
/*      $NetBSD: verified_exec.h,v 1.57 2007/05/19 22:11:25 christos Exp $      */

/*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
 * Copyright (c) 2005, 2006 Brett Lymn <blymn@NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the authors may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Veriexec (verified exec) interface.
 *
 * The first part of this header is shared with userland: entry flags,
 * the ioctl numbers of the Veriexec pseudo-device, the strict levels
 * and the fingerprint status codes.  The kernel-only part declares the
 * path-copy helper macros, the fingerprint operation types and the
 * entry points implemented by the Veriexec subsystem.
 */
#ifndef _SYS_VERIFIED_EXEC_H_
#define _SYS_VERIFIED_EXEC_H_

#include <sys/ioccom.h>

/*
 * Kernel-only includes and forward declarations.  HAVE_NBTOOL_CONFIG_H is
 * set when this header is pulled in by the host build tools, which must not
 * see kernel-internal types.
 */
#if defined(_KERNEL) && !defined(HAVE_NBTOOL_CONFIG_H)
#include <sys/types.h>
#include <prop/proplib.h>

struct mount;
struct vnode;

#ifdef notyet
struct vm_page;
#endif /* notyet */
#endif /* _KERNEL && !HAVE_NBTOOL_CONFIG_H */

/*
 * Flags for a Veriexec entry. These can be OR'd together.
 *
 * The first three describe the kind of access the entry is registered for
 * (as their comments say: exec, interpreter script, plain open).
 * VERIEXEC_UNTRUSTED marks an entry that resides on untrusted storage.
 * Note that 0x08 is deliberately unused here.
 */
#define VERIEXEC_DIRECT         0x01 /* Direct execution (exec) */
#define VERIEXEC_INDIRECT       0x02 /* Indirect execution (#!) */
#define VERIEXEC_FILE           0x04 /* Plain file (open) */
#define VERIEXEC_UNTRUSTED      0x10 /* Untrusted storage */

/*
 * Operations for the Veriexec pseudo-device.
 *
 * All requests use ioctl group 'X'.  With the exception of FLUSH, the
 * argument is a struct plistref, i.e. a serialized proplib property list
 * (the _IOW ones pass data into the kernel, QUERY passes data both ways
 * and DUMP returns data to the caller).  These are the control plane of
 * the subsystem: LOAD adds entries, DELETE removes them, FLUSH drops all
 * of them, so access to the device node governs who can change policy.
 */
#define VERIEXEC_LOAD           _IOW('X',  0x1, struct plistref)
#define VERIEXEC_TABLESIZE      _IOW('X',  0x2, struct plistref)
#define VERIEXEC_DELETE         _IOW('X',  0x3, struct plistref)
#define VERIEXEC_QUERY          _IOWR('X', 0x4, struct plistref)
#define VERIEXEC_DUMP           _IOR('X', 0x5, struct plistref)
#define VERIEXEC_FLUSH          _IO('X', 0x6)

/*
 * Veriexec modes (strict levels).
 * Judging by the names, a higher value denotes a stricter mode, from
 * merely learning fingerprints up to a full lockdown.
 */
#define VERIEXEC_LEARNING       0       /* Learning mode. */
#define VERIEXEC_IDS            1       /* Intrusion detection mode. */
#define VERIEXEC_IPS            2       /* Intrusion prevention mode. */
#define VERIEXEC_LOCKDOWN       3       /* Lockdown mode. */

/* Valid status field values (per-file fingerprint evaluation result). */
#define FINGERPRINT_NOTEVAL  0  /* fingerprint has not been evaluated */
#define FINGERPRINT_VALID    1  /* fingerprint evaluated and matches list */
#define FINGERPRINT_NOMATCH  2  /* fingerprint evaluated but does not match */

/* Per-page fingerprint status (distinct from the per-file status above). */
#define PAGE_FP_NONE    0       /* no per-page fingerprints. */
#define PAGE_FP_READY   1       /* per-page fingerprints ready for use. */
#define PAGE_FP_FAIL    2       /* mismatch in per-page fingerprints. */

#if defined(_KERNEL) && !defined(HAVE_NBTOOL_CONFIG_H)

