mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-11-26 20:12:44 +00:00
1554ba03b6
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec. There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels. The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed. We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter. Add -l option to sbin/veriexec to report labels. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
311 lines
7.5 KiB
C
311 lines
7.5 KiB
C
/*-
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
*
|
|
* Copyright (c) 2018-2023, Juniper Networks, Inc.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
#include <sys/cdefs.h>
|
|
#include <stdlib.h>
|
|
#include <sysexits.h>
|
|
#include <unistd.h>
|
|
#include <paths.h>
|
|
#include <err.h>
|
|
#include <syslog.h>
|
|
#include <libsecureboot.h>
|
|
#include <libveriexec.h>
|
|
#include <sys/types.h>
|
|
|
|
#include "veriexec.h"
|
|
|
|
/* Globals that are shared with manifest_parser.c */
|
|
int dev_fd = -1;
|
|
int ForceFlags = 0;
|
|
int Verbose = 0;
|
|
int VeriexecVersion = 0;
|
|
const char *Cdir = NULL;
|
|
|
|
/*!
|
|
* @brief Print help message describing program's usage
|
|
* @param void
|
|
* @return always returns code 0
|
|
*/
|
|
static int
|
|
veriexec_usage(void)
|
|
{
|
|
printf("%s",
|
|
"Usage:\tveriexec [-C path] [-hlxv] [-[iz] state] [path]\n");
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*!
|
|
* @brief Load a veriexec manifest
|
|
* @param manifest Pointer to the location of the manifest file
|
|
* @retval the error code returned from the parser
|
|
*/
|
|
static int
|
|
veriexec_load(const char *manifest)
|
|
{
|
|
unsigned char *content;
|
|
int rc;
|
|
|
|
content = verify_signed(manifest, VEF_VERBOSE);
|
|
if (!content)
|
|
errx(EX_USAGE, "cannot verify %s", manifest);
|
|
if (manifest_open(manifest, (const char *)content)) {
|
|
rc = yyparse();
|
|
} else {
|
|
err(EX_NOINPUT, "cannot load %s", manifest);
|
|
}
|
|
free(content);
|
|
return (rc);
|
|
}
|
|
|
|
/*!
|
|
* @brief Get the veriexec state for the supplied argument
|
|
* @param arg_text String containing the argument to be processed
|
|
* @retval The veriexec state number for the specified argument
|
|
*/
|
|
static uint32_t
|
|
veriexec_state_query(const char *arg_text)
|
|
{
|
|
uint32_t state = 0;
|
|
unsigned long len;
|
|
|
|
len = strlen(arg_text);
|
|
|
|
if (strncmp(arg_text, "active", len) == 0)
|
|
state |= VERIEXEC_STATE_ACTIVE;
|
|
else if (strncmp(arg_text, "enforce", len) == 0)
|
|
state |= VERIEXEC_STATE_ENFORCE;
|
|
if (strncmp(arg_text, "loaded", len) == 0)
|
|
state |= VERIEXEC_STATE_LOADED;
|
|
if (strncmp(arg_text, "locked", len) == 0)
|
|
state |= VERIEXEC_STATE_LOCKED;
|
|
if (state == 0 || __bitcount(state) > 1)
|
|
errx(EX_USAGE, "Unknown state \'%s\'", arg_text);
|
|
|
|
return (state);
|
|
}
|
|
|
|
/*!
|
|
* @brief Get the veriexec command state for the supplied argument
|
|
* @param arg_text String containing the argument to be processed
|
|
* @retval The veriexec command state for the specified argument
|
|
*/
|
|
static uint32_t
|
|
veriexec_state_modify(const char *arg_text)
|
|
{
|
|
uint32_t state = 0;
|
|
unsigned long len;
|
|
|
|
len = strlen(arg_text);
|
|
|
|
if (strncmp(arg_text, "active", len) == 0)
|
|
state = VERIEXEC_ACTIVE;
|
|
else if (strncmp(arg_text, "enforce", len) == 0)
|
|
state = VERIEXEC_ENFORCE;
|
|
else if (strncmp(arg_text, "getstate", len) == 0)
|
|
state = VERIEXEC_GETSTATE;
|
|
else if (strncmp(arg_text, "lock", len) == 0)
|
|
state = VERIEXEC_LOCK;
|
|
else
|
|
errx(EX_USAGE, "Unknown command \'%s\'", arg_text);
|
|
|
|
return (state);
|
|
}
|
|
|
|
#ifdef HAVE_VERIEXEC_GET_PATH_LABEL
|
|
static void
|
|
veriexec_check_labels(int argc, char *argv[])
|
|
{
|
|
char buf[BUFSIZ];
|
|
char *cp;
|
