Commit Graph

32 Commits

Author SHA1 Message Date
elad
228eae7a90 add missing vrele(), from blymn@. 2006-05-06 13:25:36 +00:00
elad
a9505be892 Add and document a "query" keyword to veriexecctl. Usage:
/sbin/veriexecctl query /path/to/file

will print out filename, device, inode, evaluation status, entry flags,
fingerprint, and fingerprinting algorithm.
2005-12-12 21:47:58 +00:00
elad
6590e0e201 Catch up with ktrace-lwp merge.
While I'm here, stop using cur{lwp,proc}.
2005-12-12 16:26:33 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
elad
f39afe3e47 Add and document a VERIEXEC_DELETE operation for Veriexec.
We can now delete an entry from the tables using

	veriexecctl delete /path/to/file

or remove an entire table using

	veriexecctl delete /mount_point

(any directory will work for the mount point it's on)
2005-12-10 02:10:00 +00:00
elad
b302da6341 Refactor the code that creates a new table and loads entries to its own
functions (veriexec_newtable and veriexec_load). No functional change.
2005-12-10 01:04:17 +00:00
elad
d51a16a060 Remove few no longer needed XXX comments about fsid/fileid being
not the same type as dev_t/ino_t.
2005-11-25 12:02:09 +00:00
elad
2de72bfe34 Various fixes from blymn@ and myself.
Also, put genfs changes under #if 0, and don't do per-page fingerprints
until this is properly discussed, as requested by yamt@.
2005-10-07 18:07:46 +00:00
elad
8fc0d7a9c3 Introduce per-page fingerprints in Veriexec.
This closes a hole pointed out by Thor Lancelot Simon on tech-kern ~3
years ago.

The problem was with running binaries from remote storage, where our
kernel (and Veriexec) has no control over any changes to files.

An attacker could, after the fingerprint has been verified and
program loaded to memory, inject malicious code into the backing
store on the remote storage, followed by a forced flush, causing
a page-in of the malicious data from backing store, bypassing
integrity checks.

Initial implementation by Brett Lymn.
2005-10-05 13:48:48 +00:00
christos
b33f6da979 more 64 bit inode lossage. 2005-08-19 16:58:29 +00:00
elad
1ea04d9351 Oops. Put back braces... 2005-08-13 13:06:35 +00:00
elad
c62f8b0f18 The veriexec API uses dev_t and ino_t for device and inode numbers.
VOP_GETATTR() fills a struct vattr, where va_fsid and va_fileid (device
and inode..) are typed as long.

Add some casts when using these values and surround them with XXXs about
the potential size mismatch, as long can be 64 bits but dev_t and ino_t
are always 32 bits. This is safe because *for now* we're still using
32 bit inode numbers.

Discussed with blymn@.
2005-08-13 12:56:44 +00:00
elad
79b2f66712 Fix printing formats.
- size_t is %zu
  - dev_t is uint32_t is %u
  - long is %ld
2005-08-13 12:08:34 +00:00
elad
5b5c5125f4 Change how we handle duplicates in the signatures file.
Just give collision information (filename, device, inode, old and new
entry type and algorithm, and note if the fingerprint is the same or not.
2005-08-03 18:05:16 +00:00
elad
ced2e2a09a Remove veriexec_dprintf() calls forgotten in last commit. 2005-06-20 15:32:29 +00:00
elad
0e4dfe1792 - Use more calls to veriexec_report() where possible.
- Change #ifdef VERIFIED_EXEC_VERBOSE to another verbose level, 2. Add
  sysctl(3) bits.

- Simplify access type conflict handling during load. This depends on
  the values of access type defines to be ordered from least to most
  'strict'.
2005-06-20 15:06:18 +00:00
elad
c3caa55d4d - Avoid pollution of struct vnode. Save the fingerprint evaluation status
in the veriexec table entry; the lookups are very cheap now. Suggested
  by Chuq.

- Handle non-regular (!VREG) files correctly).

- Remove (no longer needed) FINGERPRINT_NOENTRY.
2005-06-19 18:22:36 +00:00
elad
ad7b01f7d0 More veriexec changes:
- Better organize strict level. Now we have 4 levels:
  - Level 0, learning mode: Warnings only about anything that might've
      resulted in 'access denied' or similar in a higher strict level.

