From 6e4a854552439240ee0fae6c0a9e259ef50cb5fa Mon Sep 17 00:00:00 2001
From: elad
Date: Tue, 2 Aug 2005 16:14:10 +0000
Subject: [PATCH] Support multiple entry types. Direct, indirect, and file can now be combined in the signatures file using commas.

---
 sbin/veriexecctl/veriexecctl_parse.y | 35 ++++------------------------
 sys/kern/kern_verifiedexec.c | 6 ++---
 sys/sys/verified_exec.h | 10 ++++----
 3 files changed, 12 insertions(+), 39 deletions(-)

diff --git a/sbin/veriexecctl/veriexecctl_parse.y b/sbin/veriexecctl/veriexecctl_parse.y
index 78ef0c94cce3..6074ba70c433 100644
--- a/sbin/veriexecctl/veriexecctl_parse.y
+++ b/sbin/veriexecctl/veriexecctl_parse.y
@@ -1,5 +1,5 @@
 %{
-/* $NetBSD: veriexecctl_parse.y,v 1.10 2005/06/13 15:18:44 elad Exp $ */
+/* $NetBSD: veriexecctl_parse.y,v 1.11 2005/08/02 16:14:10 elad Exp $ */
 
 /*-
  * Copyright 2005 Elad Efrat
@@ -48,9 +48,6 @@ struct veriexec_params params;
 
 static int convert(u_char *, u_char *);
 
-int have_type = 0;
-
-#define FIELD_TYPE 1
 %}
 
 %union {
@@ -103,7 +100,6 @@ statement : /* empty */
 dev_add(sb.st_dev);
 phase_2_end:
 (void)memset(¶ms, 0, sizeof(params));
- have_type = 0;
 }
 | statement eol
 | statement error eol {
@@ -158,39 +154,16 @@ flags_spec : flag_spec
 
 flag_spec : STRING {
 if (phase == 2) {
- int field;
- int value;
-
- /*
- * XXXEE: It might be a good idea to change this into
- * XXXEE: something less hard-coded. Perhaps loop on
- * XXXEE: tuples of (name, field, value)?
- */
 if (strcasecmp($1, "direct") == 0) {
- field = FIELD_TYPE;
- value = VERIEXEC_DIRECT;
+ params.type |= VERIEXEC_DIRECT;
 } else if (strcasecmp($1, "indirect") == 0) {
- field = FIELD_TYPE;
- value = VERIEXEC_INDIRECT;
+ params.type |= VERIEXEC_INDIRECT;
 } else if (strcasecmp($1, "file") == 0) {
- field = FIELD_TYPE;
- value = VERIEXEC_FILE;
+ params.type |= VERIEXEC_FILE;
 } else {
 yyerror("Bad flag");
 YYERROR;
 }
-
- switch (field) {
- case FIELD_TYPE:
- if (have_type) {
- yyerror("Mulitple type definitions");
- YYERROR;
- }
-
- params.type = value;
- have_type = 1;
- break;
- }
 }
 }
 
diff --git a/sys/kern/kern_verifiedexec.c b/sys/kern/kern_verifiedexec.c
index a8b7ab4b5a61..1129c2ef4bdf 100644
--- a/sys/kern/kern_verifiedexec.c
+++ b/sys/kern/kern_verifiedexec.c
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_verifiedexec.c,v 1.32 2005/07/16 22:47:18 christos Exp $ */
+/* $NetBSD: kern_verifiedexec.c,v 1.33 2005/08/02 16:14:10 elad Exp $ */
 
 /*-
  * Copyright 2005 Elad Efrat
@@ -30,7 +30,7 @@
  */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.32 2005/07/16 22:47:18 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.33 2005/08/02 16:14:10 elad Exp $");
 
 #include "opt_verified_exec.h"
 
@@ -391,7 +391,7 @@ veriexec_verify(struct proc *p, struct vnode *vp, struct vattr *va,
 free(digest, M_TEMP);
 }
 
- if (flag != vhe->type) {
+ if (!(vhe->type & flag)) {
 veriexec_report("Incorrect access type.", name, va, p,
 REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);
 
diff --git a/sys/sys/verified_exec.h b/sys/sys/verified_exec.h
index 721d1aa73087..00e4794f1787 100644
--- a/sys/sys/verified_exec.h
+++ b/sys/sys/verified_exec.h
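Review bot: The new `params.type |= VERIEXEC_*` lines turn the type into a bit mask that is only ever set when a flag is named, while `params` is zeroed at `phase_2_end` in the earlier hunk; with the header's new values 0 is no longer `VERIEXEC_DIRECT`, so an entry that carries no type flag, if the grammar permits one (the rule set is outside this hunk), is now loaded with a type of 0 and will match no access type at verify time. That is a fail-closed change from the old default and should either be rejected at parse time or stated where the flags are accumulated; I would add above the `if (strcasecmp($1, "direct") == 0)` line: `/* Type flags are bits and accumulate over a comma-separated list; params.type is reset at phase_2_end, so an entry naming no type loads as 0 (no access type allowed). */`. Repeated flags such as `direct,direct` are now silently accepted, which is harmless but worth a word in the same comment.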
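Review bot: The replacement `if (!(vhe->type & flag))` changes the check from exact equality to "any bit in common", so its correctness now rests on every caller passing exactly one `VERIEXEC_*` bit in `flag`: a caller passing 0 is always rejected, and a caller passing a combined mask is accepted as soon as one of its bits is listed for the entry. Neither the callers nor the start of `veriexec_verify` are in the hunk, so that contract should be recorded at the check, e.g. `/* vhe->type is a mask of permitted access types; flag must be exactly one VERIEXEC_* bit. */`. If the load path does not reject entries whose `type` is 0 (not visible here), such entries now deny every access, which is safe but belongs in the same comment.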
@@ -1,4 +1,4 @@
-/* $NetBSD: verified_exec.h,v 1.15 2005/07/01 19:50:04 elad Exp $ */
+/* $NetBSD: verified_exec.h,v 1.16 2005/08/02 16:14:10 elad Exp $ */
 
 /*-
  * Copyright 2005 Elad Efrat
@@ -41,7 +41,7 @@
 #include
 #include
 
-__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.15 2005/07/01 19:50:04 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.16 2005/08/02 16:14:10 elad Exp $");
 
 /* Max length of the fingerprint type string, including terminating \0 char */
 #define VERIEXEC_TYPE_MAXLEN 9
@@ -63,9 +63,9 @@ struct veriexec_sizing_params {
  * Types of veriexec inodes we can have. Ordered from less strict to
  * most strict -- this is enforced if a duplicate entry is loaded.
  */
-#define VERIEXEC_DIRECT 0 /* Allow direct execution */
-#define VERIEXEC_INDIRECT 1 /* Only allow indirect execution */
-#define VERIEXEC_FILE 2 /* Fingerprint of a plain file */
+#define VERIEXEC_DIRECT 0x01 /* Direct execution (exec) */
+#define VERIEXEC_INDIRECT 0x02 /* Indirect execution (#!) */
+#define VERIEXEC_FILE 0x04 /* Plain file (open) */
 
 #define VERIEXEC_LOAD _IOW('S', 0x1, struct veriexec_params)
 #define VERIEXEC_TABLESIZE _IOW('S', 0x2, struct veriexec_sizing_params)
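Review bot: The comment kept above the new `VERIEXEC_*` definitions, `Ordered from less strict to most strict -- this is enforced if a duplicate entry is loaded`, no longer describes values that are bit flags and may be combined: a mask such as `VERIEXEC_DIRECT|VERIEXEC_FILE` has no place in that ordering, and any duplicate-entry logic that compares `type` values numerically (not visible in this diff) needs to be revisited. I would replace the comment with `Access types an entry may allow. These are bit flags and may be OR'ed together in veriexec_params.type; an entry must carry the bit for the access being attempted.` and drop the ordering sentence unless the duplicate-entry rule is redefined for masks. Because `type` travels in the `VERIEXEC_LOAD` ioctl payload, a veriexecctl built against the previous header still sends 0, 1 and 2, which the new kernel reads as no type, DIRECT and INDIRECT respectively; if that mix is possible, the load path should reject values outside `VERIEXEC_DIRECT|VERIEXEC_INDIRECT|VERIEXEC_FILE`, or the ioctl number should change.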