veriexec: Improve comments

Make it clear we're checking to see if the target is a verified file and
prevent its replacement if so.

Sponsored by:		Netflix
Reviewed by:		rpokala
Differential Revision:	https://reviews.freebsd.org/D39079
Warner Losh 2023-03-14 22:59:20 -06:00
parent 8e933d9c59
commit 559e41a11b


@ -602,11 +602,11 @@ mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused,
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);
/*
* Check if it's a verified file
*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == 0) { /* file is verified */
if (error == 0) {
/*
* The target is verified, so disallow replacement.
*/
MAC_VERIEXEC_DBG(2,
"(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);
@ -643,11 +643,11 @@ mac_veriexec_vnode_check_rename_from(struct ucred *cred,
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);
/*
* Check if it's a verified file
*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == 0) { /* file is verified */
if (error == 0) {
/*
* The target is verified, so disallow replacement.
*/
MAC_VERIEXEC_DBG(2,
"(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid);
return (EAUTH);
@ -692,11 +692,11 @@ mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unuse
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);
/*
* Check if it's a verified file
*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == 0) { /* file is verified */
if (error == 0) {
/*
* The target is verified, so disallow replacement.
*/
MAC_VERIEXEC_DBG(2,
"(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid);
return (EAUTH);
@ -727,13 +727,14 @@ mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
return (0);
/*
* Do not allow chmod (set-[gu]id) of verified file
* Prohibit chmod of verified set-[gu]id file.
*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == EAUTH) /* it isn't verified */
if (error == EAUTH) /* target not verified */
return (0);
if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
return (EAUTH);
return (0);
}
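Review bot: In the `mac_veriexec_vnode_check_setmode` hunk, the reworded comment `Prohibit chmod of verified set-[gu]id file.` reads as if the file must already be set-[gu]id, but the check on the new side is `(mode & (S_ISUID|S_ISGID)) != 0`. That appears to test the mode being applied rather than the file's current mode; the parameter list is cut off in the hunk header, so this is inferred from the function name. A wording such as `Prohibit setting set-[gu]id bits on a verified file.` would match the check. The same function also returns 0 for any `mac_veriexec_check_vp` result that is neither 0 nor EAUTH, so a comment stating whether that permissive path is intended would help anyone auditing the policy. The function body starts outside the hunk.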