/* $NetBSD: kern_verifiedexec.c,v 1.99 2007/05/15 19:47:45 elad Exp $ */ /*- * Copyright (c) 2005, 2006 Elad Efrat * Copyright (c) 2005, 2006 Brett Lymn * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the authors may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include __KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.99 2007/05/15 19:47:45 elad Exp $"); #include "opt_veriexec.h" #include #include #include #include #include #include #include #include #include #include #include #include #if defined(__FreeBSD__) # include # include # include # include # include #else # include # include # include #endif #include #include #include #include #include #include #include #include MALLOC_DEFINE(M_VERIEXEC, "Veriexec", "Veriexec data-structures"); /* Readable values for veriexec_file_report(). */ #define REPORT_ALWAYS 0x01 /* Always print */ #define REPORT_VERBOSE 0x02 /* Print when verbose >= 1 */ #define REPORT_DEBUG 0x04 /* Print when verbose >= 2 (debug) */ #define REPORT_PANIC 0x08 /* Call panic() */ #define REPORT_ALARM 0x10 /* Alarm - also print pid/uid/.. */ #define REPORT_LOGMASK (REPORT_ALWAYS|REPORT_VERBOSE|REPORT_DEBUG) struct veriexec_fpops { const char *type; size_t hash_len; size_t context_size; veriexec_fpop_init_t init; veriexec_fpop_update_t update; veriexec_fpop_final_t final; LIST_ENTRY(veriexec_fpops) entries; }; /* Veriexec per-file entry data. */ struct veriexec_file_entry { u_char *filename; /* File name. */ u_char type; /* Entry type. */ u_char status; /* Evaluation status. */ u_char page_fp_status; /* Per-page FP status. */ u_char *fp; /* Fingerprint. */ void *page_fp; /* Per-page fingerprints */ size_t npages; /* Number of pages. */ size_t last_page_size; /* To support < PAGE_SIZE */ struct veriexec_fpops *ops; /* Fingerprint ops vector*/ }; /* Veriexec per-table data. */ struct veriexec_table_entry { uint64_t vte_count; /* Number of Veriexec entries. */ const struct sysctlnode *vte_node; }; static int veriexec_verbose; int veriexec_strict; static char *veriexec_fp_names; static size_t veriexec_name_max; static const struct sysctlnode *veriexec_count_node; static fileassoc_t veriexec_hook; static specificdata_key_t veriexec_mountspecific_key; static LIST_HEAD(, veriexec_fpops) veriexec_fpops_list; static int veriexec_raw_cb(kauth_cred_t, kauth_action_t, void *, void *, void *, void *, void *); static struct veriexec_fpops *veriexec_fpops_lookup(const char *); static void veriexec_file_free(struct veriexec_file_entry *); static unsigned int veriexec_tablecount = 0; /* * Sysctl helper routine for Veriexec. */ static int sysctl_kern_veriexec(SYSCTLFN_ARGS) { int newval, error; int *var = NULL, raise_only = 0; struct sysctlnode node; node = *rnode; if (strcmp(rnode->sysctl_name, "strict") == 0) { raise_only = 1; var = &veriexec_strict; } else if (strcmp(rnode->sysctl_name, "algorithms") == 0) { node.sysctl_data = veriexec_fp_names; node.sysctl_size = strlen(veriexec_fp_names) + 1; return (sysctl_lookup(SYSCTLFN_CALL(&node))); } else { return (EINVAL); } newval = *var; node.sysctl_data = &newval; error = sysctl_lookup(SYSCTLFN_CALL(&node)); if (error || newp == NULL) { return (error); } if (raise_only && (newval < *var)) return (EPERM); *var = newval; return (error); } SYSCTL_SETUP(sysctl_kern_veriexec_setup, "sysctl kern.veriexec setup") { const struct sysctlnode *rnode = NULL; sysctl_createv(clog, 0, NULL, &rnode, CTLFLAG_PERMANENT, CTLTYPE_NODE, "kern", NULL, NULL, 0, NULL, 0, CTL_KERN, CTL_EOL); sysctl_createv(clog, 0, &rnode, &rnode, CTLFLAG_PERMANENT, CTLTYPE_NODE, "veriexec", SYSCTL_DESCR("Veriexec"), NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "verbose", SYSCTL_DESCR("Veriexec verbose level"), NULL, 0, &veriexec_verbose, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "strict", SYSCTL_DESCR("Veriexec