git: fe8ce390b8bc - main - Fix mac_veriexec version mismatch

Fri Jul 30 04:01:32 UTC 2021

On 29/07/2021 7:05 pm, Wojciech Macek wrote:
> The branch main has been updated by wma:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=fe8ce390b8bcf304a9956b0f7ca8421868c22492
> 
> commit fe8ce390b8bcf304a9956b0f7ca8421868c22492
> Author:     Wojciech Macek <wma at FreeBSD.org>
> AuthorDate: 2021-07-29 09:02:43 +0000
> Commit:     Wojciech Macek <wma at FreeBSD.org>
> CommitDate: 2021-07-29 09:05:13 +0000
> 
>      Fix mac_veriexec version mismatch
>      
>      mac_veriexec sets its version to 1, but the mac_veriexec_shaX modules which depend on it expect MAC_VERIEXEC_VERSION = 2.
>      Be consistent and use MAC_VERIEXEC_VERSION everywhere.
>      This unbreaks loading of mac_veriexec modules at boot time.
>      
>      Authored by:            Kornel Duleba <mindal at semihalf.com>
>      Obtained from:          Semihalf
>      Sponsored by:           Stormshield
>      Differential Revision:  https://reviews.freebsd.org/D31268
> ---
>   sys/dev/veriexec/verified_exec.c         | 3 ++-
>   sys/security/mac_veriexec/mac_veriexec.c | 2 +-
>   2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c
> index 3c72d30155dd..d6fabf825212 100644
> --- a/sys/dev/veriexec/verified_exec.c
> +++ b/sys/dev/veriexec/verified_exec.c
> @@ -266,4 +266,5 @@ veriexec_drvinit(void *unused __unused)
>   }
>   
>   SYSINIT(veriexec, SI_SUB_PSEUDO, SI_ORDER_ANY, veriexec_drvinit, NULL);
> -MODULE_DEPEND(veriexec, mac_veriexec, 1, 1, 1);
> +MODULE_DEPEND(veriexec, mac_veriexec, MAC_VERIEXEC_VERSION,
> +    MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION);
> diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
> index ecaa8cc35e09..dc95890f613e 100644
> --- a/sys/security/mac_veriexec/mac_veriexec.c
> +++ b/sys/security/mac_veriexec/mac_veriexec.c
> @@ -737,7 +737,7 @@ static struct mac_policy_ops mac_veriexec_ops =
>   
>   MAC_POLICY_SET(&mac_veriexec_ops, mac_veriexec, MAC_VERIEXEC_FULLNAME,
>       MPC_LOADTIME_FLAG_NOTLATE, &mac_veriexec_slot);
> -MODULE_VERSION(mac_veriexec, 1);
> +MODULE_VERSION(mac_veriexec, MAC_VERIEXEC_VERSION);
>   
>   static struct vnode *
>   mac_veriexec_bottom_vnode(struct vnode *vp)
> _______________________________________________
> dev-commits-src-main at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
> To unsubscribe, send any mail to "dev-commits-src-main-unsubscribe at freebsd.org"
> 

Any chance of getting this available (not enabled) in default (GENERIC) 
builds? Has come up a few times in the community