Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6700cfccd6
NetBSD/sys/kern/kern_verifiedexec.c
elad 6700cfccd6 Some Veriexec stuff that's been rotting in my tree for months. 
Bug fixes:
  - Fix crash reported by Scott Ellis on current-users@.

  - Fix race conditions in enforcing the Veriexec rename and remove
    policies. These are NOT security issues.

  - Fix memory leak in rename handling when overwriting a monitored
    file.

  - Fix table deletion logic.

  - Don't prevent query requests if not in learning mode.


KPI updates:
  - fileassoc_table_run() now takes a cookie to pass to the callback.

  - veriexec_table_add() was removed, it is now done internally. As a
    result, there's no longer a need for VERIEXEC_TABLESIZE.

  - veriexec_report() was removed, it is now internal.

  - Perform sanity checks on the entry type, and enforce default type
    in veriexec_file_add() rather than in veriexecctl.

  - Add veriexec_flush(), used to delete all Veriexec tables, and
    veriexec_dump(), used to fill an array with all Veriexec entries.


New features:
  - Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
    database. This allows Veriexec to produce slightly more accurate
    logs under certain circumstances. In the future, this can be either
    replaced by vnode->pathname translation, or combined with it.

  - Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
    This can be used to recover a database if the file was lost.
    Example usage:

        # veriexecctl dump > /etc/signatures

    Note that only entries with the filename kept (that is, were loaded
    with the '-k' flag) will be dumped.

    Idea from Brett Lymn.

  - Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
    usage:

        # veriexecctl flush

  - Add a 'veriexec_flags' rc(8) variable, and make its default have
    the '-k' flag. On systems using the default signatures file
    (generaetd from running 'veriexecgen' with no arguments), this will
    use additional 32kb of kernel memory on average.

  - Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
    load. This is done automatically for files marked as 'untrusted'.


Misc. stuff:
  - The code for veriexecctl was massively simplified as a result of
    eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
    pass of the signatures file, making the loading somewhat faster.

  - Lots of minor fixes found using the (still under development)
    Veriexec regression testsuite.

  - Some of the messages Veriexec prints were improved.

  - Various documentation fixes.


All relevant man-pages were updated to reflect the above changes.

Binary compatibility with existing veriexecctl binaries is maintained.
2007-05-15 19:47:43 +00:00

