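/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2011, 2012, 2013, 2015, 2016, 2019, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Kernel-internal interface of the MAC/veriexec module: the per-file
 * metadata record, the module's malloc type and sysctl root, and the
 * prototypes shared between the metadata, fingerprint and state code.
 *
 * This header is intentionally not self-contained: MAXFINGERPRINTLEN,
 * fingerprint_status_t and struct mac_veriexec_fpops are used below but
 * defined elsewhere, so the including translation unit must pull in the
 * public veriexec header first.
 */

#ifndef _SECURITY_MAC_VERIEXEC_INTERNAL_H
#define _SECURITY_MAC_VERIEXEC_INTERNAL_H

/* Kernel-only: nothing in here is usable from userland. */
#ifndef _KERNEL
#error "no user-serviceable parts inside"
#endif

#include <sys/queue.h>
#include <sys/malloc.h>
#include <sys/sysctl.h>

#define MAC_VERIEXEC_FULLNAME "MAC/veriexec"

/* Value passed as the 'check_files' argument by callers (see prototypes). */
#define VERIEXEC_FILES_FIRST 1

#ifdef MAC_VERIEXEC_DEBUG
/*
 * Print a debug message when the debug level exceeds 'n'.  'x' must be a
 * parenthesized printf argument list, e.g. VERIEXEC_DEBUG(2, ("v=%d\n", v));
 *
 * The expansion is wrapped in do/while (0) so that it is exactly one
 * statement: with a bare "if (...) printf x" a caller's
 * "if (c) VERIEXEC_DEBUG(...); else ..." would bind the else to the
 * macro's own if.  mac_veriexec_debug is not declared in this header;
 * it is expected to be visible in any file that defines MAC_VERIEXEC_DEBUG.
 */
# define VERIEXEC_DEBUG(n, x) do {					\
	if (mac_veriexec_debug > (n))					\
		printf x;						\
} while (0)
#else
/* Same statement shape in non-debug builds, so callers' syntax is unchanged. */
# define VERIEXEC_DEBUG(n, x) do { } while (0)
#endif

/*
 * One entry of the veriexec metadata database.
 *
 * Entries are looked up by (fsid, fileid, gen) via
 * mac_veriexec_metadata_get_file_info() below; only fileid and gen are
 * stored here, so the fsid is presumably implied by the list the entry is
 * linked on (see 'found_dev' in that prototype) -- confirm in the .c file.
 */
struct mac_veriexec_file_info
{
	int flags;			/* per-file flags; values not defined here */
	long fileid;			/* file id within its filesystem */
	unsigned long gen;		/* generation number of the file */
	struct mac_veriexec_fpops *ops;	/* fingerprint ops (defined elsewhere) */
	/* Expected fingerprint; MAXFINGERPRINTLEN comes from an earlier include. */
	unsigned char fingerprint[MAXFINGERPRINTLEN];
	char *label;			/* optional label bytes, may be NULL -- confirm */
	size_t labellen;		/* number of bytes in 'label' */
	LIST_ENTRY(mac_veriexec_file_info) entries;
};

/* Malloc type used for veriexec allocations. */
MALLOC_DECLARE(M_VERIEXEC);

/* sysctl root node: security.mac.veriexec */
SYSCTL_DECL(_security_mac_veriexec);

struct cred;
struct image_params;
struct proc;
struct sbuf;
struct thread;
struct ucred;
struct vattr;
struct vnode;

/*
 * Metadata database.
 *
 * 'check_files' is an int on every lookup; its semantics are not visible
 * in this header (callers appear to pass VERIEXEC_FILES_FIRST) -- see the
 * implementation.  Return values are ints and are presumably errno-style,
 * 0 on success -- confirm against the definitions.
 */
int	mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
	    struct vattr *vap, struct thread *td, int check_files);
int	mac_veriexec_metadata_get_executable_flags(struct ucred *cred,
	    struct proc *p, int *flags, int check_files);
int	mac_veriexec_metadata_get_file_flags(dev_t fsid, long fileid,
	    unsigned long gen, int *flags, int check_files);
/* Look up the entry for (fsid, fileid, gen); on success *ipp points at it. */
int	mac_veriexec_metadata_get_file_info(dev_t fsid, long fileid,
	    unsigned long gen, int *found_dev,
	    struct mac_veriexec_file_info **ipp, int check_files);
void	mac_veriexec_metadata_init(void);
/* Dump the database into 'sbp' (used for sysctl/debug output). */
void	mac_veriexec_metadata_print_db(struct sbuf *sbp);
/* Called when filesystem 'fsid' is unmounted. */
int	mac_veriexec_metadata_unmounted(dev_t fsid, struct thread *td);

/*
 * Fingerprint support.
 */
/* Register a fingerprint algorithm implementation. */
int	mac_veriexec_fingerprint_add_ops(struct mac_veriexec_fpops *fpops);

/* Verify the image being executed against its stored fingerprint. */
int	mac_veriexec_fingerprint_check_image(struct image_params *imgp,
	    int check_files, struct thread *td);
/*
 * Verify 'vp' against entry 'ip'.  'fingerprint' is an output buffer;
 * its required size is not stated here -- assume MAXFINGERPRINTLEN bytes
 * and confirm in the implementation.
 */
int	mac_veriexec_fingerprint_check_vnode(struct vnode *vp,
	    struct mac_veriexec_file_info *ip, struct thread *td,
	    off_t file_size, unsigned char *fingerprint);
void	mac_veriexec_fingerprint_init(void);
/* Find the registered ops for algorithm name 'type', or NULL -- confirm. */
struct mac_veriexec_fpops *
	mac_veriexec_fingerprint_lookup_ops(const char *type);

/*
 * Per-vnode fingerprint status and global module state.
 * fingerprint_status_t is defined in the public veriexec header.
 */
fingerprint_status_t
	mac_veriexec_get_fingerprint_status(struct vnode *vp);
int	mac_veriexec_get_state(void);
/* Non-zero when the module's current state includes 'state'. */
int	mac_veriexec_in_state(int state);
void	mac_veriexec_set_fingerprint_status(struct vnode *vp,
	    fingerprint_status_t fp_status);
void	mac_veriexec_set_state(int state);

#endif /* !_SECURITY_MAC_VERIEXEC_INTERNAL_H */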