dev/veriexec/verified_exec.c

ed7b25daSStephen J. Kiernan/*
ed7b25daSStephen J. Kiernan *
bd4742c9SSteve Kiernan * Copyright (c) 2011-2023, Juniper Networks, Inc.
ed7b25daSStephen J. Kiernan * All rights reserved.
ed7b25daSStephen J. Kiernan *
ed7b25daSStephen J. Kiernan * Redistribution and use in source and binary forms, with or without
ed7b25daSStephen J. Kiernan * modification, are permitted provided that the following conditions
ed7b25daSStephen J. Kiernan * are met:
ed7b25daSStephen J. Kiernan * 1. Redistributions of source code must retain the above copyright
ed7b25daSStephen J. Kiernan *    notice, this list of conditions and the following disclaimer.
ed7b25daSStephen J. Kiernan * 2. Redistributions in binary form must reproduce the above copyright
ed7b25daSStephen J. Kiernan *    notice, this list of conditions and the following disclaimer in the
ed7b25daSStephen J. Kiernan *    documentation and/or other materials provided with the distribution.
ed7b25daSStephen J. Kiernan *
ed7b25daSStephen J. Kiernan * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
ed7b25daSStephen J. Kiernan * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
ed7b25daSStephen J. Kiernan * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
ed7b25daSStephen J. Kiernan * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
ed7b25daSStephen J. Kiernan * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
ed7b25daSStephen J. Kiernan * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
ed7b25daSStephen J. Kiernan * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
ed7b25daSStephen J. Kiernan * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
ed7b25daSStephen J. Kiernan * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
ed7b25daSStephen J. Kiernan * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
ed7b25daSStephen J. Kiernan * SUCH DAMAGE.
ed7b25daSStephen J. Kiernan */
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan#include <sys/param.h>
ed7b25daSStephen J. Kiernan#include <sys/systm.h>
ed7b25daSStephen J. Kiernan#include <sys/buf.h>
ed7b25daSStephen J. Kiernan#include <sys/conf.h>
ed7b25daSStephen J. Kiernan#include <sys/errno.h>
ed7b25daSStephen J. Kiernan#include <sys/fcntl.h>
ed7b25daSStephen J. Kiernan#include <sys/file.h>
ed7b25daSStephen J. Kiernan#include <sys/filedesc.h>
ed7b25daSStephen J. Kiernan#include <sys/ioccom.h>
ed7b25daSStephen J. Kiernan#include <sys/jail.h>
ed7b25daSStephen J. Kiernan#include <sys/kernel.h>
ed7b25daSStephen J. Kiernan#include <sys/lock.h>
ed7b25daSStephen J. Kiernan#include <sys/malloc.h>
ed7b25daSStephen J. Kiernan#include <sys/mdioctl.h>
ed7b25daSStephen J. Kiernan#include <sys/mount.h>
ed7b25daSStephen J. Kiernan#include <sys/mutex.h>
ed7b25daSStephen J. Kiernan#include <sys/namei.h>
9ce904dfSStephen J. Kiernan#include <sys/priv.h>
ed7b25daSStephen J. Kiernan#include <sys/proc.h>
ed7b25daSStephen J. Kiernan#include <sys/queue.h>
ed7b25daSStephen J. Kiernan#include <sys/vnode.h>
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan#include <security/mac_veriexec/mac_veriexec.h>
ed7b25daSStephen J. Kiernan#include <security/mac_veriexec/mac_veriexec_internal.h>
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan#include "veriexec_ioctl.h"
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan/*
ed7b25daSStephen J. Kiernan * We need a mutex while updating lists etc.
ed7b25daSStephen J. Kiernan */
ed7b25daSStephen J. Kiernanextern struct mtx ve_mutex;
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan/*
ed7b25daSStephen J. Kiernan * Handle the ioctl for the device
ed7b25daSStephen J. Kiernan */
ed7b25daSStephen J. Kiernanstatic int
ed7b25daSStephen J. Kiernanverifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
ed7b25daSStephen J. Kiernan    int flags, struct thread *td)
ed7b25daSStephen J. Kiernan{
ed7b25daSStephen J. Kiernan	struct nameidata nid;
ed7b25daSStephen J. Kiernan	struct vattr vattr;
94288674SStephen J. Kiernan	struct verified_exec_label_params *lparams;
bd4742c9SSteve Kiernan	struct verified_exec_params *params, params_;
ed7b25daSStephen J. Kiernan	int error = 0;
ed7b25daSStephen J. Kiernan
9ce904dfSStephen J. Kiernan	/*
9ce904dfSStephen J. Kiernan	 * These commands are considered safe requests for anyone who has
9ce904dfSStephen J. Kiernan	 * permission to access to device node.
