/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2011, 2012, 2013, 2015, 2016, 2019, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef	_SECURITY_MAC_VERIEXEC_H
#define	_SECURITY_MAC_VERIEXEC_H

#include <sys/param.h>

#ifdef _KERNEL
#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/queue.h>
#include <sys/module.h>
#endif

/**
 * Name of the MAC module.  Presumably the policy name a user process passes
 * to mac_syscall(2) to reach the call selectors below -- confirm against the
 * syscall handler in mac_veriexec.c.
 */
#define	MAC_VERIEXEC_NAME	"mac_veriexec"

/*
 * MAC/veriexec syscalls: per-module call selectors.  The GET_PARAMS_* calls
 * take a struct mac_veriexec_syscall_params_args (defined below); what the
 * CHECK_* calls take as their argument is not visible in this header.
 */
#define	MAC_VERIEXEC_CHECK_FD_SYSCALL		1
#define	MAC_VERIEXEC_CHECK_PATH_SYSCALL		2
#define	MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL	3
#define	MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL	4

/*
 * Size of the fp_type buffer in struct mac_veriexec_syscall_params (the
 * hash algorithm name).  Whether the NUL terminator is counted is not stated
 * here, so bound every string operation on fp_type by this value.
 */
#define	VERIEXEC_FPTYPELEN	16	/* hash name */

/**
 * Enough room for the largest signature...  64 bytes holds a 512-bit digest.
 * Every fingerprint buffer declared in this header is this size, so a
 * fingerprint module's digest_len must not exceed it.
 */
#define MAXFINGERPRINTLEN	64	/* enough room for largest signature */
/* Size of the label buffer in struct mac_veriexec_syscall_params. */
#define MAXLABELLEN		128

/*
 * Types of veriexec inodes we can have.  These occupy distinct bit positions
 * and so may be OR'd together; if they are what the unsigned char flags
 * field of struct mac_veriexec_syscall_params carries, all six fit in it.
 */
#define VERIEXEC_INDIRECT	(1<<0)  /* Only allow indirect execution */
#define VERIEXEC_FILE		(1<<1)  /* Fingerprint of a plain file */
#define VERIEXEC_NOTRACE	(1<<2)	/**< PTRACE not allowed */
#define VERIEXEC_TRUSTED	(1<<3)	/**< Safe to write /dev/mem */
#define VERIEXEC_NOFIPS		(1<<4)	/**< Not allowed in FIPS mode */
#define VERIEXEC_LABEL		(1<<5)	/**< We have a label */

/*
 * Subsystem state bits.  INACTIVE is the all-clear value; the others occupy
 * distinct bits and so presumably combine (e.g. LOADED|ACTIVE|ENFORCE) --
 * confirm in the state-handling code.  LOCKED is the one that freezes the
 * configuration: once set, no further state changes are meant to be accepted.
 */
#define VERIEXEC_STATE_INACTIVE	0	/**< Ignore */
#define VERIEXEC_STATE_LOADED	(1<<0)	/**< Sigs have been loaded */
#define VERIEXEC_STATE_ACTIVE	(1<<1)	/**< Pay attention to it */
#define VERIEXEC_STATE_ENFORCE	(1<<2)	/**< Fail execs for files that do not
					     match signature */
#define VERIEXEC_STATE_LOCKED	(1<<3)	/**< Do not allow further changes */

/*
 * for MAC_VERIEXEC_GET_PARAMS_*_SYSCALL
 *
 * Handed back to the caller through the params pointer of
 * struct mac_veriexec_syscall_params_args, so its layout is part of the
 * user/kernel interface: do not reorder or resize fields without
 * considering existing consumers.
 */
struct mac_veriexec_syscall_params  {
	/* Hash algorithm name; bound by VERIEXEC_FPTYPELEN, NUL termination
	   is not guaranteed by anything in this header. */
	char fp_type[VERIEXEC_FPTYPELEN];
	/* Raw digest bytes; the number of valid bytes presumably matches the
	   digest_len of the fpops selected by fp_type -- confirm. */
	unsigned char fingerprint[MAXFINGERPRINTLEN];
	/* Label bytes; see labellen. */
	char label[MAXLABELLEN];
	/* Number of valid bytes in label.  NOTE(review): consumers should
	   check labellen <= MAXLABELLEN and not assume label is
	   NUL-terminated -- confirm against the producer. */
	size_t labellen;
	/* Presumably the VERIEXEC_* bits recorded for the file -- confirm. */
	unsigned char flags;
};

