From nobody Sun Apr 16 23:40:07 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Q069k3LZJz44tgT
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Sun, 16 Apr 2023 23:40:10 +0000 (UTC)
	(envelope-from jrtc27@jrtc27.com)
Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Q069k0s7wz45Pl
	for <dev-commits-src-all@freebsd.org>; Sun, 16 Apr 2023 23:40:10 +0000 (UTC)
	(envelope-from jrtc27@jrtc27.com)
Authentication-Results: mx1.freebsd.org;
	none
Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-2f27a9c7970so1057801f8f.2
        for <dev-commits-src-all@freebsd.org>; Sun, 16 Apr 2023 16:40:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1681688408; x=1684280408;
        h=to:references:message-id:content-transfer-encoding:cc:date
         :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=gJ4Zt0aZJ+3x9Omlcbk9FmiVa+8vHy6++pIMfYXLMSQ=;
        b=Wxcozd9gX/UKDn3C5cbSa8U1WdcnWEf2oRIWkUCkpEBGo32t2yZUX2sE7Oj5BkxFT2
         kp4DNEXNuXZuVLBR7/KFl8/YWjRMirQ/PTJa1KvRC+zKN8jujDJ1uUYGh+m7rXb2oNcC
         LE4HYVRrAw/pj/GIzFquJ3T3nW4HAG5+VqGZoihZOfQ5LIt/4QfkFBi/isEt+EignC7f
         KaZ01rOHDhJBkG43Wtshp0jEWRjvugQxCuoJO4ht8CccsMEpKT14DXxWJSYi+UOLqCa1
         NioGTO39gQE5TIEb4mQOMbxWe9ariM6K0TNgSoKAZD22MBtdXKVjAfXuOibaEzwqoobS
         J3Wg==
X-Gm-Message-State: AAQBX9eyCOHKflki+r1frVyTYsZCzmL8WHte8OaBZVIEDlMgiGvOqHaq
	NTnaNHGQGEWiTTzcdIkcp3/qJbbcWAr+n6VyCdR0VQ==
X-Google-Smtp-Source: AKy350Y9NCh+KqGtKKNM9+NOZbsZ+WKYQjLxpjZJxasei4lahGM5p+lm2j+UkGBVbZbtGE4Uv17uew==
X-Received: by 2002:adf:e58d:0:b0:2f4:1953:37af with SMTP id l13-20020adfe58d000000b002f4195337afmr3657533wrm.16.1681688408432;
        Sun, 16 Apr 2023 16:40:08 -0700 (PDT)
Received: from smtpclient.apple ([131.111.5.246])
        by smtp.gmail.com with ESMTPSA id x4-20020a5d54c4000000b002c3f81c51b6sm8984712wrv.90.2023.04.16.16.40.07
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 16 Apr 2023 16:40:08 -0700 (PDT)
Content-Type: text/plain;
	charset=utf-8
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: git: 6ae8d57652fa - main - mac_veriexec: add mac_priv_grant check
 for NODEV
From: Jessica Clarke <jrtc27@freebsd.org>
In-Reply-To: <202304162314.33GNEwXd039914@gitrepo.freebsd.org>
Date: Mon, 17 Apr 2023 00:40:07 +0100
Cc: "src-committers@freebsd.org" <src-committers@FreeBSD.org>,
 "dev-commits-src-all@freebsd.org" <dev-commits-src-all@FreeBSD.org>,
 "dev-commits-src-main@freebsd.org" <dev-commits-src-main@FreeBSD.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C919D121-5342-4A3A-8CEB-07B9346D8024@freebsd.org>
References: <202304162314.33GNEwXd039914@gitrepo.freebsd.org>
To: "Stephen J. Kiernan" <stevek@FreeBSD.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-Rspamd-Queue-Id: 4Q069k0s7wz45Pl
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-ThisMailContainsUnwantedMimeParts: N

On 17 Apr 2023, at 00:14, Stephen J. Kiernan <stevek@FreeBSD.org> wrote:
>=20
> The branch main has been updated by stevek:
>=20
> URL: =
https://cgit.FreeBSD.org/src/commit/?id=3D6ae8d57652faf3bb8532ed627676c65e=
ecd94a31
>=20
> commit 6ae8d57652faf3bb8532ed627676c65eecd94a31
> Author:     Simon J. Gerraty <sjg@juniper.net>
> AuthorDate: 2019-07-29 22:38:16 +0000
> Commit:     Stephen J. Kiernan <stevek@FreeBSD.org>
> CommitDate: 2023-04-16 23:14:40 +0000
>=20
>    mac_veriexec: add mac_priv_grant check for NODEV
>=20
>    Allow other MAC modules to override some veriexec checks.
>=20
>    We need two new privileges:
>    PRIV_VERIEXEC_DIRECT    process wants to override 'indirect' flag
>                            on interpreter
>    PRIV_VERIEXEC_NOVERIFY  typically associated with =
PRIV_VERIEXEC_DIRECT
>                            allow override of O_VERIFY
>=20
>    We also need to check for PRIV_VERIEXEC_NOVERIFY override
>    for FINGERPRINT_NODEV and FINGERPRINT_NOENTRY.
>    This will only happen if parent had PRIV_VERIEXEC_DIRECT override.
>=20
>    This allows for MAC modules to selectively allow some applications =
to
>    run without verification.
>=20
>    Needless to say, this is extremely dangerous and should only be =
used
>    sparingly and carefully.
>=20
>    Obtained from:  Juniper Networks, Inc.
>=20
>    Reviewers: sjg
>    Subscribers: imp, dab
>=20
>    Differential Revision: https://reviews.freebsd.org/D39537

Hi Steve,
I see you=E2=80=99ve made a bunch of commits over the past few days that =
suffer
from not following the proper commit message formatting outlined in the
Committer=E2=80=99s Guide and templated in
tools/tools/git/hooks/prepare-commit-msg; can you please take care and
do so in future?

