From nobody Mon Apr 17 15:47:53 2023
Date: Mon, 17 Apr 2023 15:47:53 GMT
Message-Id: <202304171547.33HFlrpJ070513@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Stephen J. Kiernan" Subject: git: bd4742c97079 - main - veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: stevek X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: bd4742c9707964a481dbe088e8c2797fa210e9e1 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by stevek: URL: https://cgit.FreeBSD.org/src/commit/?id=bd4742c9707964a481dbe088e8c2797fa210e9e1 commit bd4742c9707964a481dbe088e8c2797fa210e9e1 Author: Steve Kiernan AuthorDate: 2023-04-02 21:58:27 +0000 Commit: Stephen J. Kiernan CommitDate: 2023-04-17 15:47:32 +0000 veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32 We need to handle old ioctl from old binary. Add some missing ioctls. Obtained from: Juniper Networks, Inc. --- sys/dev/veriexec/veriexec_ioctl.h | 16 +++++++++++++--- sys/dev/veriexec/verified_exec.c | 26 +++++++++++++++++++------- 2 files changed, 32 insertions(+), 10 deletions(-) diff --git a/sys/dev/veriexec/veriexec_ioctl.h b/sys/dev/veriexec/veriexec_ioctl.h index 1409ebb9f40f..fdb9cbcbe1af 100644 --- a/sys/dev/veriexec/veriexec_ioctl.h +++ b/sys/dev/veriexec/veriexec_ioctl.h @@ -36,6 +36,14 @@ #include +/* for backwards compatability */ +struct verified_exec_params32 { + unsigned char flags; + char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */ + char file[MAXPATHLEN]; + unsigned char fingerprint[32]; +}; + struct verified_exec_params { unsigned char flags; char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */ 
@@ -55,9 +63,11 @@ struct verified_exec_label_params { #define VERIEXEC_DEBUG_ON _IOWR('S', 0x5, int) /* set/get debug level */ #define VERIEXEC_DEBUG_OFF _IO('S', 0x6) /* reset debug */ #define VERIEXEC_GETSTATE _IOR('S', 0x7, int) /* get state */ -#define VERIEXEC_SIGNED_LOAD _IOW('S', 0x8, struct verified_exec_params) -#define VERIEXEC_GETVERSION _IOR('S', 0x9, int) /* get version */ -#define VERIEXEC_LABEL_LOAD _IOW('S', 0xa, struct verified_exec_label_params) +#define VERIEXEC_SIGNED_LOAD32 _IOW('S', 0x8, struct verified_exec_params32) +#define VERIEXEC_VERIFIED_FILD _IOW('S', 0x9, int) /* fd */ +#define VERIEXEC_GETVERSION _IOR('S', 0xa, int) /* get version */ +#define VERIEXEC_LABEL_LOAD _IOW('S', 0xb, struct verified_exec_label_params) +#define VERIEXEC_SIGNED_LOAD _IOW('S', 0xc, struct verified_exec_params) #define _PATH_DEV_VERIEXEC _PATH_DEV "veriexec" diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c index c00aa49c2f6c..908b54138212 100644 --- a/sys/dev/veriexec/verified_exec.c +++ b/sys/dev/veriexec/verified_exec.c @@ -1,7 +1,7 @@ /* * $FreeBSD$ * - * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc. + * Copyright (c) 2011-2023, Juniper Networks, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -69,7 +69,7 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, struct nameidata nid; struct vattr vattr; struct verified_exec_label_params *lparams; - struct verified_exec_params *params; + struct verified_exec_params *params, params_; int error = 0; /* 
@@ -104,10 +104,18 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, return (error); lparams = (struct verified_exec_label_params *)data; - if (cmd == VERIEXEC_LABEL_LOAD) + switch (cmd) { + case VERIEXEC_LABEL_LOAD: params = &lparams->params; - else + break; + case VERIEXEC_SIGNED_LOAD32: + params = ¶ms_; + memcpy(params, data, sizeof(struct verified_exec_params32)); + break; + default: params = (struct verified_exec_params *)data; + break; + } switch (cmd) { case VERIEXEC_ACTIVE: @@ -187,6 +195,13 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, int flags = FREAD; int override = (cmd != VERIEXEC_LOAD); + if (params->flags & VERIEXEC_LABEL) { + labellen = strnlen(lparams->label, + MAXLABELLEN) + 1; + if (labellen > MAXLABELLEN) + return (EINVAL); + } + /* * Get the attributes for the file name passed * stash the file's device id and inode number @@ -228,9 +243,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data, FINGERPRINT_INVALID); VOP_UNLOCK(nid.ni_vp); (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td); - if (params->flags & VERIEXEC_LABEL) - labellen = strnlen(lparams->label, - sizeof(lparams->label) - 1) + 1; mtx_lock(&ve_mutex); error = mac_veriexec_metadata_add_file(
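Review bot: in the veriexec_ioctl.h hunk at @@ -36,6 +36,14 @@, the comment misspells "compatibility" as "compatability", and the name verified_exec_params32 reads as a 32-bit ABI shim (the usual meaning of a 32 suffix in this tree) when the only difference visible here is the fixed `unsigned char fingerprint[32];` array; the hunk does not show the fingerprint member of the current verified_exec_params, so if 32 is the old digest buffer length rather than a pointer width, say so in the comment (for example `/* old layout: 32-byte fingerprint buffer */`) or pick a name that does not suggest compat32.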
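Review bot: in the @@ -55,9 +63,11 @@ hunk, VERIEXEC_GETVERSION moves from 0x9 to 0xa and VERIEXEC_LABEL_LOAD from 0xa to 0xb, so an old binary built against the previous numbers will no longer match those two commands even though the commit message says old ioctls from old binaries need to be handled; the direction bits and argument sizes differ at both numbers (_IOR int versus _IOW int at 0x9, _IOW struct verified_exec_label_params versus _IOR int at 0xa), so an old request cannot be misinterpreted as the new command and will simply fail to match any case, but that should be stated in the commit message as an intentional ABI break. Only VERIEXEC_SIGNED_LOAD keeps its old number (as VERIEXEC_SIGNED_LOAD32). The new VERIEXEC_VERIFIED_FILD at 0x9 has no matching case in the verified_exec.c hunks of this diff, and FILD looks like a typo for FILE or FD; if it is intentional, expand the `/* fd */` comment to explain it.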
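Review bot: in the @@ -104,10 +104,18 @@ hunk, the VERIEXEC_SIGNED_LOAD32 case copies only sizeof(struct verified_exec_params32) bytes into the stack variable params_ and leaves the remainder of that struct uninitialized, so if verified_exec_params carries a fingerprint buffer larger than the 32 bytes in params32, everything past the first 32 bytes is stack garbage that the later fingerprint handling could read; zero the copy first (`memset(&params_, 0, sizeof(params_));` before the memcpy) and, for this command, reject an fp_type whose digest length exceeds 32 so the kernel never consumes bytes the old caller did not supply. Reading sizeof(struct verified_exec_params32) from data is itself safe, since that is the size encoded in the VERIEXEC_SIGNED_LOAD32 command and therefore what ioctl copied in.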
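Review bot: in the @@ -187,6 +195,13 @@ hunk, the new label check is gated on `params->flags & VERIEXEC_LABEL` rather than on cmd == VERIEXEC_LABEL_LOAD, so a caller of VERIEXEC_LOAD, VERIEXEC_SIGNED_LOAD or VERIEXEC_SIGNED_LOAD32 that sets VERIEXEC_LABEL in flags makes the kernel read lparams->label past the sizeof(struct verified_exec_params) (or params32) buffer that the ioctl actually copied in, and for SIGNED_LOAD32 lparams still points at data while params points at the stack copy, so flags and label come from different objects. The removed code in the later hunk had the same flag-based test, but since this hunk moves and strengthens the check it is the place to tie it to the command as well: either test `cmd == VERIEXEC_LABEL_LOAD` here or return EINVAL when VERIEXEC_LABEL is set on any other command. Returning EINVAL for a label with no terminator within MAXLABELLEN, instead of silently clamping as the old strnlen did, is the right behaviour, and doing it before vn_open() is cleaner.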
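Review bot: in the @@ -228,9 +243,6 @@ hunk, the removed strnlen bound was `sizeof(lparams->label) - 1` while the replacement check earlier in the function uses MAXLABELLEN; please confirm that label[] is declared with MAXLABELLEN elements, since otherwise the labellen value handed to mac_veriexec_metadata_add_file() changes meaning (the old bound always left room for a terminator, the new one relies on the EINVAL return to guarantee it). Nothing is leaked on the new EINVAL path because it now fires before vn_open(), so no VOP_UNLOCK/vn_close pair is needed there.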