1422 lines
34 KiB
C
Raw Blame History

/* $NetBSD: kern_verifiedexec.c,v 1.99 2007/05/15 19:47:45 elad Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
* Copyright (c) 2005, 2006 Brett Lymn <blymn@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the authors may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.99 2007/05/15 19:47:45 elad Exp $");
#include "opt_veriexec.h"
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/namei.h>
#include <sys/exec.h>
#include <sys/once.h>
#include <sys/proc.h>
#include <sys/syslog.h>
#include <sys/sysctl.h>
#include <sys/inttypes.h>
#include <sys/verified_exec.h>
#if defined(__FreeBSD__)
# include <sys/systm.h>
# include <sys/imgact.h>
# include <crypto/sha1.h>
# include <crypto/sha2/sha2.h>
# include <crypto/ripemd160/rmd160.h>
#else
# include <sys/sha1.h>
# include <sys/sha2.h>
# include <sys/rmd160.h>
#endif
#include <sys/md5.h>
#include <uvm/uvm_extern.h>
#include <sys/fileassoc.h>
#include <sys/kauth.h>
#include <sys/conf.h>
#include <miscfs/specfs/specdev.h>
#include <prop/proplib.h>
#include <sys/fcntl.h>
MALLOC_DEFINE(M_VERIEXEC, "Veriexec", "Veriexec data-structures");
/* Readable values for veriexec_file_report(). */
#define REPORT_ALWAYS 0x01 /* Always print */
#define REPORT_VERBOSE 0x02 /* Print when verbose >= 1 */
#define REPORT_DEBUG 0x04 /* Print when verbose >= 2 (debug) */
#define REPORT_PANIC 0x08 /* Call panic() */
#define REPORT_ALARM 0x10 /* Alarm - also print pid/uid/.. */
#define REPORT_LOGMASK (REPORT_ALWAYS|REPORT_VERBOSE|REPORT_DEBUG)
struct veriexec_fpops {
const char *type;
size_t hash_len;
size_t context_size;
veriexec_fpop_init_t init;
veriexec_fpop_update_t update;
veriexec_fpop_final_t final;
LIST_ENTRY(veriexec_fpops) entries;
};
/* Veriexec per-file entry data. */
struct veriexec_file_entry {
u_char *filename; /* File name. */
u_char type; /* Entry type. */
u_char status; /* Evaluation status. */
u_char page_fp_status; /* Per-page FP status. */
u_char *fp; /* Fingerprint. */
void *page_fp; /* Per-page fingerprints */
size_t npages; /* Number of pages. */
size_t last_page_size; /* To support < PAGE_SIZE */
struct veriexec_fpops *ops; /* Fingerprint ops vector*/
};
/* Veriexec per-table data. */
struct veriexec_table_entry {
uint64_t vte_count; /* Number of Veriexec entries. */
const struct sysctlnode *vte_node;
};
static int veriexec_verbose;
int veriexec_strict;
static char *veriexec_fp_names;
static size_t veriexec_name_max;
static const struct sysctlnode *veriexec_count_node;
static fileassoc_t veriexec_hook;
static specificdata_key_t veriexec_mountspecific_key;
static LIST_HEAD(, veriexec_fpops) veriexec_fpops_list;
static int veriexec_raw_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
static struct veriexec_fpops *veriexec_fpops_lookup(const char *);
static void veriexec_file_free(struct veriexec_file_entry *);
static unsigned int veriexec_tablecount = 0;
/*
* Sysctl helper routine for Veriexec.
*/
static int
sysctl_kern_veriexec(SYSCTLFN_ARGS)
{
int newval, error;
int *var = NULL, raise_only = 0;
struct sysctlnode node;
node = *rnode;
if (strcmp(rnode->sysctl_name, "strict") == 0) {
raise_only = 1;
var = &veriexec_strict;
} else if (strcmp(rnode->sysctl_name, "algorithms") == 0) {
node.sysctl_data = veriexec_fp_names;
node.sysctl_size = strlen(veriexec_fp_names) + 1;
return (sysctl_lookup(SYSCTLFN_CALL(&node)));
} else {
return (EINVAL);
}
newval = *var;
node.sysctl_data = &newval;
error = sysctl_lookup(SYSCTLFN_CALL(&node));
if (error || newp == NULL) {
return (error);
}
if (raise_only && (newval < *var))
return (EPERM);
*var = newval;
return (error);
}
SYSCTL_SETUP(sysctl_kern_veriexec_setup, "sysctl kern.veriexec setup")
{
const struct sysctlnode *rnode = NULL;
sysctl_createv(clog, 0, NULL, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "kern", NULL,
NULL, 0, NULL, 0,
CTL_KERN, CTL_EOL);
sysctl_createv(clog, 0, &rnode, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "veriexec",
SYSCTL_DESCR("Veriexec"),
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "verbose",
SYSCTL_DESCR("Veriexec verbose level"),
NULL, 0, &veriexec_verbose, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "strict",
SYSCTL_DESCR("Veriexec strict level"),
sysctl_kern_veriexec, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT,
CTLTYPE_STRING, "algorithms",
SYSCTL_DESCR("Veriexec supported hashing "
"algorithms"),
