/* $NetBSD: kern_veriexec.c,v 1.27 2023/04/09 09:18:09 riastradh Exp $ */ /*- * Copyright (c) 2005, 2006 Elad Efrat * Copyright (c) 2005, 2006 Brett Lymn * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the authors may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include __KERNEL_RCSID(0, "$NetBSD: kern_veriexec.c,v 1.27 2023/04/09 09:18:09 riastradh Exp $"); #include "opt_veriexec.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Readable values for veriexec_file_report(). */ #define REPORT_ALWAYS 0x01 /* Always print */ #define REPORT_VERBOSE 0x02 /* Print when verbose >= 1 */ #define REPORT_DEBUG 0x04 /* Print when verbose >= 2 (debug) */ #define REPORT_PANIC 0x08 /* Call panic() */ #define REPORT_ALARM 0x10 /* Alarm - also print pid/uid/.. */ #define REPORT_LOGMASK (REPORT_ALWAYS|REPORT_VERBOSE|REPORT_DEBUG) /* state of locking for veriexec_file_verify */ #define VERIEXEC_UNLOCKED 0x00 /* Nothing locked, callee does it */ #define VERIEXEC_LOCKED 0x01 /* Global op lock held */ /* state of file locking for veriexec_file_verify */ #define VERIEXEC_FILE_UNLOCKED 0x02 /* Nothing locked, callee does it */ #define VERIEXEC_FILE_LOCKED 0x04 /* File locked */ #define VERIEXEC_RW_UPGRADE(lock) while((rw_tryupgrade(lock)) == 0){}; struct veriexec_fpops { const char *type; size_t hash_len; size_t context_size; veriexec_fpop_init_t init; veriexec_fpop_update_t update; veriexec_fpop_final_t final; LIST_ENTRY(veriexec_fpops) entries; }; /* Veriexec per-file entry data. */ struct veriexec_file_entry { krwlock_t lock; /* r/w lock */ u_char *filename; /* File name. */ u_char type; /* Entry type. */ u_char status; /* Evaluation status. */ u_char *fp; /* Fingerprint. */ struct veriexec_fpops *ops; /* Fingerprint ops vector*/ size_t filename_len; /* Length of filename. */ }; /* Veriexec per-table data. */ struct veriexec_table_entry { uint64_t vte_count; /* Number of Veriexec entries. */ const struct sysctlnode *vte_node; }; static int veriexec_verbose; static int veriexec_strict; static int veriexec_bypass = 1; static char *veriexec_fp_names = NULL; static size_t veriexec_name_max = 0; static const struct sysctlnode *veriexec_count_node; static fileassoc_t veriexec_hook; static specificdata_key_t veriexec_mountspecific_key; static LIST_HEAD(, veriexec_fpops) veriexec_fpops_list = LIST_HEAD_INITIALIZER(veriexec_fpops_list); static int veriexec_raw_cb(kauth_cred_t, kauth_action_t, void *, void *, void *, void *, void *); static struct veriexec_fpops *veriexec_fpops_lookup(const char *); static void veriexec_file_free(struct veriexec_file_entry *); static unsigned int veriexec_tablecount = 0; /* * Veriexec operations global lock - most ops hold this as a read * lock, it is upgraded to a write lock when destroying veriexec file * table entries. */ static krwlock_t veriexec_op_lock; /* * Sysctl helper routine for Veriexec. */ static int sysctl_kern_veriexec_algorithms(SYSCTLFN_ARGS) { size_t len; int error; const char *p; if (newp != NULL) return EPERM; if (namelen != 0) return EINVAL; p = veriexec_fp_names == NULL ? "" : veriexec_fp_names; len = strlen(p) + 1; if (*oldlenp < len && oldp) return ENOMEM; if (oldp && (error = copyout(p, oldp, len)) != 0) return error; *oldlenp = len; return 0; } static int sysctl_kern_veriexec_strict(SYSCTLFN_ARGS) { struct sysctlnode node; int error, newval; node = *rnode; node.sysctl_data = &newval; newval = veriexec_strict; error = sysctl_lookup(SYSCTLFN_CALL(&node)); if (error || newp == NULL) return error; if (newval < veriexec_strict) return EPERM; veriexec_strict = newval; return 0; } SYSCTL_SETUP(sysctl_kern_veriexec_setup, "sysctl kern.veriexec setup") { const struct sysctlnode *rnode = NULL; sysctl_createv(clog, 0, NULL, &rnode, CTLFLAG_PERMANENT, CTLTYPE_NODE, "veriexec", SYSCTL_DESCR("Veriexec"), NULL, 0, NULL, 0, CTL_KERN, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "verbose", SYSCTL_DESCR("Veriexec