Date:      Wed, 08 Aug 2012 11:45:44 +0000
From:      gpf@FreeBSD.org
To:        svn-soc-all@FreeBSD.org
Subject:   socsvn commit: r240189 - in soc2012/gpf: pefs_head/head/sys/kern pefs_kmod/sys/fs/pefs pefs_kmod/sys/modules/pefs
Message-ID:  <20120808114544.C5326106566B@hub.freebsd.org>

Author: gpf
Date: Wed Aug  8 11:45:43 2012
New Revision: 240189
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240189

Log:
  Move kern_exec.c hack to a proper pefs MAC policy.
  
  The problem is that now, the script file is itself checked for the schg flag.
  
  More on that can be found on the gigantic comment header in pefs_mac.c
  

Added:
  soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_mac.c
Modified:
  soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c
  soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_checksum.c
  soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vfsops.c
  soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile

Modified: soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c
==============================================================================
--- soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c	Wed Aug  8 09:42:44 2012	(r240188)
+++ soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c	Wed Aug  8 11:45:43 2012	(r240189)
@@ -548,21 +548,21 @@
 		goto interpret;
 	}
 
-	{
-		/* XXXgpf: [TODO] place this in a MAC hook */
-		int enabled, rval;
-		size_t enabled_len;
-
-		rval = kernel_sysctlbyname(td, "vfs.pefs.exec.enable",
-					&enabled, &enabled_len, NULL, 0, NULL, 0);
-
-		if (rval == 0 && enabled != 0) {
-			if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) {
-				error = EPERM;
-				goto exec_fail_dealloc;
-			}
-		}
-	}
+	//{
+		///* XXXgpf: [TODO] place this in a MAC hook */
+		//int enabled, rval;
+		//size_t enabled_len;
+
+		//rval = kernel_sysctlbyname(td, "vfs.pefs.exec.enable",
+					//&enabled, &enabled_len, NULL, 0, NULL, 0);
+
+		//if (rval == 0 && enabled != 0) {
+			//if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) {
+				//error = EPERM;
+				//goto exec_fail_dealloc;
+			//}
+		//}
+	//}
 
 	/*
 	 * NB: We unlock the vnode here because it is believed that none
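Review bot: The old schg check is left behind as a `//`-commented block instead of being deleted, which leaves a dead copy of a security check in kern_exec.c that can drift from the real one in pefs_mac.c. The revision history already preserves the old code, so the fifteen `+	//…` lines can simply be dropped. With the inline check gone, enforcement presumably depends on the MAC framework being compiled in and the pefs module being loaded, so a one-line comment at this spot such as `/* pefs exec protection now lives in the pefs MAC policy (pefs_mac.c) */` would tell the reader where it went. The enclosing function starts and ends outside this hunk.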

Modified: soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_checksum.c
==============================================================================
--- soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_checksum.c	Wed Aug  8 09:42:44 2012	(r240188)
+++ soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_checksum.c	Wed Aug  8 11:45:43 2012	(r240189)
@@ -319,7 +319,7 @@
 		dig = malloc(*digest_len, M_TEMP, M_WAITOK);
 		/*
 		 * XXXgpf: Does this interface work for any length input?
-		 * Also, I should either use a different interface or store the
+		 * [TODO] Also, I should either use a different interface or store the
 		 * checksums in hex during .pefs.checksum creation because turning
 		 * them to hex at this point every single time we have a read is
 		 * just silly.

Added: soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_mac.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_mac.c	Wed Aug  8 11:45:43 2012	(r240189)
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2012 Efstratios Karatzas
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/dirent.h>
+#include <sys/module.h>
+#include <sys/mount.h>
+#include <sys/sysctl.h>
+#include <sys/stat.h>
+#include <sys/vnode.h>
+#include <sys/imgact.h>
+
+#include <fs/pefs/pefs.h>
+
+#include <security/mac/mac_policy.h>
+
+/*
+ * XXXgpf:
+ * The problem with this MAC hook is that the hook is called before
+ * do_execve() checks if our executable requires an interpreter.
+ * Therefore, the script file will itself be checked for the schg flag.
+ * 
+ * We could:
+ * 
+ * a) allow this because it's a feature! During development of a script,
+ * user will have to pass it as an argument to the interpreter and when it's 
+ * complete, continue calling it like that or add the schg flag.
+ * 
+ * b) add a brand new MAC hook that will be called at the precise point
+ * in do_execve() where only the interpreter or the regular executable 
+ * will be checked for the schg flag. [don't seem the other devs will go
+ * for us modying MAC framework though]
+ * 
+ * c) duplicate code from do_execve() and perform the check ourselves. It 
+ * could be done I guess but I'm not sure since image activators seem to have
+ * their own custom functions that are called in order to figure out whether
+ * the interpreted flag should be turned on. Don't know how much they are
+ * allowed to tamper with imgp, besides that flag.
+ * 
+ */
+static int
+pefs_vnode_check_exec(struct ucred *cred, struct vnode *vp,
+	struct label *vplabel, struct image_params *imgp,
+	struct label *execlabel)
+{
+	int enabled, rval;
+	size_t enabled_len;
+
+	rval = kernel_sysctlbyname(curthread, "vfs.pefs.exec.enable",
+				&enabled, &enabled_len, NULL, 0, NULL, 0);
+
+	if (rval == 0 && enabled != 0) {
+		if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) {
+			return (EPERM);
+		}
+	}
+
+	return (0);
+}
+
+static struct mac_policy_ops pefs_ops =
+{
+	.mpo_vnode_check_exec = pefs_vnode_check_exec,
+};
+
+MAC_POLICY_SET(&pefs_ops, mac_pefs, "pefs exec protection",
+	MPC_LOADTIME_FLAG_UNLOADOK, NULL);
+
+/* XXXgpf: declare our debugging sysctl for kern_exec.c */
+SYSCTL_NODE(_vfs_pefs, OID_AUTO, exec, CTLFLAG_RW, 0,
+		"PEFS kern_exec.c stuff");
+
+int	pefs_exec_enable = 0;
+SYSCTL_INT(_vfs_pefs_exec, OID_AUTO, enable, CTLFLAG_RW,
+		&pefs_exec_enable, 0, "Enable exec protection");
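Review bot: In pefs_vnode_check_exec, `enabled_len` is passed to kernel_sysctlbyname() uninitialised, and the hook permits the exec whenever that call returns non-zero, so the policy fails open on any lookup error. As far as I recall kernel_sysctl() reads `*oldlenp` as the size of the output buffer, so stack garbage there can make the call fail, or claim a buffer larger than `enabled`, on any given exec. Since `pefs_exec_enable` is defined in this same file, the lookup can go entirely: move `int pefs_exec_enable = 0;` above the function and test `if (pefs_exec_enable != 0 && (imgp->attr->va_flags & SF_IMMUTABLE) == 0) return (EPERM);`. The hook also never inspects `vp`, so once enabled it appears to apply to executables on every filesystem rather than only pefs mounts; if that is intended, a comment saying so would help.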

Modified: soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vfsops.c
==============================================================================
--- soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vfsops.c	Wed Aug  8 09:42:44 2012	(r240188)
+++ soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vfsops.c	Wed Aug  8 11:45:43 2012	(r240189)
@@ -44,7 +44,6 @@
 #include <sys/mount.h>
 #include <sys/namei.h>
 #include <sys/proc.h>
-#include <sys/sysctl.h>
 #include <sys/vnode.h>
 #include <sys/dirent.h>
 
@@ -619,14 +618,6 @@
 	.vfs_vget =		pefs_vget,
 };
 
-/* XXXgpf: declare our debugging sysctl for kern_exec.c */
-SYSCTL_NODE(_vfs_pefs, OID_AUTO, exec, CTLFLAG_RW, 0,
-	"PEFS kern_exec.c stuff");
-
-int		pefs_exec_enable = 0;
-SYSCTL_INT(_vfs_pefs_exec, OID_AUTO, enable, CTLFLAG_RW,
-	&pefs_exec_enable, 0, "Enable exec protection");
-
 VFS_SET(pefs_vfsops, pefs, VFCF_LOOPBACK);
 MODULE_DEPEND(pefs, crypto, 1, 1, 1);
 #ifdef PEFS_AESNI

Modified: soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile
==============================================================================
--- soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile	Wed Aug  8 09:42:44 2012	(r240188)
+++ soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile	Wed Aug  8 11:45:43 2012	(r240189)
@@ -7,7 +7,8 @@
 	pefs_subr.c pefs_vfsops.c pefs_vnops.c pefs_xbase64.c pefs_crypto.c \
 	pefs_dircache.c \
 	pefs_xts.c vmac.c \
-	pefs_checksum.c
+	pefs_checksum.c \
+	pefs_mac.c
 
 .if ${MACHINE_CPUARCH} == "i386" || ${MACHINE_CPUARCH} == "amd64"
 SRCS+=	pefs_aesni.c


