Pretending to be Elad's keyboard:

fileassoc.diff adds a fileassoc_table_run() routine that allows you to pass a callback to be called with every entry on a given mount. veriexec.diff adds some raw device access policies: if raw disk is opened at strict level 1, all fingerprints on this disk will be invalidated as a safety measure. level 2 will not allow opening disk for raw writing if we monitor it, and prevent raw writes to memory. level 3 will not allow opening any disk for raw writing. both update all relevant documentation. veriexec concept is okay blymn@.
2006-08-11 19:17:47 +00:00 · 2006-08-11 19:17:47 +00:00 · ce0ef6cfc4
commit ce0ef6cfc4
parent 67a75c5772
8 changed files with 147 additions and 16 deletions
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.3,v 1.177 2006/07/24 21:48:13 wiz Exp $
+.\"	$NetBSD: sysctl.3,v 1.178 2006/08/11 19:17:47 christos Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -29,7 +29,7 @@
 .\"
 .\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
 .\"
-.Dd July 24, 2006
+.Dd August 10, 2006
 .Dt SYSCTL 3
 .Os
 .Sh NAME
@ -960,26 +960,38 @@ Under each node there will be three variables, indicating the mount
 point, the file-system type, and the number of entries.
 .It Li VERIEXEC_STRICT
 Controls the strict level of Veriexec.
-The strict level defines how
-Veriexec will treat various situations.
+The strict level defines how Veriexec will treat various situations.
+.Pp
 In strict level 0, the system is in learning mode and will only warn about
-fingerprint mismatches, aswell as allow removal of fingerprinted files.
+fingerprint mismatches, as well as allow removal of fingerprinted files.
 It is the only level where fingerprints can be loaded.
+.Pp
 In strict level 1, the system is in IDS mode.
 It will deny access to files with mismatched fingerprints.
 Write access to monitored files will be permitted, but once modified, further
 access to them will be denied.
 Monitored files cannot be removed.
+If a disk will be opened for raw writing, Veriexec will invalidate all
+fingerprints on that disk, if it is monitored.
+.Pp
 In strict level 2, the system is in IPS mode.
 It has all effects of
 strict level 1, plus it will deny write access to monitored files and enforce
 access type (direct, indirect, file).
 Execution of non-monitored files is denied.
+Opening of raw disks for writing will be denied if the disk is monitored.
+Attempts to write to kernel memory, either via
+.Pa /dev/mem
+or
+.Pa /dev/kmem ,
+will be denied to protect Veriexec's internal data-structures.
+.Pp
 Strict level 3 operates as lockdown mode.
 It will have all effects of
 strict level 2, but it will also prevent access to non-monitored files.
 Furthermore, it will prevent addition of new files to the system, and
 allow writing only to files opened before the strict level was raised.
+All attempts to open a disk for raw writing will be denied.
 .It Li VERIEXEC_VERBOSE
 Controls the verbosity level of Veriexec.
 If 0, only the minimal
--- a/share/man/man9/fileassoc.9
+++ b/share/man/man9/fileassoc.9
@ -1,4 +1,4 @@
-.\" $NetBSD: fileassoc.9,v 1.6 2006/07/20 18:50:46 wiz Exp $
+.\" $NetBSD: fileassoc.9,v 1.7 2006/08/11 19:17:47 christos Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@ -28,7 +28,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd July 20, 2006
+.Dd August 10, 2006
 .Dt FILEASSOC 9
 .Os
 .Sh NAME
@ -193,6 +193,20 @@ Clear table-wide fileassoc-specific data in
 .Ar mp
 for
 .Ar id .
+.It Ft int Fn fileassoc_table_run "struct mount *mp" "fileassoc_t id" \
+"fileassoc_cb_t cb"
+For each entry for
+.Ar id ,
+call
+.Ar cb
+with the entry being the argument.
+.Pp
+.Ar cb
+is a function returning
+.Ft void
+and receiving one
+.Ft "void *"
+parameter.
 .El
 .Ss File-specific Routines
 .Bl -tag -width "123456"
--- a/share/man/man9/veriexec.9
+++ b/share/man/man9/veriexec.9
@ -1,4 +1,4 @@
-.\" $NetBSD: veriexec.9,v 1.3 2006/07/29 23:47:01 wiz Exp $
+.\" $NetBSD: veriexec.9,v 1.4 2006/08/11 19:17:47 christos Exp $
 .\"
 .\" Copyright 2006 Elad Efrat <elad@NetBSD.org>
 .\" Copyright 2006 Brett Lymn <blymn@NetBSD.org>
@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd July 26, 2006
+.Dd August 10, 2006
 .Dt VERIEXEC 9
 .Os
 .Sh NAME
@ -246,6 +246,11 @@ using the common fingerprint ops in
 .Ar ops .
 .Pp
 Two fingerprints must have been generated by the same algorithm.
+.It Ft void Fn veriexec_purge "struct veriexec_file_entry *vfe"
+Purge the file entry
+.Ar vfe .
+This invalidates the fingerprint so it will be evaluated next time the file
+is accessed.
 .El
 .Ss Table Management Routines
 .Bl -tag -width "123456"
@ -310,6 +315,10 @@ is responsible for garbage collection of unnecessary
 .Nm
 objects.
 It is not meant to be called directly.
+.It Ft int Fn veriexec_rawchk "struct vnode *vp"
+Enforce raw disk access policy.
+.Ar vp
+is the vnode of the mount-point for the disk, if any.
 .El
 .Sh FILES
 .Pa src/sys/dev/verified_exec.c
--- a/sys/kern/kern_fileassoc.c
+++ b/sys/kern/kern_fileassoc.c
@ -1,4 +1,4 @@
-/* $NetBSD: kern_fileassoc.c,v 1.5 2006/07/23 22:06:11 ad Exp $ */
+/* $NetBSD: kern_fileassoc.c,v 1.6 2006/08/11 19:17:47 christos Exp $ */