verbose level"), NULL, 0, &veriexec_verbose, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "strict", SYSCTL_DESCR("Veriexec strict level"), sysctl_kern_veriexec_strict, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT, CTLTYPE_STRING, "algorithms", SYSCTL_DESCR("Veriexec supported hashing " "algorithms"), sysctl_kern_veriexec_algorithms, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, &veriexec_count_node, CTLFLAG_PERMANENT, CTLTYPE_NODE, "count", SYSCTL_DESCR("Number of fingerprints on mount(s)"), NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); } /* * Add ops to the fingerprint ops vector list. */ int veriexec_fpops_add(const char *fp_type, size_t hash_len, size_t ctx_size, veriexec_fpop_init_t init, veriexec_fpop_update_t update, veriexec_fpop_final_t final) { struct veriexec_fpops *ops; KASSERT(init != NULL); KASSERT(update != NULL); KASSERT(final != NULL); KASSERT(hash_len != 0); KASSERT(ctx_size != 0); KASSERT(fp_type != NULL); if (veriexec_fpops_lookup(fp_type) != NULL) return (EEXIST); ops = kmem_alloc(sizeof(*ops), KM_SLEEP); ops->type = fp_type; ops->hash_len = hash_len; ops->context_size = ctx_size; ops->init = init; ops->update = update; ops->final = final; LIST_INSERT_HEAD(&veriexec_fpops_list, ops, entries); /* * If we don't have space for any names, allocate enough for six * which should be sufficient. (it's also enough for all algorithms * we can support at the moment) */ if (veriexec_fp_names == NULL) { veriexec_name_max = 64; veriexec_fp_names = kmem_zalloc(veriexec_name_max, KM_SLEEP); } /* * If we're running out of space for storing supported algorithms, * extend the buffer with space for four names. */ while (veriexec_name_max - (strlen(veriexec_fp_names) + 1) < strlen(fp_type)) { char *newp; unsigned int new_max; /* Add space for four algorithm names. */ new_max = veriexec_name_max + 64; newp = kmem_zalloc(new_max, KM_SLEEP); strlcpy(newp, veriexec_fp_names, new_max); kmem_free(veriexec_fp_names, veriexec_name_max); veriexec_fp_names = newp; veriexec_name_max = new_max; } if (*veriexec_fp_names != '\0') strlcat(veriexec_fp_names, " ", veriexec_name_max); strlcat(veriexec_fp_names, fp_type, veriexec_name_max); return (0); } static void veriexec_mountspecific_dtor(void *v) { struct veriexec_table_entry *vte = v; if (vte == NULL) { return; } sysctl_free(__UNCONST(vte->vte_node)); veriexec_tablecount--; kmem_free(vte, sizeof(*vte)); } static int veriexec_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result; enum kauth_system_req req; if (action != KAUTH_SYSTEM_VERIEXEC) return KAUTH_RESULT_DEFER; result = KAUTH_RESULT_DEFER; req = (enum kauth_system_req)(uintptr_t)arg0; if (req == KAUTH_REQ_SYSTEM_VERIEXEC_MODIFY && veriexec_strict > VERIEXEC_LEARNING) { log(LOG_WARNING, "Veriexec: Strict mode, modifying " "tables not permitted.\n"); result = KAUTH_RESULT_DENY; } return result; } /* * Initialise Veriexec. */ void veriexec_init(void) { int error; /* Register a fileassoc for Veriexec. */ error = fileassoc_register("veriexec", (fileassoc_cleanup_cb_t)veriexec_file_free, &veriexec_hook); if (error) panic("Veriexec: Can't register fileassoc: error=%d", error); /* Register listener to handle raw disk access. */ if (kauth_listen_scope(KAUTH_SCOPE_DEVICE, veriexec_raw_cb, NULL) == NULL) panic("Veriexec: Can't listen on device scope"); error = mount_specific_key_create(&veriexec_mountspecific_key, veriexec_mountspecific_dtor); if (error) panic("Veriexec: Can't create mountspecific key"); if (kauth_listen_scope(KAUTH_SCOPE_SYSTEM, veriexec_listener_cb, NULL) == NULL) panic("Veriexec: Can't listen on system scope"); rw_init(&veriexec_op_lock); #define FPOPS_ADD(a, b, c, d, e, f) \ veriexec_fpops_add(a, b, c, \ __FPTRCAST(veriexec_fpop_init_t, d), \ __FPTRCAST(veriexec_fpop_update_t, e), \ __FPTRCAST(veriexec_fpop_final_t, f)) #ifdef