1 /* 2 * $FreeBSD$ 3 * 4 * Copyright (c) 2011-2023, Juniper Networks, Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/buf.h> 33 #include <sys/conf.h> 34 #include <sys/errno.h> 35 #include <sys/fcntl.h> 36 #include <sys/file.h> 37 #include <sys/filedesc.h> 38 #include <sys/ioccom.h> 39 #include <sys/jail.h> 40 #include <sys/kernel.h> 41 #include <sys/lock.h> 42 #include <sys/malloc.h> 43 #include <sys/mdioctl.h> 44 #include <sys/mount.h> 45 #include <sys/mutex.h> 46 #include <sys/namei.h> 47 #include <sys/priv.h> 48 #include <sys/proc.h> 49 #include <sys/queue.h> 50 #include <sys/vnode.h> 51 52 #include <security/mac_veriexec/mac_veriexec.h> 53 #include <security/mac_veriexec/mac_veriexec_internal.h> 54 55 #include "veriexec_ioctl.h" 56 57 /* 58 * We need a mutex while updating lists etc. 59 */ 60 extern struct mtx ve_mutex; 61 62 /* 63 * Handle the ioctl for the device 64 */ 65 static int 66 verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, 67 int flags, struct thread *td) 68 { 69 struct nameidata nid; 70 struct vattr vattr; 71 struct verified_exec_label_params *lparams; 72 struct verified_exec_params *params, params_; 73 int error = 0; 74 75 /* 76 * These commands are considered safe requests for anyone who has 77 * permission to access to device node. 78 */ 79 switch (cmd) { 80 case VERIEXEC_GETSTATE: 81 { 82 int *ip = (int *)data; 83 84 if (ip) 85 *ip = mac_veriexec_get_state(); 86 else 87 error = EINVAL; 88 89 return (error); 90 } 91 break; 92 default: 93 break; 94 } 95 96 /* 97 * Anything beyond this point is considered dangerous, so we need to 98 * only allow processes that have kmem write privs to do them. 99 * 100 * MAC/veriexec will grant kmem write privs to "trusted" processes. 101 */ 102 error = priv_check(td, PRIV_VERIEXEC_CONTROL); 103 if (error) 104 return (error); 105 106 lparams = (struct verified_exec_label_params *)data; 107 switch (cmd) { 108 case VERIEXEC_LABEL_LOAD: 109 params = &lparams->params; 110 break; 111 case VERIEXEC_SIGNED_LOAD32: 112 params = ¶ms_; 113 memcpy(params, data, sizeof(struct verified_exec_params32)); 114 break; 115 default: 116 params = (struct verified_exec_params *)data; 117 break; 118 } 119 120 switch (cmd) { 121 case VERIEXEC_ACTIVE: 122 mtx_lock(&ve_mutex); 123 if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) 124 mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE); 125 else 126 error = EINVAL; 127 mtx_unlock(&ve_mutex); 128 break; 129 case VERIEXEC_DEBUG_ON: 130 mtx_lock(&ve_mutex); 131 { 132 int *ip = (int *)data; 133 134 mac_veriexec_debug++; 135 if (ip) { 136 if (*ip > 0) 137 mac_veriexec_debug = *ip; 138 *ip = mac_veriexec_debug; 139 } 140 } 141 mtx_unlock(&ve_mutex); 142 break; 143 case VERIEXEC_DEBUG_OFF: 144 mac_veriexec_debug = 0; 145 break; 146 case VERIEXEC_ENFORCE: 147 mtx_lock(&ve_mutex); 148 if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) 149 mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE | 150 VERIEXEC_STATE_ENFORCE); 151 else 152 error = EINVAL; 153 mtx_unlock(&ve_mutex); 154 break; 155 case VERIEXEC_GETVERSION: 156 { 157 int *ip = (int *)data; 158 159 if (ip) 160 *ip = MAC_VERIEXEC_VERSION; 161 else 162 error = EINVAL; 163 } 164 break; 165 case VERIEXEC_LOCK: 166 mtx_lock(&ve_mutex); 167 mac_veriexec_set_state(VERIEXEC_STATE_LOCKED); 168 mtx_unlock(&ve_mutex); 169 break; 170 case VERIEXEC_LOAD: 171 if (prison0.pr_securelevel > 0) 172 return (EPERM); /* no updates when secure */ 173 174 /* FALLTHROUGH */ 175 case VERIEXEC_LABEL_LOAD: 176 case VERIEXEC_SIGNED_LOAD: 177 /* 178 * If we use a loader that will only use a 179 * digitally signed hash list - which it verifies. 