1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2011, 2012, 2013, 2015, 2016, 2019, Juniper Networks, Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 
*/

#ifndef _SECURITY_MAC_VERIEXEC_H
#define _SECURITY_MAC_VERIEXEC_H

#include <sys/param.h>

#ifdef _KERNEL
#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/queue.h>
#include <sys/module.h>
#endif

/**
 * Name of the MAC module
 */
#define MAC_VERIEXEC_NAME	"mac_veriexec"

/*
 * MAC/veriexec syscall selectors.  The GET_PARAMS_* variants return a
 * struct mac_veriexec_syscall_params (declared below) to the caller;
 * everything in this header above the _KERNEL guard is therefore part
 * of the kernel/userland ABI and must not be reordered or resized
 * without a MAC_VERIEXEC_VERSION bump.
 */
#define MAC_VERIEXEC_CHECK_FD_SYSCALL		1
#define MAC_VERIEXEC_CHECK_PATH_SYSCALL		2
#define MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL	3
#define MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL	4

/*
 * Fixed-size buffer for the hash (fingerprint) type name, e.g. the
 * string matched against mac_veriexec_fpops.type.  Nothing here
 * guarantees NUL termination of a full 16-byte name; consumers should
 * bound their reads by VERIEXEC_FPTYPELEN rather than strlen().
 */
#define VERIEXEC_FPTYPELEN	16	/* hash name */

/**
 * Enough room for the largest signature...
 *
 * Upper bound on the raw digest a fingerprint module may produce
 * (mac_veriexec_fpops.digest_len).  A module registering a larger
 * digest_len would overrun fingerprint[] buffers sized by this
 * constant; presumably rejected at registration time — confirm in
 * mac_veriexec_fingerprint_modevent.
 */
#define MAXFINGERPRINTLEN	64	/* enough room for largest signature */
#define MAXLABELLEN		128	/* max label bytes, see labellen below */

/*
 * Types of veriexec inodes we can have
 *
 * Per-file flag bits stored with a fingerprint entry.  TRUSTED and
 * NOTRACE widen or narrow what a verified binary may do once it is
 * running, so entries carrying them deserve the same scrutiny as the
 * signature itself.
 */
#define VERIEXEC_INDIRECT	(1<<0)	/* Only allow indirect execution */
#define VERIEXEC_FILE		(1<<1)	/* Fingerprint of a plain file */
#define VERIEXEC_NOTRACE	(1<<2)	/**< PTRACE not allowed */
#define VERIEXEC_TRUSTED	(1<<3)	/**< Safe to write /dev/mem */
#define VERIEXEC_NOFIPS		(1<<4)	/**< Not allowed in FIPS mode */
#define VERIEXEC_LABEL		(1<<5)	/**< We have a label */

/*
 * Subsystem state bits.  Only ENFORCE makes a mismatch fatal to exec;
 * LOADED/ACTIVE without ENFORCE is an audit-only posture.  LOCKED is
 * the one-way latch that stops further changes to the loaded state.
 */
#define VERIEXEC_STATE_INACTIVE	0	/**< Ignore */
#define VERIEXEC_STATE_LOADED	(1<<0)	/**< Sigs have been loaded */
#define VERIEXEC_STATE_ACTIVE	(1<<1)	/**< Pay attention to it */
#define VERIEXEC_STATE_ENFORCE	(1<<2)	/**< Fail execs for files that do not
					     match signature */
#define VERIEXEC_STATE_LOCKED	(1<<3)	/**< Do not allow further changes */

/*
 * for MAC_VERIEXEC_GET_PARAMS_*_SYSCALL
 *
 * Result record copied out to user space.  fp_type and label are
 * fixed-size and not necessarily NUL-terminated: the valid length of
 * label is labellen, which a consumer should clamp to MAXLABELLEN
 * before use.  NOTE(review): the struct has alignment padding after
 * flags (and possibly after the arrays); whoever fills it in for
 * copyout should zero the whole object first so that padding bytes do
 * not carry kernel memory to userland.
 */
struct mac_veriexec_syscall_params {
	char fp_type[VERIEXEC_FPTYPELEN];	/* hash name of fingerprint */
	unsigned char fingerprint[MAXFINGERPRINTLEN]; /* raw digest bytes */
	char label[MAXLABELLEN];		/* label bytes, labellen valid */
	size_t labellen;			/* bytes of label in use */
	unsigned char flags;			/* VERIEXEC_* flag bits */
};

/*
 * Argument block for the GET_PARAMS syscalls: one input selector
 * (pid or path, chosen by the syscall number) and an output pointer.
 * Both filename and params are user-space pointers — presumably
 * accessed only via copyin/copyinstr/copyout in the syscall handler;
 * verify against the implementation.
 */
struct mac_veriexec_syscall_params_args {
	union {
		pid_t pid;			/* ..._GET_PARAMS_PID_SYSCALL */
		const char *filename;		/* ..._GET_PARAMS_PATH_SYSCALL */
	} u;					/* input only */
	struct mac_veriexec_syscall_params *params;	/* result */
};

#ifdef _KERNEL
/**
 * Version of the MAC/veriexec module
 *
 * Fingerprint modules built with MAC_VERIEXEC_FPMOD depend on exactly
 * this version (min == preferred == max in MODULE_DEPEND below).
 */
#define MAC_VERIEXEC_VERSION	2

