D36506.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D36506.diff
View Options

	diff --git a/sbin/veriexec/veriexec.c b/sbin/veriexec/veriexec.c
	--- a/sbin/veriexec/veriexec.c
	+++ b/sbin/veriexec/veriexec.c
	@@ -53,7 +53,9 @@
	veriexec_usage()
	{
	printf("%s",
	- "Usage:\tveriexec [-h] [-i state] [-C] [-xv state\|verbosity] [path]\n");
	+ "Usage:\tveriexec [-h] [-i state] [-C path] [-S] [-v] [-z state] [path]\n"
	+ "\t\tveriexec -x path...\n"
	+ "\t\tveriexec -l path\n");

	return (0);
	}
	@@ -148,7 +150,7 @@

	dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);

	- while ((c = getopt(argc, argv, "hC:i:Sxvz:")) != -1) {
	+ while ((c = getopt(argc, argv, "hC:i:Sxvz:l:")) != -1) {
	switch (c) {
	case 'h':
	/* Print usage info */
	@@ -159,6 +161,21 @@

	Cdir = optarg;
	break;
	+ case 'l':
	+ {
	+ if (dev_fd < 0) {
	+ err(EX_UNAVAILABLE, "cannot open veriexec");
	+ }
	+ struct verified_exec_label lbl = { 0 };
	+ if (realpath(optarg, lbl.file) == NULL) {
	+ err(EX_NOINPUT, "cannot resolve file");
	+ }
	+ if (ioctl(dev_fd, VERIEXEC_GETLABEL, &lbl)) {
	+ err(EX_UNAVAILABLE, "Cannot get veriexec label");
	+ }
	+ printf("%s\n", lbl.label);
	+ return (0);
	+ }
	case 'i':
	/* Query the current state */

	diff --git a/sys/dev/veriexec/veriexec_ioctl.h b/sys/dev/veriexec/veriexec_ioctl.h
	--- a/sys/dev/veriexec/veriexec_ioctl.h
	+++ b/sys/dev/veriexec/veriexec_ioctl.h
	@@ -51,6 +51,11 @@
	char label[MAXLABELLEN];
	};

	+struct verified_exec_label {
	+ char file[MAXPATHLEN];
	+ char label[MAXLABELLEN];
	+};
	+
	#define VERIEXEC_LOAD _IOW('S', 0x1, struct verified_exec_params)
	#define VERIEXEC_ACTIVE _IO('S', 0x2) /* start checking */
	#define VERIEXEC_ENFORCE _IO('S', 0x3) /* fail exec */
	@@ -61,6 +66,7 @@
	#define VERIEXEC_SIGNED_LOAD _IOW('S', 0x8, struct verified_exec_params)
	#define VERIEXEC_GETVERSION _IOR('S', 0x9, int) /* get version */
	#define VERIEXEC_LABEL_LOAD _IOW('S', 0xa, struct verified_exec_label_params)
	+#define VERIEXEC_GETLABEL _IOWR('S', 0xb, struct verified_exec_label) /* get label */

	#define _PATH_DEV_VERIEXEC _PATH_DEV "veriexec"

	diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c
	--- a/sys/dev/veriexec/verified_exec.c
	+++ b/sys/dev/veriexec/verified_exec.c
	@@ -89,6 +89,39 @@
	return (error);
	}
	break;
	+ case VERIEXEC_GETLABEL:
	+ {
	+ struct verified_exec_label getlabel = (struct verified_exec_label)data;
	+ int flags = FREAD;
	+ /*
	+ * Get the attributes for the file name passed
	+ * stash the file's device id and inode number
	+ * along with it's fingerprint in a list for
	+ * exec to use later.
	+ */
	+ NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE,
	+ getlabel->file, td);
	+ if ((error = vn_open(&nid, &flags, 0, NULL)) != 0)
	+ return (error);
	+
	+ error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred);
	+
	+ VOP_UNLOCK(nid.ni_vp, 0);
	+ (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
	+
	+ if (error != 0)
	+ return (error);
	+
	+ mtx_lock(&ve_mutex);
	+ if (!mac_veriexec_metadata_copy_label(vattr.va_fsid, vattr.va_fileid,
	+ vattr.va_gen, getlabel->label, sizeof(getlabel->label)))
	+ {
	+ error = EAUTH;
	+ }
	+ mtx_unlock(&ve_mutex);
	+ return (error);
	+ }
	+ break;
	default:
	break;
	}
	diff --git a/sys/security/mac_veriexec/mac_veriexec.h b/sys/security/mac_veriexec/mac_veriexec.h
	--- a/sys/security/mac_veriexec/mac_veriexec.h
	+++ b/sys/security/mac_veriexec/mac_veriexec.h
	@@ -157,6 +157,8 @@
	int override);
	int mac_veriexec_metadata_has_file(dev_t fsid, long fileid,
	unsigned long gen);
	+int mac_veriexec_metadata_copy_label(dev_t fsid, long fileid,
	+ unsigned long gen, char* label_buf, size_t buf_size);
	int mac_veriexec_proc_is_trusted(struct ucred cred, struct proc p);
	#endif

	diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
	--- a/sys/security/mac_veriexec/veriexec_metadata.c
	+++ b/sys/security/mac_veriexec/veriexec_metadata.c
	@@ -233,6 +233,38 @@
	return (mac_veriexec_metadata_get_file_info(fsid, fileid, gen, NULL,
	VERIEXEC_FILES_FIRST) != NULL);
	}
	+/**
	+ * @brief Copies the label associated with a file.
	+ *
	+ * @param fsid file system identifier to look for
	+ * @param fileid file to look for
	+ * @param gen generation of file
	+ * @param label_buf label output buffer
	+ * @param buf_size buffer size
	+ *
	+ * @return 1 if there is an entry in the meta-data store, 0 otherwise.
	+ */
	+int
	+mac_veriexec_metadata_copy_label(dev_t fsid, long fileid,
	+ unsigned long gen, char* label_buf, size_t buf_size)
	+{
	+ struct mac_veriexec_file_info *ip = NULL;
	+
	+ if (!label_buf \|\| buf_size == 0)
	+ return (0);
	+
	+ ip = mac_veriexec_metadata_get_file_info(fsid, fileid, gen, NULL,
	+ VERIEXEC_FILES_FIRST);
	+ if (!ip)
	+ return (0);
	+
	+ if (!ip->label)
	+ *label_buf = '\0';
	+ else
	+ strlcpy(label_buf, ip->label, buf_size);
	+
	+ return (1);
	+}

	/**
	* @brief Search the list of devices looking for the one given, in order to

File Metadata

Mime Type: text/plain
Expires: Wed, Feb 5, 8:54 PM (20 h, 49 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 16480690
Default Alt Text: D36506.diff (4 KB)

D36506.diffNo OneTemporaryActions

D36506.diffView Options

File Metadata

Event Timeline

D36506.diff
No OneTemporary
Actions

D36506.diff
View Options