sysctl_kern_veriexec, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, &veriexec_count_node,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "count",
SYSCTL_DESCR("Number of fingerprints on mount(s)"),
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
}
/*
* Add ops to the fignerprint ops vector list.
*/
int
veriexec_fpops_add(const char *fp_type, size_t hash_len, size_t ctx_size,
veriexec_fpop_init_t init, veriexec_fpop_update_t update,
veriexec_fpop_final_t final)
{
struct veriexec_fpops *ops;
char *newp;
unsigned int new_max;
/* Sanity check all parameters. */
if ((fp_type == NULL) || (hash_len == 0) || (ctx_size == 0) ||
(init == NULL) || (update == NULL) || (final == NULL))
return (EFAULT);
if (veriexec_fpops_lookup(fp_type) != NULL)
return (EEXIST);
ops = malloc(sizeof(*ops), M_VERIEXEC, M_WAITOK);
ops->type = fp_type;
ops->hash_len = hash_len;
ops->context_size = ctx_size;
ops->init = init;
ops->update = update;
ops->final = final;
LIST_INSERT_HEAD(&veriexec_fpops_list, ops, entries);
/*
* If we don't have space for any names, allocate enough for six
* which should be sufficient. (it's also enough for all algorithms
* we can support at the moment)
*/
if (veriexec_fp_names == NULL) {
veriexec_name_max = 64;
veriexec_fp_names = malloc(veriexec_name_max, M_VERIEXEC,
M_WAITOK|M_ZERO);
}
/*
* If we're running out of space for storing supported algorithms,
* extend the buffer with space for four names.
*/
while (veriexec_name_max - (strlen(veriexec_fp_names) + 1) <
strlen(fp_type)) {
/* Add space for four algorithm names. */
new_max = veriexec_name_max + 64;
newp = realloc(veriexec_fp_names, new_max, M_VERIEXEC,
M_WAITOK|M_ZERO);
veriexec_fp_names = newp;
veriexec_name_max = new_max;
}
if (*veriexec_fp_names != '\0')
strlcat(veriexec_fp_names, " ", veriexec_name_max);
strlcat(veriexec_fp_names, fp_type, veriexec_name_max);
return (0);
}
static void
veriexec_mountspecific_dtor(void *v)
{
struct veriexec_table_entry *vte = v;
if (vte == NULL) {
return;
}
sysctl_free(__UNCONST(vte->vte_node));
veriexec_tablecount--;
free(vte, M_VERIEXEC);
}
/*
* Initialise Veriexec.
*/
void
veriexec_init(void)
{
int error;
/* Register a fileassoc for Veriexec. */
error = fileassoc_register("veriexec",
(fileassoc_cleanup_cb_t)veriexec_file_free, &veriexec_hook);
if (error)
panic("Veriexec: Can't register fileassoc: error=%d", error);
/* Register listener to handle raw disk access. */
if (kauth_listen_scope(KAUTH_SCOPE_DEVICE, veriexec_raw_cb, NULL) ==
NULL)
panic("Veriexec: Can't listen on device scope");
error = mount_specific_key_create(&veriexec_mountspecific_key,
veriexec_mountspecific_dtor);
if (error)
panic("Veriexec: Can't create mountspecific key");
LIST_INIT(&veriexec_fpops_list);
veriexec_fp_names = NULL;
veriexec_name_max = 0;
#define FPOPS_ADD(a, b, c, d, e, f) \
veriexec_fpops_add(a, b, c, (veriexec_fpop_init_t)d, \
(veriexec_fpop_update_t)e, (veriexec_fpop_final_t)f)
#ifdef VERIFIED_EXEC_FP_RMD160
FPOPS_ADD("RMD160", RMD160_DIGEST_LENGTH, sizeof(RMD160_CTX),
RMD160Init, RMD160Update, RMD160Final);
#endif /* VERIFIED_EXEC_FP_RMD160 */
#ifdef VERIFIED_EXEC_FP_SHA256
FPOPS_ADD("SHA256", SHA256_DIGEST_LENGTH, sizeof(SHA256_CTX),
SHA256_Init, SHA256_Update, SHA256_Final);
#endif /* VERIFIED_EXEC_FP_SHA256 */
#ifdef VERIFIED_EXEC_FP_SHA384
FPOPS_ADD("SHA384", SHA384_DIGEST_LENGTH, sizeof(SHA384_CTX),
SHA384_Init, SHA384_Update, SHA384_Final);
#endif /* VERIFIED_EXEC_FP_SHA384 */
#ifdef VERIFIED_EXEC_FP_SHA512
FPOPS_ADD("SHA512", SHA512_DIGEST_LENGTH, sizeof(SHA512_CTX),
SHA512_Init, SHA512_Update, SHA512_Final);
#endif /* VERIFIED_EXEC_FP_SHA512 */
#ifdef VERIFIED_EXEC_FP_SHA1
FPOPS_ADD("SHA1", SHA1_DIGEST_LENGTH, sizeof(SHA1_CTX),
SHA1Init, SHA1Update, SHA1Final);
#endif /* VERIFIED_EXEC_FP_SHA1 */
#ifdef VERIFIED_EXEC_FP_MD5
FPOPS_ADD("MD5", MD5_DIGEST_LENGTH, sizeof(MD5_CTX),
MD5Init, MD5Update, MD5Final);
#endif /* VERIFIED_EXEC_FP_MD5 */
#undef FPOPS_ADD
}
static struct veriexec_fpops *
veriexec_fpops_lookup(const char *name)
{
struct veriexec_fpops *ops;
if (name == NULL)
return (NULL);
LIST_FOREACH(ops, &veriexec_fpops_list, entries) {
if (strcasecmp(name, ops->type) == 0)
return (ops);
}
return (NULL);
}
/*
* Calculate fingerprint. Information on hash length and routines used is
* extracted from veriexec_hash_list according to the hash type.
*/
static int
veriexec_fp_calc(struct lwp *l, struct vnode *vp,
struct veriexec_file_entry *vfe, u_char *fp)
