svn commit: r347934 - head/sys/dev/veriexec
Stephen J. Kiernan
stevek at FreeBSD.org
Fri May 17 18:02:27 UTC 2019
Author: stevek
Date: Fri May 17 18:02:26 2019
New Revision: 347934
URL: https://svnweb.freebsd.org/changeset/base/347934
Log:
Protect commands that are considered dangerous with checks for kmem write
priv. This allows for MAC/veriexec to prevent apps that are not "trusted"
from using these commands.
Obtained from: Juniper Networks, Inc.
MFC after: 1 week
Modified:
head/sys/dev/veriexec/verified_exec.c
Modified: head/sys/dev/veriexec/verified_exec.c
==============================================================================
--- head/sys/dev/veriexec/verified_exec.c Fri May 17 17:50:01 2019 (r347933)
+++ head/sys/dev/veriexec/verified_exec.c Fri May 17 18:02:26 2019 (r347934)
@@ -1,7 +1,7 @@
/*
* $FreeBSD$
*
- * Copyright (c) 2011-2013, 2015, Juniper Networks, Inc.
+ * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -44,6 +44,7 @@
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/vnode.h>
@@ -70,6 +71,37 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cm
struct verified_exec_params *params;
int error = 0;
+ /*
+ * These commands are considered safe requests for anyone who has
+ * permission to access to device node.
+ */
+ switch (cmd) {
+ case VERIEXEC_GETSTATE:
+ {
+ int *ip = (int *)data;
+
+ if (ip)
+ *ip = mac_veriexec_get_state();
+ else
+ error = EINVAL;
+
+ return (error);
+ }
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Anything beyond this point is considered dangerous, so we need to
+ * only allow processes that have kmem write privs to do them.
+ *
+ * MAC/veriexec will grant kmem write privs to "trusted" processes.
+ */
+ error = priv_check(td, PRIV_KMEM_WRITE);
+ if (error)
+ return (error);
+
params = (struct verified_exec_params *)data;
switch (cmd) {
case VERIEXEC_ACTIVE:
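Review bot: The `break;` after `return (error);` in the new VERIEXEC_GETSTATE case is unreachable, and `error` is only ever 0 or EINVAL there, so the case reads more clearly as a guard: `if (ip == NULL) return (EINVAL); *ip = mac_veriexec_get_state(); return (0);`. Whether `data` can actually be NULL here depends on how VERIEXEC_GETSTATE is encoded (an _IOR-style request presumably arrives as a kernel-side buffer), which this hunk does not show, so keep the check only if the encoding allows an absent argument. Because the `priv_check(td, PRIV_KMEM_WRITE)` call sits ahead of the second `switch`, every command not listed in the first `switch`, including unrecognized ones, is refused for unprivileged callers before any default handling runs; that fail-closed ordering is worth stating in the comment, e.g. `* Unknown commands are rejected here as well, before the switch below.`. `td` presumably comes from the ioctl signature, which is truncated in the hunk header, and verifiedexecioctl continues past the end of this hunk.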
@@ -105,16 +137,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cm
else
error = EINVAL;
mtx_unlock(&ve_mutex);
- break;
- case VERIEXEC_GETSTATE:
- {
- int *ip = (int *)data;
-
- if (ip)
- *ip = mac_veriexec_get_state();
- else
- error = EINVAL;
- }
break;
case VERIEXEC_LOCK:
mtx_lock(&ve_mutex);