9ce904dfSStephen J. Kiernan	 */
9ce904dfSStephen J. Kiernan	switch (cmd) {
9ce904dfSStephen J. Kiernan	case VERIEXEC_GETSTATE:
9ce904dfSStephen J. Kiernan		{
9ce904dfSStephen J. Kiernan			int *ip = (int *)data;
9ce904dfSStephen J. Kiernan
9ce904dfSStephen J. Kiernan			if (ip)
9ce904dfSStephen J. Kiernan				*ip = mac_veriexec_get_state();
9ce904dfSStephen J. Kiernan			else
9ce904dfSStephen J. Kiernan			    error = EINVAL;
9ce904dfSStephen J. Kiernan
9ce904dfSStephen J. Kiernan			return (error);
9ce904dfSStephen J. Kiernan		}
9ce904dfSStephen J. Kiernan		break;
9ce904dfSStephen J. Kiernan	default:
9ce904dfSStephen J. Kiernan		break;
9ce904dfSStephen J. Kiernan	}
9ce904dfSStephen J. Kiernan
9ce904dfSStephen J. Kiernan	/*
9ce904dfSStephen J. Kiernan	 * Anything beyond this point is considered dangerous, so we need to
9ce904dfSStephen J. Kiernan	 * only allow processes that have kmem write privs to do them.
9ce904dfSStephen J. Kiernan	 *
9ce904dfSStephen J. Kiernan	 * MAC/veriexec will grant kmem write privs to "trusted" processes.
9ce904dfSStephen J. Kiernan	 */
8512d82eSSteve Kiernan	error = priv_check(td, PRIV_VERIEXEC_CONTROL);
9ce904dfSStephen J. Kiernan	if (error)
9ce904dfSStephen J. Kiernan		return (error);
9ce904dfSStephen J. Kiernan
94288674SStephen J. Kiernan	lparams = (struct verified_exec_label_params *)data;
bd4742c9SSteve Kiernan	switch (cmd) {
bd4742c9SSteve Kiernan	case VERIEXEC_LABEL_LOAD:
94288674SStephen J. Kiernan		params = &lparams->params;
bd4742c9SSteve Kiernan		break;
bd4742c9SSteve Kiernan	case VERIEXEC_SIGNED_LOAD32:
bd4742c9SSteve Kiernan		params = &params_;
bd4742c9SSteve Kiernan		memcpy(params, data, sizeof(struct verified_exec_params32));
bd4742c9SSteve Kiernan		break;
bd4742c9SSteve Kiernan	default:
ed7b25daSStephen J. Kiernan		params = (struct verified_exec_params *)data;
bd4742c9SSteve Kiernan		break;
bd4742c9SSteve Kiernan	}
94288674SStephen J. Kiernan
ed7b25daSStephen J. Kiernan	switch (cmd) {
ed7b25daSStephen J. Kiernan	case VERIEXEC_ACTIVE:
ed7b25daSStephen J. Kiernan		mtx_lock(&ve_mutex);
ed7b25daSStephen J. Kiernan		if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
ed7b25daSStephen J. Kiernan			mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE);
ed7b25daSStephen J. Kiernan		else
ed7b25daSStephen J. Kiernan			error = EINVAL;
ed7b25daSStephen J. Kiernan		mtx_unlock(&ve_mutex);
ed7b25daSStephen J. Kiernan		break;
ed7b25daSStephen J. Kiernan	case VERIEXEC_DEBUG_ON:
ed7b25daSStephen J. Kiernan		mtx_lock(&ve_mutex);
ed7b25daSStephen J. Kiernan		{
ed7b25daSStephen J. Kiernan			int *ip = (int *)data;
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan			mac_veriexec_debug++;
ed7b25daSStephen J. Kiernan			if (ip) {
ed7b25daSStephen J. Kiernan				if (*ip > 0)
ed7b25daSStephen J. Kiernan					mac_veriexec_debug = *ip;
ed7b25daSStephen J. Kiernan				*ip = mac_veriexec_debug;
ed7b25daSStephen J. Kiernan			}
ed7b25daSStephen J. Kiernan		}
ed7b25daSStephen J. Kiernan		mtx_unlock(&ve_mutex);
ed7b25daSStephen J. Kiernan		break;
ed7b25daSStephen J. Kiernan	case VERIEXEC_DEBUG_OFF:
ed7b25daSStephen J. Kiernan		mac_veriexec_debug = 0;
ed7b25daSStephen J. Kiernan		break;
ed7b25daSStephen J. Kiernan	case VERIEXEC_ENFORCE:
ed7b25daSStephen J. Kiernan		mtx_lock(&ve_mutex);