VERIFIED_EXEC_FP_SHA256 FPOPS_ADD("SHA256", SHA256_DIGEST_LENGTH, sizeof(SHA256_CTX), SHA256_Init, SHA256_Update, SHA256_Final); #endif /* VERIFIED_EXEC_FP_SHA256 */ #ifdef VERIFIED_EXEC_FP_SHA384 FPOPS_ADD("SHA384", SHA384_DIGEST_LENGTH, sizeof(SHA384_CTX), SHA384_Init, SHA384_Update, SHA384_Final); #endif /* VERIFIED_EXEC_FP_SHA384 */ #ifdef VERIFIED_EXEC_FP_SHA512 FPOPS_ADD("SHA512", SHA512_DIGEST_LENGTH, sizeof(SHA512_CTX), SHA512_Init, SHA512_Update, SHA512_Final); #endif /* VERIFIED_EXEC_FP_SHA512 */ #undef FPOPS_ADD } static struct veriexec_fpops * veriexec_fpops_lookup(const char *name) { struct veriexec_fpops *ops; if (name == NULL) return (NULL); LIST_FOREACH(ops, &veriexec_fpops_list, entries) { if (strcasecmp(name, ops->type) == 0) return (ops); } return (NULL); } /* * Calculate fingerprint. Information on hash length and routines used is * extracted from veriexec_hash_list according to the hash type. * * NOTE: vfe is assumed to be locked for writing on entry. */ static int veriexec_fp_calc(struct lwp *l, struct vnode *vp, int file_lock_state, struct veriexec_file_entry *vfe, u_char *fp) { struct vattr va; void *ctx; u_char *buf; off_t offset, len; size_t resid; int error; KASSERT(file_lock_state != VERIEXEC_LOCKED); KASSERT(file_lock_state != VERIEXEC_UNLOCKED); if (file_lock_state == VERIEXEC_FILE_UNLOCKED) vn_lock(vp, LK_SHARED | LK_RETRY); error = VOP_GETATTR(vp, &va, l->l_cred); if (file_lock_state == VERIEXEC_FILE_UNLOCKED) VOP_UNLOCK(vp); if (error) return (error); ctx = kmem_alloc(vfe->ops->context_size, KM_SLEEP); buf = kmem_alloc(PAGE_SIZE, KM_SLEEP); (vfe->ops->init)(ctx); len = 0; error = 0; for (offset = 0; offset < va.va_size; offset += PAGE_SIZE) { len = ((va.va_size - offset) < PAGE_SIZE) ? (va.va_size - offset) : PAGE_SIZE; error = vn_rdwr(UIO_READ, vp, buf, len, offset, UIO_SYSSPACE, ((file_lock_state == VERIEXEC_FILE_LOCKED)? IO_NODELOCKED : 0), l->l_cred, &resid, NULL); if (error) { goto bad; } (vfe->ops->update)(ctx, buf, (unsigned int) len); if (len != PAGE_SIZE) break; } (vfe->ops->final)(fp, ctx); bad: kmem_free(ctx, vfe->ops->context_size); kmem_free(buf, PAGE_SIZE); return (error); } /* Compare two fingerprints of the same type. */ static int veriexec_fp_cmp(struct veriexec_fpops *ops, u_char *fp1, u_char *fp2) { if (veriexec_verbose >= 2) { int i; printf("comparing hashes...\n"); printf("fp1: "); for (i = 0; i < ops->hash_len; i++) { printf("%02x", fp1[i]); } printf("\nfp2: "); for (i = 0; i < ops->hash_len; i++) { printf("%02x", fp2[i]); } printf("\n"); } return (memcmp(fp1, fp2, ops->hash_len)); } static int veriexec_fp_status(struct lwp *l, struct vnode *vp, int file_lock_state, struct veriexec_file_entry *vfe, u_char *status) { size_t hash_len = vfe->ops->hash_len; u_char *digest; int error; digest = kmem_zalloc(hash_len, KM_SLEEP); error = veriexec_fp_calc(l, vp, file_lock_state, vfe, digest); if (error) goto out; /* Compare fingerprint with loaded data. */ if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0) *status = FINGERPRINT_VALID; else *status = FINGERPRINT_NOMATCH; out: kmem_free(digest, hash_len); return error; } static struct veriexec_table_entry * veriexec_table_lookup(struct mount *mp) { /* XXX: From raidframe init */ if (mp == NULL) return NULL; return mount_getspecific(mp, veriexec_mountspecific_key); } static struct veriexec_file_entry * veriexec_get(struct vnode *vp) { return (fileassoc_lookup(vp, veriexec_hook)); } bool veriexec_lookup(struct vnode *vp) { return (veriexec_get(vp) == NULL ? false : true); } /* * Routine for maintaining mostly consistent message formats in Veriexec. */ static void veriexec_file_report(struct veriexec_file_entry *vfe, const u_char *msg, const u_char *filename, struct lwp *l, int f) { if (vfe != NULL && vfe->filename != NULL) filename = vfe->filename; if (filename == NULL) return; if (((f & REPORT_LOGMASK) >> 1) <= veriexec_verbose) { if (!