{
struct vattr va;
void *ctx, *page_ctx;
u_char *buf, *page_fp;
off_t offset, len;
size_t resid, npages;
int error, do_perpage, pagen;
error = VOP_GETATTR(vp, &va, l->l_cred, l);
if (error)
return (error);
#ifdef notyet /* XXX - for now */
if ((vfe->type & VERIEXEC_UNTRUSTED) &&
(vfe->page_fp_status == PAGE_FP_NONE))
do_perpage = 1;
else
#endif /* notyet */
do_perpage = 0;
ctx = (void *) malloc(vfe->ops->context_size, M_VERIEXEC, M_WAITOK);
buf = (u_char *) malloc(PAGE_SIZE, M_VERIEXEC, M_WAITOK);
page_ctx = NULL;
page_fp = NULL;
npages = 0;
if (do_perpage) {
npages = (va.va_size >> PAGE_SHIFT) + 1;
page_fp = (u_char *) malloc(vfe->ops->hash_len * npages,
M_VERIEXEC, M_WAITOK|M_ZERO);
vfe->page_fp = page_fp;
page_ctx = (void *) malloc(vfe->ops->context_size, M_VERIEXEC,
M_WAITOK);
}
(vfe->ops->init)(ctx);
len = 0;
error = 0;
pagen = 0;
for (offset = 0; offset < va.va_size; offset += PAGE_SIZE) {
len = ((va.va_size - offset) < PAGE_SIZE) ?
(va.va_size - offset) : PAGE_SIZE;
error = vn_rdwr(UIO_READ, vp, buf, len, offset,
UIO_SYSSPACE,
#ifdef __FreeBSD__
IO_NODELOCKED,
#else
0,
#endif
l->l_cred, &resid, NULL);
if (error) {
if (do_perpage) {
free(vfe->page_fp, M_VERIEXEC);
vfe->page_fp = NULL;
}
goto bad;
}
(vfe->ops->update)(ctx, buf, (unsigned int) len);
if (do_perpage) {
(vfe->ops->init)(page_ctx);
(vfe->ops->update)(page_ctx, buf, (unsigned int)len);
(vfe->ops->final)(page_fp, page_ctx);
if (veriexec_verbose >= 2) {
int i;
printf("hash for page %d: ", pagen);
for (i = 0; i < vfe->ops->hash_len; i++)
printf("%02x", page_fp[i]);
printf("\n");
}
page_fp += vfe->ops->hash_len;
pagen++;
}
if (len != PAGE_SIZE)
break;
}
(vfe->ops->final)(fp, ctx);
if (do_perpage) {
vfe->last_page_size = len;
vfe->page_fp_status = PAGE_FP_READY;
vfe->npages = npages;
}
bad:
if (do_perpage)
free(page_ctx, M_VERIEXEC);
free(ctx, M_VERIEXEC);
free(buf, M_VERIEXEC);
return (error);
}
/* Compare two fingerprints of the same type. */
static int
veriexec_fp_cmp(struct veriexec_fpops *ops, u_char *fp1, u_char *fp2)
{
if (veriexec_verbose >= 2) {
int i;
printf("comparing hashes...\n");
printf("fp1: ");
for (i = 0; i < ops->hash_len; i++) {
printf("%02x", fp1[i]);
}
printf("\nfp2: ");
for (i = 0; i < ops->hash_len; i++) {
printf("%02x", fp2[i]);
}
printf("\n");
}
return (memcmp(fp1, fp2, ops->hash_len));
}
static struct veriexec_table_entry *
veriexec_table_lookup(struct mount *mp)
{
/* XXX: From raidframe init */
if (mp == NULL)
return NULL;
return mount_getspecific(mp, veriexec_mountspecific_key);
}
static struct veriexec_file_entry *
veriexec_get(struct vnode *vp)
{
return (fileassoc_lookup(vp, veriexec_hook));
}
bool
veriexec_lookup(struct vnode *vp)
{
return (veriexec_get(vp) == NULL ? false : true);
}
/*
* Routine for maintaining mostly consistent message formats in Veriexec.
*/
static void
veriexec_file_report(struct veriexec_file_entry *vfe, const u_char *msg,
const u_char *filename, struct lwp *l, int f)
{
if (msg == NULL)
return;
if (vfe != NULL && vfe->filename != NULL)
filename = vfe->filename;
if (filename == NULL)
return;
if (((f & REPORT_LOGMASK) >> 1) <= veriexec_verbose) {
if (!(f & REPORT_ALARM) || (l == NULL))
log(LOG_NOTICE, "Veriexec: %s [%s]\n", msg,
filename);
else
log(LOG_ALERT, "Veriexec: %s [%s, prog=%s pid=%u, "
"uid=%u, gid=%u]\n", msg, filename,
l->l_proc->p_comm, l->l_proc->p_pid,
kauth_cred_getuid(l->l_cred),
kauth_cred_getgid(l->l_cred));
}
if (f & REPORT_PANIC)
panic("Veriexec: Unrecoverable error.");
}
/*
* Verify the fingerprint of the given file. If we're called directly from
* sys_execve(), 'flag' will be VERIEXEC_DIRECT. If we're called from
* exec_script(), 'flag' will be VERIEXEC_INDIRECT. If we are called from
* vn_open(), 'flag' will be VERIEXEC_FILE.
*/
static int
veriexec_file_verify(struct lwp *l, struct vnode *vp, const u_char *name, int flag,
struct veriexec_file_entry **vfep)
{
struct veriexec_file_entry *vfe;
int error;
if (vp->v_type != VREG)
return (0);
/* Lookup veriexec table entry, save pointer if requested. */
vfe = veriexec_get(vp);
if (vfep != NULL)
*vfep = vfe;
if (vfe == NULL)
goto out;
/* Evaluate fingerprint if needed. */
error = 0;
if ((vfe->status == FINGERPRINT_NOTEVAL) ||
(vfe->type & VERIEXEC_UNTRUSTED)) {
u_char *digest;
/* Calculate fingerprint for on-disk file. */
digest = malloc(vfe->ops->hash_len, M_VERIEXEC,
M_WAITOK | M_ZERO);
error = veriexec_fp_calc(l, vp, vfe, digest);