180 * We can load fingerprints provided veriexec is not locked. 181 */ 182 if (prison0.pr_securelevel > 0 && 183 !mac_veriexec_in_state(VERIEXEC_STATE_LOADED)) { 184 /* 185 * If securelevel has been raised and we 186 * do not have any fingerprints loaded, 187 * it would dangerous to do so now. 188 */ 189 return (EPERM); 190 } 191 if (mac_veriexec_in_state(VERIEXEC_STATE_LOCKED)) 192 error = EPERM; 193 else { 194 size_t labellen = 0; 195 int flags = FREAD; 196 int override = (cmd != VERIEXEC_LOAD); 197 198 if (params->flags & VERIEXEC_LABEL) { 199 labellen = strnlen(lparams->label, 200 MAXLABELLEN) + 1; 201 if (labellen > MAXLABELLEN) 202 return (EINVAL); 203 } 204 205 /* 206 * Get the attributes for the file name passed 207 * stash the file's device id and inode number 208 * along with it's fingerprint in a list for 209 * exec to use later. 210 */ 211 /* 212 * FreeBSD seems to copy the args to kernel space 213 */ 214 NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, params->file); 215 if ((error = vn_open(&nid, &flags, 0, NULL)) != 0) 216 return (error); 217 218 error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred); 219 if (error != 0) { 220 mac_veriexec_set_fingerprint_status(nid.ni_vp, 221 FINGERPRINT_INVALID); 222 VOP_UNLOCK(nid.ni_vp); 223 (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, 224 td); 225 return (error); 226 } 227 if (override) { 228 /* 229 * If the file is on a "verified" filesystem 230 * someone may be playing games. 231 */ 232 if ((nid.ni_vp->v_mount->mnt_flag & 233 MNT_VERIFIED) != 0) 234 override = 0; 235 } 236 237 /* 238 * invalidate the node fingerprint status 239 * which will have been set in the vn_open 240 * and would always be FINGERPRINT_NOTFOUND 241 */ 242 mac_veriexec_set_fingerprint_status(nid.ni_vp, 243 FINGERPRINT_INVALID); 244 VOP_UNLOCK(nid.ni_vp); 245 (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td); 246 247 mtx_lock(&ve_mutex); 248 error = mac_veriexec_metadata_add_file( 249 ((params->flags & VERIEXEC_FILE) != 0), 250 vattr.va_fsid, vattr.va_fileid, vattr.va_gen, 251 params->fingerprint, 252 (params->flags & VERIEXEC_LABEL) ? 253 lparams->label : NULL, labellen, 254 params->flags, params->fp_type, override); 255 256 mac_veriexec_set_state(VERIEXEC_STATE_LOADED); 257 mtx_unlock(&ve_mutex); 258 } 259 break; 260 default: 261 error = ENODEV; 262 } 263 return (error); 264 } 265 266 struct cdevsw veriexec_cdevsw = { 267 .d_version = D_VERSION, 268 .d_ioctl = verifiedexecioctl, 269 .d_name = "veriexec", 270 }; 271 272 static void 273 veriexec_drvinit(void *unused __unused) 274 { 275 276 make_dev(&veriexec_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, "veriexec"); 277 } 278 279 SYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL); 280 MODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION, 281 MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION); 282