strict level"), sysctl_kern_veriexec, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT, CTLTYPE_STRING, "algorithms", SYSCTL_DESCR("Veriexec supported hashing " "algorithms"), sysctl_kern_veriexec, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, &veriexec_count_node, CTLFLAG_PERMANENT, CTLTYPE_NODE, "count", SYSCTL_DESCR("Number of fingerprints on mount(s)"), NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); } /* * Add ops to the fignerprint ops vector list. */ int veriexec_fpops_add(const char *fp_type, size_t hash_len, size_t ctx_size, veriexec_fpop_init_t init, veriexec_fpop_update_t update, veriexec_fpop_final_t final) { struct veriexec_fpops *ops; char *newp; unsigned int new_max; /* Sanity check all parameters. */ if ((fp_type == NULL) || (hash_len == 0) || (ctx_size == 0) || (init == NULL) || (update == NULL) || (final == NULL)) return (EFAULT); if (veriexec_fpops_lookup(fp_type) != NULL) return (EEXIST); ops = malloc(sizeof(*ops), M_VERIEXEC, M_WAITOK); ops->type = fp_type; ops->hash_len = hash_len; ops->context_size = ctx_size; ops->init = init; ops->update = update; ops->final = final; LIST_INSERT_HEAD(&veriexec_fpops_list, ops, entries); /* * If we don't have space for any names, allocate enough for six * which should be sufficient. (it's also enough for all algorithms * we can support at the moment) */ if (veriexec_fp_names == NULL) { veriexec_name_max = 64; veriexec_fp_names = malloc(veriexec_name_max, M_VERIEXEC, M_WAITOK|M_ZERO); } /* * If we're running out of space for storing supported algorithms, * extend the buffer with space for four names. */ while (veriexec_name_max - (strlen(veriexec_fp_names) + 1) < strlen(fp_type)) { /* Add space for four algorithm names. */ new_max = veriexec_name_max + 64; newp = realloc(veriexec_fp_names, new_max, M_VERIEXEC, M_WAITOK|M_ZERO); veriexec_fp_names = newp; veriexec_name_max = new_max; } if (*veriexec_fp_names != '\0') strlcat(veriexec_fp_names, " ", veriexec_name_max); strlcat(veriexec_fp_names, fp_type, veriexec_name_max); return (0); } static void veriexec_mountspecific_dtor(void *v) { struct veriexec_table_entry *vte = v; if (vte == NULL) { return; } sysctl_free(__UNCONST(vte->vte_node)); veriexec_tablecount--; free(vte, M_VERIEXEC); } /* * Initialise Veriexec. */ void veriexec_init(void) { int error; /* Register a fileassoc for Veriexec. */ error = fileassoc_register("veriexec", (fileassoc_cleanup_cb_t)veriexec_file_free, &veriexec_hook); if (error) panic("Veriexec: Can't register fileassoc: error=%d", error); /* Register listener to handle raw disk access. */ if (kauth_listen_scope(KAUTH_SCOPE_DEVICE, veriexec_raw_cb, NULL) == NULL) panic("Veriexec: Can't listen on device scope"); error = mount_specific_key_create(&veriexec_mountspecific_key, veriexec_mountspecific_dtor); if (error) panic("Veriexec: Can't create mountspecific key"); LIST_INIT(&veriexec_fpops_list); veriexec_fp_names = NULL; veriexec_name_max = 0; #define FPOPS_ADD(a, b, c, d, e, f) \ veriexec_fpops_add(a, b, c, (veriexec_fpop_init_t)d, \ (veriexec_fpop_update_t)e, (veriexec_fpop_final_t)f) #ifdef VERIFIED_EXEC_FP_RMD160 FPOPS_ADD("RMD160", RMD160_DIGEST_LENGTH, sizeof(RMD160_CTX), RMD160Init, RMD160Update, RMD160Final); #endif /* VERIFIED_EXEC_FP_RMD160 */ #ifdef VERIFIED_EXEC_FP_SHA256 FPOPS_ADD("SHA256", SHA256_DIGEST_LENGTH, sizeof(SHA256_CTX), SHA256_Init, SHA256_Update, SHA256_Final); #endif /* VERIFIED_EXEC_FP_SHA256 */ #ifdef VERIFIED_EXEC_FP_SHA384 FPOPS_ADD("SHA384", SHA384_DIGEST_LENGTH, sizeof(SHA384_CTX), SHA384_Init, SHA384_Update, SHA384_Final); #endif /* VERIFIED_EXEC_FP_SHA384 */ #ifdef VERIFIED_EXEC_FP_SHA512 FPOPS_ADD("SHA512", SHA512_DIGEST_LENGTH, sizeof(SHA512_CTX), SHA512_Init, SHA512_Update, SHA512_Final); #endif /* VERIFIED_EXEC_FP_SHA512 */ #ifdef VERIFIED_EXEC_FP_SHA1 FPOPS_ADD("SHA1", SHA1_DIGEST_LENGTH, sizeof(SHA1_CTX), SHA1Init, SHA1Update, SHA1Final); #endif /* VERIFIED_EXEC_FP_SHA1 */ #ifdef VERIFIED_EXEC_FP_MD5 FPOPS_ADD("MD5", MD5_DIGEST_LENGTH, sizeof(MD5_CTX), MD5Init, MD5Update, MD5Final); #endif /* VERIFIED_EXEC_FP_MD5 */ #undef FPOPS_ADD } static struct veriexec_fpops * veriexec_fpops_lookup(const char *name) { struct veriexec_fpops *ops; if (name == NULL) return (NULL); LIST_FOREACH(ops, &veriexec_fpops_list, entries) { if (strcasecmp(name, ops->type) == 0) return (ops); } return (NULL); } /* * Calculate fingerprint. Information on hash length and routines used is * extracted from veriexec_hash_list according to the hash type. */ static int veriexec_fp_calc(struct lwp *l, struct vnode *vp, struct veriexec_file_entry *vfe, u_char *fp) { struct vattr va; void *ctx, *page_ctx; u_char *buf, *page_fp; off_t offset, len; size_t resid, npages; int error, do_perpage, pagen; error = VOP_GETATTR(vp, &va, l->l_cred, l); if (error) return (error); #ifdef notyet /* XXX - for now */ if ((vfe->type & VERIEXEC_UNTRUSTED) && (vfe->page_fp_status == PAGE_FP_NONE)) do_perpage = 1; else #endif /* notyet */ do_perpage = 0; ctx = (void *) malloc(vfe->ops->context_size, M_VERIEXEC, M_WAITOK); buf = (u_char *) malloc(PAGE_SIZE, M_VERIEXEC, M_WAITOK); page_ctx = NULL; page_fp = NULL; npages = 0; if (do_perpage) { npages = (va.va_size >> PAGE_SHIFT) + 1; page_fp = (u_char *) malloc(vfe->ops->hash_len * npages, M_VERIEXEC, M_WAITOK|M_ZERO); vfe->page_fp = page_fp; page_ctx = (void *) malloc(vfe->ops->context_size, M_VERIEXEC, M_WAITOK); } (vfe->ops->init)(ctx); len = 0; error = 0; pagen = 0; for (offset = 0; offset < va.va_size; offset += PAGE_SIZE) { len = ((va.va_size - offset) < PAGE_SIZE) ? (va.va_size - offset) : PAGE_SIZE; error = vn_rdwr(UIO_READ, vp, buf, len, offset, UIO_SYSSPACE, #ifdef __FreeBSD__ IO_NODELOCKED, #else 0, #endif l->l_cred, &resid, NULL); if (error) { if (do_perpage) { free(vfe->page_fp, M_VERIEXEC); vfe->page_fp = NULL; } goto bad; } (vfe->ops->update)(ctx, buf, (unsigned int) len); if (do_perpage) { (vfe->ops->init)(page_ctx); (vfe->ops->update)(page_ctx, buf, (unsigned int)len); (vfe->ops->final)(page_fp, page_ctx); if (veriexec_verbose >= 2) { int i; printf("hash for page %d: ", pagen); for (i = 0; i < vfe->ops->hash_len; i++) printf("%02x", page_fp[i]); printf("\n"); } page_fp += vfe->ops->hash_len; pagen++; } if (len != PAGE_SIZE) break; } (vfe->ops->final)(fp, ctx); if (do_perpage) { vfe->last_page_size = len; vfe->page_fp_status = PAGE_FP_READY; vfe->npages = npages; } bad: if (do_perpage) free(page_ctx, M_VERIEXEC); free(ctx, M_VERIEXEC); free(buf, M_VERIEXEC); return (error); } /* Compare two fingerprints of the same type. */ static int veriexec_fp_cmp(struct veriexec_fpops *ops, u_char *fp1, u_char *fp2) { if (veriexec_verbose >= 2) { int i; printf("comparing hashes...\n"); printf("fp1: "); for (i = 0; i < ops->hash_len; i++) { printf("%02x", fp1[i]); } printf("\nfp2: "); for (i = 0; i < ops->hash_len; i++) { printf("%02x", fp2[i]); } printf("\n"); } return (memcmp(fp1, fp2, ops->hash_len)); } static struct veriexec_table_entry * veriexec_table_lookup(struct mount *mp) { /* XXX: From raidframe init */ if (mp == NULL) return NULL; return mount_getspecific(mp, veriexec_mountspecific_key); } static struct veriexec_file_entry * veriexec_get(struct vnode *vp) { return (fileassoc_lookup(vp, veriexec_hook)); } bool veriexec_lookup(struct vnode *vp) { return (veriexec_get(vp) == NULL ? false : true); } /* * Routine for maintaining mostly consistent message formats in Veriexec. */ static void veriexec_file_report(struct veriexec_file_entry *vfe, const u_char *msg, const u_char *filename, struct lwp *l, int f) { if (msg == NULL) return; if (vfe != NULL && vfe->filename != NULL) filename = vfe->filename; if (filename == NULL) return; if (((f & REPORT_LOGMASK) >> 1) <= veriexec_verbose) { if (!