Ensure we have obtained a lock on the process before calling

mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller has not already acquired the process lock. Obtained from: Juniper Networks, Inc. MFC after: 1 week
svn path=/head/; revision=347933
2019-05-17 17:50:01 +00:00 · 2019-05-17 17:50:01 +00:00 · 3da3012ace · 2020-12-20 02:59:44 +00:00
commit 3da3012ace
parent 949f834a61
1 changed files with 10 additions and 1 deletions
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@ -823,10 +823,19 @@ mac_veriexec_set_state(int state)
 int
 mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p)
 {
-	int error, flags;
+	int already_locked, error, flags;
+
+	/* Make sure we lock the process if we do not already have the lock */
+	already_locked = PROC_LOCKED(p);
+	if (!already_locked)
+		PROC_LOCK(p);

 	error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);

+	/* Unlock the process if we locked it previously */
+	if (!already_locked)
+		PROC_UNLOCK(p);
+
 	/* Any errors, deny access */
 	if (error != 0)
 		return (0);