Page MenuHomeFreeBSD
Differential D39079

veriexec: Improve comments
ClosedPublic
Actions

Authored by imp on Mar 14 2023, 5:06 PM.
Tags
None
Referenced Files
F122215331: D39079.id118811.diff
Thu, Jul 3, 10:24 AM
F122183809: D39079.diff
Thu, Jul 3, 2:01 AM
F122161642: D39079.id.diff
Wed, Jul 2, 8:21 PM
Unknown Object (File)
Tue, Jul 1, 4:38 PM
Unknown Object (File)
Tue, Jul 1, 3:46 AM
Unknown Object (File)
Sun, Jun 22, 9:03 PM
Unknown Object (File)
Wed, Jun 18, 3:02 AM
Unknown Object (File)
Tue, Jun 17, 11:55 AM
View All 87 Files
Subscribers
dab
rpokala

Details

Reviewers
rpokala
Commits
rG559e41a11b32: veriexec: Improve comments
Summary

Make it clear we're checking to see if the target is a verified file and
prevent its replacement if so.

Sponsored by: Netflix

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 50368
Build 47259: arc lint + arc unit

Event Timeline

imp created this revision.Mar 14 2023, 5:06 PM
Herald added a subscriber: dab. · View Herald TranscriptMar 14 2023, 5:06 PM
imp requested review of this revision.Mar 14 2023, 5:06 PM
Harbormaster completed remote builds in B50361: Diff 118811.Mar 14 2023, 5:06 PM
imp updated this revision to Diff 118812.Mar 14 2023, 5:08 PM

Oh, do simon's suggestion too

Harbormaster completed remote builds in B50362: Diff 118812.Mar 14 2023, 5:08 PM
rpokala added a subscriber: rpokala.Mar 14 2023, 5:13 PM

I would just have a single comment for the new functions: The target is verified, so disallow replacement.

In setmode, Prohibit chmod (set-[gu]id) of verified file.

imp added a comment.Mar 14 2023, 8:30 PM
In D39079#889622, @rpokala wrote:

I would just have a single comment for the new functions: The target is verified, so disallow replacement.

In setmode, Prohibit chmod (set-[gu]id) of verified file.

I get the second one, but not the first one... where should that be? I'm having trouble seeing where it might be helpful...

rpokala added inline comments.Mar 15 2023, 4:08 AM
sys/security/mac_veriexec/mac_veriexec.c
604–605

Delete the leading comment entirely.

606–609
/* The target is verified, so disallow replacement. */
imp updated this revision to Diff 118834.Mar 15 2023, 4:18 AM

ravi's suggestions, I hope

Harbormaster completed remote builds in B50368: Diff 118834.Mar 15 2023, 4:18 AM
rpokala accepted this revision.Mar 15 2023, 4:38 AM
This revision is now accepted and ready to land.Mar 15 2023, 4:38 AM
Closed by commit rG559e41a11b32: veriexec: Improve comments (authored by imp). · Explain WhyMar 15 2023, 5:00 AM
This revision was automatically updated to reflect the committed changes.
imp added a commit: rG559e41a11b32: veriexec: Improve comments.

Revision Contents
Changeset List

PathSize
sys/
security/
mac_veriexec/
29 lines

Diff 118834

View Options

sys/security/mac_veriexec/mac_veriexec.c

Loading...