mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-11-30 08:43:23 +00:00
loader: ignore some variable settings if input unverified
libsecureboot can tell us if the most recent file opened was verfied or not. If it's state is VE_UNVERIFIED_OK, skip if variable matches one of the restricted prefixes. Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D20909
This commit is contained in:
parent
068ad27de3
commit
bbac74ca3c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=350099
@ -304,6 +304,36 @@ command_set(int argc, char *argv[])
|
||||
command_errmsg = "wrong number of arguments";
|
||||
return (CMD_ERROR);
|
||||
} else {
|
||||
#ifdef LOADER_VERIEXEC
|
||||
/*
|
||||
* Impose restrictions if input is not verified
|
||||
*/
|
||||
const char *restricted[] = {
|
||||
"boot",
|
||||
"init",
|
||||
"loader.ve.",
|
||||
"rootfs",
|
||||
"secur",
|
||||
"vfs.",
|
||||
NULL,
|
||||
};
|
||||
const char **cp;
|
||||
int ves;
|
||||
|
||||
ves = ve_status_get(-1);
|
||||
if (ves == VE_UNVERIFIED_OK) {
|
||||
#ifdef LOADER_VERIEXEC_TESTING
|
||||
printf("Checking: %s\n", argv[1]);
|
||||
#endif
|
||||
for (cp = restricted; *cp; cp++) {
|
||||
if (strncmp(argv[1], *cp, strlen(*cp)) == 0) {
|
||||
printf("Ignoring restricted variable: %s\n",
|
||||
argv[1]);
|
||||
return (CMD_OK);
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if ((err = putenv(argv[1])) != 0) {
|
||||
command_errmsg = strerror(err);
|
||||
return (CMD_ERROR);
|
||||
|
Loading…
Reference in New Issue
Block a user