(f & REPORT_ALARM) || (l == NULL)) log(LOG_NOTICE, "Veriexec: %s [%s]\n", msg, filename); else log(LOG_ALERT, "Veriexec: %s [%s, prog=%s pid=%u, " "uid=%u, gid=%u]\n", msg, filename, l->l_proc->p_comm, l->l_proc->p_pid, kauth_cred_getuid(l->l_cred), kauth_cred_getgid(l->l_cred)); } if (f & REPORT_PANIC) panic("Veriexec: Unrecoverable error."); } /* * Verify the fingerprint of the given file. If we're called directly from * sys_execve(), 'flag' will be VERIEXEC_DIRECT. If we're called from * exec_script(), 'flag' will be VERIEXEC_INDIRECT. If we are called from * vn_open(), 'flag' will be VERIEXEC_FILE. */ static int veriexec_file_verify(struct lwp *l, struct vnode *vp, const u_char *name, int flag, struct veriexec_file_entry **vfep) { struct veriexec_file_entry *vfe; int error; if (vp->v_type != VREG) return (0); /* Lookup veriexec table entry, save pointer if requested. */ vfe = veriexec_get(vp); if (vfep != NULL) *vfep = vfe; if (vfe == NULL) goto out; /* Evaluate fingerprint if needed. */ error = 0; if ((vfe->status == FINGERPRINT_NOTEVAL) || (vfe->type & VERIEXEC_UNTRUSTED)) { u_char *digest; /* Calculate fingerprint for on-disk file. */ digest = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK | M_ZERO); error = veriexec_fp_calc(l, vp, vfe, digest); if (error) { veriexec_file_report(vfe, "Fingerprint calculation error.", name, NULL, REPORT_ALWAYS); free(digest, M_VERIEXEC); return (error); } /* Compare fingerprint with loaded data. */ if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0) vfe->status = FINGERPRINT_VALID; else vfe->status = FINGERPRINT_NOMATCH; free(digest, M_VERIEXEC); } if (!(vfe->type & flag)) { veriexec_file_report(vfe, "Incorrect access type.", name, l, REPORT_ALWAYS|REPORT_ALARM); /* IPS mode: Enforce access type. */ if (veriexec_strict >= VERIEXEC_IPS) return (EPERM); } out: /* No entry in the veriexec tables. */ if (vfe == NULL) { veriexec_file_report(NULL, "No entry.", name, l, REPORT_VERBOSE); /* * Lockdown mode: Deny access to non-monitored files. * IPS mode: Deny execution of non-monitored files. */ if ((veriexec_strict >= VERIEXEC_LOCKDOWN) || ((veriexec_strict >= VERIEXEC_IPS) && (flag != VERIEXEC_FILE))) return (EPERM); return (0); } switch (vfe->status) { case FINGERPRINT_NOTEVAL: /* Should not happen. */ veriexec_file_report(vfe, "Not-evaluated status " "post evaluation; inconsistency detected.", name, NULL, REPORT_ALWAYS|REPORT_PANIC); /*NOTREACHED*/ case FINGERPRINT_VALID: /* Valid fingerprint. */ veriexec_file_report(vfe, "Match.", name, NULL, REPORT_VERBOSE); break; case FINGERPRINT_NOMATCH: /* Fingerprint mismatch. */ veriexec_file_report(vfe, "Mismatch.", name, NULL, REPORT_ALWAYS|REPORT_ALARM); /* IDS mode: Deny access on fingerprint mismatch. */ if (veriexec_strict >= VERIEXEC_IDS) error = EPERM; break; default: /* Should never happen. */ veriexec_file_report(vfe, "Invalid status " "post evaluation.", name, NULL, REPORT_ALWAYS|REPORT_PANIC); } return (error); } int veriexec_verify(struct lwp *l, struct vnode *vp, const u_char *name, int flag, bool *found) { struct veriexec_file_entry *vfe; int r; r = veriexec_file_verify(l, vp, name, flag, &vfe); if (found != NULL) *found = (vfe != NULL) ? true : false; return (r); } #ifdef notyet /* * Evaluate per-page fingerprints. */ int veriexec_page_verify(struct veriexec_file_entry *vfe, struct vm_page *pg, size_t idx, struct lwp *l) { void *ctx; u_char *fp; u_char *page_fp; int error; vaddr_t kva; if (vfe->page_fp_status == PAGE_FP_NONE) return (0); if (vfe->page_fp_status == PAGE_FP_FAIL) return (EPERM); if (idx >= vfe->npages) return (0); ctx = malloc(vfe->ops->context_size, M_VERIEXEC, M_WAITOK); fp = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK); kva = uvm_km_alloc(kernel_map, PAGE_SIZE, 0, UVM_KMF_VAONLY | UVM_KMF_WAITVA); pmap_kenter_pa(kva, VM_PAGE_TO_PHYS(pg), VM_PROT_READ); page_fp = (u_char *) vfe->page_fp + (vfe->ops->hash_len * idx); (vfe->ops->init)(ctx); (vfe->ops->update)(ctx, (void *) kva, ((vfe->npages - 1) == idx) ? vfe->last_page_size : PAGE_SIZE); (vfe->ops->final)(fp, ctx); pmap_kremove(kva, PAGE_SIZE); uvm_km_free(kernel_map, kva, PAGE_SIZE, UVM_KMF_VAONLY); error = veriexec_fp_cmp(vfe->ops, page_fp, fp); if (error) { const char *msg; if (veriexec_strict > VERIEXEC_LEARNING) { msg = "Pages modified: Killing process."; } else { msg = "Pages modified."; error = 0; } veriexec_file_report(msg, "[page_in]", l, REPORT_ALWAYS|REPORT_ALARM); if (error) { ksiginfo_t ksi; KSI_INIT(&ksi); ksi.ksi_signo = SIGKILL; ksi.ksi_code = SI_NOINFO; ksi.ksi_pid = l->l_proc->p_pid; ksi.ksi_uid = 0; kpsignal(l->l_proc, &ksi, NULL); } } free(ctx, M_VERIEXEC); free(fp, M_VERIEXEC); return (error); } #endif /* notyet */ /* * Veriexec remove policy code. */ int veriexec_removechk(struct vnode *vp, const char *pathbuf, struct lwp *l) { struct veriexec_file_entry *vfe; vfe = veriexec_get(vp); if (vfe == NULL) { /* Lockdown mode: Deny access to non-monitored files. */ if (veriexec_strict >= VERIEXEC_LOCKDOWN) return (EPERM); return (0); } veriexec_file_report(vfe, "Remove request.", pathbuf, l, REPORT_ALWAYS|REPORT_ALARM); /* IDS mode: Deny removal of monitored files. */ if (veriexec_strict >= VERIEXEC_IDS) return (EPERM); return (veriexec_file_delete(l, vp)); } /* * Veriexe rename policy. * * XXX: Once there's a way to hook after a successful rename, it would be * XXX: nice to update vfe->filename to the new name if it's not NULL and * XXX: the new name is absolute (ie., starts with a slash). */ int veriexec_renamechk(struct vnode *fromvp, const char *fromname, struct vnode *tovp, const char *toname, struct lwp *l) { struct veriexec_file_entry *vfe, *tvfe; if (veriexec_strict >= VERIEXEC_LOCKDOWN) { log(LOG_ALERT, "Veriexec: Preventing rename of `%s' to " "`%s', uid=%u, pid=%u: Lockdown mode.\n", fromname, toname, kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid); return (EPERM); } vfe = veriexec_get(fromvp); tvfe = NULL; if (tovp != NULL) tvfe = veriexec_get(tovp); if ((vfe != NULL) || (tvfe != NULL)) { if (veriexec_strict >= VERIEXEC_IPS) { log(LOG_ALERT, "Veriexec: Preventing rename of `%s' " "to `%s', uid=%u, pid=%u: IPS mode, %s " "monitored.\n", fromname, toname, kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid, (vfe != NULL && tvfe != NULL) ? "files" : "file"); return (EPERM); } /* * Monitored file is renamed; filename no longer relevant. * * XXX: We could keep the buffer, and when (and if) updating the * XXX: filename post-rename, re-allocate it only if it's not * XXX: big enough for the new filename. */ if (vfe != NULL) { free(vfe->filename, M_VERIEXEC); vfe->filename = NULL; } /* * Monitored file is overwritten. Remove the entry. */ if (tvfe != NULL) (void)veriexec_file_delete(l, tovp); log(LOG_NOTICE, "Veriexec: %s file `%s' renamed to " "%s file `%s', uid=%u, pid=%u.\n", (vfe != NULL) ? "Monitored" : "Non-monitored", fromname, (tvfe != NULL) ? "monitored" : "non-monitored", toname, kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid); } return (0); } static void veriexec_file_free(struct veriexec_file_entry *vfe) { if (vfe != NULL) { if (vfe->fp != NULL) free(vfe->fp, M_VERIEXEC); if (vfe->page_fp != NULL) free(vfe->page_fp, M_VERIEXEC); if (vfe->filename != NULL) free(vfe->filename, M_VERIEXEC); free(vfe, M_VERIEXEC); } } static void veriexec_file_purge(struct veriexec_file_entry *vfe) { if (vfe == NULL) return; vfe->status = FINGERPRINT_NOTEVAL; } static void veriexec_file_purge_cb(struct