
veriexec: Improve comments
Closed, Public

Authored by imp on Mar 14 2023, 5:06 PM.
Referenced Files
F129104011: D39079.id.diff
Wed, Sep 17, 10:26 AM
F129095166: D39079.id118835.diff
Wed, Sep 17, 8:09 AM
F129093889: D39079.id118834.diff
Wed, Sep 17, 7:52 AM

Details

Summary

Make it clear we're checking to see if the target is a verified file and
prevent its replacement if so.

Sponsored by: Netflix

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 50368
Build 47259: arc lint + arc unit

Event Timeline

imp requested review of this revision. Mar 14 2023, 5:06 PM

Oh, do simon's suggestion too

I would just have a single comment for the new functions: The target is verified, so disallow replacement.

In setmode, Prohibit chmod (set-[gu]id) of verified file.

> I would just have a single comment for the new functions: The target is verified, so disallow replacement.
>
> In setmode, Prohibit chmod (set-[gu]id) of verified file.

I get the second one, but not the first one... where should that be? I'm having trouble seeing where it might be helpful...

sys/security/mac_veriexec/mac_veriexec.c

Lines 604–605: Delete the leading comment entirely.

Lines 606–609: /* The target is verified, so disallow replacement. */

ravi's suggestions, I hope

This revision is now accepted and ready to land. Mar 15 2023, 4:38 AM
This revision was automatically updated to reflect the committed changes.