From 3da3012ace35d97e4e41ae256e63119786c36596 Mon Sep 17 00:00:00 2001
From: "Stephen J. Kiernan"
Date: Fri, 17 May 2019 17:50:01 +0000
Subject: [PATCH] Ensure we have obtained a lock on the process before calling mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller has not already acquired the process lock. Obtained from: Juniper Networks, Inc. MFC after: 1 week
---
 sys/security/mac_veriexec/mac_veriexec.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index a8a61db0f869..c029edf10a43 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -823,10 +823,19 @@ mac_veriexec_set_state(int state)
 int
 mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p)
 {
- int error, flags;
+ int already_locked, error, flags;
+
+ /* Make sure we lock the process if we do not already have the lock */
+ already_locked = PROC_LOCKED(p);
+ if (!already_locked)
+ PROC_LOCK(p);
 
 error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
 
+ /* Unlock the process if we locked it previously */
+ if (!already_locked)
+ PROC_UNLOCK(p);
+
 /* Any errors, deny access */
 if (error != 0)
 return (0);
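Review bot: When `mac_veriexec_proc_is_trusted()` takes the process lock itself, it drops it again before the `error`/`flags` checks, so the answer it returns is only a snapshot and the caller acts on it with the process unlocked; the conditional `PROC_LOCKED(p)` pattern also leaves the locking contract undocumented. I would state the contract in a comment above the function, e.g. `/* May be called with or without the proc lock held; callers that need the result to stay valid must hold the lock across the call and their use of it. */`. Whether any current caller depends on that is not visible here, since the function body continues past the hunk and the callers are outside it.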