diff options
author | Michael Brown | 2012-03-22 14:39:45 +0100 |
---|---|---|
committer | Michael Brown | 2012-03-22 17:16:02 +0100 |
commit | 97dcc824bf298788e37f6869417662b0b9d16102 (patch) | |
tree | 60d81bbd91a751e02c6b139887eae33dafe33a7c /src/core/image.c | |
parent | [bios] Set character attributes only when necessary (diff) | |
download | ipxe-97dcc824bf298788e37f6869417662b0b9d16102.tar.gz ipxe-97dcc824bf298788e37f6869417662b0b9d16102.tar.xz ipxe-97dcc824bf298788e37f6869417662b0b9d16102.zip |
[image] Add concept of trusted images
Trusted images may always be executed. Untrusted images may be
executed only if the current image trust requirement allows untrusted
images.
Images can be marked as trusted using image_trust(), and marked as
untrusted using image_untrust().
The current image trust requirement can be changed using
image_set_trust(). It is possible to make the change permanent, in
which case any future attempts to change the image trust requirement
will fail.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/core/image.c')
-rw-r--r-- | src/core/image.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/src/core/image.c b/src/core/image.c index b1eba4ad..ae09a072 100644 --- a/src/core/image.c +++ b/src/core/image.c @@ -36,12 +36,28 @@ FILE_LICENCE ( GPL2_OR_LATER ); * */ +/* Disambiguate the various error causes */ +#define EACCES_UNTRUSTED \ + __einfo_error ( EINFO_EACCES_UNTRUSTED ) +#define EINFO_EACCES_UNTRUSTED \ + __einfo_uniqify ( EINFO_EACCES, 0x01, "Untrusted image" ) +#define EACCES_PERMANENT \ + __einfo_error ( EINFO_EACCES_PERMANENT ) +#define EINFO_EACCES_PERMANENT \ + __einfo_uniqify ( EINFO_EACCES, 0x02, "Trust requirement is permanent" ) + /** List of registered images */ struct list_head images = LIST_HEAD_INIT ( images ); /** Currently-executing image */ struct image *current_image; +/** Current image trust requirement */ +static int require_trusted_images = 0; + +/** Prevent changes to image trust requirement */ +static int require_trusted_images_permanent = 0; + /** * Free executable image * @@ -228,6 +244,12 @@ int image_exec ( struct image *image ) { if ( ( rc = image_select ( image ) ) != 0 ) return rc; + /* Check that image is trusted (if applicable) */ + if ( require_trusted_images && ! ( image->flags & IMAGE_TRUSTED ) ) { + DBGC ( image, "IMAGE %s is not trusted\n", image->name ); + return -EACCES_UNTRUSTED; + } + /* Switch current working directory to be that of the image itself */ old_cwuri = uri_get ( cwuri ); churi ( image->uri ); @@ -355,3 +377,27 @@ struct image * image_find_selected ( void ) { } return NULL; } + +/** + * Change image trust requirement + * + * @v require_trusted Require trusted images + * @v permanent Make trust requirement permanent + * @ret rc Return status code + */ +int image_set_trust ( int require_trusted, int permanent ) { + + /* Update trust requirement, if permitted to do so */ + if ( ! require_trusted_images_permanent ) { + require_trusted_images = require_trusted; + require_trusted_images_permanent = permanent; + } + + /* Fail if we attempted to change the trust requirement but + * were not permitted to do so. + */ + if ( require_trusted_images != require_trusted ) + return -EACCES_PERMANENT; + + return 0; +} |