- Use more calls to veriexec_report() where possible.
- Change #ifdef VERIFIED_EXEC_VERBOSE to another verbose level, 2. Add sysctl(3) bits. - Simplify access type conflict handling during load. This depends on the values of access type defines to be ordered from least to most 'strict'.
This commit is contained in:
elad
parent
5fb9715482
commit
0e4dfe1792
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: sysctl.3,v 1.151 2005/06/17 18:19:39 wiz Exp $
|
||||
.\" $NetBSD: sysctl.3,v 1.152 2005/06/20 15:06:18 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 1993
|
||||
.\" The Regents of the University of California. All rights reserved.
|
||||
|
|
@ -29,7 +29,7 @@
|
|||
.\"
|
||||
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
|
||||
.\"
|
||||
.Dd June 17, 2005
|
||||
.Dd June 20, 2005
|
||||
.Dt SYSCTL 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
|
@ -892,6 +892,7 @@ mismatches, removal of entries from the tables, modification of a
|
|||
fingerprinted file.
|
||||
If 1, more messages will be printed (ie., when a file with a valid
|
||||
fingerprint is accessed).
|
||||
Verbose level 2 is debug mode.
|
||||
.It Li VERIEXEC_STRICT
|
||||
Controls the strict level of Verified Exec.
|
||||
The strict level defines how
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: verified_exec.c,v 1.16 2005/06/19 18:22:36 elad Exp $ */
|
||||
/* $NetBSD: verified_exec.c,v 1.17 2005/06/20 15:06:18 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
|
|
@ -31,9 +31,9 @@
|
|||
|
||||
#include <sys/cdefs.h>
|
||||
#if defined(__NetBSD__)
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.16 2005/06/19 18:22:36 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.17 2005/06/20 15:06:18 elad Exp $");
|
||||
#else
|
||||
__RCSID("$Id: verified_exec.c,v 1.16 2005/06/19 18:22:36 elad Exp $\n$NetBSD: verified_exec.c,v 1.16 2005/06/19 18:22:36 elad Exp $");
|
||||
__RCSID("$Id: verified_exec.c,v 1.17 2005/06/20 15:06:18 elad Exp $\n$NetBSD: verified_exec.c,v 1.17 2005/06/20 15:06:18 elad Exp $");
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
|
@ -121,11 +121,11 @@ int
|
|||
veriexecopen(dev_t dev __unused, int flags __unused,
|
||||
int fmt __unused, struct proc *p __unused)
|
||||
{
|
||||
#ifdef VERIFIED_EXEC_DEBUG_VERBOSE
|
||||
printf("Veriexec: veriexecopen: Veriexec load device open attempt by "
|
||||
"uid=%u, pid=%u. (dev=%d)\n", p->p_ucred->cr_uid,
|
||||
p->p_pid, dev);
|
||||
#endif
|
||||
if (veriexec_verbose >= 2) {
|
||||
printf("Veriexec: veriexecopen: Veriexec load device "
|
||||
"open attempt by uid=%u, pid=%u. (dev=%d)\n",
|
||||
p->p_ucred->cr_uid, p->p_pid, dev);
|
||||
}
|
||||
|
||||
if (suser(p->p_ucred, &p->p_acflag) != 0)
|
||||
return (EPERM);
|
||||
|
|
@ -207,6 +207,7 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
|
|||
error = namei(&nid);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
/* Add only regular files. */
|
||||
if (nid.ni_vp->v_type != VREG) {
|
||||
printf("Veriexec: veriexecioctl: Not adding \"%s\": "
|
||||
|
|
@ -232,32 +233,28 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
|
|||
hh = veriexec_lookup(va.va_fsid, va.va_fileid);
|
||||
if (hh != NULL) {
|
||||
/*
|
||||
* Duplicate entry. Still check the type to
|
||||
* ensure enforcement of a stricter policy.
|
||||
* I.e. if original entry was direct exec but
|
||||
* the new params flag the file as indirect or
|
||||
* file then update the hash entry to the new
|
||||
* type to ensure duplicate entries do not
|
||||
* degrade the security policy...
|
||||
* Duplicate entry; handle access type conflict
|
||||
* and enforce 'FILE' over 'INDIRECT' over
|
||||
* 'DIRECT'.
