Subject: Re: git: 6ae8d57652fa - main - mac_veriexec: add mac_priv_grant check for NODEV
From: Jessica Clarke
Date: Mon, 17 Apr 2023 00:40:07 +0100
To: "Stephen J. Kiernan"
Cc: "src-committers@freebsd.org", "dev-commits-src-all@freebsd.org", "dev-commits-src-main@freebsd.org"
In-Reply-To: <202304162314.33GNEwXd039914@gitrepo.freebsd.org>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 17 Apr 2023, at 00:14, Stephen J. Kiernan wrote:
> 
> The branch main has been updated by stevek:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=6ae8d57652faf3bb8532ed627676c65eecd94a31
> 
> commit 6ae8d57652faf3bb8532ed627676c65eecd94a31
> Author: Simon J. Gerraty
> AuthorDate: 2019-07-29 22:38:16 +0000
> Commit: Stephen J. Kiernan
> CommitDate: 2023-04-16 23:14:40 +0000
> 
> mac_veriexec: add mac_priv_grant check for NODEV
> 
> Allow other MAC modules to override some veriexec checks.
> 
> We need two new privileges:
> PRIV_VERIEXEC_DIRECT process wants to override 'indirect' flag
> on interpreter
> PRIV_VERIEXEC_NOVERIFY typically associated with PRIV_VERIEXEC_DIRECT
> allow override of O_VERIFY
> 
> We also need to check for PRIV_VERIEXEC_NOVERIFY override
> for FINGERPRINT_NODEV and FINGERPRINT_NOENTRY.
> This will only happen if parent had PRIV_VERIEXEC_DIRECT override.
> 
> This allows for MAC modules to selectively allow some applications to
> run without verification.
> 
> Needless to say, this is extremely dangerous and should only be used
> sparingly and carefully.
> 
> Obtained from: Juniper Networks, Inc.
> 
> Reviewers: sjg
> Subscribers: imp, dab
> 
> Differential Revision: https://reviews.freebsd.org/D39537

Hi Steve,
I see you’ve made a bunch of commits over the past few days that suffer from not following the proper commit message formatting outlined in the Committer’s Guide and templated in tools/tools/git/hooks/prepare-commit-msg; can you please take care and do so in future?

Jess

> ---
> sys/security/mac_veriexec/mac_veriexec.c | 16 ++++++++++++++++
> sys/security/mac_veriexec/veriexec_fingerprint.c | 23 ++++++++++++++++++++++-
> sys/sys/priv.h | 8 +++++++-
> 3 files changed, 45 insertions(+), 2 deletions(-)
> 
> diff --git a/sys/security/mac_veriexec/mac_veriexec.c = b/sys/security/mac_veriexec/mac_veriexec.c > index e377f61ad21c..b20df7d694ef 100644 > --- a/sys/security/mac_veriexec/mac_veriexec.c > +++ b/sys/security/mac_veriexec/mac_veriexec.c > @@ -51,6 +51,7 @@ > #include > #include > #include > +#include > #include >=20 > #include "mac_veriexec.h" > @@ -430,6 +431,18 @@ mac_veriexec_priv_check(struct ucred *cred, int = priv) > return (0); > } >=20 > +/** > + * @internal > + * @brief Check if the requested sysctl should be allowed > + * > + * @param cred credentials to use > + * @param oidp sysctl OID > + * @param arg1 first sysctl argument > + * @param arg2 second sysctl argument > + * @param req sysctl request information > + * > + * @return 0 if the sysctl should be allowed, otherwise an error = code. > + */ > static int > mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp, > void *arg1, int arg2, struct sysctl_req *req) > @@ -533,6 +546,9 @@ mac_veriexec_check_vp(struct ucred *cred, struct = vnode *vp, accmode_t accmode) > return (error); > break; > default: > + /* Allow for overriding verification requirement = */ > + if (mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) = =3D=3D 0) > + return (0); > /* > * Caller wants open to fail unless there is a = valid > * fingerprint registered. 
> diff --git a/sys/security/mac_veriexec/veriexec_fingerprint.c = b/sys/security/mac_veriexec/veriexec_fingerprint.c > index 29b5c19eed1e..500842cbd5ab 100644 > --- a/sys/security/mac_veriexec/veriexec_fingerprint.c > +++ b/sys/security/mac_veriexec/veriexec_fingerprint.c > @@ -42,11 +42,14 @@ > #include > #include =20 > #include > +#include > #include > #include > #include > #include >=20 > +#include > + > #include "mac_veriexec.h" > #include "mac_veriexec_internal.h" >=20 > @@ -292,7 +295,8 @@ mac_veriexec_fingerprint_check_image(struct = image_params *imgp, >=20 > case FINGERPRINT_INDIRECT: /* fingerprint ok but need to check > for direct execution */ > - if (!imgp->interpreted) { > + if (!imgp->interpreted && > + mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_DIRECT) = !=3D 0) { > identify_error(imgp, td, "attempted direct = execution"); > if (prison0.pr_securelevel > 1 || > = mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE)) > @@ -326,6 +330,23 @@ mac_veriexec_fingerprint_check_image(struct = image_params *imgp, > identify_error(imgp, td, "invalid status field for = vnode"); > error =3D EPERM; > } > + switch (status) { > + case FINGERPRINT_NODEV: > + case FINGERPRINT_NOENTRY: > + /* > + * Check if this process has override allowed. > + * This will only be true if PRIV_VERIEXEC_DIRECT > + * already succeeded. > + */ > + if (error =3D=3D EAUTH && > + mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_NOVERIFY) = =3D=3D 0) { > + error =3D 0; > + } > + break; > + default: > + break; > + } > + > return error;=20 > } >=20 > diff --git a/sys/sys/priv.h b/sys/sys/priv.h > index cb4dcecea4aa..6574d8c42599 100644 > --- a/sys/sys/priv.h > +++ b/sys/sys/priv.h 
> @@ -520,10 +520,16 @@ > */ > #define PRIV_KDB_SET_BACKEND 690 /* Allow setting KDB = backend. */ >=20 > +/* > + * veriexec override privileges - very rare! > + */ > +#define PRIV_VERIEXEC_DIRECT 700 /* Can override = 'indirect' */ > +#define PRIV_VERIEXEC_NOVERIFY 701 /* Can override O_VERIFY = */ > + > /* > * Track end of privilege list. > */ > -#define _PRIV_HIGHEST 691 > +#define _PRIV_HIGHEST 702 >=20 > /* > * Validate that a named privilege is known by the privilege system. = Invalid
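Review bot: the doxygen block added above mac_veriexec_sysctl_check (mac_veriexec.c hunk @@ -430,6 +431,18) is documentation unrelated to the NODEV override the commit message describes and would be easier to trace as its own commit; as written it only restates the parameter list, so a sentence saying this is the MAC sysctl check hook and what policy it applies would make it worth having.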
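Review bot: the PRIV_VERIEXEC_NOVERIFY override in the default case of mac_veriexec_check_vp (mac_veriexec.c hunk @@ -533,6 +546,9) does `return (0);` with no record that verification was skipped, so an O_VERIFY open of a file with no registered fingerprint becomes indistinguishable from a verified open in the logs. Since the commit message itself calls the override "extremely dangerous", the grant should be logged before returning (the veriexec_fingerprint.c hunks use identify_error() on the denial paths; the override path deserves the same visibility) so that use of the privilege is auditable. Also, unlike the FINGERPRINT_NODEV/NOENTRY code in veriexec_fingerprint.c, nothing here ties the NOVERIFY grant to a prior PRIV_VERIEXEC_DIRECT grant; that coupling lives entirely in whichever MAC module answers mac_priv_grant(), and the comment `/* Allow for overriding verification requirement */` should say so.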
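Review bot: in the FINGERPRINT_INDIRECT case (veriexec_fingerprint.c hunk @@ -292,7 +295,8), a PRIV_VERIEXEC_DIRECT grant now short-circuits the whole block, including the `prison0.pr_securelevel > 1 || mac_veriexec_in_state(VERIEXEC_STATE_ENFORCE)` test below it, so direct execution of an indirect-only binary is permitted even at securelevel > 1 and in enforce state. If that is intended, a comment should say so; if not, the mac_priv_grant() check belongs inside that conditional rather than in front of it. The denial path calls identify_error() but the override path is silent, so consider logging the override here as well. Finally, `mac_priv_grant(...) != 0` here means "not granted", which reads backwards beside the `== 0` tests in the other hunks; a short comment on the return convention would prevent misreading.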
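Review bot: the switch added at the end of mac_veriexec_fingerprint_check_image (veriexec_fingerprint.c hunk @@ -326,6 +330,23) has two shared cases and an empty default, so `if (status == FINGERPRINT_NODEV || status == FINGERPRINT_NOENTRY)` would say the same thing more directly. The larger issue is the comment "This will only be true if PRIV_VERIEXEC_DIRECT already succeeded": nothing in this function enforces that, the code only asks mac_priv_grant(td->td_ucred, PRIV_VERIEXEC_NOVERIFY), so either reword it as a contract the granting MAC module must uphold or check both privileges here. Note also that if the earlier status handling reported the EAUTH through identify_error() (as the visible default case does with EPERM), clearing `error` to 0 afterwards leaves a denial message in the log for an execution that was in fact allowed; logging the override explicitly at the point `error = 0` is set would keep the audit trail truthful.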
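Review bot: the priv.h hunk (@@ -520,10 +520,16) assigns 700 and 701 and moves _PRIV_HIGHEST from 691 to 702, leaving 691 through 699 unassigned; if the gap is deliberate (headroom for the KDB block, or starting veriexec on a round number), a one-line comment would stop the next addition from filling it inconsistently. The block comment `veriexec override privileges - very rare!` should also state the coupling given in the commit message, that PRIV_VERIEXEC_NOVERIFY is only meant to be granted alongside PRIV_VERIEXEC_DIRECT, since the kernel checks in the other hunks do not enforce it and the header is where a MAC module author will look. Anything in the tree that maps privilege numbers to names for display or tracing would need the two new entries as well.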