[PATCH 1/2] Verify commands executed by grub

Wed, 05 Jul 2017 14:26:49 -0700 

Pass commands to the verification code. We want to be able to log these
in the TPM verification case.
---
 grub-core/script/execute.c | 27 ++++++++++++++++++++++++---
 include/grub/verify.h      |  1 +
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index a8502d907..ee299fd0e 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -27,6 +27,7 @@
 #include <grub/normal.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/verify.h>
 
 /* Max digits for a char is 3 (0xFF is 255), similarly for an int it
    is sizeof (int) * 3, and one extra for a possible -ve sign.  */
@@ -929,8 +930,9 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
   grub_err_t ret = 0;
   grub_script_function_t func = 0;
   char errnobuf[18];
-  char *cmdname;
-  int argc;
+  char *cmdname, *cmdstring;
+  int argc, offset = 0, cmdlen = 0;
+  unsigned int i;
   char **args;
   int invert;
   struct grub_script_argv argv = { 0, 0, 0 };
@@ -939,6 +941,26 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
   if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
     return grub_errno;
 
+  for (i = 0; i < argv.argc; i++)
+    {
+      cmdlen += grub_strlen (argv.args[i]) + 1;
+    }
+
+  cmdstring = grub_malloc (cmdlen);
+  if (!cmdstring)
+    {
+      return grub_error (GRUB_ERR_OUT_OF_MEMORY,
+                        N_("cannot allocate command buffer"));
+    }
+
+  for (i = 0; i < argv.argc; i++)
+    {
+      offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
+                              argv.args[i]);
+    }
+  cmdstring[cmdlen - 1] = '\0';
+  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
+  grub_free (cmdstring);
   invert = 0;
   argc = argv.argc - 1;
   args = argv.args + 1;
@@ -1163,4 +1185,3 @@ grub_script_execute (struct grub_script *script)
 
   return grub_script_execute_cmd (script->cmd);
 }
-
diff --git a/include/grub/verify.h b/include/grub/verify.h
index acab4f437..517d386d0 100644
--- a/include/grub/verify.h
+++ b/include/grub/verify.h
@@ -11,6 +11,7 @@ enum grub_verify_string_type
   {
     GRUB_VERIFY_KERNEL_CMDLINE,
     GRUB_VERIFY_MODULE_CMDLINE,
+    GRUB_VERIFY_COMMAND,
   };
 
 struct grub_file_verifier
-- 
2.13.2.725.g09c95d1e9-goog


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to