1 /*
2 *
3 * Copyright (c) 2011-2023, Juniper Networks, Inc.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
20 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
21 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
22 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/buf.h>
31 #include <sys/conf.h>
32 #include <sys/errno.h>
33 #include <sys/fcntl.h>
34 #include <sys/file.h>
35 #include <sys/filedesc.h>
36 #include <sys/ioccom.h>
37 #include <sys/jail.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/malloc.h>
41 #include <sys/mdioctl.h>
42 #include <sys/mount.h>
43 #include <sys/mutex.h>
44 #include <sys/namei.h>
45 #include <sys/priv.h>
46 #include <sys/proc.h>
47 #include <sys/queue.h>
48 #include <sys/vnode.h>
49
50 #include <security/mac_veriexec/mac_veriexec.h>
51 #include <security/mac_veriexec/mac_veriexec_internal.h>
52
53 #include "veriexec_ioctl.h"
54
/*
 * Serializes updates to the veriexec state and the fingerprint lists.
 * The mutex is defined elsewhere (presumably in mac_veriexec itself);
 * this file only takes it around state changes and the call to
 * mac_veriexec_metadata_add_file() in the ioctl handler below.
 */
extern struct mtx ve_mutex;
59
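/*
 * Load one fingerprint record into the veriexec metadata store on behalf
 * of VERIEXEC_LOAD, VERIEXEC_LABEL_LOAD or VERIEXEC_SIGNED_LOAD.
 *
 * cmd     - the ioctl being serviced; decides whether the entry may
 *           override an existing one (everything but VERIEXEC_LOAD).
 * td      - calling thread; its credentials are used for the lookup.
 * params  - the fingerprint request.  For VERIEXEC_SIGNED_LOAD32 the
 *           caller hands in its own widened copy rather than the ioctl
 *           buffer.
 * lparams - the ioctl buffer viewed as a label request.  Its label
 *           member is only present (only copied in from userland) for
 *           VERIEXEC_LABEL_LOAD, so it is touched for that command only.
 *
 * Returns 0 or an errno value.  Must be called with ve_mutex unlocked;
 * the lock is taken here around the metadata update.
 */
static int
veriexec_load_fingerprint(u_long cmd, struct thread *td,
    struct verified_exec_params *params,
    struct verified_exec_label_params *lparams)
{
	struct nameidata nid;
	struct vattr vattr;
	size_t labellen = 0;
	int openflags = FREAD;
	/* Signed/labelled loads may replace an existing entry. */
	int override = (cmd != VERIEXEC_LOAD);
	int error;

	if (mac_veriexec_in_state(VERIEXEC_STATE_LOCKED))
		return (EPERM);

	if ((params->flags & VERIEXEC_LABEL) != 0) {
		/*
		 * Only VERIEXEC_LABEL_LOAD is declared with a struct
		 * verified_exec_label_params argument; for the other
		 * commands the ioctl buffer ends with params and
		 * lparams->label would lie beyond it.  Reject rather than
		 * read past the buffer.
		 */
		if (cmd != VERIEXEC_LABEL_LOAD)
			return (EINVAL);
		/* The label must be NUL terminated within MAXLABELLEN. */
		labellen = strnlen(lparams->label, MAXLABELLEN) + 1;
		if (labellen > MAXLABELLEN)
			return (EINVAL);
	}

	/*
	 * Look the file up to obtain its device id, inode number and
	 * generation; those (plus the fingerprint) are what exec will
	 * match against later.  The ioctl layer has already copied the
	 * argument into kernel space, hence UIO_SYSSPACE.
	 */
	NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, params->file);
	error = vn_open(&nid, &openflags, 0, NULL);
	if (error != 0)
		return (error);

	error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred);
	if (error == 0 && override) {
		/*
		 * If the file is on a "verified" filesystem
		 * someone may be playing games.
		 */
		if ((nid.ni_vp->v_mount->mnt_flag & MNT_VERIFIED) != 0)
			override = 0;
	}

	/*
	 * Invalidate the node fingerprint status, which will have been
	 * set during vn_open and would always be FINGERPRINT_NOTFOUND.
	 * This is done on both the success and the VOP_GETATTR failure
	 * path before the vnode is released.
	 */
	mac_veriexec_set_fingerprint_status(nid.ni_vp, FINGERPRINT_INVALID);
	VOP_UNLOCK(nid.ni_vp);
	(void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
	if (error != 0)
		return (error);

	mtx_lock(&ve_mutex);
	error = mac_veriexec_metadata_add_file(
	    ((params->flags & VERIEXEC_FILE) != 0),
	    vattr.va_fsid, vattr.va_fileid, vattr.va_gen,
	    params->fingerprint,
	    (params->flags & VERIEXEC_LABEL) != 0 ? lparams->label : NULL,
	    labellen, params->flags, params->fp_type, override);
	/*
	 * NOTE(review): the state becomes LOADED even when add_file
	 * reported an error (unchanged from the original); confirm that
	 * is intended.
	 */
	mac_veriexec_set_state(VERIEXEC_STATE_LOADED);
	mtx_unlock(&ve_mutex);

	return (error);
}

/*
 * Handle the ioctl for the device.
 *
 * dev   - unused.
 * cmd   - one of the VERIEXEC_* requests from veriexec_ioctl.h.
 * data  - the request argument, already copied into kernel space by the
 *         ioctl layer and sized by the request's declared argument type.
 * flags - unused.
 * td    - calling thread, checked for PRIV_VERIEXEC_CONTROL.
 *
 * VERIEXEC_GETSTATE is answered for anyone who could open the device
 * node; every other request first needs PRIV_VERIEXEC_CONTROL.
 * Returns 0 or an errno value (ENODEV for unknown requests).
 */
static int
verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
    int flags __unused, struct thread *td)
{
	struct verified_exec_label_params *lparams;
	struct verified_exec_params *params, params_;
	int error = 0;

	/*
	 * Reading the state is considered a safe request for anyone who
	 * has permission to access the device node.
	 */
	if (cmd == VERIEXEC_GETSTATE) {
		int *ip = (int *)data;

		if (ip == NULL)
			return (EINVAL);
		*ip = mac_veriexec_get_state();
		return (0);
	}

	/*
	 * Anything beyond this point is considered dangerous, so we need to
	 * only allow processes that have kmem write privs to do them.
	 *
	 * MAC/veriexec will grant kmem write privs to "trusted" processes.
	 */
	error = priv_check(td, PRIV_VERIEXEC_CONTROL);
	if (error)
		return (error);

	/*
	 * Locate the fingerprint parameters inside the request.  lparams is
	 * only a complete object for VERIEXEC_LABEL_LOAD; the load helper
	 * dereferences its label member for that command alone.
	 */
	lparams = (struct verified_exec_label_params *)data;
	switch (cmd) {
	case VERIEXEC_LABEL_LOAD:
		params = &lparams->params;
		break;
	case VERIEXEC_SIGNED_LOAD32:
		/*
		 * Widen the 32-bit layout into a full params struct.  Zero
		 * the copy first so that any trailing bytes the 32-bit
		 * struct does not supply are defined rather than stack
		 * garbage.
		 *
		 * NOTE(review): there is no VERIEXEC_SIGNED_LOAD32 case in
		 * the dispatch switch below, so this request currently ends
		 * in ENODEV; confirm whether it should be grouped with
		 * VERIEXEC_SIGNED_LOAD.
		 */
		params = &params_;
		memset(params, 0, sizeof(*params));
		memcpy(params, data, sizeof(struct verified_exec_params32));
		break;
	default:
		params = (struct verified_exec_params *)data;
		break;
	}

	switch (cmd) {
	case VERIEXEC_ACTIVE:
		mtx_lock(&ve_mutex);
		if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
			mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE);
		else
			error = EINVAL;	/* nothing loaded to activate */
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_DEBUG_ON:
	{
		int *ip = (int *)data;

		mtx_lock(&ve_mutex);
		mac_veriexec_debug++;
		if (ip) {
			/* A positive argument sets the level outright. */
			if (*ip > 0)
				mac_veriexec_debug = *ip;
			/* Report the resulting level back to the caller. */
			*ip = mac_veriexec_debug;
		}
		mtx_unlock(&ve_mutex);
	}
		break;
	case VERIEXEC_DEBUG_OFF:
		/*
		 * NOTE(review): unlike VERIEXEC_DEBUG_ON this store is not
		 * done under ve_mutex (unchanged from the original).
		 */
		mac_veriexec_debug = 0;
		break;
	case VERIEXEC_ENFORCE:
		mtx_lock(&ve_mutex);
		if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
			mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE |
			    VERIEXEC_STATE_ENFORCE);
		else
			error = EINVAL;	/* nothing loaded to enforce */
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_GETVERSION:
	{
		int *ip = (int *)data;

		if (ip)
			*ip = MAC_VERIEXEC_VERSION;
		else
			error = EINVAL;
	}
		break;
	case VERIEXEC_LOCK:
		mtx_lock(&ve_mutex);
		mac_veriexec_set_state(VERIEXEC_STATE_LOCKED);
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_LOAD:
		if (prison0.pr_securelevel > 0)
			return (EPERM);	/* no updates when secure */

		/* FALLTHROUGH */
	case VERIEXEC_LABEL_LOAD:
	case VERIEXEC_SIGNED_LOAD:
		/*
		 * If we use a loader that will only use a
		 * digitally signed hash list - which it verifies.
		 * We can load fingerprints provided veriexec is not locked.
		 */
		if (prison0.pr_securelevel > 0 &&
		    !mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) {
			/*
			 * If securelevel has been raised and we
			 * do not have any fingerprints loaded,
			 * it would be dangerous to do so now.
			 */
			return (EPERM);
		}
		error = veriexec_load_fingerprint(cmd, td, params, lparams);
		break;
	default:
		error = ENODEV;
	}
	return (error);
}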
263
/*
 * Character-device switch for /dev/veriexec.  Only an ioctl entry point is
 * provided; all control of the policy goes through verifiedexecioctl().
 * The symbol is not static, so it is presumably referenced elsewhere too.
 */
struct cdevsw veriexec_cdevsw = {
	.d_version = D_VERSION,
	.d_ioctl = verifiedexecioctl,
	.d_name = "veriexec",
};
269
/*
 * Create the /dev/veriexec control node.
 *
 * The node is created owned by UID_ROOT/GID_WHEEL with mode 0600, so
 * even the "safe" VERIEXEC_GETSTATE request is only reachable by a
 * process that can open a root-owned 0600 node; the dangerous requests
 * are additionally gated by priv_check() in verifiedexecioctl().
 *
 * NOTE(review): the returned cdev is not kept, so there is no
 * destroy_dev() counterpart here — presumably the driver is never torn
 * down; confirm.
 */
static void
veriexec_drvinit(void *unused __unused)
{

	make_dev(&veriexec_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, "veriexec");
}
276
/* Create the device node once pseudo-devices can be registered. */
SYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL);
/*
 * Require the mac_veriexec policy module, pinned to exactly
 * MAC_VERIEXEC_VERSION (minimum, preferred and maximum are all the same),
 * since the ioctl handler calls straight into its state and metadata API.
 */
MODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION,
    MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION);
280