/*
 * Valid states for the fingerprint flag - if signed exec is being used
 *
 * Only FINGERPRINT_VALID denotes "matched and executable"; INDIRECT
 * and FILE are matches with restricted use, and the remaining values
 * are the distinct reasons a lookup did not yield a usable entry.
 */
typedef enum fingerprint_status {
	FINGERPRINT_INVALID,	/**< Fingerprint has not been evaluated */
	FINGERPRINT_VALID,	/**< Fingerprint evaluated and matches list */
	FINGERPRINT_INDIRECT,	/**< Fingerprint eval'd/matched but only
				     indirect execs allowed */
	FINGERPRINT_FILE,	/**< Fingerprint evaluated/matched but
				     not executable */
	FINGERPRINT_NOMATCH,	/**< Fingerprint evaluated but does not match */
	FINGERPRINT_NOENTRY,	/**< Fingerprint evaluated but no list entry */
	FINGERPRINT_NODEV,	/**< Fingerprint evaluated but no dev list */
} fingerprint_status_t;

/*
 * Digest callbacks supplied by a fingerprint module.  The opaque
 * context is context_size bytes (allocated by the caller); update()
 * consumes len bytes from data; final() writes the digest into its
 * first argument, which has no explicit length and must be at least
 * digest_len bytes.
 */
typedef void (*mac_veriexec_fpop_init_t)(void *);
typedef void (*mac_veriexec_fpop_update_t)(void *, const uint8_t *, size_t);
typedef void (*mac_veriexec_fpop_final_t)(uint8_t *, void *);

/*
 * Registration record for one fingerprint (hash) algorithm, linked
 * into the list of known algorithms via entries.
 */
struct mac_veriexec_fpops {
	const char *type;		/* algorithm name, matched by fp_type */
	size_t digest_len;		/* output bytes of final(); <= MAXFINGERPRINTLEN */
	size_t context_size;		/* bytes needed for the hash context */
	mac_veriexec_fpop_init_t init;
	mac_veriexec_fpop_update_t update;
	mac_veriexec_fpop_final_t final;
	LIST_ENTRY(mac_veriexec_fpops) entries;
};

/**
 * Verified execution subsystem debugging level
 */
extern int mac_veriexec_debug;

/**
 * @brief Define a fingerprint module.
 *
 * Expands to a static struct mac_veriexec_fpops, a moduledata_t that
 * hands it to mac_veriexec_fingerprint_modevent, and the module
 * version/declare/depend boilerplate.  The resulting module is named
 * "mac_veriexec/<_name>", is ordered in SI_SUB_MAC_POLICY, and
 * depends on mac_veriexec at exactly MAC_VERIEXEC_VERSION.
 *
 * @param _name		Name of the fingerprint module (also the
 *			algorithm name stored in .type, via #_name)
 * @param _digest_len	Length of the raw digest written by _final, in
 *			bytes (it is uint8_t data, not a printable
 *			string); must not exceed MAXFINGERPRINTLEN
 * @param _context_size	Size of the context structure, in bytes
 * @param _init		Initialization function of type
 *			mac_veriexec_fpop_init_t
 * @param _update	Update function of type mac_veriexec_fpop_update_t
 * @param _final	Finalize function of type mac_veriexec_fpop_final_t
 * @param _vers		Module version
 */
#define MAC_VERIEXEC_FPMOD(_name, _digest_len, _context_size, _init,	\
	    _update, _final, _vers)					\
	static struct mac_veriexec_fpops				\
	    mac_veriexec_##_name##_fpops = {				\
		.type = #_name,						\
		.digest_len = _digest_len,				\
		.context_size = _context_size,				\
		.init = _init,						\
		.update = _update,					\
		.final = _final,					\
	};								\
	static moduledata_t mac_veriexec_##_name##_mod = {		\
		"mac_veriexec/" #_name,					\
		mac_veriexec_fingerprint_modevent,			\
		&(mac_veriexec_##_name##_fpops)				\
	};								\
	MODULE_VERSION(mac_veriexec_##_name, _vers);			\
	DECLARE_MODULE(mac_veriexec_##_name,				\
	    mac_veriexec_##_name##_mod, SI_SUB_MAC_POLICY,		\
	    SI_ORDER_ANY);						\
	MODULE_DEPEND(mac_veriexec_##_name, mac_veriexec,		\
	    MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION,			\
	    MAC_VERIEXEC_VERSION)

/*
 * The following function should not be called directly. The prototype is
 * included here to satisfy the compiler when using the macro above.
 * It receives the module's struct mac_veriexec_fpops as data.
 */
int	mac_veriexec_fingerprint_modevent(module_t mod, int type, void *data);

/*
 * Public functions
 */

/*
 * Add (or, when override is set, presumably replace — confirm) the
 * fingerprint record for the file identified by (fsid, fileid, gen).
 * fingerprint decays to a pointer: the declared bound is documentation
 * only, so the callee must size its copy by the fp_type's digest_len,
 * not by MAXFINGERPRINTLEN.  label/labellen carry an optional label
 * (VERIEXEC_LABEL); flags are VERIEXEC_* bits.  Returns an errno-style
 * int.
 */
int	mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
	    unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN],
	    char *label, size_t labellen, int flags, const char *fp_type,
	    int override);

/*
 * Look up the label stored for (fsid, fileid, gen); check_files
 * presumably controls whether VERIEXEC_FILE entries are considered —
 * verify against the implementation.  NULL when no label is found.
 */
const char *mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
	    unsigned long gen, int check_files);

/*
 * Non-zero if a fingerprint record exists for (fsid, fileid, gen).
 */
int	mac_veriexec_metadata_has_file(dev_t fsid, long fileid,
	    unsigned long gen);

/*
 * Non-zero if process p (under credential cred) is considered trusted;
 * presumably tied to the VERIEXEC_TRUSTED flag of its executable —
 * confirm before relying on it for /dev/mem-style access decisions.
 */
int	mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
#endif

#endif /* _SECURITY_MAC_VERIEXEC_H */