(f & REPORT_ALARM) || (l == NULL)) log(LOG_NOTICE, "Veriexec: %s [%s]\n", msg, filename); else log(LOG_ALERT, "Veriexec: %s [%s, prog=%s pid=%u, " "uid=%u, gid=%u]\n", msg, filename, l->l_proc->p_comm, l->l_proc->p_pid, kauth_cred_getuid(l->l_cred), kauth_cred_getgid(l->l_cred)); } if (f & REPORT_PANIC) panic("Veriexec: Unrecoverable error."); } /* * Verify the fingerprint of the given file. If we're called directly from * sys_execve(), 'flag' will be VERIEXEC_DIRECT. If we're called from * exec_script(), 'flag' will be VERIEXEC_INDIRECT. If we are called from * vn_open(), 'flag' will be VERIEXEC_FILE. * * 'veriexec_op_lock' must be locked (and remains locked). * * NOTE: The veriexec file entry pointer (vfep) will be returned LOCKED * on no error. */ static int veriexec_file_verify(struct lwp *l, struct vnode *vp, const u_char *name, int flag, int file_lock_state, struct veriexec_file_entry **vfep) { struct veriexec_file_entry *vfe; int error = 0; KASSERT(rw_lock_held(&veriexec_op_lock)); KASSERT(file_lock_state != VERIEXEC_LOCKED); KASSERT(file_lock_state != VERIEXEC_UNLOCKED); #define VFE_NEEDS_EVAL(vfe) ((vfe->status == FINGERPRINT_NOTEVAL) || \ (vfe->type & VERIEXEC_UNTRUSTED)) if (vfep != NULL) *vfep = NULL; if (vp->v_type != VREG) return (0); /* Lookup veriexec table entry, save pointer if requested. */ vfe = veriexec_get(vp); if (vfep != NULL) *vfep = vfe; /* No entry in the veriexec tables. */ if (vfe == NULL) { veriexec_file_report(NULL, "No entry.", name, l, REPORT_VERBOSE); /* * Lockdown mode: Deny access to non-monitored files. * IPS mode: Deny execution of non-monitored files. */ if ((veriexec_strict >= VERIEXEC_LOCKDOWN) || ((veriexec_strict >= VERIEXEC_IPS) && (flag != VERIEXEC_FILE))) return (EPERM); return (0); } /* * Grab the lock for the entry, if we need to do an evaluation * then the lock is a write lock, after we have the write * lock, check if we really need it - some other thread may * have already done the work for us. */ if (VFE_NEEDS_EVAL(vfe)) { rw_enter(&vfe->lock, RW_WRITER); if (!VFE_NEEDS_EVAL(vfe)) rw_downgrade(&vfe->lock); } else rw_enter(&vfe->lock, RW_READER); /* Evaluate fingerprint if needed. */ if (VFE_NEEDS_EVAL(vfe)) { u_char status; error = veriexec_fp_status(l, vp, file_lock_state, vfe, &status); if (error) { veriexec_file_report(vfe, "Fingerprint calculation error.", name, NULL, REPORT_ALWAYS); rw_exit(&vfe->lock); return (error); } vfe->status = status; rw_downgrade(&vfe->lock); } if (!(vfe->type & flag)) { veriexec_file_report(vfe, "Incorrect access type.", name, l, REPORT_ALWAYS|REPORT_ALARM); /* IPS mode: Enforce access type. */ if (veriexec_strict >= VERIEXEC_IPS) { rw_exit(&vfe->lock); return (EPERM); } } switch (vfe->status) { case FINGERPRINT_NOTEVAL: /* Should not happen. */ rw_exit(&vfe->lock); veriexec_file_report(vfe, "Not-evaluated status " "post evaluation; inconsistency detected.", name, NULL, REPORT_ALWAYS|REPORT_PANIC); __builtin_unreachable(); /* NOTREACHED */ case FINGERPRINT_VALID: /* Valid fingerprint. */ veriexec_file_report(vfe, "Match.", name, NULL, REPORT_VERBOSE); break; case FINGERPRINT_NOMATCH: /* Fingerprint mismatch. */ veriexec_file_report(vfe, "Mismatch.", name, NULL, REPORT_ALWAYS|REPORT_ALARM); /* IDS mode: Deny access on fingerprint mismatch. */ if (veriexec_strict >= VERIEXEC_IDS) { rw_exit(&vfe->lock); error = EPERM; } break; default: /* Should never happen. */ rw_exit(&vfe->lock); veriexec_file_report(vfe, "Invalid status " "post evaluation.", name, NULL, REPORT_ALWAYS|REPORT_PANIC); /* NOTREACHED */ } return (error); } int veriexec_verify(struct lwp *l, struct vnode *vp, const u_char *name, int flag, bool *found) { struct veriexec_file_entry *vfe; int r; if (veriexec_bypass && (veriexec_strict == VERIEXEC_LEARNING)) return 0; rw_enter(&veriexec_op_lock, RW_READER); r = veriexec_file_verify(l, vp, name, flag, VERIEXEC_FILE_UNLOCKED, &vfe); rw_exit(&veriexec_op_lock); if ((r == 0) && (vfe != NULL)) rw_exit(&vfe->lock); if (found != NULL) *found = (vfe != NULL) ? true : false; return (r); } /* * Veriexec remove policy code. */ int veriexec_removechk(struct lwp *l, struct vnode *vp, const char *pathbuf) { struct veriexec_file_entry *vfe; int error; if (veriexec_bypass && (veriexec_strict == VERIEXEC_LEARNING)) return 0; rw_enter(&veriexec_op_lock, RW_READER); vfe = veriexec_get(vp); rw_exit(&veriexec_op_lock); if (vfe == NULL) { /* Lockdown mode: Deny access to non-monitored files. */ if (veriexec_strict >= VERIEXEC_LOCKDOWN) return (EPERM); return (0); } veriexec_file_report(vfe, "Remove request.", pathbuf, l, REPORT_ALWAYS|REPORT_ALARM); /* IDS mode: Deny removal of monitored files. */ if (veriexec_strict >= VERIEXEC_IDS) error = EPERM; else error = veriexec_file_delete(l, vp); return error; } /* * Veriexec rename policy. * * XXX: Once there's a way to hook after a successful rename, it would be * XXX: nice to update vfe->filename to the new name if it's not NULL and * XXX: the new name is absolute (ie., starts with a slash). */ int veriexec_renamechk(struct lwp *l, struct vnode *fromvp, const char *fromname, struct vnode *tovp, const char *toname) { struct veriexec_file_entry *fvfe = NULL, *tvfe = NULL; if (veriexec_bypass && (veriexec_strict == VERIEXEC_LEARNING)) return 0; rw_enter(&veriexec_op_lock, RW_READER); if (veriexec_strict >= VERIEXEC_LOCKDOWN) { log(LOG_ALERT, "Veriexec: Preventing rename of `%s' to " "`%s', uid=%u, pid=%u: Lockdown mode.\n", fromname, toname, kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid); rw_exit(&veriexec_op_lock); return (EPERM); } fvfe = veriexec_get(fromvp); if (tovp != NULL) tvfe = veriexec_get(tovp); if ((fvfe == NULL) && (tvfe == NULL)) { /* None of them is monitored */ rw_exit(&veriexec_op_lock); return 0; } if (veriexec_strict >= VERIEXEC_IPS) { log(LOG_ALERT, "Veriexec: Preventing rename of `%s' " "to `%s', uid=%u, pid=%u: IPS mode, %s " "monitored.\n", fromname, toname, kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid, (fvfe != NULL && tvfe != NULL) ? "files" : "file"); rw_exit(&veriexec_op_lock); return (EPERM); } if (fvfe != NULL) { /* * Monitored file is renamed; filename no longer relevant. */ /* * XXX: We could keep the buffer, and when (and if) updating the * XXX: filename post-rename, re-allocate it only if it's not * XXX: big enough for the new filename. */ /* XXX: Get write lock on fvfe here? */ VERIEXEC_RW_UPGRADE(&veriexec_op_lock); /* once we have the op lock in write mode * there should be no locks on any file * entries so we can destroy the object. */ if (fvfe->filename_len > 0) kmem_free(fvfe->filename, fvfe->filename_len); fvfe->filename = NULL; fvfe->filename_len = 0; rw_downgrade(&veriexec_op_lock); } log(LOG_NOTICE, "Veriexec: %s file `%s' renamed to " "%s file `%s', uid=%u, pid=%u.\n", (fvfe != NULL) ? "Monitored" : "Non-monitored", fromname, (tvfe != NULL) ? "monitored" : "non-monitored", toname, kauth_cred_geteuid(l->l_cred), l->l_proc->p_pid); rw_exit(&veriexec_op_lock); if (tvfe != NULL) { /* * Monitored file is overwritten. Remove the entry. */ (void)veriexec_file_delete(l, tovp); } return (0); } static void veriexec_file_free(struct veriexec_file_entry *vfe) { if (vfe != NULL) { if (vfe->fp != NULL) kmem_free(vfe->fp, vfe->ops->hash_len); if (vfe->filename != NULL) kmem_free(vfe->filename, vfe->filename_len); rw_destroy(&vfe->lock); kmem_free(vfe, sizeof(*vfe)); } } static void veriexec_file_purge(struct veriexec_file_entry *vfe, int have_lock) { if (vfe == NULL) return; if (have_lock == VERIEXEC_UNLOCKED) rw_enter(&vfe->lock, RW_WRITER); else VERIEXEC_RW_UPGRADE(&vfe->lock); vfe->status = FINGERPRINT_NOTEVAL; if (have_lock == VERIEXEC_UNLOCKED) rw_exit(&vfe->lock); else