if (error) {
veriexec_file_report(vfe, "Fingerprint calculation error.",
name, NULL, REPORT_ALWAYS);
free(digest, M_VERIEXEC);
return (error);
}
/* Compare fingerprint with loaded data. */
if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0)
vfe->status = FINGERPRINT_VALID;
else
vfe->status = FINGERPRINT_NOMATCH;
free(digest, M_VERIEXEC);
}
if (!(vfe->type & flag)) {
veriexec_file_report(vfe, "Incorrect access type.", name, l,
REPORT_ALWAYS|REPORT_ALARM);
/* IPS mode: Enforce access type. */
if (veriexec_strict >= VERIEXEC_IPS)
return (EPERM);
}
out:
/* No entry in the veriexec tables. */
if (vfe == NULL) {
veriexec_file_report(NULL, "No entry.", name,
l, REPORT_VERBOSE);
/*
* Lockdown mode: Deny access to non-monitored files.
* IPS mode: Deny execution of non-monitored files.
*/
if ((veriexec_strict >= VERIEXEC_LOCKDOWN) ||
((veriexec_strict >= VERIEXEC_IPS) &&
(flag != VERIEXEC_FILE)))
return (EPERM);
return (0);
}
switch (vfe->status) {
case FINGERPRINT_NOTEVAL:
/* Should not happen. */
veriexec_file_report(vfe, "Not-evaluated status "
"post evaluation; inconsistency detected.", name,
NULL, REPORT_ALWAYS|REPORT_PANIC);
/*NOTREACHED*/
case FINGERPRINT_VALID:
/* Valid fingerprint. */
veriexec_file_report(vfe, "Match.", name, NULL,
REPORT_VERBOSE);
break;
case FINGERPRINT_NOMATCH:
/* Fingerprint mismatch. */
veriexec_file_report(vfe, "Mismatch.", name,
NULL, REPORT_ALWAYS|REPORT_ALARM);
/* IDS mode: Deny access on fingerprint mismatch. */
if (veriexec_strict >= VERIEXEC_IDS)
error = EPERM;
break;
default:
/* Should never happen. */
veriexec_file_report(vfe, "Invalid status "
"post evaluation.", name, NULL, REPORT_ALWAYS|REPORT_PANIC);
}
return (error);
}
int
veriexec_verify(struct lwp *l, struct vnode *vp, const u_char *name, int flag,
bool *found)
{
struct veriexec_file_entry *vfe;
int r;
r = veriexec_file_verify(l, vp, name, flag, &vfe);
if (found != NULL)
*found = (vfe != NULL) ? true : false;
return (r);
}
#ifdef notyet
/*
* Evaluate per-page fingerprints.
*/
int
veriexec_page_verify(struct veriexec_file_entry *vfe, struct vm_page *pg,
size_t idx, struct lwp *l)
{
void *ctx;
u_char *fp;
u_char *page_fp;
int error;
vaddr_t kva;
if (vfe->page_fp_status == PAGE_FP_NONE)
return (0);
if (vfe->page_fp_status == PAGE_FP_FAIL)
return (EPERM);
if (idx >= vfe->npages)
return (0);
ctx = malloc(vfe->ops->context_size, M_VERIEXEC, M_WAITOK);
fp = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK);
kva = uvm_km_alloc(kernel_map, PAGE_SIZE, 0, UVM_KMF_VAONLY | UVM_KMF_WAITVA);
pmap_kenter_pa(kva, VM_PAGE_TO_PHYS(pg), VM_PROT_READ);
page_fp = (u_char *) vfe->page_fp + (vfe->ops->hash_len * idx);
(vfe->ops->init)(ctx);
(vfe->ops->update)(ctx, (void *) kva,
((vfe->npages - 1) == idx) ? vfe->last_page_size
: PAGE_SIZE);
(vfe->ops->final)(fp, ctx);
pmap_kremove(kva, PAGE_SIZE);
uvm_km_free(kernel_map, kva, PAGE_SIZE, UVM_KMF_VAONLY);
error = veriexec_fp_cmp(vfe->ops, page_fp, fp);
if (error) {
const char *msg;
if (veriexec_strict > VERIEXEC_LEARNING) {
msg = "Pages modified: Killing process.";
} else {
msg = "Pages modified.";
error = 0;
}
veriexec_file_report(msg, "[page_in]", l,
REPORT_ALWAYS|REPORT_ALARM);
if (error) {
ksiginfo_t ksi;
KSI_INIT(&ksi);
ksi.ksi_signo = SIGKILL;
ksi.ksi_code = SI_NOINFO;
ksi.ksi_pid = l->l_proc->p_pid;
ksi.ksi_uid = 0;
kpsignal(l->l_proc, &ksi, NULL);
}
}
free(ctx, M_VERIEXEC);
free(fp, M_VERIEXEC);
return (error);
}
#endif /* notyet */
/*
* Veriexec remove policy code.
*/
int
veriexec_removechk(struct vnode *vp, const char *pathbuf, struct lwp *l)
{
struct veriexec_file_entry *vfe;
vfe = veriexec_get(vp);
if (vfe == NULL) {
/* Lockdown mode: Deny access to non-monitored files. */
if (veriexec_strict >= VERIEXEC_LOCKDOWN)
return (EPERM);
return (0);
}
veriexec_file_report(vfe, "Remove request.", pathbuf, l,
REPORT_ALWAYS|REPORT_ALARM);
/* IDS mode: Deny removal of monitored files. */
if (veriexec_strict >= VERIEXEC_IDS)
return (EPERM);
return (veriexec_file_delete(l, vp));
}
/*
* Veriexe rename policy.
*
* XXX: Once there's a way to hook after a successful rename, it would be
* XXX: nice to update vfe->filename to the new name if it's not NULL and
* XXX: the new name is absolute (ie., starts with a slash).
*/
int
veriexec_renamechk(struct vnode *fromvp, const char *fromname,
struct vnode *tovp, const char *toname, struct lwp *l)
{
struct veriexec_file_entry *vfe, *tvfe;