  - Level 1, IDS mode:
    - Deny access on fingerprint mismatch.
    - Deny modification of veriexec tables.

  - Level 2, IPS mode:
    - All implications of strict level 1.
    - Deny write access to monitored files.
    - Prevent removal of monitored files.
    - Enforce access type - 'direct', 'indirect', or 'file'.

  - Level 3, lockdown mode:
    - All implications of strict level 2.
    - Prevent creation of new files.
    - Deny access to non-monitored files.

- Update sysctl(3) man-page with above. (date bumped too :)

- Remove FINGERPRINT_INDIRECT from possible fp_status values; it's no
  longer needed.

- Simplify veriexec_removechk() in light of new strict level policies.

- Eliminate use of 'securelevel'; veriexec now behaves according to
  its strict level only.
2005-06-17 17:46:18 +00:00
elad
a3c81f769c Since NetBSD operates in securelevel -1 by default, don't rely on the
securelevel alone when checking if the veriexec tables can be modified;
also check if the strict level is above 0.
2005-06-16 15:45:48 +00:00
elad
27cb371b94 Don't allow unprivileged users to open the veriexec device.
While I'm here, explicit 'int' for 'veriexec_device_usage'.
2005-06-16 15:41:36 +00:00
christos
d1ff4d2f00 fix a printf format argument type. 2005-06-06 02:48:20 +00:00
elad
055b86e224 Don't create duplicate tables for the same device. 2005-06-03 13:21:35 +00:00
elad
a2c658e922 Add indication for number of fingerprinted files on each device.
When a table is created for a new device, a new variable is created
under the kern.veriexec.count node named "dev_<id>". For example,
dev_0, dev_3, etc.
2005-05-22 22:34:01 +00:00
elad
cd0c4134f1 Remove common code for returning supported fingerprints. This is done now
via sysctl(8) using kern.veriexec.algorithms.

Also add an entry for the 'algorithms' variable in sysctl.8 forgotten in
the last commit.
2005-05-20 19:52:52 +00:00
elad
5888b16eef Some changes in veriexec.
New features:

  - Add a veriexec_report() routine to make most reporting consistent and
    remove some common code.
  - Add 'strict' mode that controls how veriexec behaves.
  - Add sysctl knobs:
     o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
     o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
       documentation in sysctl(3) for details.
     o kern.veriexec.algorithms returns a string with a space separated
       list of supported hashing algorithms in veriexec.
  - Updated documentation in man pages for sysctl(3) and sysctl(8).

Bug fixes:

  - veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
    correctly.
  - exec_script(): Don't pass 0 as flag when executing a script; use the
    defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
    enforcement work.
  - Fix some printing formats and types..
2005-05-19 20:16:19 +00:00
blymn
8387760ed1 Rototill of the verified exec functionality.
* We now use hash tables instead of a list to store the in kernel
    fingerprints.
  * Fingerprint methods handling has been made more flexible, it is now
    even simpler to add new methods.
  * the loader no longer passes in magic numbers representing the
    fingerprint method so veriexecctl is not longer kernel specific.
  * fingerprint methods can be tailored out using options in the kernel
    config file.
  * more fingerprint methods added - rmd160, sha256/384/512
  * veriexecctl can now report the fingerprint methods supported by the
    running kernel.
  * regularised the naming of some portions of veriexec.
2005-04-20 13:44:45 +00:00
martin
b14ee41fe5 Use UIO_SYSSPACE for NDINIT. Found by Eike Dehling. 2005-04-03 17:29:15 +00:00
perry
f31bd063e9 nuke trailing whitespace 2005-02-27 00:26:58 +00:00
lukem
365cbd9428 add missing __KERNEL_RCSID() 2003-07-14 15:47:00 +00:00
fvdl
d5aece61d6 Back out the lwp/ktrace changes. They contained a lot of colateral damage,
and need to be examined and discussed more.
2003-06-29 22:28:00 +00:00
darrenr
960df3c8d1 Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
be inserted into ktrace records.  The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V
2003-06-28 14:20:43 +00:00
blymn
29b7b4241f Added support for fingerprinted executables aka verified exec 2002-10-29 12:31:20 +00:00