 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
@ -270,6 +270,33 @@ fileassoc_table_delete(struct mount *mp)
 	return (0);
 }

+/*
+ * Run a callback for each hook entry in a table.
+ */
+int
+fileassoc_table_run(struct mount *mp, fileassoc_t id, fileassoc_cb_t cb)
+{
+	struct fileassoc_table *tbl;
+	struct fileassoc_hashhead *hh;
+	u_long i;
+
+	tbl = fileassoc_table_lookup(mp);
+	if (tbl == NULL)
+		return (EEXIST);
+
+	hh = tbl->hash_tbl;
+	for (i = 0; i < tbl->hash_size; i++) {
+		struct fileassoc_hash_entry *mhe;
+
+		LIST_FOREACH(mhe, &hh[i], entries) {
+			if (mhe->hooks[id] != NULL)
+				cb(mhe->hooks[id]);
+		}
+	}
+
+	return (0);
+}
+
 /*
 * Clear a table for a given hook.
 */
--- a/sys/kern/kern_verifiedexec.c
+++ b/sys/kern/kern_verifiedexec.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_verifiedexec.c,v 1.65 2006/07/26 16:34:07 elad Exp $	*/
+/*	$NetBSD: kern_verifiedexec.c,v 1.66 2006/08/11 19:17:47 christos Exp $	*/

 /*-
 * Copyright 2005 Elad Efrat <elad@NetBSD.org>
@ -30,7 +30,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.65 2006/07/26 16:34:07 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.66 2006/08/11 19:17:47 christos Exp $");

 #include "opt_veriexec.h"

@ -687,3 +687,44 @@ veriexec_clear(void *data, int file_specific)
 			free(vte, M_TEMP);
 	}
 }
+
+/*
+ * Invalidate a Veriexec file entry.
+ * XXX: This should be updated when per-page fingerprints are added.
+ */
+void
+veriexec_purge(struct veriexec_file_entry *vfe)
+{
+	vfe->status = FINGERPRINT_NOTEVAL;
+}
+
+/*
+ * Enforce raw disk access policy.
+ *
+ * IDS mode: Invalidate fingerprints on a mount if it's opened for writing.
+ * IPS mode: Don't allow raw writing to disks we monitor.
+ * Lockdown mode: Don't allow raw writing to all disks.
+ */
+int
+veriexec_rawchk(struct vnode *vp)
+{
+	int monitored;
+
+	monitored = (vp && veriexec_tblfind(vp));
+
+	switch (veriexec_strict) {
+	case VERIEXEC_IDS:
+		if (monitored)
+			fileassoc_table_run(vp->v_mount, veriexec_hook,
+			    (fileassoc_cb_t)veriexec_purge);
+		break;
+	case VERIEXEC_IPS:
+		if (monitored)
+			return (EPERM);
+		break;
+	case VERIEXEC_LOCKDOWN:
+		return (EPERM);
+	}
+
+	return (0);
+}
--- a/sys/miscfs/specfs/spec_vnops.c
+++ b/sys/miscfs/specfs/spec_vnops.c
@ -1,4 +1,4 @@
-/*	$NetBSD: spec_vnops.c,v 1.87 2006/05/14 21:32:21 elad Exp $	*/
+/*	$NetBSD: spec_vnops.c,v 1.88 2006/08/11 19:17:47 christos Exp $	*/

