Remove common code for returning supported fingerprints. This is now done
via sysctl(8) using kern.veriexec.algorithms. Also add an entry for the 'algorithms' variable to sysctl.8, forgotten in the last commit.
This commit is contained in:
parent
2ecd1730c0
commit
cd0c4134f1
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: sysctl.8,v 1.119 2005/05/19 20:16:19 elad Exp $
|
||||
.\" $NetBSD: sysctl.8,v 1.120 2005/05/20 19:52:52 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2004 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
|
@ -365,6 +365,7 @@ privilege can change the value.
|
|||
.It kern.vdisable integer no
|
||||
.It kern.veriexec.verbose integer yes
|
||||
.It kern.veriexec.strict integer raise only
|
||||
.It kern.veriexec.algorithms string no
|
||||
.It kern.version string no
|
||||
.It machdep.console_device dev_t no
|
||||
.It net.bpf.maxbufsize integer yes
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: veriexecctl.8,v 1.11 2005/04/24 13:23:55 blymn Exp $
|
||||
.\" $NetBSD: veriexecctl.8,v 1.12 2005/05/20 19:52:52 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 1999
|
||||
.\" Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
|
||||
|
@ -29,7 +29,7 @@
|
|||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id: veriexecctl.8,v 1.11 2005/04/24 13:23:55 blymn Exp $
|
||||
.\" $Id: veriexecctl.8,v 1.12 2005/05/20 19:52:52 elad Exp $
|
||||
.\"
|
||||
.Dd April 22, 2005
|
||||
.Dt VERIEXECCTL 8
|
||||
|
@ -50,26 +50,6 @@ Verified Exec must have been configured into the booted kernel for this
|
|||
commaned to work.
|
||||
.Sh COMMANDS
|
||||
.Bl -tag -width 25n
|
||||
.It Cm fingerprints
|
||||
Report the fingerprint methods that are available in the currently running
|
||||
kernel.
|
||||
This command will return a space separated list of supported fingerprint
|
||||
methods that will be accepted by the kernel.
|
||||
The default list is:
|
||||
.Bl -item -offset indent -compact
|
||||
.It
|
||||
MD5
|
||||
.It
|
||||
RMD160
|
||||
.It
|
||||
SHA1
|
||||
.It
|
||||
SHA256
|
||||
.It
|
||||
SHA384
|
||||
.It
|
||||
SHA512
|
||||
.El
|
||||
.It Cm load Ar veriexec.conf
|
||||
Load the fingerprint entries contained in
|
||||
.Ar veriexec.conf
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: veriexecctl.c,v 1.8 2005/04/21 12:45:12 christos Exp $ */
|
||||
/* $NetBSD: veriexecctl.c,v 1.9 2005/05/20 19:52:52 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
|
@ -190,8 +190,8 @@ fingerprint_load(char *ifile)
|
|||
static void
|
||||
usage(void)
|
||||
{
|
||||
(void)fprintf(stderr, "Usage: %s [-v] [load <signature_file>] "
|
||||
"[fingerprints]", getprogname());
|
||||
(void)fprintf(stderr, "Usage: %s [-v] [load <signature_file>] ",
|
||||
getprogname());
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
@ -221,37 +221,13 @@ main(int argc, char **argv)
|
|||
if ((gfd = open(VERIEXEC_DEVICE, O_RDWR, 0)) == -1)
|
||||
err(1, "Cannot open `%s'", VERIEXEC_DEVICE);
|
||||
|
||||
/*
|
||||
* Handle the different commands we can do.
|
||||
*/
|
||||
/*
|
||||
* Handle the different commands we can do.
|
||||
*/
|
||||
if (argc == 2 && strcasecmp(argv[0], "load") == 0) {
|
||||
line = 0;
|
||||
filename = argv[1];
|
||||
fingerprint_load(argv[1]);
|
||||
} else if (argc == 1 && strcasecmp(argv[0], "fingerprints") == 0) {
|
||||
size = report.size = 100;
|
||||
if ((report.fingerprints = malloc(report.size)) == NULL)
|
||||
err(1, "malloc fingeprints");
|
||||
|
||||
if (ioctl(gfd, VERIEXEC_FINGERPRINTS, &report) == -1)
|
||||
err(1, "fingerprints ioctl");
|
||||
|
||||
if (size != report.size) {
|
||||
if (verbose)
|
||||
(void)printf("fingerprints: buffer too small, "
|
||||
"reallocating to %d bytes.\n",
|
||||
report.size);
|
||||
|
||||
/* fingerprint store was not large enough
|
||||
make more room and try again. */
|
||||
if ((newp = realloc(report.fingerprints, report.size))
|
||||
== NULL)
|
||||
err(1, "realloc fingeprints");
|
||||
if (ioctl(gfd, VERIEXEC_FINGERPRINTS,
|
||||
&report) == -1)
|
||||
err(1, "fingerprints ioctl");
|
||||
}
|
||||
printf("Supported fingerprints: %s\n", report.fingerprints);
|
||||
} else
|
||||
usage();
|
||||
|
||||
|
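Review bot: With the `fingerprints` branch removed from main(), the variables only that branch used — `report`, `size` and `newp` — appear to be orphaned; their declarations sit above this hunk (main starts outside it), so if nothing else in main references them they should be removed too, or the build will warn about unused variables. In the `usage()` hunk of the same file the new format string still ends with a trailing space and no newline, so the usage text runs into the next line of output; `(void)fprintf(stderr, "Usage: %s [-v] [load <signature_file>]\n", getprogname());` terminates it cleanly. The `Handle the different commands we can do.` comment is printed twice, which suggests a whitespace-only change the rendering does not show.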
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: veriexec.4,v 1.5 2005/04/24 13:16:26 blymn Exp $
|
||||
.\" $NetBSD: veriexec.4,v 1.6 2005/05/20 19:52:52 elad Exp $
|
||||
.\"
|
||||
.\" Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
.\" Copyright 2005 Brett Lymn <blymn@netbsd.org>
|
||||
|
@ -26,7 +26,7 @@
|
|||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id: veriexec.4,v 1.5 2005/04/24 13:16:26 blymn Exp $
|
||||
.\" $Id: veriexec.4,v 1.6 2005/05/20 19:52:52 elad Exp $
|
||||
.\"
|
||||
.Dd March 24, 2005
|
||||
.Dt VERIEXEC 4
|
||||
|
@ -39,9 +39,8 @@
|
|||
The
|
||||
.Nm
|
||||
pseudo-device is used to interface the kernel's Veriexec data-structures.
|
||||
It is used to size the kernel data structures, load the Veriexec
|
||||
fingerprints into kernel memory and report the fingerprint methods
|
||||
supported by the currently running kernel.
|
||||
It is used to size the kernel data structures and load the Veriexec
|
||||
fingerprints into kernel memory.
|
||||
.Ss Veriexec file operations
|
||||
All the following operations are invoked using the
|
||||
.Xr ioctl 2
|
||||
|
@ -54,7 +53,7 @@ parameters.
|
|||
The following section lists the requests that can be made via
|
||||
.Xr ioctl 2 .
|
||||
.Ss Veriexec file request descriptions
|
||||
.Bl -tag -width VERIEXEC_FINGERPRINTS
|
||||
.Bl -tag -width VERIEXEC_TABLESIZE
|
||||
.It Dv VERIEXEC_TABLESIZE Fa struct veriexec_sizing_params
|
||||
Sizes the in kernel hash tables to accommodate the fingerprint entries.
|
||||
This request must be made prior to loading the fingerprints into the
|
||||
|
@ -99,20 +98,6 @@ fingerprint, this is used by the kernel to provide a simple sanity check
|
|||
on the fingerprint passed.
|
||||
Lastly, the fingerprint is a pointer to an
|
||||
array of characters that comprise the fingerprint for the file.
|
||||
.It Dv VERIEXEC_FINGERPRINTS Fa struct veriexec_fp_report
|
||||
Copies a string that contains the fingerprint methods supported by the
|
||||
kernel into the buffer pointed to in the argument structure.
|
||||
The argument structure also contains the size of the storage that has
|
||||
been allocated by the caller to hold the string.
|
||||
If the size of the storage is insufficient to hold the entire string,
|
||||
then the string will not be copied into the buffer by the kernel; instead
|
||||
the size field will be updated with the amount of storage required to hold
|
||||
the fingerprint string.
|
||||
After performing this request the caller must check the size field in the
|
||||
argument structure.
|
||||
If this field differs from what was set prior to the
|
||||
request then the caller should reallocate the storage with the updated size
|
||||
and perform the request again.
|
||||
.El
|
||||
.Pp
|
||||
Note that the requests
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $ */
|
||||
/* $NetBSD: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
|
@ -31,9 +31,9 @@
|
|||
|
||||
#include <sys/cdefs.h>
|
||||
#if defined(__NetBSD__)
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $");
|
||||
#else
|
||||
__RCSID("$Id: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $\n$NetBSD: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $");
|
||||
__RCSID("$Id: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $\n$NetBSD: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $");
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
@ -154,11 +154,9 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
|
|||
u_long hashmask;
|
||||
|
||||
/*
|
||||
* Don't allow updates in multi-user mode, but we will allow
|
||||
* queries of supported fingerprints.
|
||||
*
|
||||
* Don't allow updates in multi-user mode.
|
||||
*/
|
||||
if ((securelevel >= 1) && (cmd != VERIEXEC_FINGERPRINTS)) {
|
||||
if (securelevel >= 1) {
|
||||
printf("Veriexec: veriexecioctl: Securelevel raised, loading"
|
||||
"fingerprints is not permitted\n");
|
||||
|
||||
|
@ -293,20 +291,6 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
|
|||
break;
|
||||
}
|
||||
|
||||
case VERIEXEC_FINGERPRINTS: {
|
||||
struct veriexec_fp_report *params =
|
||||
(struct veriexec_fp_report *) data;
|
||||
|
||||
if (strlen(veriexec_fp_names) >= params->size) {
|
||||
params->size = strlen(veriexec_fp_names) + 1;
|
||||
} else {
|
||||
strlcpy(params->fingerprints, veriexec_fp_names,
|
||||
params->size);
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
/* Invalid operation. */
|
||||
error = ENODEV;
|
||||
|
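Review bot: The message printed right after the new `if (securelevel >= 1)` check is built from two adjacent literals, `"... loading"` and `"fingerprints is not permitted\n"`, with no separating space, so the kernel logs `loadingfingerprints`. Now that the `cmd != VERIEXEC_FINGERPRINTS` exemption is gone, this check rejects every request on the device, so the wording could be made general at the same time: `printf("Veriexec: veriexecioctl: Securelevel raised, updates are not permitted\n");`. The rest of veriexecioctl, including what it returns after this message, lies outside the hunk.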
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: verified_exec.h,v 1.8 2005/05/19 20:16:19 elad Exp $ */
|
||||
/* $NetBSD: verified_exec.h,v 1.9 2005/05/20 19:52:52 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright 2005 Elad Efrat <elad@bsd.org.il>
|
||||
|
@ -30,7 +30,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.8 2005/05/19 20:16:19 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.9 2005/05/20 19:52:52 elad Exp $");
|
||||
|
||||
/*
|
||||
*
|
||||
|
@ -60,12 +60,6 @@ struct veriexec_sizing_params {
|
|||
size_t hash_size;
|
||||
};
|
||||
|
||||
struct veriexec_fp_report {
|
||||
unsigned int size;
|
||||
unsigned char *fingerprints;
|
||||
};
|
||||
|
||||
|
||||
/*
|
||||
* Types of veriexec inodes we can have
|
||||
*/
|
||||
|
@ -75,7 +69,6 @@ struct veriexec_fp_report {
|
|||
|
||||
#define VERIEXEC_LOAD _IOW('S', 0x1, struct veriexec_params)
|
||||
#define VERIEXEC_TABLESIZE _IOW('S', 0x2, struct veriexec_sizing_params)
|
||||
#define VERIEXEC_FINGERPRINTS _IOWR('S', 0x3, struct veriexec_fp_report)
|
||||
|
||||
/* Verified exec sysctl objects. */
|
||||
#define VERIEXEC_VERBOSE 1 /* Verbosity level. */
|
||||
|
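Review bot: Removing `#define VERIEXEC_FINGERPRINTS _IOWR('S', 0x3, struct veriexec_fp_report)` frees request number 0x3 in the 'S' group without leaving a marker, so a later request could be assigned it and an old veriexecctl binary still issuing the fingerprints ioctl would reach that new handler instead of the ENODEV default; the ioctl encoding includes the argument size, so this only bites if the new argument struct happens to match in size, but it is cheap to document. A one-line reservation comment beside the remaining defines would do: `/* 0x3 was VERIEXEC_FINGERPRINTS; superseded by the kern.veriexec.algorithms sysctl, do not reuse. */`. The ENODEV default that old callers now hit is in verified_exec.c, outside this section.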
|