git: 7bb4d1302cf7 - main - veriexec: Do not save error from file info in fingerprint status

From: Stephen J. Kiernan <stevek_at_FreeBSD.org>
Date: Fri, 09 Jun 2023 14:50:13 UTC
The branch main has been updated by stevek:

URL: https://cgit.FreeBSD.org/src/commit/?id=7bb4d1302cf76bf84a76232532a3b7d4d28554bf

commit 7bb4d1302cf76bf84a76232532a3b7d4d28554bf
Author:     Stephen J. Kiernan <stevek@FreeBSD.org>
AuthorDate: 2023-06-09 14:38:07 +0000
Commit:     Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-06-09 14:49:59 +0000

    veriexec: Do not save error from file info in fingerprint status
    
    We do not want or need to propagate the error from fetching file info
    when determining the file status. It could cause open(2) and similar
    calls to fail when trying to access devices.
    
    Obtained from:  Juniper Networks, Inc.
---
 sys/security/mac_veriexec/veriexec_metadata.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
index 4ff635335e9f..4e25b1672575 100644
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@@ -516,9 +516,9 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
 	status = mac_veriexec_get_fingerprint_status(vp);
 	if (status == FINGERPRINT_INVALID || status == FINGERPRINT_NODEV) {
 		found_dev = 0;
-		error = mac_veriexec_metadata_get_file_info(vap->va_fsid,
-		    vap->va_fileid, vap->va_gen, &found_dev, &ip, check_files);
-		if (error != 0) {
+		if (mac_veriexec_metadata_get_file_info(vap->va_fsid,
+		    vap->va_fileid, vap->va_gen, &found_dev, &ip,
+		    check_files) != 0) {
 			status = (found_dev) ? FINGERPRINT_NOENTRY :
 			    FINGERPRINT_NODEV;
 			VERIEXEC_DEBUG(3,
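
Review bot: The rewritten condition `if (mac_veriexec_metadata_get_file_info(...) != 0) {` discards the return value with no in-code comment saying this is deliberate, so a later reader may "fix" it by restoring `error = ...`. A short comment above the call would help, stating that the lookup failure is only mapped to `FINGERPRINT_NOENTRY` or `FINGERPRINT_NODEV` and must not be returned to the caller, which is the open(2)-on-devices reason given in the commit message. Since this was an assignment to `error` and it is now gone, also confirm that `error` is initialized before this block and that no later code in the function still expects it to hold the file-info result. The rest of the function is not visible in this hunk.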