git: 559e41a11b32 - main - veriexec: Improve comments
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 15 Mar 2023 05:00:20 UTC
The branch main has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=559e41a11b325b4292531069a697ce6da7e2e4fa commit 559e41a11b325b4292531069a697ce6da7e2e4fa Author: Warner Losh <imp@FreeBSD.org> AuthorDate: 2023-03-15 04:59:20 +0000 Commit: Warner Losh <imp@FreeBSD.org> CommitDate: 2023-03-15 05:00:16 +0000 veriexec: Improve comments Make it clear we're checking to see if the target is a verified file and prevent its replacement if so. Sponsored by: Netflix Reviewed by: rpokala Differential Revision: https://reviews.freebsd.org/D39079 --- sys/security/mac_veriexec/mac_veriexec.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c index 6f06a8577212..e377f61ad21c 100644 --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -602,11 +602,11 @@ mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused, if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) return (0); - /* - * Check if it's a verified file - */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == 0) { /* file is verified */ + if (error == 0) { + /* + * The target is verified, so disallow replacement. + */ MAC_VERIEXEC_DBG(2, "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid); @@ -643,11 +643,11 @@ mac_veriexec_vnode_check_rename_from(struct ucred *cred, if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) return (0); - /* - * Check if it's a verified file - */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == 0) { /* file is verified */ + if (error == 0) { + /* + * The target is verified, so disallow replacement. + */ MAC_VERIEXEC_DBG(2, "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid); return (EAUTH); @@ -692,11 +692,11 @@ mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unuse if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) return (0); - /* - * Check if it's a verified file - */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == 0) { /* file is verified */ + if (error == 0) { + /* + * The target is verified, so disallow replacement. + */ MAC_VERIEXEC_DBG(2, "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid); return (EAUTH); @@ -727,13 +727,14 @@ mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp, return (0); /* - * Do not allow chmod (set-[gu]id) of verified file + * Prohibit chmod of verified set-[gu]id file. */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == EAUTH) /* it isn't verified */ + if (error == EAUTH) /* target not verified */ return (0); if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0) return (EAUTH); + return (0); }