tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
veriexec: read from stdin
It's a bit surprising that after many years of use, veriexecgen can't
read a list of files from stdin/input-file and calculate checksums of
those files.
It can be useful, e.g. when recalculating checksums of existing
fingerprintdb entries:
# awk '{print $1}' /etc/signatures | veriexecgen -i
or to read entries from /etc/mtree/set.* files:
# cd /
# awk '/type=dir/{next} {print $1}' /etc/mtree/set.comp | veriexecgen
The latter could probably be done during the build and checksums could
be placed to /etc/veriexec/sha256.{base,comp,...}.
I wrote a patch that adds the -i option to read from stdin but I don't
want to rush things before I hear opinions. Is it a good approach, does
precalculating checksums at build time make sense, etc.
--
Alex
Index: src/usr.sbin/veriexecgen/veriexecgen.8
===================================================================
RCS file: /cvsroot/src/usr.sbin/veriexecgen/veriexecgen.8,v
retrieving revision 1.20
diff -p -u -u -r1.20 veriexecgen.8
--- src/usr.sbin/veriexecgen/veriexecgen.8 8 Jan 2019 01:31:49 -0000 1.20
+++ src/usr.sbin/veriexecgen/veriexecgen.8 27 Apr 2019 21:51:02 -0000
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 8, 2019
+.Dd April 27, 2019
.Dt VERIEXECGEN 8
.Os
.Sh NAME
@@ -35,7 +35,7 @@
.Nd generate fingerprints for Veriexec
.Sh SYNOPSIS
.Nm
-.Op Fl AaDrSTvW
+.Op Fl AaDirSTvW
.Op Fl d Pa dir
.Op Fl o Pa fingerprintdb
.Op Fl p Pa prefix
@@ -81,6 +81,8 @@ Scan for files in
Multiple uses of this flag can specify more than one directory.
.\" .It Fl F
.\" Try to guess the correct flags for every file.
+.It Fl i
+Read files from the standard input.
.It Fl h
Display the help screen.
.It Fl o Ar fingerprintdb
Index: src/usr.sbin/veriexecgen/veriexecgen.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/veriexecgen/veriexecgen.c,v
retrieving revision 1.19
diff -p -u -u -r1.19 veriexecgen.c
--- src/usr.sbin/veriexecgen/veriexecgen.c 23 Apr 2019 22:35:42 -0000 1.19
+++ src/usr.sbin/veriexecgen/veriexecgen.c 27 Apr 2019 21:51:02 -0000
@@ -84,6 +84,7 @@ typedef struct veriexecgen_t {
int scan_system_dirs; /* just scan system directories */
int verbose; /* verbosity level */
int stamp; /* put a timestamp */
+ int from_stdin; /* read files from stdin */
} veriexecgen_t;
/* this struct describes a directory entry to generate a hash for */
@@ -136,8 +137,12 @@ banner(veriexecgen_t *vp, hash_t *hash_t
(void)printf("Fingerprinting ");
- for (j = 0; search_path[j] != NULL; j++)
- (void)printf("%s ", search_path[j]);
+ if (search_path) {
+ for (j = 0; search_path[j] != NULL; j++)
+ (void)printf("%s ", search_path[j]);
+ } else {
+ (void)printf("files from stdin ");
+ }
(void)printf("(%s) (%s) using %s\n",
vp->all_files ? "all files" : "executables only",
@@ -192,9 +197,43 @@ check_dup(char *filename)
return 0;
}
+/* add a new entry to the list for `path' */
+static void
+add_new_path_entry(veriexecgen_t *vp, const char *file, hash_t *hash)
+{
+ struct stat sb;
+ struct fentry *e;
+
+ if (stat(file, &sb) == -1) {
+ gripe(vp, "Cannot stat file `%s'", file);
+ return;
+ }
+
+ if (!vp->all_files && !IS_EXEC(sb.st_mode))
+ return;
+
+ e = ecalloc(1UL, sizeof(*e));
+
+ if (realpath(file, e->filename) == NULL) {
+ gripe(vp, "Cannot find absolute path `%s'", file);
+ return;
+ }
+ if (check_dup(e->filename)) {
+ free(e);
+ return;
+ }
+ if ((e->hash_val = do_hash(e->filename, hash)) == NULL) {
+ gripe(vp, "Cannot calculate hash `%s'", e->filename);
+ return;
+ }
+ e->flags = figure_flags(e->filename, sb.st_mode);
+
+ TAILQ_INSERT_TAIL(&fehead, e, f);
+}
+
/* add a new entry to the list for `file' */
static void
-add_new_entry(veriexecgen_t *vp, FTSENT *file, hash_t *hash)
+add_new_ftsent_entry(veriexecgen_t *vp, FTSENT *file, hash_t *hash)
{
struct fentry *e;
struct stat sb;
@@ -263,13 +302,33 @@ walk_dir(veriexecgen_t *vp, char **searc
strerror(file->fts_errno));
}
} else {
- add_new_entry(vp, file, hash);
+ add_new_ftsent_entry(vp, file, hash);
}
}
fts_close(fh);
}
+/* read files from stdin */
+static void
+read_from_stdin(veriexecgen_t *vp, hash_t *hash)
+{
+ char *line = NULL;
+ size_t linesize = 0;
+ ssize_t linelen;
+
+ while ((linelen = getline(&line, &linesize, stdin)) != -1) {
+ if (linelen > 0 && line[linelen - 1] == '\n')
+ line[linelen - 1] = '\0';
+ add_new_path_entry(vp, line, hash);
+ }
+
+ if (ferror(stdin)) {
+ gripe(vp, "Error reading from stdin `%s'", strerror(errno));
+ return;
+ }
+}
+
/* return a string representation of the flags */
static char *
flags2str(int flags)
@@ -383,7 +442,7 @@ main(int argc, char **argv)
/* error out if we have a dangling symlink or other fs problem */
v.exit_on_error = 1;
- while ((ch = getopt(argc, argv, "AaDd:ho:p:rSTt:vW")) != -1) {
+ while ((ch = getopt(argc, argv, "AaDd:hio:p:rSTt:vW")) != -1) {
switch (ch) {
case 'A':
v.append_output = 1;
@@ -408,6 +467,9 @@ main(int argc, char **argv)
case 'h':
usage();
return EXIT_SUCCESS;
+ case 'i':
+ v.from_stdin = 1;
+ break;
case 'o':
v.dbfile = optarg;
break;
@@ -452,7 +514,7 @@ main(int argc, char **argv)
TAILQ_INIT(&fehead);
- if (search_path == NULL)
+ if (search_path == NULL && !v.from_stdin)
v.scan_system_dirs = 1;
if (v.scan_system_dirs) {
@@ -469,6 +531,12 @@ main(int argc, char **argv)
walk_dir(&v, search_path, hash);
}
+ if (v.from_stdin) {
+ if (v.verbose)
+ banner(&v, hash, NULL);
+ read_from_stdin(&v, hash);
+ }
+
store_entries(&v, hash);
if (make_immutable && chflags(v.dbfile, SF_IMMUTABLE) != 0)
Home |
Main Index |
Thread Index |
Old Index