The branch main has been updated by stevek:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=bd4742c9707964a481dbe088e8c2797fa210e9e1

commit bd4742c9707964a481dbe088e8c2797fa210e9e1
Author:     Steve Kiernan <ste...@juniper.net>
AuthorDate: 2023-04-02 21:58:27 +0000
Commit:     Stephen J. Kiernan <ste...@freebsd.org>
CommitDate: 2023-04-17 15:47:32 +0000

    veriexec: Rename old VERIEXEC_SIGNED_LOAD as VERIEXEC_SIGNED_LOAD32
    
    We need to handle the old ioctl from old binaries.
    
    Add some missing ioctls.
    
    Obtained from:  Juniper Networks, Inc.
---
 sys/dev/veriexec/veriexec_ioctl.h | 16 +++++++++++++---
 sys/dev/veriexec/verified_exec.c  | 26 +++++++++++++++++++-------
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/sys/dev/veriexec/veriexec_ioctl.h 
b/sys/dev/veriexec/veriexec_ioctl.h
index 1409ebb9f40f..fdb9cbcbe1af 100644
--- a/sys/dev/veriexec/veriexec_ioctl.h
+++ b/sys/dev/veriexec/veriexec_ioctl.h
@@ -36,6 +36,14 @@
 
 #include <security/mac_veriexec/mac_veriexec.h>
 
+/* for backwards compatability */
+struct verified_exec_params32  {
+       unsigned char flags;
+       char fp_type[VERIEXEC_FPTYPELEN];       /* type of fingerprint */
+       char file[MAXPATHLEN];
+       unsigned char fingerprint[32];
+};
+
 struct verified_exec_params  {
        unsigned char flags;
        char fp_type[VERIEXEC_FPTYPELEN];       /* type of fingerprint */
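Review bot: The comment on the new struct verified_exec_params32 says only `for backwards compatability` (sic), but the struct exists to freeze the layout that old binaries were built against, and nothing tells a later maintainer that its fields and sizes must never change. Replace it with something like `/* Layout of struct verified_exec_params as old binaries know it; frozen for VERIEXEC_SIGNED_LOAD32 — do not change field order or sizes. */` and fix the spelling to "compatibility". The `32` in `fingerprint[32]` is presumably the old fixed digest size; a named constant would make that intent clearer than a bare literal. The struct is reached from verifiedexecioctl via a prefix memcpy, so it is also worth stating here that its leading fields must stay at the same offsets as in struct verified_exec_params.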
@@ -55,9 +63,11 @@ struct verified_exec_label_params  {
 #define VERIEXEC_DEBUG_ON      _IOWR('S', 0x5, int) /* set/get debug level */
 #define VERIEXEC_DEBUG_OFF     _IO('S', 0x6)   /* reset debug */
 #define VERIEXEC_GETSTATE      _IOR('S', 0x7, int) /* get state */
-#define VERIEXEC_SIGNED_LOAD   _IOW('S', 0x8, struct verified_exec_params)
-#define VERIEXEC_GETVERSION    _IOR('S', 0x9, int) /* get version */
-#define VERIEXEC_LABEL_LOAD    _IOW('S', 0xa, struct 
verified_exec_label_params)
+#define        VERIEXEC_SIGNED_LOAD32  _IOW('S', 0x8, struct 
verified_exec_params32)
+#define        VERIEXEC_VERIFIED_FILD  _IOW('S', 0x9, int) /* fd */
+#define VERIEXEC_GETVERSION    _IOR('S', 0xa, int) /* get version */
+#define VERIEXEC_LABEL_LOAD    _IOW('S', 0xb, struct 
verified_exec_label_params)
+#define        VERIEXEC_SIGNED_LOAD    _IOW('S', 0xc, struct 
verified_exec_params)
 
 #define        _PATH_DEV_VERIEXEC      _PATH_DEV "veriexec"
 
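Review bot: Renumbering VERIEXEC_GETVERSION from 0x9 to 0xa and VERIEXEC_LABEL_LOAD from 0xa to 0xb changes the ioctl ABI for those two commands, so an old binary issuing the old `_IOR('S', 0x9, int)` GETVERSION request no longer matches any definition in the driver, even though the commit message says old ioctls from old binaries need to be handled; only the old SIGNED_LOAD is given a compat alias. If old binaries are expected to keep working, the old GETVERSION value needs the same treatment (for example a `VERIEXEC_GETVERSION_OLD` alias handled next to the new one), or the new VERIEXEC_VERIFIED_FILD should take an unused number instead of reusing 0x9. VERIEXEC_VERIFIED_FILD is defined here but no handler for it appears in the verified_exec.c hunks below — worth confirming it is implemented elsewhere. The added lines also mix `#define<tab>NAME` and `#define NAME` spacing with their neighbours; keep one form.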
diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c
index c00aa49c2f6c..908b54138212 100644
--- a/sys/dev/veriexec/verified_exec.c
+++ b/sys/dev/veriexec/verified_exec.c
@@ -1,7 +1,7 @@
 /*
  * $FreeBSD$
  *
- * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
+ * Copyright (c) 2011-2023, Juniper Networks, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -69,7 +69,7 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, 
caddr_t data,
        struct nameidata nid;
        struct vattr vattr;
        struct verified_exec_label_params *lparams;
-       struct verified_exec_params *params;
+       struct verified_exec_params *params, params_;
        int error = 0;
 
        /*
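Review bot: `params_` is declared without an initializer, and the copy that fills it in the next hunk (`memcpy(params, data, sizeof(struct verified_exec_params32));`) covers only the old, shorter layout, so whatever part of struct verified_exec_params lies beyond that prefix — presumably the tail of the larger fingerprint array — is left holding whatever was on the kernel stack, and later code that reads the full struct will see those bytes. Initialize it at the declaration, `struct verified_exec_params *params, params_ = { 0 };`, or zero it explicitly before the memcpy. The prefix copy also relies on the two structs sharing their leading fields at identical offsets; that assumption deserves a one-line comment at the copy. verifiedexecioctl begins outside this hunk, and since the struct embeds a MAXPATHLEN-sized path the new local is not small — if stack depth on this path matters, a heap buffer would avoid it.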
@@ -104,10 +104,18 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, 
caddr_t data,
                return (error);
 
        lparams = (struct verified_exec_label_params *)data;
-       if (cmd == VERIEXEC_LABEL_LOAD)
+       switch (cmd) {
+       case VERIEXEC_LABEL_LOAD:
                params = &lparams->params;
-       else
+               break;
+       case VERIEXEC_SIGNED_LOAD32:
+               params = &params_;
+               memcpy(params, data, sizeof(struct verified_exec_params32));
+               break;
+       default:
                params = (struct verified_exec_params *)data;
+               break;
+       }
 
        switch (cmd) {
        case VERIEXEC_ACTIVE:
@@ -187,6 +195,13 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, 
caddr_t data,
                        int flags = FREAD;
                        int override = (cmd != VERIEXEC_LOAD);
 
+                       if (params->flags & VERIEXEC_LABEL) {
+                               labellen = strnlen(lparams->label,
+                                   MAXLABELLEN) + 1;
+                               if (labellen > MAXLABELLEN)
+                                       return (EINVAL);
+                       }
+
                        /*
                         * Get the attributes for the file name passed
                         * stash the file's device id and inode number
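Review bot: The relocated label check still reads `lparams->label` whenever `params->flags & VERIEXEC_LABEL` is set, regardless of cmd, yet lparams only describes the argument buffer for VERIEXEC_LABEL_LOAD; for VERIEXEC_LOAD or VERIEXEC_SIGNED_LOAD32 the copied-in ioctl data is, as I read it, only as large as the smaller params struct, so a caller that sets that flag makes the kernel read past the end of its own buffer (the removed check in the last hunk had the same exposure, but here the result now drives an EINVAL decision). Guard it on the command, `if (cmd == VERIEXEC_LABEL_LOAD && (params->flags & VERIEXEC_LABEL)) {`, or clear VERIEXEC_LABEL from params->flags in the non-label cases of the earlier switch. The `labellen > MAXLABELLEN` test after `strnlen(..., MAXLABELLEN) + 1` rejects exactly a label with no terminator within MAXLABELLEN bytes, which is the right boundary assuming `label` is MAXLABELLEN bytes long — a short comment saying that is what is being rejected would help. The enclosing case block and the declaration of labellen are outside this hunk.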
@@ -228,9 +243,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, 
caddr_t data,
                            FINGERPRINT_INVALID);
                        VOP_UNLOCK(nid.ni_vp);
                        (void) vn_close(nid.ni_vp, FREAD, td->td_ucred, td);
-                       if (params->flags & VERIEXEC_LABEL)
-                               labellen = strnlen(lparams->label,
-                                   sizeof(lparams->label) - 1) + 1;
 
                        mtx_lock(&ve_mutex);
                        error = mac_veriexec_metadata_add_file(
