#
bb8d4411 |
|
02-Nov-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
veriexec: Simplify the initialization of loader tunable The loader tunable 'security.mac.veriexec.block_unlink' has been already flagged with CTLFLAG_RDTUN, no need to re-fetch it with TUNABLE_INT_FETCH. While here move the definition of sysctl knob out of function body, which is more common in FreeBSD. No functional change intended. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D42132
|
#
d195f39d |
|
02-Apr-2023 |
Steve Kiernan <stevek@juniper.net> |
veriexec: Add option MAC_VERIEXEC_DEBUG Obtained from: Juniper Networks, Inc.
|
#
8c3e263d |
|
10-Dec-2021 |
Simon J. Gerraty <sjg@juniper.net> |
veriexec: mac_veriexec_syscall compat32 support Some 32bit apps may need to be able to use MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL Therefore compat32 support is required. Obtained from: Juniper Networks, Inc.
|
#
8512d82e |
|
02-Apr-2023 |
Steve Kiernan <stevek@juniper.net> |
veriexec: Additional functionality for MAC/veriexec Ensure veriexec opens the file before doing any read operations. When the MAC_VERIEXEC_CHECK_PATH_SYSCALL syscall is requested, veriexec needs to open the file before calling mac_veriexec_check_vp. This is to ensure any set up is done by the file system. Most file systems do not explicitly need an open, but some (e.g. virtfs) require initialization of access tokens (file identifiers, etc.) before doing any read or write operations. The evaluate_fingerprint() function needs to ensure it has an open file for reading in order to evaluate the fingerprint. The ideal solution is to have a hook after the VOP_OPEN call in vn_open. For now, we open the file for reading, envaluate the fingerprint, and close the file. While this leaves a potential hole that could possibly be taken advantage of by a dedicated aversary, this code path is not typically visited often in our use cases, as we primarily encounter verified mounts and not individual files. This should be considered a temporary workaround until discussions about the post-open hook have concluded and the hook becomes available. Add MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL and MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL to mac_veriexec_syscall so we can fetch and check label contents in an unconstrained manner. Add a check for PRIV_VERIEXEC_CONTROL to do ioctl on /dev/veriexec Make it clear that trusted process cannot be debugged. Attempts to debug a trusted process already fail, but the failure path is very obscure. Add an explicit check for VERIEXEC_TRUSTED in mac_veriexec_proc_check_debug. We need mac_veriexec_priv_check to not block PRIV_KMEM_WRITE if mac_priv_gant() says it is ok. Reviewed by: sjg Obtained from: Juniper Networks, Inc.
|
#
88a3358e |
|
16-Apr-2023 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
veriexec: Add SPDX-License-Identifier
|
#
6ae8d576 |
|
29-Jul-2019 |
Simon J. Gerraty <sjg@juniper.net> |
mac_veriexec: add mac_priv_grant check for NODEV Allow other MAC modules to override some veriexec checks. We need two new privileges: PRIV_VERIEXEC_DIRECT process wants to override 'indirect' flag on interpreter PRIV_VERIEXEC_NOVERIFY typically associated with PRIV_VERIEXEC_DIRECT allow override of O_VERIFY We also need to check for PRIV_VERIEXEC_NOVERIFY override for FINGERPRINT_NODEV and FINGERPRINT_NOENTRY. This will only happen if parent had PRIV_VERIEXEC_DIRECT override. This allows for MAC modules to selectively allow some applications to run without verification. Needless to say, this is extremely dangerous and should only be used sparingly and carefully. Obtained from: Juniper Networks, Inc. Reviewers: sjg Subscribers: imp, dab Differential Revision: https://reviews.freebsd.org/D39537
|
#
559e41a1 |
|
14-Mar-2023 |
Warner Losh <imp@FreeBSD.org> |
veriexec: Improve comments Make it clear we're checking to see if the target is a verified file and prevent its replacement if so. Sponsored by: Netflix Reviewed by: rpokala Differential Revision: https://reviews.freebsd.org/D39079
|
#
2ef8baba |
|
13-Mar-2023 |
dl <dl@canigo.cat> |
Increase protection provided by veriexec with new unlink/rename hooks. Functions implemented : - mac_veriexec_vnode_check_unlink: Unlink on a file has been requested and requires validation. This function prohibits the deleting a protected file (or deleting one of these hard links, if any). - mac_veriexec_vnode_check_rename_from: Rename the file has been requested and must be validated. This function controls the renaming of protected file - mac_veriexec_vnode_check_rename_to: File overwrite rename has been requested and must be validated. This function prevent overwriting of a file protected (overwriting by mv command). The 3 fonctions together aim to control the 'removal' (via unlink) and the 'mv' on files protected by veriexec. The intention is to reach the functional level of NetBSD veriexec. Add sysctl node security.mac.veriexec.unlink to toggle control on syscall unlink. Add tunable kernel variable security.mac.veriexec.block_unlink to toggle unlink protection. Add the corresponding read-only sysctl. [ tidied up commit message, trailing whitespace, long lines, { placement ] Reviewed by: sjg, imp Pull Request: https://github.com/freebsd/freebsd-src/pull/613
