1/*
2 *
3 * Copyright (c) 2011-2023, Juniper Networks, Inc.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
20 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
21 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
22 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28#include <sys/param.h>
29#include <sys/systm.h>
30#include <sys/buf.h>
31#include <sys/conf.h>
32#include <sys/errno.h>
33#include <sys/fcntl.h>
34#include <sys/file.h>
35#include <sys/filedesc.h>
36#include <sys/ioccom.h>
37#include <sys/jail.h>
38#include <sys/kernel.h>
39#include <sys/lock.h>
40#include <sys/malloc.h>
41#include <sys/mdioctl.h>
42#include <sys/mount.h>
43#include <sys/mutex.h>
44#include <sys/namei.h>
45#include <sys/priv.h>
46#include <sys/proc.h>
47#include <sys/queue.h>
48#include <sys/vnode.h>
49
50#include <security/mac_veriexec/mac_veriexec.h>
51#include <security/mac_veriexec/mac_veriexec_internal.h>
52
53#include "veriexec_ioctl.h"
54
55/*
56 * We need a mutex while updating lists etc.
57 */
58extern struct mtx ve_mutex;
59
60/*
61 * Handle the ioctl for the device
62 */
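/*
 * Load one fingerprint (and, for VERIEXEC_LABEL_LOAD, a label) into the
 * veriexec metadata store.  Shared by VERIEXEC_LOAD, VERIEXEC_SIGNED_LOAD
 * and VERIEXEC_LABEL_LOAD once the caller has passed the privilege,
 * securelevel and LOCKED checks.
 *
 * cmd      the ioctl being serviced; decides whether the entry may
 *          override flags on the file and whether a label may be present.
 * params   the fingerprint request, already in kernel space.
 * lparams  the argument buffer viewed as a label request; the label
 *          member only exists in the buffer when cmd is VERIEXEC_LABEL_LOAD.
 * td       calling thread; its credentials are used for the lookup.
 *
 * Returns 0 on success, EINVAL for a malformed request, or the error from
 * the vnode lookup / attribute fetch / metadata insert.
 */
static int
veriexec_load_fingerprint(u_long cmd, struct verified_exec_params *params,
    struct verified_exec_label_params *lparams, struct thread *td)
{
	struct nameidata nid;
	struct vattr vattr;
	size_t labellen = 0;
	int open_flags = FREAD;		/* not the ioctl's flags argument */
	int override = (cmd != VERIEXEC_LOAD);
	int error;

	if (params->flags & VERIEXEC_LABEL) {
		/*
		 * sys_ioctl sizes the argument buffer for cmd's argument
		 * type, so lparams->label lies beyond the end of the buffer
		 * for every load command except VERIEXEC_LABEL_LOAD.  Refuse
		 * rather than read past it.
		 */
		if (cmd != VERIEXEC_LABEL_LOAD)
			return (EINVAL);
		labellen = strnlen(lparams->label, MAXLABELLEN) + 1;
		if (labellen > MAXLABELLEN)
			return (EINVAL);	/* label not NUL terminated */
	}

	/*
	 * Look the file up and fetch its attributes: the entry is keyed by
	 * (fsid, fileid, gen), not by path, so exec-time checks are not
	 * fooled by renames.  params->file is already in kernel space;
	 * namei bounds it at MAXPATHLEN.  fp_type/fingerprint are fixed
	 * arrays from userland whose termination is left to
	 * mac_veriexec_metadata_add_file() — TODO confirm it bounds them.
	 */
	NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, params->file);
	error = vn_open(&nid, &open_flags, 0, NULL);
	if (error != 0)
		return (error);

	error = VOP_GETATTR(nid.ni_vp, &vattr, td->td_ucred);
	if (error == 0 && override) {
		/*
		 * A request must never override the flags of a file that
		 * lives on a verified filesystem; someone may be playing
		 * games.
		 */
		if ((nid.ni_vp->v_mount->mnt_flag & MNT_VERIFIED) != 0)
			override = 0;
	}

	/*
	 * vn_open will have cached a fingerprint status on the vnode (which
	 * at this point would always be FINGERPRINT_NOTFOUND); invalidate it
	 * so the next check re-evaluates against the entry added below.
	 * Done on the error path too, as before.
	 */
	mac_veriexec_set_fingerprint_status(nid.ni_vp, FINGERPRINT_INVALID);
	VOP_UNLOCK(nid.ni_vp);
	(void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
	if (error != 0)
		return (error);

	mtx_lock(&ve_mutex);
	error = mac_veriexec_metadata_add_file(
	    ((params->flags & VERIEXEC_FILE) != 0),
	    vattr.va_fsid, vattr.va_fileid, vattr.va_gen,
	    params->fingerprint,
	    (params->flags & VERIEXEC_LABEL) ? lparams->label : NULL,
	    labellen, params->flags, params->fp_type, override);
	/*
	 * LOADED is what unlocks ACTIVE/ENFORCE and the securelevel > 0
	 * exception for further loads, so only claim it once an entry has
	 * actually been added rather than on every attempt.
	 */
	if (error == 0)
		mac_veriexec_set_state(VERIEXEC_STATE_LOADED);
	mtx_unlock(&ve_mutex);

	return (error);
}

/*
 * ioctl entry point for /dev/veriexec.
 *
 * VERIEXEC_GETSTATE is answered for anyone who can open the node.  Every
 * other command requires PRIV_VERIEXEC_CONTROL, which MAC/veriexec grants
 * to "trusted" processes alongside kmem write privilege.
 *
 * dev    unused.
 * cmd    the VERIEXEC_* request.
 * data   kernel copy of the ioctl argument, sized by sys_ioctl for cmd.
 * flags  file open flags; unused.
 * td     calling thread.
 *
 * Returns 0 or an errno: EPERM for privilege, securelevel and LOCKED
 * refusals, EINVAL for state or argument problems, ENODEV for requests
 * this handler does not implement.
 */
static int
verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
    int flags __unused, struct thread *td)
{
	struct verified_exec_label_params *lparams;
	struct verified_exec_params *params, params_;
	int *ip;
	int error = 0;

	/*
	 * The one request considered safe for anyone who can open the node.
	 */
	if (cmd == VERIEXEC_GETSTATE) {
		ip = (int *)data;
		if (ip == NULL)
			return (EINVAL);
		*ip = mac_veriexec_get_state();
		return (0);
	}

	/*
	 * Everything else can change what the system will execute.
	 */
	error = priv_check(td, PRIV_VERIEXEC_CONTROL);
	if (error != 0)
		return (error);

	/*
	 * Locate the fingerprint parameters inside the argument buffer.
	 */
	lparams = (struct verified_exec_label_params *)data;
	switch (cmd) {
	case VERIEXEC_LABEL_LOAD:
		params = &lparams->params;
		break;
	case VERIEXEC_SIGNED_LOAD32:
		/*
		 * Copy the 32-bit layout into a zeroed native structure so
		 * no field is left uninitialised.
		 *
		 * NOTE(review): no case in the command switch below handles
		 * VERIEXEC_SIGNED_LOAD32, so after this copy the request
		 * falls to the ENODEV default.  Confirm whether it should be
		 * listed alongside VERIEXEC_SIGNED_LOAD.
		 */
		memset(&params_, 0, sizeof(params_));
		memcpy(&params_, data, sizeof(struct verified_exec_params32));
		params = &params_;
		break;
	default:
		params = (struct verified_exec_params *)data;
		break;
	}

	switch (cmd) {
	case VERIEXEC_ACTIVE:
		/* Requires at least one fingerprint to have been loaded. */
		mtx_lock(&ve_mutex);
		if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
			mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE);
		else
			error = EINVAL;
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_ENFORCE:
		/* Sets ACTIVE and ENFORCE together; same precondition. */
		mtx_lock(&ve_mutex);
		if (mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
			mac_veriexec_set_state(VERIEXEC_STATE_ACTIVE |
			    VERIEXEC_STATE_ENFORCE);
		else
			error = EINVAL;
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_DEBUG_ON:
		/*
		 * Bump the debug level, or set it to the caller's value when
		 * that is positive, and report the resulting level back.
		 */
		ip = (int *)data;
		mtx_lock(&ve_mutex);
		mac_veriexec_debug++;
		if (ip != NULL) {
			if (*ip > 0)
				mac_veriexec_debug = *ip;
			*ip = mac_veriexec_debug;
		}
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_DEBUG_OFF:
		/* Hold ve_mutex as DEBUG_ON does so the two cannot race. */
		mtx_lock(&ve_mutex);
		mac_veriexec_debug = 0;
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_GETVERSION:
		ip = (int *)data;
		if (ip != NULL)
			*ip = MAC_VERIEXEC_VERSION;
		else
			error = EINVAL;
		break;
	case VERIEXEC_LOCK:
		/* Nothing in this handler clears LOCKED once it is set. */
		mtx_lock(&ve_mutex);
		mac_veriexec_set_state(VERIEXEC_STATE_LOCKED);
		mtx_unlock(&ve_mutex);
		break;
	case VERIEXEC_LOAD:
		/* Unsigned loads are refused outright once secure. */
		if (prison0.pr_securelevel > 0)
			return (EPERM);
		/* FALLTHROUGH */
	case VERIEXEC_LABEL_LOAD:
	case VERIEXEC_SIGNED_LOAD:
		/*
		 * With securelevel raised, a load is only accepted if a list
		 * is already in place (the expectation being that it came
		 * from a loader that verified a digitally signed hash list);
		 * starting from nothing at that point would be dangerous.
		 */
		if (prison0.pr_securelevel > 0 &&
		    !mac_veriexec_in_state(VERIEXEC_STATE_LOADED))
			return (EPERM);
		if (mac_veriexec_in_state(VERIEXEC_STATE_LOCKED)) {
			error = EPERM;
			break;
		}
		error = veriexec_load_fingerprint(cmd, params, lparams, td);
		break;
	default:
		error = ENODEV;
		break;
	}
	return (error);
}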
263
/*
 * Character-device switch for /dev/veriexec.  Only the ioctl entry point
 * is supplied; the remaining entry points are left unset.
 */
struct cdevsw veriexec_cdevsw = {
	.d_name =	"veriexec",
	.d_version =	D_VERSION,
	.d_ioctl =	verifiedexecioctl,
};
269
/*
 * Create the /dev/veriexec node.  It is root:wheel mode 0600, so only
 * root (or a process root hands the descriptor to) can reach the ioctl
 * handler at all; the dangerous requests are additionally gated there
 * by PRIV_VERIEXEC_CONTROL.
 */
static void
veriexec_drvinit(void *unused __unused)
{

	/* The returned cdev is not needed later; the node is found by name. */
	(void) make_dev(&veriexec_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600,
	    "veriexec");
}
276
/* Create the device node during SI_SUB_PSEUDO initialisation. */
SYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL);
/*
 * Require exactly MAC_VERIEXEC_VERSION of mac_veriexec
 * (minimum, preferred and maximum are all the same value).
 */
MODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION,
    MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION);
280