|
||||
*/
|
||||
|
||||
if ((hh->type != params->type) &&
|
||||
((params->type == VERIEXEC_INDIRECT) ||
|
||||
(params->type == VERIEXEC_FILE))) {
|
||||
if (hh->type < params->type) {
|
||||
hh->type = params->type;
|
||||
printf("Veriexec: veriexecioctl: Duplicate "
|
||||
"entry for %s, (dev=%lu, inode=%lu) "
|
||||
"but type mismatched. "
|
||||
"Updating type to stricter one.\n",
|
||||
params->file, va.va_fsid, va.va_fileid);
|
||||
|
||||
veriexec_report("Duplicate entry with "
|
||||
"access type mismatch. "
|
||||
"Updating to stricter "
|
||||
"type.", params->file,
|
||||
&va, NULL,
|
||||
REPORT_NOVERBOSE,
|
||||
REPORT_NOALARM,
|
||||
REPORT_NOPANIC);
|
||||
} else {
|
||||
veriexec_report("Duplicate entry.",
|
||||
params->file, &va, NULL,
|
||||
REPORT_VERBOSE_HIGH,
|
||||
REPORT_NOALARM,
|
||||
REPORT_NOPANIC);
|
||||
}
|
||||
|
||||
#ifdef VERIFIED_EXEC_DEBUG_VERBOSE
|
||||
printf("Veriexec: veriexecioctl: Duplicate "
|
||||
"entry for %s. (dev=%lu, inode=%lu) "
|
||||
"Ignoring.\n", params->file,
|
||||
va.va_fsid, va.va_fileid);
|
||||
#endif
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: kern_verifiedexec.c,v 1.28 2005/06/19 18:22:36 elad Exp $ */
|
||||
/* $NetBSD: kern_verifiedexec.c,v 1.29 2005/06/20 15:06:18 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
|
|
@ -30,7 +30,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.28 2005/06/19 18:22:36 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.29 2005/06/20 15:06:18 elad Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/mount.h>
|
||||
|
|
@ -260,10 +260,9 @@ bad:
|
|||
int
|
||||
veriexec_fp_cmp(struct veriexec_fp_ops *ops, u_char *fp1, u_char *fp2)
|
||||
{
|
||||
#ifdef VERIFIED_EXEC_DEBUG
|
||||
int i;
|
||||
if (veriexec_verbose >= 2) {
|
||||
int i;
|
||||
|
||||
if (veriexec_verbose > 1) {
|
||||
printf("comparing hashes...\n");
|
||||
printf("fp1: ");
|
||||
for (i = 0; i < ops->hash_len; i++) {
|
||||
|
|
@ -275,7 +274,6 @@ veriexec_fp_cmp(struct veriexec_fp_ops *ops, u_char *fp1, u_char *fp2)
|
|||
}
|
||||
printf("\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
return (memcmp(fp1, fp2, ops->hash_len));
|
||||
}
|
||||
|
|
@ -357,7 +355,6 @@ veriexec_verify(struct proc *p, struct vnode *vp, struct vattr *va,
|
|||
u_char *digest = NULL;
|
||||
int error = 0;
|
||||
|
||||
/* XXXEE Ignore non-VREG files. */
|
||||
if (vp->v_type != VREG)
|
||||
return (0);
|
||||
|
||||
|
|
@ -375,7 +372,9 @@ veriexec_verify(struct proc *p, struct vnode *vp, struct vattr *va,
|
|||
M_WAITOK);
|
||||
error = veriexec_fp_calc(p, vp, vhe, va->va_size, digest);
|
||||
if (error) {
|
||||
/* XXXEE verbose+ printf here */
|
||||
veriexec_report("Fingerprint calculation error.",
|
||||
name, va, NULL, REPORT_NOVERBOSE,
|
||||
REPORT_NOALARM, REPORT_NOPANIC);
|
||||
free(digest, M_TEMP);
|
||||
return (error);
|
||||
}
|
||||
|
|
@ -510,8 +509,8 @@ veriexec_removechk(struct proc *p, struct vnode *vp, const char *pathbuf)
|
|||
*/
|
||||
void
|
||||
veriexec_report(const u_char *msg, const u_char *filename,
|
||||
