From ade97886650b5c08654262389162e815cc0f422d Mon Sep 17 00:00:00 2001
From: "Stephen J. Kiernan"
Date: Sat, 14 Jul 2018 17:21:16 +0000
Subject: [PATCH] Add mpo_vnode_check_setmode MAC method to MAC/veriexec.

In the method, disallow changing SUID/SGID on verified files.

Obtained from: Juniper Networks, Inc.
---
 sys/security/mac_veriexec/mac_veriexec.c | 33 ++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index b75328e5e8aa..a8a61db0f869 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -549,6 +549,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+/**
+ * @brief Check mode changes on file to ensure they should be allowed.
+ *
+ * We cannot allow chmod of SUID or SGID on verified files.
+ *
+ * @param cred credentials to use
+ * @param vp vnode of the file to open
+ * @param label vnode label assigned to the vnode
+ * @param mode mode flags to set
+ *
+ * @return 0 if the mode change should be allowed, EAUTH otherwise.
+ */
+static int
+mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
+    struct label *label __unused, mode_t mode)
+{
+	int error;
+
+	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
+		return (0);
+
+	/*
+	 * Do not allow chmod (set-[gu]id) of verified file
+	 */
+	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
+	if (error == EAUTH) /* it isn't verified */
+		return (0);
+	if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
+		return (EAUTH);
+	return (0);
+}
+
 /**
  * @internal
  * @brief Initialize the mac_veriexec MAC policy
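Review bot: mac_veriexec_vnode_check_setmode fails open for every mac_veriexec_check_vp() result other than 0 or EAUTH: the final `return (0);` permits the set-id mode change whenever verification itself errors out (an I/O failure while reading the file, or a fingerprint mismatch if check_vp reports that as something other than EAUTH — the hunk only documents EAUTH as "it isn't verified", so I cannot confirm the full set of codes). Since the stated policy is that only files known not to be verified may gain SUID/SGID, the safer shape is to propagate unexpected errors: replace the `error == 0 &&` condition with `if (error != 0) return (error);` followed by `if ((mode & (S_ISUID|S_ISGID)) != 0) return (EAUTH);`, leaving the trailing `return (0);` for the verified-but-no-set-id case. Separately, the Doxygen line `@param vp vnode of the file to open` is carried over from check_open; it should read `@param vp vnode of the file whose mode is being changed`.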
@@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops =
 	.mpo_proc_check_debug = mac_veriexec_proc_check_debug,
 	.mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
 	.mpo_vnode_check_open = mac_veriexec_vnode_check_open,
+	.mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode,
 	.mpo_vnode_copy_label = mac_veriexec_copy_label,
 	.mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
 	.mpo_vnode_init_label = mac_veriexec_vnode_init_label,