Date: Sat, 14 Jul 2018 17:21:17 +0000 (UTC) From: "Stephen J. Kiernan" <stevek@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r336289 - head/sys/security/mac_veriexec Message-ID: <201807141721.w6EHLHIU047725@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: stevek Date: Sat Jul 14 17:21:16 2018 New Revision: 336289 URL: https://svnweb.freebsd.org/changeset/base/336289 Log: Add mpo_vnode_check_setmode MAC method to MAC/veriexec. In the method, disallow changing SUID/SGID on verified files. Obtained from: Juniper Networks, Inc. Modified: head/sys/security/mac_veriexec/mac_veriexec.c Modified: head/sys/security/mac_veriexec/mac_veriexec.c ============================================================================== --- head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:20:27 2018 (r336288) +++ head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:21:16 2018 (r336289) @@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, stru } /** + * @brief Check mode changes on file to ensure they should be allowed. + * + * We cannot allow chmod of SUID or SGID on verified files. + * + * @param cred credentials to use + * @param vp vnode of the file to open + * @param label vnode label assigned to the vnode + * @param mode mode flags to set + * + * @return 0 if the mode change should be allowed, EAUTH otherwise. + */ +static int +mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp, + struct label *label __unused, mode_t mode) +{ + int error; + + if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) + return (0); + + /* + * Do not allow chmod (set-[gu]id) of verified file + */ + error = mac_veriexec_check_vp(cred, vp, VVERIFY); + if (error == EAUTH) /* it isn't verified */ + return (0); + if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0) + return (EAUTH); + return (0); +} + +/** * @internal * @brief Initialize the mac_veriexec MAC policy * @@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops = .mpo_proc_check_debug = mac_veriexec_proc_check_debug, .mpo_vnode_check_exec = mac_veriexec_vnode_check_exec, .mpo_vnode_check_open = mac_veriexec_vnode_check_open, + .mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode, .mpo_vnode_copy_label = mac_veriexec_copy_label, .mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label, .mpo_vnode_init_label = mac_veriexec_vnode_init_label,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201807141721.w6EHLHIU047725>