if (veriexec_strict >= VERIEXEC_LOCKDOWN) {
log(LOG_ALERT, "Veriexec: Preventing rename of `%s' to "
"`%s', uid=%u, pid=%u: Lockdown mode.\n", fromname, toname,
kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid);
return (EPERM);
}
vfe = veriexec_get(fromvp);
tvfe = NULL;
if (tovp != NULL)
tvfe = veriexec_get(tovp);
if ((vfe != NULL) || (tvfe != NULL)) {
if (veriexec_strict >= VERIEXEC_IPS) {
log(LOG_ALERT, "Veriexec: Preventing rename of `%s' "
"to `%s', uid=%u, pid=%u: IPS mode, %s "
"monitored.\n", fromname, toname,
kauth_cred_geteuid(l->l_cred),
l->l_proc->p_pid, (vfe != NULL && tvfe != NULL) ?
"files" : "file");
return (EPERM);
}
/*
* Monitored file is renamed; filename no longer relevant.
*
* XXX: We could keep the buffer, and when (and if) updating the
* XXX: filename post-rename, re-allocate it only if it's not
* XXX: big enough for the new filename.
*/
if (vfe != NULL) {
free(vfe->filename, M_VERIEXEC);
vfe->filename = NULL;
}
/*
* Monitored file is overwritten. Remove the entry.
*/
if (tvfe != NULL)
(void)veriexec_file_delete(l, tovp);
log(LOG_NOTICE, "Veriexec: %s file `%s' renamed to "
"%s file `%s', uid=%u, pid=%u.\n", (vfe != NULL) ?
"Monitored" : "Non-monitored", fromname, (tvfe != NULL) ?
"monitored" : "non-monitored", toname,
kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid);
}
return (0);
}
static void
veriexec_file_free(struct veriexec_file_entry *vfe)
{
if (vfe != NULL) {
if (vfe->fp != NULL)
free(vfe->fp, M_VERIEXEC);
if (vfe->page_fp != NULL)
free(vfe->page_fp, M_VERIEXEC);
if (vfe->filename != NULL)
free(vfe->filename, M_VERIEXEC);
free(vfe, M_VERIEXEC);
}
}
static void
veriexec_file_purge(struct veriexec_file_entry *vfe)
{
if (vfe == NULL)
return;
vfe->status = FINGERPRINT_NOTEVAL;
}
static void
veriexec_file_purge_cb(struct veriexec_file_entry *vfe, void *cookie)
{
veriexec_file_purge(vfe);
}
/*
* Invalidate a Veriexec file entry.
* XXX: This should be updated when per-page fingerprints are added.
*/
void
veriexec_purge(struct vnode *vp)
{
veriexec_file_purge(veriexec_get(vp));
}
/*
* Enforce raw disk access policy.
*
* IDS mode: Invalidate fingerprints on a mount if it's opened for writing.
* IPS mode: Don't allow raw writing to disks we monitor.
* Lockdown mode: Don't allow raw writing to all disks.
*
* XXX: This is bogus. There's an obvious race condition between the time
* XXX: the disk is open for writing, in which an attacker can access a
* XXX: monitored file to get its signature cached again, and when the raw
* XXX: file is overwritten on disk.
* XXX:
* XXX: To solve this, we need something like the following:
* XXX: open raw disk:
* XXX: - raise refcount,
* XXX: - invalidate fingerprints,
* XXX: - mark all entries for that disk with "no cache" flag
* XXX:
* XXX: veriexec_verify:
* XXX: - if "no cache", don't cache evaluation result
* XXX:
* XXX: close raw disk:
* XXX: - lower refcount,
* XXX: - if refcount == 0, remove "no cache" flag from all entries
*/
static int
veriexec_raw_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
enum kauth_device_req req;
struct veriexec_table_entry *vte;
result = KAUTH_RESULT_DENY;
req = (enum kauth_device_req)arg0;
switch (action) {
case KAUTH_DEVICE_RAWIO_SPEC: {
struct vnode *vp, *bvp;
dev_t dev;
int d_type;
if (req == KAUTH_REQ_DEVICE_RAWIO_SPEC_READ) {
result = KAUTH_RESULT_DEFER;
break;
}
vp = arg1;
KASSERT(vp != NULL);
dev = vp->v_un.vu_specinfo->si_rdev;
d_type = D_OTHER;
bvp = NULL;
/* Handle /dev/mem and /dev/kmem. */
if ((vp->v_type == VCHR) && iskmemdev(dev)) {
if (veriexec_strict < VERIEXEC_IPS)
result = KAUTH_RESULT_DEFER;
break;
}
switch (vp->v_type) {
case VCHR: {
const struct cdevsw *cdev;
cdev = cdevsw_lookup(dev);
if (cdev != NULL) {
dev_t blkdev;
blkdev = devsw_chr2blk(dev);
if (blkdev != NODEV) {
vfinddev(blkdev, VBLK, &bvp);
if (bvp != NULL)
d_type = cdev->d_type;
}
}
break;
}
case VBLK: {
const struct bdevsw *bdev;
bdev = bdevsw_lookup(dev);
if (bdev != NULL)
d_type = bdev->d_type;
bvp = vp;
break;
}
default:
result = KAUTH_RESULT_DEFER;
break;
}
if (d_type != D_DISK) {
result = KAUTH_RESULT_DEFER;
break;
}
/*
* XXX: See vfs_mountedon() comment in secmodel/bsd44.
*/
vte = veriexec_table_lookup(bvp->v_mount);
if (vte == NULL) {
result = KAUTH_RESULT_DEFER;
break;
}
switch (veriexec_strict) {
case VERIEXEC_LEARNING:
case VERIEXEC_IDS:
result = KAUTH_RESULT_DEFER;
fileassoc_table_run(bvp->v_mount, veriexec_hook,