struct vattr *va, struct proc *p, int verbose_only,
|
||||
int alarm, int die)
|
||||
struct vattr *va, struct proc *p, int verbose, int alarm,
|
||||
int die)
|
||||
{
|
||||
void (*f)(const char *, ...);
|
||||
|
||||
|
|
@ -523,7 +522,7 @@ veriexec_report(const u_char *msg, const u_char *filename,
|
|||
else
|
||||
f = (void (*)(const char *, ...)) printf;
|
||||
|
||||
if (!verbose_only || veriexec_verbose) {
|
||||
if (!verbose || (verbose == veriexec_verbose)) {
|
||||
if (!alarm || p == NULL)
|
||||
f("veriexec: %s [%s, %d:%u%s", msg, filename,
|
||||
va->va_fsid, va->va_fileid,
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: verified_exec.h,v 1.13 2005/06/19 18:22:37 elad Exp $ */
|
||||
/* $NetBSD: verified_exec.h,v 1.14 2005/06/20 15:06:18 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
|
|
@ -29,27 +29,26 @@
|
|||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.13 2005/06/19 18:22:37 elad Exp $");
|
||||
|
||||
/*
|
||||
*
|
||||
* Definitions for the Verified Executables kernel function.
|
||||
*
|
||||
*/
|
||||
#ifndef _SYS_VERIFIED_EXEC_H_
|
||||
#define _SYS_VERIFIED_EXEC_H_
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/hash.h>
|
||||
|
||||
#ifndef V_EXEC_H
|
||||
#define V_EXEC_H 1
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.14 2005/06/20 15:06:18 elad Exp $");
|
||||
|
||||
/* Max length of the fingerprint type string, including terminating \0 char */
|
||||
#define VERIEXEC_TYPE_MAXLEN 9
|
||||
|
||||
struct veriexec_params {
|
||||
unsigned char type;
|
||||
unsigned char fp_type[VERIEXEC_TYPE_MAXLEN]; /* type of fingerprint
|
||||
this is */
|
||||
unsigned char fp_type[VERIEXEC_TYPE_MAXLEN];
|
||||
char file[MAXPATHLEN];
|
||||
unsigned int size; /* number of bytes in the fingerprint */
|
||||
unsigned char *fingerprint;
|
||||
|
|
@ -61,7 +60,8 @@ struct veriexec_sizing_params {
|
|||
};
|
||||
|
||||
/*
|
||||
* Types of veriexec inodes we can have
|
||||
* Types of veriexec inodes we can have. Ordered from less strict to
|
||||
* most strict -- this is enforced if a duplicate entry is loaded.
|
||||
*/
|
||||
#define VERIEXEC_DIRECT 0 /* Allow direct execution */
|
||||
#define VERIEXEC_INDIRECT 1 /* Only allow indirect execution */
|
||||
|
|
@ -150,6 +150,7 @@ LIST_HEAD(, veriexec_hashtbl) veriexec_tables;
|
|||
/* Readable values for veriexec_report(). */
|
||||
#define REPORT_NOVERBOSE 0
|
||||
#define REPORT_VERBOSE 1
|
||||
#define REPORT_VERBOSE_HIGH 2
|
||||
#define REPORT_NOPANIC 0
|
||||
#define REPORT_PANIC 1
|
||||
#define REPORT_NOALARM 0
|
||||
|
|
@ -191,12 +192,6 @@ void veriexec_init_fp_ops(void);
|
|||
void veriexec_report(const u_char *, const u_char *, struct vattr *,
|
||||
struct proc *, int, int, int);
|
||||
|
||||
#endif
|
||||
#endif /* _KERNEL */
|
||||
|
||||
#ifdef VERIFIED_EXEC_DEBUG
|
||||
#define veriexec_dprintf(x) printf x
|
||||
#else
|
||||
#define veriexec_dprintf(x)
|
||||
#endif /* VERIFIED_EXEC_DEBUG */
|
||||
|
||||
#endif
|
||||
#endif /* _SYS_VERIFIED_EXEC_H_ */
|
||||
|
|
|
|||
Loading…
Reference in New Issue