|
int n;
|
|
|
|
n = (argc - optind);
|
|
for (; optind < argc; optind++) {
|
|
cp = veriexec_get_path_label(argv[optind], buf, sizeof(buf));
|
|
if (cp) {
|
|
if (n > 1)
|
|
printf("%s: %s\n", argv[optind], cp);
|
|
else
|
|
printf("%s\n", cp);
|
|
if (cp != buf)
|
|
free(cp);
|
|
}
|
|
}
|
|
exit(EX_OK);
|
|
}
|
|
#endif
|
|
|
|
static void
|
|
veriexec_check_paths(int argc, char *argv[])
|
|
{
|
|
int x;
|
|
|
|
x = EX_OK;
|
|
for (; optind < argc; optind++) {
|
|
if (veriexec_check_path(argv[optind])) {
|
|
warn("%s", argv[optind]);
|
|
x = 2;
|
|
}
|
|
}
|
|
exit(x);
|
|
}
|
|
|
|
int
|
|
main(int argc, char *argv[])
|
|
{
|
|
long long converted_int;
|
|
uint32_t state;
|
|
int c, x;
|
|
|
|
if (argc < 2)
|
|
return (veriexec_usage());
|
|
|
|
dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);
|
|
|
|
while ((c = getopt(argc, argv, "C:hi:lSxvz:")) != -1) {
|
|
switch (c) {
|
|
case 'h':
|
|
/* Print usage info */
|
|
|
|
return (veriexec_usage());
|
|
case 'C':
|
|
/* Get the provided directory argument */
|
|
|
|
Cdir = optarg;
|
|
break;
|
|
case 'i':
|
|
/* Query the current state */
|
|
|
|
if (dev_fd < 0) {
|
|
err(EX_UNAVAILABLE, "cannot open veriexec");
|
|
}
|
|
if (ioctl(dev_fd, VERIEXEC_GETSTATE, &x)) {
|
|
err(EX_UNAVAILABLE,
|
|
"Cannot get veriexec state");
|
|
}
|
|
|
|
state = veriexec_state_query(optarg);
|
|
|
|
exit((x & state) == 0);
|
|
break;
|
|
#ifdef HAVE_VERIEXEC_GET_PATH_LABEL
|
|
case 'l':
|
|
veriexec_check_labels(argc, argv);
|
|
break;
|
|
#endif
|
|
case 'S':
|
|
/* Strictly enforce certificate validity */
|
|
ve_enforce_validity_set(1);
|
|
break;
|
|
case 'v':
|
|
/* Increase the verbosity */
|
|
|
|
Verbose++;
|
|
break;
|
|
case 'x':
|
|
/* Check veriexec paths */
|
|
|
|
/*
|
|
* -x says all other args are paths to check.
|
|
*/
|
|
veriexec_check_paths(argc, argv);
|
|
break;
|
|
case 'z':
|
|
/* Modify the state */
|
|
|
|
if (strncmp(optarg, "debug", strlen(optarg)) == 0) {
|
|
const char *error;
|
|
|
|
if (optind >= argc)
|
|
errx(EX_USAGE,
|
|
"Missing mac_veriexec verbosity level \'N\', veriexec -z debug N, where N is \'off\' or the value 0 or greater");
|
|
|
|
if (strncmp(argv[optind], "off", strlen(argv[optind])) == 0) {
|
|
state = VERIEXEC_DEBUG_OFF;
|
|
x = 0;
|
|
} else {
|
|
state = VERIEXEC_DEBUG_ON;
|
|
|
|
converted_int = strtonum(argv[optind], 0, INT_MAX, &error);
|
|
|
|
if (error != NULL)
|
|
errx(EX_USAGE, "Conversion error for argument \'%s\' : %s",
|
|
argv[optind], error);
|
|
|
|
x = (int) converted_int;
|
|
|
|
|
|
if (x == 0)
|
|
state = VERIEXEC_DEBUG_OFF;
|
|
}
|
|
} else
|
|
state = veriexec_state_modify(optarg);
|
|
|
|
if (dev_fd < 0)
|
|
err(EX_UNAVAILABLE, "Cannot open veriexec");
|
|
if (ioctl(dev_fd, state, &x))
|
|
err(EX_UNAVAILABLE, "Cannot %s veriexec", optarg);
|
|
|
|
if (state == VERIEXEC_DEBUG_ON || state == VERIEXEC_DEBUG_OFF)
|
|
printf("mac_veriexec debug verbosity level: %d\n", x);
|
|
else if (state == VERIEXEC_GETSTATE)
|
|
printf("Veriexec state (octal) : %#o\n", x);
|
|
|
|
exit(EX_OK);
|
|
break;
|
|
default:
|
|
|
|
/* Missing argument, print usage info.*/
|
|
veriexec_usage();
|
|
exit(EX_USAGE);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (Verbose)
|
|
printf("Verbosity level : %d\n", Verbose);
|
|
|
|
if (dev_fd < 0)
|
|
err(EX_UNAVAILABLE, "Cannot open veriexec");
|
|
|
|
openlog(getprogname(), LOG_PID, LOG_AUTH);
|
|
if (ve_trust_init() < 1)
|
|
errx(EX_OSFILE, "cannot initialize trust store");
|
|
#ifdef VERIEXEC_GETVERSION
|
|
if (ioctl(dev_fd, VERIEXEC_GETVERSION, &VeriexecVersion)) {
|
|
VeriexecVersion = 0; /* unknown */
|
|
}
|
|
#endif
|
|
|
|
for (; optind < argc; optind++) {
|
|
if (veriexec_load(argv[optind])) {
|
|
err(EX_DATAERR, "cannot load %s", argv[optind]);
|
|
}
|
|
}
|
|
exit(EX_OK);
|
|
}
|