(lp->file_head)); ip != NULL;
|
||||
ip = LIST_NEXT(ip, entries)) {
|
||||
/* check for a dupe file in the list, skip if an entry
|
||||
* exists for this file except for when the flags contains
|
||||
* VERIEXEC_INDIRECT, always set the flags when it is so
|
||||
* we don't get a hole caused by conflicting flags on
|
||||
* hardlinked files. XXX maybe we should validate
|
||||
* fingerprint is same and complain if it is not...
|
||||
*/
|
||||
if (ip->fileid == fileid && ip->gen == gen) {
|
||||
if (override) {
|
||||
/*
|
||||
* for a signed load we allow overrides,
|
||||
* otherwise fingerpints needed for pkg loads
|
||||
* can fail (the files are on temp device).
|
||||
*/
|
||||
ip->flags = flags;
|
||||
ip->ops = fpops;
|
||||
memcpy(ip->fingerprint, fingerprint,
|
||||
fpops->digest_len);
|
||||
} else if ((flags & (VERIEXEC_INDIRECT|VERIEXEC_FILE)))
|
||||
ip->flags |= flags;
|
||||
|
||||
if (np) {
|
||||
/* unlikely but... we don't need it now. */
|
||||
mtx_unlock(&ve_mutex);
|
||||
free(np, M_VERIEXEC);
|
||||
mtx_lock(&ve_mutex);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* We may have been past here before...
|
||||
*/
|
||||
if (np == NULL) {
|
||||
/*
|
||||
* We first try with mutex held and nowait.
|
||||
*/
|
||||
np = malloc(sizeof(struct mac_veriexec_file_info), M_VERIEXEC,
|
||||
M_NOWAIT);
|
||||
if (np == NULL) {
|
||||
/*
|
||||
* It was worth a try, now
|
||||
* drop mutex while we malloc.
|
||||
*/
|
||||
mtx_unlock(&ve_mutex);
|
||||
np = malloc(sizeof(struct mac_veriexec_file_info),
|
||||
M_VERIEXEC, M_WAITOK);
|
||||
mtx_lock(&ve_mutex);
|
||||
/*
|
||||
* We now have to repeat our search!
|
||||
*/
|
||||
goto search;
|
||||
}
|
||||
}
|
||||
|
||||
/* Set up the meta-data entry */
|
||||
ip = np;
|
||||
ip->flags = flags;
|
||||
ip->ops = fpops;
|
||||
ip->fileid = fileid;
|
||||
ip->gen = gen;
|
||||
memcpy(ip->fingerprint, fingerprint, fpops->digest_len);
|
||||
|
||||
VERIEXEC_DEBUG(3, ("add file %lu.%lu (files=%d)\n", ip->fileid,
|
||||
ip->gen, file_dev));
|
||||
|
||||
/* Add the entry to the list */
|
||||
LIST_INSERT_HEAD(&(lp->file_head), ip, entries);
|
||||
#ifdef DEBUG_VERIEXEC_FINGERPRINT
|
||||
{
|
||||
off_t offset;
|
||||
|
||||
printf("Stored %s fingerprint:\n", fp_type);
|
||||
for (offset = 0; offset < fpops->digest_len; offset++)
|
||||
printf("%02x", fingerprint[offset]);
|
||||
printf("\n");
|
||||
}
|
||||
#endif
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Intialize the meta-data store
|
||||
*/
|
||||
void
|
||||
mac_veriexec_metadata_init(void)
|
||||
{
|
||||
|
||||
mtx_init(&ve_mutex, "veriexec lock", NULL, MTX_DEF);
|
||||
LIST_INIT(&veriexec_dev_head);
|
||||
LIST_INIT(&veriexec_file_dev_head);
|
||||
}
|
Loading…
Reference in New Issue
Block a user