(fileassoc_cb_t)veriexec_file_purge_cb, NULL);
break;
case VERIEXEC_IPS:
result = KAUTH_RESULT_DENY;
break;
case VERIEXEC_LOCKDOWN:
result = KAUTH_RESULT_DENY;
break;
}
break;
}
case KAUTH_DEVICE_RAWIO_PASSTHRU:
/* XXX What can we do here? */
if (veriexec_strict < VERIEXEC_IPS)
result = KAUTH_RESULT_DEFER;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* Create a new Veriexec table.
*/
static struct veriexec_table_entry *
veriexec_table_add(struct lwp *l, struct mount *mp)
{
struct veriexec_table_entry *vte;
u_char buf[16];
vte = malloc(sizeof(*vte), M_VERIEXEC, M_WAITOK | M_ZERO);
mount_setspecific(mp, veriexec_mountspecific_key, vte);
snprintf(buf, sizeof(buf), "table%u", veriexec_tablecount++);
sysctl_createv(NULL, 0, &veriexec_count_node, &vte->vte_node,
0, CTLTYPE_NODE, buf, NULL, NULL, 0, NULL,
0, CTL_CREATE, CTL_EOL);
sysctl_createv(NULL, 0, &vte->vte_node, NULL,
CTLFLAG_READONLY, CTLTYPE_STRING, "mntpt",
NULL, NULL, 0, mp->mnt_stat.f_mntonname,
0, CTL_CREATE, CTL_EOL);
sysctl_createv(NULL, 0, &vte->vte_node, NULL,
CTLFLAG_READONLY, CTLTYPE_STRING, "fstype",
NULL, NULL, 0, mp->mnt_stat.f_fstypename,
0, CTL_CREATE, CTL_EOL);
sysctl_createv(NULL, 0, &vte->vte_node, NULL,
CTLFLAG_READONLY, CTLTYPE_QUAD, "nentries",
NULL, NULL, 0, &vte->vte_count, 0, CTL_CREATE, CTL_EOL);
return (vte);
}
/*
* Add a file to be monitored by Veriexec.
*
* Expected elements in dict: file, fp, fp-type, entry-type.
*/
int
veriexec_file_add(struct lwp *l, prop_dictionary_t dict)
{
struct veriexec_table_entry *vte;
struct veriexec_file_entry *vfe = NULL, *hh;
struct nameidata nid;
const char *file, *fp_type;
int error;
file = prop_string_cstring_nocopy(prop_dictionary_get(dict, "file"));
NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, file, l);
error = namei(&nid);
if (error)
return (error);
/* Add only regular files. */
if (nid.ni_vp->v_type != VREG) {
log(LOG_ERR, "Veriexec: Not adding `%s': Not a regular file.\n",
file);
error = EBADF;
goto out;
}
vfe = malloc(sizeof(*vfe), M_VERIEXEC, M_WAITOK | M_ZERO);
/* Lookup fingerprint hashing algorithm. */
fp_type = prop_string_cstring_nocopy(prop_dictionary_get(dict,
"fp-type"));
if ((vfe->ops = veriexec_fpops_lookup(fp_type)) == NULL) {
log(LOG_ERR, "Veriexec: Invalid or unknown fingerprint type "
"`%s' for file `%s'.\n", fp_type, file);
error = EOPNOTSUPP;
goto out;
}
if (prop_data_size(prop_dictionary_get(dict, "fp")) !=
vfe->ops->hash_len) {
log(LOG_ERR, "Veriexec: Bad fingerprint length for `%s'.\n",
file);
error = EINVAL;
goto out;
}
vfe->fp = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK);
memcpy(vfe->fp, prop_data_data_nocopy(prop_dictionary_get(dict, "fp")),
vfe->ops->hash_len);
/*
* See if we already have an entry for this file. If we do, then
* let the user know and silently pretend to succeed.
*/
hh = veriexec_get(nid.ni_vp);
if (hh != NULL) {
bool fp_mismatch;
if (strcmp(vfe->ops->type, fp_type) ||
memcmp(hh->fp, vfe->fp, hh->ops->hash_len))
fp_mismatch = true;
else
fp_mismatch = false;
if ((veriexec_verbose >= 1) || fp_mismatch)
log(LOG_NOTICE, "Veriexec: Duplicate entry for `%s' "
"ignored. (%s fingerprint)\n", file,
fp_mismatch ? "different" : "same");
veriexec_file_free(vfe);
/* XXX Should this be EEXIST if fp_mismatch is true? */
error = 0;
goto out;
}
/* Continue entry initialization. */
if (prop_dictionary_get_uint8(dict, "entry-type", &vfe->type) == FALSE)
vfe->type = 0;
else {
uint8_t extra_flags;
extra_flags = vfe->type & ~(VERIEXEC_DIRECT |
VERIEXEC_INDIRECT | VERIEXEC_FILE | VERIEXEC_UNTRUSTED);
if (extra_flags) {
log(LOG_NOTICE, "Veriexec: Contaminated flags `0x%x' "
"for `%s', skipping.\n", extra_flags, file);
error = EINVAL;
goto out;
}
}
if (!(vfe->type & (VERIEXEC_DIRECT | VERIEXEC_INDIRECT |
VERIEXEC_FILE)))
vfe->type |= VERIEXEC_DIRECT;
vfe->status = FINGERPRINT_NOTEVAL;
if (prop_bool_true(prop_dictionary_get(dict, "keep-filename"))) {
size_t len;
len = strlen(file) + 1;
vfe->filename = malloc(len, M_VERIEXEC, M_WAITOK);
strlcpy(vfe->filename, file, len);
} else
vfe->filename = NULL;
vfe->page_fp = NULL;
vfe->page_fp_status = PAGE_FP_NONE;
vfe->npages = 0;
vfe->last_page_size = 0;
vte = veriexec_table_lookup(nid.ni_vp->v_mount);
if (vte == NULL)
vte = veriexec_table_add(l, nid.ni_vp->v_mount);
/* XXX if we bail below this, we might want to gc newly created vtes. */
error = fileassoc_add(nid.ni_vp, veriexec_hook, vfe);
if (error)
goto out;
vte->vte_count++;
