Source-Changes-HG archive
[src/trunk]: src More veriexec changes:
details: https://anonhg.NetBSD.org/src/rev/af4e9717bba1
branches: trunk
changeset: 582116:af4e9717bba1
user: elad <elad%NetBSD.org@localhost>
date: Fri Jun 17 17:46:18 2005 +0000
description:
More veriexec changes:
- Better organize strict level. Now we have 4 levels:
  - Level 0, learning mode: Warnings only about anything that might've
    resulted in 'access denied' or similar in a higher strict level.
  - Level 1, IDS mode:
    - Deny access on fingerprint mismatch.
    - Deny modification of veriexec tables.
  - Level 2, IPS mode:
    - All implications of strict level 1.
    - Deny write access to monitored files.
    - Prevent removal of monitored files.
    - Enforce access type - 'direct', 'indirect', or 'file'.
  - Level 3, lockdown mode:
    - All implications of strict level 2.
    - Prevent creation of new files.
    - Deny access to non-monitored files.
- Update sysctl(3) man-page with above. (date bumped too :)
- Remove FINGERPRINT_INDIRECT from possible fp_status values; it's no
longer needed.
- Simplify veriexec_removechk() in light of new strict level policies.
- Eliminate use of 'securelevel'; veriexec now behaves according to
its strict level only.
diffstat:
lib/libc/gen/sysctl.3 | 22 +++--
sys/dev/verified_exec.c | 15 +--
sys/kern/kern_verifiedexec.c | 146 ++++++++----------------------------------
sys/kern/vfs_syscalls.c | 8 +-
sys/kern/vfs_vnops.c | 42 +++++++-----
sys/sys/vnode.h | 8 +-
6 files changed, 77 insertions(+), 164 deletions(-)
diffs (truncated from 444 to 300 lines):
diff -r 2136d1441dd0 -r af4e9717bba1 lib/libc/gen/sysctl.3
--- a/lib/libc/gen/sysctl.3 Fri Jun 17 17:12:57 2005 +0000
+++ b/lib/libc/gen/sysctl.3 Fri Jun 17 17:46:18 2005 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.3,v 1.149 2005/05/24 15:58:11 wiz Exp $
+.\" $NetBSD: sysctl.3,v 1.150 2005/06/17 17:46:18 elad Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
-.Dd May 24, 2005
+.Dd June 17, 2005
.Dt SYSCTL 3
.Os
.Sh NAME
@@ -898,15 +898,17 @@
Verified Exec will treat various situations.
In strict level 0, the system is in learning mode and will only warn about
fingerprint mismatches, aswell as allow removal of fingerprinted files.
-In strict level 1, the system is in normal mode.
-It will enforce indirect
-execution if needed, prevent access to files with a fingerprint mismatch,
-and prevent removal of fingerprinted files.
-It will also prevent execution of files with no fingerprint.
-In strict level 2, the system is in critical mode.
+It is the only level where fingerprints can be loaded.
+In strict level 1, the system is in IDS mode.
+It will deny access to files with mismatched fingerprints.
+In strict level 2, the system is in IPS mode.
It has all effects of
-strict level 1, plus it will deny access (read, write, exec, and delete)
-to files without a valid fingerprint.
+strict level 1, plus it will deny write access to monitored files,
+prevent their removal, and enforce access type (direct, indirect, file).
+Strict level 3 operates as lockdown mode. It will have all effects of
+strict level 2, but it will also prevent access to non-monitored files.
+Furthermore, it will prevent addition of new files to the system, and
+allow writing only to files opened before the strict level was raised.
.It Li VERIEXEC_ALGORITHMS
Returns a string with the supported algorithms in Verified Exec.
.It Li VERIEXEC_COUNT
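Review bot: the two level-3 claims that new files cannot be added and that writes are allowed only to files opened before the level was raised are not backed by any hunk visible in this mail (the vfs_vnops.c and vfs_syscalls.c diffs were truncated), so the wording cannot be checked against the code here. The unchanged context line still reads "aswell"; fix it to "as well" while this paragraph is being rewritten. Since the new level-1 text drops both "enforce indirect execution" and "prevent execution of files with no fingerprint", consider saying explicitly that levels 1 and 2 no longer block execution of files without a fingerprint, as that is the user-visible change most likely to surprise an administrator.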
diff -r 2136d1441dd0 -r af4e9717bba1 sys/dev/verified_exec.c
--- a/sys/dev/verified_exec.c Fri Jun 17 17:12:57 2005 +0000
+++ b/sys/dev/verified_exec.c Fri Jun 17 17:46:18 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $ */
+/* $NetBSD: verified_exec.c,v 1.15 2005/06/17 17:46:18 elad Exp $ */
/*-
* Copyright 2005 Elad Efrat <elad%bsd.org.il@localhost>
@@ -31,9 +31,9 @@
#include <sys/cdefs.h>
#if defined(__NetBSD__)
-__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.15 2005/06/17 17:46:18 elad Exp $");
#else
-__RCSID("$Id: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $\n$NetBSD: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $");
+__RCSID("$Id: verified_exec.c,v 1.15 2005/06/17 17:46:18 elad Exp $\n$NetBSD: verified_exec.c,v 1.15 2005/06/17 17:46:18 elad Exp $");
#endif
#include <sys/param.h>
@@ -158,12 +158,9 @@
int error = 0;
u_long hashmask;
- /*
- * Don't allow updates in multi-user mode.
- */
- if ((securelevel > 0) || (veriexec_strict > 0)) {
- printf("Veriexec: veriexecioctl: Securelevel or strict "
- "mode, modifying veriexec tables is not permitted.\n");
+ if (veriexec_strict > 0) {
+ printf("Veriexec: veriexecioctl: Strict mode, modifying "
+ "veriexec tables is not permitted.\n");
return (EPERM);
}
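Review bot: the comment block explaining why updates are refused was removed together with the securelevel test; keep a one-line comment stating that veriexec tables may be modified only in strict level 0. With `securelevel` no longer consulted, this `veriexec_strict > 0` test is the sole guard on table modification, so a multi-user system left at strict level 0 will accept new fingerprints at any time.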
diff -r 2136d1441dd0 -r af4e9717bba1 sys/kern/kern_verifiedexec.c
--- a/sys/kern/kern_verifiedexec.c Fri Jun 17 17:12:57 2005 +0000
+++ b/sys/kern/kern_verifiedexec.c Fri Jun 17 17:46:18 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_verifiedexec.c,v 1.25 2005/06/14 21:55:21 elad Exp $ */
+/* $NetBSD: kern_verifiedexec.c,v 1.26 2005/06/17 17:46:18 elad Exp $ */
/*-
* Copyright 2005 Elad Efrat <elad%bsd.org.il@localhost>
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.25 2005/06/14 21:55:21 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.26 2005/06/17 17:46:18 elad Exp $");
#include <sys/param.h>
#include <sys/mount.h>
@@ -358,8 +358,8 @@
/* Evaluate fingerprint if needed and set the status on the vp. */
if (vp->fp_status == FINGERPRINT_NOTEVAL) {
- vp->vhe = veriexec_lookup(va->va_fsid, va->va_fileid);
- if (vp->vhe == NULL) {
+ if ((vp->v_type != VREG) || (vp->vhe =
+ veriexec_lookup(va->va_fsid, va->va_fileid)) == NULL) {
vp->fp_status = FINGERPRINT_NOENTRY;
goto out;
}
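Review bot: when `vp->v_type != VREG` short-circuits the new condition, `vp->vhe` is never assigned, yet the status is set to FINGERPRINT_NOENTRY; the later `if (vp->vhe == NULL) goto out` relies on `vp->vhe` being NULL at that point. Assign `vp->vhe = NULL` explicitly before the test (or in that branch) rather than depending on the vnode having been freshly initialised.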
@@ -380,33 +380,25 @@
}
if (veriexec_fp_cmp(vp->vhe->ops, vp->vhe->fp, digest) == 0) {
- if (vp->vhe->type == VERIEXEC_INDIRECT) {
- vp->fp_status = FINGERPRINT_INDIRECT;
- } else {
- vp->fp_status = FINGERPRINT_VALID;
- }
+ vp->fp_status = FINGERPRINT_VALID;
} else {
vp->fp_status = FINGERPRINT_NOMATCH;
}
+
free(digest, M_TEMP);
}
- switch (flag) {
- case VERIEXEC_DIRECT:
- case VERIEXEC_INDIRECT:
- if ((vp->vhe != NULL) && (vp->vhe->type == VERIEXEC_FILE)) {
- veriexec_report("Execution of 'FILE' entry.",
- name, va, p, REPORT_NOVERBOSE,
- REPORT_ALARM, REPORT_NOPANIC);
+ if (vp->vhe == NULL)
+ goto out;
- if (veriexec_strict > 1)
- return (EPERM);
- }
+ if (flag != vp->vhe->type) {
+ veriexec_report("Incorrect access type.", name, va, p,
+ REPORT_NOVERBOSE, REPORT_ALARM,
+ REPORT_NOPANIC);
- break;
-
- case VERIEXEC_FILE:
- break;
+ /* IPS mode: Enforce access type. */
+ if (veriexec_strict >= 2)
+ return (EPERM);
}
out:
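Review bot: `flag != vp->vhe->type` is stricter than the switch it replaces. The old code only objected to a VERIEXEC_FILE entry being executed; the new test also reports "Incorrect access type." for a DIRECT or INDIRECT entry reached through any caller passing VERIEXEC_FILE, and at strict level 2 and above denies it. If that is intended, the man page text for level 2 should say so; if not, permit VERIEXEC_FILE access to executable entries and keep the equality check for the two execution cases only.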
@@ -424,30 +416,13 @@
break;
- case FINGERPRINT_INDIRECT:
- /* Fingerprint is okay; Make sure it's indirect execution. */
- veriexec_report("veriexec_verify: Match. [indirect]",
- name, va, NULL, REPORT_VERBOSE, REPORT_NOALARM,
- REPORT_NOPANIC);
-
- if (flag == VERIEXEC_DIRECT) {
- veriexec_report("veriexec_verify: Direct "
- "execution.", name, va, NULL,
- REPORT_NOVERBOSE, REPORT_ALARM,
- REPORT_NOPANIC);
-
- if (veriexec_strict > 0)
- error = EPERM;
- }
-
- break;
-
case FINGERPRINT_NOMATCH:
- /* Fingerprint mismatch. Deny execution. */
+ /* Fingerprint mismatch. */
veriexec_report("veriexec_verify: Mismatch.", name, va,
NULL, REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);
- if (veriexec_strict > 0)
+ /* IDS mode: Deny access on fingerprint mismatch. */
+ if (veriexec_strict >= 1)
error = EPERM;
break;
@@ -457,22 +432,8 @@
veriexec_report("veriexec_verify: No entry.", name, va,
p, REPORT_VERBOSE, REPORT_NOALARM, REPORT_NOPANIC);
- /* We don't care about these in learning mode. */
- if (veriexec_strict == 0) {
- break;
- }
-
- /*
- * Deny access to files with no entry if
- * - File is being executed, and we're in strict
- * level 1; or
- * - File is being accessed, and we're in strict
- * level 2.
- */
- if (((veriexec_strict == 1) &&
- ((flag == VERIEXEC_DIRECT) ||
- (flag == VERIEXEC_INDIRECT))) ||
- (veriexec_strict > 1))
+ /* Lockdown mode: Deny access to non-monitored files. */
+ if (veriexec_strict >= 3)
error = EPERM;
break;
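Review bot: with the denial moved to `veriexec_strict >= 3`, a file with no entry now executes freely in IDS mode (level 1) and IPS mode (level 2), where the old code refused execution at level 1 and any access at level 2; the report for this case is still REPORT_VERBOSE / REPORT_NOALARM, so in IDS mode the execution of an unmonitored file leaves no alarm at all. Consider reporting with REPORT_ALARM when `veriexec_strict >= 1` so that level 1 at least records what level 3 would have denied.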
@@ -491,9 +452,7 @@
}
/*
- * Veriexec remove policy code. If we have an entry for the file in our
- * tables, we disallow removing if the securelevel is high or we're in
- * strict mode.
+ * Veriexec remove policy code.
*/
int
veriexec_removechk(struct proc *p, struct vnode *vp, const char *pathbuf)
@@ -507,63 +466,16 @@
if (error)
return (error);
- /*
- * Evaluate fingerprint to eliminate FINGERPRINT_NOTEVAL.
- * The flag here should have no affect on the return value.
- */
- error = veriexec_verify(p, vp, &va, pathbuf, VERIEXEC_FILE);
- if (error) {
- return (error);
- }
-
- switch (vp->fp_status) {
- case FINGERPRINT_VALID:
- case FINGERPRINT_INDIRECT:
- case FINGERPRINT_NOMATCH:
- if (veriexec_strict > 0) {
- veriexec_report("veriexec_removechk: Denying "
- "unlink.", pathbuf, &va, p, REPORT_NOVERBOSE,
- REPORT_ALARM, REPORT_NOPANIC);
-
- error = EPERM;
- } else {
- veriexec_report("veriexec_removechk: Removing "
- "entry.", pathbuf, &va, NULL,
- REPORT_NOVERBOSE, REPORT_NOALARM,
- REPORT_NOPANIC);
-
- goto veriexec_rm;
- }
+ vhe = veriexec_lookup(va.va_fsid, va.va_fileid);
+ if (vhe == NULL)
+ return (0);
- break;
-
- case FINGERPRINT_NOENTRY:
- if (veriexec_strict > 1) {
- veriexec_report("veriexec_removechk: Denying "
- "unlink. [strict]", pathbuf, &va, p,
- REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);
-
- error = EPERM;
- }
-
- break;
+ veriexec_report("Remove request.", pathbuf, &va, p,
+ REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);
- default:
- veriexec_report("veriexec_removechk: Invalid status post "
- "evaluation; inconsistency detected.", pathbuf, &va,
- NULL, REPORT_NOVERBOSE, REPORT_NOALARM, REPORT_PANIC);
- }
-
- return (error);
-
-veriexec_rm:
- vhe = veriexec_lookup(va.va_fsid, va.va_fileid);
- if (vhe == NULL) {
- veriexec_report("veriexec_removechk: Inconsistency "
- "detected: Trying to remove entry without having one.",
- pathbuf, &va, NULL, REPORT_NOVERBOSE, REPORT_NOALARM,
- REPORT_PANIC);
- }
+ /* IPS mode: Deny removal of monitored files. */
+ if (veriexec_strict >= 2)
+ return (EPERM);
tbl = veriexec_tblfind(va.va_fsid);
if (tbl == NULL) {
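Review bot: "Remove request." is now reported with REPORT_ALARM before the strict level is consulted, so every unlink of a monitored file raises an alarm even in learning mode and IDS mode, where the removal is then permitted and the code falls through to `veriexec_tblfind()` and drops the entry; the old code alarmed only when denying. Use REPORT_NOALARM below level 2 or move the report after the check. Note also that at level 1 this path still modifies the veriexec tables (the entry is removed) although the ioctl path refuses table modification at that level; if that asymmetry is intended it deserves a comment here.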
diff -r 2136d1441dd0 -r af4e9717bba1 sys/kern/vfs_syscalls.c
--- a/sys/kern/vfs_syscalls.c Fri Jun 17 17:12:57 2005 +0000
+++ b/sys/kern/vfs_syscalls.c Fri Jun 17 17:46:18 2005 +0000