Jess

> ---
> sys/security/mac_veriexec/mac_veriexec.c         | 16 ++++++++++++++++
> sys/security/mac_veriexec/veriexec_fingerprint.c | 23 =
++++++++++++++++++++++-
> sys/sys/priv.h                                   |  8 +++++++-
> 3 files changed, 45 insertions(+), 2 deletions(-)
>=20
> diff --git a/sys/security/mac_veriexec/mac_veriexec.c =
b/sys/security/mac_veriexec/mac_veriexec.c
> index e377f61ad21c..b20df7d694ef 100644
> --- a/sys/security/mac_veriexec/mac_veriexec.c
> +++ b/sys/security/mac_veriexec/mac_veriexec.c
> @@ -51,6 +51,7 @@
> #include <sys/sysctl.h>
> #include <sys/vnode.h>
> #include <fs/nullfs/null.h>
> +#include <security/mac/mac_framework.h>
> #include <security/mac/mac_policy.h>
>=20
> #include "mac_veriexec.h"
> @@ -430,6 +431,18 @@ mac_veriexec_priv_check(struct ucred *cred, int =
priv)
> 	return (0);
> }
>=20
> +/**
> + * @internal
> + * @brief Check if the requested sysctl should be allowed
> + *
> + * @param cred         credentials to use
> + * @param oidp         sysctl OID
> + * @param arg1         first sysctl argument
> + * @param arg2         second sysctl argument
> + * @param req          sysctl request information
> + *
> + * @return 0 if the sysctl should be allowed, otherwise an error =
code.
> + */
> static int
> mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp,
>     void *arg1, int arg2, struct sysctl_req *req)
> @@ -533,6 +546,9 @@ mac_veriexec_check_vp(struct ucred *cred, struct =
vnode *vp, accmode_t accmode)
> 				return (error);
> 			break;
> 		default:
> +			/* Allow for overriding verification requirement =
*/
> +			if (mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) =
=3D=3D 0)
> +				return (0);
> 			/*
> 			 * Caller wants open to fail unless there is a =
valid
> 			 * fingerprint registered.
> diff --git a/sys/security/mac_veriexec/veriexec_fingerprint.c =
b/sys/security/mac_veriexec/veriexec_fingerprint.c
> index 29b5c19eed1e..500842cbd5ab 100644
> --- a/sys/security/mac_veriexec/veriexec_fingerprint.c
> +++ b/sys/security/mac_veriexec/veriexec_fingerprint.c
> @@ -42,11 +42,14 @@
> #include <sys/malloc.h>
> #include <sys/mount.h>=20
> #include <sys/mutex.h>
> +#include <sys/priv.h>
> #include <sys/proc.h>
> #include <sys/sbuf.h>
> #include <sys/syslog.h>
> #include <sys/vnode.h>
>=20
> +#include <security/mac/mac_framework.h>
> +
> #include "mac_veriexec.h"
> #include "mac_veriexec_internal.h"
>=20
> @@ -292,7 +295,8 @@ mac_veriexec_fingerprint_check_image(struct =
image_params *imgp,
>=20
> 	case FINGERPRINT_INDIRECT: /* fingerprint ok but need to check
> 				      for direct execution */
> -		if (!imgp->interpreted) {
> +		if (!imgp->interpreted &&
> +		    mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_DIRECT) =
!=3D 0) {
> 			identify_error(imgp, td, "attempted direct =
execution");
> 			if (prison0.pr_securelevel > 1 ||
> 			    =
mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE))
> @@ -326,6 +330,23 @@ mac_veriexec_fingerprint_check_image(struct =
image_params *imgp,
> 		identify_error(imgp, td, "invalid status field for =
vnode");
> 		error =3D EPERM;
> 	}
> +	switch (status) {
> +	case FINGERPRINT_NODEV:
> +	case FINGERPRINT_NOENTRY:
> +		/*
> +		 * Check if this process has override allowed.
> +		 * This will only be true if PRIV_VERIEXEC_DIRECT
> +		 * already succeeded.
> +		 */
> +		if (error =3D=3D EAUTH &&
> +		    mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_NOVERIFY) =
=3D=3D 0) {
> +			error =3D 0;
> +		}
> +		break;
> +	default:
> +		break;
> +	}
> +
> 	return error;=20
> }
>=20
> diff --git a/sys/sys/priv.h b/sys/sys/priv.h
> index cb4dcecea4aa..6574d8c42599 100644
> --- a/sys/sys/priv.h
> +++ b/sys/sys/priv.h
> @@ -520,10 +520,16 @@
>  */
> #define	PRIV_KDB_SET_BACKEND	690	/* Allow setting KDB =
backend. */
>=20
> +/*
> + * veriexec override privileges - very rare!
> + */
> +#define	PRIV_VERIEXEC_DIRECT	700	/* Can override =
'indirect' */
> +#define	PRIV_VERIEXEC_NOVERIFY	701	/* Can override O_VERIFY =
*/
> +
> /*
>  * Track end of privilege list.
>  */
> -#define	_PRIV_HIGHEST		691
> +#define	_PRIV_HIGHEST		702
>=20
> /*
>  * Validate that a named privilege is known by the privilege system.  =
Invalid