2003-07-14 19:47:00 +04:00
|
|
|
/* $NetBSD: verified_exec.c,v 1.4 2003/07/14 15:47:04 lukem Exp $ */
|
2002-10-29 15:31:20 +03:00
|
|
|
|
|
|
|
/*-
|
|
|
|
* Copyright (c) 1998-1999 Brett Lymn
|
|
|
|
* (blymn@baea.com.au, brett_lymn@yahoo.com.au)
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This code has been donated to The NetBSD Foundation by the Author.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. The name of the author may not be used to endorse or promote products
|
|
|
|
* derived from this software withough specific prior written permission
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2003-07-14 19:47:00 +04:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.4 2003/07/14 15:47:04 lukem Exp $");
|
|
|
|
|
2002-10-29 15:31:20 +03:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <sys/proc.h>
|
|
|
|
#include <sys/errno.h>
|
|
|
|
#include <sys/verified_exec.h>
|
|
|
|
#include <sys/buf.h>
|
|
|
|
#include <sys/malloc.h>
|
|
|
|
#include <sys/ioctl.h>
|
|
|
|
#include <sys/device.h>
|
|
|
|
#include <sys/conf.h>
|
|
|
|
#include <sys/lock.h>
|
|
|
|
#include <sys/queue.h>
|
|
|
|
#include <sys/vnode.h>
|
|
|
|
#include <sys/fcntl.h>
|
|
|
|
#include <sys/namei.h>
|
|
|
|
|
|
|
|
struct verified_exec_softc {
|
|
|
|
struct device veriexec_dev;
|
|
|
|
};
|
|
|
|
|
|
|
|
const struct cdevsw verifiedexec_cdevsw = {
|
|
|
|
verifiedexecopen, verifiedexecclose, noread, nowrite,
|
|
|
|
verifiedexecioctl, nostop, notty, nopoll, nommap, nokqfilter,
|
|
|
|
};
|
|
|
|
|
|
|
|
/* internal structures */
|
|
|
|
LIST_HEAD(veriexec_devhead, veriexec_dev_list) veriexec_dev_head;
|
|
|
|
/*LIST_HEAD(veriexec_file_devhead, veriexec_dev_list) veriexec_file_dev_head;*/
|
|
|
|
struct veriexec_devhead veriexec_file_dev_head;
|
|
|
|
|
|
|
|
/* Autoconfiguration glue */
|
|
|
|
void verifiedexecattach(struct device *parent, struct device *self,
|
|
|
|
void *aux);
|
|
|
|
int verifiedexecopen(dev_t dev, int flags, int fmt, struct proc *p);
|
|
|
|
int verifiedexecclose(dev_t dev, int flags, int fmt, struct proc *p);
|
|
|
|
int verifiedexecioctl(dev_t dev, u_long cmd, caddr_t data, int flags,
|
|
|
|
struct proc *p);
|
|
|
|
void add_veriexec_inode(struct veriexec_dev_list *list, unsigned long inode,
|
|
|
|
unsigned char fingerprint[MAXFINGERPRINTLEN],
|
|
|
|
unsigned char type, unsigned char fp_type);
|
|
|
|
struct veriexec_dev_list *find_veriexec_dev(unsigned long dev,
|
|
|
|
struct veriexec_devhead *head);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Attach for autoconfig to find. Initialise the lists and return...
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
verifiedexecattach(struct device *parent, struct device *self, void *aux)
|
|
|
|
{
|
|
|
|
LIST_INIT(&veriexec_dev_head);
|
|
|
|
LIST_INIT(&veriexec_file_dev_head);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
verifiedexecopen(dev_t dev, int flags, int fmt, struct proc *p)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
verifiedexecclose(dev_t dev, int flags, int fmt, struct proc *p)
|
|
|
|
{
|
|
|
|
#ifdef VERIFIED_EXEC_DEBUG_VERBOSE
|
|
|
|
struct veriexec_dev_list *lp;
|
|
|
|
struct veriexec_inode_list *ip;
|
|
|
|
|
|
|
|
printf("Loaded exec fingerprint list is:\n");
|
|
|
|
for (lp = LIST_FIRST(&veriexec_dev_head); lp != NULL;
|
|
|
|
lp = LIST_NEXT(lp, entries)) {
|
|
|
|
for (ip = LIST_FIRST(&(lp->inode_head)); ip != NULL;
|
|
|
|
ip = LIST_NEXT(ip, entries)) {
|
|
|
|
printf("Got loaded fingerprint for dev %lu, inode %lu\n",
|
|
|
|
lp->id, ip->inode);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
printf("\n\nLoaded file fingerprint list is:\n");
|
|
|
|
for (lp = LIST_FIRST(&veriexec_file_dev_head); lp != NULL;
|
|
|
|
lp = LIST_NEXT(lp, entries)) {
|
|
|
|
for (ip = LIST_FIRST(&(lp->inode_head)); ip != NULL;
|
|
|
|
ip = LIST_NEXT(ip, entries)) {
|
|
|
|
printf("Got loaded fingerprint for dev %lu, inode %lu\n",
|
|
|
|
lp->id, ip->inode);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Search the list of devices looking for the one given. If it is not
|
|
|
|
* in the list then add it.
