Differential D39079 Diff 118835 sys/security/mac_veriexec/mac_veriexec.c

Changeset View

Standalone View

sys/security/mac_veriexec/mac_veriexec.c

Show First 20 Lines • Show All 595 Lines • ▼ Show 20 Lines	mac_veriexec_vnode_check_unlink(struct ucred cred, struct vnode dvp __unused,
int error;		int error;

/*		/*
* Look for the file on the fingerprint lists iff it has not been seen		* Look for the file on the fingerprint lists iff it has not been seen
* before.		* before.
*/		*/
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)		if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);		return (0);

		error = mac_veriexec_check_vp(cred, vp, VVERIFY);
		rpokalaUnsubmitted Not Done Inline Actions Delete the leading comment entirely. rpokala: Delete the leading comment entirely.
		if (error == 0) {
/*		/*
* Check if it's a verified file		* The target is verified, so disallow replacement.
*/		*/
		rpokalaUnsubmitted Not Done Inline Actions /* The target is verified, so disallow replacement. / rpokala:* ``` /* The target is verified, so disallow replacement. */ ```
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == 0) { /* file is verified */
MAC_VERIEXEC_DBG(2,		MAC_VERIEXEC_DBG(2,
"(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);		"(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);

return (EAUTH);		return (EAUTH);
}		}
return (0);		return (0);
}		}

Show All 20 Lines	mac_veriexec_vnode_check_rename_from(struct ucred *cred,

/*		/*
* Look for the file on the fingerprint lists iff it has not been seen		* Look for the file on the fingerprint lists iff it has not been seen
* before.		* before.
*/		*/
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)		if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);		return (0);

		error = mac_veriexec_check_vp(cred, vp, VVERIFY);
		if (error == 0) {
/*		/*
* Check if it's a verified file		* The target is verified, so disallow replacement.
*/		*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == 0) { /* file is verified */
MAC_VERIEXEC_DBG(2,		MAC_VERIEXEC_DBG(2,
"(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid);		"(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid);
return (EAUTH);		return (EAUTH);
}		}
return (0);		return (0);
}		}


Show All 28 Lines	mac_veriexec_vnode_check_rename_to(struct ucred cred, struct vnode dvp __unused,

/*		/*
* Look for the file on the fingerprint lists iff it has not been seen		* Look for the file on the fingerprint lists iff it has not been seen
* before.		* before.
*/		*/
if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)		if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);		return (0);

		error = mac_veriexec_check_vp(cred, vp, VVERIFY);
		if (error == 0) {
/*		/*
* Check if it's a verified file		* The target is verified, so disallow replacement.
*/		*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == 0) { /* file is verified */
MAC_VERIEXEC_DBG(2,		MAC_VERIEXEC_DBG(2,
"(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid);		"(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid);
return (EAUTH);		return (EAUTH);
}		}
return (0);		return (0);
}		}


Show All 14 Lines	mac_veriexec_vnode_check_setmode(struct ucred cred, struct vnode vp,
struct label *label __unused, mode_t mode)		struct label *label __unused, mode_t mode)
{		{
int error;		int error;

if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)		if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
return (0);		return (0);

/*		/*
* Do not allow chmod (set-[gu]id) of verified file		* Prohibit chmod of verified set-[gu]id file.
*/		*/
error = mac_veriexec_check_vp(cred, vp, VVERIFY);		error = mac_veriexec_check_vp(cred, vp, VVERIFY);
if (error == EAUTH) /* it isn't verified */		if (error == EAUTH) /* target not verified */
return (0);		return (0);
if (error == 0 && (mode & (S_ISUID\|S_ISGID)) != 0)		if (error == 0 && (mode & (S_ISUID\|S_ISGID)) != 0)
return (EAUTH);		return (EAUTH);

return (0);		return (0);
}		}

/**		/**
* @internal		* @internal
* @brief Initialize the mac_veriexec MAC policy		* @brief Initialize the mac_veriexec MAC policy
*		*
* @param mpc MAC policy configuration		* @param mpc MAC policy configuration
▲ Show 20 Lines • Show All 285 Lines • Show Last 20 Lines