ed7b25daSStephen J. Kiernan		if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
ed7b25daSStephen J. Kiernan			mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE |
ed7b25daSStephen J. Kiernan			    VERIEXEC_STATE_ENFORCE);
ed7b25daSStephen J. Kiernan		else
ed7b25daSStephen J. Kiernan			error = EINVAL;
ed7b25daSStephen J. Kiernan		mtx_unlock(&ve_mutex);
ed7b25daSStephen J. Kiernan		break;
910013c6SStephen J. Kiernan	case VERIEXEC_GETVERSION:
910013c6SStephen J. Kiernan		{
910013c6SStephen J. Kiernan			int *ip = (int *)data;
910013c6SStephen J. Kiernan
910013c6SStephen J. Kiernan			if (ip)
910013c6SStephen J. Kiernan				*ip = MAC_VERIEXEC_VERSION;
910013c6SStephen J. Kiernan			else
910013c6SStephen J. Kiernan				error = EINVAL;
910013c6SStephen J. Kiernan		}
910013c6SStephen J. Kiernan		break;
ed7b25daSStephen J. Kiernan	case VERIEXEC_LOCK:
ed7b25daSStephen J. Kiernan		mtx_lock(&ve_mutex);
ed7b25daSStephen J. Kiernan		mac_veriexec_set_state(VERIEXEC_STATE_LOCKED);
ed7b25daSStephen J. Kiernan		mtx_unlock(&ve_mutex);
ed7b25daSStephen J. Kiernan		break;
ed7b25daSStephen J. Kiernan	case VERIEXEC_LOAD:
ed7b25daSStephen J. Kiernan	    	if (prison0.pr_securelevel > 0)
ed7b25daSStephen J. Kiernan			return (EPERM);	/* no updates when secure */
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan		/* FALLTHROUGH */
94288674SStephen J. Kiernan	case VERIEXEC_LABEL_LOAD:
ed7b25daSStephen J. Kiernan	case VERIEXEC_SIGNED_LOAD:
ed7b25daSStephen J. Kiernan		/*
ed7b25daSStephen J. Kiernan		 * If we use a loader that will only use a
ed7b25daSStephen J. Kiernan		 * digitally signed hash list - which it verifies.
ed7b25daSStephen J. Kiernan		 * We can load fingerprints provided veriexec is not locked.
ed7b25daSStephen J. Kiernan		 */
ed7b25daSStephen J. Kiernan	    	if (prison0.pr_securelevel > 0 &&
ed7b25daSStephen J. Kiernan		    !mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) {
ed7b25daSStephen J. Kiernan			/*
ed7b25daSStephen J. Kiernan			 * If securelevel has been raised and we
ed7b25daSStephen J. Kiernan			 * do not have any fingerprints loaded,
ed7b25daSStephen J. Kiernan			 * it would dangerous to do so now.
ed7b25daSStephen J. Kiernan			 */
ed7b25daSStephen J. Kiernan			return (EPERM);
ed7b25daSStephen J. Kiernan		}
ed7b25daSStephen J. Kiernan		if (mac_veriexec_in_state(VERIEXEC_STATE_LOCKED))
ed7b25daSStephen J. Kiernan			error = EPERM;
ed7b25daSStephen J. Kiernan		else {
94288674SStephen J. Kiernan			size_t labellen = 0;
ed7b25daSStephen J. Kiernan			int flags = FREAD;
94288674SStephen J. Kiernan			int override = (cmd != VERIEXEC_LOAD);
ed7b25daSStephen J. Kiernan
bd4742c9SSteve Kiernan			if (params->flags & VERIEXEC_LABEL) {
bd4742c9SSteve Kiernan				labellen = strnlen(lparams->label,
bd4742c9SSteve Kiernan				    MAXLABELLEN) + 1;
bd4742c9SSteve Kiernan				if (labellen > MAXLABELLEN)
bd4742c9SSteve Kiernan					return (EINVAL);
bd4742c9SSteve Kiernan			}
bd4742c9SSteve Kiernan
ed7b25daSStephen J. Kiernan			/*
ed7b25daSStephen J. Kiernan			 * Get the attributes for the file name passed
ed7b25daSStephen J. Kiernan			 * stash the file's device id and inode number
ed7b25daSStephen J. Kiernan			 * along with it's fingerprint in a list for
ed7b25daSStephen J. Kiernan			 * exec to use later.