rw_downgrade(&vfe->lock); } static void veriexec_file_purge_cb(struct veriexec_file_entry *vfe, void *cookie) { veriexec_file_purge(vfe, VERIEXEC_UNLOCKED); } /* * Invalidate a Veriexec file entry. * XXX: This should be updated when per-page fingerprints are added. */ void veriexec_purge(struct vnode *vp) { rw_enter(&veriexec_op_lock, RW_READER); veriexec_file_purge(veriexec_get(vp), VERIEXEC_UNLOCKED); rw_exit(&veriexec_op_lock); } /* * Enforce raw disk access policy. * * IDS mode: Invalidate fingerprints on a mount if it's opened for writing. * IPS mode: Don't allow raw writing to disks we monitor. * Lockdown mode: Don't allow raw writing to all disks. * * XXX: This is bogus. There's an obvious race condition between the time * XXX: the disk is open for writing, in which an attacker can access a * XXX: monitored file to get its signature cached again, and when the raw * XXX: file is overwritten on disk. * XXX: * XXX: To solve this, we need something like the following: * XXX: open raw disk: * XXX: - raise refcount, * XXX: - invalidate fingerprints, * XXX: - mark all entries for that disk with "no cache" flag * XXX: * XXX: veriexec_verify: * XXX: - if "no cache", don't cache evaluation result * XXX: * XXX: close raw disk: * XXX: - lower refcount, * XXX: - if refcount == 0, remove "no cache" flag from all entries */ static int veriexec_raw_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result; enum kauth_device_req req; struct veriexec_table_entry *vte; result = KAUTH_RESULT_DENY; req = (enum kauth_device_req)(uintptr_t)arg0; switch (action) { case KAUTH_DEVICE_RAWIO_SPEC: { struct vnode *vp, *bvp; int error; if (req == KAUTH_REQ_DEVICE_RAWIO_SPEC_READ) { result = KAUTH_RESULT_DEFER; break; } vp = arg1; KASSERT(vp != NULL); /* Handle /dev/mem and /dev/kmem. */ if (iskmemvp(vp)) { if (veriexec_strict < VERIEXEC_IPS) result = KAUTH_RESULT_DEFER; break; } error = rawdev_mounted(vp, &bvp); if (error == EINVAL) { result = KAUTH_RESULT_DEFER; break; } /* * XXX: See vfs_mountedon() comment in rawdev_mounted(). */ vte = veriexec_table_lookup(bvp->v_mount); if (vte == NULL) { result = KAUTH_RESULT_DEFER; break; } switch (veriexec_strict) { case VERIEXEC_LEARNING: case VERIEXEC_IDS: result = KAUTH_RESULT_DEFER; rw_enter(&veriexec_op_lock, RW_WRITER); fileassoc_table_run(bvp->v_mount, veriexec_hook, (fileassoc_cb_t)veriexec_file_purge_cb, NULL); rw_exit(&veriexec_op_lock); break; case VERIEXEC_IPS: result = KAUTH_RESULT_DENY; break; case VERIEXEC_LOCKDOWN: result = KAUTH_RESULT_DENY; break; } break; } case KAUTH_DEVICE_RAWIO_PASSTHRU: /* XXX What can we do here? */ if (veriexec_strict < VERIEXEC_IPS) result = KAUTH_RESULT_DEFER; break; default: result = KAUTH_RESULT_DEFER; break; } return (result); } /* * Create a new Veriexec table. */ static struct veriexec_table_entry * veriexec_table_add(struct lwp *l, struct mount *mp) { struct veriexec_table_entry *vte; u_char buf[16]; vte = kmem_zalloc(sizeof(*vte), KM_SLEEP); mount_setspecific(mp, veriexec_mountspecific_key, vte); snprintf(buf, sizeof(buf), "table%u", veriexec_tablecount++); sysctl_createv(NULL, 0, &veriexec_count_node, &vte->vte_node, 0, CTLTYPE_NODE, buf, NULL, NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(NULL, 0, &vte->vte_node, NULL, CTLFLAG_READONLY, CTLTYPE_STRING, "mntpt", NULL, NULL, 0, mp->mnt_stat.f_mntonname, 0, CTL_CREATE, CTL_EOL); sysctl_createv(NULL, 0, &vte->vte_node, NULL, CTLFLAG_READONLY, CTLTYPE_STRING, "fstype", NULL, NULL, 0, mp->mnt_stat.f_fstypename, 0, CTL_CREATE, CTL_EOL); sysctl_createv(NULL, 0, &vte->vte_node, NULL, CTLFLAG_READONLY, CTLTYPE_QUAD, "nentries", NULL, NULL, 0, &vte->vte_count, 0, CTL_CREATE, CTL_EOL); return (vte); } /* * Add a file to be monitored by Veriexec. * * Expected elements in dict: * file, fp, fp-type, entry-type, keep-filename, eval-on-load. */ int veriexec_file_add(struct lwp *l, prop_dictionary_t dict) { struct veriexec_table_entry *vte; struct veriexec_file_entry *vfe = NULL; struct veriexec_file_entry *ovfe; struct vnode *vp; const char *file, *fp_type; int error; bool ignore_dup = false; if (!prop_dictionary_get_string(dict, "file", &file)) return (EINVAL); error = namei_simple_kernel(file, NSM_FOLLOW_NOEMULROOT, &vp); if (error) return (error); /* Add only regular files. */ if (vp->v_type != VREG) { log(LOG_ERR, "Veriexec: Not adding `%s': Not a regular file.