d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mac_veriexec: Authorize reads of secured sysctls

Browse Source 
Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well.

This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41.

Reviewed by:		sjg
Differential revision:	https://reviews.freebsd.org/D34327
Obtained from:		Stormshield
This commit is contained in:
Wojciech Macek 2022-06-29 10:48:01 +02:00
parent 8cff8e6e13
commit 15c362aeb7
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/security/mac_veriexec/mac_veriexec.c
View File

@ -437,7 +437,7 @@ mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp,
return (0);
oid = oidp;
if (oid->oid_kind & CTLFLAG_SECURE) {
if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
return (EPERM); /* XXX call mac_veriexec_priv_check? */
}
return 0;