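--- a/veriexec.9
+++ b/veriexec.9
@@ -1,14 +1,14 @@
-.\" $NetBSD: veriexec.9,v 1.22 2009/05/13 22:43:58 wiz Exp $
+.\" $NetBSD: veriexec.9,v 1.23 2010/04/13 07:14:45 jruoho Exp $
 .\"
 .\" Copyright 2006 Elad Efrat <elad@NetBSD.org>
 .\" Copyright 2006 Brett Lymn <blymn@NetBSD.org>
 .\"
 .\" This code is derived from software contributed to The NetBSD Foundation
 .\" by Brett Lymn and Elad Efrat
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\" notice, this list of conditions and the following disclaimer.
 .\" 2. Neither the name of The NetBSD Foundation nor the names of its
@@ -25,58 +25,95 @@
 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
 .Dd February 10, 2008
 .Dt VERIEXEC 9
 .Os
 .Sh NAME
 .Nm veriexec
 .Nd in-kernel file integrity subsystem KPI
 .Sh SYNOPSIS
 .In sys/verified_exec.h
+.Ft void
+.Fn veriexec_init "void"
+.Ft bool
+.Fn veriexec_lookup "struct vnode *vp"
+.Ft int
+.Fn veriexec_verify "struct lwp *l" "struct vnode *vp" \
+"const u_char *name" "int flag" "bool *found"
+.Ft void
+.Fn veriexec_purge "struct vnode *vp"
+.Ft int
+.Fn veriexec_fpops_add "const char *fp_type" "size_t hash_len" \
+"size_t ctx_size" "veriexec_fpop_init_t init" "veriexec_fpop_update_t update" \
+"veriexec_fpop_final_t final"
+.Ft int
+.Fn veriexec_file_add "struct lwp *l" "prop_dictionary_t dict"
+.Ft int
+.Fn veriexec_file_delete "struct lwp *l" "struct vnode *vp"
+.Ft int
+.Fn veriexec_table_delete "struct lwp *l" "struct mount *mp"
+.Ft int
+.Fn veriexec_flush "struct lwp *l"
+.Ft int
+.Fn veriexec_openchk "struct lwp *l" "struct vnode *vp" \
+"const char *path" "int fmode"
+.Ft int
+.Fn veriexec_renamechk "struct lwp *l" "struct vnode *fromvp" \
+"const char *fromname" "struct vnode *tovp" "const char *toname"
+.Ft int
+.Fn veriexec_removechk "struct lwp *l" "struct vnode *vp" \
+"const char *name"
+.Ft int
+.Fn veriexec_unmountchk "struct mount *mp"
+.Ft int
+.Fn veriexec_convert "struct vnode *vp" "prop_dictionary_t rdict"
+.Ft int
+.Fn veriexec_dump "struct lwp *l" "prop_array_t rarray"
 .Sh DESCRIPTION
 .Nm
-is the KPI for
+is the
+.Tn KPI
+for
 .Em Veriexec ,
 the
 .Nx
 in-kernel file integrity subsystem.
 It is responsible for managing the supported hashing algorithms, fingerprint
 calculation and comparison, file monitoring tables, and relevant hooks to
 enforce the
 .Em Veriexec
 policy.
+.Sh FUNCTIONS
 .Ss Core Routines
 .Bl -tag -width compact
-.It Ft void Fn veriexec_init "void"
+.It Fn veriexec_init "void"
 Initialize the
 .Em Veriexec
 subsystem.
 Called only once during system startup.
-.It Ft "bool" Fn veriexec_lookup "struct vnode *vp"
+.It Fn veriexec_lookup "vp"
 Check if
 .Ar vp
 is monitored by
-.Em Veriexec
-or not.
+.Em Veriexec .
 Returns
 .Dv true
 if it is, or
 .Dv false
 otherwise.
-.It Ft int Fn veriexec_verify "struct lwp *l" "struct vnode *vp" \
-"const u_char *name" "int flag" "bool *found"
+.It Fn veriexec_verify "l" "vp" "name" "flag" "found"
 Verifies the digital fingerprint of
 .Ar vp .
 .Ar name
 is the filename, and
 .Ar flag
 is the access flag.
 The access flag can be one of:
 .Bl -tag -width VERIEXEC_INDIRECT
 .It Dv VERIEXEC_DIRECT
 The file was executed directly via
 .Xr execve 2 .
 .It Dv VERIEXEC_INDIRECT
 The file was executed indirectly, either as an interpreter for a script or
@@ -84,144 +121,139 @@ mapped to an executable memory region.
 .It Dv VERIEXEC_FILE
 The file was opened for reading/writing.
 .El
 .Pp
 .Ar l
 is the LWP for the request context.
 .Pp
 An optional argument,
 .Ar found ,
 is a pointer to a boolean indicating whether an entry for the file was found
 in the
 .Em Veriexec
 tables.
-.It Ft void Fn veriexec_purge "struct vnode *vp"
+.It Fn veriexec_purge "vp"
 Purge the file entry for
 .Ar vp .
 This invalidates the fingerprint so it will be evaluated next time the file
 is accessed.
 .\" veriexec_page_verify() intentionally not documented.
 .El
 .Ss Fingerprint Related Routines
 .Bl -tag -width compact
-.It Ft int Fn veriexec_fpops_add "const char *fp_type" "size_t hash_len" \
-"size_t ctx_size" "veriexec_fpop_init_t init" "veriexec_fpop_update_t update" \
-"veriexec_fpop_final_t final"
+.It Fn veriexec_fpops_add "fp_type" "hash_len" "ctx_size" \
+"init" "update" "final"
 Add support for fingerprinting algorithm
 .Ar fp_type
 with binary hash length
 .Ar hash_len
 and calculation context size
 .Ar ctx_size
 to
 .Em Veriexec .
 .Ar init ,
 .Ar update ,
 and
 .Ar final
 are the routines used to initialize, update, and finalize a calculation
 context.
 .El
 .Ss Table Management Routines
 .Bl -tag -width compact
-.It Ft int Fn veriexec_file_add "struct lwp *l" \
-"prop_dictionary_t dict"
+.It Fn veriexec_file_add "l" "dict"
 Add a
 .Em Veriexec
 entry for the file described by
 .Ar dict .
 .Pp
 .Ar dict
 is expected to have the following:
 .Bl -column entry-type string "entry type flags (see veriexec(4))"
 .It Sy Name Type Purpose
 .It file string filename
 .It entry-type uint8 entry type flags ( see Xr veriexec 4 )
 .It fp-type string fingerprint hashing algorithm
 .It fp data the fingerprint
 .El
-.It Ft int Fn veriexec_file_delete "struct lwp *l" "struct vnode *vp"
+.It Fn veriexec_file_delete "l" "vp"
 Remove
 .Em Veriexec
 entry for
 .Ar vp .
-.It Ft int Fn veriexec_table_delete "struct lwp *l" "struct mount *mp"
+.It Fn veriexec_table_delete "l" "mp"
 Remove
 .Em Veriexec
 table for mount-point
 .Ar mp .
-.It Ft int Fn veriexec_flush "struct lwp *l"
+.It Fn veriexec_flush "l"
 Delete all
 .Em Veriexec
 tables.
 .El
 .Ss Hook Handlers
 .Bl -tag -width compact
-.It Ft int Fn veriexec_openchk "struct lwp *l" "struct vnode *vp" \
-"const char *path" "int fmode"
+.It Fn veriexec_openchk "l" "vp" "path" "fmode"
 Called when a file is opened.
 .Pp
 .Ar l
 is the LWP opening the file,
 .Ar vp
 is a vnode for the file being opened as returned from
 .Xr namei 9 .
 If
 .Dv NULL ,
 the file is being created.
 .Ar path
 is the pathname for the file (not necessarily a full path), and
 .Ar fmode
 are the mode bits with which the file was opened.
-.It Ft int Fn veriexec_renamechk "struct lwp *l" "struct vnode *fromvp" \
-"const char *fromname" "struct vnode *tovp" "const char *toname"
+.It Fn veriexec_renamechk "l" "fromvp" "fromname" "tovp" "toname"
 Called when a file is renamed.
 .Pp
 .Ar fromvp
 and
 .Ar fromname
 are the vnode and filename of the file being renamed.
 .Ar tovp
 and
 .Ar toname
 are the vnode and filename of the target file.
 .Ar l
 is the LWP renaming the file.
 .Pp
 Depending on the strict level,
 .Nm
 will either track changes appropriately or prevent the rename.
-.It Ft int Fn veriexec_removechk "struct lwp *l" "struct vnode *vp" \
-"const char *name"
+.It Fn veriexec_removechk "l" "vp" "name"
 Called when a file is removed.
 .Pp
 .Ar vp
 is the vnode of the file being removed, and
 .Ar name
 is the filename.
 .Ar l
 is the LWP removing the file,
 .Pp
 Depending on the strict level,
 .Nm
 will either clean-up after the file or prevent its removal.
-.It Ft int Fn veriexec_unmountchk "struct mount *mp"
+.It Fn veriexec_unmountchk "mp"
 Checks if the current strict level allows
 .Ar mp
 to be unmounted.
 .El
 .Ss Miscellaneous Routines
 .Bl -tag -width compact
-.It Ft int Fn veriexec_convert "struct vnode *vp" "prop_dictionary_t rdict"
+.It Fn veriexec_convert "vp" "rdict"
 Convert
 .Em Veriexec
 entry for
 .Ar vp
 to human-readable
 .Xr proplib 3
 dictionary,
 .Ar rdict ,
 with the following elements:
 .Bl -column entryxtype string
 .It Sy Name Type Purpose
 .It entry-type uint8 entry type flags ( see Xr veriexec 4 )
 .It status uint8 entry status ( see below )
@@ -233,27 +265,27 @@ The
 .Dq status
 can be one of the following:
 .Bl -column fingerprintxmismatch effect
 .It Sy Status Meaning
 .It FINGERPRINT_NOTEVAL not evaluated
 .It FINGERPRINT_VALID fingerprint match
 .It FINGERPRINT_MISMATCH fingerprint mismatch
 .El
 .Pp
 If no entry was found,
 .Er ENOENT
 is returned.
 Otherwise, zero.
-.It Ft int Fn veriexec_dump "struct lwp *l" "prop_array_t rarray"
+.It Fn veriexec_dump "l" "rarray"
 Fill
 .Ar rarray
 with entries for all files monitored by
 .Em Veriexec
 that have a filename associated with them.
 .Pp
 Each element in
 .Ar rarray
 is a dictionary with the same elements as filled by
 .Fn veriexec_convert ,
 with an additional field,
 .Dq file ,
 containing the filename.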