Date:      Tue, 07 Aug 2012 07:28:15 +0000
From:      gpf@FreeBSD.org
To:        svn-soc-all@FreeBSD.org
Subject:   socsvn commit: r240166 - soc2012/gpf/pefs_head/head/sys/kern
Message-ID:  <20120807072815.9DFAA106566B@hub.freebsd.org>

Author: gpf
Date: Tue Aug  7 07:28:14 2012
New Revision: 240166
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240166

Log:
  - abort exec if our check fails. future commit will probably turn this
  code snippet into a MAC hook function.
  

Modified:
  soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c

Modified: soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c
==============================================================================
--- soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c	Tue Aug  7 05:46:36 2012	(r240165)
+++ soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c	Tue Aug  7 07:28:14 2012	(r240166)
@@ -549,19 +549,17 @@
 	}
 
 	{
+		/* XXXgpf: [TODO] place this in a MAC hook */
 		int enabled, rval;
 		size_t enabled_len;
 
 		rval = kernel_sysctlbyname(td, "vfs.pefs.exec.enable",
 					&enabled, &enabled_len, NULL, 0, NULL, 0);
-		//printf("sysctl vfs.pefs.exec.enable=%d returns %d\n", enabled,
-			//rval);
+
 		if (rval == 0 && enabled != 0) {
-			printf("checking flag for %s\n", args->fname);
 			if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) {
-				printf("denied!\n");
-				//error = ...
-				//goto exec_fail_dealloc;
+				error = EPERM;
+				goto exec_fail_dealloc;
 			}
 		}
 	}
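Review bot: enabled_len is declared but, in the lines shown, never assigned before its address is passed to kernel_sysctlbyname() as the old-length argument. That argument is read as the size of the output buffer, so set enabled_len = sizeof(enabled); before the call. Because the check only runs when rval == 0, a read that fails on a garbage length silently skips the SF_IMMUTABLE test and the exec proceeds, so the enforcement fails open. With the debug printf calls removed, a denial now returns EPERM with no trace; a short comment stating the policy (while vfs.pefs.exec.enable is nonzero, only files with SF_IMMUTABLE set may be executed) would help until the MAC hook lands.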


