From owner-svn-soc-all@FreeBSD.ORG  Tue Aug  7 07:28:17 2012
Return-Path: <owner-svn-soc-all@FreeBSD.ORG>
Delivered-To: svn-soc-all@FreeBSD.org
Received: from socsvn.FreeBSD.org (unknown [IPv6:2001:4f8:fff6::2f])
	by hub.freebsd.org (Postfix) with SMTP id 9DFAA106566B
	for <svn-soc-all@FreeBSD.org>; Tue,  7 Aug 2012 07:28:15 +0000 (UTC)
	(envelope-from gpf@FreeBSD.org)
Received: by socsvn.FreeBSD.org (sSMTP sendmail emulation);
	Tue, 07 Aug 2012 07:28:15 +0000
Date: Tue, 07 Aug 2012 07:28:15 +0000
From: gpf@FreeBSD.org
To: svn-soc-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Message-Id: <20120807072815.9DFAA106566B@hub.freebsd.org>
Cc: 
Subject: socsvn commit: r240166 - soc2012/gpf/pefs_head/head/sys/kern
X-BeenThere: svn-soc-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the entire Summer of Code repository
	<svn-soc-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-soc-all>,
	<mailto:svn-soc-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-soc-all>
List-Post: <mailto:svn-soc-all@freebsd.org>
List-Help: <mailto:svn-soc-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-soc-all>,
	<mailto:svn-soc-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 07:28:17 -0000

Author: gpf
Date: Tue Aug  7 07:28:14 2012
New Revision: 240166
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240166

Log:
  - abort exec if our check fails. future commit will probably turn this
  code snippet into a MAC hook function.
  

Modified:
  soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c

Modified: soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c
==============================================================================
--- soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c	Tue Aug  7 05:46:36 2012	(r240165)
+++ soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c	Tue Aug  7 07:28:14 2012	(r240166)
@@ -549,19 +549,17 @@
 	}
 
 	{
+		/* XXXgpf: [TODO] place this in a MAC hook */
 		int enabled, rval;
 		size_t enabled_len;
 
 		rval = kernel_sysctlbyname(td, "vfs.pefs.exec.enable",
 					&enabled, &enabled_len, NULL, 0, NULL, 0);
-		//printf("sysctl vfs.pefs.exec.enable=%d returns %d\n", enabled,
-			//rval);
+
 		if (rval == 0 && enabled != 0) {
-			printf("checking flag for %s\n", args->fname);
 			if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) {
-				printf("denied!\n");
-				//error = ...
-				//goto exec_fail_dealloc;
+				error = EPERM;
+				goto exec_fail_dealloc;
 			}
 		}
 	}