Date: Wed, 29 Jun 2022 08:49:02 GMT From: Wojciech Macek <wma@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 15c362aeb778 - main - mac_veriexec: Authorize reads of secured sysctls Message-ID: <202206290849.25T8n2Kw047140@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by wma: URL: https://cgit.FreeBSD.org/src/commit/?id=15c362aeb7784385cb464fa364cbdd7a1e64e787 commit 15c362aeb7784385cb464fa364cbdd7a1e64e787 Author: Wojciech Macek <wma@FreeBSD.org> AuthorDate: 2022-06-29 08:48:01 +0000 Commit: Wojciech Macek <wma@FreeBSD.org> CommitDate: 2022-06-29 08:48:01 +0000 mac_veriexec: Authorize reads of secured sysctls Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well. This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41. Reviewed by: sjg Differential revision: https://reviews.freebsd.org/D34327 Obtained from: Stormshield --- sys/security/mac_veriexec/mac_veriexec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c index 7a5b747ef7a2..99a76abd4afb 100644 --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -437,7 +437,7 @@ mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp, return (0); oid = oidp; - if (oid->oid_kind & CTLFLAG_SECURE) { + if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { return (EPERM); /* XXX call mac_veriexec_priv_check? */ } return 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202206290849.25T8n2Kw047140>