Support multiple entry types. Direct, indirect, and file can now be

combined in the signatures file using commas.
This commit is contained in:
elad 2005-08-02 16:14:10 +00:00
parent 2310089ccf
commit 6e4a854552
3 changed files with 12 additions and 39 deletions


@ -1,5 +1,5 @@
%{
/* $NetBSD: veriexecctl_parse.y,v 1.10 2005/06/13 15:18:44 elad Exp $ */
/* $NetBSD: veriexecctl_parse.y,v 1.11 2005/08/02 16:14:10 elad Exp $ */
/*-
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
@ -48,9 +48,6 @@
struct veriexec_params params;
static int convert(u_char *, u_char *);
int have_type = 0;
#define FIELD_TYPE 1
%}
%union {
@ -103,7 +100,6 @@ statement : /* empty */
dev_add(sb.st_dev);
phase_2_end:
(void)memset(&params, 0, sizeof(params));
have_type = 0;
}
| statement eol
| statement error eol {
@ -158,39 +154,16 @@ flags_spec : flag_spec
flag_spec : STRING {
if (phase == 2) {
int field;
int value;
/*
* XXXEE: It might be a good idea to change this into
* XXXEE: something less hard-coded. Perhaps loop on
* XXXEE: tuples of (name, field, value)?
*/
if (strcasecmp($1, "direct") == 0) {
field = FIELD_TYPE;
value = VERIEXEC_DIRECT;
params.type |= VERIEXEC_DIRECT;
} else if (strcasecmp($1, "indirect") == 0) {
field = FIELD_TYPE;
value = VERIEXEC_INDIRECT;
params.type |= VERIEXEC_INDIRECT;
} else if (strcasecmp($1, "file") == 0) {
field = FIELD_TYPE;
value = VERIEXEC_FILE;
params.type |= VERIEXEC_FILE;
} else {
yyerror("Bad flag");
YYERROR;
}
switch (field) {
case FIELD_TYPE:
if (have_type) {
yyerror("Mulitple type definitions");
YYERROR;
}
params.type = value;
have_type = 1;
break;
}
}
}
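Review bot: With `have_type` removed and the three branches now OR-ing bits into `params.type`, an entry whose flag list is empty or absent leaves `params.type` at the zero set by the `memset` in `statement`, and under the new header encoding 0 is no longer "direct" but a type with no bits set, which the kernel's `!(vhe->type & flag)` test will reject for every access. If the grammar permits such an entry (flags_spec is only partly visible here), that is a silent fail-closed rather than a reported parse error. I would reject it explicitly at the end of the `statement` rule, whose body lies outside this hunk, with `if (params.type == 0) { yyerror("No type specified"); YYERROR; }`, or document the intended default in a comment above `flag_spec`. A one-line comment on the `|=` branches, e.g. `/* Types accumulate: "direct,file" allows both. */`, would also record that combining is deliberate and replaces the old single-type check.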


@ -1,4 +1,4 @@
/* $NetBSD: kern_verifiedexec.c,v 1.32 2005/07/16 22:47:18 christos Exp $ */
/* $NetBSD: kern_verifiedexec.c,v 1.33 2005/08/02 16:14:10 elad Exp $ */
/*-
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.32 2005/07/16 22:47:18 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.33 2005/08/02 16:14:10 elad Exp $");
#include "opt_verified_exec.h"
@ -391,7 +391,7 @@ veriexec_verify(struct proc *p, struct vnode *vp, struct vattr *va,
free(digest, M_TEMP);
}
if (flag != vhe->type) {
if (!(vhe->type & flag)) {
veriexec_report("Incorrect access type.", name, va, p,
REPORT_NOVERBOSE, REPORT_ALARM,
REPORT_NOPANIC);
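Review bot: The new membership test `!(vhe->type & flag)` is weaker than the old equality in two ways the hunk does not document: an entry loaded with `type == 0` now fails every access, and if `flag` ever carries more than one bit the access is permitted on any overlap rather than an exact match. Both are fine only if every caller passes exactly one of VERIEXEC_DIRECT/INDIRECT/FILE and the load path rejects a zero or unknown type mask, and neither contract is visible here. A comment would pin it down: `/* flag is exactly one VERIEXEC_* bit; vhe->type is the set of access types this entry permits. */`. veriexec_verify begins before this hunk, so the origin of `flag` could not be checked.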


@ -1,4 +1,4 @@
/* $NetBSD: verified_exec.h,v 1.15 2005/07/01 19:50:04 elad Exp $ */
/* $NetBSD: verified_exec.h,v 1.16 2005/08/02 16:14:10 elad Exp $ */
/*-
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
@ -41,7 +41,7 @@
#include <sys/param.h>
#include <sys/hash.h>
__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.15 2005/07/01 19:50:04 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.16 2005/08/02 16:14:10 elad Exp $");
/* Max length of the fingerprint type string, including terminating \0 char */
#define VERIEXEC_TYPE_MAXLEN 9
@ -63,9 +63,9 @@ struct veriexec_sizing_params {
* Types of veriexec inodes we can have. Ordered from less strict to
* most strict -- this is enforced if a duplicate entry is loaded.
*/
#define VERIEXEC_DIRECT 0 /* Allow direct execution */
#define VERIEXEC_INDIRECT 1 /* Only allow indirect execution */
#define VERIEXEC_FILE 2 /* Fingerprint of a plain file */
#define VERIEXEC_DIRECT 0x01 /* Direct execution (exec) */
#define VERIEXEC_INDIRECT 0x02 /* Indirect execution (#!) */
#define VERIEXEC_FILE 0x04 /* Plain file (open) */
#define VERIEXEC_LOAD _IOW('S', 0x1, struct veriexec_params)
#define VERIEXEC_TABLESIZE _IOW('S', 0x2, struct veriexec_sizing_params)
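Review bot: Turning VERIEXEC_DIRECT from 0 into 0x01 (and the others into bits) changes the meaning of `veriexec_params.type` carried through the unchanged `VERIEXEC_LOAD` ioctl: a veriexecctl built against the previous header would load DIRECT entries as type 0 (now deny-all) and INDIRECT/FILE entries as DIRECT/INDIRECT, so the kernel would silently enforce the wrong policy. Since neither the ioctl number nor the struct changed, this is an ABI break that deserves an ioctl bump or at least a note in the header. The retained comment "Ordered from less strict to most strict -- this is enforced if a duplicate entry is loaded" is also stale, because bit flags have no single strictness order, so any numeric comparison in the duplicate-load path (not visible here) needs revisiting. I would replace it with `/* Access types an entry may permit; values are bits and may be combined. */` and add `#define VERIEXEC_TYPE_MASK (VERIEXEC_DIRECT|VERIEXEC_INDIRECT|VERIEXEC_FILE)` so the load path can reject unknown bits.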