svn commit: r348449 - in stable/12/stand: . ficl libsa

Thu, 30 May 2019 16:44:57 -0700 

Author: sjg
Date: Thu May 30 23:43:54 2019
New Revision: 348449
URL: https://svnweb.freebsd.org/changeset/base/348449

Log:
  ficl pfopen: verify file
  
  If the file is verified - do not allow write
  otherwise do not allow read.
  
  Add O_ACCMODE to stand.h
  
  MFC of r348249
  
  Reviewed by:  stevek, mindal_semihalf.com
  Sponsored by: Juniper Networks
  Differential Revision:        https://reviews.freebsd.org/D20387

Modified:
  stable/12/stand/ficl.mk
  stable/12/stand/ficl/loader.c
  stable/12/stand/libsa/stand.h

Modified: stable/12/stand/ficl.mk
==============================================================================
--- stable/12/stand/ficl.mk     Thu May 30 21:54:49 2019        (r348448)
+++ stable/12/stand/ficl.mk     Thu May 30 23:43:54 2019        (r348449)
@@ -16,3 +16,7 @@ CFLAGS+=      -fPIC
 
 CFLAGS+=       -I${FICLSRC} -I${FICLSRC}/${FICL_CPUARCH} -I${LDRSRC}
 CFLAGS+=       -DBF_DICTSIZE=15000
+
+.if ${MK_LOADER_VERIEXEC} != "no"
+CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
+.endif

Modified: stable/12/stand/ficl/loader.c
==============================================================================
--- stable/12/stand/ficl/loader.c       Thu May 30 21:54:49 2019        
(r348448)
+++ stable/12/stand/ficl/loader.c       Thu May 30 23:43:54 2019        
(r348449)
@@ -502,6 +502,23 @@ static void pfopen(FICL_VM *pVM)
 
     /* open the file */
     fd = open(name, mode);
+#ifdef LOADER_VERIEXEC
+    if (fd >= 0) {
+       if (verify_file(fd, name, 0, VE_GUESS) < 0) {
+           /* not verified writing ok but reading is not */
+           if ((mode & O_ACCMODE) != O_WRONLY) {
+               close(fd);
+               fd = -1;
+           }
+       } else {
+           /* verified reading ok but writing is not */
+           if ((mode & O_ACCMODE) != O_RDONLY) {
+               close(fd);
+               fd = -1;
+           }
+       }
+    }
+#endif
     free(name);
     stackPushINT(pVM->pStack, fd);
     return;

Modified: stable/12/stand/libsa/stand.h
==============================================================================
--- stable/12/stand/libsa/stand.h       Thu May 30 21:54:49 2019        
(r348448)
+++ stable/12/stand/libsa/stand.h       Thu May 30 23:43:54 2019        
(r348449)
@@ -286,6 +286,7 @@ extern int  open(const char *, int);
 #define        O_RDONLY        0x0
 #define O_WRONLY       0x1
 #define O_RDWR         0x2
+#define O_ACCMODE      0x3
 /* NOT IMPLEMENTED */
 #define        O_CREAT         0x0200          /* create if nonexistent */
 #define        O_TRUNC         0x0400          /* truncate to zero length */
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to