/*
 * Argument block for the MAC_VERIEXEC_GET_PARAMS_*_SYSCALL calls.
 *
 * NOTE(review): when this arrives through a syscall, both u.filename and
 * params are presumably user-space addresses; the handler must copy them
 * in/out with bounds checks rather than dereference them directly -- confirm
 * in the syscall code, which is outside this header.
 */
struct mac_veriexec_syscall_params_args {
	union {
		pid_t pid;		/* presumably for the _PID_ call */
		const char *filename;	/* presumably for the _PATH_ call */
	} u;				/* input only */
	struct mac_veriexec_syscall_params *params; /* result */
};

#ifdef _KERNEL
/**
 * Version of the MAC/veriexec module.  Also used as the minimum, preferred
 * and maximum dependency version in MAC_VERIEXEC_FPMOD (MODULE_DEPEND), so
 * fingerprint modules only load against a core of exactly this version.
 */
#define	MAC_VERIEXEC_VERSION	2

/*
 * Valid states for the fingerprint flag - if signed exec is being used.
 * Outcome of evaluating a file's fingerprint against the loaded list.
 * Compare against the named constants; nothing here states that the
 * numeric order is meaningful.
 */
typedef enum fingerprint_status {
	FINGERPRINT_INVALID,	/**< Fingerprint has not been evaluated */
	FINGERPRINT_VALID,	/**< Fingerprint evaluated and matches list */
	FINGERPRINT_INDIRECT,	/**< Fingerprint eval'd/matched but only
				     indirect execs allowed */
	FINGERPRINT_FILE,	/**< Fingerprint evaluated/matched but
				     not executable */
	FINGERPRINT_NOMATCH,	/**< Fingerprint evaluated but does not match */
	FINGERPRINT_NOENTRY,	/**< Fingerprint evaluated but no list entry */
	FINGERPRINT_NODEV,	/**< Fingerprint evaluated but no dev list */
} fingerprint_status_t;

/*
 * Digest operation callbacks supplied by a fingerprint module.  The void *
 * argument is the module's context (context_size bytes in
 * struct mac_veriexec_fpops).
 */
/* init(ctx): prepare a fresh context. */
typedef void (*mac_veriexec_fpop_init_t)(void *);
/* update(ctx, data, len): absorb len bytes of data. */
typedef void (*mac_veriexec_fpop_update_t)(void *, const uint8_t *, size_t);
/* final(digest, ctx): write the digest; NOTE(review): the caller presumably
   provides at least digest_len (<= MAXFINGERPRINTLEN) bytes -- confirm. */
typedef void (*mac_veriexec_fpop_final_t)(uint8_t *, void *);

/*
 * Descriptor for one fingerprint (digest) algorithm, registered by a
 * fingerprint module via MAC_VERIEXEC_FPMOD and kept on a list by the core.
 */
struct mac_veriexec_fpops {
	const char *type;		/* algorithm name (the stringified module name) */
	size_t digest_len;		/* bytes written by final; must not exceed MAXFINGERPRINTLEN */
	size_t context_size;		/* bytes the core must provide for the context */
	mac_veriexec_fpop_init_t init;
	mac_veriexec_fpop_update_t update;
	mac_veriexec_fpop_final_t final;
	LIST_ENTRY(mac_veriexec_fpops) entries;	/* core's registration list linkage */
};

/**
 * Verified execution subsystem debugging level.  Presumably higher values
 * are more verbose; how it is set is not visible in this header.
 */
extern int	mac_veriexec_debug;