if (prop_bool_true(prop_dictionary_get(dict, "eval-on-load")) ||
(vfe->type & VERIEXEC_UNTRUSTED)) {
u_char *digest;
digest = malloc(vfe->ops->hash_len, M_VERIEXEC,
M_WAITOK | M_ZERO);
error = veriexec_fp_calc(l, nid.ni_vp, vfe, digest);
if (error) {
free(digest, M_VERIEXEC);
goto out;
}
if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0)
vfe->status = FINGERPRINT_VALID;
else
vfe->status = FINGERPRINT_NOMATCH;
free(digest, M_VERIEXEC);
}
veriexec_file_report(NULL, "New entry.", file, NULL, REPORT_DEBUG);
out:
vrele(nid.ni_vp);
if (error)
veriexec_file_free(vfe);
return (error);
}
int
veriexec_table_delete(struct lwp *l, struct mount *mp) {
struct veriexec_table_entry *vte;
vte = veriexec_table_lookup(mp);
if (vte == NULL)
return (ENOENT);
veriexec_mountspecific_dtor(vte);
mount_setspecific(mp, veriexec_mountspecific_key, NULL);
return (fileassoc_table_clear(mp, veriexec_hook));
}
int
veriexec_file_delete(struct lwp *l, struct vnode *vp) {
struct veriexec_table_entry *vte;
int error;
vte = veriexec_table_lookup(vp->v_mount);
if (vte == NULL)
return (ENOENT);
error = fileassoc_clear(vp, veriexec_hook);
if (!error)
vte->vte_count--;
return (error);
}
/*
* Convert Veriexec entry data to a dictionary readable by userland tools.
*/
static void
veriexec_file_convert(struct veriexec_file_entry *vfe, prop_dictionary_t rdict)
{
if (vfe->filename)
prop_dictionary_set(rdict, "file",
prop_string_create_cstring(vfe->filename));
prop_dictionary_set_uint8(rdict, "entry-type", vfe->type);
prop_dictionary_set_uint8(rdict, "status", vfe->status);
prop_dictionary_set(rdict, "fp-type",
prop_string_create_cstring(vfe->ops->type));
prop_dictionary_set(rdict, "fp",
prop_data_create_data(vfe->fp, vfe->ops->hash_len));
}
int
veriexec_convert(struct vnode *vp, prop_dictionary_t rdict)
{
struct veriexec_file_entry *vfe;
vfe = veriexec_get(vp);
if (vfe == NULL)
return (ENOENT);
veriexec_file_convert(vfe, rdict);
return (0);
}
int
veriexec_unmountchk(struct mount *mp)
{
int error;
if (doing_shutdown)
return (0);
switch (veriexec_strict) {
case VERIEXEC_LEARNING:
error = 0;
break;
case VERIEXEC_IDS:
if (veriexec_table_lookup(mp) != NULL) {
log(LOG_INFO, "Veriexec: IDS mode, allowing unmount "
"of \"%s\".\n", mp->mnt_stat.f_mntonname);
}
error = 0;
break;
case VERIEXEC_IPS: {
struct veriexec_table_entry *vte;
vte = veriexec_table_lookup(mp);
if ((vte != NULL) && (vte->vte_count > 0)) {
log(LOG_ALERT, "Veriexec: IPS mode, preventing"
" unmount of \"%s\" with monitored files.\n",
mp->mnt_stat.f_mntonname);
error = EPERM;
} else
error = 0;
break;
}
case VERIEXEC_LOCKDOWN:
default:
log(LOG_ALERT, "Veriexec: Lockdown mode, preventing unmount "
"of \"%s\".\n", mp->mnt_stat.f_mntonname);
error = EPERM;
break;
}
return (error);
}
int
veriexec_openchk(struct lwp *l, struct vnode *vp, const char *path, int fmode)
{
struct veriexec_file_entry *vfe = NULL;
int error = 0;
if (vp == NULL) {
/* If no creation requested, let this fail normally. */
if (!(fmode & O_CREAT))
goto out;
/* Lockdown mode: Prevent creation of new files. */
if (veriexec_strict >= VERIEXEC_LOCKDOWN) {
log(LOG_ALERT, "Veriexec: Preventing new file "
"creation in `%s'.\n", path);
error = EPERM;
}
goto out;
}
error = veriexec_file_verify(l, vp, path, VERIEXEC_FILE, &vfe);
if (error)
goto out;
if ((vfe != NULL) && ((fmode & FWRITE) || (fmode & O_TRUNC))) {
veriexec_file_report(vfe, "Write access request.", path, l,
REPORT_ALWAYS | REPORT_ALARM);
/* IPS mode: Deny write access to monitored files. */
if (veriexec_strict >= VERIEXEC_IPS)
error = EPERM;
else
veriexec_file_purge(vfe);
}
out:
return (error);
}
static void
veriexec_file_dump(struct veriexec_file_entry *vfe, prop_array_t entries)
{
prop_dictionary_t entry;
/* If we don't have a filename, this is meaningless. */
if (vfe->filename == NULL)
return;
entry = prop_dictionary_create();
veriexec_file_convert(vfe, entry);
prop_array_add(entries, entry);
}
int
veriexec_dump(struct lwp *l, prop_array_t rarray)
{
struct mount *mp;
CIRCLEQ_FOREACH(mp, &mountlist, mnt_list) {
fileassoc_table_run(mp, veriexec_hook,
(fileassoc_cb_t)veriexec_file_dump, rarray);
}
return (0);
}
int
veriexec_flush(struct lwp *l)
{
struct mount *mp;
int error = 0;
CIRCLEQ_FOREACH(mp, &mountlist, mnt_list) {
int lerror;
lerror = veriexec_table_delete(l, mp);
if (lerror && lerror != ENOENT)
error = lerror;
}
return (error);
}
Reference in New Issue View Git Blame Copy Permalink