libreboot
/
lbmk
1
0
Fork 0
Code Packages Projects Releases Activity

util/nvmutil: harden pledge/unveil calls (OpenBSD) 

*Open* files at the start, then unveil. The same overall
behaviour is observed. In the case that invalid arguments
are given, simply opening a file does not cause much
performance impact (if any).

Restrict operations as early as possible in code.

Bonus:

writeGbeFile also hardened; if flags is O_RDONLY, it aborts.

Signed-off-by: Leah Rowe <leah@libreboot.org>
fsdg20230625
Leah Rowe 2023-06-01 13:35:34 +01:00
parent adf3aece6f
commit 69fa333e25
2 changed files with 25 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
util/nvmutil/nvmutil.c
View File

@ -7,14 +7,18 @@ int
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
xpledge("stdio rpath wpath unveil", NULL); xpledge("stdio rpath wpath unveil", NULL);
int flags = O_RDWR; if (argc < 3)
err(errno = EINVAL, NULL);
if (strcmp(COMMAND, "dump") == 0)
flags = O_RDONLY;
openFiles(FILENAME);
void (*cmd)(void) = NULL; void (*cmd)(void) = NULL;
const char *strMac = NULL, *strRMac = "??:??:??:??:??:??"; const char *strMac = NULL, *strRMac = "??:??:??:??:??:??";
if (argc == 3) { if (argc == 3) {
if (strcmp(COMMAND, "dump") == 0) { if (strcmp(COMMAND, "dump") == 0) {
xpledge("stdio rpath unveil", NULL); xpledge("stdio", NULL);
flags = O_RDONLY;
cmd = &cmd_dump; cmd = &cmd_dump;
} else if (strcmp(COMMAND, "setmac") == 0) { } else if (strcmp(COMMAND, "setmac") == 0) {
strMac = (char *) strRMac; /* random mac address */ strMac = (char *) strRMac; /* random mac address */
@ -42,16 +46,7 @@ main(int argc, char *argv[])
skipread[part ^ 1] = (cmd == &cmd_copy) | (cmd == &cmd_setchecksum) skipread[part ^ 1] = (cmd == &cmd_copy) | (cmd == &cmd_setchecksum)
| (cmd == &cmd_brick); | (cmd == &cmd_brick);
readGbeFile(FILENAME, flags); readGbeFile(FILENAME);
(void)rhex();
xunveil("/dev/urandom", "r");
if (flags == O_RDONLY) {
xpledge("stdio", NULL);
} else {
xpledge("stdio wpath unveil", NULL);
xunveil(FILENAME, "w");
}
if (strMac != NULL) if (strMac != NULL)
cmd_setmac(strMac); /* nvm gbe.bin setmac */ cmd_setmac(strMac); /* nvm gbe.bin setmac */
@ -64,13 +59,24 @@ main(int argc, char *argv[])
} }
void void
readGbeFile(const char *path, int flags) openFiles(const char *path)
{ {
(void)rhex();
xopen(fd, path, flags); xopen(fd, path, flags);
if ((st.st_size != SIZE_8KB)) if ((st.st_size != SIZE_8KB))
err(errno = ECANCELED, "File `%s` not 8KiB", path); err(errno = ECANCELED, "File `%s` not 8KiB", path);
errno = errno != ENOTDIR ? errno : 0; errno = errno != ENOTDIR ? errno : 0;
xunveil("/dev/urandom", "r");
if (flags != O_RDONLY) {
xunveil(path, "w");
xpledge("stdio wpath", NULL);
} else
xpledge("stdio", NULL);
}
void
readGbeFile(const char *path)
{
big_endian = ((uint8_t *) &test)[0] ^ 1; big_endian = ((uint8_t *) &test)[0] ^ 1;
gbe[1] = (gbe[0] = (size_t) buf) + SIZE_4KB; gbe[1] = (gbe[0] = (size_t) buf) + SIZE_4KB;
for (int p = 0; p < 2; p++) { for (int p = 0; p < 2; p++) {
@ -252,6 +258,8 @@ xorswap_buf(int partnum)
void void
writeGbeFile(const char *filename) writeGbeFile(const char *filename)
{ {
if (flags == O_RDONLY)
err(ERR(), "Write aborted due to read-only mode: %s", filename);
if (gbeFileModified) if (gbeFileModified)
errno = 0; errno = 0;
for (int p = 0; p < 2; p++) { for (int p = 0; p < 2; p++) {

5
util/nvmutil/nvmutil.h
View File

@ -13,7 +13,8 @@
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
void readGbeFile(const char *path, int flags); void openFiles(const char *path);
void readGbeFile(const char *path);
void cmd_setmac(const char *strMac); void cmd_setmac(const char *strMac);
int invalidMacAddress(const char *strMac, uint16_t *mac); int invalidMacAddress(const char *strMac, uint16_t *mac);
uint8_t hextonum(char chs); uint8_t hextonum(char chs);
@ -42,7 +43,7 @@ uint8_t *buf = (uint8_t *) &buf16;
size_t nf = 128, gbe[2]; size_t nf = 128, gbe[2];
uint8_t skipread[2] = {0, 0}; uint8_t skipread[2] = {0, 0};
int fd = -1, part, gbeFileModified = 0; int flags = O_RDWR, fd = -1, part, gbeFileModified = 0;
uint8_t nvmPartModified[2] = {0, 0}; uint8_t nvmPartModified[2] = {0, 0};
int test = 1; int test = 1;