1 /* 2 * 3 * Copyright (c) 2011-2023, Juniper Networks, Inc. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 20 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 22 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 23 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #include <sys/param.h> 30 #include <sys/systm.h> 31 #include <sys/buf.h> 32 #include <sys/conf.h> 33 #include <sys/errno.h> 34 #include <sys/fcntl.h> 35 #include <sys/file.h> 36 #include <sys/filedesc.h> 37 #include <sys/ioccom.h> 38 #include <sys/jail.h> 39 #include <sys/kernel.h> 40 #include <sys/lock.h> 41 #include <sys/malloc.h> 42 #include <sys/mdioctl.h> 43 #include <sys/mount.h> 44 #include <sys/mutex.h> 45 #include <sys/namei.h> 46 #include <sys/priv.h> 47 #include <sys/proc.h> 48 #include <sys/queue.h> 49 #include <sys/vnode.h> 50 51 #include <security/mac_veriexec/mac_veriexec.h> 52 #include <security/mac_veriexec/mac_veriexec_internal.h> 53 54 #include "veriexec_ioctl.h" 55 56 /* 57 * We need a mutex while updating lists etc. 58 */ 59 extern struct mtx ve_mutex; 60 61 /* 62 * Handle the ioctl for the device 63 */ 64 static int 65 verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, 66 int flags, struct thread *td) 67 { 68 struct nameidata nid; 69 struct vattr vattr; 70 struct verified_exec_label_params *lparams; 71 struct verified_exec_params *params, params_; 72 int error = 0; 73 74 /* 75 * These commands are considered safe requests for anyone who has 76 * permission to access to device node. 77 */ 78 switch (cmd) { 79 case VERIEXEC_GETSTATE: 80 { 81 int *ip = (int *)data; 82 83 if (ip) 84 *ip = mac_veriexec_get_state(); 85 else 86 error = EINVAL; 87 88 return (error); 89 } 90 break; 91 default: 92 break; 93 } 94 95 /* 96 * Anything beyond this point is considered dangerous, so we need to 97 * only allow processes that have kmem write privs to do them. 98 * 99 * MAC/veriexec will grant kmem write privs to "trusted" processes. 100 */ 101 error = priv_check(td, PRIV_VERIEXEC_CONTROL); 102 if (error) 103 return (error); 104 105 lparams = (struct verified_exec_label_params *)data; 106 switch (cmd) { 107 case VERIEXEC_LABEL_LOAD: 108 params = &lparams->params; 109 break; 110 case VERIEXEC_SIGNED_LOAD32: 111 params = ¶ms_; 112 memcpy(params, data, sizeof(struct verified_exec_params32)); 113 break; 114 default: 115 params = (struct verified_exec_params *)data; 116 break; 117 } 118 119 switch (cmd) { 120 case VERIEXEC_ACTIVE: 121 mtx_lock(&ve_mutex); 122 if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) 123 mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE); 124 else 125 error = EINVAL; 126 mtx_unlock(&ve_mutex); 127 break; 128 case VERIEXEC_DEBUG_ON: 129 mtx_lock(&ve_mutex); 130 { 131 int *ip = (int *)data; 132 133 mac_veriexec_debug++; 134 if (ip) { 135 if (*ip > 0) 136 mac_veriexec_debug = *ip; 137 *ip = mac_veriexec_debug; 138 } 139 } 140 mtx_unlock(&ve_mutex); 141 break; 142 case VERIEXEC_DEBUG_OFF: 143 mac_veriexec_debug = 0; 144 break; 145 case VERIEXEC_ENFORCE: 146 mtx_lock(&ve_mutex); 147 if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) 148 mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE | 149 VERIEXEC_STATE_ENFORCE); 150 else 151 error = EINVAL; 152 mtx_unlock(&ve_mutex); 153 break; 154 case VERIEXEC_GETVERSION: 155 { 156 int *ip = (int *)data; 157 158 if (ip) 159 *ip = MAC_VERIEXEC_VERSION; 160 else 161 error = EINVAL; 162 } 163 break; 164 case VERIEXEC_LOCK: 165 mtx_lock(&ve_mutex); 166 mac_veriexec_set_state(VERIEXEC_STATE_LOCKED); 167 mtx_unlock(&ve_mutex); 168 break; 169 case VERIEXEC_LOAD: 170 if (prison0.pr_securelevel > 0) 171 return (EPERM); /* no updates when secure */ 172 173 /* FALLTHROUGH */ 174 case VERIEXEC_LABEL_LOAD: 175 case VERIEXEC_SIGNED_LOAD: 176 /* 177 * If we use a loader that will only use a 178 * digitally signed hash list - which it verifies. 