      1 /*-
      2  * SPDX-License-Identifier: BSD-2-Clause
      3  *
      4  * Copyright (c) 2011, 2012, 2013, 2015, 2016, 2019, Juniper Networks, Inc.
      5  * All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  * 1. Redistributions of source code must retain the above copyright
     11  *    notice, this list of conditions and the following disclaimer.
     12  * 2. Redistributions in binary form must reproduce the above copyright
     13  *    notice, this list of conditions and the following disclaimer in the
     14  *    documentation and/or other materials provided with the distribution.
     15  *
     16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
     21  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     22  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
     23  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
     24  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     26  * SUCH DAMAGE.
     27  */
     28 
     29 #ifndef	_SECURITY_MAC_VERIEXEC_INTERNAL_H
     30 #define	_SECURITY_MAC_VERIEXEC_INTERNAL_H
     31 
     32 #ifndef _KERNEL
     33 #error "no user-serviceable parts inside"
     34 #endif
     35 
     36 #include <sys/queue.h>
     37 #include <sys/malloc.h>
     38 #include <sys/sysctl.h>
     39 
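/* Name this MAC policy reports for itself. */
#define MAC_VERIEXEC_FULLNAME   "MAC/veriexec"

/*
 * Presumably one of the values passed as the check_files argument of the
 * metadata lookups declared below -- confirm against the callers.
 */
#define VERIEXEC_FILES_FIRST	1

/*
 * Debug tracing.  `x` must be a parenthesised printf argument list, e.g.
 *	VERIEXEC_DEBUG(2, ("veriexec: %s\n", name));
 * The expansion is wrapped in do/while(0) so it is exactly one statement:
 * the earlier bare `if (...) printf x` form would bind a following `else`
 * at the call site (dangling else), silently changing control flow in
 * MAC_VERIEXEC_DEBUG builds only.  The non-debug variant has the same shape
 * so `VERIEXEC_DEBUG(...);` is well-formed in both configurations.
 * mac_veriexec_debug is not declared in this header.
 */
#ifdef MAC_VERIEXEC_DEBUG
# define VERIEXEC_DEBUG(n, x) \
	do { if (mac_veriexec_debug > (n)) printf x; } while (0)
#else
# define VERIEXEC_DEBUG(n, x) do { } while (0)
#endif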
     49 
/*
 * One entry of the veriexec metadata database; handed out by
 * mac_veriexec_metadata_get_file_info() below.  Entries are linked on a
 * <sys/queue.h> LIST through `entries`.
 */
struct mac_veriexec_file_info
{
	int flags;			/* per-file flags; presumably what the *flags out-params below return */
	long fileid;			/* same type as the fileid lookup key of the metadata_get_* functions */
	unsigned long gen;		/* same type as the gen lookup key of the metadata_get_* functions */
	struct mac_veriexec_fpops *ops;	/* fingerprint ops used for this entry; see mac_veriexec_fingerprint_lookup_ops() */
	/* Expected fingerprint.  MAXFINGERPRINTLEN is not defined in this header. */
	unsigned char fingerprint[MAXFINGERPRINTLEN];
	/*
	 * Label bytes and their length.  NOTE(review): nothing in this
	 * declaration guarantees NUL termination -- treat `label` as a
	 * labellen-bounded buffer, not a C string, unless the .c confirms otherwise.
	 */
	char *label;
	size_t labellen;
	LIST_ENTRY(mac_veriexec_file_info) entries;	/* list linkage */
};
     61 
/* Malloc type for this module's allocations; the matching definition lives outside this header. */
MALLOC_DECLARE(M_VERIEXEC);

/* sysctl node for the module (security.mac.veriexec, going by the tag name). */
SYSCTL_DECL(_security_mac_veriexec);
     65 
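/*
 * Opaque types referenced only by pointer in the prototypes below.
 * struct mac_veriexec_fpops is listed here as well so its tag has file
 * scope on its own, rather than relying on the member declaration inside
 * struct mac_veriexec_file_info to introduce it.  struct cred is not
 * referenced by any prototype in this header (they use struct ucred).
 */
struct cred;
struct image_params;
struct mac_veriexec_fpops;
struct proc;
struct sbuf;
struct thread;
struct ucred;
struct vattr;
struct vnode;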
     74 
/*
 * Metadata database: struct mac_veriexec_file_info entries keyed by
 * (fsid, fileid, gen).  Every lookup takes a check_files argument whose
 * meaning is not defined in this header (VERIEXEC_FILES_FIRST above looks
 * like one of its values -- confirm).  The int return convention is not
 * stated here either; presumably 0 on success / errno, check the .c files.
 */
int	mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
	    struct vattr *vap, struct thread *td, int check_files);
/* *flags receives the flags for the executable of process p (out-param). */
int	mac_veriexec_metadata_get_executable_flags(struct ucred *cred,
	    struct proc *p, int *flags, int check_files);
/* *flags receives the flags of the file identified by (fsid, fileid, gen). */
int	mac_veriexec_metadata_get_file_flags(dev_t fsid, long fileid,
	    unsigned long gen, int *flags, int check_files);
/*
 * On success *ipp points at the database entry.  NOTE(review): the entry
 * presumably remains owned by the database (do not free it); the locking
 * rules for holding that pointer are not visible here -- confirm.
 * *found_dev presumably reports whether fsid itself was known.
 */
int	mac_veriexec_metadata_get_file_info(dev_t fsid, long fileid,
	    unsigned long gen, int *found_dev,
	    struct mac_veriexec_file_info **ipp, int check_files);
void	mac_veriexec_metadata_init(void);
/* Writes a dump of the database into *sbp. */
void	mac_veriexec_metadata_print_db(struct sbuf *sbp);
/* Notification that fsid was unmounted -- presumably drops its entries; confirm. */
int	mac_veriexec_metadata_unmounted(dev_t fsid, struct thread *td);

/* Fingerprint algorithm registry: register an ops table. */
int	mac_veriexec_fingerprint_add_ops(struct mac_veriexec_fpops *fpops);

/*
 * Fingerprint verification of an image being exec'd / of a vnode.
 * check_vnode takes `ip` (which carries the expected fingerprint) and a
 * caller-supplied `fingerprint` buffer whose size is not part of the
 * prototype -- presumably it must hold MAXFINGERPRINTLEN bytes, matching
 * the struct field.  Confirm before adding new callers.
 */
int	mac_veriexec_fingerprint_check_image(struct image_params *imgp,
	    int check_files, struct thread *td);
int	mac_veriexec_fingerprint_check_vnode(struct vnode *vp,
	    struct mac_veriexec_file_info *ip, struct thread *td,
	    off_t file_size, unsigned char *fingerprint);
void	mac_veriexec_fingerprint_init(void);
/* Look up a registered ops table by its type name; presumably NULL when unknown. */
struct mac_veriexec_fpops *
	mac_veriexec_fingerprint_lookup_ops(const char *type);

/*
 * Per-vnode fingerprint status and the module-wide state.
 * fingerprint_status_t is not defined in this header and must be provided
 * by a header included before it.
 */
fingerprint_status_t
	mac_veriexec_get_fingerprint_status(struct vnode *vp);
int	mac_veriexec_get_state(void);
/* Non-zero when the module's current state matches `state`; exact test (equality vs. mask) not visible here. */
int	mac_veriexec_in_state(int state);
void	mac_veriexec_set_fingerprint_status(struct vnode *vp,
	    fingerprint_status_t fp_status);
void	mac_veriexec_set_state(int state);
    106 
    107 #endif	/* !_SECURITY_MAC_VERIEXEC_INTERNAL_H */