sys/security/mac_veriexec/mac_veriexec.c
Show First 20 Lines • Show All 597 Lines • ▼ Show 20 Lines | mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused, | ||||
/* | /* | ||||
* Look for the file on the fingerprint lists iff it has not been seen | * Look for the file on the fingerprint lists iff it has not been seen | ||||
* before. | * before. | ||||
*/ | */ | ||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) | if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) | ||||
return (0); | return (0); | ||||
/* | /* | ||||
* Check if it's a verified file | * Check if this is an attempt to replace a verified file | ||||
rpokala: Delete the leading comment entirely. | |||||
*/ | */ | ||||
error = mac_veriexec_check_vp(cred, vp, VVERIFY); | error = mac_veriexec_check_vp(cred, vp, VVERIFY); | ||||
if (error == 0) { /* file is verified */ | if (error == 0) { /* the target is verified */ | ||||
Not Done Inline Actions/* The target is verified, so disallow replacement. */ rpokala: ```
/* The target is verified, so disallow replacement. */
``` | |||||
MAC_VERIEXEC_DBG(2, | MAC_VERIEXEC_DBG(2, | ||||
"(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid); | "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid); | ||||
return (EAUTH); | return (EAUTH); | ||||
} | } | ||||
return (0); | return (0); | ||||
} | } | ||||
Show All 21 Lines | mac_veriexec_vnode_check_rename_from(struct ucred *cred, | ||||
/* | /* | ||||
* Look for the file on the fingerprint lists iff it has not been seen | * Look for the file on the fingerprint lists iff it has not been seen | ||||
* before. | * before. | ||||
*/ | */ | ||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) | if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) | ||||
return (0); | return (0); | ||||
/* | /* | ||||
* Check if it's a verified file | * Check if this is an attempt to replace a verified file | ||||
*/ | */ | ||||
error = mac_veriexec_check_vp(cred, vp, VVERIFY); | error = mac_veriexec_check_vp(cred, vp, VVERIFY); | ||||
if (error == 0) { /* file is verified */ | if (error == 0) { /* the target is verified */ | ||||
MAC_VERIEXEC_DBG(2, | MAC_VERIEXEC_DBG(2, | ||||
"(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid); | "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid); | ||||
return (EAUTH); | return (EAUTH); | ||||
} | } | ||||
return (0); | return (0); | ||||
} | } | ||||
Show All 29 Lines | mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unused, | ||||
/* | /* | ||||
* Look for the file on the fingerprint lists iff it has not been seen | * Look for the file on the fingerprint lists iff it has not been seen | ||||
* before. | * before. | ||||
*/ | */ | ||||
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) | if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) | ||||
return (0); | return (0); | ||||
/* | /* | ||||
* Check if it's a verified file | * Check if this is an attempt to replace a verified file | ||||
*/ | */ | ||||
error = mac_veriexec_check_vp(cred, vp, VVERIFY); | error = mac_veriexec_check_vp(cred, vp, VVERIFY); | ||||
if (error == 0) { /* file is verified */ | if (error == 0) { /* the target is verified */ | ||||
MAC_VERIEXEC_DBG(2, | MAC_VERIEXEC_DBG(2, | ||||
"(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid); | "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid); | ||||
return (EAUTH); | return (EAUTH); | ||||
} | } | ||||
return (0); | return (0); | ||||
} | } | ||||
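Review bot: In mac_veriexec_vnode_check_unlink the `if (error == 0)` test denies only when verification succeeds, so every non-zero return from mac_veriexec_check_vp, whatever its cause, falls through to `return (0)` and permits the operation; mac_veriexec_vnode_check_rename_from and mac_veriexec_vnode_check_rename_to have the same shape. mac_veriexec_check_vp is not visible here, so whether it can fail for reasons other than a missing fingerprint (for example a lookup or I/O error) is unconfirmed, but if it can, these hooks fail open while VERIEXEC_STATE_ENFORCE is set. Either deny on unexpected errors or state the intent at the fall-through, e.g. `/* Any other result means the file is not protected; allow. */`. The EAUTH branch is also recorded only through `MAC_VERIEXEC_DBG(2, ...)` with the euid and no file identity, which leaves little to work with when investigating a denied attempt. All three function bodies start outside the visible lines.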
Delete the leading comment entirely.