|
#
15c362ae |
|
29-Jun-2022 |
Wojciech Macek <wma@FreeBSD.org> |
mac_veriexec: Authorize reads of secured sysctls Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well. This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41. Reviewed by: sjg Differential revision: https://reviews.freebsd.org/D34327 Obtained from: Stormshield
|
#
bb92cd7b |
|
24-Mar-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: NDFREE(&nd, NDF_ONLY_PNBUF) -> NDFREE_PNBUF(&nd)
|
#
7e1d3eef |
|
25-Nov-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: remove the unused thread argument from NDINIT* See b4a58fbf640409a1 ("vfs: remove cn_thread") Bump __FreeBSD_version to 1400043.
|
#
fe8ce390 |
|
29-Jul-2021 |
Wojciech Macek <wma@FreeBSD.org> |
Fix mac_veriexec version mismatch mac_veriexec sets its version to 1, but the mac_veriexec_shaX modules which depend on it expect MAC_VERIEXEC_VERSION = 2. Be consistent and use MAC_VERIEXEC_VERSION everywhere. This unbreaks loading of mac_veriexec modules at boot time. Authored by: Kornel Duleba <mindal@semihalf.com> Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D31268
|
#
6b3a9a0f |
|
11-Jan-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
Convert remaining cap_rights_init users to cap_rights_init_one semantic patch: @@ expression rights, r; @@ - cap_rights_init(&rights, r) + cap_rights_init_one(&rights, r)
|
#
7029da5c |
|
26-Feb-2020 |
Pawel Biernacki <kaktus@FreeBSD.org> |
Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many) r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren’t properly marked). Use it in preparation for a general review of all nodes. This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags. Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT Approved by: kib (mentor, blanket) Commented by: kib, gallatin, melifaro Differential Revision: https://reviews.freebsd.org/D23718
|
#
478368ca |
|
06-Jan-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: eliminate v_tag from struct vnode There was only one consumer and it was using it incorrectly. It is given an equivalent hack. Reviewed by: jeff Differential Revision: https://reviews.freebsd.org/D23037
|
#
b249ce48 |
|
03-Jan-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: drop the mostly unused flags argument from VOP_UNLOCK Filesystems which want to use it in limited capacity can employ the VOP_UNLOCK_FLAGS macro. Reviewed by: kib (previous version) Differential Revision: https://reviews.freebsd.org/D21427
|
#
6cbc9703 |
|
17-May-2019 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
Obtain a shared lock instead of exclusive in the MAC/veriexec MAC_VERIEXEC_CHECK_PATH_SYSCALL per-MAC policy system call. When we are checking the status of the fingerprint on a vnode using the per-MAC-policy syscall, we do not need an exclusive lock on the vnode. Even if there is more than one thread requesting the status at the same time, the worst we can end up doing is processing the file more than once. This can potentially be improved in the future with offloading the fingerprint evaluation to a separate thread and blocking until the update completes. But for now the race is acceptable. Obtained from: Juniper Networks, Inc. MFC after: 1 week
|
#
ed377cf4 |
|
17-May-2019 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
sysctls which should be restricted when securelevel is raised should also be restricted when veriexec is enforced. Add mpo_system_check_sysctl method to mac_veriexec which does this. Obtained from: Juniper Networks, Inc. MFC after: 1 week
|
#
3d53cd0f |
|
17-May-2019 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
Fix format strings for some debug messages that could have arguments that are different types across architectures by using %ju and typecasting to uintmax_t, where appropriate. Obtained from: Juniper Networks, Inc. MFC after: 1 week
|
#
3da3012a |
|
17-May-2019 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
Ensure we have obtained a lock on the process before calling mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller has not already acquired the process lock. Obtained from: Juniper Networks, Inc. MFC after: 1 week
|
#
ade97886 |
|
14-Jul-2018 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
Add mpo_vnode_check_setmode MAC method to MAC/veriexec. In the method, disallow changing SUID/SGID on verified files. Obtained from: Juniper Networks, Inc.