/*
 * VERIEXEC_PATH_GET(from, seg, cto, to)
 *
 * Obtain a kernel-space copy of a pathname that may live in user space.
 *
 *   from  pathname pointer, in the address space named by `seg'
 *   seg   UIO_USERSPACE or UIO_SYSSPACE; rewritten to UIO_SYSSPACE
 *         after a user-space string has been copied in
 *   cto   receives the pointer to use from now on (the kernel copy, or
 *         `from' itself when it already was in kernel space)
 *   to    receives the pathname buffer that must later be released with
 *         VERIEXEC_PATH_PUT(), or NULL when nothing was allocated
 *
 * The user-space copy is bounded by MAXPATHLEN via copyinstr(), so an
 * over-long or unterminated user string is reported as an error rather
 * than overrunning the buffer.
 *
 * Hidden contract: the macro assigns to a local variable named `error'
 * and jumps to a label named `out' when copyinstr() fails; both must
 * exist in the calling function.  Because the buffer has already been
 * obtained from PNBUF_GET() when that jump happens, the caller's `out'
 * path must still reach VERIEXEC_PATH_PUT(to), otherwise the buffer
 * leaks on the error path.
 */
#if NVERIEXEC > 0
#define VERIEXEC_PATH_GET(from, seg, cto, to) \
        do { \
                if (seg == UIO_USERSPACE) { \
                        to = PNBUF_GET(); \
                        error = copyinstr(from, to, MAXPATHLEN, NULL); \
                        if (error) \
                                goto out; \
                        cto = to; \
                        seg = UIO_SYSSPACE; \
                } else { \
                        to = NULL; \
                        cto = from; \
                } \
        } while (/*CONSTCOND*/0)
/*
 * VERIEXEC_PATH_PUT(to)
 *
 * Release the buffer obtained by VERIEXEC_PATH_GET(); a NULL `to' (the
 * kernel-space case) is a no-op.
 */
#define VERIEXEC_PATH_PUT(to) \
        do { \
                if (to) \
                        PNBUF_PUT(to); \
        } while (/*CONSTCOND*/0)
#else
/*
 * Veriexec not configured: no copy is made, `cto' simply aliases `from'.
 * Note that `to' and `seg' are left untouched in this variant, so a
 * caller that reads `to' afterwards must have initialized it itself.
 * The PUT side is a plain no-op that only silences unused warnings.
 */
#define VERIEXEC_PATH_GET(from, seg, cto, to) \
        cto = from
#define VERIEXEC_PATH_PUT(to) \
        (void)to

#endif

/*
 * Fingerprint operations vector for Veriexec.
 * Function types: init, update, final.
 *
 * The void * argument is the hash context; update presumably takes the
 * data pointer and its length, and final presumably writes the digest into
 * the u_char * buffer -- confirm against the registered implementations.
 */
typedef void (*veriexec_fpop_init_t)(void *);
typedef void (*veriexec_fpop_update_t)(void *, u_char *, u_int);
typedef void (*veriexec_fpop_final_t)(u_char *, void *);

/*
 * Kernel entry points.  The one-line summaries below follow only from the
 * names and signatures; consult the implementation for exact semantics,
 * locking and return codes (int-returning functions appear to use errno
 * style, bool-returning ones a found/not-found answer).
 */
/* Subsystem initialization. */
void veriexec_init(void);
/*
 * Register a fingerprint algorithm under a name, with two size parameters
 * (presumably digest length and context size -- verify) and its ops.
 */
int veriexec_fpops_add(const char *, size_t, size_t, veriexec_fpop_init_t,
    veriexec_fpop_update_t, veriexec_fpop_final_t);
/* Add a file entry described by a proplib dictionary (VERIEXEC_LOAD path). */
int veriexec_file_add(struct lwp *, prop_dictionary_t);
/* Verify a vnode against its stored fingerprint for the given access flags. */
int veriexec_verify(struct lwp *, struct vnode *, const u_char *, int,
    bool *);
#ifdef notyet
/* Per-page verification; not yet enabled (see struct vm_page above). */
int veriexec_page_verify(struct veriexec_file_entry *, struct vm_page *,
    size_t, struct lwp *);
#endif /* notyet */
/* Whether a Veriexec entry exists for the vnode. */
bool veriexec_lookup(struct vnode *);
/* Remove the entry for a single file / for a whole mount point. */
int veriexec_file_delete(struct lwp *, struct vnode *);
int veriexec_table_delete(struct lwp *, struct mount *);
/* Export a vnode's entry into a proplib dictionary. */
int veriexec_convert(struct vnode *, prop_dictionary_t);
/* Dump all entries into a proplib array (VERIEXEC_DUMP path). */
int veriexec_dump(struct lwp *, prop_array_t);
/* Drop all entries (VERIEXEC_FLUSH path). */
int veriexec_flush(struct lwp *);
/* Forget cached state for a vnode. */
void veriexec_purge(struct vnode *);
/*
 * Policy hooks consulted by the VFS layer before a file system operation
 * (remove, rename, unmount, open) on a monitored object is allowed.
 */
int veriexec_removechk(struct lwp *, struct vnode *, const char *);
int veriexec_renamechk(struct lwp *, struct vnode *, const char *,
    struct vnode *, const char *);
int veriexec_unmountchk(struct mount *);
int veriexec_openchk(struct lwp *, struct vnode *, const char *, int);
#endif /* _KERNEL && !HAVE_NBTOOL_CONFIG_H */

#endif /* !_SYS_VERIFIED_EXEC_H_ */
