Protect commands that are considered dangerous with checks for kmem write
priv. This allows for MAC/veriexec to prevent apps that are not "trusted" from using these commands. Obtained from: Juniper Networks, Inc. MFC after: 1 week
This commit is contained in:
parent
3da3012ace
commit
9ce904dfde
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=347934
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*
|
||||
* Copyright (c) 2011-2013, 2015, Juniper Networks, Inc.
|
||||
* Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
@ -44,6 +44,7 @@
|
||||
#include <sys/mount.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/namei.h>
|
||||
#include <sys/priv.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/queue.h>
|
||||
#include <sys/vnode.h>
|
||||
@ -70,6 +71,37 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
|
||||
struct verified_exec_params *params;
|
||||
int error = 0;
|
||||
|
||||
/*
|
||||
* These commands are considered safe requests for anyone who has
|
||||
* permission to access to device node.
|
||||
*/
|
||||
switch (cmd) {
|
||||
case VERIEXEC_GETSTATE:
|
||||
{
|
||||
int *ip = (int *)data;
|
||||
|
||||
if (ip)
|
||||
*ip = mac_veriexec_get_state();
|
||||
else
|
||||
error = EINVAL;
|
||||
|
||||
return (error);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Anything beyond this point is considered dangerous, so we need to
|
||||
* only allow processes that have kmem write privs to do them.
|
||||
*
|
||||
* MAC/veriexec will grant kmem write privs to "trusted" processes.
|
||||
*/
|
||||
error = priv_check(td, PRIV_KMEM_WRITE);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
params = (struct verified_exec_params *)data;
|
||||
switch (cmd) {
|
||||
case VERIEXEC_ACTIVE:
|
||||
@ -106,16 +138,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
|
||||
error = EINVAL;
|
||||
mtx_unlock(&ve_mutex);
|
||||
break;
|
||||
case VERIEXEC_GETSTATE:
|
||||
{
|
||||
int *ip = (int *)data;
|
||||
|
||||
if (ip)
|
||||
*ip = mac_veriexec_get_state();
|
||||
else
|
||||
error = EINVAL;
|
||||
}
|
||||
break;
|
||||
case VERIEXEC_LOCK:
|
||||
mtx_lock(&ve_mutex);
|
||||
mac_veriexec_set_state(VERIEXEC_STATE_LOCKED);
|
||||
|
Loading…
Reference in New Issue
Block a user