git: bd4742c97079 - main - veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32
Date: Mon, 17 Apr 2023 15:47:53 UTC
The branch main has been updated by stevek:
URL: https://cgit.FreeBSD.org/src/commit/?id=bd4742c9707964a481dbe088e8c2797fa210e9e1
commit bd4742c9707964a481dbe088e8c2797fa210e9e1
Author: Steve Kiernan <stevek@juniper.net>
AuthorDate: 2023-04-02 21:58:27 +0000
Commit: Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-04-17 15:47:32 +0000
veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32
We need to handle old ioctl from old binary. Add some missing ioctls.
Obtained from: Juniper Networks, Inc.
---
sys/dev/veriexec/veriexec_ioctl.h | 16 +++++++++++++---
sys/dev/veriexec/verified_exec.c | 26 +++++++++++++++++++-------
2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/sys/dev/veriexec/veriexec_ioctl.h b/sys/dev/veriexec/veriexec_ioctl.h
index 1409ebb9f40f..fdb9cbcbe1af 100644
--- a/sys/dev/veriexec/veriexec_ioctl.h
+++ b/sys/dev/veriexec/veriexec_ioctl.h
@@ -36,6 +36,14 @@
 #include <security/mac_veriexec/mac_veriexec.h>
+/* for backwards compatability */
+struct verified_exec_params32 {
+ unsigned char flags;
+ char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */
+ char file[MAXPATHLEN];
+ unsigned char fingerprint[32];
+};
+
 struct verified_exec_params {
 unsigned char flags;
 char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */
@@ -55,9 +63,11 @@ struct verified_exec_label_params {
 #define VERIEXEC_DEBUG_ON _IOWR('S', 0x5, int) /* set/get debug level */
 #define VERIEXEC_DEBUG_OFF _IO('S', 0x6) /* reset debug */
 #define VERIEXEC_GETSTATE _IOR('S', 0x7, int) /* get state */
-#define VERIEXEC_SIGNED_LOAD _IOW('S', 0x8, struct verified_exec_params)
-#define VERIEXEC_GETVERSION _IOR('S', 0x9, int) /* get version */
-#define VERIEXEC_LABEL_LOAD _IOW('S', 0xa, struct verified_exec_label_params)
+#define VERIEXEC_SIGNED_LOAD32 _IOW('S', 0x8, struct verified_exec_params32)
+#define VERIEXEC_VERIFIED_FILD _IOW('S', 0x9, int) /* fd */
+#define VERIEXEC_GETVERSION _IOR('S', 0xa, int) /* get version */
+#define VERIEXEC_LABEL_LOAD _IOW('S', 0xb, struct verified_exec_label_params)
+#define VERIEXEC_SIGNED_LOAD _IOW('S', 0xc, struct verified_exec_params)
 #define _PATH_DEV_VERIEXEC _PATH_DEV "veriexec"
diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c
index c00aa49c2f6c..908b54138212 100644
--- a/sys/dev/veriexec/verified_exec.c
+++ b/sys/dev/veriexec/verified_exec.c
@@ -1,7 +1,7 @@
 /*
 * $FreeBSD$
 *
- * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
+ * Copyright (c) 2011-2023, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -69,7 +69,7 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 struct nameidata nid;
 struct vattr vattr;
 struct verified_exec_label_params *lparams;
- struct verified_exec_params *params;
+ struct verified_exec_params *params, params_;
 int error = 0;
 /*
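Review bot: VERIEXEC_GETVERSION moves from 0x9 to 0xa and VERIEXEC_LABEL_LOAD from 0xa to 0xb in this hunk, so a binary built against the previous header stays compatible only for the old SIGNED_LOAD (kept at 0x8 as VERIEXEC_SIGNED_LOAD32); its GETVERSION and LABEL_LOAD requests will no longer match any case in the driver. The old and new values do not alias each other, because the direction and size bits differ (old 0x9 is _IOR int, new 0x9 is _IOW int), so such requests fail rather than being misinterpreted, but if the 0x9/0xa values ever shipped the commit's stated goal of handling old binaries is only partly met; keeping those two numbers and appending VERIEXEC_VERIFIED_FILD and the new SIGNED_LOAD after them would avoid that. VERIEXEC_VERIFIED_FILD also deserves more than `/* fd */`: from the diff only its direction (_IOW int) is visible and the part of verifiedexecioctl shown in this commit has no case for it, so a one-line comment stating what the driver does with the fd would help the next reader.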
@@ -104,10 +104,18 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 return (error);
 lparams = (struct verified_exec_label_params *)data;
- if (cmd == VERIEXEC_LABEL_LOAD)
+ switch (cmd) {
+ case VERIEXEC_LABEL_LOAD:
 params = &lparams->params;
- else
+ break;
+ case VERIEXEC_SIGNED_LOAD32:
+ params = ¶ms_;
+ memcpy(params, data, sizeof(struct verified_exec_params32));
+ break;
+ default:
 params = (struct verified_exec_params *)data;
+ break;
+ }
 switch (cmd) {
 case VERIEXEC_ACTIVE:
@@ -187,6 +195,13 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 int flags = FREAD;
 int override = (cmd != VERIEXEC_LOAD);
+ if (params->flags & VERIEXEC_LABEL) {
+ labellen = strnlen(lparams->label,
+ MAXLABELLEN) + 1;
+ if (labellen > MAXLABELLEN)
+ return (EINVAL);
+ }
+
 /*
 * Get the attributes for the file name passed
 * stash the file's device id and inode number
@@ -228,9 +243,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
 FINGERPRINT_INVALID);
 VOP_UNLOCK(nid.ni_vp);
 (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
- if (params->flags & VERIEXEC_LABEL)
- labellen = strnlen(lparams->label,
- sizeof(lparams->label) - 1) + 1;
 mtx_lock(&ve_mutex);
 error = mac_veriexec_metadata_add_file(
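Review bot: In the VERIEXEC_SIGNED_LOAD32 case the memcpy fills only sizeof(struct verified_exec_params32) bytes of the stack-local params_ (the archive renders it as `¶ms_`; the source has `&params_`), so whatever struct verified_exec_params holds beyond that prefix — its tail is cut off in the header hunk, presumably a longer fingerprint array — stays uninitialized stack memory that any later consumer of the full buffer would read through params. Clearing the local before the copy, `memset(&params_, 0, sizeof(params_));`, makes the unused tail deterministic at no cost. The copy also silently assumes both structs share the same leading layout (flags, fp_type, file, then fingerprint); that matches the fields visible in the header hunk, but a field-by-field copy would not depend on it and would survive a later change to either struct. verifiedexecioctl's body continues outside the hunk.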
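Review bot: The relocated check in hunk @@ -187 dereferences lparams->label whenever VERIEXEC_LABEL is set in params->flags, but lparams is a cast of the raw ioctl buffer, and for VERIEXEC_LOAD, VERIEXEC_SIGNED_LOAD and VERIEXEC_SIGNED_LOAD32 the ioctl encodings in veriexec_ioctl.h size that buffer by struct verified_exec_params (or the smaller params32), not by struct verified_exec_label_params, so a caller that sets the flag on one of those commands has strnlen read past the end of the copied-in data. Unless code outside the hunk already rejects VERIEXEC_LABEL for commands other than VERIEXEC_LABEL_LOAD, gate the check on the command: `if (cmd == VERIEXEC_LABEL_LOAD && (params->flags & VERIEXEC_LABEL)) {`. The removed form in hunk @@ -228 had the same exposure, so this is pre-existing, but moving the check ahead of the file open is the natural moment to tighten it. The bound also changes from sizeof(lparams->label) - 1 to MAXLABELLEN, which is only safe if MAXLABELLEN does not exceed sizeof(lparams->label); the diff does not show the array's size, so a short comment tying the two together would help. verifiedexecioctl continues outside the hunk.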