From nobody Sun Apr 16 23:14:58 2023
From: "Stephen J. Kiernan"
Date: Sun, 16 Apr 2023 23:14:58 GMT
Message-Id: <202304162314.33GNEwXd039914@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 6ae8d57652fa - main - mac_veriexec: add mac_priv_grant check for NODEV
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: stevek
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6ae8d57652faf3bb8532ed627676c65eecd94a31

The branch main has been updated by stevek:

URL: https://cgit.FreeBSD.org/src/commit/?id=6ae8d57652faf3bb8532ed627676c65eecd94a31

commit 6ae8d57652faf3bb8532ed627676c65eecd94a31
Author:     Simon J. Gerraty
AuthorDate: 2019-07-29 22:38:16 +0000
Commit:     Stephen J. Kiernan
CommitDate: 2023-04-16 23:14:40 +0000

    mac_veriexec: add mac_priv_grant check for NODEV

    Allow other MAC modules to override some veriexec checks.
    We need two new privileges:

    PRIV_VERIEXEC_DIRECT
        process wants to override 'indirect' flag on interpreter

    PRIV_VERIEXEC_NOVERIFY
        typically associated with PRIV_VERIEXEC_DIRECT
        allow override of O_VERIFY

    We also need to check for PRIV_VERIEXEC_NOVERIFY override for
    FINGERPRINT_NODEV and FINGERPRINT_NOENTRY.
    This will only happen if parent had PRIV_VERIEXEC_DIRECT override.

    This allows for MAC modules to selectively allow some applications
    to run without verification.
    Needless to say, this is extremely dangerous and should only be
    used sparingly and carefully.

    Obtained from:	Juniper Networks, Inc.
Reviewers: sjg Subscribers: imp, dab Differential Revision: https://reviews.freebsd.org/D39537 --- sys/security/mac_veriexec/mac_veriexec.c | 16 ++++++++++++++++ sys/security/mac_veriexec/veriexec_fingerprint.c | 23 ++++++++++++++++++++++- sys/sys/priv.h | 8 +++++++- 3 files changed, 45 insertions(+), 2 deletions(-) diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c index e377f61ad21c..b20df7d694ef 100644 --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -51,6 +51,7 @@ #include #include #include +#include #include #include "mac_veriexec.h" @@ -430,6 +431,18 @@ mac_veriexec_priv_check(struct ucred *cred, int priv) return (0); } +/** + * @internal + * @brief Check if the requested sysctl should be allowed + * + * @param cred credentials to use + * @param oidp sysctl OID + * @param arg1 first sysctl argument + * @param arg2 second sysctl argument + * @param req sysctl request information + * + * @return 0 if the sysctl should be allowed, otherwise an error code. + */ static int mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req) @@ -533,6 +546,9 @@ mac_veriexec_check_vp(struct ucred *cred, struct vnode *vp, accmode_t accmode) return (error); break; default: + /* Allow for overriding verification requirement */ + if (mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) == 0) + return (0); /* * Caller wants open to fail unless there is a valid * fingerprint registered. diff --git a/sys/security/mac_veriexec/veriexec_fingerprint.c b/sys/security/mac_veriexec/veriexec_fingerprint.c index 29b5c19eed1e..500842cbd5ab 100644 --- a/sys/security/mac_veriexec/veriexec_fingerprint.c +++ b/sys/security/mac_veriexec/veriexec_fingerprint.c @@ -42,11 +42,14 @@ #include #include #include +#include #include #include #include #include +#include + #include "mac_veriexec.h" #include "mac_veriexec_internal.h" 
@@ -292,7 +295,8 @@ mac_veriexec_fingerprint_check_image(struct image_params *imgp, case FINGERPRINT_INDIRECT: /* fingerprint ok but need to check for direct execution */ - if (!imgp->interpreted) { + if (!imgp->interpreted && + mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_DIRECT) != 0) { identify_error(imgp, td, "attempted direct execution"); if (prison0.pr_securelevel > 1 || mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE)) @@ -326,6 +330,23 @@ mac_veriexec_fingerprint_check_image(struct image_params *imgp, identify_error(imgp, td, "invalid status field for vnode"); error = EPERM; } + switch (status) { + case FINGERPRINT_NODEV: + case FINGERPRINT_NOENTRY: + /* + * Check if this process has override allowed. + * This will only be true if PRIV_VERIEXEC_DIRECT + * already succeeded. + */ + if (error == EAUTH && + mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_NOVERIFY) == 0) { + error = 0; + } + break; + default: + break; + } + return error; } diff --git a/sys/sys/priv.h b/sys/sys/priv.h index cb4dcecea4aa..6574d8c42599 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -520,10 +520,16 @@ */ #define PRIV_KDB_SET_BACKEND 690 /* Allow setting KDB backend. */ +/* + * veriexec override privileges - very rare! + */ +#define PRIV_VERIEXEC_DIRECT 700 /* Can override 'indirect' */ +#define PRIV_VERIEXEC_NOVERIFY 701 /* Can override O_VERIFY */ + /* * Track end of privilege list. */ -#define _PRIV_HIGHEST 691 +#define _PRIV_HIGHEST 702 /* * Validate that a named privilege is known by the privilege system. Invalid
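Review bot: the doxygen block added above mac_veriexec_sysctl_check() in mac_veriexec.c (the @@ -430,6 +431,18 @@ hunk) is unrelated to the privilege override and is not mentioned in the commit message; either split it into its own commit or add a line to the message so a documentation-only change is not buried inside a security-relevant one.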
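Review bot: in mac_veriexec_check_vp() (the @@ -533,6 +546,9 @@ hunk) the new PRIV_VERIEXEC_NOVERIFY test is the first statement of the default: case, so it waves through every fingerprint status that lands there, not only the two "no fingerprint registered" cases, whereas the matching hunk in mac_veriexec_fingerprint_check_image() restricts the same override to FINGERPRINT_NODEV and FINGERPRINT_NOENTRY and only after error == EAUTH. Apply the same status test here, along the lines of `if ((status == FINGERPRINT_NODEV || status == FINGERPRINT_NOENTRY) && mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) == 0)`, so an O_VERIFY open is never granted for a file whose registered fingerprint did not check out, and emit a log line when the override is taken; the commit message calls this path extremely dangerous, which is exactly when an operator wants it to be visible.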
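Review bot: in the FINGERPRINT_INDIRECT case (the @@ -292,7 +295,8 @@ hunk) a successful mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_DIRECT) lets the direct execution proceed silently: identify_error() is only reached on the denied branch, so an override leaves no trace even under VERIEXEC_STATE_ENFORCE. Log the granted override (the debug logging used elsewhere in this file would do) so it can be audited which MAC module allowed an interpreter to be run directly. Note also that the grant is now consulted on every direct execution of an indirect file, before the securelevel/enforce-state test, so it runs even when veriexec is not enforcing; if that ordering is intended, a one-line comment would save the next reader from wondering.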
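Review bot: the comment "This will only be true if PRIV_VERIEXEC_DIRECT already succeeded" in the new switch (the @@ -326,6 +330,23 @@ hunk) states a dependency the code does not enforce: nothing in the hunk checks that PRIV_VERIEXEC_DIRECT was granted, and a MAC module that grants PRIV_VERIEXEC_NOVERIFY on its own will clear the EAUTH for a FINGERPRINT_NODEV or FINGERPRINT_NOENTRY image here regardless. Either record the earlier grant (for example a local flag set in the FINGERPRINT_INDIRECT case) and test it alongside `error == EAUTH`, or reword the comment to say that the granting MAC module is expected to couple the two privileges, as the commit message does; a comment that reads as a guarantee but is only a convention is the kind of thing that gets relied on later.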
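Review bot: in sys/sys/priv.h the new privileges are numbered 700 and 701 directly after PRIV_KDB_SET_BACKEND (690), leaving 691 through 699 unused; _PRIV_HIGHEST 702 is consistent with that, but add a comment saying the gap is intentional (or number them 691 and 692 with _PRIV_HIGHEST 693) so a later addition does not land in the hole by accident. The block comment "veriexec override privileges - very rare!" should also state that these are only ever consulted through mac_priv_grant() by another MAC module, which is the sole way this patch uses them, so nobody wires them into a priv_check() path expecting a default-deny semantics.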