%{
/* $NetBSD: veriexecctl_parse.y,v 1.20 2006/12/08 23:22:19 elad Exp $ */
/*-
|
2006-11-21 03:22:04 +03:00
|
|
|
* Copyright 2005 Elad Efrat <elad@NetBSD.org>
|
2005-04-20 17:44:45 +04:00
|
|
|
* Copyright 2005 Brett Lymn <blymn@netbsd.org>
|
|
|
|
*
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This code has been donated to The NetBSD Foundation by the Author.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. The name of the author may not be used to endorse or promote products
|
|
|
|
* derived from this software withough specific prior written permission
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
2002-11-23 13:52:49 +03:00
|
|
|
*
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2005-04-20 17:44:45 +04:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/ioctl.h>
|
|
|
|
#include <sys/statvfs.h>
|
|
|
|
#include <sys/mount.h>
|
|
|
|
|
|
|
|
#include <sys/verified_exec.h>
|
|
|
|
#include <ctype.h>
|
2002-11-23 13:52:49 +03:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <errno.h>
|
2005-04-20 17:44:45 +04:00
|
|
|
#include <err.h>
|
2002-11-23 13:52:49 +03:00
|
|
|
|
2006-11-29 01:22:02 +03:00
|
|
|
#include <prop/proplib.h>
|
|
|
|
|
2005-04-20 17:44:45 +04:00
|
|
|
#include "veriexecctl.h"
|
2002-11-23 13:52:49 +03:00
|
|
|
|
2006-11-29 01:22:02 +03:00
|
|
|
prop_dictionary_t load_params;
static size_t convert(u_char *, u_char *);
%}
%union {
char *string;
int intval;
}
%token <string> PATH
%token <string> STRING
%token EOL TOKEN_COMMA
%%
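/*
 * A statement is one fingerprint-list line: path, fingerprint type,
 * fingerprint and optional flags.  The sub-rules accumulate the entry in
 * the global dictionary load_params; this action consumes it.
 *
 * Phase 1 only collects the mount points that will need entries; phase 2
 * hands each completed entry to phase2_load().
 */
statement : /* empty */
	| statement path type fingerprint flags eol {
		struct stat sb;
		struct veriexec_up *p;
		struct statvfs sf;
		const char *file;

		if (phase == 2) {
			/*
			 * NOTE(review): load_params is only cleared here, not
			 * released, so phase2_load() is assumed to take
			 * ownership of the dictionary -- confirm it releases it.
			 */
			phase2_load();
			goto phase_2_end;
		}

		file = dict_gets(load_params, "file");

		if (stat(file, &sb) == -1) {
			warnx("Line %lu: Can't stat `%s'",
			    (unsigned long)file == 0 ? 0UL : (unsigned long)line, file);
			goto phase_1_end;
		}

		/* Only regular files can carry a fingerprint. */
		if (!S_ISREG(sb.st_mode)) {
			warnx("Line %lu: %s is not a regular file",
			    (unsigned long)line, file);
			goto phase_1_end;
		}

		if (statvfs(file, &sf) == -1)
			err(1, "Cannot statvfs `%s'", file);

		if ((p = dev_lookup(sf.f_mntonname)) != NULL) {
			/*
			 * Mount already known: bump its entry count.  Start
			 * from 0 so n has a defined value even when the
			 * "count" key is absent and the getter does not fill
			 * it in (the original left n uninitialized).
			 */
			uint64_t n = 0;

			(void)prop_dictionary_get_uint64(p->vu_preload, "count", &n);
			prop_dictionary_set_uint64(p->vu_preload, "count", n + 1);

			goto phase_1_end;
		}

		if (verbose) {
			(void)printf( " => Adding mount `%s'.\n", sf.f_mntonname);
		}

		dev_add(sf.f_mntonname);

phase_1_end:
		/*
		 * Phase 1 only needed the file name and nothing else holds a
		 * reference to the dictionary, so release it instead of
		 * dropping the pointer.
		 */
		prop_object_release(load_params);
phase_2_end:
		load_params = NULL;
	}
	| statement eol
	| statement error eol {
		/*
		 * A rejected line leaves a half-built dictionary behind.  Drop
		 * it here; otherwise the next path rule reuses it and any
		 * "entry-type" flags parsed before the error would be OR-ed
		 * into the next entry.
		 */
		if (load_params != NULL) {
			prop_object_release(load_params);
			load_params = NULL;
		}
		yyerrok;
	}
	;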
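/*
 * First field of a line.  Creates the load_params dictionary for this
 * entry if none is live yet and records the file name under "file".
 * Allocation failure is fatal: every later rule dereferences load_params.
 */
path : PATH {
	if (load_params == NULL) {
		load_params = prop_dictionary_create();
		if (load_params == NULL)
			err(1, "Can't allocate load params");
	}

	dict_sets(load_params, "file", $1);
}
;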
/*
 * Fingerprint type string, stored verbatim under "fp-type".  Only recorded
 * in phase 2; phase 1 needs nothing but the path.
 */
type : STRING {
	if (phase == 2) {
		dict_sets(load_params, "fp-type", $1);
	}
}
;
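/*
 * Fingerprint as a hexadecimal string.  In phase 2 it is decoded into raw
 * bytes by convert() and stored under "fp"; a malformed string is a syntax
 * error for the line (yyerror + YYERROR, recovered by the statement error
 * rule).  Phase 1 ignores it.
 */
fingerprint : STRING {
	if (phase == 2) {
		size_t len = strlen($1);
		char *fp;
		size_t n;

		/*
		 * Reject an empty or odd-length string before allocating:
		 * convert() refuses an odd length anyway, and an empty
		 * fingerprint would otherwise be stored as zero bytes (or
		 * misreported as an allocation failure where malloc(0)
		 * returns NULL).
		 */
		if (len == 0 || (len % 2) != 0) {
			yyerror("Bad fingerprint");
			YYERROR;
		}

		/* Two hex digits per output byte. */
		fp = malloc(len / 2);
		if (fp == NULL)
			err(1, "Fingerprint mem alloc failed");

		n = convert((u_char *)$1, (u_char *)fp);
		if (n == (size_t)-1) {
			free(fp);
			yyerror("Bad fingerprint");
			YYERROR;
		}

		/* The buffer is freed right after, so dict_setd() is relied on to copy it. */
		dict_setd(load_params, "fp", fp, n);
		free(fp);
	}
}
;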
/*
 * Flags are optional.  With none present flag_spec never runs, so this
 * line does not touch "entry-type".
 */
flags : /* empty */
	| flags_spec
	;
/*
 * One or more flag words separated by TOKEN_COMMA; each word is handled by
 * flag_spec, which ORs its bits into the entry.
 */
flags_spec : flag_spec
	| flags_spec TOKEN_COMMA flag_spec
	;
/*
 * One flag word (case-insensitive).  Its bits are OR-ed into the entry's
 * "entry-type", on top of whatever earlier words on the same line set; an
 * unknown word is a syntax error for the line.  Phase 1 ignores flags.
 */
flag_spec : STRING {
	if (phase == 2) {
		static const struct {
			const char *name;
			uint8_t bits;
		} flag_names[] = {
			{ "direct",	VERIEXEC_DIRECT },
			{ "indirect",	VERIEXEC_INDIRECT },
			{ "file",	VERIEXEC_FILE },
			{ "program",	VERIEXEC_DIRECT },
			{ "interpreter",	VERIEXEC_INDIRECT },
			{ "script",	VERIEXEC_FILE | VERIEXEC_DIRECT },
			{ "library",	VERIEXEC_FILE | VERIEXEC_INDIRECT },
			{ "untrusted",	VERIEXEC_UNTRUSTED },
		};
		const size_t nflags = sizeof(flag_names) / sizeof(flag_names[0]);
		uint8_t t = 0;
		size_t i;

		/* Accumulate on top of flags already recorded for this entry. */
		prop_dictionary_get_uint8(load_params, "entry-type", &t);

		for (i = 0; i < nflags; i++) {
			if (strcasecmp($1, flag_names[i].name) == 0)
				break;
		}
		if (i == nflags) {
			yyerror("Bad flag");
			YYERROR;
		}

		t |= flag_names[i].bits;
		prop_dictionary_set_uint8(load_params, "entry-type", t);
	}
}
;
/* End of line; shared by the statement alternatives. */
eol : EOL
	;
%%
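/*
 * Value of one hexadecimal digit, upper or lower case, or -1 if "c" is
 * not a hex digit.  Replaces the old cvt() macro, which hid a "return -1"
 * inside the loop body.
 */
static int
hexdigit_value(unsigned char c)
{
	if (isdigit(c))
		return c - '0';
	if (isxdigit(c))
		return 10 + tolower(c) - 'a';
	return -1;
}

/*
 * Takes the hexadecimal string pointed to by "fp" and converts it to
 * binary, two hex digits per byte, storing the bytes in the array pointed
 * to by "out".  "out" must have room for strlen(fp) / 2 bytes; the caller
 * allocates exactly that.
 *
 * Returns the number of bytes written to "out", or (size_t)-1 if "fp" has
 * an odd number of characters or contains a non-hex character.  On failure
 * a prefix of "out" may already have been written; callers discard the
 * buffer in that case.  (The parameters are unsigned char, which is what
 * u_char in the prototype expands to.)
 */
static size_t
convert(unsigned char *fp, unsigned char *out)
{
	size_t i, count;
	int hi, lo;

	count = strlen((const char *)fp);

	/*
	 * An odd number of hex digits cannot describe an integral number
	 * of bytes; reject rather than silently drop the trailing nibble.
	 */
	if ((count % 2) != 0)
		return (size_t)-1;

	count /= 2;

	for (i = 0; i < count; i++) {
		hi = hexdigit_value(fp[2 * i]);
		lo = hexdigit_value(fp[2 * i + 1]);
		if (hi < 0 || lo < 0)
			return (size_t)-1;
		out[i] = (unsigned char)((hi << 4) | lo);
	}

	return count;
}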