Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern Instead of duplicating code, add veriexec_fp_status...



details:   https://anonhg.NetBSD.org/src/rev/82ae907ea735
branches:  trunk
changeset: 337734:82ae907ea735
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Apr 25 18:43:13 2015 +0000

description:
Instead of duplicating code, add veriexec_fp_status(). Also reorder a
useless goto.

diffstat:

 sys/kern/kern_veriexec.c |  106 +++++++++++++++++++++++-----------------------
 1 files changed, 53 insertions(+), 53 deletions(-)

diffs (172 lines):

diff -r 8b5f5627ea26 -r 82ae907ea735 sys/kern/kern_veriexec.c
--- a/sys/kern/kern_veriexec.c  Sat Apr 25 18:41:55 2015 +0000
+++ b/sys/kern/kern_veriexec.c  Sat Apr 25 18:43:13 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_veriexec.c,v 1.3 2015/04/25 09:08:51 maxv Exp $   */
+/*     $NetBSD: kern_veriexec.c,v 1.4 2015/04/25 18:43:13 maxv Exp $   */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_veriexec.c,v 1.3 2015/04/25 09:08:51 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_veriexec.c,v 1.4 2015/04/25 18:43:13 maxv Exp $");
 
 #include "opt_veriexec.h"
 
@@ -557,6 +557,32 @@
        return (memcmp(fp1, fp2, ops->hash_len));
 }
 
+static int
+veriexec_fp_status(struct lwp *l, struct vnode *vp, int file_lock_state,
+    struct veriexec_file_entry *vfe, u_char *status)
+{
+       size_t hash_len = vfe->ops->hash_len;
+       u_char *digest;
+       int error = 0;
+
+       digest = kmem_zalloc(hash_len, KM_SLEEP);
+
+       error = veriexec_fp_calc(l, vp, file_lock_state, vfe, digest);
+       if (error)
+               goto out;
+
+       /* Compare fingerprint with loaded data. */
+       if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0)
+               *status = FINGERPRINT_VALID;
+       else
+               *status = FINGERPRINT_NOMATCH;
+
+out:
+       kmem_free(digest, hash_len);
+       return error;
+}
+
+
 static struct veriexec_table_entry *
 veriexec_table_lookup(struct mount *mp)
 {
@@ -624,7 +650,7 @@
     int flag, int file_lock_state, struct veriexec_file_entry **vfep)
 {
        struct veriexec_file_entry *vfe;
-       int error;
+       int error = 0;
 
        KASSERT(rw_lock_held(&veriexec_op_lock));
        KASSERT((file_lock_state != VERIEXEC_LOCKED) &&
@@ -643,10 +669,23 @@
        vfe = veriexec_get(vp);
        if (vfep != NULL)
                *vfep = vfe;
-       if (vfe == NULL)
-               goto out;
+
+       /* No entry in the veriexec tables. */
+       if (vfe == NULL) {
+               veriexec_file_report(NULL, "No entry.", name,
+                   l, REPORT_VERBOSE);
 
-       error = 0;
+               /*
+                * Lockdown mode: Deny access to non-monitored files.
+                * IPS mode: Deny execution of non-monitored files.
+                */
+               if ((veriexec_strict >= VERIEXEC_LOCKDOWN) ||
+                   ((veriexec_strict >= VERIEXEC_IPS) &&
+                    (flag != VERIEXEC_FILE)))
+                       return (EPERM);
+
+               return (0);
+       }
 
        /*
         * Grab the lock for the entry, if we need to do an evaluation
@@ -663,27 +702,16 @@
 
        /* Evaluate fingerprint if needed. */
        if (VFE_NEEDS_EVAL(vfe)) {
-               u_char *digest;
+               u_char status;
 
-               /* Calculate fingerprint for on-disk file. */
-               digest = kmem_zalloc(vfe->ops->hash_len, KM_SLEEP);
-
-               error = veriexec_fp_calc(l, vp, file_lock_state, vfe, digest);
+               error = veriexec_fp_status(l, vp, file_lock_state, vfe, &status);
                if (error) {
                        veriexec_file_report(vfe, "Fingerprint calculation error.",
                            name, NULL, REPORT_ALWAYS);
-                       kmem_free(digest, vfe->ops->hash_len);
                        rw_exit(&vfe->lock);
                        return (error);
                }
-
-               /* Compare fingerprint with loaded data. */
-               if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0)
-                       vfe->status = FINGERPRINT_VALID;
-               else
-                       vfe->status = FINGERPRINT_NOMATCH;
-
-               kmem_free(digest, vfe->ops->hash_len);
+               vfe->status = status;
                rw_downgrade(&vfe->lock);
        }
 
@@ -698,24 +726,6 @@
                }
        }
 
- out:
-       /* No entry in the veriexec tables. */
-       if (vfe == NULL) {
-               veriexec_file_report(NULL, "No entry.", name,
-                   l, REPORT_VERBOSE);
-
-               /*
-                * Lockdown mode: Deny access to non-monitored files.
-                * IPS mode: Deny execution of non-monitored files.
-                */
-               if ((veriexec_strict >= VERIEXEC_LOCKDOWN) ||
-                   ((veriexec_strict >= VERIEXEC_IPS) &&
-                    (flag != VERIEXEC_FILE)))
-                       return (EPERM);
-
-               return (0);
-       }
-
        switch (vfe->status) {
        case FINGERPRINT_NOTEVAL:
                /* Should not happen. */
@@ -1291,23 +1301,13 @@
 
        if (prop_bool_true(prop_dictionary_get(dict, "eval-on-load")) ||
            (vfe->type & VERIEXEC_UNTRUSTED)) {
-               u_char *digest;
-
-               digest = kmem_zalloc(vfe->ops->hash_len, KM_SLEEP);
+               u_char status;
 
-               error = veriexec_fp_calc(l, vp, VERIEXEC_FILE_UNLOCKED,
-                                        vfe, digest);
-               if (error) {
-                       kmem_free(digest, vfe->ops->hash_len);
+               error = veriexec_fp_status(l, vp, VERIEXEC_FILE_UNLOCKED,
+                   vfe, &status);
+               if (error)
                        goto unlock_out;
-               }
-
-               if (veriexec_fp_cmp(vfe->ops, vfe->fp, digest) == 0)
-                       vfe->status = FINGERPRINT_VALID;
-               else
-                       vfe->status = FINGERPRINT_NOMATCH;
-
-               kmem_free(digest, vfe->ops->hash_len);
+               vfe->status = status;
        }
 
        vte = veriexec_table_lookup(vp->v_mount);



Home | Main Index | Thread Index | Old Index