svn commit: r336289 - head/sys/security/mac_veriexec

Sat Jul 14 17:25:46 UTC 2018

Hey Stephen,

On Sat, Jul 14, 2018 at 05:21:17PM +0000, Stephen J. Kiernan wrote:
> Author: stevek
> Date: Sat Jul 14 17:21:16 2018
> New Revision: 336289
> URL: https://svnweb.freebsd.org/changeset/base/336289
> 
> Log:
>   Add mpo_vnode_check_setmode MAC method to MAC/veriexec.
>   In the method, disallow changing SUID/SGID on verified files.
>   
>   Obtained from:	Juniper Networks, Inc.
> 
> Modified:
>   head/sys/security/mac_veriexec/mac_veriexec.c
> 
> Modified: head/sys/security/mac_veriexec/mac_veriexec.c
> ==============================================================================
> --- head/sys/security/mac_veriexec/mac_veriexec.c	Sat Jul 14 17:20:27 2018	(r336288)
> +++ head/sys/security/mac_veriexec/mac_veriexec.c	Sat Jul 14 17:21:16 2018	(r336289)
> @@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, stru
>  }
>  
>  /**
> + * @brief Check mode changes on file to ensure they should be allowed.
> + *
> + * We cannot allow chmod of SUID or SGID on verified files.
> + *
> + * @param cred		credentials to use
> + * @param vp		vnode of the file to open
> + * @param label		vnode label assigned to the vnode
> + * @param mode		mode flags to set
> + *
> + * @return 0 if the mode change should be allowed, EAUTH otherwise.
> + */
> +static int
> +mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
> +    struct label *label __unused, mode_t mode)
> +{
> +	int error;
> +
> +	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
> +		return (0);
> +
> +	/*
> +	 * Do not allow chmod (set-[gu]id) of verified file
> +	 */
> +	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
> +	if (error == EAUTH)             /* it isn't verified */

Is EAUTH the right error to return? errno(2) shows that EAUTH
signifies: "Authentication error. Attempted to use an invalid
authentication ticket to mount a NFS file system."

Perhaps EPERM would be better suited?

> +		return (0);
> +	if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
> +		return (EAUTH);
> +	return (0);
> +}
> +
> +/**
>   * @internal
>   * @brief Initialize the mac_veriexec MAC policy
>   *
> @@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops =
>  	.mpo_proc_check_debug = mac_veriexec_proc_check_debug,
>  	.mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
>  	.mpo_vnode_check_open = mac_veriexec_vnode_check_open,
> +	.mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode,
>  	.mpo_vnode_copy_label = mac_veriexec_copy_label,
>  	.mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
>  	.mpo_vnode_init_label = mac_veriexec_vnode_init_label,

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20180714/5aed561b/attachment.sig>