veriexec_file_entry *vfe, void *cookie) { veriexec_file_purge(vfe); } /* * Invalidate a Veriexec file entry. * XXX: This should be updated when per-page fingerprints are added. */ void veriexec_purge(struct vnode *vp) { veriexec_file_purge(veriexec_get(vp)); } /* * Enforce raw disk access policy. * * IDS mode: Invalidate fingerprints on a mount if it's opened for writing. * IPS mode: Don't allow raw writing to disks we monitor. * Lockdown mode: Don't allow raw writing to all disks. * * XXX: This is bogus. There's an obvious race condition between the time * XXX: the disk is open for writing, in which an attacker can access a * XXX: monitored file to get its signature cached again, and when the raw * XXX: file is overwritten on disk. * XXX: * XXX: To solve this, we need something like the following: * XXX: open raw disk: * XXX: - raise refcount, * XXX: - invalidate fingerprints, * XXX: - mark all entries for that disk with "no cache" flag * XXX: * XXX: veriexec_verify: * XXX: - if "no cache", don't cache evaluation result * XXX: * XXX: close raw disk: * XXX: - lower refcount, * XXX: - if refcount == 0, remove "no cache" flag from all entries */ static int veriexec_raw_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result; enum kauth_device_req req; struct veriexec_table_entry *vte; result = KAUTH_RESULT_DENY; req = (enum kauth_device_req)arg0; switch (action) { case KAUTH_DEVICE_RAWIO_SPEC: { struct vnode *vp, *bvp; dev_t dev; int d_type; if (req == KAUTH_REQ_DEVICE_RAWIO_SPEC_READ) { result = KAUTH_RESULT_DEFER; break; } vp = arg1; KASSERT(vp != NULL); dev = vp->v_un.vu_specinfo->si_rdev; d_type = D_OTHER; bvp = NULL; /* Handle /dev/mem and /dev/kmem. */ if ((vp->v_type == VCHR) && iskmemdev(dev)) { if (veriexec_strict < VERIEXEC_IPS) result = KAUTH_RESULT_DEFER; break; } switch (vp->v_type) { case VCHR: { const struct cdevsw *cdev; cdev = cdevsw_lookup(dev); if (cdev != NULL) { dev_t blkdev; blkdev = devsw_chr2blk(dev); if (blkdev != NODEV) { vfinddev(blkdev, VBLK, &bvp); if (bvp != NULL) d_type = cdev->d_type; } } break; } case VBLK: { const struct bdevsw *bdev; bdev = bdevsw_lookup(dev); if (bdev != NULL) d_type = bdev->d_type; bvp = vp; break; } default: result = KAUTH_RESULT_DEFER; break; } if (d_type != D_DISK) { result = KAUTH_RESULT_DEFER; break; } /* * XXX: See vfs_mountedon() comment in secmodel/bsd44. */ vte = veriexec_table_lookup(bvp->v_mount); if (vte == NULL) { result = KAUTH_RESULT_DEFER; break; } switch (veriexec_strict) { case VERIEXEC_LEARNING: case VERIEXEC_IDS: result = KAUTH_RESULT_DEFER; fileassoc_table_run(bvp->v_mount, veriexec_hook, (fileassoc_cb_t)veriexec_file_purge_cb, NULL); break; case VERIEXEC_IPS: result = KAUTH_RESULT_DENY; break; case VERIEXEC_LOCKDOWN: result = KAUTH_RESULT_DENY; break; } break; } case KAUTH_DEVICE_RAWIO_PASSTHRU: /* XXX What can we do here? */ if (veriexec_strict < VERIEXEC_IPS) result = KAUTH_RESULT_DEFER; break; default: result = KAUTH_RESULT_DEFER; break; } return (result); } /* * Create a new Veriexec table. */ static struct veriexec_table_entry * veriexec_table_add(struct lwp *l, struct mount *mp) { struct veriexec_table_entry *vte; u_char buf[16]; vte = malloc(sizeof(*vte), M_VERIEXEC, M_WAITOK | M_ZERO); mount_setspecific(mp, veriexec_mountspecific_key, vte); snprintf(buf, sizeof(buf), "table%u", veriexec_tablecount++); sysctl_createv(NULL, 0, &veriexec_count_node, &vte->vte_node, 0, CTLTYPE_NODE, buf, NULL, NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(NULL, 0, &vte->vte_node, NULL, CTLFLAG_READONLY, CTLTYPE_STRING, "mntpt", NULL, NULL, 0, mp->mnt_stat.f_mntonname, 0, CTL_CREATE, CTL_EOL); sysctl_createv(NULL, 0, &vte->vte_node, NULL, CTLFLAG_READONLY, CTLTYPE_STRING, "fstype", NULL, NULL, 0, mp->mnt_stat.f_fstypename, 0, CTL_CREATE, CTL_EOL); sysctl_createv(NULL, 0, &vte->vte_node, NULL, CTLFLAG_READONLY, CTLTYPE_QUAD, "nentries", NULL, NULL, 0, &vte->vte_count, 0, CTL_CREATE, CTL_EOL); return (vte); } /* * Add a file to be monitored by Veriexec. * * Expected elements in dict: file, fp, fp-type, entry-type. */ int veriexec_file_add(struct lwp *l, prop_dictionary_t dict) { struct veriexec_table_entry *vte; struct veriexec_file_entry *vfe = NULL, *hh; struct nameidata nid; const char *file, *fp_type; int error; file = prop_string_cstring_nocopy(prop_dictionary_get(dict, "file")); NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, file, l); error = namei(&nid); if (error) return (error); /* Add only regular files. */ if (nid.ni_vp->v_type != VREG) { log(LOG_ERR, "Veriexec: Not adding `%s': Not a regular file.\n", file); error = EBADF; goto out; } vfe = malloc(sizeof(*vfe), M_VERIEXEC, M_WAITOK | M_ZERO); /* Lookup fingerprint hashing algorithm. */ fp_type = prop_string_cstring_nocopy(prop_dictionary_get(dict, "fp-type")); if ((vfe->ops = veriexec_fpops_lookup(fp_type)) == NULL) { log(LOG_ERR, "Veriexec: Invalid or unknown fingerprint type " "`%s' for file `%s'.\n", fp_type, file); error = EOPNOTSUPP; goto out; } if (prop_data_size(prop_dictionary_get(dict, "fp")) != vfe->ops->hash_len) { log(LOG_ERR, "Veriexec: Bad fingerprint length for `%s'.\n", file); error = EINVAL; goto out; } vfe->fp = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK); memcpy(vfe->fp, prop_data_data_nocopy(prop_dictionary_get(dict, "fp")), vfe->ops->hash_len); /* * See if we already have an entry for this file. If we do, then * let the user know and silently pretend to succeed. */ hh = veriexec_get(nid.ni_vp); if (hh != NULL) { bool fp_mismatch; if (strcmp(vfe->ops->type, fp_type) || memcmp(hh->fp, vfe->fp, hh->ops->hash_len)) fp_mismatch = true; else fp_mismatch = false; if ((veriexec_verbose >= 1) || fp_mismatch) log(LOG_NOTICE, "Veriexec: Duplicate entry for `%s' " "ignored. (%s fingerprint)\n", file, fp_mismatch ? "different" : "same"); veriexec_file_free(vfe); /* XXX Should this be EEXIST if fp_mismatch is true? */ error = 0; goto out; } /* Continue entry initialization. */ if (prop_dictionary_get_uint8(dict, "entry-type", &vfe->type) == FALSE) vfe->type = 0; else { uint8_t extra_flags; extra_flags = vfe->type & ~(VERIEXEC_DIRECT | VERIEXEC_INDIRECT | VERIEXEC_FILE | VERIEXEC_UNTRUSTED); if (extra_flags) { log(LOG_NOTICE, "Veriexec: Contaminated flags `0x%x' " "for `%s', skipping.\n", extra_flags, file); error = EINVAL; goto out; } } if (!(vfe->type & (VERIEXEC_DIRECT | VERIEXEC_INDIRECT | VERIEXEC_FILE))) vfe->type |= VERIEXEC_DIRECT; vfe->status = FINGERPRINT_NOTEVAL; if (prop_bool_true(prop_dictionary_get(dict, "keep-filename"))) { size_t len; len = strlen(file) + 1; vfe->filename = malloc(len, M_VERIEXEC, M_WAITOK); strlcpy(vfe->filename, file, len); } else vfe->filename = NULL; vfe->page_fp = NULL; vfe->page_fp_status = PAGE_FP_NONE; vfe->npages = 0; vfe->last_page_size = 0; vte = veriexec_table_lookup(nid.ni_vp->v_mount); if (vte == NULL) vte = veriexec_table_add(l, nid.ni_vp->v_mount); /* XXX if we bail below this, we might want to gc newly created vtes. */ error = fileassoc_add(nid.ni_vp, veriexec_hook, vfe); if (error) goto out; vte->vte_count++; if (prop_bool_true(prop_dictionary_get(dict, "eval-on-load")) || (vfe->type & VERIEXEC_UNTRUSTED)) { u_char *digest; digest = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK | M_ZERO); error = veriexec_fp_calc(l, nid.ni_vp, vfe, digest); if (error) { free(digest, M_VERIEXEC); goto out; } if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0) vfe->status = FINGERPRINT_VALID; else vfe->status = FINGERPRINT_NOMATCH; free(digest, M_VERIEXEC); } veriexec_file_report(NULL, "New entry.", file, NULL, REPORT_DEBUG); out: vrele(nid.ni_vp); if (error) veriexec_file_free(vfe); return (error); } int veriexec_table_delete(struct lwp *l, struct mount *mp) { struct veriexec_table_entry *vte; vte = veriexec_table_lookup(mp); if (vte == NULL) return (ENOENT); veriexec_mountspecific_dtor(vte); mount_setspecific(mp, veriexec_mountspecific_key, NULL); return (fileassoc_table_clear(mp, veriexec_hook)); } int veriexec_file_delete(struct lwp *l, struct vnode *vp) { struct veriexec_table_entry *vte; int error; vte = veriexec_table_lookup(vp->v_mount); if (vte == NULL) return (ENOENT); error = fileassoc_clear(vp, veriexec_hook); if (!error) vte->vte_count--; return (error); } /* * Convert Veriexec entry data to a dictionary readable by userland tools. */ static void veriexec_file_convert(struct veriexec_file_entry *vfe, prop_dictionary_t rdict) { if (vfe->filename) prop_dictionary_set(rdict, "file", prop_string_create_cstring(vfe->filename)); prop_dictionary_set_uint8(rdict, "entry-type", vfe->type); prop_dictionary_set_uint8(rdict, "status", vfe->status); prop_dictionary_set(rdict, "fp-type", prop_string_create_cstring(vfe->ops->type)); prop_dictionary_set(rdict, "fp", prop_data_create_data(vfe->fp, vfe->ops->hash_len)); } int veriexec_convert(struct vnode *vp, prop_dictionary_t rdict) { struct veriexec_file_entry *vfe; vfe = veriexec_get(vp); if (vfe == NULL) return (ENOENT); veriexec_file_convert(vfe, rdict); return (0); } int veriexec_unmountchk(struct mount *mp) { int error; if (doing_shutdown) return (0); switch (veriexec_strict) { case VERIEXEC_LEARNING: error = 0; break; case VERIEXEC_IDS: if (veriexec_table_lookup(mp) != NULL) { log(LOG_INFO, "Veriexec: IDS mode, allowing unmount " "of \"%s\".\n", mp->mnt_stat.f_mntonname); } error = 0; break; case VERIEXEC_IPS: { struct veriexec_table_entry *vte; vte = veriexec_table_lookup(mp); if ((vte != NULL) && (vte->vte_count > 0)) { log(LOG_ALERT, "Veriexec: IPS mode, preventing" " unmount of \"%s\" with monitored files.\n", mp->mnt_stat.f_mntonname); error = EPERM; } else error = 0; break; } case VERIEXEC_LOCKDOWN: default: log(LOG_ALERT, "Veriexec: Lockdown mode, preventing unmount " "of \"%s\".\n", mp->mnt_stat.f_mntonname); error = EPERM; break; } return (error); } int veriexec_openchk(struct lwp *l, struct vnode *vp, const char *path, int fmode) { struct veriexec_file_entry *vfe = NULL; int error = 0; if (vp == NULL) { /* If no creation requested, let this fail normally. */ if (!(fmode & O_CREAT)) goto out; /* Lockdown mode: Prevent creation of new files. */ if (veriexec_strict >= VERIEXEC_LOCKDOWN) { log(LOG_ALERT, "Veriexec: Preventing new file " "creation in `%s'.\n", path); error = EPERM; } goto out; } error = veriexec_file_verify(l, vp, path, VERIEXEC_FILE, &vfe); if (error) goto out; if ((vfe != NULL) && ((fmode & FWRITE) || (fmode & O_TRUNC))) { veriexec_file_report(vfe, "Write access request.", path, l, REPORT_ALWAYS | REPORT_ALARM); /* IPS mode: Deny write access to monitored files. */ if (veriexec_strict >= VERIEXEC_IPS) error = EPERM; else veriexec_file_purge(vfe); } out: return (error); } static void veriexec_file_dump(struct veriexec_file_entry *vfe, prop_array_t entries) { prop_dictionary_t entry; /* If we don't have a filename, this is meaningless. */ if (vfe->filename == NULL) return; entry = prop_dictionary_create(); veriexec_file_convert(vfe, entry); prop_array_add(entries, entry); } int veriexec_dump(struct lwp *l, prop_array_t rarray) { struct mount *mp; CIRCLEQ_FOREACH(mp, &mountlist, mnt_list) { fileassoc_table_run(mp, veriexec_hook, (fileassoc_cb_t)veriexec_file_dump, rarray); } return (0); } int veriexec_flush(struct lwp *l) { struct mount *mp; int error = 0; CIRCLEQ_FOREACH(mp, &mountlist, mnt_list) { int lerror; lerror = veriexec_table_delete(l, mp); if (lerror && lerror != ENOENT) error = lerror; } return (error); }