/**
 * @brief Define a fingerprint module.
 *
 * Expands to file-scope definitions (the fpops table, a moduledata_t and the
 * MODULE_VERSION/DECLARE_MODULE/MODULE_DEPEND boilerplate), so it must be
 * used at file scope, once per module.  _name is token-pasted and
 * stringified, so it must be a plain identifier; the stringified form becomes
 * the fpops .type and the "mac_veriexec/<name>" module name.
 *
 * @param _name		Name of the fingerprint module
 * @param _digest_len	Length of the digest written by _final, in bytes.
 * 			Must not exceed MAXFINGERPRINTLEN, the size of every
 * 			fingerprint buffer declared in this header.
 * 			NOTE(review): whether the core validates this or
 * 			trusts the module is not visible here -- confirm.
 * @param _context_size	Size of the context structure, in bytes
 * @param _init		Initialization function of type
 * 			mac_veriexec_fpop_init_t
 * @param _update	Update function of type mac_veriexec_fpop_update_t
 * @param _final	Finalize function of type mac_veriexec_fpop_final_t
 * @param _vers		Module version
 */
#define MAC_VERIEXEC_FPMOD(_name, _digest_len, _context_size, _init,	\
	    _update, _final, _vers)					\
	static struct mac_veriexec_fpops				\
	    mac_veriexec_##_name##_fpops = {				\
		.type = #_name,						\
		.digest_len = _digest_len,				\
		.context_size = _context_size,				\
		.init = _init,						\
		.update = _update,					\
		.final = _final,					\
	};								\
	static moduledata_t mac_veriexec_##_name##_mod = {		\
		"mac_veriexec/" #_name,					\
		mac_veriexec_fingerprint_modevent,			\
		&(mac_veriexec_##_name##_fpops)				\
	};								\
	MODULE_VERSION(mac_veriexec_##_name, _vers);			\
	DECLARE_MODULE(mac_veriexec_##_name,				\
	    mac_veriexec_##_name##_mod, SI_SUB_MAC_POLICY,		\
	    SI_ORDER_ANY);						\
	MODULE_DEPEND(mac_veriexec_##_name, mac_veriexec,		\
	    MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION,			\
	    MAC_VERIEXEC_VERSION)

/*
 * The following function should not be called directly. The prototype is
 * included here to satisfy the compiler when using the macro above.
 * MAC_VERIEXEC_FPMOD installs it as the module event handler with the
 * module's struct mac_veriexec_fpops as the data argument.
 */
int	mac_veriexec_fingerprint_modevent(module_t mod, int type, void *data);

/*
 * Public functions
 */
/*
 * Record (or, with override set, presumably replace) the fingerprint entry
 * for the file identified by fsid/fileid/gen.
 *
 * The fingerprint parameter is an array parameter and so decays to a
 * pointer: the compiler does not enforce its size, so callers must supply at
 * least MAXFINGERPRINTLEN bytes.  flags presumably carries VERIEXEC_* bits
 * and fp_type names the digest algorithm; what the int return encodes is not
 * visible in this header -- confirm in the definition.
 */
int	mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid, 
	    unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN], 
	    char *label, size_t labellen, int flags, const char *fp_type,
	    int override);
/*
 * Look up the label recorded for fsid/fileid/gen.  The returned pointer's
 * ownership and lifetime are not stated here; treat it as borrowed and
 * read-only -- confirm in the definition.
 */
const char *mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
	    unsigned long gen, int check_files);
/*
 * Report whether an entry exists for fsid/fileid/gen; the int return
 * presumably is a boolean -- confirm.
 */
int	mac_veriexec_metadata_has_file(dev_t fsid, long fileid, 
	    unsigned long gen);
/*
 * Report whether process p (under credential cred) counts as trusted;
 * the exact criteria live in the definition, not here.
 */
int	mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
#endif

#endif	/* _SECURITY_MAC_VERIEXEC_H */