git: 559e41a11b32 - main - veriexec: Improve comments

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Warner Losh <imp_at_FreeBSD.org>
Date: Wed, 15 Mar 2023 05:00:20 UTC
The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=559e41a11b325b4292531069a697ce6da7e2e4fa

commit 559e41a11b325b4292531069a697ce6da7e2e4fa
Author:     Warner Losh <imp@FreeBSD.org>
AuthorDate: 2023-03-15 04:59:20 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2023-03-15 05:00:16 +0000

    veriexec: Improve comments
    
    Make it clear we're checking to see if the target is a verified file and
    prevent its replacement if so.
    
    Sponsored by:           Netflix
    Reviewed by:            rpokala
    Differential Revision:  https://reviews.freebsd.org/D39079
---
 sys/security/mac_veriexec/mac_veriexec.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index 6f06a8577212..e377f61ad21c 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -602,11 +602,11 @@ mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused,
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
-	/*
-	 * Check if it's a verified file
-	 */
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-	if (error == 0) {             /* file is verified */
+	if (error == 0) {
+		/*
+		 * The target is verified, so disallow replacement.
+		 */
 		MAC_VERIEXEC_DBG(2,
     "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);
 
@@ -643,11 +643,11 @@ mac_veriexec_vnode_check_rename_from(struct ucred *cred,
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
-	/*
-	 * Check if it's a verified file
-	 */
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-	if (error == 0) {            /* file is verified */
+	if (error == 0) {
+		/*
+		 * The target is verified, so disallow replacement.
+		 */
 		MAC_VERIEXEC_DBG(2,
     "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid);
 		return (EAUTH);
@@ -692,11 +692,11 @@ mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unuse
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
-	/*
-	 * Check if it's a verified file
-	 */
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-	if (error == 0) {             /* file is verified */
+	if (error == 0) {
+		/*
+		 * The target is verified, so disallow replacement.
+		 */
 		MAC_VERIEXEC_DBG(2,
     "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid);
 		return (EAUTH);
@@ -727,13 +727,14 @@ mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
 		return (0);
 
 	/*
-	 * Do not allow chmod (set-[gu]id) of verified file
+	 * Prohibit chmod of verified set-[gu]id file.
 	 */
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-	if (error == EAUTH)             /* it isn't verified */
+	if (error == EAUTH)		/* target not verified */
 		return (0);
 	if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
 		return (EAUTH);
+
 	return (0);
 }