|
#
1db017d0 |
|
14-Jul-2018 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
Fix a typo which could cause a build breakage when building with MAC/veriexec enabled in the kernel config. Remove unused mac_veriexec_print_db prototype in internal header file.
|
#
fb47a376 |
|
19-Jun-2018 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
MAC/veriexec implements a verified execution environment using the MAC framework. The code is organized into a few distinct pieces: * The meta-data store (in veriexec_metadata.c) which maps a file system identifier, file identifier, and generation key tuple to veriexec meta-data record. * Fingerprint management (in veriexec_fingerprint.c) which deals with calculating the cryptographic hash for a file and verifying it. It also manages the loadable fingerprint modules. * MAC policy implementation (in mac_veriexec.c) which implements the following MAC methods: mpo_init Initializes the veriexec state, meta-data store, fingerprint modules, and registers mount and unmount EVENTHANDLERs mpo_syscall Implements the following per-policy system calls: MAC_VERIEXEC_CHECK_FD_SYSCALL Check a file descriptor to see if the referenced file has a valid fingerprint. MAC_VERIEXEC_CHECK_PATH_SYSCALL Check a path to see if the referenced file has a valid fingerprint. mpo_kld_check_load Check if loading a kld is allowed. This checks if the referenced vnode has a valid fingerprint. mpo_mount_destroy_label Clears the veriexec slot data in a mount point label. mpo_mount_init_label Initializes the veriexec slot data in a mount point label. The file system identifier is saved in the veriexec slot data. mpo_priv_check Check if a process is allowed to write to /dev/kmem and /dev/mem devices. If a process is flagged as trusted, it is allowed to write. mpo_proc_check_debug Check if a process is allowed to be debugged. If a process is not flagged with VERIEXEC_NOTRACE, then debugging is allowed. mpo_vnode_check_exec Check is an exectuable is allowed to run. If veriexec is not enforcing or the executable has a valid fingerprint, then it is allowed to run. NOTE: veriexec will complain about mismatched fingerprints if it is active, regardless of the state of the enforcement. mpo_vnode_check_open Check is a file is allowed to be opened. If verification was not requested, veriexec is not enforcing, or the file has a valid fingerprint, then veriexec will allow the file to be opened. mpo_vnode_copy_label Copies the veriexec slot data from one label to another. mpo_vnode_destroy_label Clears the veriexec slot data in a vnode label. mpo_vnode_init_label Initializes the veriexec slot data in a vnode label. The fingerprint status for the file is stored in the veriexec slot data. * Some sysctls, under security.mac.veriexec, for setting debug level, fetching the current state in a human-readable form, and dumping the fingerprint database are implemented. * The MAC policy implementation source file also contains some utility functions. * A set of fingerprint modules for the following cryptographic hash algorithms: RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512 * Loadable module builds for MAC/veriexec and fingerprint modules. WARNING: Using veriexec with NFS (or other network-based) file systems is not recommended as one cannot guarantee the integrity of the files served, nor the uniqueness of file system identifiers which are used as key in the meta-data store. Reviewed by: ian, jtl Obtained from: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D8554
|