179 * We can load fingerprints provided veriexec is not locked. 180 */ 181 if (prison0.pr_securelevel > 0 && 182 !mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) { 183 /* 184 * If securelevel has been raised and we 185 * do not have any fingerprints loaded, 186 * it would dangerous to do so now. 187 */ 188 return (EPERM); 189 } 190 if (mac_veriexec_in_state(VERIEXEC_STATE_LOCKED)) 191 error = EPERM; 192 else { 193 size_t labellen = 0; 194 int flags = FREAD; 195 int override = (cmd != VERIEXEC_LOAD); 196 197 if (params->flags & VERIEXEC_LABEL) { 198 labellen = strnlen(lparams->label, 199 MAXLABELLEN) + 1; 200 if (labellen > MAXLABELLEN) 201 return (EINVAL); 202 } 203 204 /* 205 * Get the attributes for the file name passed 206 * stash the file's device id and inode number 207 * along with it's fingerprint in a list for 208 * exec to use later. 209 */ 210 /* 211 * FreeBSD seems to copy the args to kernel space 212 */ 213 NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, params->file); 214 if ((error = vn_open(&nid, &flags, 0, NULL)) != 0) 215 return (error); 216 217 error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred); 218 if (error != 0) { 219 mac_veriexec_set_fingerprint_status(nid.ni_vp, 220 FINGERPRINT_INVALID); 221 VOP_UNLOCK(nid.ni_vp); 222 (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, 223 td); 224 return (error); 225 } 226 if (override) { 227 /* 228 * If the file is on a "verified" filesystem 229 * someone may be playing games. 230 */ 231 if ((nid.ni_vp->v_mount->mnt_flag & 232 MNT_VERIFIED) != 0) 233 override = 0; 234 } 235 236 /* 237 * invalidate the node fingerprint status 238 * which will have been set in the vn_open 239 * and would always be FINGERPRINT_NOTFOUND 240 */ 241 mac_veriexec_set_fingerprint_status(nid.ni_vp, 242 FINGERPRINT_INVALID); 243 VOP_UNLOCK(nid.ni_vp); 244 (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td); 245 246 mtx_lock(&ve_mutex); 247 error = mac_veriexec_metadata_add_file( 248 ((params->flags & VERIEXEC_FILE) != 0), 249 vattr.va_fsid, vattr.va_fileid, vattr.va_gen, 250 params->fingerprint, 251 (params->flags & VERIEXEC_LABEL) ? 252 lparams->label : NULL, labellen, 253 params->flags, params->fp_type, override); 254 255 mac_veriexec_set_state(VERIEXEC_STATE_LOADED); 256 mtx_unlock(&ve_mutex); 257 } 258 break; 259 default: 260 error = ENODEV; 261 } 262 return (error); 263 } 264 265 struct cdevsw veriexec_cdevsw = { 266 .d_version = D_VERSION, 267 .d_ioctl = verifiedexecioctl, 268 .d_name = "veriexec", 269 }; 270 271 static void 272 veriexec_drvinit(void *unused __unused) 273 { 274 275 make_dev(&veriexec_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, "veriexec"); 276 } 277 278 SYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL); 279 MODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION, 280 MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION); 281