Page MenuHomeFreeBSD
Differential D33246

Improve parameters handling in veriexec
ClosedPublic
Actions

Authored by hum_semihalf.com on Dec 3 2021, 10:05 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 14, 5:52 AM
Unknown Object (File)
Mon, Nov 11, 2:24 PM
Unknown Object (File)
Oct 15 2024, 5:26 PM
Unknown Object (File)
Sep 25 2024, 8:21 AM
Unknown Object (File)
Sep 24 2024, 4:04 PM
Unknown Object (File)
Sep 20 2024, 10:23 PM
Unknown Object (File)
Sep 16 2024, 12:54 PM
Unknown Object (File)
Sep 9 2024, 2:27 AM
View All Files
Subscribers
dab
sebastien.bini_stormshield.eu
stephane.rochoy_stormshield.eu

Details

Reviewers
mw
kd
imp
sjg
wma
sebastien.bini_stormshield.eu
Commits
rGe2e6c643408f: Improve parameters handling in veriexec
rGb439f64ac1b9: Improve parameters handling in veriexec
Summary

Provide more robust parameter parsing in veriexec. Do a little cleanup as well.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

wma created this revision.Dec 3 2021, 10:05 AM
Herald added a subscriber: dab. · View Herald TranscriptDec 3 2021, 10:05 AM
wma requested review of this revision.Dec 3 2021, 10:05 AM
wma updated this revision to Diff 102442.Feb 7 2022, 10:32 AM

Rebased version.

wma added a reviewer: sjg.Feb 7 2022, 10:36 AM
sjg added inline comments.Feb 7 2022, 4:09 PM
sbin/veriexec/veriexec.c
48

Can you please use the @brief format

94

This would break all our usage of veriexec for past 15+ years.
There is no need to pass more arg than is sufficient to be unambiguous.
So 'a' is sufficient. 'e' is sufficient etc.

199

again the requirement to fully spell out debug vs 'd' is a step backwards.

stephane.rochoy_stormshield.eu added a subscriber: stephane.rochoy_stormshield.eu.Feb 14 2022, 3:31 PM
stephane.rochoy_stormshield.eu added inline comments.
sbin/veriexec/veriexec.c
94

Well, veriexec(8) do not document it as the expected usage:

The possible states are:

loaded   set automatically when first manifest has been loaded.
active   mac_veriexec(4) will begin checking files.  This state can only be entered from the loaded state.
enforce  mac_veriexec(4) will fail attempts to exec(2) or open(2) files with O_VERIFY unless verified.
locked   prevent loading of any more manifests.

And, to be honest, this behavior is quite surprising (for example, mtree(8) wants keywords, not keyword-abbreviations) that's why we felt it would need to be adjusted. Could we agree on something in-between like strcmp(arg_text, "a") == 0 || strcmp(arg_text, "active") == 0 (and adjust the man accordingly)?

sebastien.bini_stormshield.eu added a subscriber: sebastien.bini_stormshield.eu.Feb 14 2022, 3:44 PM
sjg added inline comments.Feb 14 2022, 7:01 PM
sbin/veriexec/veriexec.c
94

I'm happy to update the man page to explain that a non-ambiguous prefix match is sufficient.

Note strcmp would never be a suitable method of matching, if more than a single character is needed, then strncmp would be useful eg.

if (strncmp("active", arg_text, strlen(arg_text) == 0)
sebastien.bini_stormshield.eu added inline comments.Feb 15 2022, 8:46 AM
sbin/veriexec/veriexec.c
94

I believe this parameter parsing should be improved:

  • veriexec -i a && veriexec -i active && veriexec -i alphonse all resolve to the same status. "alphonse" is not even a prefix of "activate".
  • in today's code, "lock" resolves to "locked", but "loc" (which is an unambiguous prefix of "locked") resolved to "loaded".

Personally I find the unambiguous prefix matching a bit overkill for such a small program. I suggest the following: each status can be matched either by a long string ("activate", "locked") or a shortcut string ("a" for "activate", "lock" for "locked", etc...).

sjg added inline comments.Feb 15 2022, 6:39 PM
sbin/veriexec/veriexec.c
94

FWIW the 'locked' state is something we have never used, it is a hold over from the original NetBSD implementation which relied on manifests loaded during single user and then state locked - the only way to update was to reboot.
Using signed manifests allowed for much greater flexibility.

The use of strncmp as I described earlier is a simple way to allow better matching without breaking backwards compatability.

163

ie. current state Is?

hum_semihalf.com commandeered this revision.May 4 2022, 8:54 AM
hum_semihalf.com added a reviewer: wma.
hum_semihalf.com updated this revision to Diff 105668.May 4 2022, 11:52 AM
hum_semihalf.com set the repository for this revision to rG FreeBSD src repository.

Match args with shortest prefix. Add help message and prevent from running with invalid path.

sjg accepted this revision.May 6 2022, 4:12 PM

One style nit, but otherwise looks ok

sbin/veriexec/veriexec.c
248

space before (

This revision is now accepted and ready to land.May 6 2022, 4:12 PM
hum_semihalf.com updated this revision to Diff 105779.May 9 2022, 7:50 AM

Fix style issues.

This revision now requires review to proceed.May 9 2022, 7:50 AM
sjg accepted this revision.May 13 2022, 6:00 PM
This revision is now accepted and ready to land.May 13 2022, 6:00 PM
hum_semihalf.com updated this revision to Diff 106032.May 16 2022, 5:24 AM

Rebase the revision.

This revision now requires review to proceed.May 16 2022, 5:24 AM
sebastien.bini_stormshield.eu added inline comments.May 16 2022, 8:20 AM
sbin/veriexec/veriexec.c
101–104

"l" and "lo" resolve to "loaded" while it should yield an error.

hum_semihalf.com updated this revision to Diff 106091.May 17 2022, 7:10 AM

Add a simple check for the argument whether it matches only one option. In case of ambiguity return an error.

sebastien.bini_stormshield.eu accepted this revision.May 17 2022, 7:34 AM

Looks good, thanks!

This revision is now accepted and ready to land.May 17 2022, 7:34 AM
Closed by commit rGb439f64ac1b9: Improve parameters handling in veriexec (authored by hum_semihalf.com, committed by wma). · Explain WhyJun 29 2022, 8:57 AM
This revision was automatically updated to reflect the committed changes.
wma added a commit: rGb439f64ac1b9: Improve parameters handling in veriexec.
sebastien.bini_stormshield.eu mentioned this in D36477: veriexec: fixed usage and getopt issue on armv6.Sep 7 2022, 8:12 AM
gbe added a commit: rGe2e6c643408f: Improve parameters handling in veriexec.Apr 14 2023, 5:15 AM

Revision Contents
Changeset List

PathSize
sbin/
veriexec/
210 lines

Diff 107539

View Options

sbin/veriexec/veriexec.c

Loading...