\n", file); error = EBADF; goto out; } vfe = kmem_zalloc(sizeof(*vfe), KM_SLEEP); rw_init(&vfe->lock); /* Lookup fingerprint hashing algorithm. */ fp_type = prop_string_value(prop_dictionary_get(dict, "fp-type")); if ((vfe->ops = veriexec_fpops_lookup(fp_type)) == NULL) { log(LOG_ERR, "Veriexec: Invalid or unknown fingerprint type " "`%s' for file `%s'.\n", fp_type, file); error = EOPNOTSUPP; goto out; } if (prop_data_size(prop_dictionary_get(dict, "fp")) != vfe->ops->hash_len) { log(LOG_ERR, "Veriexec: Bad fingerprint length for `%s'.\n", file); error = EINVAL; goto out; } vfe->fp = kmem_alloc(vfe->ops->hash_len, KM_SLEEP); memcpy(vfe->fp, prop_data_value(prop_dictionary_get(dict, "fp")), vfe->ops->hash_len); rw_enter(&veriexec_op_lock, RW_WRITER); /* Continue entry initialization. */ if (prop_dictionary_get_uint8(dict, "entry-type", &vfe->type) == FALSE) vfe->type = 0; else { uint8_t extra_flags; extra_flags = vfe->type & ~(VERIEXEC_DIRECT | VERIEXEC_INDIRECT | VERIEXEC_FILE | VERIEXEC_UNTRUSTED); if (extra_flags) { log(LOG_NOTICE, "Veriexec: Contaminated flags `0x%x' " "for `%s', skipping.\n", extra_flags, file); error = EINVAL; goto unlock_out; } } if (!(vfe->type & (VERIEXEC_DIRECT | VERIEXEC_INDIRECT | VERIEXEC_FILE))) vfe->type |= VERIEXEC_DIRECT; vfe->status = FINGERPRINT_NOTEVAL; if (prop_bool_true(prop_dictionary_get(dict, "keep-filename"))) { vfe->filename = kmem_strdupsize(file, &vfe->filename_len, KM_SLEEP); } else vfe->filename = NULL; if (prop_bool_true(prop_dictionary_get(dict, "eval-on-load")) || (vfe->type & VERIEXEC_UNTRUSTED)) { u_char status; error = veriexec_fp_status(l, vp, VERIEXEC_FILE_UNLOCKED, vfe, &status); if (error) goto unlock_out; vfe->status = status; } /* * If we already have an entry for this file, and it matches * the new entry exactly (except for the filename, which may * hard-linked!), we just ignore the new entry. If the new * entry differs, report the error. */ if ((ovfe = veriexec_get(vp)) != NULL) { error = EEXIST; if (vfe->type == ovfe->type && vfe->status == ovfe->status && vfe->ops == ovfe->ops && memcmp(vfe->fp, ovfe->fp, vfe->ops->hash_len) == 0) ignore_dup = true; goto unlock_out; } vte = veriexec_table_lookup(vp->v_mount); if (vte == NULL) vte = veriexec_table_add(l, vp->v_mount); /* XXX if we bail below this, we might want to gc newly created vtes. */ error = fileassoc_add(vp, veriexec_hook, vfe); if (error) goto unlock_out; vte->vte_count++; veriexec_file_report(NULL, "New entry.", file, NULL, REPORT_DEBUG); veriexec_bypass = 0; unlock_out: rw_exit(&veriexec_op_lock); out: vrele(vp); if (error) veriexec_file_free(vfe); if (ignore_dup && error == EEXIST) error = 0; return (error); } int veriexec_table_delete(struct lwp *l, struct mount *mp) { struct veriexec_table_entry *vte; vte = veriexec_table_lookup(mp); if (vte == NULL) return (ENOENT); veriexec_mountspecific_dtor(vte); mount_setspecific(mp, veriexec_mountspecific_key, NULL); return (fileassoc_table_clear(mp, veriexec_hook)); } int veriexec_file_delete(struct lwp *l, struct vnode *vp) { struct veriexec_table_entry *vte; int error; vte = veriexec_table_lookup(vp->v_mount); if (vte == NULL) return (ENOENT); rw_enter(&veriexec_op_lock, RW_WRITER); error = fileassoc_clear(vp, veriexec_hook); rw_exit(&veriexec_op_lock); if (!error) { KASSERT(vte->vte_count > 0); vte->vte_count--; } return (error); } /* * Convert Veriexec entry data to a