git: bd4742c97079 - main - veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32
Date: Mon, 17 Apr 2023 15:47:53 UTC
The branch main has been updated by stevek:
URL: https://cgit.FreeBSD.org/src/commit/?id=bd4742c9707964a481dbe088e8c2797fa210e9e1
commit bd4742c9707964a481dbe088e8c2797fa210e9e1
Author: Steve Kiernan <stevek@juniper.net>
AuthorDate: 2023-04-02 21:58:27 +0000
Commit: Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-04-17 15:47:32 +0000
veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32
We need to handle the old ioctl issued by old binaries.
Add some missing ioctls.
Obtained from: Juniper Networks, Inc.
---
sys/dev/veriexec/veriexec_ioctl.h | 16 +++++++++++++---
sys/dev/veriexec/verified_exec.c | 26 +++++++++++++++++++-------
2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/sys/dev/veriexec/veriexec_ioctl.h b/sys/dev/veriexec/veriexec_ioctl.h
index 1409ebb9f40f..fdb9cbcbe1af 100644
--- a/sys/dev/veriexec/veriexec_ioctl.h
+++ b/sys/dev/veriexec/veriexec_ioctl.h
@@ -36,6 +36,14 @@
#include <security/mac_veriexec/mac_veriexec.h>
+/* for backwards compatability */
+struct verified_exec_params32 {
+ unsigned char flags;
+ char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */
+ char file[MAXPATHLEN];
+ unsigned char fingerprint[32];
+};
+
struct verified_exec_params {
unsigned char flags;
char fp_type[VERIEXEC_FPTYPELEN]; /* type of fingerprint */
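Review bot: The 32 in `unsigned char fingerprint[32];` is a bare magic number, and nothing in the header ties the field order of struct verified_exec_params32 to the leading fields of struct verified_exec_params, which the `memcpy` compat path in verified_exec.c depends on. A named constant for the old fingerprint size plus a `_Static_assert(offsetof(struct verified_exec_params32, fingerprint) == offsetof(struct verified_exec_params, fingerprint), "compat layout drifted");` after both definitions would keep that copy valid if either struct is edited later; the tail of struct verified_exec_params is outside this hunk, so the offsets are inferred from the field order shown. The comment also misspells "compatability"; `/* for backwards compatibility: pre-rename layout with a 32-byte fingerprint */` would fix it and say what the struct is for.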
@@ -55,9 +63,11 @@ struct verified_exec_label_params {
#define VERIEXEC_DEBUG_ON _IOWR('S', 0x5, int) /* set/get debug level */
#define VERIEXEC_DEBUG_OFF _IO('S', 0x6) /* reset debug */
#define VERIEXEC_GETSTATE _IOR('S', 0x7, int) /* get state */
-#define VERIEXEC_SIGNED_LOAD _IOW('S', 0x8, struct verified_exec_params)
-#define VERIEXEC_GETVERSION _IOR('S', 0x9, int) /* get version */
-#define VERIEXEC_LABEL_LOAD _IOW('S', 0xa, struct verified_exec_label_params)
+#define VERIEXEC_SIGNED_LOAD32 _IOW('S', 0x8, struct verified_exec_params32)
+#define VERIEXEC_VERIFIED_FILD _IOW('S', 0x9, int) /* fd */
+#define VERIEXEC_GETVERSION _IOR('S', 0xa, int) /* get version */
+#define VERIEXEC_LABEL_LOAD _IOW('S', 0xb, struct verified_exec_label_params)
+#define VERIEXEC_SIGNED_LOAD _IOW('S', 0xc, struct verified_exec_params)
#define _PATH_DEV_VERIEXEC _PATH_DEV "veriexec"
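Review bot: Renumbering VERIEXEC_GETVERSION (0x9 to 0xa) and VERIEXEC_LABEL_LOAD (0xa to 0xb) changes their ioctl values, so a binary built against the previous header loses those two commands even though VERIEXEC_SIGNED_LOAD gets a compat path; the commit message only describes the latter. Because the direction and size bits of the old and new values differ, an old GETVERSION or LABEL_LOAD should land in the dispatcher's unknown-command path rather than be misdispatched, but that dispatch code is outside this diff and worth confirming. If the old values must keep working, a compat define per old number and a header comment such as `/* 0x8 keeps the pre-rename struct; 0x9-0xb were renumbered in this change */` would make the intent explicit. VERIEXEC_VERIFIED_FILD is introduced here without a handler anywhere in this diff; if it is meant to be serviced it needs a case in verifiedexecioctl, and if it is only reserved, a comment saying so.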
diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c
index c00aa49c2f6c..908b54138212 100644
--- a/sys/dev/veriexec/verified_exec.c
+++ b/sys/dev/veriexec/verified_exec.c
@@ -1,7 +1,7 @@
/*
* $FreeBSD$
*
- * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
+ * Copyright (c) 2011-2023, Juniper Networks, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -69,7 +69,7 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
struct nameidata nid;
struct vattr vattr;
struct verified_exec_label_params *lparams;
- struct verified_exec_params *params;
+ struct verified_exec_params *params, params_;
int error = 0;
/*
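Review bot: Declaring a pointer and an object in one declarator list, `struct verified_exec_params *params, params_;`, is easy to misread and the trailing-underscore name says nothing about the object's role. A separate declaration, `struct verified_exec_params params_; /* copy target for VERIEXEC_SIGNED_LOAD32 */`, or a name such as `compat_params`, would make the purpose clear at the point of use. Going by the struct layout in the header hunk this object carries at least a MAXPATHLEN-byte path on the kernel stack for every call of verifiedexecioctl, whichever command is issued; if that is a concern, it may be worth checking the stack budget of this path. verifiedexecioctl starts before this hunk and continues after it.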
@@ -104,10 +104,18 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
return (error);
lparams = (struct verified_exec_label_params *)data;
- if (cmd == VERIEXEC_LABEL_LOAD)
+ switch (cmd) {
+ case VERIEXEC_LABEL_LOAD:
params = &lparams->params;
- else
+ break;
+ case VERIEXEC_SIGNED_LOAD32:
+ params = ¶ms_;
+ memcpy(params, data, sizeof(struct verified_exec_params32));
+ break;
+ default:
params = (struct verified_exec_params *)data;
+ break;
+ }
switch (cmd) {
case VERIEXEC_ACTIVE:
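Review bot: The VERIEXEC_SIGNED_LOAD32 case copies only `sizeof(struct verified_exec_params32)` bytes into the stack object params_, so the part of params_ beyond the 32-byte fingerprint is left uninitialized; if later code sizes the fingerprint from the caller-supplied fp_type and that type is longer than 32 bytes, it would read uninitialized kernel stack. Zeroing first, `memset(&params_, 0, sizeof(params_));` ahead of the memcpy, or rejecting fp_type values whose fingerprint does not fit in 32 bytes for this command, closes that gap. The copy also assumes the two structs share the same leading layout and that the new struct is at least as large, which the header hunk suggests but nothing asserts. On this page the assignment appears as `params = ¶ms_;`, presumably an archive rendering of `&params_`. verifiedexecioctl continues outside the hunk.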
@@ -187,6 +195,13 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
int flags = FREAD;
int override = (cmd != VERIEXEC_LOAD);
+ if (params->flags & VERIEXEC_LABEL) {
+ labellen = strnlen(lparams->label,
+ MAXLABELLEN) + 1;
+ if (labellen > MAXLABELLEN)
+ return (EINVAL);
+ }
+
/*
* Get the attributes for the file name passed
* stash the file's device id and inode number
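Review bot: The new label check reads `lparams->label`, but lparams is cast from data for every command at the top of the function, so a caller that sets VERIEXEC_LABEL in flags on a command other than VERIEXEC_LABEL_LOAD has the kernel read past the buffer the ioctl layer copied in for that command's smaller struct. The removed code had the same exposure, so this hunk does not introduce it, but since the check now runs before the file is opened it is the natural place to add `if (cmd != VERIEXEC_LABEL_LOAD && (params->flags & VERIEXEC_LABEL)) return (EINVAL);`, unless something earlier in the function already rejects that combination (not visible here). The bound also changed from `sizeof(lparams->label) - 1` to `MAXLABELLEN`; the two agree only if the label array is exactly MAXLABELLEN bytes, which this diff does not show. verifiedexecioctl continues outside the hunk.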
@@ -228,9 +243,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
FINGERPRINT_INVALID);
VOP_UNLOCK(nid.ni_vp);
(void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
- if (params->flags & VERIEXEC_LABEL)
- labellen = strnlen(lparams->label,
- sizeof(lparams->label) - 1) + 1;
mtx_lock(&ve_mutex);
error = mac_veriexec_metadata_add_file(