 /*
 * Copyright (c) 1989, 1993
@ -31,8 +31,12 @@
 *	@(#)spec_vnops.c	8.15 (Berkeley) 7/14/95
 */

+#if defined(_KERNEL_OPT)
+#include "veriexec.h"
+#endif
+
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.87 2006/05/14 21:32:21 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.88 2006/08/11 19:17:47 christos Exp $");

 #include <sys/param.h>
 #include <sys/proc.h>
@ -56,6 +60,10 @@ __KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.87 2006/05/14 21:32:21 elad Exp $")
 #include <miscfs/genfs/genfs.h>
 #include <miscfs/specfs/specdev.h>

+#if NVERIEXEC > 0
+#include <sys/verified_exec.h>
+#endif /* NVERIEXEC > 0 */
+
 /* symbolic sleep message strings for devices */
 const char	devopn[] = "devopn";
 const char	devio[] = "devio";
@ -204,6 +212,7 @@ spec_open(v)
 			 * devices whose corresponding block devices are
 			 * currently mounted.
 			 */
+			bvp = NULL;
 			if (securelevel >= 1) {
 				blkdev = devsw_chr2blk(dev);
 				if (blkdev != (dev_t)NODEV &&
@ -213,6 +222,14 @@ spec_open(v)
 				if (iskmemdev(dev))
 					return (EPERM);
 			}
+
+#if NVERIEXEC > 0
+			if (veriexec_strict >= VERIEXEC_IPS && iskmemdev(dev))
+				return (error);
+			error = veriexec_rawchk(bvp);
+			if (error)
+				return (error);
+#endif /* NVERIEXEC > 0 */
 		}
 		if (cdev->d_type == D_TTY)
 			vp->v_flag |= VISTTY;
@ -241,6 +258,13 @@ spec_open(v)
 		 */
 		if ((error = vfs_mountedon(vp)) != 0)
 			return (error);
+
+#if NVERIEXEC > 0
+		error = veriexec_rawchk(vp);
+		if (error)
+			return (error);
+#endif /* NVERIEXEC > 0 */
+
 		error = (*bdev->d_open)(dev, ap->a_mode, S_IFBLK, l);
 		d_ioctl = bdev->d_ioctl;
 		break;
--- a/sys/sys/fileassoc.h
+++ b/sys/sys/fileassoc.h
@ -1,4 +1,4 @@
-/* $NetBSD: fileassoc.h,v 1.2 2006/07/16 19:37:55 elad Exp $ */
+/* $NetBSD: fileassoc.h,v 1.3 2006/08/11 19:17:47 christos Exp $ */

 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
@ -47,6 +47,7 @@

 typedef int fileassoc_t;
 typedef void (*fileassoc_cleanup_cb_t)(void *, int);
+typedef void (*fileassoc_cb_t)(void *);

 #define	FILEASSOC_CLEANUP_TABLE	0
 #define	FILEASSOC_CLEANUP_FILE	1
@ -64,5 +65,6 @@ int fileassoc_tabledata_clear(struct mount *, fileassoc_t);
 int fileassoc_file_delete(struct vnode *);
 int fileassoc_add(struct vnode *, fileassoc_t, void *);
 int fileassoc_clear(struct vnode *, fileassoc_t);
+int fileassoc_table_run(struct mount *, fileassoc_t, fileassoc_cb_t);

 #endif /* !_SYS_FILEASSOC_H_ */
--- a/sys/sys/verified_exec.h
+++ b/sys/sys/verified_exec.h
@ -1,4 +1,4 @@
-/*	$NetBSD: verified_exec.h,v 1.38 2006/07/26 16:34:07 elad Exp $	*/
+/*	$NetBSD: verified_exec.h,v 1.39 2006/08/11 19:17:47 christos Exp $	*/

 /*-
 * Copyright 2005 Elad Efrat <elad@NetBSD.org>
@ -199,6 +199,8 @@ int veriexec_load(struct veriexec_params *, struct lwp *);
 int veriexec_delete(struct veriexec_delete_params *, struct lwp *);
 int veriexec_query(struct veriexec_query_params *, struct lwp *);
 void veriexec_clear(void *, int);
+void veriexec_purge(struct veriexec_file_entry *);
+int veriexec_rawchk(struct vnode *vp);

 #endif /* _KERNEL */