dictionary readable by userland tools. */ static void veriexec_file_convert(struct veriexec_file_entry *vfe, prop_dictionary_t rdict) { if (vfe->filename) prop_dictionary_set(rdict, "file", prop_string_create_copy(vfe->filename)); prop_dictionary_set_uint8(rdict, "entry-type", vfe->type); prop_dictionary_set_uint8(rdict, "status", vfe->status); prop_dictionary_set(rdict, "fp-type", prop_string_create_copy(vfe->ops->type)); prop_dictionary_set(rdict, "fp", prop_data_create_copy(vfe->fp, vfe->ops->hash_len)); } int veriexec_convert(struct vnode *vp, prop_dictionary_t rdict) { struct veriexec_file_entry *vfe; rw_enter(&veriexec_op_lock, RW_READER); vfe = veriexec_get(vp); if (vfe == NULL) { rw_exit(&veriexec_op_lock); return (ENOENT); } rw_enter(&vfe->lock, RW_READER); veriexec_file_convert(vfe, rdict); rw_exit(&vfe->lock); rw_exit(&veriexec_op_lock); return (0); } int veriexec_unmountchk(struct mount *mp) { int error; if ((veriexec_bypass && (veriexec_strict == VERIEXEC_LEARNING)) || doing_shutdown) return (0); rw_enter(&veriexec_op_lock, RW_READER); switch (veriexec_strict) { case VERIEXEC_LEARNING: error = 0; break; case VERIEXEC_IDS: if (veriexec_table_lookup(mp) != NULL) { log(LOG_INFO, "Veriexec: IDS mode, allowing unmount " "of \"%s\".\n", mp->mnt_stat.f_mntonname); } error = 0; break; case VERIEXEC_IPS: { struct veriexec_table_entry *vte; vte = veriexec_table_lookup(mp); if ((vte != NULL) && (vte->vte_count > 0)) { log(LOG_ALERT, "Veriexec: IPS mode, preventing" " unmount of \"%s\" with monitored files.\n", mp->mnt_stat.f_mntonname); error = EPERM; } else error = 0; break; } case VERIEXEC_LOCKDOWN: default: log(LOG_ALERT, "Veriexec: Lockdown mode, preventing unmount " "of \"%s\".\n", mp->mnt_stat.f_mntonname); error = EPERM; break; } rw_exit(&veriexec_op_lock); return (error); } int veriexec_openchk(struct lwp *l, struct vnode *vp, const char *path, int fmode) { struct veriexec_file_entry *vfe = NULL; int error = 0; if (veriexec_bypass && (veriexec_strict == VERIEXEC_LEARNING)) return 0; if (vp == NULL) { /* If no creation requested, let this fail normally. */ if (!(fmode & O_CREAT)) goto out; /* Lockdown mode: Prevent creation of new files. */ if (veriexec_strict >= VERIEXEC_LOCKDOWN) { log(LOG_ALERT, "Veriexec: Preventing new file " "creation in `%s'.\n", path); error = EPERM; } goto out; } rw_enter(&veriexec_op_lock, RW_READER); error = veriexec_file_verify(l, vp, path, VERIEXEC_FILE, VERIEXEC_FILE_LOCKED, &vfe); if (error) { rw_exit(&veriexec_op_lock); goto out; } if ((vfe != NULL) && ((fmode & FWRITE) || (fmode & O_TRUNC))) { veriexec_file_report(vfe, "Write access request.", path, l, REPORT_ALWAYS | REPORT_ALARM); /* IPS mode: Deny write access to monitored files. */ if (veriexec_strict >= VERIEXEC_IPS) error = EPERM; else veriexec_file_purge(vfe, VERIEXEC_LOCKED); } if (vfe != NULL) rw_exit(&vfe->lock); rw_exit(&veriexec_op_lock); out: return (error); } static void veriexec_file_dump(struct veriexec_file_entry *vfe, prop_array_t entries) { prop_dictionary_t entry; /* If we don't have a filename, this is meaningless. */ if (vfe->filename == NULL) return; entry = prop_dictionary_create(); veriexec_file_convert(vfe, entry); prop_array_add(entries, entry); } int veriexec_dump(struct lwp *l, prop_array_t rarray) { mount_iterator_t *iter; struct mount *mp; mountlist_iterator_init(&iter); while ((mp = mountlist_iterator_next(iter)) != NULL) { fileassoc_table_run(mp, veriexec_hook, (fileassoc_cb_t)veriexec_file_dump, rarray); } mountlist_iterator_destroy(iter); return (0); } int veriexec_flush(struct lwp *l) { mount_iterator_t *iter; struct mount *mp; int error = 0; mountlist_iterator_init(&iter); while ((mp = mountlist_iterator_next(iter)) != NULL) { int lerror; lerror = veriexec_table_delete(l, mp); if (lerror && lerror != ENOENT) error = lerror; } mountlist_iterator_destroy(iter); return (error); }