socsvn commit: r240166 - soc2012/gpf/pefs_head/head/sys/kern
gpf at FreeBSD.org
gpf at FreeBSD.org
Tue Aug 7 07:28:17 UTC 2012
Author: gpf
Date: Tue Aug 7 07:28:14 2012
New Revision: 240166
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240166
Log:
- abort exec if our check fails. future commit will probably turn this
code snippet into a MAC hook function.
Modified:
soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c
Modified: soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c
==============================================================================
--- soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c Tue Aug 7 05:46:36 2012 (r240165)
+++ soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c Tue Aug 7 07:28:14 2012 (r240166)
@@ -549,19 +549,17 @@
}
{
+ /* XXXgpf: [TODO] place this in a MAC hook */
int enabled, rval;
size_t enabled_len;
rval = kernel_sysctlbyname(td, "vfs.pefs.exec.enable",
&enabled, &enabled_len, NULL, 0, NULL, 0);
- //printf("sysctl vfs.pefs.exec.enable=%d returns %d\n", enabled,
- //rval);
+
if (rval == 0 && enabled != 0) {
- printf("checking flag for %s\n", args->fname);
if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) {
- printf("denied!\n");
- //error = ...
- //goto exec_fail_dealloc;
+ error = EPERM;
+ goto exec_fail_dealloc;
}
}
}
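Review bot: `enabled_len` is passed to `kernel_sysctlbyname()` as the old-length pointer without being initialised, which matters now that this block returns `EPERM`. As far as I can tell the sysctl code reads that value as the size of the output buffer, so stack garbage smaller than `sizeof(int)` can make the lookup fail; the `rval == 0` test then skips the `SF_IMMUTABLE` check and the exec proceeds. Initialise both locals: `int enabled = 0, rval;` and `size_t enabled_len = sizeof(enabled);`. Every non-zero `rval` is treated as "check disabled"; if that is meant only for the case where the sysctl is absent (presumably pefs not loaded), a comment such as `/* sysctl missing: no restriction applies */` would make the fail-open choice explicit. The enclosing function begins and ends outside this hunk.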