|
|
|
|
*/
|
|
|
|
struct veriexec_dev_list *
|
|
|
|
find_veriexec_dev(unsigned long dev, struct veriexec_devhead *head)
|
|
|
|
{
|
|
|
|
struct veriexec_dev_list *lp;
|
|
|
|
|
|
|
|
for (lp = LIST_FIRST(head); lp != NULL;
|
|
|
|
lp = LIST_NEXT(lp, entries))
|
|
|
|
if (lp->id == dev) break;
|
|
|
|
|
|
|
|
if (lp == NULL) {
|
|
|
|
/* if pointer is null then entry not there, add a new one */
|
|
|
|
MALLOC(lp, struct veriexec_dev_list *,
|
|
|
|
sizeof(struct veriexec_dev_list), M_TEMP, M_WAITOK);
|
|
|
|
LIST_INIT(&(lp->inode_head));
|
|
|
|
lp->id = dev;
|
|
|
|
LIST_INSERT_HEAD(head, lp, entries);
|
|
|
|
}
|
|
|
|
|
|
|
|
return lp;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Add a file's inode and fingerprint to the list of inodes attached
|
|
|
|
* to the device id. Only add the entry if it is not already on the
|
|
|
|
* list.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
add_veriexec_inode(struct veriexec_dev_list *list, unsigned long inode,
|
|
|
|
unsigned char fingerprint[MAXFINGERPRINTLEN],
|
|
|
|
unsigned char type, unsigned char fp_type)
|
|
|
|
{
|
|
|
|
struct veriexec_inode_list *ip;
|
|
|
|
|
|
|
|
for (ip = LIST_FIRST(&(list->inode_head)); ip != NULL;
|
|
|
|
ip = LIST_NEXT(ip, entries))
|
|
|
|
/* check for a dupe inode in the list, skip if an entry
|
|
|
|
* exists for this inode except for when the type is
|
|
|
|
* VERIEXEC_INDIRECT, always set the type when it is so
|
|
|
|
* we don't get a hole caused by conflicting types on
|
|
|
|
* hardlinked files. XXX maybe we should validate
|
|
|
|
* fingerprint is same and complain if it is not...
|
|
|
|
*/
|
|
|
|
if (ip->inode == inode) {
|
|
|
|
if (type == VERIEXEC_INDIRECT)
|
|
|
|
ip->type = type;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
MALLOC(ip, struct veriexec_inode_list *, sizeof(struct veriexec_inode_list),
|
|
|
|
M_TEMP, M_WAITOK);
|
|
|
|
ip->type = type;
|
|
|
|
ip->fp_type = fp_type;
|
|
|
|
ip->inode = inode;
|
|
|
|
memcpy(ip->fingerprint, fingerprint, sizeof(ip->fingerprint));
|
|
|
|
LIST_INSERT_HEAD(&(list->inode_head), ip, entries);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Handle the ioctl for the device
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
verifiedexecioctl(dev_t dev, u_long cmd, caddr_t data, int flags,
|
2003-06-30 02:28:00 +04:00
|
|
|
struct proc *p)
|
2002-10-29 15:31:20 +03:00
|
|
|
{
|
|
|
|
int error = 0;
|
2003-06-30 02:28:00 +04:00
|
|
|
struct verified_exec_params *params = (struct verified_exec_params *)data;
|
2002-10-29 15:31:20 +03:00
|
|
|
struct nameidata nid;
|
|
|
|
struct vattr vattr;
|
|
|
|
struct veriexec_dev_list *dlp;
|
|
|
|
|
|
|
|
#ifdef VERIFIED_EXEC_DEBUG
|
|
|
|
printf("veriexec_ioctl: got cmd 0x%lx for file %s\n", cmd, params->file);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case VERIEXECLOAD:
|
|
|
|
if (securelevel > 0) {
|
|
|
|
/* don't allow updates when secure */
|
|
|
|
error = EPERM;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Get the attributes for the file name passed
|
|
|
|
* stash the file's device id and inode number
|
|
|
|
* along with it's fingerprint in a list for
|
|
|
|
* exec to use later.
|
|
|
|
*/
|
|
|
|
NDINIT(&nid, LOOKUP, FOLLOW, UIO_USERSPACE,
|
2003-06-30 02:28:00 +04:00
|
|
|
params->file, p);
|
2002-10-29 15:31:20 +03:00
|
|
|
if ((error = vn_open(&nid, FREAD, 0)) != 0) {
|
|
|
|
return(error);
|
|
|
|
}
|
|
|
|
error = VOP_GETATTR(nid.ni_vp, &vattr, p->p_ucred, p);
|
|
|
|
if (error) {
|
|
|
|
nid.ni_vp->fp_status = FINGERPRINT_INVALID;
|
|
|
|
VOP_UNLOCK(nid.ni_vp, 0);
|
|
|
|
(void) vn_close(nid.ni_vp, FREAD,
|
|
|
|
p->p_ucred, p);
|
|
|
|
return(error);
|
|
|
|
}
|
|
|
|
/* invalidate the node fingerprint status
|
|
|
|
* which will have been set in the vn_open
|
|
|
|
* and would always be FINGERPRINT_NOTFOUND
|
|
|
|
*/
|
|
|
|
nid.ni_vp->fp_status = FINGERPRINT_INVALID;
|
|
|
|
VOP_UNLOCK(nid.ni_vp, 0);
|
|
|
|
(void) vn_close(nid.ni_vp, FREAD, p->p_ucred, p);
|
|
|
|
/* vattr.va_fsid = dev, vattr.va_fileid = inode */
|
|
|
|
if (params->type == VERIEXEC_FILE) {
|
|
|
|
dlp = find_veriexec_dev(vattr.va_fsid,
|
|
|
|
&veriexec_file_dev_head);
|
|
|
|
} else {
|
|
|
|
dlp = find_veriexec_dev(vattr.va_fsid,
|
|
|
|
&veriexec_dev_head);
|
|
|
|
}
|
|
|
|
|
|
|
|
add_veriexec_inode(dlp, vattr.va_fileid,
|
|
|
|
params->fingerprint, params->type,
|
|
|
|
params->fp_type);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
error = ENODEV;
|
|
|
|
}
|
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|