Date: Fri, 17 May 2019 17:50:01 +0000 (UTC)
From: "Stephen J. Kiernan" <stevek@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r347933 - head/sys/security/mac_veriexec
Message-ID: <201905171750.x4HHo1C8080887@repo.freebsd.org>
Author: stevek Date: Fri May 17 17:50:01 2019 New Revision: 347933 URL: https://svnweb.freebsd.org/changeset/base/347933 Log: Ensure we have obtained a lock on the process before calling mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller has not already acquired the process lock. Obtained from: Juniper Networks, Inc. MFC after: 1 week Modified: head/sys/security/mac_veriexec/mac_veriexec.c Modified: head/sys/security/mac_veriexec/mac_veriexec.c ============================================================================== --- head/sys/security/mac_veriexec/mac_veriexec.c Fri May 17 17:21:32 2019 (r347932) +++ head/sys/security/mac_veriexec/mac_veriexec.c Fri May 17 17:50:01 2019 (r347933) @@ -823,9 +823,18 @@ mac_veriexec_set_state(int state) int mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p) { - int error, flags; + int already_locked, error, flags; + /* Make sure we lock the process if we do not already have the lock */ + already_locked = PROC_LOCKED(p); + if (!already_locked) + PROC_LOCK(p); + error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0); + + /* Unlock the process if we locked it previously */ + if (!already_locked) + PROC_UNLOCK(p); /* Any errors, deny access */ if (error != 0)
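Review bot: In mac_veriexec_proc_is_trusted(), the new already_locked = PROC_LOCKED(p) branch makes the function's behaviour depend on the caller's lock state, but nothing above the function documents that contract. Add a comment at the function header stating that it may be called with or without the process lock held and that it leaves the lock state as it found it, so future callers do not have to infer this from the body. When the function takes the lock itself, PROC_UNLOCK(p) runs before the "if (error != 0)" check, so flags is a snapshot taken under the lock and the decision that follows is made after the lock is dropped; if that is intended, say so in the "Unlock the process if we locked it previously" comment. The log message also names mac_veriexec_get_executable_flags(), while the call in the hunk is mac_veriexec_metadata_get_executable_flags(); the two should agree.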