ed7b25daSStephen J. Kiernan			 */
ed7b25daSStephen J. Kiernan			/*
ed7b25daSStephen J. Kiernan			 * FreeBSD seems to copy the args to kernel space
ed7b25daSStephen J. Kiernan			 */
7e1d3eefSMateusz Guzik			NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, params->file);
ed7b25daSStephen J. Kiernan			if ((error = vn_open(&nid, &flags, 0, NULL)) != 0)
ed7b25daSStephen J. Kiernan				return (error);
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan			error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred);
ed7b25daSStephen J. Kiernan			if (error != 0) {
ed7b25daSStephen J. Kiernan				mac_veriexec_set_fingerprint_status(nid.ni_vp,
ed7b25daSStephen J. Kiernan				    FINGERPRINT_INVALID);
b249ce48SMateusz Guzik				VOP_UNLOCK(nid.ni_vp);
ed7b25daSStephen J. Kiernan				(void) vn_close(nid.ni_vp, FREAD, td->td_ucred,
ed7b25daSStephen J. Kiernan				    td);
ed7b25daSStephen J. Kiernan				return (error);
ed7b25daSStephen J. Kiernan			}
ed7b25daSStephen J. Kiernan			if (override) {
ed7b25daSStephen J. Kiernan				/*
ed7b25daSStephen J. Kiernan				 * If the file is on a "verified" filesystem
ed7b25daSStephen J. Kiernan				 * someone may be playing games.
ed7b25daSStephen J. Kiernan				 */
ed7b25daSStephen J. Kiernan				if ((nid.ni_vp->v_mount->mnt_flag &
ed7b25daSStephen J. Kiernan				    MNT_VERIFIED) != 0)
ed7b25daSStephen J. Kiernan					override = 0;
ed7b25daSStephen J. Kiernan			}
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan			/*
ed7b25daSStephen J. Kiernan			 * invalidate the node fingerprint status
ed7b25daSStephen J. Kiernan			 * which will have been set in the vn_open
ed7b25daSStephen J. Kiernan			 * and would always be FINGERPRINT_NOTFOUND
ed7b25daSStephen J. Kiernan			 */
ed7b25daSStephen J. Kiernan			mac_veriexec_set_fingerprint_status(nid.ni_vp,
ed7b25daSStephen J. Kiernan			    FINGERPRINT_INVALID);
b249ce48SMateusz Guzik			VOP_UNLOCK(nid.ni_vp);
ed7b25daSStephen J. Kiernan			(void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan			mtx_lock(&ve_mutex);
ed7b25daSStephen J. Kiernan			error = mac_veriexec_metadata_add_file(
ed7b25daSStephen J. Kiernan			    ((params->flags & VERIEXEC_FILE) != 0),
ed7b25daSStephen J. Kiernan			    vattr.va_fsid, vattr.va_fileid, vattr.va_gen,
94288674SStephen J. Kiernan			    params->fingerprint,
94288674SStephen J. Kiernan			    (params->flags & VERIEXEC_LABEL) ?
94288674SStephen J. Kiernan			    lparams->label : NULL, labellen,
94288674SStephen J. Kiernan			    params->flags, params->fp_type, override);
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan			mac_veriexec_set_state(VERIEXEC_STATE_LOADED);
ed7b25daSStephen J. Kiernan			mtx_unlock(&ve_mutex);
ed7b25daSStephen J. Kiernan		}
ed7b25daSStephen J. Kiernan		break;
ed7b25daSStephen J. Kiernan	default:
ed7b25daSStephen J. Kiernan		error = ENODEV;
ed7b25daSStephen J. Kiernan	}
ed7b25daSStephen J. Kiernan	return (error);
ed7b25daSStephen J. Kiernan}
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernanstruct cdevsw veriexec_cdevsw = {
ed7b25daSStephen J. Kiernan	.d_version =	D_VERSION,
ed7b25daSStephen J. Kiernan	.d_ioctl =	verifiedexecioctl,
ed7b25daSStephen J. Kiernan	.d_name =	"veriexec",
ed7b25daSStephen J. Kiernan};
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernanstatic void
ed7b25daSStephen J. Kiernanveriexec_drvinit(void *unused __unused)
ed7b25daSStephen J. Kiernan{
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. Kiernan	make_dev(&veriexec_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, "veriexec");
ed7b25daSStephen J. Kiernan}
ed7b25daSStephen J. Kiernan
ed7b25daSStephen J. KiernanSYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL);
fe8ce390SWojciech MacekMODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION,
fe8ce390SWojciech Macek    MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION);