From owner-svn-src-head@freebsd.org  Fri May 17 18:02:27 2019
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F309B159C1FE;
 Fri, 17 May 2019 18:02:26 +0000 (UTC)
 (envelope-from stevek@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 96812862F8;
 Fri, 17 May 2019 18:02:26 +0000 (UTC)
 (envelope-from stevek@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 70B92BF36;
 Fri, 17 May 2019 18:02:26 +0000 (UTC)
 (envelope-from stevek@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4HI2Qnc090927;
 Fri, 17 May 2019 18:02:26 GMT (envelope-from stevek@FreeBSD.org)
Received: (from stevek@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4HI2QpV090926;
 Fri, 17 May 2019 18:02:26 GMT (envelope-from stevek@FreeBSD.org)
Message-Id: <201905171802.x4HI2QpV090926@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: stevek set sender to
 stevek@FreeBSD.org using -f
From: "Stephen J. Kiernan" <stevek@FreeBSD.org>
Date: Fri, 17 May 2019 18:02:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r347934 - head/sys/dev/veriexec
X-SVN-Group: head
X-SVN-Commit-Author: stevek
X-SVN-Commit-Paths: head/sys/dev/veriexec
X-SVN-Commit-Revision: 347934
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 96812862F8
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.95 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_HAM_MEDIUM(-1.00)[-0.999,0];
 NEURAL_HAM_SHORT(-0.95)[-0.950,0];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2019 18:02:27 -0000

Author: stevek
Date: Fri May 17 18:02:26 2019
New Revision: 347934
URL: https://svnweb.freebsd.org/changeset/base/347934

Log:
  Protect commands that are considered dangerous with checks for kmem write
  priv. This allows for MAC/veriexec to prevent apps that are not "trusted"
  from using these commands.
  
  Obtained from:	Juniper Networks, Inc.
  MFC after:	1 week

Modified:
  head/sys/dev/veriexec/verified_exec.c

Modified: head/sys/dev/veriexec/verified_exec.c
==============================================================================
--- head/sys/dev/veriexec/verified_exec.c	Fri May 17 17:50:01 2019	(r347933)
+++ head/sys/dev/veriexec/verified_exec.c	Fri May 17 18:02:26 2019	(r347934)
@@ -1,7 +1,7 @@
 /*
  * $FreeBSD$
  *
- * Copyright (c) 2011-2013, 2015, Juniper Networks, Inc.
+ * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44,6 +44,7 @@
 #include <sys/mount.h>
 #include <sys/mutex.h>
 #include <sys/namei.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/queue.h>
 #include <sys/vnode.h>
@@ -70,6 +71,37 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cm
 	struct verified_exec_params *params;
 	int error = 0;
 
+	/*
+	 * These commands are considered safe requests for anyone who has
+	 * permission to access to device node.
+	 */
+	switch (cmd) {
+	case VERIEXEC_GETSTATE:
+		{
+			int *ip = (int *)data;
+
+			if (ip)
+				*ip = mac_veriexec_get_state();
+			else
+			    error = EINVAL;
+
+			return (error);
+		}
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Anything beyond this point is considered dangerous, so we need to
+	 * only allow processes that have kmem write privs to do them.
+	 *
+	 * MAC/veriexec will grant kmem write privs to "trusted" processes.
+	 */
+	error = priv_check(td, PRIV_KMEM_WRITE);
+	if (error)
+		return (error);
+
 	params = (struct verified_exec_params *)data;
 	switch (cmd) {
 	case VERIEXEC_ACTIVE:
@@ -105,16 +137,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cm
 		else
 			error = EINVAL;
 		mtx_unlock(&ve_mutex);
-		break;
-	case VERIEXEC_GETSTATE:
-		{
-			int *ip = (int *)data;
-			
-			if (ip)
-				*ip = mac_veriexec_get_state();
-			else
-			    error = EINVAL;
-		}
 		break;
 	case VERIEXEC_LOCK:
 		mtx_lock(&ve_mutex);